Home page logo
/

risks logo RISKS Forum mailing list archives

Risks Digest 27.23
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 30 Mar 2013 16:57:32 PDT

RISKS-LIST: Risks-Forum Digest  Saturday 30 March 2013  Volume 27 : Issue 23

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.23.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
IRS: Tax glitch affects about 660K returns (Heather Hollingsworth via
  Monty Solomon)
Panama Canal Railway hit after upgrade (Bob Heuman)
Online Dispute Becomes Internet-Snarling Attack (Markoff/Perlroth via
  Monty Solomon)
More on Spamhaus et al. (sender anonymized by request)
More cyberscares from our governments (Lauren Weinstein)
SSL, RC4, and Site Administrators (Steve Bellovin)
Microwave oven interference robustness mode (jidanni)
Saudi Arabia 'threatens Skype ban' (Lauren Weinstein)
FBI wants real-time access to ... well ... pretty much  everything (LW)
NYPD Facial Recog Unit Uses Facebook, Instagram To Track Down Suspects (LW)
Big Data and a Renewed Debate Over Privacy (Steve Lohr via Monty Solomon)
Database Is Shut Down by NASA for a Review (Mark Mazzetti via Monty Solomon)
"12 hard truths about cloud computing" (Peter Wayner via Gene Wirchenko)
"One in six Amazon S3 storage buckets are ripe for data-plundering"
  (Ted Samson via Gene Wirchenko)
Some digital cameras easily turned into spying devices (Lauren Weinstein)
Google offers *offline* language translation support for Android (LW)
Risks of using other people's libraries (Phil Nasadowski)
25,000 could be affected by data breach at Salem State University
  (Monty Solomon)
"Twitter-shaming can cost you your job" (Ted Samson via Gene Wirchenko)
"Cisco inadvertently weakens password encryption in IOS (Lucian Constantin
  via Gene Wirchenko)
Password must contain multiple character classes... (jidanni)
"Microsoft Employee Info Being Hacked Through Xbox Live" (Chris Paoli via
  Gene Wirchenko)
"Updated Windows 8 apps not in sync with Google Calendar" (Woody Leonhard
  via Gene Wirchenko)
Re: Small furry animals ... (jericho)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 25 Mar 2013 01:03:46 -0400
From: Monty Solomon <monty () roscom com>
Subject: IRS: Tax glitch affects about 660K returns (Heather Hollingsworth)

Heather Hollingsworth, AP, 13 Mar 2013

KANSAS CITY, Mo. (AP) - A tax-preparation glitch affecting about 660,000 tax
returns will delay refunds by as long as six weeks, with customers of the
nation's largest tax preparer among those affected.

The Internal Revenue Service said in a statement that a problem with a
''limited number of software company products'' affected some taxpayers
filing a form used to claim educational credits between 14 and 22 Feb 2013.

The agency didn't name any companies in the statement, which it released
Tuesday, but Kansas City-based H&R Block has been informing customers about
problems. H&R Block spokesman Gene King said Wednesday that the company
isn't saying how many of its customers were affected by the problems with
Form 8863. ...

http://www.boston.com/news/education/2013/03/13/irs-tax-glitch-affects-about-returns/2RStz826IfaP2YS5fFILsK/story.html

------------------------------

Date: Sat, 23 Mar 2013 19:38:20 -0400
From: Bob Heuman <robert.heuman () alumni monmouth edu>
Subject: Panama Canal Railway hit after upgrade

Reuters, 22 Mar 2013
http://www.reuters.com/article/2013/03/23/us-panama-canal-idUSBRE92L19120130323

Thousands of containers have been stuck at Panamanian ports after a computer
glitch hampered communication with the railway, causing significant delays,
officials said on Friday.  The Panama Canal Railway Co transports about
1,500 containers daily between the only port on the Pacific entrance to the
Panama Canal and three ports on the Atlantic, said Thomas Kenna, director of
operations for the railway.  But a computer upgrade on 20 Mar 2013 by Panama
Ports Co (which manages two of those ports) caused severe lags, Kenna said.
Since then, the railway has moved only about 350 containers a day.  Traffic
picked up on Friday, and the system should be operating normally by Monday,
Kenna added.

