Home page logo
/

risks logo RISKS Forum mailing list archives

Risks Digest 27.71
From: RISKS List Owner <risko () csl sri com>
Date: Thu, 23 Jan 2014 16:00:29 PST

RISKS-LIST: Risks-Forum Digest  Thursday 23 January 2014  Volume 27 : Issue 71

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.71.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Medical "scribes" ease doctor's data entry burden (Ed Ravin)
No Girls, Blacks, or Hispanics Take AP Computer Science Exam in
  Some States (Liana Heiten)
How the Chinese Internet ended up at a house in Cheyenne, Wyoming (Brian Fung)
Dewayne Hendricks <dewayne () warpspeed com>
FBI snatches Google Glass off the face of innocent AMC movie-goer (Rob Jackson)
Google Glass-wearing movie patron questioned by Homeland Security
  agents as potential pirate (Adi Robertson)
'Sex with Glass' is getting either sex or Glass wrong (Adi Robertson
  via Monty Solomon)
`Smart' computer-based systems in your homes (Wendy M. Grossman)
The Malware That Duped Target Has Been Found (Lauren Weinstein)
Target Hackers Wrote Partly in Russian, Displayed High Skill
  (Danny Yadron Connect)
Neiman Marcus stores reportedly hacked (Krebs via Bob Gezelter)
White hat hacker says he found 70,000 records on Healthcare.gov
  through a Google search (Adrianne Jeffries via Monty Solomon)
"NSA Devises Radio Pathway Into Computers" (Sanger/Shanker)
And this time it was real SPAM? from Fridge! (Steve Lamont)
Risks of the Internet of Things (Robert Schaefer)
Mobile apps store credentials in the clear (Bob Gezelter)
Software licensing as information leak? (Stuart Levy)
What happens when your car comes pre-equipped with monitoring (Bob Gezelter)
Warning: I recommend removing your credit/debit cards from NSI
  (Lauren Weinstein)
Re: Backdoor in popular wireless routers/DSL modems (Martin Ward)
USENIX Security submissions due 27 Feb 2014 (Kevin Fu)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 12 Jan 2014 21:08:26 -0500
From: Ed Ravin <eravin () panix com>
Subject: Medical "scribes" ease doctor's data entry burden

Meet the medical scribe, who follows the doctor around and does the data
entry required by all the electronic health records systems that have
been adopted by medical care providers in recent years.  Apparently no
one budgeted for all the time needed to type stuff in, creating a new
job opportunity in the health care field:

   Physicians who use [medical scribes] say they feel liberated from the
   constant note-taking that modern electronic health records systems
   demand. Indeed, many of those doctors say that scribes have helped
   restore joy in the practice of medicine, which has been transformed --
   for good and for bad -- by digital record-keeping.  ...

   For decades, physicians pinned their hopes on computers to help them
   manage the overwhelming demands of office visits. Instead, electronic
   health records have become a disease in need of a cure, as physicians do
   their best to diagnose and treat patients while continuously feeding the
   data-hungry computer.

Full article is here:
http://www.nytimes.com/2014/01/14/health/a-busy-doctors-right-hand-ever-ready-to-type.html

*The NY Times* notes that the 70% adoption rate of electronic health records
in hospitals and doctors' offices is partly due to "tens of billions of
federal incentive payments".  They don't mention that the companies that
make the medical records systems have lobbied Congress and the public for
those types of incentives. Newt Gingrich comes to mind as one of their more
prominent (and probably more influential) paid lobbyists.

