The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 21

Thursday 14 January 2016

Contents

Ex-NSA boss Michael Hayden says FBI director is wrong on encryption
????
Ukraine electric grid down via malware
Data Breach Today
Fed STAR system flunks cyber security audit
GovInfoSec
Oregon Benefit Information System mess
AlMac
Michigan gets a damning cyber audit
Detroit Free Press
What do we know about medical errors related to EMRs?
HealthCareBlog
Skylake processors appear to have some glitches
Ars Technica
Google Opens Up About When Its Self-Driving Cars Have Nearly Crashed
Matt McFarland
Clickjacking Campaign Plays on European Cookie Law
MalwareBytes
`Smart' Guns: What Could Possibly Go Right?
Henry Baker
Can Computer Games Improve the Ability to Study?
Cathy Farmer
Ballot Battles: The History of Disputed Elections in the U.S.
Luther Weeks
FTC vs. dental practice software
Bank Info Sec
TurboTax and gmail and the conflation of two accounts
Stephen Bryant
Twitter Considering 10,000-Character Limit for Tweets
Recode via LW
URL query string parameters hanging on for dear life
Dan Jacobson
Calculating your threat 'score'
Justin Jouvenal via Henry Baker
Routers could soon help police solve crimes
Ryan O'Hare
Another fixed-width field problem
Steve Summit
USC students required to detail sexual history before registering for classes
Anthony Gockowski
Security of IoT: "always listening" devices in the office
Security Week
Fortinet Firewalls seem to have a hardwired SSH Password issue
Ars Technica via Bob Gezelter
Re: FTC's "Privacy Con" kicks out those who care about privacy
John Gilmore
Re: Dutch government defers on dumbing down security
Paul van Keep
Re: Analysis of VW Dieselgate SW
Dan Pritts
Re: Hotmail and how not to block spam
Jeremy Epstein
John Levine
Re: Risks of Facial Recognition
AlMac
Info on RISKS (comp.risks)

Ex-NSA boss Michael Hayden says FBI director is wrong on encryption

Lauren Weinstein <lauren@vortex.com>
Wed, 13 Jan 2016 14:53:16 -0800
http://money.cnn.com/2016/01/13/technology/nsa-michael-hayden-encryption/

  The FBI director wants the keys to your private conversations on your
  smartphone to keep terrorists from plotting secret attacks.  But on
  Tuesday, the former head of the U.S. National Security Agency—the
  supreme experts on communications—said that would be a terrible idea.
  General Michael Hayden, now retired, was speaking at a cybersecurity
  conference in Miami Beach. He expressed his unwavering support for
  encryption, a feature that protects voice calls or texts by turning data
  into nonsensical, indecipherable code.  "I disagree with [FBI director]
  Jim Comey," Hayden said in a speech. "I actually think end-to-end
  encryption is good for America."


Ukraine electric grid down via malware (Data Breach Today)

"Alister Wm Macintyre" <macwheel99@wowway.com>
Tue, 5 Jan 2016 15:27:49 -0600
Recently Ted Koppel was in the news with "Lights Out" book on US electric
power grid vulnerabilities to: hacking; snipers; EMP; other troubles.

Many people, in discussion lists, argued against Ted's position, using
arguments, which were disproven by his book, and its citations.

Now here comes an incident in the Ukraine.

This is not the first cyber attack on critical infrastructure blamed on
Russians.  Russia has previously been blamed for Black Energy Trojans
malware, used in this attack, and for cyber attacks on critical
infrastructure of other European nations in past years.
http://www.databreachtoday.com/ukrainian-power-grid-hacked-a-8779

Contrary to Data Breach Today "first use" speculation, a Saudi oil refinery
was attacked with the Shamoon virus, allegedly by Iran in retaliation for US
Israel Stuxnet attack.  [...]

https://en.wikipedia.org/wiki/Saudi_Aramco#Cyber_attack
https://en.wikipedia.org/wiki/Shamoon


Fed STAR system flunks cyber security audit (GovInfoSec)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Tue, 5 Jan 2016 14:43:37 -0600
The Fed is the US Central Banking system, where the governors are appointed
by the US government, on those rare occasions when the President and
Congress can come to an agreement, and come from the nation's largest
banks.

A US inspector general report on a Federal Reserve audit raises more
questions than it answers regarding the security risks facing one of the
Fed's systems.
<https://oig.federalreserve.gov/reports/board-star-security-control-review-summary-dec2015.htm>

The Office of the Inspector General for the Board of Governors of the
Federal Reserve System and Consumer Financial Protection Bureau recently
issued an executive summary of the audit, which focuses on the Fed's
Statistics and Reserve System, or STAR. It recommends the Fed strengthen
information controls related to planning; security assessment and
authorization; contingency planning; auditing; access control; risk
assessment; and system and information integrity.

STAR is a mainframe system developed in 1998 that supports the statistics
and reserves functions at the Federal Reserve's Board and banks. The system
collects and edits more than 75 periodic statistical reports that are
received from financial institutions, according to OIG. In addition, the
system manages financial institutions' reserve requirements and term
deposits.

