RISKS Digest 28.38

Tuesday 25 November 2014

Catastrophic Vodafone technical fault shuts down raft of key phone services including police 101 and NHS 111 numbers AND Barclays, RAC and First Great Western

Richard I Cook <ricookmd@gmail.com>

Date: Sat, 22 Nov 2014 16:35:39 +0100

"Catastrophic Vodafone technical fault shuts down raft of key phone services including police 101 and NHS 111 numbers AND Barclays, RAC and First Great Western''

[`Catastrophic' might be considered an overstatement with respect to Vodafone's services, because in this event the system operation was eventually recoverable. But it would have been catastrophic for any callers who might have died as a result of the outage. PGN]

*Daily Mail*, 22 November 2014 http://www.dailymail.co.uk/news/article-2845212/Police-non-emergency-101-number-NHS-24-hour-111-helpline-UK-technical-problem.html

A catastrophic Vodafone technical fault shut down a raft of key phone services including police and NHS hotlines—and even RAC breakdown recovery, Barclays bank and First Great Western. Problems were first reported at about 9am this morning when callers were unable to reach the police non-emergency 101 number and NHS 24's medical advice line. But customers stranded at the roadside were also unable to get through to RAC and those with queries about trains were also stuck when trying to get through on the phone.

Engineers spent hours working to resolve the issue and initially anticipated that it could take several hours to fix but worked on it as a 'matter of priority' and most lines were up and running by 1pm. A spokesperson from Vodafone said: `'We can confirm that this morning an issue with one of our fixed line call routing systems temporarily affected the services we provide to a number of organisations. However, our engineers have worked hard to resolve the issue as quickly as possible and services have now been restored. We will continue to monitor the service closely and will be carrying out a full investigation into the issue. We apologise for any inconvenience caused.''

Spy cable revealed: how telecoms firm worked with GCHQ

Brian Randell <brian.randell@newcastle.ac.uk>

Date: Nov 21, 2014 9:17 AM

This story was the main one in last night's Channel 4 News. (This IMHO is one of the best TV news programs here in the UK.)

One of the UK's largest communications firms had a leading role in creating the surveillance system exposed by Edward Snowden, it can be revealed. Cable and Wireless even went as far as providing traffic from a rival foreign communications company, handing information sent by millions of Internet users worldwide over to spies. The firm, which was bought by Vodafone in July 2012, was part of a programme called Mastering the Internet, under which British spies used private companies to help them gather and store swathes of Internet traffic; a quarter of which passes through the UK. Top secret documents leaked by the whistleblower Edward Snowden and seen by Channel 4 News show that GCHQ developed what it called "partnerships" with private companies under codenames. Cable and Wireless was called Gerontic.

Under the moniker, the company carried out tests on equipment used to carry out the surveillance, it came up with suggestions on how the spies could go about tapping its network, and even had a GCHQ employee working full-time within the company.

And a 2011 document reveals that Cable and Wireless went further. The company rented space on a cable owned by Indian telecoms company Reliance Communications that stretched from Asia across the Middle East and landed in Porthcurno in Cornwall. Reliance's transatlantic cable lands in Sennen Cove six miles to the north. And the two cables come together at nearby Skewjack Farm. Documents show that in 2011, this allowed Britain's spies to access all traffic from Reliance's main cable and send it to the GCHQ base up the coast in Bude.

Top-secret documents from GCHQ show it was this access point, codenamed Nigella and run by Cable and Wireless, that allowed Britain's spies to gather the private communications of millions of Internet users worldwide.

Channel 4 News has been unable to establish whether Reliance Communications was served with a warrant to authorise this and the company has not responded to our calls. Either way, from having no access to the cable at all, GCHQ planned to take in a trillion gigabytes of data per second.

The documents show an increasingly close relationship between the spy agency and Cable and Wireless, which has been operating submarine cables from the UK for more than a century. From 2008 until at least 2010, Cable and Wireless held regular meetings with GCHQ and was paid tens of millions of pounds to establish surveillance on web traffic as it flowed through its networks. At one point, the Mastering the Internet programme was costing 1m pounds per month.

