
Risks Digest 27.22
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 23 Mar 2013 17:01:42 PDT

RISKS-LIST: Risks-Forum Digest  Saturday 23 March 2013  Volume 27 : Issue 22

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.22.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Small furry animals and slithering snakes vs Electric Utilities (Ishikawa)
Panama Canal Railway upgrade problems (Robert Heuman)
National Vulnerability Database is hacked! (Mark Thorson)
Re: Weapons Experts Raise Doubts About Israel's Antimissile System
  (Amos Shapir)
Feds announce massive scanning of private Internet communications
  (Lauren Weinstein)
Google's trust problem (Ezra Klein via Dewayne Hendricks)
"Smile, you're on Google Glass, whether you like it or not" (Caroline Craig
  via Gene Wirchenko)
"Andrew Auernheimer joins growing list of so-called hackers facing
   harsh justice" (Ted Samson via Gene Wirchenko)
Security hole lets Apple passwords be reset with e-mail addr, DoB
  (Chris Welch via Jim Reisert)
Re: Electronic health records: teething problems? (William Pociengel)
Re: Mars Rover is Repaired, NASA Says (William Pociengel)
Re: Fake silicone fingers strike again (Amos Shapir)
Re: Attorney General's testimony on Aaron Swartz raises more ... (Wol)
Microwave oven interference robustness mode (Jidanni)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 22 Mar 2013 14:39:12 +0900
From: ishikawa <ishikawa () yk rim or jp>
Subject: Small furry animals and slithering snakes vs Electric Utilities

In the never-ending saga of small furry animals and slithering snakes vs
electric utilities, here is the latest and more horrifying incident.

Martin Fackler, Fukushima Blackout Hints at Plant's Vulnerability, *The
New York Times*, 19 Mar 2013
  http://www.nytimes.com/2013/03/20/world/asia/blackout-halts-cooling-system-at-fukushima-plant.html

Martin Fackler, Rat Body Linked to Blackout at Atomic Site, *The New York
  Times*, 20 Mar 2013
 http://www.nytimes.com/2013/03/21/world/asia/rat-at-fukushima-plant.html

A lot of Japanese must have gone through uncomfortable moments.  Initially,
when I learned that re-wiring work was going on, I thought there was some
type of human error. Now a rodent is implicated.

In either case, TEPCO is losing public trust, well, at least from me.  If an
important piece for feeding electricity is not protected from a rodent, how
can we tell the piece won't fall down or break down if another reasonably
large earthquake hits the area (and this is no idle threat in Japan,
virtually the busiest center of earthquakes in the world)?

I would not mind losing electricity for my home for a few hours or even half
a day after a big earthquake. That is life in this corner of the world. Many
households in Japan stock water/food/batteries, etc. just in case. We can't
argue with earthquakes, as the saying goes here. (The other two we can't
argue with, in the saying, are thunderbolts and one's father.)

But a crippled nuclear reactor site with many used fuel rods that requires
continuous cooling needs better care than typical households.

BTW, I found a few similar incidents in RISKS:

 RISKS-8.75   SRI attacked by kamikaze squirrels?
 RISKS-8.77   Re: Power outages
              (A raccoon hit U. of Utah and disturbed a
              room-temperature fusion experiment, and it was mentioned
              that JPL had seen similar attacks, er, incidents. )
 RISKS-18.52  Rats take down Stanford power and Silicon Valley Internet service
 RISKS-19.88  Japanese snake vs. railroad electrical supply
 RISKS-23.39  Boa triggers blackout in Honduras
              (Nation-wide blackout for 15 minutes! Beat other animals to
              date in the scale of the incident.)

I thought that utility companies would have learned from these off-angle
attacks from nature by now.

------------------------------

Date: Sat, 23 Mar 2013 19:38:20 -0400
From: "R.S. (Bob) Heuman" <robert.heuman () alumni monmouth edu>
Subject: Panama Canal Railway upgrade problems

Reuters (Panama City), 22 Mar 2013
http://www.reuters.com/article/2013/03/23/us-panama-canal-idUSBRE92L19120130323

Thousands of containers have been stuck at Panamanian ports after a computer
glitch hampered communication with the railway, causing significant delays,
officials said on Friday.  The Panama Canal Railway Co transports about
1,500 containers daily between the only port on the Pacific entrance to the
Panama Canal and three ports on the Atlantic, said Thomas Kenna, director of
operations for the railway.  But a computer upgrade on Wednesday by Panama
Ports Co, which manages two of those ports, caused severe lags, Kenna said.

Since then, the railway has moved only about 350 containers a day.
Traffic picked up on Friday, and the system should be operating normally
by Monday, Kenna added.

------------------------------

Date: Thu, 21 Mar 2013 16:53:56 -0700
From: Mark Thorson <eee () sonic net>
Subject: National Vulnerability Database is hacked!

Their server is offline due to malware infection.  They probably clicked on
an ad in an e-mail.  The exploit used a vulnerability in Adobe's ColdFusion
software.

http://www.theregister.co.uk/2013/03/14/adobe_coldfusion_vulns_compromise_us_malware_catalog/

------------------------------

Date: Sun, 24 Mar 2013 01:02:09 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Weapons Experts Raise Doubts About Israel's Antimissile System
  (RISKS-27.21)

The following article by the Israel Institute for National Security Studies
contains a detailed debunking of the arguments used by some of the
researchers who produced these results.  It seems to be yet another
case of "how to lie with statistics"...
http://www.inss.org.il/publications.php?cat=21&incat=&read=11166

------------------------------

Date: Thu, 21 Mar 2013 20:39:59 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Feds announce massive scanning of private Internet communications

http://j.mp/Z5d4TP  (Google+ via NNSquad)
http://j.mp/11n0qzS (Reuters / New York Times)

  "Under the program, critical infrastructure companies will pay the
  providers, which will use the classified information to block attacks
  before they reach the customers. The classified information involves
  suspect web addresses, strings of characters, e-mail sender names and the
  like."

Here we go!  It's out in the open at last.  Encrypt deeply now, or forever
hold your peace. CHARACTER STRINGS? EMAIL SENDER NAMES?  Who do they think
they're kidding?

------------------------------

Date: Friday, March 22, 2013
From: Dewayne Hendricks
Subject: Google's trust problem (Ezra Klein)

Ezra Klein, *The Washington Post*, 21 Mar 2013
http://www.washingtonpost.com/blogs/wonkblog/wp/2013/03/21/googles-trust-problem/

James Fallows likes software meant to help him organize and simplify his
life. So, naturally, he moved immediately to download Google Keep, the
search giant's ``new app for collecting notes, photos, and info.''  The
problem, Fallows quickly realized, is that he wasn't sure he could trust it.

Google now has a clear enough track record of trying out, and then
canceling, `interesting' new software that I have no idea how long Keep will
be around. When Google launched its Google Health service five years ago, it
had an allure like Keep's: here is the one place you could store your
prescription info, test readings, immunizations, and so on and know that you
could get at them. That's how I used it -- until Google canceled this
`experiment' last year. Same with Google Reader, and all the other products
in the Google Graveyard that Slate produced last week.

And if there's even a 25 percent chance that Google Keep will be canceled
in two years, do you really want to be the sucker who spent endless hours
organizing your life around it?

Now, most people don't use Google Reader, or even know it's being canceled.
Same for Google Wave, Google Buzz, Google Health and Picnik, and all the
rest of the beloved little apps that have been sent to that cloud above the
cloud, where data is stored forever and servers never overload. This is a
pained whine emanating almost exclusively from Google power users.

Most people, however, also aren't the sort of early adopters who will rush
to download Google Keep. But Fallows is that kind of early adopter. So am
I. And Google needs early adopters. They need weirdos to rush to download
their new apps, try them out, offer feedback, and, ultimately, proselytize
to their friends. And I do all that! For instance, have you ever tried using
Sleep Cycle? This isn't an early adopter thing -- the app has been around
for awhile -- but I just started using it and am now annoying everyone I
know badgering them to try waking up to Sleep Cycle. It'll change your life.

But I'm not sure I want to be a Google early adopter anymore. I love Google
Reader. And I used to use Picnik all the time. I'm tired of losing my
services.

In fact, I'm starting to worry a bit about Gmail, which is at the core of
pretty much my entire life. I know, I know -- Gmail is safe. The data it
feeds into the Google mainframe is extremely valuable to the search giant.
They won't let anything happen to it.

But I'm a heavy user of Gmail. And so I've been buying more space on
Google's servers. Recently, I hit 30 gigs -- and learned Google won't let me
purchase any more room. The service which once swore I'd never have to
delete a message now tells me my only option is to delete gigabyte after
gigabyte of past e-mails.

That's their right, of course. But it was a reminder that Google's core
business isn't running an e-mail system or selling data storage. The thing
I wanted to pay them to do wasn't something they make much money off. So
now I'm a bit nervous: I freed up a good number of gigabytes, but now I've
run through much of the low-hanging fruit, and the bar measuring how far I
am from my storage unit is beginning to tick up again.

The problem, I'm beginning to think, is simply mismatch. The core services
of Google's business are often not the Google services I rely on most. And
even when their core products and my needs do meet, the business connection
is indirect. ...

Dewayne-Net RSS Feed: <http://www.warpspeed.com/wordpress>

------------------------------

Date: Mon, 18 Mar 2013 10:14:31 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Smile, you're on Google Glass, whether you like it or not"
  (Caroline Craig)

Caroline Craig, InfoWorld, 15 Mar 2013
Google Glass's style points are debatable, but one thing's for sure:
Data collection and user privacy will never be the same
http://www.infoworld.com/t/internet-privacy/smile-youre-google-glass-whether-you-it-or-not-214568

------------------------------

Date: Tue, 19 Mar 2013 11:13:37 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Andrew Auernheimer joins growing list of so-called hackers facing
  harsh justice" (Ted Samson)

Ted Samson, InfoWorld, 18 Mar 2013
The 26-year-old security researcher sentenced to 41 months in prison
for pulling e-mail addresses from a public-facing server
http://www.infoworld.com/t/hacking/andrew-auernheimer-joins-growing-list-of-so-called-hackers-facing-harsh-justice-214742

------------------------------

Date: Fri, 22 Mar 2013 14:11:11 -0600
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Security hole lets Apple passwords be reset with e-mail addr, DoB
  (Chris Welch)

Chris Welch, 22 Mar 2013  @chriswelch

"Apple yesterday rolled out two-step verification, a security measure that
promises to further shield Apple ID and iCloud accounts from being
hijacked. Unfortunately, today a new exploit has been discovered that
affects all customers who haven't yet enabled the new feature. It allows
anyone with your e-mail address and date of birth to reset your password --
using Apple's own tools. We've been made aware of a step-by-step tutorial
(which remains available as of this writing) that explains in detail how to
take advantage of the vulnerability.  The exploit involves pasting in a
modified URL while answering the DOB security question on Apple's iForgot
page. It's a process just about anyone could manage, and The Verge has
confirmed the glaring security hole firsthand."

http://www.theverge.com/2013/3/22/4136242/major-security-hole-allows-apple-id-passwords-reset-with-email-date-of-birth

------------------------------

Date: Fri, 22 Mar 2013 14:20:05 -0500
From: William Pociengel <wpociengel () yahoo com>
Subject: Re: Electronic health records: teething problems? (RISKS-27.18)

Actually you just need to use a screen name and something that looks like a
valid e-mail address. It accepts and posts your comment; but yes it is a bit
odd to request an e-mail address.

------------------------------

Date: Fri, 22 Mar 2013 08:37:08 -0500
From: William Pociengel <wpociengel () yahoo com>
Subject: Re: Mars Rover is Repaired, NASA Says (Re: RISKS-27.21)

Since when did NASA stop using 3 computers for deep space exploration?  They
always used to have every critical system in 3's for this very reason.

------------------------------

Date: Fri, 22 Mar 2013 11:32:33 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Fake silicone fingers strike again (RISKS-27.21)

It is amazing that the system would be vulnerable to this attack, especially
since the vulnerability was suggested long before such systems even
existed.  In his movie Sleeper, released in 1973, Woody Allen employs
exactly this method to subvert a fingerprint scanning system; I'm quite sure
he was not the first to suggest it either.

------------------------------

Date: Fri, 22 Mar 2013 15:27:32 +0000
From: Wol <antlists () youngman org uk>
Subject: Re: Attorney General's testimony on Aaron Swartz raises more ...

It's interesting to see how other jurisdictions handle this.

There's been a recent case in the UK where the prosecutor did this (quote a
maximum sentence). And on appeal this was all the justification the appeal
court needed to throw a guilty plea out of the window and overturn the
entire court-martial.

The message is clear. In the UK this is totally unacceptable practice.

------------------------------

Date: Sat, 23 Mar 2013 10:30:41 +0800
From: jidanni () jidanni org
Subject: Microwave oven interference robustness mode

The IEEE 802.11 committee that developed the Wi-Fi specification conducted
an extensive investigation into the interference potential of microwave
ovens.  A typical microwave oven uses a self-oscillating vacuum power tube
called a magnetron and a high voltage power supply with a half-wave
rectifier (often with voltage doubling) and no DC filtering. This produces
an RF pulse train with a duty cycle below 50% as the tube is completely off
for half of every AC mains cycle: 8.33 ms in 60 Hz countries and 10 ms in 50
Hz countries.

This property gave rise to a Wi-Fi "microwave oven interference robustness"
mode that segments larger data frames into fragments each small enough to
fit into the oven's "off" periods.

http://en.wikipedia.org/wiki/Electromagnetic_interference_at_2.4_GHz#Microwave_oven
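
The fragment-sizing idea above, worked through as an added example (not part of the original message or of any 802.11 implementation): it models the oven's "off" half-cycle as a transmission budget and asks how large a fragment, including its preamble, MAC overhead and the ACK it waits for, can fit inside it. The PLCP, SIFS, header and ACK timings are assumed 802.11b DSSS values chosen for illustration, and the 2304-byte MSDU cap is likewise an assumption of the model.

```python
"""Model of Wi-Fi "microwave oven interference robustness" fragmentation.

Constructed example: the magnetron is off for half of each mains cycle,
so a fragment whose whole exchange (data + SIFS + ACK) fits in that window
can be delivered without being hit by the oven's RF pulse.
"""

# Assumed 802.11b (DSSS) timing parameters, in microseconds and bytes.
PLCP_LONG_PREAMBLE_US = 192   # 144 us preamble + 48 us PLCP header at 1 Mbps
SIFS_US = 10                  # short interframe space before the ACK
MAC_HEADER_BYTES = 24         # data frame header (addresses, seq/frag control)
FCS_BYTES = 4
ACK_BYTES = 14
ACK_RATE_MBPS = 1.0           # control frames go out at the basic rate


def oven_off_window_us(mains_hz: float) -> float:
    """Half-wave rectified supply: the tube is off for half of each mains cycle."""
    return 1_000_000.0 / (2.0 * mains_hz)   # 8333 us at 60 Hz, 10000 us at 50 Hz


def fragment_airtime_us(payload_bytes: int, rate_mbps: float) -> float:
    """Airtime of one data fragment plus the SIFS and ACK that follow it."""
    data_bits = 8 * (MAC_HEADER_BYTES + payload_bytes + FCS_BYTES)
    data_us = PLCP_LONG_PREAMBLE_US + data_bits / rate_mbps
    ack_us = PLCP_LONG_PREAMBLE_US + 8 * ACK_BYTES / ACK_RATE_MBPS
    return data_us + SIFS_US + ack_us


def max_payload_in_window(mains_hz: float, rate_mbps: float,
                          msdu_cap: int = 2304) -> int:
    """Largest fragment payload whose data+ACK exchange fits in one off window.

    The fixed per-fragment overhead is paid first; whatever budget is left is
    converted to payload bytes at the data rate. Returns 0 if even an empty
    fragment does not fit.
    """
    budget_us = oven_off_window_us(mains_hz) - fragment_airtime_us(0, rate_mbps)
    if budget_us <= 0:
        return 0
    return min(msdu_cap, int(budget_us * rate_mbps // 8))


def fragment_msdu(msdu_len: int, mains_hz: float, rate_mbps: float) -> list[int]:
    """Split an MSDU into fragment payload sizes that each fit an off window."""
    size = max_payload_in_window(mains_hz, rate_mbps)
    if size == 0:
        return []
    full, rest = divmod(msdu_len, size)
    return [size] * full + ([rest] if rest else [])


if __name__ == "__main__":
    # At 1 Mbps in a 60 Hz country a full-size MSDU needs three fragments;
    # at 11 Mbps the same MSDU fits in a single off window.
    print(fragment_msdu(2304, 60, 1.0))    # [950, 950, 404]
    print(fragment_msdu(2304, 60, 11.0))   # [2304]
```

The point the numbers make is that the budget is dominated by fixed overhead at low rates: at 1 Mbps the preamble, header and ACK consume roughly 730 us of the 8333 us window before any payload is sent.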

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.22
************************