------------------------------

Date: Wed, 15 Jan 2014 11:49:12 -0500 (EST)
From: "ACM TechNews" <technews () hq acm org>
Subject: No Girls, Blacks, or Hispanics Take AP Computer Science Exam in
  Some States (Liana Heiten)

Liana Heiten, *Education Week* 10 Jan 2014 [via ACM TechNews, 15 Jan 2014]

No female, African American, or Hispanic students took the Advanced
Placement (AP) computer science exam in some states in 2013, according to
Georgia Institute of Technology computing outreach director Barbara Ericson,
who compiled state comparisons of College Board data.  In Mississippi and
Montana, no students in any of the three categories took the AP computer
science exam last year, although the College Board notes that Mississippi
only administered one of the exams and Montana only administered 11.  Eleven
states had no African-American students taking the exam, and eight states
had no Hispanic students taking the test.  Among the 30,000 students who
took the exam last year, less than 20 percent were female, about 3 percent
were African American, and 8 percent were Hispanic, according to the College
Board website.  Females, African Americans, and Hispanics also had lower
pass rates than white males on the exam, Ericson says.  AP computer science
courses "are more prevalent in suburban and private schools than in urban,
poor schools," says Ericson, noting that only 17 states currently accept
computer science as a core math or science credit.  The College Board is
committed to increasing access to rigorous computing courses and is working
with national organizations, nonprofits, and the private sector to expand
access, says spokesperson Deborah Davis.
http://blogs.edweek.org/edweek/curriculum/2014/01/girls_african_americans_and_hi.html

------------------------------

Date: January 22, 2014 at 3:47:45 PM EST
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: How the Chinese Internet ended up at a house in Cheyenne, Wyoming
  (Brian Fung)

[Note:  This item comes from friend Steve Goldstein.  DLH][via Dave Farber]

How the Chinese Internet ended up at a house in Cheyenne, Wyoming
Brian Fung, *The Washington Post*, 22 Jan 2014
<http://www.washingtonpost.com/blogs/the-switch/wp/2014/01/22/that-time-the-chinese-internet-found-itself-at-a-tiny-house-in-cheyenne-wyoming/>

It's not clear how it happened, but for several hours on Tuesday thousands
if not millions of Chinese Internet users were being dumped at the door of a
tiny, brick-front house on 2710 Thomes Ave. in Cheyenne, Wyo.

The users' Internet traffic, bound initially for Chinese social networking
sites and search engines, was redirected due to a mysterious error in the
country's domain name system, *The New York Times* reports. At first, some
speculated the malfunction in the traffic-routing machinery might have been
a cyberattack. Others said that China's Great Firewall -- the collection of
human and technological censors that blocks Web sites deemed undesirable by
the government -- simply made a tactical error.

"Either it was an intentional DNS [domain name system] hack or the
unintentional result of the Great Firewall, but I haven't seen any technical
analysis of what was more likely," Adam Segal, a scholar on China and
cybersecurity at the Council on Foreign Relations, told me.

The true nature of the mix-up may still be unclear, but there's a growing
consensus for the latter explanation. To get around the Great Firewall, many
Chinese (and expats, too) use services that route Web traffic through a
foreign IP address, effectively making it look like the traffic isn't coming
from inside China. One of these services, Sophidea, happens to be registered
at the very address in Wyoming that bore the brunt of all that traffic.

So the prevailing theory is that in trying to block Chinese traffic going to
Sophidea, the Great Firewall's operators accidentally diverted more traffic
there instead. According to a Chinese anti-virus software company, the Times
reports, about 75 percent of China's domain name system servers were
affected by the roughly eight-hour malfunction, during which Web browsers
failed to load .com, .net and .org Internet addresses.

As for the Wyoming house itself, it's not a bit unlike the wardrobe from
C.S. Lewis's "Chronicles of Narnia." It may look small on the outside, but
it technically houses around 2,000 corporate entities and people. A 2011
Reuters report says the place is filled with numbered mailboxes and serves
as the headquarters for Wyoming Corporate Services, a business that helps
set up shell companies that exist only on paper. [...]