------------------------------

Date: Wed, 27 Mar 2013 14:01:57 -0400
From: Monty Solomon <monty () roscom com>
Subject: Online Dispute Becomes Internet-Snarling Attack (Markoff/Perlroth)

John Markoff and Nicole Perlroth, *The New York Times*, 26 Mar 2013
Firm Is Accused of Sending Spam, and Fight Jams Internet

A squabble between a group fighting spam and a Dutch company that hosts Web
sites said to be sending spam has escalated into one of the largest computer
attacks on the Internet, causing widespread congestion and jamming crucial
infrastructure around the world.

Millions of ordinary Internet users have experienced delays in services like
Netflix or could not reach a particular Web site for a short time.
However, for the Internet engineers who run the global network the problem
is more worrisome. The attacks are becoming increasingly powerful, and
computer security experts worry that if they continue to escalate people may
not be able to reach basic Internet services, like e-mail and online
banking.

The dispute started when the spam-fighting group, called Spamhaus, added the
Dutch company Cyberbunker to its blacklist, which is used by e-mail
providers to weed out spam. Cyberbunker, named for its headquarters, a
five-story former NATO bunker, offers hosting services to any Web site
"except child porn and anything related to terrorism," according to its Web
site.

A spokesman for Spamhaus, which is based in Europe, said the attacks began
on March 19, but had not stopped the group from distributing its blacklist.

Patrick Gilmore, chief architect at Akamai Networks, a digital content
provider, said Spamhaus's role was to generate a list of Internet spammers.
Of Cyberbunker, he added: "These guys are just mad. To be frank, they got
caught. They think they should be allowed to spam." ...

http://www.nytimes.com/2013/03/27/technology/internet/online-dispute-becomes-internet-snarling-attack.html

------------------------------

Date: Wed, 27 Mar 2013 09:48:41 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: More on Spamhaus et al. (Another sender, anonymized by request)

[I don't like sending out anonymized messages, but it appears that many
legit users are simply terrified of upsetting Spamhaus.  Via NNSquad.
Lauren]

  Date: Wed, 27 Mar 2013 NN:09:11 -NNNN
  From: []
  Subject: More on Spamhaus et al. [Another sender anonymized by request]

  On 27 Mar, [] wrote:

  Spamhaus has selected some of my IP addresses now and then for lock down
  as well -- even though they never demonstrated any proof of any sort that
  there was any good reason. Indeed there was none. Then I found out that
  they false positive list about 90,000 IPs a day -- according to them.  And
  I found out what it takes to get removed -- which is excessive for the
  fact that they are acting without basis and from a location where class
  action suits are not going to work. They won't even reveal their real
  names.

  In any case, vigilante injustice is not what the Internet needs.

------------------------------

Date: Thu, 28 Mar 2013 19:38:03 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: More cyberscares from our governments

"Cyberattacks Seem Meant to Destroy, Not Just Disrupt"

http://j.mp/10eldVl  (New York Times)

  Mr. Obama's goal was to erode the business community's intense opposition
  to federal legislation that would give the government oversight of how
  companies protect "critical infrastructure," like banking systems and
  energy and cellphone networks. That opposition killed a bill last year,
  prompting Mr. Obama to sign an executive order promoting increased
  information-sharing with businesses.  "But I think we heard a new tone at
  this latest meeting," an Obama aide said later. "Six months of unrelenting
  attacks have changed some views."

