Risks Digest 28.07
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 15 Jul 2014 16:16:46 PDT

RISKS-LIST: Risks-Forum Digest  Tuesday 15 July 2014  Volume 28 : Issue 07

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.07.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
14,000 Draft Notices Sent To Pennsylvania Men Born In 1800s (Doug Hosking)
Birth control of the future could be activated with wireless remote
  (Sarah Gray via Henry Baker)
Crypto weakness in smart LED lightbulbs exposes Wi-Fi passwords (Dan Goodin)
Private crypto key stashed in Cisco VoIP manager allows network hijacking
  (Dan Goodin via Monty Solomon)
FCC's awful website crashes on last day for initial net neutrality comments
  (Jon Brodkin via Lauren Weinstein)
Pew Research: Global Opinions of U.S. Surveillance (Richard Forno)
GCHQ hacks online polls (Glenn Greenwald via Henry Baker)
Report: Rare leaked NSA source code reveals Tor servers targeted
  (Cyrus Farivar via Monty Solomon)
Should hospitals investigate their patients? (danny burstein)
Designing water slides is not the same as designing roller coasters
  (Ben Rothke)
"Female Cyber Sleuths Hack Into Silicon Valley's Boys Club"
  (Jordan Robertson)
Site catalogues links being censored from Google by EU (Lauren Weinstein)
The right to be forgotten will turn the Internet into a work of fiction
  (David Mitchell via Lauren Weinstein)
WashPost: In NSA-intercepted data, those not targeted far outnumber the
  foreigners who are (Lauren Weinstein)
Chinese Hackers Broke Into U.S. Personnel Networks, NYT Reports (AP via
  David Farber)
Germany 'may revert to typewriters' to counter hi-tech espionage (Henry Baker)
Re: Hong Kong electronic voting system ... (nick brown, Michael Bacon)
Re: Unix "*" wildcards considered harmful (Dave Horsfall, PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 10 Jul 2014 18:49:18 -0700
From: "Doug Hosking" <doug1 () sonic net>
Subject: 14,000 Draft Notices Sent To Pennsylvania Men Born In 1800s

... and you thought "Y2k-like" bugs were ancient history.

http://pittsburgh.cbslocal.com/2014/07/10/14000-draft-notices-sent-to-pa-men-born-in-1800s/

------------------------------

Date: Mon, 07 Jul 2014 15:57:18 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Birth control of the future could be activated with wireless remote
  (Sarah Gray)

FYI -- Q: If the NSA hacked this device & caused a woman to get pregnant,
would the NSA legally become the father of the child & be liable for child
support?  What if NSA-weakened encryption enabled someone else to hack the
device?

Sarah Gray, *Salon*, 7 Jul 2014
The device, developed by MicroCHIP, can last up to 16 years
http://www.salon.com/2014/07/07/birth_control_of_the_future_could_be_activated_with_a_wireless_remote/

The company MicroCHIP, based in Massachusetts, is developing a rather
futuristic form of contraception: a microchip that lasts for 16 years and
can be easily turned off, no doctor's appointment necessary.

The concept was conceived two years ago when Bill Gates visited Robert
Langer's MIT lab. Gates, according to MIT Technology Review, mused over
whether it was possible to create a birth control that could easily be
turned on or off as desired. Langer thought a product he invented with
Michael Cima and John Santini in the 1990s might work, which was licensed to
MicroCHIP.

The chip would be wireless, and could be controlled by the patient via
remote control. Doctors, too, could control dosage remotely. MIT Technology
Review explains the technology:

``The device measures 20 x 20 x 7 millimeters, and it is designed to be
implanted under the skin of the buttocks, upper arm, or abdomen. It
dispenses 30 micrograms a day of levonorgestrel, a hormone already used in
several kinds of contraceptives. Sixteen years' worth of the hormone fits in
tiny reservoirs on a microchip 1.5 centimeters wide inside the device.
MicroCHIP invented a hermetic titanium and platinum seal on the reservoirs
containing the levonorgestrel. Passing an electric current through the seal
from an internal battery melts it temporarily, allowing a small dose of the
hormone to diffuse out each day.''

