mailing list archives
Risks Digest 27.79
From: RISKS List Owner <risko () csl sri com>
Date: Thu, 6 Mar 2014 10:55:22 PST
RISKS-LIST: Risks-Forum Digest Thursday 6 March 2014 Volume 27 : Issue 79
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at
95% of bank ATMs face XP end of security support (Henry Baker)
"7 hidden dangers of wearable computers" (Jaikumar Vijayan via
"Techies: Take a congressman and a cop to work with you" (Bill Snyder via
"Two more Bitcoin exchanges fall prey to alleged hacker theft" (Kevin Lee
via Gene Wirchenko)
"What Disney World teaches us about mobile payments" (Galen Gruman via
Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
(Ars Technica via Lauren Weinstein)
Linksys E1000, E1200, and E2400 routers reportedly have exploitable
vulnerability (Bob Gezelter)
Re: Apple Rolls Out CarPlay (Bob Frankston)
TrustyCon and the RSA con NSA poll (Scott Miller)
Re: Smarter caller-id spoofing (Chris Drewe)
Apple security rules leave inherited iPad useless (Amos Shapir)
Author Anne Rice has it dead wrong on comments and anonymity
Race To Stop 'Revenge Porn' Raises Free Speech Worries (Lauren Weinstein)
Medtronic Carelink User Guide on passwords (Shawn Merdinger)
Book review: Adam Shostack, Threat Modeling: Designing for Security
Abridged info on RISKS (comp.risks)
Date: Tue, 04 Mar 2014 06:34:04 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: 95% of bank ATMs face XP end of security support
FYI -- "Banks everywhere are in a race against time to upgrade their ATMs
_before_ they become hot targets for hackers." "Before" ???
I can't wait for the security popup window (see link below) to show up on
the 8th of each month on my bank's XP ATM machine.
Of course, the cure may be worse than the disease: "Modern technology allows
companies to push software updates via their networks instead of paying each
ATM a physical visit." What could possibly go wrong with this plan,
especially when these same banks have yet to upgrade to TLS1.2 on their own
websites ? --- Published on Dec 29, 2013 Electronic Bank Robberies:
Stealing Money from ATMs with Malware:
BTW, these US banks are subsidized by US taxpayers through below-market
interest rates from the Fed, so US taxpayers are paying for this folly, not
"Yes, Microsoft will use a popup to push users off of Windows XP"
95% of bank ATMs face end of security support
By Jose Pagliery @Jose_Pagliery March 4, 2014: 6:59 AM ET
Nearly all ATMs run on Windows XP, and that'll soon be a problem.
NEW YORK (CNNMoney)
Banks everywhere are in a race against time to upgrade their ATMs before
they become hot targets for hackers.
An estimated 95% of American bank ATMs run on Windows XP, and Microsoft is
killing off tech support for that operating system on April 8. That means
Microsoft (MSFT, Fortune 500) will no longer issue security updates to patch
holes in Windows XP, leaving those ATMs exposed to new kinds of
"This isn't a Y2K thing, where we're expecting the financial system to shut
down. But it's fairly serious," said Kurtis Johnson, an ATM expert with
U.S. manufacturer Triton.
If banks fail to upgrade their ATMs to a newer version of Windows by April,
customers might be at risk. If hackers discover new flaws in Windows XP,
those bugs will go unaddressed, leaving attackers free to exploit them.
It can't yet be known what hackers could do with a Windows XP ATM after
April 8. But the prospect of providing a potentially compromised machine
with your account and PIN information is unsettling.
Major banks are now cutting special deals with Microsoft to extend life
support for their Windows XP machines while they replace their fleet of
ATMs. JPMorgan (JPM, Fortune 500) bought a one-year extension of service
and plans to start upgrading ATMs to Windows 7 at Chase banks in July.
Citibank (C, Fortune 500) and Wells Fargo (WFC, Fortune 500) said they're
also upgrading ATMs, but they wouldn't provide details about their plans.
Bank of America (BAC, Fortune 500) did not respond to requests for comment.
