mailing list archives
Risks Digest 27.72
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 27 Jan 2014 15:53:54 PST
RISKS-LIST: Risks-Forum Digest Monday 27 January 2014 Volume 27 : Issue 72
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at
Signal Failure at Grand Central (Peter Wild)
NEWS FLASH: Alarms are distracting! Turing off alarms is a priority!
(Richard Irvin Cook)
Hackers Steal Law Enforcement Inquiry Documents from Microsoft
Gmail glitches down worldwide; Hotmail hitches (Etherington/Perez)
Stolen Laptops (Laura Corriss)
Converting Google Chrome into a Bugging Device by exploiting Speech
Recognition feature - The Hacker News (David Farber)
"Google dismisses eavesdropping threat in Chrome" (Keremy Kirk
via Gene Wirchenko)
How Google Calendar can tip off your boss that you want a raise (Dan Goodin
via Monty Solomon)
Proofpoint Uncovers Internet of Things Cyberattack (Jim Reisert)
Apple.com does more to protect your password ... (Dan Goodin via
Snapchat's new "security" feature holds up about as long
as a double cheeseburger (Lauren Weinstein)
BYOD? Leaving a Job Can Mean Losing Pictures of Grandma (Lauren Weber
You don't want your privacy: Disney and the meat space data race
(John Foreman via Monty Solomon)
Re: Risks-27.71: Medical "scribes" ease doctor's data entry burden
Re: Software licensing as information leak (Dimitri Maziuk)
Name-collision risks (Burt Kaliski)
2nd Neuro-Inspired Computational Elements Workshop (Murat Okandan)
Abridged info on RISKS (comp.risks)
Date: Fri, 24 Jan 2014 14:30:27 -0500
From: "Peter.Wild () sbcglobal net" <peter.wild () sbcglobal net>
Subject: Signal Failure at Grand Central
causes 2-hour disruption; one power supply shut down for replacement; the
other had a disconnected wire
[As I say to a few close confidants that, as an auditor, I am grateful
that my clients continue to make the same mistakes - because that is what
keeps me relevant!!!]
I thought that you might like to include the item below, the event happened
at Grand Central station in New York City last night. What is does not talk
about are the stampedes that happened when trains started running, it was
- - - -
An Explanation & Apology for Last Evening's (Thursday, 23 Jan 2014)
System-Wide Disruption of Service
The two-hour disruption in service you experienced last evening traced to
human error during an electrical repair project.
The computers that run the railroad's signal system lost reliable power at
7:45 PM when one of two main power supply units was taken out of service for
replacement. Technicians performing the work did not realize that a wire was
disconnected on the other main power supply unit. This destabilized the
power supply system for more than an hour until a backup supply could be
At the time this incident occurred, there were more than 50 trains at
various locations on all three lines. While the cause of this power problem
was being identified and repairs were being made, Rail Traffic Controllers
immediately took the safest course of action. They instructed all train
engineers, via radio, to bring their trains to the nearest station. This had
to be done slowly, train-by-train, to ensure everyone's safety. Trains were
not allowed to proceed through switches until signal maintainers could
respond and manually ensure the switches were lined up correctly. All
trains had light, heat and power during the disruption, and no customers
were ever in danger. Customers were able to get off trains when they reached
Repairs were made by 9 PM. Once repairs were made, the computers needed to
reboot before we could begin running trains again. Trains began moving
again by 9:30 PM. Full control over the signal system was re-established by
10:30 PM. Significant delays continued throughout the evening hours. This
project should have been analyzed for risks and redundancy before it began,
and it should have been performed in the middle of the night over a weekend,
not when thousands of customers were trying to get home in cold weather.
While this specific incident has been addressed and an internal review is
underway, we are also bringing in an independent consultant to examine how
and why these mistakes were made, and to recommend any necessary changes to
operating procedures and practices.
Metro-North customers deserve better. We sincerely regret this incident and
apologize for the inconvenience our customers experienced.