------------------------------

Date: January 21, 2014 at 7:26:11 AM EST
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: FBI snatches Google Glass off the face of innocent AMC movie-goer
  (Rob Jackson)

  [via David Farber]

[Note:  This item comes from friend David Isenberg.  DLH]

Rob Jackson, Phandroid, 20 Jan 2014
FBI snatches Google Glass off the face of innocent AMC movie-goer
<http://phandroid.com/2014/01/20/fbi-google-glass-movie/>

Love it or hate it, Google Glass has been the cause for a lot of excitement
lately. Last week it was pronounced legal to wear but not use while driving
in the state of California. Shortly after, Glass was making waves again with
the launch of an app called `Sex with Glass', allowing participants to
essentially create their own sex tapes with the facial tech. Apparently, the
FBI felt left out of all the fun.

At an AMC theater in Easton Mall in Columbus, Ohio, one Google Glass
Explorer went to see Jack Ryan: Shadow Recruit, but got a rude awakening
instead. An hour into the movie he was approached by a federal agent who,
without hesitation, snatched the Google Glass off the man's face and removed
him from the theater.

Outside there were 5 to 10 officers and agents who proceeded to allegedly
badger and question him for over 3 hours, suggesting he was illegally
recording the movie. Let's get a few facts out of the way:

* It's probably not smart to bring a recording device into a movie theater,
  but let's not forget mostly everyone takes a mobile phone into a theater
  that is perfectly capable of recording.

* The man's Google Glass were the prescription version, so he essentially
  needed them on to see the movie (maybe he should have worn other glasses).

* The man had his Google Glass powered off in advance to avoid any
  misunderstandings.

The authorities eventually let the man go, but not without hours of
intimidation and a frightening story that has him shaking -- literally --
even a day after the event. A Movie Association representative compensated
the Glass Explorer with 2 free movie tickets for his night of troubles.

The authorities certainly have the right to remove a patron from the theater
suspected of recording the screen, but should wearing Google Glass be
suspicion enough? The Explorer cooperated with the authorities, but
considering his rights and his innocence, would you have acted differently
or pursued a better outcome?

As Google Glass and other wearable tech become more prevalent, you can bet
we'll hear a lot more of these stories popping up across the world. ...

------------------------------

Date: Tue, 21 Jan 2014 23:39:32 -0500
From: Monty Solomon <monty () roscom com>
Subject: Google Glass-wearing movie patron questioned by Homeland Security
  agents as potential pirate (Adi Robertson)

Adi Robertson, 21 Jan 2014

Wearing Google Glass recently proved perilous for a movie patron in
Columbus, Ohio. On Monday, The Gadgeteer posted a frightening story
apparently from a member of the Glass Explorer program. An hour into
watching Jack Ryan: Shadow Recruit wearing his prescription version of
Glass, he said, he'd been abruptly pulled from the theater and interrogated
at length by "feds," who accused him of attempting to pirate the movie by
recording it.

What followed was over an hour of the "feds" telling me I am not under
arrest, and that this is a "voluntary interview", but if I choose not to
cooperate bad things may happen to me (is it legal for authorities to
threaten people like that?). [...] They wanted to know who I am, where I
live, where I work, how much I'm making, how many computers I have at home,
why am I recording the movie, who am I going to give the recording to, why
don't I just give up the guy up the chain, 'cause they are not interested in
me. Over and over and over again.

After going through the photos on his device, the man says, the officers
concluded that there'd been a misunderstanding, and theater owner AMC called
a man from the "Movie Association," who gave him free passes to see the film
again. But the man described himself as shaken by the incident, especially
because he'd worn Glass to the theater before and had no trouble. The story
initially seemed too dramatic to be true, but both AMC and the Department of
Homeland Security's Immigration and Customs Enforcement division have
confirmed it. [...]

http://www.theverge.com/2014/1/21/5331748/google-glass-wearing-movie-patron-questioned-for-piracy

------------------------------

Date: Tue, 21 Jan 2014 23:44:52 -0500
From: Monty Solomon <monty () roscom com>
Subject: 'Sex with Glass' is getting either sex or Glass wrong
  (Adi Robertson)

Adi Robertson, 20 Jan 2014

Eager to tap the largely unexplored market for erotic Google Glass
experiences, a team of hackathon participants have somehow created both an
intriguing app and a weird, depressing commentary on gender.