Cable and Wireless was bought by Vodafone in a billion-pound takeover. Documents seen by this programme appear to show that the Nigella access point was still feeding GCHQ's interception programmes as late as April 2013 -- long after Vodafone's takeover had been completed. And GCHQ's partner company was still codenamed Gerontic. [..]

http://www.channel4.com/news/spy-cable-revealed-how-telecoms-firm-worked-with-gchq

Woman Scammed Out of $8K Through Instagram Job Hoax, Police Say

Monty Solomon <monty@roscom.com>

Date: Tue, 25 Nov 2014 10:58:49 -0500

http://www.dnainfo.com/new-york/20141124/jamaica/woman-scammed-out-of-8k-through-instagram-job-hoax-police-say

Mobile malware: One in six smartphone users victim of cyber attack

PGN <neumann@csl.sri.com>

Date: Mon, 24 Nov 2014 13:30:08 PST

PTI, 24 Nov 2014

London: One in six smartphone and tablet device users have fallen prey to a cyber attack, according to a new study. The study also found that 60 per cent of smartphone users and almost half of tablet users are vulnerable to hacking as these devices have no protection against malicious software.

These can be anything from phishing e-mails that could result in a fraudster taking over an online account, to 'session hijacking' attacks where a user's web browsing is interrupted, monitored or even hijacked, Yorkshire Post reported.

Many smartphone and tablet devices users have no protection against 'malware' (i.e., software designed specifically to damage or disrupt a system). This is despite nearly half using mobile phones for Internet banking and one in three for online shopping.

“This year has proved a tipping point for smartphones and tablets,'' said Ori Eisen of Experian, a global information services company, which published the study. “The rapid rise in demand for online banking and retail combined with very little security on devices has created a massive opportunity for cyber criminals leaving many people and businesses extremely vulnerable.''

http://economictimes.indiatimes.com/articleshow/45255423.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst

Malware-hosting e-cigs could be bad for your computer's health

Bob Frankston <bob19-0501@bobf.frankston.com>

Date: 22 Nov 2014 13:23:29 -0500

Everything is "IoT" these days. If this is indeed a USB attack anti-malware might not be enough. http://www.digitaltrends.com/cool-tech/malware-hosting-e-cigs-bad-computers-health/

A cheap Chinese cable is believed to have been the root cause of the problem, and electronic cigarette smokers are advised to stick to the well-known brands and be wary of shady counterfeit goods when picking up e-cigs. “For consumers it's a case of running up-to-date anti-malware for the production line stuff and only using trusted devices to counter the threat,'' Trend Micro's Rik Ferguson told.

[PGN notes, Henry Baker, also noted Alex Hern in *The Guardian*, 21 Nov 2014] http://www.theguardian.com/technology/2014/nov/21/e-cigarettes-malware-computers

House Republicans just passed a bill forbidding scientists from advising the EPA on their own research

Lindsay Abrams via Bob Frankston <dewayne@warpspeed.com>

Date: Nov 21, 2014 2:36 PM

[Note: This item comes from friend Bob Frankston. DLH]

Lindsay Abrams, *Salon*, 19 Nov 2014

The "reform" measure makes room for industry-funded experts on the EPA's advisory board. http://www.salon.com/2014/11/19/house_republicans_just_passed_a_bill_forbidding_scientists_from_advising_the_epa_on_their_own_research/

Congressional climate wars were dominated Tuesday by the U.S. Senate, which spent the day debating, and ultimately failing to pass, a bill approving the construction of the Keystone XL pipeline. While all that was happening, and largely unnoticed, the House was busy doing what it does best: attacking science.

H.R. 1422, which passed 229-191, would shake up the EPA's Scientific Advisory Board, placing restrictions on those pesky scientists and creating room for experts with overt financial ties to the industries affected by EPA regulations.