Gates is no stranger to sexual health technology. In 2013, the Bill and
Melinda Gates Foundation challenged innovators to build a better condom --
one that would protect against unwanted pregnancy, sexually transmitted
infections and feel good -- to entice more folks to use them.

The microchip device is still in the testing phase, and is not yet FDA
approved. CNET reports:

``So far, the chips have been tested in a human clinical trial, delivering
osteoporosis medication to post-menopausal women over a one-month period,
demonstrating that the technology works, producing no adverse immune
reaction, and demonstrating the durability of the chip. The device was
implanted using a local anesthetic, and the procedure took no more than 30
minutes.''

There are, of course, large kinks to work out before this could become a
viable contraceptive method (not including political battles over birth
control).  A commenter on MIT Technology Review worries about who could
potentially control such a device without the woman's consent. It is a
rather scary prospect.

The chips would need all sorts of encryption to protect data and keep the
device safe from hackers. As technology entwines itself more and more within
the fabric of our being -- quite literally in this case -- we must tread
carefully, especially in terms of health.

MIT Technology Review, CNET

------------------------------

Date: Tue, 8 Jul 2014 01:38:32 -0400
From: Monty Solomon <monty () roscom com>
Subject: Crypto weakness in smart LED lightbulbs exposes Wi-Fi passwords
  (Dan Goodin)

Dan Goodin, Ars Technica
More evidence the Internet of things treats security as an afterthought.

In the latest cautionary tale involving the so-called Internet of things,
white-hat hackers have devised an attack against network-connected
lightbulbs that exposes Wi-Fi passwords to anyone in proximity to one of the
LED devices.

The attack works against LIFX smart lightbulbs, which can be turned on and
off and adjusted using iOS- and Android-based devices. Ars Senior Reviews
Editor Lee Hutchinson gave a good overview here of the Philips Hue lights,
which are programmable, controllable LED-powered bulbs that compete with
LIFX. The bulbs are part of a growing trend in which manufacturers add
computing and networking capabilities to appliances so people can manipulate
them remotely using smartphones, computers, and other network-connected
devices. A 2012 Kickstarter campaign raised more than $1.3 million for LIFX,
more than 13 times the original goal of $100,000. ...

http://arstechnica.com/security/2014/07/crypto-weakness-in-smart-led-lightbulbs-exposes-wi-fi-passwords/

------------------------------

Date: Tue, 8 Jul 2014 01:45:14 -0400
From: Monty Solomon <monty () roscom com>
Subject: Private crypto key stashed in Cisco VoIP manager allows network
 hijacking (Dan Goodin)

Update closes backdoor allowing unauthorized control of sensitive messaging
gear.

Dan Goodin, Ars Technica, 2 Jul 2014

Cisco Systems has released a security update that closes a backdoor allowing
attackers to control software that large organizations use to manage voice
over IP (VoIP) calls and messaging over their networks.

The default secure shell (SSH) key made it possible for hackers to gain
highly privileged administrative access to the Cisco Unified Communications
Domain Manager, the networking company warned in an advisory published
Wednesday. From there, intruders could execute arbitrary commands or gain
persistent access to the systems. The advisory didn't explicitly say that
attackers could monitor discussions or track the times that calls or
messages were made and who sent and received them, but it wouldn't be
surprising if those capabilities were also possible. In an e-mail, a Cisco
representative said these capabilities were not possible. In addition to
VoIP management, the Cisco Unified Communications Domain Manager also allows
users to manage Cisco Jabber, a cloud-based service for instant messaging,
voice and video communications, desktop sharing, and conferencing. ...

http://arstechnica.com/security/2014/07/private-crypto-key-stashed-in-cisco-voip-manager-allows-network-hijacking/