Peter Wild, Mobile (203) 722 9453
Date: Mon, 27 Jan 2014 12:45:34 +0000
From: Richard Irvin Cook <rcook () kth se>
Subject: NEWS FLASH: Alarms are distracting! Turing off alarms is a priority!
Silencing Many Hospital Alarms Leads To Better Health Care
Richard I Cook, MD, Professor of Healthcare System Safety, STH, KTH,
Huddinge, SWEDEN +46 70 190 42 16 www.ctlab.org<http://www.ctlab.org>
[The Foresight Saga once again: An ounce of prevention is worth nothing
at all, because it would pound healthcare into oblivion? PGN]
Date: Sat, 25 Jan 2014 08:44:58 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Hackers Steal Law Enforcement Inquiry Documents from Microsoft
Targeted attacks like this are not uncommon, especially for an
organization like Microsoft. What's interesting about this is that the
incident was significant enough to disclose, indicating that a fair number
of documents could have been exposed, or that the company fears some
documents will make their way to the public if released by the attackers
-- which may be the case if this was a `hacktivist' attack. ``In terms of
the cyberattack, we continue to further strengthen our security. This
includes ongoing employee education and guidance activities, additional
reviews of technologies in place to manage social media properties, and
process improvements based on the findings of our internal investigation."
(Adrienne Hall, General Manager of Microsoft's Trustworthy Computing Group)
[Source: Mike Lennon, Security Week, 24 Jan 2014; via NNSquad, PGN-ed]
Date: Fri, 24 Jan 2014 15:18:40 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Gmail glitches, Hotmail hitches
Darrell Etherington, Gmail and Google+ go down across the world, service
returns after roughly 50 minutes, TechCrunch
Sarah Perez, Glitch is causing thousands of e-mails to be sent to one man's
Hotmail account, TechCrunch
Date: Sat, 25 Jan 2014 13:51:34 -0500
From: Laura Corriss <lcorriss () earthlink net>
Subject: Stolen Laptops
[From Steve Greenwald's Greenwald-INFOSEC]
Okay, here we go again. Gee, Coke just announced that "employee data was
exposed". How? Stolen laptops. Wow! Who would have guessed it?
How is this still happening?
Actually, I know. Last May the laptop belonging to the head of Human
Resources at my place of employment was stolen (but not reported to us peons
(otherwise know as the organization's employees) until late December). A
couple of weeks ago the university's executive committee announced that that
same HR department head was promoted to Vice President, making HR a separate
division. And nothing else has been said about the matter. There has been
no response to the numerous e-mails and complaints that have been made (many
by me, and I haven't given up).
Apparently, the people running the university see that this problem is
prevent (after all, it's happening to large financial institutions, fortune
500 companies, even the government) so evidently there is nothing they can
do about it.
Maybe the focus of all the security experts on this list (and everywhere
else) should be to start an information campaign to tell them that, yes,
there are things that can be done and here's a list of what to do.
Research is important. Figuring out how to stay ahead (or even get close
to) of the hackers, thieves, insiders (i.e. the "bad guys") is important.
Discussing what is and isn't working is important.
But, what is even more important is getting the information out there,
beyond just the IT department (assuming that they have a clue). We might
not be able to prevent stolen laptops, but we certainly can make sure that
the resulting problems are mitigated.
My approach is to get the attention of the HR department head and the CIO
and outline for them exactly what can be done to protect this from happening
again (and to protect the reputation of the university). I will bring in
anyone and everyone who can and is willing to help me.
I think this list should start publishing a public blog addressing these
issues. All of you have connections and all of you have credentials that
should make people, including executives, listen and pay attention.
Protecting data on stolen laptops might be a good place to start.
Anyone agree? Anyone interested? Does anyone have a better suggestion?
Because every time something like this happens, it makes the security
community look inconsequential and incompetent.