Replacing the operating systems on ATMs is a major undertaking. In the
United States, there are 210,500 bank ATMs, about 200,000 of which run on
Windows XP, according to Retail Banking Research in London. In most cases,
banks must upgrade the software one ATM at a time, and some will need the
entire computer inside replaced too. Labor included, it's a process that
experts in the ATM industry say could cost anywhere between $1,000 and
"Once they start using an operating system, they'll ride it as long and as
hard as they can," said Wes Dunn, a sales executive at ATM manufacturer
Microsoft CEO: "Mobile first, cloud first"
It might sound odd that ATMs are running on aging software better suited to
a home PC. In fact, security experts have chastised the financial industry
for putting ATMs on a PC operating system in the first place. They argue
ATMs should be using software that is scaled down and less buggy, such as
But banks long ago decided that Microsoft's familiar way of displaying
windows and text would sit well with customers.
Upgrading to Windows 7 or 8 will give ATMs more of a sleek feel that
resembles the latest apps on tablets and smartphones, said Jeff Dudash, a
spokesman for ATM manufacturer NCR.
One ATM manufacturer, Diebold (DBD), says banks are using this opportunity
to add newer card readers to their ATMs that accept more secure chip-and-PIN
cards. Those cards have already been adopted worldwide but have yet to grow
popular in the United States.
Banks that retrofit their ATMs with new hardware will, in the future, be
able to upgrade their entire fleets of ATMs with a click of a button.
Modern technology allows companies to push software updates via their
networks instead of paying each ATM a physical visit.
Ironically, bank customers have less to worry about from those nondescript
ATMs found in malls, bars and tiny convenience stores. Those 208,000
independently-run kiosks, built by Triton, Genmega and Nautilus Hyosung,
make up the other half of the nation's ATMs. And nearly all of them run on
an even older, simpler operating system called Windows CE -- which Microsoft
First Published: March 4, 2014: 6:59 AM ET
Date: Tue, 04 Mar 2014 09:15:44 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "7 hidden dangers of wearable computers" (Jaikumar Vijayan)
Jaikumar Vijayan, Computerworld, March 4, 2014 (via InfoWorld)
Wearable computers like smart watches offer myriad benefits, but they
also raise security concerns.
Date: Thu, 06 Mar 2014 09:34:42 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Techies: Take a congressman and a cop to work with you"
Bill Snyder, InfoWorld, 6 Mar 2014
From distracted driving to virtual money, the law and lawmakers can't keep
up with technological change. Let's clue them in.
As we all know, technology moves at a lightning pace. But the law moves
much, much slower. A glance at some of the events that have made news
recently shows why we need to periodically get policy makers and enforcers
into the tech trenches.
Date: Wed, 05 Mar 2014 08:28:23 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Two more Bitcoin exchanges fall prey to alleged hacker theft"
Kevin Lee, *Tech Radar*, 4 Mar 2014
Bitcoin taking the one-two punch
A pair of Bitcoin exchanges have gone down after a bout of hacking attacks.
Flexcoin announced that its virtual vault was emptied by Internet thieves
and that it will be shutting down immediately.
The second bad news for Bitcoin came from Poloniex, which admitted it lost
12.3% of its cryptocurrency funds in an estimated $50,000.
Date: Tue, 04 Mar 2014 09:12:23 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "What Disney World teaches us about mobile payments" (Galen Gruman)
Galen Gruman, InfoWorld, 04 Mar 2014
Even in a highly controlled environment, the popular notion struggles
to work as needed.
Date: Tue, 4 Mar 2014 12:17:02 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
"Hundreds of open source packages, including the Red Hat, Ubuntu, and
Debian distributions of Linux, are susceptible to attacks that circumvent
the most widely used technology to prevent eavesdropping on the Internet,
thanks to an extremely critical vulnerability in a widely used
cryptographic code library. The bug in the GnuTLS library makes it
trivial for attackers to bypass secure sockets layer (SSL) and Transport
Layer Security (TLS) protections available on websites that depend on the
open source package. Initial estimates included in Internet discussions
such as this one indicate that more than 200 different operating systems
or applications rely on GnuTLS to implement crucial SSL and TLS
operations, but it wouldn't be surprising if the actual number is much
higher. Web applications, e-mail programs, and other code that use the
library are vulnerable to exploits that allow attackers monitoring
connections to silently decode encrypted traffic passing between end users
and servers. The bug is the result of commands in a section of the GnuTLS
code that verify the authenticity of TLS certificates, which are often
known simply as X509 certificates."