In a word regarding this entire article: bull.  My bet is that most of this
stuff is coming from the functional equivalent of pimple-faced kids in their
parents' basements in Cleveland.  Hell, sad to say, I wouldn't be all that
surprised if our own governments are behind many of the attacks on our own
companies.  This is all about our own governments wanting to scare the hell
out of us so that we'll let them and their cyberscare-industrial complex
buddies get more and more powerful, richer and richer, and won't complain as
they tap our networks just like they've wanted to do pretty much all along.
And we're falling for it, boys and girls.

------------------------------

Date: Fri, Mar 29, 2013 at 3:38 PM
From: Federal Trade Commission <subscribe () subscribe ftc gov>
Subject: SSL, RC4, and Site Administrators

  [image: Tech () FTC Banner] <http://techatftc.wordpress.com/>

Steve Bellovin
SSL, RC4, and Site Administrators
<http://techatftc.wordpress.com/2013/03/29/ssl-rc4-and-site-administrators/>

There's been yet another report of security problems with SSL.
<http://arstechnica.com/security/2013/03/new-attacks-on-ssl-decrypt-authentication-cookies/>

If you run a website or mail server, you may be wondering what to do about
it.  For now, the answer is simple: nothing -- and don't worry about it.

First of all, at the moment there's nothing to do.  You can't invent your
own cryptographic protocol; no one else would have a compatible browser.
Besides, they're notoriously hard to get right.  In the very first paper on
the topic, Roger Needham and Michael Schroeder wrote ``Finally, protocols
such as those developed here are prone to extremely subtle errors that are
unlikely to be detected in normal operation. The need for techniques to
verify the correctness of such protocols is great, and we encourage those
interested in such problems to consider this area.''  Why do you think your
design will be better than one that has been scrutinized for more than 15
years?

Some of the trouble in this latest breach is due to weaknesses in the RC4
cipher algorithm.  No one who works in cryptography was surprised by this
report; it's been showing cracks since at least 1997.  What's new is that
someone has managed to turn the weaknesses into a real exploit, albeit one
that needs at least 224 and preferably 230 encryptions of the same plaintext
to work.  (By the way, this is why cryptographers are so concerned about
minor weaknesses: as Bruce Schneier is fond of noting, attacks always get
better, they never get worse.)  Besides, ciphers are even harder to get
right than protocols are.  <http://www.schneier.com/>

The real reason not to worry, though, is that unless you're being targeted
by a major intelligence agency, this sort of cryptanalytic attack is *very*
far down on the risk scale.  Virtually all attackers will look for unpatched
holes, injection or cross-site scripting attacks, people who will fall for
spear-phishing attacks, etc., long before they'll try something like this.
The common attacks are a lot easier to launch; besides, the attackers
understand them and know how to use them.

In the long run, RC4 has to be phased out.  I certainly wouldn't start any
new designs that depended on RC4's characteristics or performance, but there
are plenty of other algorithm possibilities today.  Vendors do need to ship
web browsers and servers that support newer versions of SSL (formally known
as TLS); weaknesses at the protocol level can't always be fixed by patching
code.  For now, though, stay up to date with your patches and software, and
practice good security hygiene.  (And if you are being targeted by a major
intelligence agency, you should talk to a major counterintelligence agency,
not me!)

Posted in Tech () FTC <http://techatftc.wordpress.com/category/techftc/>

------------------------------

Date: Sat, 23 Mar 2013 10:30:41 +0800
From: jidanni () jidanni org
Subject: Microwave oven interference robustness mode

The IEEE 802.11 committee that developed the Wi-Fi specification
conducted an extensive investigation into the interference potential
of microwave ovens. A typical microwave oven uses a self-oscillating
vacuum power tube called a magnetron and a high voltage power supply
with a half wave rectifier (often with voltage doubling) and no DC
filtering. This produces an RF pulse train with a duty cycle below 50%
as the tube is completely off for half of every AC mains cycle: 8.33
ms in 60 Hz countries and 10 ms in 50 Hz countries.