The system, which is being modernized to a Web-based application, is deemed
a moderate-risk system, meaning a breach could place the agency at a
significant disadvantage or result in major damage, requiring extensive
repairs to assets or resources.

The IG says it did not publish the full audit—even a redacted version --
"given the sensitivity of information security review work."

So, we do not know, for sure, what problems were found, can only speculate.

IGs need to find a way to describe in all their audits more details on how
to address IT security weaknesses while protecting sensitive information.

Massive economic info comes from the US Fed, which people want to be able to
reply upon.  Tons of things can go wrong, if this data can be manipulated by
hackers.

http://www.govinfosecurity.com/blogs/federal-reserve-infosec-concerns-raised-p-2024
https://oig.federalreserve.gov/reports/board-star-security-control-review-summary-dec2015.htm
http://www.federalreserve.gov/econresdata/default.htm


Oregon Benefit Information System mess

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Thu, 7 Jan 2016 23:10:07 -0600
The US State of Oregon appears to be engaged in a failed conversion effort,
with the department which helps Oregon citizens find new jobs, and get
unemployment compensation after losing old jobs.

Here is the latest in a series of cyber security audits:

http://sos.oregon.gov/audits/Documents/2015-31.pdf

This audit focuses on two systems,

  The Oregon Benefit Information System (OBIS), which processes unemployment
  benefits, and the Oregon Automated Tax System (OATS), which deals with
  unemployment tax reports from employers.

The Oregon Employment Department is converting from a 1990's mainframe
system, where essential documentation was inadequately maintained, and there
does not seem to be an effort to regenerate what's needed for better cyber
security.  They estimate it will take at least another decade to complete
this conversion, at which point the old system will be at least 30 years
old.  There is work to be done, which the old system allegedly cannot
handle, or the staff does not know how to make it handle, so a lot of work
is being done manually.  There may be many people who used to work on that
kind of system, qualified for what's needed, some of them part time, and for
which a state employment office is eminently qualified to locate & hire, but
instead they say they have no current employees with the necessary know-how.
They had an Oct 2014 breach
<http://www.oregonlive.com/money/index.ssf/2014/10/security_breach_discovered_at_oregon_employment_department_investigation_into_scope_source_continues.
html> involving over 800,000 citizens: names; addresses; SS#.  The
associated cyber security vulnerabilities have not yet been fixed.
Allegedly either they cannot be fixed on their old system, or no-one knows
how, or the state budget is too inadequate to resolve this.  The articles do
not identify what KIND of mainframe system.

http://portlandtribune.com/pt/9-news/287226-164243-brown-replaces-employment-department-director-after-critcal-audit

http://www.oregonlive.com/politics/index.ssf/2016/01/kate_brown_replaces_head_of_em.html

http://www.wweek.com/2015/12/31/audit-says-oregon-employment-department-computer-systems-should-be-replaced/

I do not understand how come 50 US states, with very similar
responsibilities, have to have 50 different computer systems, managed
independently.

A close Oregon neighbor is Silicon Valley.  Surely they can get professional
help, if they want it.

I do not even know if the Oregon system really is a mainframe system.  I
worked for 55+ years on systems, which were NOT mainframes, but most
everyone who works from a PC, labels anything larger than a PC as a main
frame.  After a while, I gave up on correcting people.

I have written and modified tens of thousands of programs in my career.  At
every employer, any given program can be modified hundreds of times, in its
life time, thus designing software so that it is easy to modify and test,
has always been an important criteria for me.  Apparently this is not a
common standard.  Blaming difficulty in modifying programs is the same as
saying the place has had a lack of standards for normal software support.

In my career I've done dozens of conversions across: OS versions; platforms;
hardware; software; data base systems; how data stored, accessed.

A successful conversion should take no more than 2 years from start to
finish.  I've done a few that took only a few months.

I have also been involved in conversions which got abandoned, thanks to
inadequate resources, change in management personnel & their desires, and
poor planning which I was not allowed to have a say about.

There are generally two main stages.

. Preparation & training - we get the qualified people, tools,
  documentation, budget, schedule, all planned out, how the implementation
  and testing is to be conducted, decide strategies such as how long to run
  in parallel, or which systems will be totally cut-over.  For a major
  conversion, this can take a year or more.  A major goal is to figure out
  how to do the implementation in as short a time period as practical.  Some
  tools may be purchased,, some may need to be developed in house.  Auditors
  should be consulted, to be sure the final design can meet their standards.
  When there is PII data involved, tests will need a data base of bogus
  info, because a failed test can mean a breach of the data being tested.

. Actual implementation, testing should take no more than 6 months to a
  year, during which time part of the budget pays for rank and file work
  force to get training in the new systems..


Michigan gets a damning cyber audit (Detroit Free Press)

"Alister Wm Macintyre" <macwheel99@wowway.com>
Tue, 5 Jan 2016 23:48:22 -0600
The State of Michigan had an IT audit, with poor results.  But the Governor
is taking them seriously.

80% of Michigan state gov is on Windows servers, which were not audited at
this time.