Called Sex with Glass, the app shares some DNA with James Deen's parody
video: assuming that you and your partner are both participating in a closed
beta that requires purchase of a $1,500 headset, you can both don the
fragile prototypes and have extremely cautious intercourse while watching a
live camera feed from the other person's viewpoint. There are a few other
commands ("Okay Glass, play Marvin Gaye" and "Okay Glass, give me ideas")
and a few dirty puns, but these are all distractions from the main event.
Afterwards, it promises to "put all the footage together" into a video,
which will disappear five hours after being constructed.

http://www.theverge.com/2014/1/20/5328772/sex-with-google-glass-app-is-getting-either-sex-or-glass-wrong

------------------------------

Date: Thu, 16 Jan 2014 13:52:36 +0000
From: "Wendy M. Grossman" <wendyg () pelicancrossing net>
Subject: `Smart' computer-based systems in your homes

Obvious points:

1. NEST has apparently failed to learn from many decades of computer
programming experience that you don't roll out an upgrade to all your
customers until you've done a thorough small-scale test and you always
ensure you have a readily applicable rollback method. See also CompuServe
UK, c. 1991, AT&T...

2. Despite the scathing comments from one poster, problems for the entire
category are quite clear: how "smart home" components will be patched, who
will be liable for failures, and how to cope when critical elements fail if
you've taken out all the fallbacks.  Plus the fact that "smart" systems that
learn from your past behavior are ignoring a lesson dunned into all of us
with respect to financial investments: past performance is no guarantee of
future behavior.

www.pelicancrossing.net  Twitter: @wendyg

------------------------------

Date: Thu, 16 Jan 2014 17:13:54 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: The Malware That Duped Target Has Been Found

  "The malicious program used to compromise Target and other companies was
  part of a widespread operation using a Trojan tool known as Trojan.POSRAM,
  according to a new report released Thursday about an operation that
  investigators have dubbed Kaptoxa."  [literally more like Kartocha, PGN]
    http://j.mp/LmaJCc  (Wired via NNSquad)

    [Late count seems to be 110 million customers' records implicated.  The
    identity of the alleged culprit(s) remains unclear, despite some initial
    reports.  PGN]

------------------------------

Date: Tue, 21 Jan 2014 20:56:36 -0500
From: Monty Solomon <monty () roscom com>
Subject: Target Hackers Wrote Partly in Russian, Displayed High Skill
  (Danny Yadron Connect)

Danny Yadron Connect, *Wall Street Journal*, 16 Jan 2014
Hacking Campaign Appears Broad, Sophisticated and Against Many Retailers

The holiday data breach at Target Corp. appeared to be part of a broad and
highly sophisticated international hacking campaign against multiple
retailers, according to a report prepared by federal and private
investigators that was sent to financial-services companies and retailers.

The report offers some of the first details to emerge about the source of
the attack that compromised 40 million credit- and debit-card accounts and
personal data for 70 million people. It also provided further evidence the
attack on Target during peak holiday shopping was part of a concerted effort
by skilled hackers.

Parts of the malicious computer code used against Target's credit-card
readers had been on the Internet's black market since last spring and were
partly written in Russian, people familiar with the report said. Both
details suggest the attack may have ties to organized crime in the former
Soviet Union, former U.S. officials said. ...

http://online.wsj.com/news/articles/SB1000142405270230441910457932490260242686
2

------------------------------

Date: Sat, 11 Jan 2014 10:22:29 -0700
From: "Bob Gezelter" <gezelter () rlgsc com>
Subject: Neiman Marcus stores reportedly hacked