This property gave rise to a Wi-Fi "microwave oven interference
robustness" mode that segments larger data frames into fragments each
small enough to fit into the oven's "off" periods.

http://en.wikipedia.org/wiki/Electromagnetic_interference_at_2.4_GHz#Microwave_oven

------------------------------

Date: Mon, 25 Mar 2013 12:12:24 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Saudi Arabia 'threatens Skype ban'

http://j.mp/16TWb2V (BBC via NNSquad)

  "Encrypted messaging services such as Skype, Viber and WhatsApp could be
  blocked in Saudi Arabia, the telecommunications regulator there is
  reported to have warned.  It is demanding a means to monitor such
  applications, but Saudis say that would seriously inhibit their
  communications.  Saudi newspapers are reporting that the companies behind
  the applications have been given a week to respond."

------------------------------

Date: Tue, 26 Mar 2013 22:27:27 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: FBI wants real-time access to ... well ... pretty much everything

"FBI Pursuing Real-Time Gmail Spying Powers as 'Top Priority' for 2013"
http://j.mp/11Kqi9d  (Slate via NNSquad)

  "Despite the pervasiveness of law enforcement surveillance of digital
  communication, the FBI still has a difficult time monitoring Gmail, Google
  Voice, and Dropbox in real time. But that may change soon, because the
  bureau says it has made gaining more powers to wiretap all forms of
  Internet conversation and cloud storage a "top priority" this year."

Actually, what they want is real-time access to pretty much everything from
everyone.  If they could force hardware manufacturers to install keyloggers,
screengrabbers, and audio/video siphons into every piece of telecom gear
manufactured, they would.  And at some point, they'll probably try.  Could
they catch more bad guys that way?  Yeah.  But they also could solve more
crimes by installing government cameras and microphones in everyone's homes
and businesses.  At some point -- like now -- we simply have to say that
civil liberties trump.

------------------------------

Date: Mon, 25 Mar 2013 21:11:43 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: NYPD Facial Recog Unit Uses Facebook, Instagram To Track Down Suspects

  "Police are searching for suspects' photos on Instagram and Facebook, then
  running them through the NYPD's new Facial Recognition Unit to put a face
  to a name, DNAinfo New York has learned.  Detectives are now breaking
  cases across the city thanks to the futuristic technology that marries mug
  shots of known criminals with pictures gleaned from social media,
  surveillance cameras and anywhere else cops can find images."
  http://j.mp/XCVDrd  (DNAinfo.com via NNSquad)

Remember what I say, again and again: "Public Is Public!"

------------------------------

Date: Mon, 25 Mar 2013 00:31:06 -0400
From: Monty Solomon <monty () roscom com>
Subject: Big Data and a Renewed Debate Over Privacy (Steve Lohr)

Big Data Is Opening Doors, but Maybe Too Many

Steve Lohr, *The New York Times*, 23 Mar 2013

In the 1960s, mainframe computers posed a significant technological
challenge to common notions of privacy. That's when the federal government
started putting tax returns into those giant machines, and consumer credit
bureaus began building databases containing the personal financial
information of millions of Americans. Many people feared that the new
computerized databanks would be put in the service of an intrusive corporate
or government Big Brother.

"It really freaked people out," says Daniel J. Weitzner, a former senior
Internet policy official in the Obama administration. "The people who cared
about privacy were every bit as worried as we are now."

Along with fueling privacy concerns, of course, the mainframes helped prompt
the growth and innovation that we have come to associate with the computer
age. Today, many experts predict that the next wave will be driven by
technologies that fly under the banner of Big Data - data including Web
pages, browsing habits, sensor signals, smartphone location trails and
genomic information, combined with clever software to make sense of it all.

Proponents of this new technology say it is allowing us to see and measure
things as never before - much as the microscope allowed scientists to
examine the mysteries of life at the cellular level.  Big Data, they say,
will open the door to making smarter decisions in every field from business
and biology to public health and energy conservation.