20% of Michigan state gov is on 950 UNIX servers. (I believe UNIX was
originally designed more for access than for security.) 63 of the 950 were
selected by MI Auditor General for a detailed audit.

(Other states & local governments should also audit their cyber security.)

Critical state operations are on 30 unsupported (obsolete) versions of UNIX.
( 30 / 63 up-to-date is better than what I have witnessed in my IT career).
5 of the unsupported versions had been that way for over 10 years.

90 % of the servers are not kept current with patches. If they get hacked,
they don't have the controls to detect that.  (very unhealthy)

There was no segregation of duties to protect against insider misbehavior,
like embezzlement, id theft, do proper change management, etc. (this audit
obviously long overdue)

84% of the servers had not had passwords changed in a timely fashion, with
one had not been changed in nine years. (I have seen worse.)

47% of the tested servers had had no vulnerability scans in over a month.
When that was done at the IG auditor request, an average of 77
vulnerabilities was found on these servers with 420 being the largest #.
(But how serious were they, and was there any budget to avoid this?) Some
servers had not been scanned in 2 years.

$2.9 million had been spent on a security tool, not installed on all
servers, for which this tool was paid for.

http://www.freep.com/story/news/local/michigan/2015/12/17/report-rips-security-state-computer-systems/77409208/

http://audgen.michigan.gov/finalpdfs/15_16/r071056315.pdf

State & Local governments, in the USA, have been hurting due in part to
reduced tax revenues from the Great Recession, followed by a tepid recovery,
with more financial bubbles at risk of bursting.  But all along, funding
leaders of private and public operations have typically treated IT as an
expense to minimize, not insurance needing minimum protection standards, nor
tool to maximize worker productivity.  Consequently there are periodic cyber
security incidents.

. Florida inadvertently exposed PII on children in foster care and/or court
  cases, we learned Oct 2015.

. Georgia accidentally released PII on 6 million voters, we learned Nov
  2015.

. Indiana had inadequate budget for cyber security, so DMV got breached
  (Driver & Motor Vehicle licenses), and someone stole corporate taxes paid
  for Unemployment Compensation.

. Illinois state employee payroll system got hacked, with id theft against
  most all of them.

. Maine had to pay ransom April 2015 to recover data smashed by malware.

. Minnesota password protection for DMV was inadvertently removed via an Aug
  2015 server update.

. Ohio had tax data on 50,000 taxpayers "lost" this month, January 2016.

. Oregon had a Dec 2015 breach of name, address, SS# & date of birth on
  almost 1,000 Veterans.

. Texas Nov 2015 breach released thousands of SS#s.

. Virginia GovWin system used 3rd party Deltek software, breached in 2014,
  getting user names, passwords on 80,000 users, and credit card info on
  25,000 users.

. Several states (I do not have a list) had Secretary of State registration
  of companies, with HQ in that state, hacked, to facilitate id theft
  against those companies.

. Many states have multiple incidents.

There are 50 US states, unless you accept the last Puerto Rico vote to
become a US state, as valid.  (US Senate does not.)

About 17% of all cyber breaches are of government systems.
http://datalossdb.org/statistics


What do we know about medical errors related to EMRs?

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 13 Jan 2016 9:49:10 PST
  [TNX to Dr. Deborah Peel" <dpeelmd@patientprivacyrights.org>]

http://thehealthcareblog.com/blog/2016/01/11/what-do-we-know-about-medical-errors-associated-with-electronic-medical-records/

The dangers of US electronic health systems are hidden and have never been
systematically studied. There is no meaningful federal oversight or
regulation of EHRs to protect the public.  Health IT vendors voluntarily
report flaws in their products. Yet healthcare is the largest sector of the
economy.  Is it unsafe at any speed?

Quotes from Ross Koppel:

* "Considerably over 80% of the reported errors involve horrific patient
  harm: many deaths, strokes, missed and significantly delayed cancer
  diagnoses, massive hemorrhage, 10-fold overdoses, ignored or lost critical
  lab results, etc.

* Central to this article's contribution is its data source and an
  understanding of the direction of causation of the findings: These errors
  came to light not because a healthcare provider noted an EHR-related
  problem, but because the patient was harmed, the provider was sued and
  there was an insurance payment."

The HITECH portion of the 2009 stimulus bill mandated national use of EHRs
without prior clinical trials.  EHRs were not comprehensively and thoroughly
tested for effectiveness, safety, usability, reliability, accuracy,
security, or privacy.

Besides causing bodily harms and deaths, US EHRs destroy the right to health
privacy: the data holders control all uses, disclosures and sales of
personal health data, not patients. See:
https://patientprivacyrights.org/2014/01/ims-health-files-ipo-legal/
We can't opt-out of EHRs, nor is it easy to find physicians who don't use
them. What if you don't have a physician-friend to stay with you 24/7 if
you're hospitalized?

www.patientprivacyrights.org<http://www.patientprivacyrights.org/>


Skylake processors appear to have some glitches (Ars Technica)

"Bob Gezelter" <gezelter@rlgsc.com>
Tue, 12 Jan 2016 11:19:16 -0700
Ars Technica reports that multiple organizations have uncovered a problem
with Intel's Skylake series processors when running complex computational
workloads.