There has been a reported surge in fraudulent credit card activity connected
with cards used at Neiman Marcus stores in the Dallas, Texas area. According
to a company spokesperson, a forensics firm and the Secret Service are
presently investigating.  Reportedly, the breach has been confirmed, but
details remain undisclosed.  The original report can be found at:
http://krebsonsecurity.com/2014/01/hackers-steal-card-data-from-neiman-marcus/

Bob Gezelter, http://www.rlgsc.com

------------------------------

Date: Tue, 21 Jan 2014 23:42:45 -0500
From: Monty Solomon <monty () roscom com>
Subject: White hat hacker says he found 70,000 records on Healthcare.gov
  through a Google search (Adrianne Jeffries)

White hat hacker says he found 70,000 records on Healthcare.gov through a
Google search

Adrianne Jeffries, *The Verge*, 21 Jan 2014

The federal health insurance marketplace at Healthcare.gov still has major
security issues according to some experts, including a flaw that allows user
records to show up in Google results.

At least 70,000 records with personal identifying information including
first and last names, addresses, and user names are accessible by using an
advanced Google search and then tweaking the resulting URLs, according to
David Kennedy, founder of the security firm TrustedSec. Kennedy notes that
he never modified any URLs, just that he noticed that it was possible.

Kennedy first testified about the issue before a Congressional committee in
November, he says, but it still hasn't been resolved.  It's just one of
several issues he's identified with the site, and it's actually one of the
easier ones to fix: Kennedy estimates it would take just a few days to hide
the records. ...

http://www.theverge.com/2014/1/21/5331756/white-hat-hacker-says-he-found-70000-records-on-healthcare-gov

------------------------------

Date: Wed, 15 Jan 2014 11:49:12 -0500 (EST)
From: "ACM TechNews" <technews () hq acm org>
Subject: "NSA Devises Radio Pathway Into Computers" (Sanger/Shanker)

David E. Sanger, Thom Shanker, *The New York Times*, 14 Jan 2014
  [via ACM TechNews, 15 Jan 2014]

The U.S. National Security Agency (NSA) has embedded software within nearly
100,000 computers worldwide, enabling the United States to monitor those
machines and set up a digital pathway for launching cyberattacks.  The
software uses technology that employs a covert channel of radio waves that
can be sent from tiny circuit boards and USB cards inserted secretly into
the computers.  The transceivers can share information with an NSA field
station or hidden relay station up to eight miles away, which communicates
back to the agency's Remote Operations Center.  The transceiver also is
capable of malware transmission.  The system addresses the challenge of
infiltrating computers that adversaries have tried to render invulnerable to
surveillance or cyberattack by keeping them disconnected from the Internet.
"What's new here is the scale and the sophistication of the intelligence
agency's ability to get into computers and networks to which no one has ever
had access before," says the Center for Strategic and International Studies'
James Lewis.  Officials and experts stress that the bulk of these software
implants are defensive, used solely for surveillance and as an early warning
system for cyberattacks targeting the United States.
http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html

------------------------------

Date: Mon, 20 Jan 2014 17:36:06 -0800
From: spl () tirebiter org (Steve Lamont)
Subject: And this time it was real SPAM? from Fridge!

Fridge sends spam emails as attack hits smart gadgets
http://www.bbc.co.uk/news/technology-25780908

A fridge has been discovered sending out spam after a web attack managed to
compromise smart gadgets.  The fridge was one of more than 100,000 devices
used to take part in the spam campaign.  Uncovered by security firm
Proofpoint, the attack compromised computers, home routers, media PCs and
smart TV sets.  The attack is believed to be one of the first to exploit the
lax security on devices that are part of the "Internet of things".

The spam attack took place between 23 Dec 2013 and 6 Jan 2014, said
Proofpoint in a statement. In total, it said, about 750,000 messages were
sent as part of the junk mail campaign. The emails were routed through the
compromised gadgets.

About 25% of the messages seen by Proofpoint researchers did not pass
through laptops, desktops or smartphones, it said. [...]