"This data is a new asset," says Alex Pentland, a computational social
scientist and director of the Human Dynamics Lab at the M.I.T.  "You want it
to be liquid and to be used."

But the latest leaps in data collection are raising new concern about
infringements on privacy - an issue so crucial that it could trump all
others and upset the Big Data bandwagon. Dr. Pentland is a champion of the
Big Data vision and believes the future will be a data-driven society. Yet
the surveillance possibilities of the technology, he acknowledges, could
leave George Orwell in the dust. ...

http://www.nytimes.com/2013/03/24/technology/big-data-and-a-renewed-debate-over-privacy.html

------------------------------

Date: Mon, 25 Mar 2013 00:34:11 -0400
From: Monty Solomon <monty () roscom com>
Subject: Database Is Shut Down by NASA for a Review (Mark Mazzetti)

Mark Mazzetti, *The New York Times*, 22 Mar 2013

WASHINGTON - NASA has shut down a large public database and is limiting
access to agency facilities by foreign citizens as part of a broader
investigation into efforts by China and other countries to get information
about important technology.

NASA announced the security procedures this week, after the F.B.I. arrested
a Chinese citizen at Dulles International Airport in Virginia who had
boarded a plane to Beijing.

The man, Bo Jiang, had been working as a contractor at NASA's Langley
Research Center in southern Virginia. According to an affidavit filed on
Monday, Mr. Jiang is being charged with making false statements to federal
agents - failing to disclose that he was carrying a laptop, hard drive and
SIM card that were discovered after a search of his belongings. ...

http://www.nytimes.com/2013/03/23/us/nasa-shuts-down-database-during-security-inquiry.html

------------------------------

Date: Mon, 25 Mar 2013 10:36:11 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "12 hard truths about cloud computing" (Peter Wayner)

Peter Wayner, InfoWorld,
Performance, security, cost -- here's what to really expect from the cloud
http://www.infoworld.com/d/cloud-computing/12-hard-truths-about-cloud-computing-214920

------------------------------

Date: Thu, 28 Mar 2013 10:43:30 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "One in six Amazon S3 storage buckets are ripe for data-plundering"
  (Ted Samson)

Ted Samson, InfoWorld, 27 Mar 2013
Researchers discover nearly 2,000 Amazon Simple Storage Service
buckets containing freely accessible sensitive data
http://www.infoworld.com/t/cloud-security/one-in-six-amazon-s3-storage-buckets-are-ripe-data-plundering-215349

------------------------------

Date: Tue, 26 Mar 2013 18:11:04 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Some digital cameras easily turned into spying devices

http://j.mp/XaU20U  (Net-Security [+video] via NNSquad)

  "Newer cameras increasingly sport built-in Wi-Fi capabilities or allow
  users to add SD cards to achieve them in order to be able to upload and
  share photos and videos as soon as they take them.  But, as proven by
  Daniel Mende and Pascal Turbing, security researchers with German-based IT
  consulting firm ERNW, these capabilities also have security flaws that can
  be easily exploited for turning these cameras into spying devices.  Mende
  and Turbing chose to compromise Canon's EOS-1D X DSLR camera an exploit
  each of the four ways it can communicate with a network. Not only have
  they been able to hijack the information sent from the camera, but have
  also managed to gain complete control of it."

------------------------------

Date: Wed, 27 Mar 2013 10:55:50 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Google offers *offline* language translation support for Android

http://j.mp/Zq5Gzg  (Google Translate Blog via NNSquad)

  Have you ever found yourself in a foreign country, wishing you knew how to
  say "I'm lost!" or "I'm allergic to peanuts"? The Internet and services
  like Google Translate can help-but what if you don't have a connection?
  Today we're launching offline language packages for Google Translate on
  Android (2.3 and above) with support for fifty languages, from French and
  Spanish to Chinese and Arabic.

Seriously useful and cool.