>From the article:

"Intel has identified an issue that potentially affects the 6th Gen Intel
Core family of products. This issue only occurs under certain complex
workload conditions, like those that may be encountered when running
applications like Prime95. In those cases, the processor may hang or cause
unpredictable system behaviour.

Intel has developed a fix, and is working with hardware partners to
distribute it via a BIOS update.

No reason has been given as to why the bug occurs, but it's confirmed to
affect both Linux and Windows-based systems. Prime95, which has
historically been used to benchmark and stress-test computers, uses Fast
Fourier Transforms to multiply extremely large numbers. A particular
exponent size, 14,942,209, has been found to cause the system crashes."

The complete Ars Technica article is at:
http://arstechnica.com/gadgets/2016/01/intel-skylake-bug-causes-pcs-to-freeze-during-complex-workloads/


Google Opens Up About When Its Self-Driving Cars Have Nearly Crashed

"ACM TechNews" <technews-editor@acm.org>
Wed, 13 Jan 2016 12:21:38 -0500 (EST)
Matt McFarland, *The Washington Post*, 12 Jan 2016
  via ACM TechNews; 13 Jan 2016

Google's fleet of automated vehicles, currently undergoing testing on roads
in California and Texas, have had 13 near-misses in which a driver had to
intervene to prevent a collision, according to a new Google report on the
tests in California.  The study estimated on 272 occasions in the 14-month
test period drivers commandeered the cars due to software failure, while in
69 other incidents the drivers opted to take control to ensure the vehicles
operated safely.  The report points to a general decline in technology
malfunctions since the fall of 2014.  "It seems to be a pretty good sign of
progress," says Chris Urmson, director of Google's self-driving car project.
However, Princeton University's Alain Kornhauser cautions the cars'
performance under easy or favorable road conditions can be deceiving.  "It's
informative, but it shouldn't be treated as a true measure of the vehicle's
safety," says Carnegie Mellon University professor Aaron Steinfeld.  The
Google report cited the rate of disengagement, when the cars sense a system
failure and ask the test driver to take over, as the most significant area
of progress.  Although this rate fell in early 2015, it increased late in
the year, with Google attributing it to more difficult conditions under
which cars were being tested, such as in heavy traffic and inclement
weather.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-e854x2dae4x065853&


Clickjacking Campaign Plays on European Cookie Law

Lauren Weinstein <lauren@vortex.com>
Fri, 8 Jan 2016 09:10:03 -0800
https://blog.malwarebytes.org/fraud-scam/2016/01/clickjacking-campaign-plays-on-european-cookie-law/

  "We've spotted an advertising campaign that tricks users into clicking on
  what looks like a notification alert that actually hides a legitimate
  advert, therefore abusing both the advertiser and the ad network hosting
  the ad (Google Ads Services).  The rogue actors behind this fraudulent
  activity are cleverly leveraging a European law on the use of cookies to
  seemingly prompt visitors to answer a question."

I've been saying all along that the EU cookie notification law was useless,
nonsense, or worse. Well, here's proof of the worse.


`Smart' Guns: What Could Possibly Go Right?

Henry Baker <hbaker1@pipeline.com>
Fri, 08 Jan 2016 14:28:42 -0800
On RISKS, we ironically ask "what could possibly go wrong?" when shown some
new hare-brained technology.

In the case of "smart" guns, I can't even get past "what could possibly go
right?"

I haven't performed an exhaustive search, but I can't recall a single
instance in which a "smart" gun would have stopped *any* mass shooting
instance, nor *any* police shooting of an unarmed suspect.

"Smart" guns are an appeal to some God-like "AI" entity that can solve the
"Trolley Problem" [0] in microseconds; Google is supposedly working on such
technology for self-driving cars—but don't hold your breath waiting for a
God-like solution to this Trolley problem any time soon.

When it takes an entire legal system, including juries and prosecutors
weighing tons of evidence to come to a Monday-morning legal conclusion, how
in the world is some "smart gun" going to decide this in microseconds?

All that having been said, I'm even more frightened by what can go wrong; in
2016, we're about to harvest the most amazing collection of "Internet of
Things" security vulnerabilities that the world has ever seen.  However,
it's one thing if your Bluetooth pillow is hacked; quite another if your
"smart gun" is hacked.