Date: Thu, 23 Jan 2014 18:00:40 -0500
From: David Farber <dfarber () me com>
Subject: Converting Google Chrome into a Bugging Device by exploiting Speech
Recognition feature - The Hacker News
Date: Fri, 24 Jan 2014 14:39:40 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Google dismisses eavesdropping threat in Chrome" Keremy Kirk)
Jeremy Kirk, InfoWorld, 23 Jan 2014 Chrome can access a computer's
microphone after a person thinks a speech recognition feature is off, says
Google said there's no threat from a speech recognition feature in its
Chrome browser that a developer said could be used to listen in on users.
But Ater found that Chrome remembers if a person granted permission to a
site that uses HTTPS, a security feature that encrypts communication between
a client and a server. It will allow sites using HTTPS to start listening in
the future without asking for permission again.
The attack doesn't work if permission isn't granted to enable speech
Date: Mon, 27 Jan 2014 02:55:57 -0500
From: Monty Solomon <monty () roscom com>
Subject: How Google Calendar can tip off your boss that you want a raise
Dan Goodin, Ars Technica, 23 Jan 2014
Potential privacy leak "feature" continues to take some users by surprise.
It's a feature that has bitten Google Calendar users in the past, but it's
worth a reminder: in some cases, the widely used service may unexpectedly
leak sensitive information to bosses, spouses, or just about anyone else.
The inadvertent leakage stems from Google Calendar's quick add feature,
which is designed to automatically add the who, what, and where to events
without requiring a user to manually enter those details. Typing "Brunch
with Mom at Java 11am Sunday" is intended to schedule the event for the
following Sunday morning at 11 and list the place as "Java." Participants
can be added by listing their e-mail addresses, and in many cases, Google
will respond by automatically adding an entry to the participants' calendar
Google heavily promoted this time-saving feature during the rollout of its
mail and calendar services. But as documented as early as 2010, the behavior
can also result in the leakage of private information for people who are
unaware of it. Alas, almost four years later, it's still catching some
people by surprise. Blogger Terence Eden explained how an entry his wife put
in her personal Google Calendar made its way to her boss. It read: "e-mail
[boss's address] to discuss pay rise" and included a date a few months in
the future. The boss quickly received the reminder as an entry in her own
Google Calendar. [...]
Date: Thu, 23 Jan 2014 19:14:38 -0700
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Proofpoint Uncovers Internet of Things Cyberattack (Re: R 27 71)
More than 750,000 Phishing and SPAM e-mails Launched from "Thingbots"
Including Televisions, Fridge [PGN-ed]
SUNNYVALE, Calif. January 16, 2014. Proofpoint, Inc., a leading
security-as-a-service provider, has uncovered what may be the first proven
Internet of Things (IoT)-based cyberattack involving conventional household
"smart" appliances. The global attack campaign involved more than 750,000
malicious e=mail communications coming from more than 100,000 everyday
consumer gadgets such as home-networking routers, connected multi-media
centers, televisions and at least one refrigerator that had been compromised
and used as a platform to launch attacks. As the number of such connected
devices is expected to grow to more than four times the number of connected
computers in the next few years according to media reports, proof of an
IoT-based attack has significant security implications for device owners and
Enterprise targets. [...]
"Bot-nets are already a major security concern and the emergence of
thingbots may make the situation much worse" said David Knight, General
Manager of Proofpoint's Information Security division. "Many of these
devices are poorly protected at best and consumers have virtually no way to
detect or fix infections when they do occur. Enterprises may find
distributed attacks increasing as more and more of these devices come
on-line and attackers find additional ways to exploit them."
Date: Mon, 27 Jan 2014 02:51:51 -0500
From: Monty Solomon <monty () roscom com>
Subject: Apple.com does more to protect your password ... (Dan Goodin)
Dan Goodin, Ars Technica, 24 Jan 2014
Apple.com does more to protect your password, study of top 100 sites finds
Which sites allow "123456"?
Study names/shames the best/worst password policies.