The bill is being framed as a play for transparency: Rep. Michael Burgess, R-Texas, argued that the board's current structure is problematic because it “excludes industry experts, but not officials for environmental advocacy groups.'' The inclusion of industry experts, he said, would right this injustice.

But the White House, which threatened to veto the bill, said it would “negatively affect the appointment of experts and would weaken the scientific independence and integrity of the SAB.''

In what might be the most ridiculous aspect of the whole thing, the bill forbids scientific experts from participating in “advisory activities'' that either directly or indirectly involve their own work. In case that wasn't clear: experts would be forbidden from sharing their expertise in their own research—the bizarre assumption, apparently, being that having conducted peer-reviewed studies on a topic would constitute a conflict of interest. “In other words,'' wrote Union of Concerned Scientists director Andrew A. Rosenberg in an editorial for RollCall, “academic scientists who know the most about a subject can't weigh in, but experts paid by corporations who want to block regulations can.''

Speaking on the House floor Tuesday, Rep. Jim McGovern, D-Mass., summed up what was going on: “I get it, you don't like science,'' he told bill sponsor Rep. Chris Stewart, R-Utah. “And you don't like science that interferes with the interests of your corporate clients. But we need science to protect public health and the environment.'' [...]

[But corporations are people. So, why not put corporations on committees? We would no longer need people who are not corporations. <Even though that is sarcasm, a smiley-face emoticon would be inappropriate.> PGN]

The safest computers are iPhones and iPads

Galen Gruman <dewayne@warpspeed.com>

Date: Nov 21, 2014 5:13 PM

Galen Gruman, Infoworld, 21 Nov 2014
PCs are where the security breaches happen—so stop using them if you can
<http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2014data_breach_rpt.pdf> <https://www.privacyrights.org/data-breach/new>

But rarely do you see smartphones and tablets in these reports. Why? Because they're more secure than computers and data centers. That fact must be galling for the IT security pros fretting over the alleged perils of mobile devices while the PCs and data centers they manage leak like sieves. (IT shops have been told for years to encrypt PCs, yet few do.) <http://www.infoworld.com/article/2675487/security/your-laptop-data-is-not-safe--so-fix-it-.html>

But it's true: Mobile devices are safer than PCs and servers.

Let's be clear: Nothing is fully secure. Last week, we learned of Masque Attack, an iOS attack approach that takes advantage of Apple's feature that lets enterprises install their own apps rather than use the vetted App Store. If a hacker uses the same bundle ID for his malware as used by an iOS app, the pretender can be installed over the legitimate app and go undetected by mobile management tools. (It's ironic that to escape the grip of the App Store, enterprise inadvertently enabled this attack vector.) <http://www.infoworld.com/article/2846015/vulnerability-leaves-iphones-and-ipads-open-to-fake-app-attack.html>

Apple says it has no reports of actual attacks using this technique and notes that iOS will warn users if they try to override an existing app through Masque Attack.

Still, the clear reality is that mobile devices are more secure than PCs and servers, because—outside of Android—they are less open. For example, we hear of a handful of security threats in iOS each year versus a handful every week in Windows.

BlackBerry phones have the strongest security, but they're not able to act as replacement computers as an iPad can. After BlackBerry, the highest security comes from Apple's iOS. <http://www.infoworld.com/article/2613620/mobile-device-management/mobile-device-management-mobile-security-ios-vs-android-vs-blackberry-vs-windows-phone.html>

If you're concerned about endpoint security, you should replace as many PCs as you can with iPads and iPhones. Depending on how Android Lollipop's Android at Work security turns out, maybe you'll be able to add Android devices to the secure mix. <http://www.infoworld.com/article/2836715/android/android-lollipop-aims-to-be-googles-ios-7.html>

Using an iPad as a computer replacement is more realistic than ever, thanks to Apple's iWork suite and Microsoft's Office suite for iOS, especially now that Microsoft's good iPad Office apps also run on iPhones. <http://www.infoworld.com/article/2841836/office-software/the-must-have-ipad-office-apps-round-95.html>

Of course, a computer can tackle many tasks a tablet or smartphone can't -- taking advantage of a big screen for complex documents and work processes is an obvious one. But using a computer also carries a much higher risk.