[0] https://en.wikipedia.org/wiki/Trolley_problem

Terry Collins, CNET, 4 Jan 2016
Obama orders feds to study smart gun technology
http://www.cnet.com/news/obama-orders-feds-to-study-smart-gun-technology/


Can Computer Games Improve the Ability to Study? (Cathy Farmer)

"ACM TechNews" <technews-editor@acm.org>
Wed, 13 Jan 2016 12:21:38 -0500 (EST)
Cathy Farmer, University of Bristol News, 8 Jan 2016
  via ACM TechNews; 13 Jan 2016

University of Bristol researchers conducted a brain-imaging study showing
technological game-playing can involve brain activity that positively
supports learning.  The research is linked to a larger classroom study,
which will include 10,000 secondary school students across Britain, and it
could provide a new perspective on concerns that some children spend too
much time playing computer games.  The researchers will show how the
gamification of learning can reduce the activity of a particular brain
network that governs mind wandering.  The researchers found when students
tried to study by reading notes and looking at example questions, this
Default Mode Network portion of the brain was strongly activated.  However,
when studying became a competitive game, the additional brain activity
disappeared and learning increased.  "This is evidence that computer games
can be good for learning, if we are careful about how we design and develop
them," says University of Bristol professor Paul Howard-Jones.  As part of
the study, 24 student volunteers experienced three types of study sessions
while having their brains scanned.  The brain-imaging experiment showed how
the students concentrated and learned better when studying was part of a
game.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-e854x2daebx065853&


Ballot Battles: The History of Disputed Elections in the U.S.

"Luther Weeks" <Luther@CTVotersCount.org>
Sat, 9 Jan 2016 10:46:03 -0500
http://www.amazon.com/Ballot-Battles-History-Disputed-Elections/dp/0190235276/ref=sr_1_1?ie=UTF8

Here is what I said on my Blog, essentially what I said on Amazon:
http://ctvoterscount.org/book-review-ballot-battles-by-edward-b-foley/

Book Review: Ballot Battles by Edward B. Foley
By Luther Weeks <http://ctvoterscount.org/author/lgwadmin/>, 9 Jan 2016
<http://ctvoterscount.org/book-review-ballot-battles-by-edward-b-foley/>

I have long been a fan of the papers and other writings of Edward B. Foley
of the Moritz College of Law
<http://moritzlaw.osu.edu/faculty/professor/edward-b-foley/> .  He writes
extensively on the issues associated with close elections, how have been
decided since the founding of the United States, and how the process might
be improved. Last month his book on the subject, Ballot Battles:The History
of Disputed Elections in the United States was released.
<http://www.amazon.com/Ballot-Battles-History-Disputed-Elections/dp/0190235276>

To me, it was a highly fascinating read that kept my interest through every
page. It should be required reading for anyone interested in Election
Integrity.

As I would define it, Ballot Battles is focused on one component of election
integrity, i.e. How close elections have been decided in the U.S., rather
than if the vote counting itself was accurate. Foley's work is an important
component of election integrity. Further along that vein we could say that
Fair Elections go beyond Election Integrity to include fair voter
eligibility, access to the polls, candidate access to the ballot, access to
the press, and campaign financing etc.

Ballot Battles follows close elections and the process for deciding the
declared winner from 1781 through 2008.  While Presidential races from 1800,
1876, and 2000 are important, many other races for the U.S. Senate, U.S.
House, and Governors are just as important to history and the challenges
remaining today. Reforms have been attempted after major controversies, yet
as Foley shows they have been insufficient, including those after 2000.  We
remain vulnerable.  As summarized at one point in Ballot Battles:

"the 1960 presidential election must be viewed as a failure of American
government to operate as a well-functioning democracy.  That failure puts
1960 along-side 1876 - and, as we shall later consider, 2000 - in a
disturbing series of instances in which the nation has lacked the
institutional capacity to identify accurately the winner of the presidency."

There is no easy solution. It would likely require a Constitutional
Amendment.  Ultimately, as Foley recommends, following successful models of
instances of bodies of equal numbers of partisans, with a single respected
non-partisan member.  That is unlikely to always work, yet that has worked
better than the system we are left with for adjudicating close Federal
Elections.

Ballot Battles thoroughly covers the adjudication process and the risks to
which we are exposed.  Those seeking information on fraud and error in
elections will not find the details here.  Likewise, those seeking agreement
that the Supreme Court erred or acted responsibly in 2000 will find little
agreement here, yet much to ponder, much to learn about the law, and the
precedents applied to resolve election challenges.


FTC vs. dental practice software (Bank Info Sec)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Thu, 7 Jan 2016 14:26:40 -0600
The golden rule of privacy:  Say what you do and do what you say.

Violate that rule in the USA, and the gov may come after you, except where
you are allowed to keep your business practices confidential.

In the USA, medical privacy is governed by HIPAA regulations.
<http://www.healthcareinfosecurity.com/hipaa-hitech-c-282>
http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/

The US Federal Trade Commission (FTC) on Jan. 5 announced a $250,000
settlement with Henry Schein Practice Solutions, a New York-based provider
of practice management software for dental practices, stemming from the
company's false advertising about encryption capabilities.  The company has
been ordered to halt the misleading advertising, and to notify all prior
customers of the truth.

Schein had been marketing its Dentrix G5 software to dental practices around
the USA for two years with deceptive claims that the software provided
industry-standard encryption of sensitive patient information and, in doing
so, ensured that practices using its software would protect patient data as
required by HIPAA. Instead, however, the company was offering a less robust
"data masking technique using cryptographic technology," the FTC says.
<http://dentrix.com/products/dentrix>
<http://www.healthcareinfosecurity.com/hipaa-hitech-c-282>
http://www.bankinfosecurity.com/ftc-fines-software-vendor-over-encryption-cl
aims-a-8782
https://www.ftc.gov/system/files/documents/cases/160105scheincmpt.pdf


TurboTax and gmail and the conflation of two accounts

Stephen Bryant <scbscb@yahoo.com>
Tue, 5 Jan 2016 23:01:34 +0000 (UTC)
I haven't use TurboTax for years, but the last time I did I gave them a
gmail address.  The address had this form, using my actual first name,
middle initial, and last name:
  firstname.i.lastname@gmail.com.