------------------------------

Date: Mon, 25 Mar 2013 22:37:34 -0400
From: Phil Nasadowski <pnasadowski () pcsintegrators com>
Subject: Risks of using other people's libraries

We recently ran into a situation where I work, where a vendor's (a large,
well-known, multinational company with a two letter abbreviation for it's
name) piece of software was not fully compatible with Windows 7, 64bit.  In
particular, a portion of the UI that's very, very useful for looking at
variables, is broken.

Being that the software in question was a development package for their
programmable logic controllers, and the widespread use of Windows 7 / 64 bit
in our office, a call to the vendor was in order.

The vendor replied that they were *not* going to update the package for 64
bit operating systems and there was *no* workaround.

A bit of pressing and a few nasty emails later, we got the full story:

Apparently the software uses a library developed by an outside firm.  That
firm went bankrupt and is no longer in business.  There is no copy of the
source code to the library.  The library is not 64 bit compatible.  Thus,
the vendor is forced to rewrite a portion of his software in house.  Or seek
another library.  Or something.

We are stuck with a piece of broken software for the mean time.  They say
maybe 6 months to a year to fix it.  I doubt we're alone.

I'm sure this isn't the first time this has happened.  I'm sure it won't be
the last.  It's a risk of relying on someone else's library to do something.
If they go away, you may be stuck with incompatible software.  And your
customers won't be happy about it.

Philip Nasadowski, Project Engineer, PCS Integrators

------------------------------

Date: Mon, 25 Mar 2013 00:19:47 -0400
From: Monty Solomon <monty () roscom com>
Subject: 25,000 could be affected by data breach at Salem State University

http://www.newburyportnews.com/local/x1533629801/25-000-could-be-affected-by-data-breach-at-SSU

http://bostonglobe.com/metro/2013/03/15/virus-accesses-salem-state-university-database-containing-personal-information-for-thousands/S7AJvP1k7Zb7lLzSqhm7pN/story.html?s_campaign=8315

------------------------------

Date: Mon, 25 Mar 2013 09:51:31 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Twitter-shaming can cost you your job" (Ted Samson)

  Ah, the wonders/blunders of modern communication.

Ted Samson, InfoWorld, 21 Mar 2013
Complaint on Twitter about overheard off-color jokes ends up costing
two techies their jobs
http://www.infoworld.com/t/technology-business/twitter-shaming-can-cost-you-your-job-214956

------------------------------

Date: Mon, 25 Mar 2013 10:00:24 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Cisco inadvertently weakens password encryption in IOS
  (Lucian Constantin)

Lucian Constantin, IDG News Service, InfoWorld, 20 Mar 2013
http://www.infoworld.com/d/security/cisco-inadvertently-weakens-password-encryption-in-its-ios-operating-system-214907

Cisco inadvertently weakens password encryption in its IOS operating system
The password encryption scheme used in newer Cisco IOS versions is weak,
researchers find.

------------------------------

Date: Fri, 29 Mar 2013 19:39:17 +0800
From: jidanni () jidanni org
Subject: Password must contain multiple character classes...

I have just encountered the most clodsworthy...
Lost Password Login
https://savannah.gnu.org/

Welcome, jidanni. You may now change your password.
New password / passphrase:
(not too short, must contain multiple character classes: symbols, digits
(0-9), upper and lower case letters) (for instance: Stigma5Brass3Status)
New Password (repeat):

  1. Why am I here? Because I always forget my password.
  2. Why do I always forget my password? Because I am not allowed to use
     my much better password, but have to conform to some expert person's
     concept of what is a good password.