------------------------------

Date: Tue, 15 Jul 2014 08:20:04 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: FCC's awful website crashes on last day for initial net neutrality
  comments (Jon Brodkin)

Jon Brodkin, Ars Technica via NNSquad, 15 Jul 2014
http://arstechnica.com/information-technology/2014/07/fccs-awful-website-crashes-on-last-day-for-initial-net-neutrality-comments/

  "Today is the last day to file initial comments on the Federal
  Communications Commission's network neutrality proposal, and the FCC's
  ancient website is unable to handle the load.  This morning when trying to
  access the form to submit comments and the list of already submitted
  comments, I got an error message that said: "could not inspect JDBC
  autocommit mode." I also got this much longer and more entertaining error
  message: ..."

------------------------------

Date: July 14, 2014 at 3:57:47 PM EDT
From: Richard Forno <rforno () infowarrior org>
Subject: Pew Research: Global Opinions of U.S. Surveillance

[Pew Research via Dave Farber]

The Pew Research Center's 2014 Global attitudes survey asked 48,643
respondents in 44 countries what they thought about the American government
monitoring communications, such as e-mails and phone calls, in the U.S. and
other countries. Specifically, global publics were asked whether the
U.S. government's alleged monitoring of communications from individuals
suspected of terrorist activities, American citizens, citizens of the survey
countries or the leaders of the survey countries is acceptable or
unacceptable.

http://www.pewglobal.org/2014/07/14/nsa-opinion/

------------------------------

Date: Tue, 15 Jul 2014 06:30:16 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: GCHQ hacks online polls (Glenn Greenwald)

FYI -- How thin is the line between "hacking online polls" and "hacking
online elections"?

Glenn Greenwald, *The Guardian*, 14 Jul 2014
Hacking Online Polls and Other Ways British Spies Seek to Control the Internet
https://firstlook.org/theintercept/2014/07/14/manipulating-online-polls-ways-british-spies-seek-control-internet/

The secretive British spy agency GCHQ has developed covert tools to seed the
Internet with false information, including the ability to manipulate the
results of online polls, artificially inflate pageview counts on web sites,
`amplify' sanctioned messages on YouTube, and censor video content judged to
be `extremist'.  The capabilities, detailed in documents provided by NSA
whistleblower Edward Snowden, even include an old standby for pre-adolescent
prank callers everywhere: A way to connect two unsuspecting phone users
together in a call.

The tools were created by GCHQ's Joint Threat Research Intelligence Group
(JTRIG), and constitute some of the most startling methods of propaganda and
Internet deception contained within the Snowden archive.  Previously
disclosed documents have detailed JTRIG's use of ``fake victim blog posts,''
``false flag operations,'' ``honey traps'' and psychological manipulation to
target online activists, monitor visitors to WikiLeaks, and spy on YouTube
and Facebook users.

But as the U.K. Parliament today debates a fast-tracked bill to provide the
government with greater surveillance powers, one which Prime Minister David
Cameron has justified as an ``emergency'' to ``help keep us safe,'' a newly
released top-secret GCHQ document called ``JTRIG Tools and Techniques''
provides a comprehensive, birds-eye view of just how underhanded and
invasive this unit's operations are.  The document -- available in full here
-- is designed to notify other GCHQ units of JTRIG's ``weaponised
capability'' when it comes to the dark Internet arts, and serves as a sort
of hacker's buffet for wreaking online havoc.

The ``tools'' have been assigned boastful code names.  They include invasive
methods for online surveillance, as well as some of the very techniques that
the U.S. and U.K. have harshly prosecuted young online activists for
employing, including ``distributed denial of service'' attacks and ``call
bombing.'' But they also describe previously unknown tactics for
manipulating and distorting online political discourse and disseminating
state propaganda, as well as the apparent ability to actively monitor Skype
users in real-time -- raising further questions about the extent of
Microsoft's cooperation with spy agencies or potential vulnerabilities in
Skype's encryption.  Here's a list of how JTRIG describes its
capabilities:

 * ``Change outcome of online polls'' (UNDERPASS)

 * ``Mass delivery of e-mail messaging to support an Information
Operations campaign'' (BADGER) and ``mass delivery of SMS messages to
support an Information Operations campaign'' (WARPARTH)      [WARPATH?  PGN]

 * ``Disruption of video-based websites hosting extremist content
through concerted target discovery and content removal.'' (SILVERLORD)

 * ``Active skype capability. Provision of real time call records
(SkypeOut and SkypetoSkype) and bidirectional instant messaging. Also
contact lists.'' (MINIATURE HERO)

 * ``Find private photographs of targets on Facebook'' (SPRING BISHOP)

 * ``A tool that will permanently disable a target's account on their
computer'' (ANGRY PIRATE)

 * ``Ability to artificially increase traffic to a website'' (GATEWAY)
and ``ability to inflate page views on websites'' (SLIPSTREAM)

 * ``Amplification of a given message, normally video, on popular
multimedia websites (Youtube)'' (GESTATOR)

 * ``Targeted Denial Of Service against Web Servers'' (PREDATORS FACE)
and ``Distributed denial of service using P2P. Built by ICTR, deployed by
JTRIG'' (ROLLING THUNDER)

 * ``A suite of tools for monitoring target use of the UK auction site
eBay (www.ebay.co.uk)'' (ELATE)

 * ``Ability to spoof any e-mail address and send e-mail under that
identity'' (CHANGELING)

 * ``For connecting two target phone together in a call'' (IMPERIAL
BARGE)

While some of the tactics are described as ``in development,'' JTRIG touts
``most'' of them as ``fully operational, tested and reliable.'' It adds:
``We only advertise tools here that are either ready to fire or very close
to being ready.''

And JTRIG urges its GCHQ colleagues to think big when it comes to Internet
deception: ``Don't treat this like a catalogue.  If you don't see it
here, it doesn't mean we can't build it.''

The document appears in a massive Wikipedia-style archive used by GCHQ to
internally discuss its surveillance and online deception activities.  The
page indicates that it was last modified in July 2012, and had been accessed
almost 20,000 times.

GCHQ refused to provide any comment on the record beyond its standard
boilerplate, in which it claims that it acts ``in accordance with a strict
legal and policy framework'' and is subject to ``rigorous oversight.''  But
both claims are questionable.

British watchdog Privacy International has filed pending legal action
against GCHQ over the agency's use of malware to spy on Internet and mobile
phone users.  Several GCHQ memos published last fall by The Guardian
revealed that the agency was eager to keep its activities secret not to
protect national security, but because ``our main concern is that references
to agency practices (ie, the scale of interception and deletion) could lead
to damaging public debate which might lead to legal challenges against the
current regime.'' And an EU parliamentary inquiry earlier this year
concluded that GCHQ activities were likely illegal.

As for oversight, serious questions have been raised about whether top
national security officials even know what GCHQ is doing.  Chris Huhne, a
former cabinet minister and member of the national security council until
2012, insisted that ministers were in ``utter ignorance'' about even the
largest GCHQ spying program, known as Tempora -- not to mention ``their
extraordinary capability to hoover up and store personal e-mail, voice
contact, social networking activity and even Internet searches.'' In an
October Guardian op-ed, Huhne wrote that ``when it comes to the secret world
of GCHQ and the [NSA], the depth of my `privileged information' has been
dwarfed by the information provided by Edward Snowden to The Guardian.''

------------------------------

Date: Tue, 8 Jul 2014 01:44:08 -0400
From: Monty Solomon <monty () roscom com>
Subject: Report: Rare leaked NSA source code reveals Tor servers targeted
  (Cyrus Farivar)

Cyrus Farivar, Ars Technica, 3 Jul 2014
NSA says it only gathers such data for "valid foreign intelligence purposes."