In late March, 2014, I got email from TurboTax saying my tax return had been
rejected by the IRS.  Since I hadn't submitted one, I was concerned.

To make a long story short, I eventually realized that the mail had been
sent to firstnameilastname@gmail.com, not firstname.i.lastname@gmail.com.
It appears that google considered these to be the same address but TurboTax
did not.  Someone with my name, including middle initial, had entered that
address into TurboTax.  All subsequent mail from TurboTax came to me.

I decided it was not fraud on his part, just bad luck.

He soon fixed his tax return, because I got another email saying that it had
been accepted.

But later that year, I got a marketing email from TurboTax inviting me to
use their services again, and while trying to see if I could resolve the
underlying issue, wound up with a link to his tax return!

So I called TurboTax again but never felt certain that they really
understood.  But I do think the other guy has taken care of the problem on
his end since I'm no longer getting progress reports on his tax returns.

Two morals: be careful how you enter your email address, and uh, don't enter
it in a gmail signup page.  On the other hand, you could construct all sorts
of variants of your gmail address and use those to track who's sharing your
email address with whom.

Steve B (name withheld to protect the unlucky)


Twitter Considering 10,000-Character Limit for Tweets

Lauren Weinstein <lauren@vortex.com>
Tue, 5 Jan 2016 15:13:18 -0800
http://recode.net/2016/01/05/twitter-considering-10000-character-limit-for-tweets/

  Twitter is building a new feature that will allow users to tweet things
  longer than the traditional 140-character limit, and the company is
  targeting a launch date toward the end of Q1, according to multiple
  sources familiar with the company's plans.  Twitter is currently
  considering a 10,000 character limit, according to these sources.

Given their policy of allowing people and organizations you've never
followed to contaminate your timeline with commercials and other irrelevant
content, with no way for you to disable that pipeline, it's clear this is
really all about permitting much vaster contamination of this sort to take
place. In the Twitter environment, so deeply saturated with nasty trolls
already, this will be a sea change of the worst possible sort. Not the
beginning of the end for Twitter, but a major acceleration of the continuing
process already leading rapidly toward their demise.


URL query string parameters hanging on for dear life

Dan Jacobson <jidanni@jidanni.org>
Mon, 11 Jan 2016 15:27:26 +0800
Many times URL query string parameters have got mistreated, making *me* look
*bad*. It would be much better if the whole URL failed.

* YouTube starting time parameters ignored by players, making
grandma think I wanted her to watch the whole movie.

* Multiple Google Static Maps API path parameters being thrown away when
sharing via Facebook, making people think my map had only one path on it.

And I just *bet* the zoom parameter in
http://www.heywhatsthat.com/?view=QUPO7R8D&maptype=TERRAIN&zoom&hideprofiles=1
will one day fail, making it look like my noise complaint exhibit I used
it for was about a much larger area!


Calculating your threat 'score' (Justin Jouvenal)

Henry Baker <hbaker1@pipeline.com>
Mon, 11 Jan 2016 08:11:32 -0800
FYI—A bad FICO score could kill your chances of getting a mortgage.  A
bad 'Beware' score could kill you, period.

'Another program, called Media Sonar, crawled social media looking for
illicit activity.'

'But perhaps the most controversial and revealing technology is the
threat-scoring software Beware. ... The searches return the names of
residents and scans them against a range of publicly available data to
generate a color-coded threat level for each person or address: green,
yellow or red.  Exactly how Beware calculates threat scores is something
that its maker, Intrado, considers a trade secret, so it is unclear how much
weight is given to a misdemeanor, felony or threatening comment on Facebook.
However, the program flags issues and provides a report to the user.'

'Councilman Clinton J. Olivier, a libertarian-leaning Republican, said
Beware was like something out of a dystopian science fiction novel and asked
Dyer a simple question: "Could you run my threat level now?"  Dyer agreed.
The scan returned Olivier as a green, but *his home came back as a yellow,*
possibly because of someone who previously lived at his address, a police
official said.'

'"[Beware] has failed right here with a council member as the example."'

Justin Jouvenal, *The Washington Post*, 10 Jan 2016
The new way police are surveilling you: Calculating your threat 'score'
https://www.washingtonpost.com/local/public-safety/the-new-way-police-are-surveilling-you-calculating-your-threat-score/2016/01/10/e42bccac-8e15-11e5-baf4-bdf37355da0c_story.html


Routers could soon help police solve crimes (Ryan O'Hare)

Henry Baker <hbaker1@pipeline.com>
Mon, 11 Jan 2016 08:57:42 -0800
FCC WiFi Router Kerfuffle Coincidence? :

https://www.fcc.gov/news-events/blog/2015/11/12/clearing-air-wi-fi-software-updates-0

'Routers, for example, capture 'chatter' from smartphones, tablets and
wearables'

'Wi-Fi devices capture a media access control (MAC) address from mobile
devices, which are unique identifiers for each phone, laptop or tablet,
which try to connect to the network.'