------------------------------

Date: Tue, 26 Mar 2013 10:37:42 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Microsoft Employee Info Being Hacked Through Xbox Live"

Chris Paoli, 20 Mar 2013
And one security expert unravels the tangled web of related attacks.
http://redmondmag.com/articles/2013/03/20/xbox-live-hack.aspx

------------------------------

Date: Wed, 27 Mar 2013 09:42:00 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Updated Windows 8 apps not in sync with Google Calendar"
  (Woody Leonhard)

  Users caught in the middle:

Woody Leonhard, InfoWorld, 26 Mar 2013
http://www.infoworld.com/t/microsoft-windows/updated-windows-8-apps-not-in-sync-google-calendar-215225

Updated Windows 8 apps not in sync with Google Calendar
Microsoft's new version of the Metro 'productivity' apps Mail, Calendar,
and People refuses to sync with Google Calendar

But it is not just Microsoft:

"After you upgrade Mail, Calendar, and People (they all come together), the
first time the Metro apps try to sync with a Google Calendar, you see this
message:

Reconnect this account / We can't connect to blahblah () gmail com because
Google no longer supports ActiveSync. Reconnect to get your email and
contacts using a different method. Cancel to save your email drafts and
reconnect later."

------------------------------

Date: Sun, 24 Mar 2013 12:29:57 -0500 (CDT)
From: security curmudgeon <jericho () attrition org>
Subject: Re: Small furry animals ... (Re: Ishikawa, RISKS-27.22)

[Ishikawa notes only] the tip of the iceberg.  While doing research for a
presentation, I focused only on squirrel-related outages of both power and
communications.  The presentation is available here:

http://attrition.org/security/conferences/2012-BruCON-CyberWar-v18-FINAL03.pptx

If you start at slide 33 and click through to slide 39, you will not only
see my attempt at a humorous assertion that squirrels are a bigger threat
than 'cyberwar', but in the notes below each side is extensive details of
other incidents caused by squirrels. In some cases, I had to resort to (now
shared) Google spreadsheets because there were so many incidents.

In particular, look at the notes for Slide 34 which has one fascinating
statistic:

  Squirrels caused 177 power outages in Lincoln, Nebraska, in 1980, which
  was 24% of all outages. Estimated annual costs were $23,364 for repairs,
  public relations, and lost revenue. In Omaha, in 1985, squirrels caused
  332 outages costing at least $47,144. After squirrel guards were installed
  over pole-mounted transformers in Lincoln in 1985, annual costs were
  reduced 78% to $5,148.

Another article tells us:

  In Georgia, squirrel-related outages more than tripled from 5,273 in 2005
  to 16,750 in 2006. [..] Georgia Power officials estimate the rodents cost
  them $2 million last year. [..] It appears that the problem may in part be
  due to acorns. [..] PECO, which powers Philadelphia and its surrounding
  counties, spends $1 million a year on squirrel guards to stop outages from
  "those rascally little varmints," Engel said.

Another reference in the presentation also gives us this:

http://blog.level3.com/2011/08/04/the-10-most-bizarre-and-annoying-causes-of-fiber-cuts/

  According to Level 3 Communications, Squirrel chews account for a whopping
  17% of our damages so far this year! (2011)

So, while a rat has the distinction of going after a nuclear power plant,
that little critter is just the latest in a painfully long history of such
incidents.

  [In addition to the SRI item that Ishikawa noted, I have probably
  previously noted in RISKS that SRI International has experienced at least
  5 squirrelcides that brought down the entire institute's power -- despite
  our having created a co-generation plant in response to the first few.  In
  http://www.csl.sri.com/neumann/illustrativerisks.html, search for
  "squirrel" gives those and others:
  * Squirrel arcs power, downs computers in Providence RI
  * SRI attacked by kamikaze squirrel who downs uninterruptible power
  * 4th SRI squirrelcide causes 8-hour outage, surges, system rebuild
  * 5th SRI squirrelcide causes 18.5-hour institute outage
  * Another squirrelcide: San Jose Airport power cut
  * Squirrel attack brings down Walla Walla
  * Squirrel knocked out Trumbull Connecticut infrastructure computer center
  PGN]

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.23
************************


  By Date           By Thread  

Current thread:
  • Risks Digest 27.23 RISKS List Owner (Mar 31)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault