Risks Digest 27.15
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 29 Jan 2013 14:49:23 PST

RISKS-LIST: Risks-Forum Digest  Tuesday 29 January 2013  Volume 27 : Issue 15

Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at

Digital Map Error May Have Led To Minesweeper Grounding (Paul Saffo)
U-verse back up after outage hit thousands (Lauren Weinstein)
$180M case management system for social workers may have to be abandoned
 (Jonathan Thornburg)
How AT&T used to put service during emergencies at top priorities
  (Lauren Weinstein)
"Skin cancer apps 'dangerous'" (Robyn Preston via Gene Wirchenko)
Grammar badness makes cracking harder the long password (Dan Goodin via
  Monty Solomon)
Student's Expulsion Exposes Computer Science Culture Gap (Robert Schaefer)
School that expelled student hacker may have ignored old flaw (Ted Samson
  via Gene Wirchenko)
Man outsources his own job to China (Robert Schaefer)
MIT hacked again, URLs redirected (Joanna Kao via Monty Solomon)
Mathematicians aim to take publishers out of publishing (Richard van Noorden
  via Dewayne Hendricks via Dave Farber)
Cyber Security in 2013: How Vulnerable to Attack Is U.S. Now? (ACM TechNews)
Red October (Peter G. Neumann)
Major vulnerabilities in Cisco VoIP phones (Lauren Weinstein)
"Twitter flaw gave third-party apps unauthorized access to private messages,
  researcher says" (Lucian Constantin via Gene Wirchenko)
"Tweeted photos not free to publish, judge rules" (Goyal/MacKenzie via
  Gene Wirchenko)
"World's first 'tax' on Microsoft's Internet Explorer 7" (Gene Wirchenko)
12 Common Election Security Myths (R.G. Johnston via PGN)
12 survival tips from the spouse of a serial startup executive (Jeff Jedras
  via Gene Wirchenko)
Exposure of files on unsecured wireless no excuse to search ...
  (Jaikumar Vijayan via Monty Solomon)
Great blog posting in Scientific American re Comment Moderation
  (Lauren Weinstein)
Abridged info on RISKS (comp.risks)


Date: Tue, 22 Jan 2013 21:21:44 -0800
From: Paul Saffo <paul () saffo com>
Subject: Digital Map Error May Have Led To Minesweeper Grounding

This is a good one given the fact that the skipper of the minesweeper was
warned over the radio by the park rangers that they were on a collision
course and the skipper told them to "contact the US embassy."  Rather like
the old story of the battleship skipper ordering the lighthouse to move!  -p

Christopher P. Cavas, Digital Map Error May Have Led To Minesweeper Grounding

A digital chart used by the minesweeper USS Guardian to navigate Philippine
waters misplaced the location of a reef by about eight nautical miles, and
may have been a significant factor when the ship drove hard aground on the
reef on 17 Jan 2013.

As of 18 Jan, U.S. Navy ships have been directed to ``operate with caution''
when using similar electronic charts and compare the map data with paper
charts, which are considered accurate.

The Guardian drove onto Tubbataha Reef in the Sulu Sea around 2:25 a.m. on
17 Jan (some sources cite a date of 16 Jan, since that was the date in
Washington, D.C. when the incident occurred). The reef is about 80 miles
east-southeast of Palawan Island.

  [Long item truncated for RISKS.  Worth reading.  PGN]

  [The original Navy item noted by Bob Gezelter:

    Even worse than when LA-class nuclear sub San Francisco hit an uncharted
    seamount SE of Guam in 2005. They were below 500 ft and running at flank
    speed and nearly lost the vessel. Though the seamount wasn't on charts,
    there was secondary info that there might be a seamount in the area, and
    in any case the chart noted that the region was largely uncharted. [...]
    [Added note from Paul Saffo.  PGN]


Date: Thu, 24 Jan 2013 19:23:39 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: U-verse back up after outage hit thousands

http://j.mp/14bnNPH  (CNN via NNSquad)

  "Service had been restored by midday Thursday for tens of thousands of
  AT&T's U-verse TV, Internet and phone customers after an outage that
  lasted several days."  [It started on Monday. PGN]

This is the same AT&T begging the FCC to allow it to abandon traditional
POTS phone service and provide *all* phone service via U-verse, et al.  This
was just a software upgrade problem.  Imagine what could happen during a
true emergency!


Date: Tue, 29 Jan 2013 12:38:52 -0800 (PST)
From: Jonathan Thornburg <jthorn () astro indiana edu>
Subject: $180M case management system for social workers may have to be abandoned


*Report finds flaws in new B.C. government computer system*
CBC News
Posted: Jan 29, 2013 6:48 AM PT
Last Updated: Jan 29, 2013 8:43 AM PT

The Ministry of Children and Family Development may have to abandon
its use of a $180-million information sharing system that was
supposed to help prevent vulnerable children from slipping through
the cracks.

The Integrated Case Management System is supposed to replace 64
different databases, linking information between social workers,
police, service providers and other ministries.

But an independent consultant's report has found major flaws,
including a lack of knowledge about the system's goals and insufficient
resources for training.

Minister Stephanie Cadieux admits child protection workers are using
the old system while a solution is sought.


An earlier report on problems with the Integrated Case Management System
is at


Date: Sat, 26 Jan 2013 13:00:54 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: How AT&T used to put service during emergencies at top priorities

[Video] 1979: "Any day without warning" - How AT&T used to put service
during emergencies at the top of their priorities
http://j.mp/14hSP8k  (AT&T via NNSquad)

Today, AT&T is asking the FCC for the right to abandon traditional
central-office phone service -- and virtually all government regulations --
causing great concerns about how phone services will function in
emergencies.  Recent history is very disturbing in these regards.  Yet, over
on the wonderful "AT&T Tech Channel," we can see how AT&T used to put
service reliability during emergencies at the top of their priorities, as
shown in this video from 1979.


Date: Mon, 28 Jan 2013 09:52:39 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Skin cancer apps 'dangerous'"

Robyn Preston, *The Sydney Morning Herald*, 18 Jan 2013

Experts are warning people not to replace visits to the doctor with
smartphone apps that claim to detect skin cancer after a study found the
technology gets it wrong almost a third of the time.


Date: Saturday, January 26, 2013
From: *Monty Solomon*
Subject: Grammar badness makes cracking harder the long password (Dan Goodin)

Dan Goodin, Ars Technica, 24 Jan 2013
Password crackers get an English lesson.

When it comes to long phrases used to defeat recent advances in password
cracking, bigger isn't necessarily better, particularly when the phrases
adhere to grammatical rules.

A team of Ph.D. and grad students at Carnegie Mellon University and the
Massachusetts Institute of Technology have developed an algorithm that
targets passcodes with a minimum number of 16 characters and built it into
the freely available John the Ripper cracking program.  The result: it was
much more efficient at cracking passphrases such as "abiggerbetter password"
or "thecommunistfairy" because they followed commonly used grammatical
rules -- in this case, ordering parts of speech in the sequence "determiner,
adjective, noun." When tested against 1,434 passwords containing 16 or more
characters, the grammar-aware cracker surpassed other state-of-the-art
password crackers when the passcodes had grammatical structures, with 10
percent of the dataset cracked exclusively by the team's algorithm.

The approach is significant because it comes as security experts are
revising password policies to combat the growing sophistication of modern
cracking techniques which make the average password weaker than ever
before. A key strategy in making passwords more resilient is to use phrases
that result in longer passcodes. Still, passphrases must remain memorable to
the end user, so people often pick phrases or sentences. It turns out that
grammatical structures dramatically narrow the possible combinations and
sequences of words crackers must guess. One surprising outcome of the
research is that the passphrase "Th3r3 can only b3 #1!" (with spaces
removed) is one order of magnitude weaker than "Hammered asinine
requirements" even though it contains more words. Better still is "My
passw0rd is $uper str0ng!"  because it requires significantly more tries to
correctly guess. ...
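An added strength-estimation example, written for this digest and not taken from the Ars Technica article or the CMU/MIT John the Ripper extension: it segments a concatenated passphrase into dictionary words, reads off the part-of-speech template, and compares the template's guess space with the naive character-level space. The mini-lexicon and per-class vocabulary sizes are constructed for illustration, so the numbers show the shape of the argument (more common-class words can mean fewer bits), not the researchers' results.

```python
"""Grammar-aware passphrase strength estimate (constructed illustration).

A passphrase that follows a part-of-speech template can be searched slot by
slot, so its effective guess space is the product of the slot vocabularies,
not the character-level space the phrase's length suggests.
"""
import math

# Constructed per-class vocabulary sizes (order of magnitude only, assumed).
CLASS_SIZE = {
    "DET": 20, "PRON": 40, "AUX": 30, "ADV": 500, "NUM": 100,
    "ADJ": 8000, "NOUN": 20000, "VERB": 6000,
}

# Tiny constructed lexicon used to segment space-free phrases.
LEXICON = {
    "a": "DET", "the": "DET", "my": "DET",
    "there": "PRON", "can": "AUX", "is": "AUX", "be": "AUX",
    "only": "ADV", "one": "NUM",
    "bigger": "ADJ", "better": "ADJ", "communist": "ADJ", "super": "ADJ",
    "strong": "ADJ", "asinine": "ADJ", "hammered": "ADJ",
    "password": "NOUN", "fairy": "NOUN", "requirements": "NOUN",
}


def segment(phrase):
    """Split a lowercase, space-free string into lexicon words, preferring
    the fewest words.  Returns None if no complete segmentation exists."""
    n = len(phrase)
    best = [None] * (n + 1)      # best[i]: fewest-word split of phrase[:i]
    best[0] = []
    for i in range(1, n + 1):
        for j in range(i):
            if best[j] is not None and phrase[j:i] in LEXICON:
                cand = best[j] + [phrase[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[n]


def template(words):
    """Part-of-speech template of a segmented phrase, e.g. DET ADJ NOUN."""
    return [LEXICON[w] for w in words]


def grammar_bits(words):
    """log2 of the guesses needed by a searcher who knows the template and
    enumerates each slot's class vocabulary.  The (small) cost of guessing
    the template itself is left out, so this is a slight underestimate."""
    return sum(math.log2(CLASS_SIZE[c]) for c in template(words))


def bruteforce_bits(phrase, charset=26):
    """log2 of the character-level space a length-based policy assumes."""
    return len(phrase) * math.log2(charset)


def assess(phrase):
    """Compare structural and naive strength of a concatenated passphrase."""
    words = segment(phrase)
    if words is None:
        return None
    return {"words": words, "template": template(words),
            "grammar_bits": round(grammar_bits(words), 1),
            "naive_bits": round(bruteforce_bits(phrase), 1)}


if __name__ == "__main__":
    for p in ("thecommunistfairy", "therecanonlybeone",
              "hammeredasininerequirements"):
        print(p, assess(p))
```

With the constructed sizes, the five-word "therecanonlybeone" scores lower than the three-word "hammeredasininerequirements" because pronoun, auxiliary and adverb slots draw from tiny classes while adjective and noun slots do not.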



Date: Thu, 24 Jan 2013 07:52:42 -0500
From: Robert Schaefer <rps () haystack mit edu>
Subject: Student's Expulsion Exposes Computer Science Culture Gap

Wysopal: ``Most Computer Science departments are still living in the
pre-Internet era when it comes to computer security.  Computer Science is
taught in this idealized world separate from reality. They're not dealing
with the reality that software has to run in a hostile environment.''


Robert Schaefer, Atmospheric Sciences, MIT Haystack Observatory, Westford
MA 01886 rps () haystack mit edu, 781-981-5767, http://www.haystack.mit.edu


Date: Fri, 25 Jan 2013 08:14:17 -0800
From: Gene Wirchenko <genew () telus net>
Subject: School that expelled student hacker may have ignored old flaw

Ted Samson, *InfoWorld*, 22 Jan 2013

School that expelled student hacker may have ignored 16-month-old security
flaw Dawson College stuck to its policies in expelling Hamed Al-Khabaz, but
now the school must answer for its security failings


Date: Wed, 16 Jan 2013 08:33:52 -0500
From: robert schaefer <rps () haystack mit edu>
Subject: Man outsources his own job to China


"The scenario was as follows. We received a request from a US-based company
asking for our help in understanding some anomalous activity that they were
witnessing in their VPN logs. This organization had been slowly moving
toward a more telecommuting oriented workforce, and they had therefore
started to allow their developers to work from home on certain days...As it
turns out, Bob had simply outsourced his own job to a Chinese consulting
firm. Bob spent less than one fifth of his six-figure salary for a Chinese
firm to do his job for him.  Authentication was no problem, he physically
FedExed his RSA token to China so that the third-party contractor could
log in under his credentials during the workday."


Date: Wed, 23 Jan 2013 01:14:11 -0500
From: Monty Solomon <monty () roscom com>
Subject: MIT hacked again, URLs redirected (Joanna Kao)

Joanna Kao, *The Tech*, 22 Jan 2013

MIT was hacked on Tuesday around noon, with MIT URLs redirecting to a
webpage claiming credit for the attack in remembrance of Aaron Swartz.

As a result of the hack, people who tried to reach MIT over the
Internet were redirected to the hacked Web page pictured here:
http://goo.gl/kxdm1. The hack affected all names under mit.edu, including
web.mit.edu, tech.mit.edu, etc.

The hack and subsequent outages were due to a compromise at EDUCAUSE, the
registrar that provides information on all .EDU names. A registrar, which
allows users to purchase domain names, also specifies the domain name system
(DNS) servers for a domain, which convert domain names to IP addresses --
needed to actually load the page. ...



Date: Friday, January 18, 2013
From: *Dewayne Hendricks*
Subject: Mathematicians aim to take publishers out of publishing

Episciences Project to launch series of community-run, open-access journals.
Richard Van Noorden, *Nature*, 17 Jan 2013 [via Dave Farber's IP]


Mathematicians plan to launch a series of free open-access journals that
will host their peer-reviewed articles on the preprint server arXiv. The
project was publicly revealed yesterday in a blog post by Tim Gowers, a
Fields Medal winner and mathematician at the University of Cambridge, UK.

The initiative, called the Episciences Project, hopes to show that
researchers can organize the peer review and publication of their work at
minimal cost, without involving commercial publishers.

``It's a global vision of how the research community should work: we want to
offer an alternative to traditional mathematics journals,'' says Jean-Pierre
Demailly, a mathematician at the University of Grenoble, France, who is a
leader in the effort. Backed by funding from the French government, the
initiative may launch as early as April, he says.

Many mathematicians -- and researchers in other fields -- claim that they
already do most of the work involved in publishing their research. At no
cost, they type up and format their own papers, post them to online servers,
join journal editorial boards and review the work of their peers.  By
creating journals that publish links to peer-reviewed work on servers such
as arXiv, Demailly says, the community could run its own publishing
system. The extra expense involved would be the cost of maintaining websites
and computer equipment, he says.

That cost is not small, but it could eventually be provided in part by the
journals' users. The arXiv server, for example, costs about US $826,000 a
year to run, and is funded by the Cornell University Library in Ithaca, New
York; the Simons Foundation in New York and institutional members.

Demailly says that he first thought of open-access electronic journals that
overlay arXiv eight years ago, but the concept became a reality only last
June, when he was contacted by the Centre for Direct Scientific
Communication (CCSD), based in Villeurbanne, France. The CCSD, a unit of
the French National Centre for Scientific Research, develops open-access
repositories such as the multidisciplinary archive HAL, which mirrors the
arXiv site.


Dewayne-Net RSS Feed: <http://www.warpspeed.com/wordpress>


Date:  Mon, 14 Jan 2013 11:44:46 -0500
From: ACM TechNews <technews () HQ ACM ORG>
Subject: Cyber Security in 2013: How Vulnerable to Attack Is U.S. Now?

ACM TechNews, Monday, January 14, 2013

Cyber Security in 2013: How Vulnerable to Attack Is U.S. Now?
Christian Science Monitor (01/09/13) Mark Clayton

Last year offered many unsettling revelations for businesses, individuals,
and U.S. government officials concerned about their vulnerability to
cyberattack.  Hackers launched offensives that took aim at a wide range of
targets, including ordinary citizens' financial information, bank Web sites,
critical infrastructure, and important federal agencies.  "The cyberthreat
facing the nation has finally been brought to public attention," says the
Center for Strategic and International Studies' James Lewis.  However, he
noted there is more befuddlement than clarity on the subject of
cybersecurity, and cultivation of the skills to discuss cybersecurity is
progressing at a slower pace than hoped.  Although there are many
cyberthreat sources, the U.S. Pentagon is chiefly concentrating on the
growing cyberwarfare capabilities of China, Russia, and Iran.  Adding to the
challenge of shoring up defenses is the multitude of cyberattackers with
diverse motivations and targets.  Meanwhile, the U.S. Cyber Consequences
Unit reports that at a corporate level, cyberattacks could potentially
generate liabilities and losses of sufficient size to bankrupt most
companies.  Meanwhile, awareness of cyberthreats is on the rise, with a
Central Intelligence Agency cybersecurity index estimating that corporate
chief information security officers reported a 50 percent increase in the
"measure of perceived risk" since March 2011.


Date: Mon, 14 Jan 2013 11:21:24 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Red October

Researchers at Kaspersky Lab have uncovered an "advanced cyber espionage
network" - dubbed Red October - that has been active for at least five years
and is targeting diplomatic and government agencies.

Red October:   http://www.pcmag.com/article2/0,2817,2414260,00.asp


Date: Fri, 4 Jan 2013 13:37:17 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Major vulnerabilities in Cisco VoIP phones

Major vulnerabilities in Cisco VoIP phones

http://t.co/ntF86rH2  (*Science Daily* via NNSquad)

  "Cisco has since released a patch to repair these vulnerabilities but it
  is ineffective. "It doesn't solve the fundamental problems we've pointed
  out to Cisco," Cui observes. "We don't know of any solution to solve the
  systemic problem with Cisco's IP Phone firmware except for the Symbiote
  technology or rewriting the firmware. We plan to demonstrate a
  Symbiote-protected Cisco IP Phone at an upcoming conference."  The
  research conducted by Stolfo and Cui was funded by DARPA (Defense Advanced
  Research Projects Agency), IARPA (Intelligence Advanced Research Projects
  Activity), and DHS (Department of Homeland Security)."


Date: Fri, 25 Jan 2013 08:18:05 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Twitter flaw gave third-party apps unauthorized access to
  private messages, researcher says" (Lucian Constantin)

Lucian Constantin, InfoWorld, 22 Jan 2013

Twitter flaw gave third-party apps unauthorized access to private messages,
researcher says.  The issue was fixed, but apps that gained this permission
without proper authorization still have it.


Date: Fri, 25 Jan 2013 08:09:19 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Tweeted photos not free to publish, judge rules" (Goyal/MacKenzie)

Monica Goyal and Jon Mackenzie

opening paragraph:

The debate around ownership of content posted by users of online social
media services continues.  In the wake of the recent uproar surrounding
Instagram's proposed Terms of Service changes designed to allow them to
claim ownership over their users' posted photographs, the New York
District Court has clarified the issues surrounding ownership of photos
posted on Twitter in a recent decision -- AFP v Morel. While the ownership
and usage rights of content posted by users on their social media accounts
will no doubt continue to be debated by social media companies, users, and
the courts, this case does clarify some important points.


Date: Wed, 23 Jan 2013 10:28:53 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "World's first 'tax' on Microsoft's Internet Explorer 7"

World's first 'tax' on Microsoft's Internet Explorer 7

selected text:

"I was constantly on the line to my web team. The amount of work and effort
involved in making our website look normal on IE7 equaled the combined time
of designing for Chrome, Safari and Firefox."


Date: Tue, 29 Jan 2013 11:50:56 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: 12 Common Election Security Myths (R.G. Johnston)

An item by Roger G. Johnston of the Vulnerability Assessment Team at the
Argonne National Laboratory lists 12 myths, and counters each of them with a
pithy counter-argument.  For any remaining RISKS readers who still believe
that election systems are adequately secure, this is crucial reading.


Thanks to Andrew Appel for spotting this one... PGN


Date: Fri, 25 Jan 2013 08:10:56 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "12 survival tips from the spouse of a serial startup executive"
  (Jeff Jedras)

Jeff Jedras, Mitigating a different kind of computer-related risk
*IT Business*, 23 Jan 2013

The wife of a startup entrepreneur turned venture capitalist shares tips for
other startup spouses on making the relationship work.


Date: Thu, 24 Jan 2013 10:42:07 -0500
From: Monty Solomon <monty () roscom com>
Subject: Exposure of files on unsecured wireless no excuse to search ...
  (Jaikumar Vijayan)

Exposure of files on unsecured wireless no excuse to search, judge rules
Warrantless search of file violated defendant's Fourth Amendment right,
federal judge says in child porn case

Jaikumar Vijayan, ComputerWorld, 23 Jan 2013

ComputerWorld - An individual who inadvertently exposes the contents of his
computer over an unsecured wireless network still has a reasonable
expectation of privacy against a search of those contents by the police, a
federal judge in Oregon ruled last week.

The ruling involves John Henry Ahrndt, a previously convicted sex offender
who was sentenced to 120 months in prison for possession of child
pornography on his computer.

Ahrndt had argued that some of the evidence that was used against him in
court had been gathered illegally. He had filed an appeal asking the
U.S. District Court for the District of Oregon in Portland to suppress the
evidence on the grounds that his Fourth Amendment rights against
unreasonable search had been violated.

Oregon District Court Judge Garr King initially denied Ahrndt's motion to
suppress but picked up the case again last year after the U.S. Court of
Appeals for the Ninth Circuit reversed King's first ruling.

In a 34-page ruling last week, King granted Ahrndt's renewed motion to
suppress the evidence gathered by police from his hard drive and also
ordered his subsequent testimony to them to be suppressed as well.

Ahrndt's case goes back to 2007 when one of his neighbors, a woman referred
to only as "JH" in court documents, connected to the Internet using her own
wireless network. When JH's network temporarily malfunctioned, her computer
automatically connected to Ahrndt's unsecured wireless network.

When JH subsequently opened her iTunes software to listen to music, she
noticed that another user library called "Dads LimeWire Tunes" from Ahrndt's
computer was also available for sharing, court documents said.

When JH clicked on the folder, she immediately noticed that it contained a
lot of files with names suggesting explicit child pornography. She informed
the county sheriff's department, which sent a deputy to take a look at her
discovery. ...



Date: Tue, 29 Jan 2013 11:37:40 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Great blog posting in Scientific American re Comment Moderation

http://j.mp/XPYnRl  (Scientific American via NNSquad)

  "If you don't delete or disemvowel inappropriate comments, people will
  think you are not even reading the comment threads. If you don't show up
  in person, nobody will know you are even interested in their thoughts. If
  you don't delete the trolls, the trolls will take over and the nice people
  will go somewhere else."

Yes, yes, and yes!


Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 27.15