See also
http://www.proofpoint.com/about-us/press-releases/01162014.php

------------------------------

Date: Thu, 16 Jan 2014 09:24:07 -0500
From: Robert Schaefer <rps () haystack mit edu>
Subject: Risks of the Internet of Things

Trust Me (I'm a kettle) by Charlie Stross
  and
The kettle of doom by Matthew Squair

These two links are by way of the critical safety mailing list (highly
recommended) and are about the risks of the Internet of things.

http://www.antipope.org/charlie/blog-static/2013/12/trust-me.html
http://criticaluncertainties.com/2013/12/20/the-kettle-of-doom/

The original article on kettles as a trojan horse bearing malware comes
from an October 2013 report in *The Register*.
http://www.theregister.co.uk/2013/10/29/dont_brew_that_cuppa_your_kettle_could_be_a_spambot/

"The possibilities are endless: it's the dark side of the Internet of
things. If you'll excuse me now, I've got to go wallpaper my apartment in
tinfoil ..."

robert schaefer
Atmospheric Sciences Group
MIT Haystack Observatory
Westford, MA 01886

email:  rps () haystack mit edu
voice:  781-981-5767
www:  http://www.haystack.mit.edu

------------------------------

Date: Fri, 17 Jan 2014 03:06:41 -0700
From: "Bob Gezelter" <gezelter () rlgsc com>
Subject: Mobile apps store credentials in the clear

Reportedly, version 2.6.1 of the Starbucks iOS app stores the user's
Starbucks loyalty credentials en clair in the device file system.  This
exposes the credentials to theft if the device is imaged, lost (or if the
computing device being used to backup the device is compromised).
Generically, it is a poor practice to save login credentials in forms that
can be compromised. Mobile developers should take care, this class of
vulnerability often is implemented as a "feature" to enable easier use, it
is a serious vulnerability on many fronts and should not be done. More care
is needed to protect information that can be translated into real money. For
that matter, with the increasing forensic use of digital footprints, the
ability to effectively steal someone's digital identifier provides the
ability to create a trail of someone being where they have not been.  The
original report can be found at:
http://seclists.org/fulldisclosure/2014/Jan/64

Bob Gezelter, http://www.rlgsc.com

------------------------------

Date: Fri, 10 Jan 2014 18:02:33 -0600
From: Stuart Levy <stuartnlevy () gmail com>
Subject: Software licensing as information leak?

Our group uses several kinds of commercial software, under license control.
"Floating" licensing is convenient -- some number of licenses are made
available, and a central server parcels them out, ensuring that at-most-N
are in use at once, but possibly by a larger set of machines.  The server
knows when & where an instance of the licensed program is started and
finishes, but not more than that.

We're now looking at some software which chose a different vendor's scheme.
For their floating licensing, they hooked up with a company that distributes
an across-the-board software management solution.  The design is for
enterprise system administrators to be able to track *all* software
installed on *any* monitored machine -- and select some subset of packages
as "interesting".  Interesting software can be usage-tracked, and optionally
flagged as being under a variety of kinds of license control.  It seems to
be a well-designed system.

But...

In order to do this, when you install the software on any client machine, it
scans the entire machine for any sort of graphical app, and reports the full
list of programs to the central server.  A server administrator can see the
list of programs installed on any client computer.  My Mac had 536 (!)
entries.

Also: whenever you invoke any app -- not just one that's under license
control, but anything -- the central server is notified (in clear text over
the network) of what app you ran, where, by whom, and for how long.  It logs
the invocation in a database, even if the app isn't listed as "interesting",
presumably for future reference in case it becomes interesting later.

This bugs me.  I hope it bugs you.  We'd been considering getting this
floating-license setup for some software that students would use, to allow
them to put it on their own laptops and develop freely.  If it worked like
other licensing systems, that'd be fine.  But if it's going to reveal
everything they've installed on their personal machines and when they run
it, then -- even if we trust the people running the server (us) -- maybe we
shouldn't use this vendor's floating license scheme after all.

