The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 55

Tuesday 7 June 2016

Contents

An expensive Pivot Table
Patrick O'Beirne
Nanaimo hospital health-care system problems
dkross
Hackers disrupt Russian Internet Primaries
RT
"Push for encryption law falters despite Apple case spotlight"
via John Gilmore
"FBI pushes for more power to crush your privacy"
Caroline Craig
Yahoo Announces Public Disclosure of National Security Letters
LW
"Judge sends two to prison for 7 years for H-1B fraud"
Patrick Thibodeau
App to get PII from CAC card
Jeremy Epstein
"Android gets patches for serious flaws in hardware drivers and mediaserver"
Lucian Constantin
Geopolitical Hedging as a Service
JEBruner
TeamViewer users are being hacked in bulk, and we still don't know how
Ars Technica
Dutch Firm Trains Eagles to Take Down High-Tech Prey: Drones
NYTimes
Dodgers using a global positioning device to situate their fielders
NYTimes
This 'Demonically Clever' Backdoor Hides In a Tiny Slice of a Computer Chip
Andy Greenberg
Password app developer overlooks security hole to preserve ads
Engadget
Facebook, Twitter, YouTube and Microsoft agree to remove hate speech across the EU
techcrunch
Samsung: Don't install Windows 10. REALLY
The Register
Phones and Badges, whatever could go wrong...wrong....wrong
David Lesher
"Oracle employee says she was sacked for refusing to fiddle cloud accounts"
John Ribeiro
"NSW government playing Big Brother with citizens' data"
Asha Barbaschow
"Right to be forgotten" extends to newspaper archives
Flanders Today
Holiday Fun_"glitch" at Kennedy_pen and paper check in
dkross
OPM and US gov breach theater
Alister Wm Macintyre
Re: Major Cell Phone Radiation Study Reignites Cancer Questions
David Brodbeck
David Brodbeck
Re: The risk of blaming the messenger
Jay Libove
Re: France's Guillotining of Global Free Speech
Chris Drewe
The Oracle Effect: 'isis'
Daily WTF
PGN
Re: Microsoft accused of Windows 10 upgrade "nasty trick"
Jack Christensen
Re: Another Risk of Self-Driving Cars; Clogged Highways?!?
Craig Burton
Re: Connected Car Security
John Levine
Re: In Oracle v. Google, a Nerd Subculture Is on Trial
John Levine
Re: Theoretical Breakthrough Made in Random Number Generation
John Levine
Info on RISKS (comp.risks)

An expensive Pivot Table

"Patrick O'Beirne" <pob@sysmod.com>
Wed, 1 Jun 2016 12:09:59 +0100
Recently discussed on the Eusprig (European Spreadsheet Risk Interest Group)
mail list:

A hospital trust in Blackpool (pop. 145,000) in the UK was fined 185,000 GBP
for leaking sensitive information via an Excel PivotTable.

https://ico.org.uk/media/action-weve-taken/mpns/1624118/blackpool-nhs-trust-monetary-penalty-notice.pdf

It is a problem of the sorcerer's apprentice - knowing enough to be
dangerous.  To paraphrase Barry Boehm, "[EUC gives] many who have little
training or expertise in how to avoid or detect high-risk defects tremendous
power to create high-risk defects."

The key point is "The Trust knew or ought to have envisaged those risks and
it did not take reasonable steps to prevent the contravention."  So: if they
OUGHT to have known, by what means were they expected to envisage those
risks? What guidance is available that describes that issue? Is it part of
any accredited training materials? The answer I think is here:

"It is worth noting that the Commissioner's office issued two monetary
penalty notices on 30 July 2012 (Torbay NHS Trust) and 20 August 2013
(Islington Council) which raised awareness about the issue of data that
could be hidden in pivot tables. The Commissioner's office also
published a blog on 28 June 2013 entitled The Risk of Revealing Too Much."

https://iconewsblog.wordpress.com/2013/06/28/ico-blog-the-risk-of-revealing-too-much/
This shows the pivot table feature in question.
Just to explain, if the pivot cache is present then even if the original data
sheet is deleted, the data can be recreated by a simple double-click on a
PivotTable cell.

They reference:
https://iconewsblog.wordpress.com/2015/11/13/the-dangers-of-hidden-data/
https://www.mysociety.org/2013/06/13/whatdotheyknow-team-urge-caution-when-using-excel-to-depersonalise-data/

Read the "Five Key Messages" at the end.

This is of course just one such example. The hidden rows in the Barclays
bid for Lehman assets, or the summary chart in a paper on hospital
treatments which had the entire Excel spreadsheet embedded in it, are more.

Patrick O'Beirne, Systems Modeling http://www.sysmod.com
http://ie.linkedin.com/in/patrickobeirne
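The double-click recovery described above works because an .xlsx is a zip package and the pivot cache (the xl/pivotCache/ parts) is stored separately from the worksheet it was built from, so deleting the sheet leaves the cached rows behind. The following Python script is an added example, not code from the post, the ICO or mySociety material: it reads the package parts directly and reports cached pivot rows, caches whose source sheet no longer exists, and hidden sheets, a pre-release check a data-protection reviewer could run without opening Excel. The sample workbook it builds in memory is constructed for the demonstration and contains only the parts the check reads; it is not a complete Excel-openable file.

```python
"""Pre-release check: does an .xlsx still carry pivot-cache data that can
resurrect a deleted source sheet?  Added example; not part of the RISKS post."""
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# SpreadsheetML main namespace used by workbook.xml and the pivotCache parts
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
RECORDS_RE = re.compile(r"xl/pivotCache/pivotCacheRecords\d+\.xml")
DEFINITION_RE = re.compile(r"xl/pivotCache/pivotCacheDefinition\d+\.xml")


def pivot_cache_report(xlsx_bytes):
    """Inspect the OOXML package and report cached pivot data.

    Returns the sheets still present (and which of them are hidden), the
    sheets the caches were built from, the number of cached source rows, and
    which caches are orphaned, i.e. their source sheet has been deleted.
    """
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        names = zf.namelist()

        sheets, hidden = [], []
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(zf.read("xl/workbook.xml"))
            for s in wb.iterfind(".//m:sheets/m:sheet", NS):
                sheets.append(s.get("name"))
                if s.get("state") in ("hidden", "veryHidden"):
                    hidden.append(s.get("name"))

        cached_rows = 0
        for part in names:
            if RECORDS_RE.fullmatch(part):
                root = ET.fromstring(zf.read(part))
                # each <r> is one cached source row (inline values or shared-item indexes)
                cached_rows += len(root.findall("m:r", NS))

        cached_sheets = []
        for part in names:
            if DEFINITION_RE.fullmatch(part):
                root = ET.fromstring(zf.read(part))
                src = root.find(".//m:cacheSource/m:worksheetSource", NS)
                if src is not None and src.get("sheet"):
                    cached_sheets.append(src.get("sheet"))

    return {
        "workbook_sheets": sheets,
        "hidden_sheets": hidden,
        "cached_sheets": cached_sheets,
        "cached_rows": cached_rows,
        "orphaned": [s for s in cached_sheets if s not in sheets],
    }


def safe_to_release(xlsx_bytes):
    """True only if no pivot-cache rows and no hidden sheets remain."""
    report = pivot_cache_report(xlsx_bytes)
    return report["cached_rows"] == 0 and not report["hidden_sheets"]


def build_sample_workbook(keep_cache=True):
    """Constructed test input: the 'RawData' sheet was deleted but the pivot
    cache built from it was left behind.  Only the parts this check reads are
    included, so this is not a complete Excel file."""
    main = NS["m"]
    workbook = ('<workbook xmlns="%s"><sheets>'
                '<sheet name="Summary" sheetId="1"/></sheets></workbook>' % main)
    definition = ('<pivotCacheDefinition xmlns="%s"><cacheSource type="worksheet">'
                  '<worksheetSource ref="A1:C4" sheet="RawData"/></cacheSource>'
                  '</pivotCacheDefinition>' % main)
    # three cached rows: the record-level data the summary table was meant to hide
    records = ('<pivotCacheRecords xmlns="%s" count="3">'
               '<r><s v="Patient A"/><s v="Cardiology"/><n v="41200"/></r>'
               '<r><s v="Patient B"/><s v="Oncology"/><n v="38950"/></r>'
               '<r><s v="Patient C"/><s v="Cardiology"/><n v="52300"/></r>'
               '</pivotCacheRecords>' % main)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
        if keep_cache:
            zf.writestr("xl/pivotCache/pivotCacheDefinition1.xml", definition)
            zf.writestr("xl/pivotCache/pivotCacheRecords1.xml", records)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("leaky", build_sample_workbook()),
                        ("clean", build_sample_workbook(keep_cache=False))):
        print(label, pivot_cache_report(blob), "release:", safe_to_release(blob))
```

Because the check reads package parts rather than cell values, it also flags caches left behind by a sheet that was removed long ago, which is exactly the case the ICO notices describe. A non-zero cached_rows count means the summary should be rebuilt from pasted values, or the cache cleared, before the file leaves the organisation.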


Nanaimo hospital health-care system problems

"Deank..vzw" <dkross@vzw.blackberry.net>
Mon, 30 May 2016 17:39:12 +0000
http://www.theprovince.com/health/local-health/nanaimo+doctors+electronic+health+record+system/11947563/story.html

But nine weeks after startup, physicians in the Nanaimo hospital's
intensive-care and emergency departments reverted to pen and paper this
week *out of concern for patient safety*.

Doctors said the system is flawed—generating wrong dosages for the most
dangerous of drugs, diminishing time for patient consultation, and losing
critical information and orders...

...But doctors complain the new technology is slow, overly complicated and
inefficient.

"The iHealth computer interface for ordering medications and tests is so
poorly designed that not only does it take doctors more than twice as long
to enter orders, even with that extra effort, serious errors are occurring
on multiple patients every single day," wrote one physician at the Nanaimo
hospital.  "Tests are being delayed. Medications are being missed or
accidentally discontinued."

Doctors can't easily find information entered by nurses, the physician
wrote.


Hackers disrupt Russian Internet Primaries

Jeremy Epstein <jeremy.j.epstein@GMAIL.COM>
Mon, 30 May 2016 16:23:38 -0400
https://www.rt.com/politics/344827-voters-personal-data-leaked-online/

Opposition PARNAS party cancels primaries over massive leak of voters'
personal data, RT, 30 May 2016

The Russian Party of People's Freedom, PARNAS, has had to suspend its
Internet primaries after a file with personal details of all participants
was placed on the party's website. Top party officials blame unidentified
hackers for the privacy breach.

PARNAS was holding primaries in order to finalize its list of candidates for
the September parliamentary elections. Ninety-six candidates and about
24,000 voters registered for the procedure, but the number of those who
actually voted was much lower.

The file containing logins and passwords of everyone who had taken part in
the primaries was posted on the PARNAS website on Sunday afternoon. The data
was real and allowed anyone to see full details of any voter—including
name, emails and phone numbers, as well as the people they voted for. Site
administrators had to shut down the Internet voting earlier than planned and
recommended that their supporters urgently change all their passwords.


"Push for encryption law falters despite Apple case spotlight" (Volz et al.)

John Gilmore <gnu@toad.com>
Sun, 29 May 2016 23:17:50 -0700
http://www.reuters.com/article/us-usa-encryption-legislation-idUSKCN0YI0EM
Dustin Volz, Mark Hosenball and Joseph Menn, Reuters, 27 May 2016

After a rampage that left 14 people dead in San Bernardino, key
U.S. lawmakers pledged to seek a law requiring technology companies to give
law enforcement agencies a "back door" to encrypted communications and
electronic devices, such as the iPhone used by one of the shooters.

Now, only months later, much of the support is gone, and the push for
legislation dead, according to sources in congressional offices, the
administration and the tech sector.

Draft legislation that Senators Richard Burr and Dianne Feinstein, the
Republican and Democratic leaders of the Intelligence Committee, had
circulated weeks ago likely will not be introduced this year and, even if it
were, would stand no chance of advancing, the sources said.

Key among the problems was the lack of White House support for legislation
in spite of a high-profile court showdown between the Justice Department and
Apple Inc over the suspect iPhone, according to Congressional and Obama
Administration officials and outside observers.

"They've dropped anchor and taken down the sail," former NSA and CIA
director Michael Hayden said.


"FBI pushes for more power to crush your privacy" (Caroline Craig)

Gene Wirchenko <genew@telus.net>
Mon, 06 Jun 2016 09:32:13 -0700
Caroline Craig, InfoWorld, 3 Jun 2016
The FBI continues its push to greatly expand government surveillance
and exempt that spying from constitutional safeguards and privacy rules
http://www.infoworld.com/article/3078179/privacy/fbi-pushes-for-more-power-to-crush-your-privacy.html

opening text:

Like living in a police state much? The FBI is pushing on multiple fronts to
greatly expand its surveillance powers and exempt that spying from
constitutional safeguards and privacy rules. Many in Congress are only too
happy to help.

With a treasure trove of digital information tantalizingly within reach, the
FBI doesn't want to be slowed down by inconveniences like Fourth Amendment
protections. So frustrated is FBI chief James Comey by constitutional limits
that he told the Senate Intelligence Committee that the FBI's difficulty in
getting its hands on Americans' online communications resulted from a "typo"
in the law that should be changed. He may get his wish.


Yahoo Announces Public Disclosure of National Security Letters

Lauren Weinstein <lauren@vortex.com>
Sun, 5 Jun 2016 15:33:00 -0700
https://yahoopolicy.tumblr.com/post/145258843473/yahoo-announces-public-disclosure-of-national

  As part of our ongoing commitment to transparency, Yahoo is announcing
  today the public disclosure of three National Security Letters (NSLs) that
  it received from the Federal Bureau of Investigation (FBI). This marks the
  first time any company has been able to publicly acknowledge receiving an
  NSL as a result of the reforms of the USA Freedom Act.  We're able to
  disclose details of these NSLs today because, with the enactment of the
  USA Freedom Act, the FBI is now required to periodically assess whether an
  NSL's nondisclosure requirement is still appropriate, and to lift it when
  not. We believe this is an important step toward enriching a more open and
  transparent discussion about the legal authorities law enforcement can
  leverage to access user data.


"Judge sends two to prison for 7 years for H-1B fraud" (Patrick Thibodeau)

Gene Wirchenko <genew@telus.net>
Mon, 06 Jun 2016 10:14:16 -0700
Patrick Thibodeau, Computerworld, 4 Jun 2016
Company ran 'a captive stable of cheap labor,' say U.S. officials
http://www.computerworld.com/article/3079224/it-careers/judge-sends-two-to-prison-for-7-years-for-h-1b-fraud.html

opening text:

Two brothers were sentenced Friday to 87 months in prison for running an
H-1B fraud scheme intended to create a low cost, on-demand workforce,
federal law enforcement officials said.


App to get PII from CAC card

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Fri, 3 Jun 2016 10:10:53 -0400
US Department of Defense employees use Common Access Cards (typically, and
redundantly, called "CAC Cards").  Depending on the specific parts of DoD,
these are used both as ID badges and access cards (e.g., to get into
buildings or to access computers), etc.  Since in many places these are the
ID badges, they are typically worn on a necklace or on a pocket or belt,
but in general in a place that's highly visible.  Employees are generally
instructed not to have their badges visible outside their work location,
but that rule is honored in the breach.  (For example, on the subway, or in
restaurants near DoD offices at lunchtime.)

The CAC Card has a 2D barcode, which apparently includes the person's name,
SSN, and other information, in an unencrypted form.  Someone developed a
mobile phone app (called CACscan) which retrieves this information from a
photo.  [See
https://www.reddit.com/r/AirForce/comments/4l6tui/just_got_this_email_about_the_google_play_app/
for a discussion.]

The response to this app has been interesting - basically broken into
recommendations to protect (e.g., don't leave your card visible when
outside work, watch for people taking photographs) and foolish (e.g., don't
download the app - which doesn't solve the problem).  [The latter can be
found at
https://ellsworthafrc.org/2016/05/25/attention-android-device-owners-do-not-use-cac-scan-app/
]

Surprisingly - or not - I've not seen anything discussing *fixing* the
problem - or maybe it's effectively impossible to do anything in the short
term, given the number of cards that would need to be reissued, systems
that would need to be revised to deal with encrypted bar codes, etc.


"Android gets patches for serious flaws in hardware drivers and mediaserver" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Mon, 06 Jun 2016 15:33:02 -0700
Google has fixed more than 30 vulnerabilities in Android.

Lucian Constantin, InfoWorld, 6 Jun 2016
http://www.infoworld.com/article/3079791/android/android-gets-patches-for-serious-flaws-in-hardware-drivers-and-mediaserver.html

opening text:

The June batch of Android security patches addresses nearly two dozen
vulnerabilities in system drivers for various hardware components from
several chipset makers.

The largest number of critical and high severity flaws were patched in the
Qualcomm video driver, sound driver, GPU driver, Wi-Fi driver, and camera
driver. Some of these privilege escalation vulnerabilities could allow
malicious applications to execute malicious code in the kernel leading to a
permanent device compromise.


Geopolitical Hedging as a Service (JEBruner)

Lauren Weinstein <lauren@vortex.com>
Fri, 3 Jun 2016 10:14:26 -0700
http://jebruner.com/2016/06/geopolitical-hedging-as-a-service/

  Google and Microsoft have found themselves embroiled in some awkward
  geopolitical disputes as they've made their mapping services available
  around the world, and they've found a brilliant diplomatic workaround to
  the demands of dogmatic politicians: they give each country the map that
  its government wants, serving it seamlessly to domestic users by reckoning
  the locations of their IP addresses.  It's possible to force these
  services to display the map corresponding to a particular country, though,
  and I've done that here in order to compare the maps that they serve to
  different constituencies. Try out some examples of delicate sensibilities
  by clicking the links below, or explore the map comparisons by using the
  drop-down menus. Click the [=>] symbol for more background on each
  disagreement.

Obi-Wan: "Luke, you're going to find that many of the truths we cling to
depend greatly on our own point of view."


TeamViewer users are being hacked in bulk, and we still don't know how (Ars Technica)

Lauren Weinstein <lauren@vortex.com>
Sun, 5 Jun 2016 12:09:07 -0700
http://arstechnica.co.uk/security/2016/06/teamviewer-users-hacked-but-how/

  For more than a month, users of the remote login service TeamViewer have
  taken to Internet forums to report their computers have been ransacked by
  attackers who somehow gained access to their accounts. In many of the
  cases, the online burglars reportedly drained PayPal or bank accounts. No
  one outside of TeamViewer knows precisely how many accounts have been
  hacked, but there's no denying the breaches are widespread.

TeamViewer has also long been the favored tool of fake support scammers.


Dutch Firm Trains Eagles to Take Down High-Tech Prey: Drones (NYT)

Monty Solomon <monty@roscom.com>
Sun, 29 May 2016 02:10:10 -0400
When small, off-the-shelf models pose security or other threats, birds have
the advantage of grounding them without a potentially dangerous crash.
http://www.nytimes.com/2016/05/29/world/europe/drones-eagles.html


Dodgers using a global positioning device to situate their fielders

Monty Solomon <monty@roscom.com>
Sun, 29 May 2016 02:28:24 -0400
Chase Utley, Missed by a Pitch, Burns the Mets With Two Home Runs
http://www.nytimes.com/2016/05/29/sports/baseball/chase-utley-missed-by-noah-syndergaard-pitch-burns-the-mets.html

The Mets reportedly complained to Major League Baseball about the Dodgers
using a global positioning device to situate their fielders.

"We observed some members of the Dodgers organization using technology to
establish defensive positions, presumably for use during the game.  Major
League Baseball is going to look at that issue," Mets General Manager
Sandy Alderson told ESPN.

The Dodgers did not deny using such a device as a positioning and scouting
aid, though they said it was not employed during a game. There is no MLB
rule outlawing the method. The Dodgers reportedly asked the Mets if they
could paint lines on the Citi Field grass as markers for their fielders, but
Alderson denied the request.


This 'Demonically Clever' Backdoor Hides In a Tiny Slice of a Computer Chip (Andy Greenberg)

Dewayne Hendricks <dewayne@warpspeed.com>
Sunday, June 5, 2016
Andy Greenberg, *WiReD*, 1 Jun 2016
https://www.wired.com/2016/06/demonically-clever-backdoor-hides-inside-computer-chip/

Security flaws in software can be tough to find. Purposefully planted ones,
hidden backdoors created by spies or saboteurs, are often even
stealthier. Now imagine a backdoor planted not in an application, or deep in
an operating system, but even deeper, in the hardware of the processor that
runs a computer. And now imagine that silicon backdoor is invisible not only
to the computer's software, but even to the chip's designer, who has no idea
that it was added by the chip's manufacturer, likely in some far-flung
Chinese factory. And that it's a single component hidden among hundreds of
millions or billions. And that each one of those components is less than a
thousandth of the width of a human hair.

In fact, researchers at the University of Michigan haven't just imagined
that computer security nightmare; they've built and proved it works. In a
study that won the best paper award at last week's IEEE Symposium on Privacy
and Security, they detailed the creation of an insidious, microscopic
hardware backdoor proof-of-concept. And they showed that by running a series
of seemingly innocuous commands on their minutely sabotaged processor, a
hacker could reliably trigger a feature of the chip that gives them full
access to the operating system. Most disturbingly, they write, that
microscopic hardware backdoor wouldn't be caught by practically any modern
method of hardware security analysis, and could be planted by a single
employee of a chip factory.

"Detecting this with current techniques would be very, very challenging if
not impossible," says Todd Austin, one of the computer science professors
at the University of Michigan who led the research.  "It's a needle in a
mountain-sized haystack."  Or as Google engineer Yonatan Zunger wrote after
reading the paper: "This is the most demonically clever computer security
attack I've seen in years."  [... The paper considers inserting analog
devices as simple as a capacitor.  PGN]


Password app developer overlooks security hole to preserve ads

Lauren Weinstein <lauren@vortex.com>
Sat, 4 Jun 2016 21:26:39 -0700
http://www.engadget.com/2016/06/04/keepass-wont-fix-security-hole-due-to-ads/

  Think it's bad when companies take their time fixing security
  vulnerabilities? Imagine what happens when they avoid fixing those holes
  in the name of a little cash. KeePass 2 developer Dominik Reichl has
  declined to patch a flaw in the password manager's update check as the
  "indirect costs" of the upgrade (which would encrypt web traffic) are too
  high—namely, it'd lose ad revenue. Yes, the implication is that profit
  is more important than protecting users.


Facebook, Twitter, YouTube and Microsoft agree to remove hate speech across the EU (techcrunch)

Lauren Weinstein <lauren@vortex.com>
Tue, 31 May 2016 07:43:33 -0700
http://techcrunch.com/2016/05/31/facebook-twitter-youtube-and-microsoft-agree-to-remove-hate-speech-across-the-eu/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

  Facebook, Twitter, Google's YouTube, Microsoft as well as the European
  Commission unveiled a new code of conduct to remove hate speech according
  to community guidelines in less than 24 hours across these social media
  platforms. The EU has ramped up efforts leading to this code of conduct
  following the recent terrorist attacks in Brussels and Paris.

Also:
Beware the Global Net Police -
http://archive.wired.com/politics/law/news/2002/12/56916
(2002 in "Wired" by yours truly)

A Proposal for Dealing with Terrorist Videos on the Internet
http://lauren.vortex.com/archive/001139.html
(Dec 2015 from my legacy blog)


Samsung: Don't install Windows 10. REALLY

People For Internet Responsibility
Wed, 1 Jun 2016 08:54:25 -0700
http://www.theregister.co.uk/2016/05/31/windows_10_samsung_fail/

  Samsung is advising customers against succumbing to Microsoft's nagging
  and installing Windows 10.  The consumer electronics giant's support staff
  have admitted drivers for its PCs still don't work with Microsoft's newest
  operating system and told customers they should simply not make the
  upgrade.  That's nearly a year after Microsoft released Windows 10 and
  with a month to go until its successor - Windows 10 Anniversary Update -
  lands.  Samsung's customers have complained repeatedly during the last 12
  months of being either unable to install Microsoft's operating system on
  their machines or Windows 10 not working properly with components if they
  do succeed.  However, with the one-year anniversary fast approaching it
  seems neither of these tech giants have succeeded in solving these
  persistent problems.


Phones and Badges, whatever could go wrong...wrong....wrong

David Lesher <wb8foz@panix.com>
Sun, 05 Jun 2016 16:38:48 -0400
Kastle Systems, a supplier of access control systems, has a new application
to turn your cell phone into your building access badge.

We don't need no syncing badges!

I can't imagine anything would ever go wrong. No one's phone ever gets
cracked, no OS upgrade breaks existing apps, phones are never stolen, and
the batteries last forever!

<https://www.washingtonpost.com/business/capitalbusiness/with-new-hands-free-system-kastle-is-investing-big-in-office-security/2016/06/03/3f018a0a-2429-11e6-9e7f-57890b612299_story.html>

  [Also noted by Geoff Goodfellow.  PGN]


"Oracle employee says she was sacked for refusing to fiddle cloud accounts" (John Ribeiro)

Gene Wirchenko <genew@telus.net>
Fri, 03 Jun 2016 11:27:22 -0700
John Ribeiro, InfoWorld, 2 Jun 2016

There are lies, damned lies, statistics, damned statistics, and then there
are CPU benchmark scores.  To this, we might add market share:

Svetlana Blackburn says she was terminated from her job as senior finance
manager because she threatened to blow the whistle on accounting principles
she considered unlawful
http://www.infoworld.com/article/3078071/cloud-computing/oracle-employee-says-she-was-sacked-for-refusing-to-fiddle-cloud-accounts.html

selected text:

A senior finance manager in Oracle's cloud business has complained to a
federal court that she was terminated from her job because she refused to go
along with accounting principles she considered unlawful.

Blackburn alleges that upper management was trying to fit "square data into
round holes" in a bid to boost the financial reports of the cloud services
business, which would be "paraded" before company leaders and investors.


"NSW government playing Big Brother with citizens' data"

Gene Wirchenko <genew@telus.net>
Fri, 03 Jun 2016 12:02:47 -0700
Asha Barbaschow, ZDNet, 3 Jun 2016
The New South Wales government has undertaken a project in Sydney's south to
determine who lives where and with whom, with the intention of reducing
monitoring residents' movements to 30-minute intervals.
http://www.zdnet.com/article/nsw-government-playing-big-brother-with-citizens-data/


"Right to be forgotten" extends to newspaper archives

Lauren Weinstein <lauren@vortex.com>
Mon, 30 May 2016 19:19:59 -0700
http://www.flanderstoday.eu/business/right-be-forgotten-extends-newspaper-archives

  The "right to be forgotten", which allows members of the public to have
  references to their private life removed from Internet searches, also
  extends to newspaper archives, the Cassation Court has ruled ...  The
  Rossel group said it regretted the ruling, which it said "opens the door
  to the rewriting of history".

Now they're going after primary sources, not restricted to search results.
This is an Orwellian nightmare in the making.


Holiday Fun_"glitch" at Kennedy_pen and paper check in

"Deank..vzw" <dkross@vzw.blackberry.net>
Mon, 30 May 2016 17:08:05 +0000
Shutdowns are front page news when at airports...but at hospitals, not.

http://www.post-gazette.com/news/transportation/2016/05/30/Computer-glitch-resolved-at-JFK-Airport-after-massive-delays-memorial-day-new-york-Verizon/stories/201605300091

Mr. Buccino said a server providing wireless Internet and other computer
services had problems at about 4 p.m. Sunday, which required manual
check-in. An airport official said the services were provided by Verizon,
which did not offer a comment when reached on late Sunday.

Mr. Buccino said Terminal 7 is operated by British Airways, which leases
space to other carriers. He said at one point Sunday night, more than 1,000
passengers were waiting in line to get checked in.  A line of frustrated
economy-class passengers could be seen stretching out the terminal doors,
snaking up the sidewalk all the way back onto the elevated roadway that
leads to the terminal. Inside, airline employees were writing boarding
passes by hand, sometimes in pencil.


US gov breach theater

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Fri, 3 Jun 2016 07:39:32 -0500
With many organizations, as soon as any employee detects that a breach or
other cyber intrusion is in progress, that individual captures evidence of
what's going on and informs upper management.  If upper management believes
the employee report, then the exposed material is shut down from the Internet
to prevent further leakage, unless the organization already has some plan in
place to let the leakage continue, because law enforcement can track the
perpetrators, and is more likely to catch them if the leak continues.
Sometimes security personnel are authorized to do the shutdown without
waiting on upper management approval.  That is the normal process, but there
are exceptions.

OPM breach, new info I learned, thanks to a post on a Linked In cyber
security group:

The breach was first discovered April 15 or 16, 2015 by an OPM contract
engineer, with CSRA, using a Cylance tool.  Within a day, OPM sought help
with this situation from the U.S. Computer Emergency Readiness Team (US-CERT).

A week later, April 22, it was re-discovered by a CyTech Services demo of
cyber breach detection software.

It appears that OPM was more interested in comparing cyber security
detection products, than fixing known vulnerabilities.

CyTech says they helped OPM clean up the vulnerability, thanks to an oral
contract with OPM, for which they are owed $600,000.00.  OPM denies this.

http://democrats.oversight.house.gov/sites/democrats.oversight.house.gov/files/documents/2016-05-26.EEC%20to%20HPSCI%20Re.CyTech.pdf
http://fedscoop.com/how-the-opm-breach-was-really-discovered
https://fcw.com/articles/2016/05/26/cummings-letter-opm-breach.aspx

A Manchurian chip is when hardware or software is purchased from nations which
are not good friends, so there is a risk that it will come supplied with
spy tech to help our adversaries.  Many gov tech buyers have not yet learned
that the lowest bidder increases the risk of this.  It amazes me that our US
State Dept buys computer stuff from Iran, China, Russia and North Korea.  Sounds
like the division which identifies threats is not on speaking terms with
the one which figures out where to buy stuff. That tends to support my
notion that the Clinton server was safer than the gov server.

The Clinton e-mail server story has not changed, except for a few additions,
latest—it had an Internet-based printer.

http://krebsonsecurity.com/2016/05/did-the-clinton-email-server-have-an-internet-based-printer/

I think the bigger political tech story will be when MSNM starts covering
the trial, where on the very first day of the Republican Convention, Donald
Trump is scheduled to be in court to answer charges of fraud with his Trump
University.  Which of the two places will he show up at?  If he fails to
appear at the trial, will federal marshals be sent to drag him away from the
convention?

DHS recently did a penetration test of SSA, and had no trouble getting into
everything.  The test was at the request of the Social Security
Administration, which did not think the problem warranted notification of
Inspector General.  Congressional oversight not happy, but will they budget
$ to fix this?  I doubt it.

http://www.politico.com/tipsheets/morning-cybersecurity/2016/05/credit-for-discovering-the-opm-breach-electronic-communications-transaction-records-fight-unfolds-united-states-and-brazil-no-good-on-botnets-214527

OPM Breach - we previously learned that this was one of the worst breaches
for the federal government, and it was thanks to NSA injecting
vulnerabilities into software sold to the feds.  NSA believes that they can
spy on anything they please this way, without anyone other than NSA using
the vulnerabilities they deliver all over the place.  Many people have
pointed out that they are wrong, but they continue to be in denial.  Ditto
many national leaders who support the FBI doing the same thing.  So it does
not matter what OPM did to fix that breach, they can be sure that thanks to
NSA, FBI and other government intelligence and law enforcement agencies,
there will be more vulnerabilities delivered in the future.

https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach
Panama Papers group:  https://www.linkedin.com/groups/8508998


Re: Major Cell Phone Radiation Study Reignites Cancer Questions

David Brodbeck <david.m.brodbeck@gmail.com>
Mon, 30 May 2016 17:40:05 -0700
One thing that immediately stood out for me, in the cell phone study, was
they claim to have found a link between cell phone radiation and cancer for
CDMA signals, but not for GSM signals.

If there were a link, I would expect it to potentially be sensitive to power
level or frequency band, but definitely not to the protocol in use.  To me
this is a big red flag that the results may be statistical noise and not a
sign of an actual effect.


Re: Major Cell Phone Radiation Study Reignites Cancer Questions

David Brodbeck <david.m.brodbeck@gmail.com>
Mon, 30 May 2016 19:01:22 -0700
Keep in mind that traditional CDMA is spread spectrum and traditional GSM is
not.


Re: The risk of blaming the messenger

Jay Libove <libove@felines.org>
Sun, 29 May 2016 18:11:48 +0000
While I agree with Rogier Wolff's basic premise, I think that the specific
example of the OKCupid dataset release is not appropriate.  It's one thing
when "data is public", e.g., a single query can dump a
shouldn't-have-been-accessible database.

It's quite another to put in the effort of harvesting information
(thousands, millions of queries), analyse it, create a report about its
contents, and then publish it.

While one can reasonably criticise OKCupid profile holders for being upset
that they could be discovered, and we must cast blame on developers and
system engineers who leave systems vulnerable through common errors and
negligence, one must criticise a "researcher" who violates the intended use,
Terms of Service, privacy, and almost surely law in a case such as this. It
was irresponsible and unethical, civilly culpable, and quite probably
criminal.

Jay Libove, CISSP, CIPP/US, CIPT, CISM Barcelona, Spain


Re: France's Guillotining of Global Free Speech (RISKS-29.54)

Chris Drewe <e767pmk@yahoo.co.uk>
Sat, 04 Jun 2016 21:45:32 +0100
By chance I have a book to hand called the "Shorter Illustrated History Of
The World" by J M Roberts (pub 1993).  The section on the French Revolution
includes this: '... the revolution was a touchstone of political
opinions.  If you were for the revolution... you probably believed in free
speech and the wickedness of press censorship... if you were against the
revolution, you looked for strong government... you believed it was wicked
to allow the spread of harmful opinion, and you thought discipline and good
order more important than personal freedom.'

So it seems that the world is divided into those who feel that liberty is a
nice idea as long as it doesn't get too much in the way of the government
running things, and those who feel that protecting liberty should be what
government is all about.

By the way, as many RISKS readers will know, we in the UK are due to have a
referendum on June 23rd about our membership of the EU.  Much of the debate
has been about financial matters, but personally I feel that a big problem
is the culture clash between us Brits and our 'Anglo-Saxon' ways, and the
other European countries (e.g. RTBF).


The Oracle Effect: 'isis'

Lauren Weinstein <lauren@vortex.com>
Thu, 2 Jun 2016 09:13:44 -0700
The Daily WTF via NNSquad

http://thedailywtf.com/articles/the-oracle-effect

  Even simple rituals can feed into this Oracle Effect.  For example, PayPal
  doesn't want to handle transactions for ISIS, which isn't unreasonable,
  but how do you detect which transactions are made by honest citizens, and
  which by militants?  What about just blocking transactions containing the
  letters "isis"?  This seems like a pretty simple algorithm, but think about
  the amount of data flowing through it, and suddenly, it picks up the air
  of ritual -- we have a magic incantation that keeps us from processing
  transactions for militants.  Using algorithms and decision-support systems
  isn't bad.  It's not even bad if they're complicated!  They're solving a
  complicated problem, and we'd expect the resulting system to reflect at
  least some of that complexity.  A recent conference hosted at NYU Law spent
  time discussing how we could actually avoid biases in policing by using
  well-designed algorithms, despite also pointing out the risks and dangers
  to human rights.  These sorts of decision-making tools can make things
  better -- or worse.  They're just a tool.


Re: The Oracle Effect: 'isis'

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 4 Jun 2016 15:47:48 PDT
How about these words, ending in "isis", all verboten!

anaclisis anacrisis anagnorisis anticrisis aphanisis arthrocleisis
arthroclisis bronchiocrisis bronchophthisis cardioschisis celioschisis
chorisis corocleisis craniorhachischisis cranioschisis crisis cystophthisis
cystoschisis decisis diacrisis diaschisis eccrisis enclisis enterocleisis
enteroclisis enterophthisis epicrisis erythrocytoschisis gastrophthisis
gastroschisis hemophthisis heterogenisis hisis hypocrisis hysterocleisis
iridencleisis isis karyoschisis laryngophthisis lithophthisis merisis
minicrisis myelophthisis nephrophthisis ophthalmophthisis otocleisis
pachisis palatoschisis panmyelophthisis parisis phthisis plasmaphoresisis
pneumonophthisis proclisis prosoposchisis pylorocleisis rachischisis
serophthisis splenocleisis spondyloschisis staphyloschisis syncrisis
synezisis thoracoceloschisis thoracogastroschisis thoracoschisis
tracheoschisis trichoschisis uranoschisis urophthisis
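
As an added illustration (not from The Daily WTF article or either of the two posts above), the Python below runs the "block anything containing the letters isis" rule from the article over a constructed set of legitimate payment memos built from words in the list above, and measures how many it rejects; a word-boundary variant is included to show that tightening the string rule narrows, but does not remove, the false positives.  The memos and the street name are constructed sample data.

```python
import re

# Constructed sample memos (not real transactions).  None involves militants;
# several merely contain the letters "isis" inside ordinary words taken from
# the list of "-isis" words above (crisis, decisis, phthisis, anagnorisis,
# hypocrisis), and one uses a constructed street name.
LEGITIMATE_MEMOS = [
    "Donation to the refugee crisis fund",
    "Reprint: stare decisis and precedent",
    "Phthisis research monograph",
    "Seminar fee: anagnorisis in Greek tragedy",
    "Hypocrisis and Roman oratory, used copy",
    "Monthly rent, Isis Street apartment",
]


def naive_substring_block(memo: str, needle: str = "isis") -> bool:
    """The 'magic incantation' from the article: block if the letters appear
    anywhere in the memo, regardless of the word they sit inside."""
    return needle in memo.lower()


def word_boundary_block(memo: str, needle: str = "isis") -> bool:
    """A slightly less blunt rule: block only when the needle is a whole
    word.  It still cannot tell a street name from an organisation."""
    pattern = rf"\b{re.escape(needle)}\b"
    return re.search(pattern, memo, re.IGNORECASE) is not None


def false_positive_rate(rule, memos=LEGITIMATE_MEMOS):
    """Return (fraction of known-legitimate memos the rule blocks, the memos
    it blocked).  Every memo here is legitimate, so every block is a false
    positive."""
    blocked = [m for m in memos if rule(m)]
    return len(blocked) / len(memos), blocked


def words_hit(rule, words):
    """Which words from a word list the rule flags on their own.  Fed the
    '-isis' list above, the naive rule flags every entry."""
    return [w for w in words if rule(w)]


if __name__ == "__main__":
    for rule in (naive_substring_block, word_boundary_block):
        rate, blocked = false_positive_rate(rule)
        print(f"{rule.__name__}: blocks {rate:.0%} of legitimate memos")
        for memo in blocked:
            print("   ", memo)
```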


Re: Microsoft accused of Windows 10 upgrade "nasty trick" (Risks 29:54)

Jack Christensen <christensen.jack.a@gmail.com>
Thu, 2 Jun 2016 08:03:39 -0400
I've used Steve Gibson's "Never 10" utility on a half-dozen Windows 7
and 8.1 machines. It works as advertised and seems to be nicely implemented.

https://www.grc.com/never10.htm


Re: Another Risk of Self-Driving Cars; Clogged Highways?!? (Shapir, RISKS-29.53)

Craig Burton <craig.alexander.burton@gmail.com>
Sun, 29 May 2016 21:12:35 +1000
> The main trouble is that when a main road is blocked, GPS may direct
> drivers through side streets—which would quickly block much worse if
> hundreds of cars pour into them, all following the same instructions.

I agree - this would then block up those alternative ways as well and the
routing algorithm would not know what to do.  This should not apply to
self-driving cars. Ideally the car-router should learn to bunch up groups of
self-driving cars and take control of the traffic lights(!) to interleave
car groups and keep them moving (one known strategy).  I wonder if more of
the traffic system being centrally automated will make it better or worse.
I suspect people driving cars introduce a lot of entropy which would be
removed by self-driving cars.  This would seem to raise the risk of a pile
of classic problems to do with lack of damping, to say the least?


Re: Connected Car Security (Goldberg, RISKS-29.54)

"John Levine" <johnl@iecc.com>
29 May 2016 14:28:31 -0000
> Now, experts say, the same connectivity may also offer a solution to this
> cybersecurity problem, in the form of over-the-air updates. ...

Gack, choke.

See Harold Feld's long but very well informed piece on DSRC.  It's all about
the spectrum squatting and monetizing your data, hardly if at all about car
safety.  Car companies have a history of completely failing at cybersecurity
and the NHTSA which is mandating DSRC is no better.

http://www.wetmachine.com/tales-of-the-sausage-factory/how-dsrc-makes-us-less-safe-privacy-and-cybersecurity-part-1/


Re: In Oracle v. Google, a Nerd Subculture Is on Trial (RISKS-29.53)

"John Levine" <johnl@iecc.com>
29 May 2016 13:49:17 -0000
By the way, Google won.  The jury found that Google's use of Oracle's APIs
was protected by fair use.  Oracle of course says they'll appeal.

http://arstechnica.com/tech-policy/2016/05/google-wins-trial-against-oracle-as-jury-finds-android-is-fair-use/

If this ridiculous screed by one of Oracle's lawyers is any indication,
Google doesn't have much to worry about.

http://arstechnica.com/tech-policy/2016/05/op-ed-oracle-attorney-says-googles-court-victory-might-kill-the-gpl/

(Latter piece and its inanity also noted by LW.)


Re: Theoretical Breakthrough Made in Random Number Generation

"John Levine" <johnl@iecc.com>
29 May 2016 13:44:54 -0000
> I believe you are referring to pseudorandom numbers, not random numbers.
> Big difference.

A few moments spent looking at the article confirms that they're talking
about actual random numbers.

To get random numbers, you need to start with an entropy source, but it's
hard to find high quality sources, particularly if you need a lot of random
numbers.  This paper describes a new way to take two low quality sources and
create a high-quality source from them.

https://threatpost.com/academics-make-theoretical-breakthrough-in-random-number-generation/118150/