Apple, Microsoft, Chegg, Newegg, and Target do the best job of safeguarding
customer passwords, according to a comprehensive study of the top 100
e-commerce websites that also ranked Major League Baseball, Karmaloop,
Dick's Sporting Goods, Toys R Us, and Aeropostale as performing the worst.
Apple.com was the only site to receive a perfect score of 100, which was
based on 24 criteria, such as whether the site accepts "123456" and other
extremely weak passwords and whether it sends passwords in plaintext by
e-mail. Microsoft and academic supplier Chegg tied for second place with 65,
while Newegg and Target came in third with 60. By contrast, MLB received a
score of -75, Karmaloop a -70, Dick's Sporting Goods a -65, and Aeropostale
and Toys R US each got a -60. Each site was awarded or deducted points
based on each criterion, leading to a possible score from -100 and 100. The
study was conducted by researchers from password manager Dashlane based on
the password policies in effect on the top 100 e-commerce sites from January
17 through January 22. [...]
Date: Thu, 23 Jan 2014 09:45:20 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Snapchat's new "security" feature holds up about as long
as a double cheeseburger
http://j.mp/1aME2Xu (Steve's Computer Vision Blog via NNSquad)
"With very little effort, my code was able to "find the ghost" in the
above example with 100% accuracy. I'm not saying it is perfect, far from
it. I'm just saying that if it takes someone less than an hour to train a
computer to break an example of your human verification system, you are
doing something wrong. There are a ton of ways to do this using computer
vision, all of them quick and effective. It's a numbers game with
computers and Snapchat's verification system is losing."
- - -
The problem is that Snapchat is demonstrating that they don't really care
about security at all. They're hardly even going through the motions.
[See also 4.6 million Snapchat phone numbers and usernames leaked
(RISKS-27.68) and other items in RISKS-27.69. PGN]
Date: Mon, 27 Jan 2014 01:23:00 -0500
From: Monty Solomon <monty () roscom com>
Subject: BYOD? Leaving a Job Can Mean Losing Pictures of Grandma (Lauren Weber)
Lauren Weber, *Wall Street Journal*, 21 Jan 2014
Some Companies Wipe Workers' Personal Cellphones Clean After They Leave
In early October, Michael Irvin stood up to leave a New York City restaurant
when he glanced at his iPhone and noticed it was powering off. When he
turned it back on again, all of his information-email programs, contacts,
family photos, apps and music he had downloaded-had vanished.
The phone looked "like it came straight from the factory," said Mr. Irvin,
an independent health-care consultant.
It wasn't a malfunction. The device had been wiped clean by AlphaCare of New
York, the client he had been working for full-time since April. Mr. Irvin
received an email from his AlphaCare address that day confirming the phone
had been remotely erased. [...]
Date: Mon, 27 Jan 2014 00:42:00 -0500
From: Monty Solomon <monty () roscom com>
Subject: You don't want your privacy: Disney and the meat space data race
John Foreman, MailChimp, 18 Jan 2014
MailChimp Chief Data Scientist is at Disney World this weekend wearing his
RFID-equipped MagicBand. Here's how he thinks the practice of digitally
tracking consumers in the physical world will reach everywhere from theme
parks to our homes.
Date: Fri, 24 Jan 2014 13:43:53 -0500
From: David Lesher <wb8foz () panix com>
Subject: Re: Risks-27.71: Medical "scribes" ease doctor's data entry burden
... Instead, electronic health records have become a disease in need of a
cure, as physicians do their best to diagnose and treat patients while
continuously feeding the data-hungry computer.
Was this not entirely predictable? The whole EMR charade was hyped as being
the penultimate solution to everything wrong with healthcare in the United
But what EMR use was really doing was taking the #1 critical resource choke
point, the work time of the MD, and instead of optimizing it, demanding
[s]he spend time on clerical work best done by someone less skilled, less
trained, and far far less expensive per minute.