http://j.mp/1jPcVOr (Ars Technica via NNSquad
Date: Wed, 05 Mar 2014 00:58:40 -0700
From: "Bob Gezelter" <gezelter () rlgsc com>
Subject: Linksys E1000, E1200, and E2400 routers reportedly have exploitable
There is reportedly another vulnerability in a SOHO router product, this
time affecting a family of Linksys products. Apparently, the vulnerability
affects the Home Network Administration Protocol (HNAP) used for remote
management of routers and firewalls. From the report, it appears to be
another case of weak authentication. The ARS Technica report can be found
The SANS blog post is at:
Bob Gezelter, http://www.rlgsc.com
Date: 3 Mar 2014 20:21:30 -0500
From: "Bob Frankston" <bob2 () bob ma>
Subject: Re: Apple Rolls Out CarPlay (RISKS-27.78)
It's hard to tell how open the interface is from these announcements.
According to http://goo.gl/Lg7rpk it is a factory feature. Given it's 2014
why not make this a generic network connection? Do others on the list have
There's a risk here in locking cars into Apple's silo instead of a more open
protocol. http://goo.gl/TvVyiC laments automobile manufacturers understand
these new technologies.
What would be nice is more of an open BYOD (Bring Your Own Device) attitude
with a place for mounting devices and access to screens but then we get into
regulations, liability, the business model of the automobile industry and
Date: Tue, 4 Mar 2014 07:41:51 -0500
From: "Scott Miller" <SMiller () unimin com>
Subject: TrustyCon and the RSA con NSA poll (Re: RISKS-27.78)
On the other paw, there is this article stating that a poll taken at the RSA
conference to which TrustyCon is the intended counterpoint has 52% of
respondents disagreeing that NSA surveillance went too far. Which, if
accurate and representative, suggests that the enemies of privacy are not
only the NSA and companies such as RSA that depend on the MIC and the Wars
On Everything, but a very large number of individual information security
practitioners, as well. Perhaps a case should be made to restructure
organizations for infosec professionals to reflect who is on which side here
(I do think that at this point in the debate, "sides" is an appropriate
Date: Wed, 05 Mar 2014 19:10:40 +0000
From: "Chris Drewe" <e767pmk () yahoo co uk>
Subject: Re: Smarter caller-id spoofing (RISKS-27.75)
This may be old news now, but I just spotted this on *The Telegraph* web site.
Jessica Winch, *The Telegraph*, 5 Mar 2014
Caller ID shows your bank's number -- but it's actually a fraudster
Conmen are using fake 'caller ID' numbers to persuade victims that the call
is from their bank; Watch out for phony e-commerce sites looking to steal
your money and personal data.
Fraudsters are targeting bank customers with a new scam using fake caller ID
The conmen call the customer and pretend to be a representative from their
bank or credit card company. They convince customers the call is from their
bank because the caller ID matches a legitimate bank number, often the one
printed on the back of a bank card. The scammers then persuade the customer
to hand over sensitive personal and financial information.
The scam, known as "number spoofing", has been widespread in the United
States for at least a year and is now becoming common in Britain. According
to Ofcom, the phone regulator, the fraudsters use software to manipulate the
caller ID number. [...]
Date: Wed, 5 Mar 2014 17:58:18 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: Apple security rules leave inherited iPad useless
Inherited iPad cannot be used because Apple does not know how to deal with
wills. Full story at: http://www.bbc.com/news/technology-26448158
Beside the technical points, there is an interesting point of principle
here: Do rules set up by a multi-national company trump the law of the land?
Date: Wed, 5 Mar 2014 16:56:24 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Author Anne Rice has it dead wrong on comments and anonymity
"Anne Rice signs petition to protest bullying of authors on Amazon"
"The Interview with the Vampire author is a signatory to a new petition,
which is rapidly gathering steam, calling on Amazon to remove anonymity
from its reviewers in order to prevent the "bullying and harassment" it
says is rife on the site."
http://j.mp/1fISk9B (*The Guardian* via NNSquad)
Anne Rice apparently only wants good reviews. Because the problem with
removing anonymity in book (or app!) reviews is that it skews reviews toward
the positive. It creates a "fan boy" atmosphere were anyone who dares to
speak out against a book or app (or whatever) is set upon by the fan
boys. And it discourages people who may have special knowledge about
sensitive topics from reviewing at all. Think of a parent who has a child
with a disease that carries stigma -- afraid to comment non-anonymously for
fear of the impact on that child. Sorry, Anne, you're missing the
point. Bullying is bad, but trying to kill anonymity is even worse.