'London's City Airport also recently won 800,000 of funding to develop
the tracking technology as part of its Internet of Things.  The airport is
using the technology to monitor servicing equipment as well as triangulate
the location of passengers in the terminal.'

Ryan O'Hare for MailOnline, 11 Jan 2016
Forget fingerprints, ROUTERS could soon help police solve crimes: Data
collected by Wi-Fi devices can find and identify criminals
www.dailymail.co.uk/sciencetech/article-3393878/Forget-fingerprints-ROUTERS-soon-help-police-solve-crimes-Data-collected-Wi-Fi-devices-identify-criminals.html

* Wi-Fi devices such as routers could be used by police to access data
* Information could place people at the scene at the time a crime took place
* Devices such as routers log successful as well as failed attempts to log on
* In addition, they can capture unique identifiers from mobile devices

[...]


Another fixed-width field problem

Steve Summit
Mon, 11 Jan 2016 16:36:51 -0500
It's not Y2K, it's more amusing than serious, but there are lots of
electronically-updatable variable-message signs around the U.S. that display
the current jackpot level of the multi-state Powerball lottery, but now that
it's hit $1.4 billion, most of the signs are stuck at $999 million.

https://www.washingtonpost.com/news/post-nation/wp/2016/01/11/the-powerball-jackpot-is-so-big-it-doesnt-even-fit-on-lottery-billboards/


USC students required to detail sexual history before registering for classes (Anthony Gockowski)

Henry Baker <hbaker1@pipeline.com>
Tue, 12 Jan 2016 16:45:46 -0800
FYI—This is really insane!  How long before this information gets hacked
& posted online—a la "Ashley Madison" ?

"This course is *mandatory*, and you must complete it by February 9, 2016.
If you do not complete the training by this date you will receive a
*registration hold* until the training is complete,"

Anthony Gockowski. Campus Reform
http://www.campusreform.org/?IDq55

A mandatory online course at USC asks students to disclose the number of
sexual encounters they have had.  Many universities require students to
complete a course on Title IX, but some students at USC are worried the
online course they are required to take is too intrusive. [...]


Security of IoT: "always listening" devices in the office + "IoT"

Lauren Weinstein <lauren@vortex.com>
Thu, 7 Jan 2016 09:02:24 -0800
Security of IoT [Internet of Things] "always listening" devices in the
office + "Internet of Thing"

Do You Have a Security Policy for "IoT" Gadgetry in the Office?
http://www.securityweek.com/when-iot-comes-office

  But on a serious note—how many things are showing up at the office this
  week that are an always-on conduit to your network from some external
  third party you really shouldn't be trusting? Watches, streaming media
  widgets, phones, tablets and a whole host of other things are likely
  making their way into the office right now. You probably have a BYOD
  policy, but do you have an IoT policy? BYOD policies are meant to address
  your mobile handsets, tablets and personal laptops, but who's addressing
  all the other gadgetry?

  = =
"Internet of Thing":

[G+ IMAGE] - https://plus.google.com/+LaurenWeinstein/posts/desWQWgwFYG


Fortinet Firewalls seem to have a hardwired SSH Password issue

"Bob Gezelter" <gezelter@rlgsc.com>
Tue, 12 Jan 2016 19:10:54 -0700
According to Fortinet via Ars Technica:

"This issue was resolved and a patch was made available in July 2014 as part
of Fortinet's commitment to ensuring the quality and integrity of our
codebase. This was not a "backdoor" vulnerability issue but rather a
management authentication issue. The issue was identified by our Product
Security team as part of their regular review and testing efforts. After
careful analysis and investigation, we were able to verify this issue was
not due to any malicious activity by any party, internal or external. All
versions of FortiOS from 5.0.8 and later as well as FortiOS 4.3.17 and later
are not impacted by this issue."

However, the Arstechnica article also states:

"According to the exploit code, the undisclosed authentication works on
versions 4.3 up to 5.0.7. If correct, the surreptitious access method was
active in FortiOS versions current in the 2013 and 2014 time frame and
possibly earlier, based on this rough release history. The weakness was
eventually patched, but so far, researchers have been unable to locate a
security advisory that disclosed the alternative authentication method or
the hard-coded password. While one researcher told Ars the exploit no longer
works in version 5.2.3, that release is still suspicious because it
contained the same hard-coded string."

Why was such a hardcoded access mechanism included in the first place.

The complete Ars Technica article is at:
http://arstechnica.com/security/2016/01/et-tu-fortinet-hard-coded-password-raises-new-backdoor-eavesdropping-fears/

- Bob Gezelter, http://www.rlgsc.com


Re: FTC's "Privacy Con" kicks out those who care about privacy

John Gilmore <gnu@toad.com>
January 10, 2016 at 6:04:44 PM EST
Wait, this is a "Privacy Convention" where you can't even get in without
showing government-issued photo ID to government employed goons?  Held at
the "Constitution Center" where everyone is searched without cause before
they are permitted to participate?