[The MD time touches another medical issue, infection control. Yes, if they
thoroughly scrubbed between each patient visit as they do rounds, it would
reduce infection spread. But where will that scrub time come from; what else
To me, the whole EMR euphoria harks back to the promises re: how electronic
voting machines were going to err solve all our election problems. The
common thread: The Hill dumped lots of money onto a problem, without really
looking at what the solution would be. It's rather like the Cardassian legal
system: Sentence First, Verdict Later; but here it's "Money First, Thinking
Date: Fri, 24 Jan 2014 09:57:48 -0600
From: Dimitri Maziuk <dmaziuk () bmrb wisc edu>
Subject: Re: Software licensing as information leak (Levy, RISKS-27.71)
On Fri, 10 Jan 2014 Stuart Levy wrote:
... The design is for enterprise system administrators to be able to
track *all* software installed on *any* monitored machine -- and select
some subset of packages as "interesting". Interesting software can be
usage-tracked, and optionally flagged as being under a variety of kinds of
license control ... and monitored ...
The flip side: a scientist working on NMR spectra is using several (of many)
software packages to combine multiple spectra, FFT them, identify regions of
interest, clean up the noise, and so on and so forth. A lot of it is manual
and is driven by the scientist's expertise. The end result is often the 3D
structure of the studied molecule that yields insight into its biological
function and leads to new drugs etc.
The problem is reproducibility: in order to get from the original raw data
to the same exact final result, potentially you need to not only use the
same software but also the exact versions and retrace the exact sequence of
steps. Or not -- but as long we can do that, we can't prove otherwise or run
any software comparison studies.
So yeah, we want to know not only what software you're using but also what
you did with it in exact detail. Otherwise we can have one study claim that
zinc kills common cold virus and another: that it kills small furry kittens,
and no way to reproduce either result.
(I expect NMR is not the only field where this exists, it's the one I'm
Date: Thu, 23 Jan 2014 15:05:46 +0000
From: "Kaliski, Burt" <bkaliski () verisign com>
Subject: Name-collision risks
As I've just noted on my Verisign blog today, we're organizing a workshop in
March 2014 on the risks of "name collisions" in the Domain Name System - a
major topic in the ICANN community of late:
I thought you might find this of interest in your ongoing effort to collect
and analyze computer system risks. I've enjoyed following your commentary
over the years, from my early days in cryptography and security.
The risk is not well known outside the Domain Name System community, and
we're looking for ways to get more of industry informed and engaged.
The workshop is open to the public. Papers will be selected by the
technical program committee. In addition, the top papers will receive
awards of up to $50,000.
Burt Kaliski Jr., Senior Vice President and CTO, bkaliski () Verisign com
m: 571-528-2679 t: 703-948-4664 12061 Bluemont Way, Reston, VA 20190
Date: Mon, 27 Jan 2014 10:07:59 -0800
From: Murat Okandan <mokanda () sandia gov>
Subject: 2nd Neuro-Inspired Computational Elements Workshop
Sandia National Laboratories and DARPA will be hosting the 2nd annual
Neuro-Inspired Computational Elements Workshop (NICE 2014), 24-26 Feb 2014
Objective: The focus of this workshop is the creation of next generation of
information processing/computation architectures beyond stored program
architecture and Moore's Law limits.
Goal: Bring together researchers from different scientific disciplines and
applications areas that are converging towards a new computational /
information processing approach, determine potential pathways, identify
applications that would have immediate benefit, and pursue resources to
accelerate activity in those areas.
A list of confirmed speakers is available at the event web site.
Registration: Cost for the workshop is $150.
Event website: http://nice.sandia.gov_
Contact: Murat Okandan <mokanda () sandia gov>, Ph.D., Chair, 1-505-284-6624
Event Organization Linda Wood <llwood () sandia gov1>, 1-505-284-8404
Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-request () csl sri com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
End of RISKS-FORUM Digest 27.72
- Risks Digest 27.72 RISKS List Owner (Jan 28)