Date: Thu, 6 Mar 2014 09:43:20 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Race To Stop 'Revenge Porn' Raises Free Speech Worries
"This is a delicate issue," says Lee Rowland of the American Civil
Liberties Union, who says the legislation is "spreading like wildfire."
"The ACLU is concerned both with the protection of privacy and free speech
rights." "But the reality is that revenge porn laws tend to criminalize
the sharing of nude images that people lawfully own," says Rowland, a
lawyer with the ACLU's Speech, Privacy and Technology Project. "That
treads on very thin ice constitutionally." The compelling constitutional
questions, however, have not slowed the state-level efforts to criminalize
the distribution and posting of explicit photos or videos without the
consent of the subject.
http://j.mp/1fbdVau (NPR via NNSquad)
The intersection of privacy and free speech is clearly among the most
complex policy-related Internet areas. No simple answers.
Date: Tue, 4 Mar 2014 14:47:14 -0500
From: Shawn Merdinger <shawnmer () gmail com>
Subject: Medtronic Carelink User Guide on passwords
"You may use these stickers to write your username and password and post on
your computer monitor."
While I can understand the rationale behind this, and in some ways it makes
sense. For a home health monitoring system, the user is likely sick, older,
perhaps mentally not all there, or otherwise incapacitated...and perhaps
relying on a family member or outside caregiver or skilled computer user. So
the time delays in finding or remembering a lost/forgotten password may have
a higher HEALTH risk than the risk of these credentials openly displayed in
the home...and the vendor helpdesk costs of handling customer password
resets were also likely a driver here. That said, there are risks. It's a
matter of who pays the price, wittingly or not.
Date: Mon, 3 Mar 2014 19:50:16 -0500
From: Ben Rothke <brothke () hotmail com>
Subject: Book review: Adam Shostack,Threat Modeling: Designing for Security
When it comes to measuring and communicating threats, the most ineffective
example in recent memory was the Homeland Security Advisory System -- which
was a color-coded terrorism threat advisory scale. The system was rushed
into use and its output of colors was not clear. What was the difference
between levels such as high, guarded, and elevated? From a threat
perspective, which color was more severe - yellow or orange? Former DHS
chairman Janet Napolitano even admitted that the color-coded system
presented ``little practical information'' to the public While the DHS has
never really provided meaningful threat levels, in *Threat Modeling:
Designing for Security*, author Adam Shostack (full disclosure: Adam and I
are friends) has done a remarkable job in detailing an approach that is both
achievable and functional. More importantly, he details a system where
organizations can obtain meaningful and actionable information, rather than
vague color charts.
Full review at:
[Adam's initial epigram (attributed to George Box) is ``All models are
wrong, some models are useful.'' This is a large book, xxxiii+590 pp.,
Wiley, 2014. It distills considerable practically oriented wisdom and
experience, and should be a very valuable resource for developers of
would-be more-secure systems. Indeed, the emphasis is on practicality, as
Adam eschews higher-end more formally based approaches.
In contrast to Adam's threat-driven approach, I noted in RISKS-27.73 the
top-down approach that Nancy Leveson and Bill Young describe in their
Inside Risks article in the February 2014 issue of the *Communications of
ACM*, which begins with the enterprise-level emergent properties (e.g.,
for security and human safety) rather than driven bottom-up from the
threat models, and implicitly exposes the threat models to encompass
intentional and accidental threats.
Perhaps both of these approaches *together* might dramatically improve on
the state of the art in commercial system developments today. Adam's
approach might be limited by the incompleteness of the threat set, and
Nancy and Bill's by the difficulties in refining the analysis to encompass
all realistic threats and failure modes. PGN.]
The major sections of Adam's book have these titles:
Part 1: Getting Started
Part 2: Finding Threats
Part 3: Managing and Addressing Threats
Part 4: Threat Modeling in Technologies and Tricky Areas
Part 5: Taking It To the Next Level
Appendix A: Helpful Tools
Appendix B: Threat Trees
Appendix C: Attacker Lists
Appendix D: Elevation of Privilege: The Cards
Appendix E: Case Studies
Bibliography (24 pages) and index
Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-request () csl sri com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
End of RISKS-FORUM Digest 27.79
- Risks Digest 27.79 RISKS List Owner (Mar 06)