Clearly some apparatchiks with doublethink minds are very busy at the
Federal Trade Commission.  I guess you won't see anybody there who
actually has any personal principles about privacy, because the job of
the guards is to keep such people OUT.

	John

PS: Come super early, because (1) the useless suspicionless searches
will be slow because the government doesn't care how much of your time
they waste; and (2) even though they asked you to send in your
information early to "pre-register", they just keep that info and use
it for the government's interest—never for your interest.  And you
perhaps thought the FTC was more on the side of the individual citizen
than other government agencies like, say, the TSA, DoJ, or the IRS?
Ho, ho, ho.


Re: Dutch government defers on dumbing down security (EDRi)

"Paul van Keep" <paul@vankeep.com>
Wed, 6 Jan 2016 00:07:04 +0100
I'd like to suggest some improvements to the translation of the conclusion of
the original letter from the Dutch Government.

Google Translate does a reasonable job but still gets some meanings
completely wrong:

  "The government's role is to ensure the safety of the Netherlands and the
  offenses to detect."

should be

  "The government's role is to ensure the safety of the Netherlands and to
  investigate criminal activities."

and

  "In the international context, the Netherlands will pronounce these
  conclusion and the considerations."

should be

  "The Netherlands will advocate this resolution and the underlying
  considerations in the international context."

H.G.J. Kamp is Minister of Economic Affairs.


Re: Analysis of VW Dieselgate SW (Baker, RISKS-29.20)

Dan Pritts <danno@dogcheese.net>
Tue, 5 Jan 2016 15:21:33 -0500
> FYI—Terrific analysis of the VW Dieselgate software:

> The computer software has two different modes, one of which is far more
> efficient in its use of the additive Adblue (urea); the less efficient
> model is selected only when running the standardized test.

The primary/initial culprit in the US is a different VW Diesel - one that
does not use Adblue.


Re: Hotmail and how not to block spam (RISKS-29.20)

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Wed, 6 Jan 2016 08:17:03 -0500
In RISKS 29.20, Gene Wirchenko described having relinquished an email
address, and then getting it back 20 months later from the ISP.  He and I
corresponded, and I wrote:

"But the real risk is that if someone other than you had recovered your
email address, they could have used that access to get access to any
accounts (e.g., e-commerce, bank) where you had forgotten to change your
address on file.  Since very few sites require anything other than access to
the email account listed on initial account setup, reallocation of email
addresses is a serious risk.  I'm really surprised that any ISP would allow
it, without clear evidence that you were in fact the same person."

Gene clarified that he had proved to the ISP that he was in fact the same
person (which is a relief to me!).  And he agreed that the risk of account
recovery given access to a legitimate email address is a real one, perhaps
more serious than the risks he had identified in his message (mailbombing
and leaking identifiable information).

Of course this isn't a comprehensive list of risks from someone recovering a
former email address - we've all experienced scammers using captured
accounts for "help, I'm stuck overseas" scams, spear phishing attacks, etc.


Re: Hotmail and how not to block spam (RISKS-29.20)

"John Levine" <johnl@iecc.com>
6 Jan 2016 01:52:46 -0000
> There are also risks here.  What it had been someone else who had gotten
> that E-mail address?  1) The person gets mailbombed.  2) There might be
> >enough identifiable information to cause trouble in some cases.

No kidding.  A year or so ago Yahoo freed up a bunch of long abandoned
account names and it occurred to a lot of people that this could be a
problem.  It turned out that those particular Yahoo accounts hadn't been
used for mail in a very long time, if ever but it's still a problem.

So to slap a band-aid on it, the IETF published RFC 7293, which lets a
sender add a mail header like this:

 Require-Recipient-Valid-Since: bob@examp1e.com; Sat, 1 Jun 2013 09:23:01 -0700

That tells the recipient system that if the recipient isn't the same person
it was on that date, please don't deliver the mail.  (There's also an SMTP
extension, see the RFC for details.)  This depends on the recipient system
implementing it, but it's better than nothing.


Re: Risks of Facial Recognition (RISKS-29.20)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Tue, 5 Jan 2016 16:03:15 -0600
> Facial Recognition is unregulated.
> Companies may do anything they please with your picture.

Prof. Peter Bernard Ladkin points out that this is not true in Europe.

Sorry.  I am in the USA, summarizing what was in a USA publication.
Pages 40-45 of the Feb 2016 issue of Consumer Reports magazine.

It includes US privacy advocates attempting to reform this system, corporate
interests not complying, a lack of meaningful US regulations, implied
consent, with zero explicit warnings.

It gives examples of how Facial Recognition has allegedly been used in
several international venues, including: cruise ships; Germany; Latin
America; Singapore; South Korea; Spain; UK; USA.

Be warned Europeans, if you visit the USA.  You won't have privacy
rights you are accustomed to.

Please report problems with the web pages to the maintainer

Top