That's easy for me to say.  If I were a student, I wouldn't be given that
choice.

------------------------------

Date: Sat, 11 Jan 2014 10:35:30 -0700
From: "Bob Gezelter" <gezelter () rlgsc com>
Subject: What happens when your car comes pre-equipped with monitoring

An interesting question. What happens when your car comes pre-equipped with
monitoring? Who has access to the data and for what purposes?  New
generation cars are being equipped with instrumentation and audio-visual
recording technologies. The "goal" is to improve the car and better
understand what was happening prior to an accident. However, the information
will be recorded regardless. Who has access to this information and under
what safeguards is a serious question.  Consider audio recording. Should a
manufacturer be able to download audio contents from a vehicle at any time?
What is privacy?  Your mumblings while in transit? Conversations with your
business colleagues? Your spouse? Your date? Even in the context of accident
reconstruction, safeguards are needed. What about the legal question (e.g.,
recording people without their consent and without notice).  A complex
topic, to be sure.

*The NY Times* article can be found at:
http://www.nytimes.com/2014/01/11/business/the-next-privacy-battle-may-be-waged-inside-your-car.html

I previously discussed some of these issues in a blog article on the use of
GPS data entitled "GPS Recorders and Law Enforcement Accountability" (August
2010) at
http://www.rlgsc.com/blog/ruminations/gps-and-law-enforcement-accountability.html.

Bob Gezelter, http://www.rlgsc.com

------------------------------

Date: Wed, 22 Jan 2014 09:13:30 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Warning: I recommend removing your credit/debit cards from NSI

Warning: I recommend removing your credit/debit cards from all Network
Solutions/Web.com accounts

http://j.mp/1dPevzH  (Google+ via NNS)

I am attempting to verify this rather incredible story. In the meantime, if
you have any credit or debit cards on file with Network Solutions or any
other Web.com company, I recommend immediately removing them from your
account profiles. In fact, even if this particular story turns out not to be
true, I'd make the same recommendation given their ongoing shady practices
that are already confirmed.

Reference: "Network Solutions Auto-Enroll: $1,850":
http://j.mp/1dPf3Wh  (inessential)

  "To help recapture the costs of maintaining this extra level of security
  for your account, your credit card will be billed $1,850 for the first
  year of service on the date your program goes live. After that you will be
  billed $1,350 on every subsequent year from that date. If you wish to opt
  out of this program you may do so by calling us at 1-888-642-0265."

    [Apparently public outrage has led NSI to reverse this policy to be
    opt-in, not opt-out.  PGN]

------------------------------

Date: Wed, 22 Jan 2014 17:39:48 +0000
From: Martin Ward <martin () gkc org uk>
Subject: Re: Backdoor in popular wireless routers/DSL modems (Baker, RISKS-27.70)

If the bad guys have physical access to the router in your home, then you
have bigger things to worry about than them plugging a USB stick into your
router!

Dr Martin Ward STRL Principal Lecturer and Reader in Software Engineering

------------------------------

Date: Tue, 21 Jan 2014 22:57:18 -0500
From: Kevin Fu <kevinfu () umich edu>
Subject: USENIX Security submissions due 27 Feb 2014

A reminder that the submission deadline for USENIX Security is Feb 27th,
2014.  Don't be late!  I've added some new topics such as the "public good"
category while keeping traditional technical topics as the continues to
grow.

https://www.usenix.org/sites/default/files/sec14_cfp_011514.pdf
https://www.usenix.org/conference/usenixsecurity14/call-for-papers

Kevin Fu, Associate Professor, EECS Department, The University of Michigan
kevinfu () umich edu, http://spqr.eecs.umich.edu/, 616-594-0385

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.71
************************


  By Date           By Thread  

Current thread:
  • Risks Digest 27.71 RISKS List Owner (Jan 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]