Risks Digest 28.04
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 24 Jun 2014 11:20:18 PDT

RISKS-LIST: Risks-Forum Digest  Tuesday 24 June 2014  Volume 28 : Issue 04

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.04.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Bloomberg News index of stories on health RISKS (Ed Ravin)
Badly engineered missile defense systems deployed ``because there was a
  rush'' (Gabe Goldberg)
Various aircraft disappeared from controllers' purview (Reuters via PGN)
Pervasive drone failures (Craig Whitlock via PGN)
Is There a Crisis in Computer-Science Education? (Jonah Newman)
Shortage of Cybersecurity Professionals: Risk to National Security (PhysOrg)
Hong Kong electronic voting system cyber-attacked (SCMP via
  Lauren Weinstein, Gordon Peterson via Dave Farber)
Wrong e-mail address: 35,000 student records misaddressed (danny burstein)
London transport authority acknowledges contactless technology risk (Wm)
"Murder in the Amazon cloud" (Paul Venezia via Gene Wirchenko)
PKI Compromised on Blackberry 9900 Series Devices (Alan Boritz)
Poorly anonymized logs reveal NYC cab drivers' detailed whereabouts
  (Ars Technica via Lauren Weinstein)
Stingrays nab cellular activities (dan farmer)
Free Wi-Fi from Xfinity and AT&T also frees you to be hacked
  (Sean Gallagher via Henry Baker)
Hong Kong electronic voting system cyber-attacked (Christian Huitema via
  Dave Farber)
Bank online banking garbles outgoing payments (danny burstein)
Re: Trouble with firefox updates (Joe Durusau)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 21 Jun 2014 13:29:03 -0400
From: Ed Ravin <eravin () panix com>
Subject: Bloomberg News index of stories on health RISKS

Bloomberg News has a nice index page of stories about hacking pacemakers and
insulin pumps, electronic health records privacy/security issues, and so on.
There's also articles on "Who's buying medical records" and one on deaths
blamed on electronic health record systems.  In short, it reads like a RISKS
digest special issue on computers and health care:

  http://topics.bloomberg.com/putting-patient-privacy-at-risk/

One interesting thing noted from the article "UnitedHealth recalls Digital
Health Record Software" -- medical devices that have software bugs that kill
people have to be reported to the FDA, but health record software that has
bugs that can kill people doesn't.

And special mention for the graphic on re-identifying allegedly anonymous
medical records:

  http://www.bloomberg.com/infographics/2013-06-05/reidentifying-anonymous-medical-records.html

------------------------------

Date: Thu, 19 Jun 2014 22:32:45 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Badly engineered missile defense systems deployed ``because
 there was a rush''

A *Los Angeles Times* investigation found that many former and current
Pentagon officials familiar with the U.S. missile defense program consider
it a failed program. The U.S. Missile Defense Agency (MDA), tasked with
developing and testing missile defense systems, has spent over $40 billion
to develop the Ground-based Midcourse Defense system (GMD), a system many
industry observers call unreliable and requiring complete redesign.

http://www.homelandsecuritynewswire.com/dr20140618-badly-engineered-missile-defense-systems-deployed-because-there-was-a-rush

------------------------------

Date: Fri, 20 Jun 2014 14:38:58 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Various aircraft disappeared from controllers' purview

Source: Reuters, *The Guardian*, 14 Jun 2014 (Thanks to Peter Ladkin;
  slightly PGN-ed)

Dozens of aircraft briefly vanished from air-traffic control radars in
Austria, Germany, the Czech Republic and Slovakia over the last two weeks in
incidents that Slovak authorities blamed on military electronic warfare
exercises.  Air-traffic controllers in Austria and Germany said data about
the planes -- position, direction, height or speed -- went missing on 5 and
10 June 2014, but the outages posed no serious danger. Their Czech and
Slovak counterparts also encountered cases of vanishing aircraft on the same
days.

The disappearance of objects on radar screens was connected with a planned
military exercise that took place in various parts of Europe, whose goal was
the interruption of radio communication frequencies, according to the Slovak
air traffic services.  ``Immediately after the identification of the problem
with the displays, the side organising the exercises was contacted and the
exercise was stopped.''  It did not identify the military force, but
Austrian media said it was NATO.  NATO declined to comment.

------------------------------

Date: Fri, 20 Jun 2014 14:38:58 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Pervasive drone failures (Craig Whitlock)

Craig Whitlock, *The Washington Post*, 20 Jun 2014 [PGN-ed]
More than 400 drones have crashed since 2011, due to mechanical breakdowns,
human error, bad weather, and other reasons.  The cited report is certainly
a warning for future private drones.
http://www.washingtonpost.com/sf/investigative/2014/06/20/when-drones-fall-from-the-sky/?hpid=z1

------------------------------

Date: Mon, 23 Jun 2014 11:41:01 -0400 (EDT)
From: "ACM TechNews" <technews () hq acm org>
Subject: Is There a Crisis in Computer-Science Education?

Is There a Crisis in Computer-Science Education?
The Chronicle of Higher Education (06/23/14) Jonah Newman
via ACM TechNews, Monday, June 30, 2014

Mother Jones editor Tasneem Raja recently wrote a report on computer science
education trends in the United States and found the country graduated
proportionally fewer computer science majors in 2011-12 than in 1985-86.  In
1985-86, 4.3 percent of college graduates received computer science degrees,
compared to just 2.6 percent of graduates in 2011-12.  However, the report
also found a steady fluctuation in interest among undergraduates and
graduates in computer science.  For example, in the 1970s and 1980s, many
elementary, middle, and high schools taught computer science programming to
students, according to University of Oregon professor Joanna Goode.
However, "as the PC revolution took place, the introduction to the CD-ROMs
and other prepackaged software, and then the Internet, changed the typical
school curriculum from a programming approach to a 'computer literacy'
skill-building course about 'how to use the computer,'" Goode says.  In
addition, fluctuations in college-degree attainment are often connected to
changes in the job market in certain industries.  The peak in computer
science degrees came in 1985, about four years after the introduction of
IBM's first personal computer and the Apple II.  Similarly, a second wave of
computer science graduates came in the early 2000s, about four years after
the dot-com bubble.  The latest data indicates the U.S. currently is in the
middle of another rise in interest in computer science at the college level,
according to Raja.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-ba53x2b4a5x060127&

------------------------------

Date: Mon, 23 Jun 2014 11:41:01 -0400 (EDT)
From: "ACM TechNews" <technews () hq acm org>
Subject: Shortage of Cybersecurity Professionals: Risk to National Security

Shortage of Cybersecurity Professionals Poses Risk to National Security
PhysOrg.com (18 Jun 2014) via ACM TechNews, Monday, June 30, 2014

The nationwide shortage of cybersecurity professionals is posing risks for
national and homeland security, according to a new RAND Corporation study.
The demand for trained cybersecurity professionals is particularly severe in
the federal government, which offers lower salaries than the public sector.
"As cyberattacks have increased and there is increased awareness of
vulnerabilities, there is more demand for the professionals who can stop
such attacks," says RAND scientist and lead study author Martin Libicki.
"But educating, recruiting, training, and hiring these cybersecurity
professionals takes time."  Libicki says the demand for cybersecurity
professionals began to overtake supply in 2007, largely due to increased
reports of large-scale hacking attacks.  The manpower shortage is primarily
at the high end of the capability scale, where cybersecurity professionals
command salaries of more than $200,000 to $250,000, according to Libicki.
Many organizations are trying to deal with the shortage by focusing on
internal promotion and educational efforts.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-ba53x2b4a7x060127&

------------------------------

Date: June 19, 2014 at 12:54:09 AM EDT
From: Lauren Weinstein <lauren () vortex com>
Subject: Hong Kong electronic voting system cyber-attacked

  (South China Morning Post via NNSquad)
  http://www.scmp.com/news/hong-kong/article/1535654/referendum-organisers-extend-poll-after-cyberattacks-electronic

  Organizers of Occupy Central say they will extend voting on electoral
  reform from three days to 10 days after its electronic system was targeted
  by hackers.  The system, set up to accept advance registrations, has been
  hit by more than 10 billion cyberattacks since it was launched last week.

As Gomer Pyle used to say, "Surprise, surprise, surprise!"

------------------------------

Date: Jun 19, 2014 2:13 PM
From: "Gordon Peterson" <gep2 () terabites com>
Subject: Re: Hong Kong electronic voting system cyber-attacked

   [Via Dave Farber's ip]

The FATAL flaw of online voting systems (and one for which there is *no*
technological solution whatsoever) isn't DDoS, identification, or
communications security.  It's very simply that there is *no* way to ensure
that the voter isn't voting under duress... with a gun held to their head
(figuratively, or even literally).  No way to be sure there isn't someone
watching over their shoulder to make sure they're voting the "right" way.
No way to make sure the voter isn't selling their vote (drugs, sex, alcohol,
money...).  Anyone in a position of power over the voter.  Employer,
landlord, union shop steward, nursing home attendant, parent, health care
giver, social worker, gang lord, .... could be almost anybody.

We *must* not allow online voting, or even generalized mail-in balloting,
for that reason.

  [That is hardly the ONLY FATAL FLAW.  The entire concept is fundamentally
  fatally flawed, given the total lack of trustworthiness throughout the
  entire process.  This is the ultimate Whack-a-Mole game, and Gordon is
  DRAMATICALLY oversimplifying.  PGN]

------------------------------

Date: Tue, 17 Jun 2014 21:11:03 -0400 (EDT)
From: danny burstein <dannyb () panix com>
Subject: Wrong e-mail address: 35,000 student records misaddressed

  [Press Enterprise, California]

Confidential records for 35,212 Riverside Community College District
students were mistakenly e-mailed to an unknown account in a security breach,
officials said Monday, June 16.

Students were being notified that some of their confidential information --
including Social Security numbers, birth dates, addresses and phone numbers
-- may be at risk.  ...

The employee used a personal e-mail account to send the data to the
researcher's personal e-mail address because the data file was too large to
go through the district's secure, encrypted e-mail server, district Interim
Chancellor Irving Hendrick said. The employee incorrectly typed the address,
he said.

The data contains students' names, addresses, birth dates, student e-mail
addresses, preferred telephone numbers, some academic records, student ID
numbers and Social Security numbers for 97 percent of students, district
officials said.

rest:
http://blog.pe.com/colleges-universities/2014/06/16/colleges-rcc-moreno-valley-norco-students-data-breached/

------------------------------

Date: Wed, 18 Jun 2014 19:41:13 +0100
From: Wm <tcnw81 () tarrcity demon co uk>
Subject: London transport authority acknowledges contactless technology risk

How many organisations have warned users of their cards about the risks vs
how many have been discovered and reported?

I was checking the balance on my Oyster card [1] on-line and noticed this:

http://tfl.gov.uk/fares-and-payments/oyster/using-oyster/card-clash

 = = = =

Card clash

Keeping your Oyster card in your wallet or purse with other cards could
cause card clash.

If you keep your Oyster card in your wallet or purse with your bank cards,
you might occasionally see a red light when you touch it on a card reader at
stations and on buses. The red light means you haven't paid for your journey
and if you are at a ticket gate, it may not open.  This can happen even if
you've got enough pay as you go credit or a valid Travelcard on your Oyster
card because you could be experiencing 'card clash'.

Many cards are now issued with contactless technology - the same as Oyster
cards:

* Most bank, credit and charge card companies are issuing new cards
  ready for contactless payments
* Many companies, educational establishments now issue contactless
  cards for cashless catering or as building entry passes

If you touch your Oyster card on a yellow card reader when it's in the same
wallet or purse as another contactless card, the reader may detect more than
one card. When this happens, the card reader doesn't know which one to read
so rejects them and you could experience any of the following:

* The ticket gate does not open.

* You get a red light when you touch in on a yellow card reader on a bus,
  ticket gate or free-standing yellow card reader.

* On buses, where contactless payment cards are accepted, your fare could be
  charged to a card that you did not intend to pay with.

To avoid card clash:

* Don't touch a wallet or purse with multiple cards on the yellow card
  reader.

* Keep your Oyster card separate from your contactless payment cards - only
  touch the card you want to use on the reader when touching in and out.

Later in 2014, when contactless payment cards are accepted for travel on
Tube, tram, DLR, London Overground and most National Rail services in
London, one of the following could also happen:

* Your fare could be charged to a card you didn't intend to pay with.

* You could be charged two maximum fares if the card reader reads one card
  when you touch in at the start of your journey and a different card at the
  end when you touch out.

* Remember to separate your Oyster card from other contactless cards when
  touching in and out.

[1] Oyster is a plastic smartcard which can hold pay as you go credit,
Travelcards and Bus & Tram season tickets. You can use an Oyster card to
travel on bus, Tube, tram, DLR, London Overground and most National Rail
services in London.

------------------------------

Date: Mon, 23 Jun 2014 19:19:26 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Murder in the Amazon cloud" (Paul Venezia)

Paul Venezia, InfoWorld, 23 Jun 2014
The demise of Code Spaces at the hands of an attacker shows that, in
the cloud, off-site backups and separation of services could be key to survival
http://www.infoworld.com/d/data-center/murder-in-the-amazon-cloud-244705

------------------------------

Date: Fri, 20 Jun 2014 18:33:00 -0400
From: "Alan Boritz" <alanb () bigtowers net>
Subject: PKI Compromised on Blackberry 9900 Series Devices

This might not come as a surprise to what's left of traditional Blackberry
device users, but it appears that the 9900 and 9930 Blackberry devices do
not have a fully functional PKI security environment "out of the box." I
first discovered this when testing Steve Gibson's "revoked" web site
(https://revoked.grc.com). I opened up a trouble ticket at Research in
Motion through T-Mobile and after an hour on the phone with a RIM tech
support person, finally got him to understand that a web site security
certificate that has been revoked should NOT show "stale chain status" and
"implicitly trusted." I also convinced him that a legitimate secure web site
(in this case www.chase.com) should NOT display the same status as one with
a deliberately revoked security certificate. The implications of a
completely insecure web browser (in this case RIM's) are only the tip of the
iceberg with this particular device, since Blackberry Enterprise Server
(BES), and the less often used Blackberry Desktop Redirector, both use an
exchange of keys to implement point-to-point Triple-DES encryption.

The suspicious aspect of this security breach is that two models of
Blackberry devices from two different wireless carriers, and potentially
different parts of the world, have been compromised. I own both a Verizon
9930 and a T-Mobile 9900 (US frequencies, but may have originated out of the
US), and after wiping and re-initializing with both factory defaults
Apploader reformat, IT policies wiped (only one had one previously), both
devices show the exact same "stale chain status" and "implicitly trusted"
status for about half the root certificates in the devices.

For Steve's "revoked" web site, the Blackberry devices consistently show
"stale chain status," "unknown chain status," revocation status reads
"unknown," and trust status reads "implicitly trusted." But I also see the
same status message for "https://mobilebanking.chase.com" and
"https://www.google.com".

RIM has published many papers on how PKI security works with their devices
and BES products, and I thought that the certificate synch, OCSP, and CRL
functions were pretty good. As of this moment, although the desktop
certificate sync sort of works (only adds, won't delete), nothing else
does. Both the desktop and devices ignore the OCSP and CRL URLs, and none
are sync'ing into any device or from the device to the desktop. Even if
I enter the OCSP and CRL URLs directly in the devices, the devices are not
reaching out to any of them.

The last RIM customer service person was trying to prompt me through
manually "trusting" the questionable certificates (including a revoked
certificate), and tried to convince me that this is how security is supposed
to work on Blackberry devices. I asked him if he had heard about the
Heartbleed bug, and how secure web site operators were revoking their
security certificates so that people surfing the web couldn't be tricked
into viewing a fraudulent site using one of the old certificates (now
revoked), but he wasn't getting it. RIM insists that "unknown chain status"
doesn't mean a secure connection isn't secure, since the device is always
supposed to load any web page I select. I asked the RIM tech how can a
connection be "secure" if the device couldn't validate the certificate? He
wouldn't answer. I asked the RIM tech how can a Blackberry device on a
Blackberry Enterprise Server (BES) detect if it's reaching a bogus BES
system, and he wouldn't answer that, either.

Previously, after I brought this to RIM's attention, all they did was to
attempt to quickly close out the trouble ticket and record it as "closed,"
whether I responded or not. Each time, they close the ticket quicker. This
time the RIM tech refused to escalate the problem to anyone, just insisted
this is the way the device is supposed to work and that's it.

It's obvious at this point that the PKI system compromise was intentional,
and that RIM has no intention of changing it. It's also obvious that if
Blackberry devices can't detect deliberately revoked security certificates,
and the devices have been rigged to NOT warn users when their devices cannot
determine the validity of any certificate, I have to wonder whether or not
the devices could detect a bogus Blackberry Enterprise Server at the other
end of a secure channel.
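The status strings Alan quotes ("stale chain status", "unknown chain status", "implicitly trusted") are the visible output of a revocation check that either never ran or was allowed to fail open. As an added example, not RIM's code and not from the post, here is a simplified model of chain validation with CRL-based revocation checking, so the difference between a hard-fail and a soft-fail policy can be seen side by side: under soft-fail, a client that cannot reach its CRL or OCSP source reports every certificate, revoked or not, as "implicitly trusted". The CA names, serial numbers and dates are constructed; no ASN.1 parsing or signature verification is modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Simplified model of X.509 chain checking with CRL-based revocation.
# All names, serials and dates are constructed for this example.


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int


@dataclass
class CRL:
    issuer: str
    revoked: frozenset        # serial numbers this issuer has revoked
    this_update: datetime
    next_update: datetime     # after this the CRL is stale and must be refetched


GOOD, REVOKED, STALE, UNKNOWN = "good", "revoked", "stale", "unknown"


def revocation_status(cert, crls, now):
    """Status of one certificate against the CRLs that were actually fetched.
    `crls` maps issuer name -> CRL; a missing entry means the fetch failed or
    was never attempted (the situation Alan describes)."""
    crl = crls.get(cert.issuer)
    if crl is None:
        return UNKNOWN                 # no CRL/OCSP answer: we simply don't know
    if cert.serial in crl.revoked:
        return REVOKED                 # listed as revoked, stale or not
    if now > crl.next_update:
        return STALE                   # expired CRL: newer revocations are invisible
    return GOOD


def validate_chain(chain, trusted_roots, crls, now, hard_fail=True):
    """`chain` is leaf-first and ends in a self-signed root.
    Returns (verdict, per-certificate revocation statuses, root excluded).
    With hard_fail=False an unknown or stale status is waved through, which is
    exactly the "implicitly trusted" behaviour the post complains about."""
    root = chain[-1]
    if root.subject not in trusted_roots or root.issuer != root.subject:
        return "untrusted: unknown root", []
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return "untrusted: broken chain", []
    statuses = [revocation_status(c, crls, now) for c in chain[:-1]]
    if REVOKED in statuses:
        return "untrusted: revoked", statuses
    if all(s == GOOD for s in statuses):
        return "trusted", statuses
    verdict = "untrusted: revocation unknown" if hard_fail else "implicitly trusted"
    return verdict, statuses


# Constructed test data (hypothetical CA names and serials).
NOW = datetime(2014, 6, 20, 12, 0)
ROOT = Cert("Example Root CA", "Example Root CA", 1)
INTER = Cert("Example Issuing CA", "Example Root CA", 2)
LEAF_REVOKED = Cert("revoked.example", "Example Issuing CA", 0x1002)
LEAF_OK = Cert("bank.example", "Example Issuing CA", 0x1003)
TRUSTED_ROOTS = {"Example Root CA"}

FRESH_CRLS = {
    "Example Root CA": CRL("Example Root CA", frozenset(),
                           NOW - timedelta(days=1), NOW + timedelta(days=6)),
    "Example Issuing CA": CRL("Example Issuing CA", frozenset({0x1002}),
                              NOW - timedelta(hours=1), NOW + timedelta(days=1)),
}
# Same CRLs, but the device never refreshed the issuing CA's copy.
STALE_CRLS = dict(FRESH_CRLS)
STALE_CRLS["Example Issuing CA"] = CRL("Example Issuing CA", frozenset({0x1002}),
                                       NOW - timedelta(days=30), NOW - timedelta(days=20))

if __name__ == "__main__":
    for leaf in (LEAF_OK, LEAF_REVOKED):
        for label, crls in (("fresh", FRESH_CRLS), ("stale", STALE_CRLS), ("none", {})):
            for hard in (True, False):
                print(leaf.subject, label, "hard" if hard else "soft",
                      validate_chain([leaf, INTER, ROOT], TRUSTED_ROOTS, crls, NOW, hard))
```

Running it prints one verdict per combination; the rows worth comparing are the "none" and "stale" cases, where the hard-fail policy refuses to call the connection secure and the soft-fail policy trusts whatever it was handed.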

------------------------------

Date: Mon, 23 Jun 2014 15:19:03 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Poorly anonymized logs reveal NYC cab drivers' detailed whereabouts

Ars Technica via NNSquad
http://arstechnica.com/tech-policy/2014/06/poorly-anonymized-logs-reveal-nyc-cab-drivers-detailed-whereabouts/

  "Botched attempt to scrub data reveals driver details for 173 million taxi
  trips."

------------------------------

Date: Sat, 21 Jun 2014 21:47:10 -0700
From: dan farmer <zen () fish2 com>
Subject: Stingrays nab cellular activities

The lengths that police and government folks will go to lie, cheat, steal,
is still amazing to me. Do they have any moral compass that's recognizable
anymore to anyone but themselves?

In this episode of our long-running drama, US marshalls and cops use
Stingrays (and presumably other things they simply haven't been caught with
yet) that nab cell location and activity and then collude to lie to judges,
defendants, just about everyone but themselves, and take outrageous actions
to hide their activities (well, no surprise, even they know they're beyond
the pale.)  The ACLU even seems taken aback.

------------------------------

Date: Mon, 23 Jun 2014 08:04:29 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Free Wi-Fi from Xfinity and AT&T also frees you to be hacked
  (Sean Gallagher)

Sean Gallagher, Ars Technica, 22 Jun 2014
Ars tests how easy it is to spoof big broadband providers to grab data.
http://arstechnica.com/security/2014/06/free-wi-fi-from-xfinity-and-att-also-frees-you-to-be-hacked/

Welcome to a way for hackers to fool you into connecting to malicious
networks and give up your personal data: a spoofed Xfinity login page.

If you've traveled and tried to get on the Internet, you've probably seen
some pretty suspicious looking Wi-Fi networks with names like "Free Wi-Fi"
and "Totally Free Internet."  Those are likely access points you'd best
avoid.  But there's a much bigger threat to your security than somebody
randomly fishing for you to connect to them -- the networks you've already
connected to and trusted, like AT&T and Xfinity.

[Figure: The default settings for the AT&T Wi-Fi network on my iPhone, before I got paranoid.]

Mobile broadband providers are eager to get you to connect to their
Wi-Fi-based networks while you're away from home.  AT&T has built a network
of free hotspots for customers at thousands of places -- including train
stations, as well as Starbucks and McDonald's locations across the country.
Comcast has spread its Xfinity wireless network far and wide as well,
turning customers' cable modems into public Wi-Fi hotspots accessible with
an Xfinity account login.

These free Wi-Fi connections are popular, for good reason -- they help
reduce the amount of broadband cellular data you consume, and they often
provide better network speeds than what you can manage over a 4G connection.
But they also offer a really easy way for someone to surreptitiously tap
into your Internet traffic and capture your account information for
less-than-friendly purposes.  Millions of AT&T and Xfinity customers could
be leaving themselves exposed to surreptitious hacking of their Internet
traffic, exposing their personal data as a result.

As we reported in our joint experiment with NPR, AT&T sets smartphones to
recognize and connect to attwifi hotspots automatically.  This can be
switched off in iPhones by setting the phone to ask the user before
connecting to networks when Wi-Fi is turned on but not associated with a
hotspot.  But that isn't an option on many Android devices.  (Update: as
readers point out, the latest AT&T Android settings allow for auto-connect
to be disabled.)

To demonstrate this, I set up my laptop as a Wi-Fi hotspot broadcasting the
network name (SSID) attwifi (after alerting my neighbors, of course).  After
killing off the settings for my preferred networks on my iPhone, I turned on
the Wi-Fi, and it connected to the fake attwifi hotspot without prompting.

[Figure: The captured traffic from my iPhone as it finds the fake "attwifi"
hotspot and starts looking for things.]

When I killed the attwifi network after a few seconds, my iPhone promptly
demonstrated the further risks of auto-connecting -- it automatically
reconnected with another network in the list of trusted networks on my
phone: a hotspot called xfinitywifi.  I had used an Xfinity hotspot while
waiting for an appointment a few days earlier, and suddenly I was logged
into a hotspot running on my neighbor's cable modem.

[Figure: When the fake AT&T network went away, a real Xfinity network
connected me right away.]

Comcast's Xfinity wireless hotspots present a Web page for login that
requests a customer's account ID and password, and each time you connect to
a new hotspot it re-authenticates you.  But if you've connected once during
the day, the hotspot remembers your device and reconnects you without
prompting.

That means that if someone were to set up a malicious Wi-Fi access point
called xfinitywifi, devices that have connected to Xfinity's network before
could automatically connect without alerting the user or asking for the
password.  Alternatively, using a honeypot tool such as PwnStar, an attacker
could spoof both the xfinitywifi SSID and the Xfinity login page -- stealing
their Xfinity credentials in the process.

PwnStar includes the ability to redirect devices connecting to a Web page on
the attacking system, record credentials, and then pass the victim on to
Internet access as if nothing had happened -- meanwhile launching
man-in-the-middle attacks against the client (as I demonstrated for myself
using an SSID called notxfinity to deter any of my neighbors from trying to
connect to it).

[Figure: PwnStar in action on my Kali Linux laptop.]

By the way, those Xfinity Wi-Fi login credentials?  They're the same set of
credentials used to gain access to Comcast customers' account billing
information, webmail, and other services.

This is not to say that AT&T's and Xfinity's networks are insecure in
themselves.  They are just common enough to give someone with evil in mind a
way to cast a wide net for potential victims over Wi-Fi.  The same tools I
used to spoof Xfinity could be set to automatically respond to a victim's
phone as any Wi-Fi access point they've trusted.  That's because of the
probe requests generated by smartphones and Wi-Fi -- when you turn on your
phone's Wi-Fi adapter, it will seek out any network you've ever connected to
that it was not told to forget.  When I set my attack access point (the
laptop) to not connect devices but to respond to all probe requests, my
iPhone attempted in turn to connect to every Wi-Fi network I've connected to
this year.  That in itself can be a privacy concern, since the SSIDs and
other data associated with those probe requests can be used to essentially
map out my movements.

This sort of attack can be played out anywhere you'd normally connect to a
public Wi-Fi network.  Tools like the ones I've tested can be set up to
actively go after a user of a public network, force them to disconnect from
their existing Wi-Fi network, and then pick up that connection themselves.
All of this can be done with something as small as an Android phone as well,
using a broadband cellular connection to provide victims with uninterrupted
Internet access, as we saw with the PwnPhone.

Sean Gallagher / Sean is Ars Technica's IT Editor.  A former Navy officer,
systems administrator, and network systems integrator with 20 years of IT
journalism experience, he lives and works in Baltimore, Maryland.
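The two failure modes the article describes, a device auto-joining any access point that beacons a remembered open SSID, and a device broadcasting probe requests for every network it remembers, are both visible to anyone listening on the air, including a venue's own defenders. As an added example, not from Ars Technica or the article, the Python below runs two such checks over a constructed monitor-mode log: it flags a trusted carrier SSID being beaconed by a BSSID outside a known baseline (the signature of a spoofed "attwifi" or "xfinitywifi"), and it lists clients whose probe requests expose a long network history. The log format, the MAC addresses and the baseline are all assumptions made for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a monitor-mode capture, reduced to the fields these
# checks need (time,frame,bssid,ssid,client). Not real captured data.
SAMPLE_LOG = """\
time,frame,bssid,ssid,client
2014-06-22T10:00:01,beacon,00:11:22:33:44:01,attwifi,
2014-06-22T10:00:02,beacon,00:11:22:33:44:02,xfinitywifi,
2014-06-22T10:00:03,beacon,aa:bb:cc:dd:ee:ff,attwifi,
2014-06-22T10:00:04,probe,,attwifi,de:ad:be:ef:00:01
2014-06-22T10:00:05,probe,,xfinitywifi,de:ad:be:ef:00:01
2014-06-22T10:00:06,probe,,HomeNet,de:ad:be:ef:00:01
2014-06-22T10:00:07,probe,,Hotel Guest,de:ad:be:ef:00:01
2014-06-22T10:00:08,probe,,attwifi,de:ad:be:ef:00:02
"""

# Hypothetical baseline: BSSIDs previously seen beaconing each trusted SSID
# at this location (constructed values).
BASELINE = {
    "attwifi": {"00:11:22:33:44:01"},
    "xfinitywifi": {"00:11:22:33:44:02"},
}


def parse_log(text):
    """Parse the CSV capture summary into a list of frame dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_rogue_aps(frames, baseline):
    """Return sorted (ssid, bssid) pairs where a trusted SSID is beaconed by a
    BSSID not in the baseline: an unknown radio advertising a name that
    devices nearby will auto-join."""
    hits = set()
    for f in frames:
        if f["frame"] != "beacon" or f["ssid"] not in baseline:
            continue
        if f["bssid"] not in baseline[f["ssid"]]:
            hits.add((f["ssid"], f["bssid"]))
    return sorted(hits)


def probe_exposure(frames, threshold=3):
    """Map each client MAC to the distinct SSIDs it probed for, keeping only
    clients at or above `threshold`. A long list is a device announcing its
    network history to anyone within radio range."""
    per_client = defaultdict(set)
    for f in frames:
        if f["frame"] == "probe" and f["client"]:
            per_client[f["client"]].add(f["ssid"])
    return {mac: sorted(ssids) for mac, ssids in per_client.items()
            if len(ssids) >= threshold}


if __name__ == "__main__":
    frames = parse_log(SAMPLE_LOG)
    print("rogue APs:", find_rogue_aps(frames, BASELINE))
    print("clients exposing network history:", probe_exposure(frames))
```

On a real capture the baseline would come from an earlier survey of the site, and the probe check is the defender's view of the same signal the article's tests used; the mitigation on the client side is the one the article gives, forgetting networks and disabling auto-join for open SSIDs.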

------------------------------

Date: June 19, 2014 at 7:02:19 PM EDT
From: Christian Huitema <huitema () microsoft com>
Subject: Re: Hong Kong electronic voting system cyber-attacked

  [via Dave Farber]

Uh, maybe. But then, check this: https://wei.sos.wa.gov/agency/osos/en/voters/Pages/vote_by_mail.aspx.

The first lines on that official website of Washington State read:
"Washington State votes by mail. Vote by mail is convenient and gives you
extra time to learn about the ballot measures and candidates before casting
your vote."

In practice, we do not observe more fraud in Washington State than in other
places that stuck with traditional ballots.

------------------------------

Date: Fri, 20 Jun 2014 17:07:53 -0400 (EDT)
From: danny burstein <dannyb () panix com>
Subject: Bank online banking garbles outgoing payments

It seems that (and I can confirm [a]) Citibank's online payment system had a
hiccup.

Quoting from the message to account holders when they logged in:

``We discovered that Citibank Online Bill Payment check(s) processed from
your account between 7 Jun and 11 Jun 2014 displayed an incorrect 'Remitted
by' or sender name and address.''  The msg adds that the rest of the info,
such as send to, account, amount, were correct.

[a] as it turns out, the check I had them print up and mail out
was... to me. And I hadn't yet deposited it.

Looking at it right now, the "remitted by" info on both the tear sheet, and
on the actual check, where it should have _my name and address_, has that of
someone completely unrelated to me with a cross country address.

The "pay to" section, which should have my name and address, was correct.

* Annoyingly enough, Citi's daily summary e-mails (balance info) continued
through the week, but no one thought to send out an e-mail notice about this
issue.

------------------------------

Date: Fri, 20 Jun 2014 19:18:47 -0600
From: "Joe Durusau" <durusau () att net>
Subject: Re: Trouble with firefox updates (RISKS, Wirchenko-27.95)

Perhaps the easiest solution is to simply turn updates off. I don't know
about all versions, but as of 29.0, you can do this by clicking on the
tools menu, selecting options, advanced, then select the update tab.
There is an option there to never check for updates.

A more definitive way of customizing Firefox is to simply download the
source code from ftp.mozilla.org, and change it however you wish. The
license allows you to freely change it at your pleasure.

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.04
************************