For employees who need to run PC-only apps and/or require more screen real estate and input flexibility than a tablet provides, the PC may be the sole viable choice as their primary computing platform. For those who don't, make the move to mobile.

'Bug' spies on computers

Jim Warren <jwarren@well.com>

Date: Nov 24, 2014 4:56 PM

A leading computer security company says it has discovered one of the most sophisticated pieces of malicious software ever seen. Symantec says the bug, named Regin, was probably created by a government and has been used for six years against a range of targets around the world. Once installed on a computer, it can do things like capture screenshots, steal passwords or recover deleted files.

Experts say computers in Russia, Saudi Arabia and Ireland have been hit most. It has been used to spy on government organisations, businesses and private individuals [...].

http://www.bbc.com/news/technology-30171614

--jim; Jim Warren, open-govt & tech-civlib advocate & sometime columnist
http://en.wikipedia.org/wiki/Jim_Warren_%28computer_specialist%29
justjim36 on twitter | Jim Warren on Facebook

Re: "How to lose customers with excessive security"

Paul Wallich <pw@panix.com>

Date: Sat, 22 Nov 2014 17:24:54 -0500

I was just thinking about this because my bank has kindly locked me out of Kickstarter (as well as, occasionally, various non-US merchants). It seems that KS does a test transaction when you pledge, and this triggers their fraud-detection algorithm, so they decline the transaction. (It is possible to get the payment through by spending an hour or so on the phone with their security department, assuming I have the time and foresight to call during some subset of business hours before the KS campaign in question terminates, but as a regular practice that's not going to happen.)

While it may be a good idea to reduce my addiction to the hope of receiving possibly-useful widgets at some time in the indefinite future, I really don't want my bank making that choice. So after 35 years with them, I'm looking for a less-secure alternative...

Re: risks of lobbyist blogs, was "CASL restricts freedom of speech"

John Levine <johnl@iecc.com>

Date: 22 Nov 2014 16:59:34 -0000

http://www.itbusiness.ca/article/casl-restricts-freedom-of-speech-academic-paper-argues

If you follow the link at the bottom of this page to the article's source, you'll find the blog of Barry Sookman, who, based on the extensive stuff he's written and presented, seems to be a full time anti-CASL lobbyist. The paper itself was written [by] a summer intern at Cassels Brock & Blackwell LLP, a law firm that is drumming up CASL related business, together with a law school faculty member.

I helped write CASL, and I can say that the free speech arguments are silly. This is a rear guard action by marketers who are mad that they can't legally spam anyone, anywhere, like their American colleagues can.

Book review: Ivan Ristic, Bulletproof SSL and TLS ...

Ben Rothke <brothke@hotmail.com>

Date: Tue, 25 Nov 2014 13:50:50 -0500

Ivan Ristic, Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications, 1 Aug 2014
blog.ivanristic.com/2014/08/bulletproof-ssl-and-tls-final-released.html
https://www.feistyduck.com/books/bulletproof-ssl-and-tls/

If SSL is the emperor's new clothes, then Ivan Ristic in Bulletproof SSL and TLS has shown that perhaps the emperor isn't wearing anything at all. There is a perception that if a web site is SSL secured then it's indeed secure. Read a few pages in this important book and the SSL security myth is dispelled.

For the first 8 of the 16 chapters, Ristic (one of the greatest practical SSL/TLS experts around) spends 230 pages showing countless weaknesses -- vulnerabilities, attacks and other SSL weaknesses. He then spends the next 8 chapters showing how SSL can -- if done correctly -- be deployed to provide adequate security. Full review here: http://www.rsaconference.com/blogs/bulletproof-ssl-and-tls