Two Germany-based Tor Directory Authority servers, among others, have been
specifically targeted by the National Security Agency's XKeyscore program,
according to a new report from German public broadcaster ARD. Tor is a
well-known open source project designed to keep users anonymous and
untraceable -- users' traffic is encrypted and bounced across various
computers worldwide to keep it hidden.

This marks the first time that actual source code from XKeyscore has been
published. ARD did not say how or where it obtained the code.  Unlike many
other NSA-related stories, the broadcaster did not specifically mention the
information being part of the trove leaked by whistleblower Edward
Snowden. ...

http://arstechnica.com/tech-policy/2014/07/report-rare-leaked-nsa-source-code-reveals-tor-servers-targeted/

  [Mok-Kong Shen noted: Tor users identified by NSA (auf deutsch).  PGN]
http://www.heise.de/newsticker/meldung/XKeyscore-Quellcode-Tor-Nutzer-werden-von-der-NSA-als-Extremisten-markiert-und-ueberwacht-2248328.html

------------------------------

Date: Sun, 6 Jul 2014 12:59:26 -0400 (EDT)
From: danny burstein <dannyb () panix com>
Subject: Should hospitals investigate their patients?

Via the PRIVACY Forum <privacy () vortex com>
http://www.businessweek.com/articles/2014-07-03/hospitals-are-mining-patients-credit-card-data-to-predict-who-will-get-sick

  Imagine getting a call from your doctor if you let your gym membership
  lapse, make a habit of buying candy bars at the checkout counter, or begin
  shopping at plus-size clothing stores. For patients of Carolinas
  HealthCare System, which operates the largest group of medical centers in
  North and South Carolina, such a day could be sooner than they
  think. Carolinas HealthCare, which runs more than 900 care centers,
  including hospitals, nursing homes, doctors' offices, and surgical
  centers, has begun plugging consumer data on 2 million people into
  algorithms designed to identify high-risk patients so that doctors can
  intervene before they get sick. The company purchases the data from
  brokers who cull public records, store loyalty program transactions, and
  credit card purchases.

------------------------------

Date: Mon, 7 Jul 2014 09:45:52 -0400
From: Ben Rothke <brothke () gmail com>
Subject: Designing water slides is not the same as designing roller coasters

The Verrückt is to be the world's tallest and fastest water slide and was
to open on 23 May 2014.

In an interview, Schlitterbahn Waterparks & Resorts co-owner Jeff Henry said
that ``Our correction coefficients were all off. Models didn't show air and
water friction. A lot of our math was based on roller coasters at first, and
that didn't translate to a water slide like this.''
http://www.usatoday.com/story/travel/destinations/2014/06/26/verruckt-worlds-tallest-water-slide-exclusive-ride-video/11421473

------------------------------

Date: Mon, 7 Jul 2014 12:14:37 -0400 (EDT)
From: "ACM TechNews" <technews () hq acm org>
Subject: "Female Cyber Sleuths Hack Into Silicon Valley's Boys Club"
  (Jordan Robertson)

Jordan Robertson, Bloomberg, 1 Jul 2014
[via ACM TechNews, Monday, July 7, 2014]

Women occupied just over 26 percent of computer and mathematical positions
in the U.S. last year, according to the U.S. Bureau of Labor Statistics.
However, one area of the tech world in which women are making great gains is
information security, where they outnumber men in certain positions, such as
analyst and adviser, according to the International Information Systems
Security Certification Consortium.  Women such as ThreatGrid threat manager
Tiffany Rad, for example, have found great success in information security,
assuming leadership positions in both industry and academia.  Women also are
seeking education in the field much more than they previously did.  Rad says
college classes she teaches on information security law that used to be
exclusively male are now almost evenly split between men and women.  The
success of women in information security also has come relatively quickly.
Jeff Moss, founder of the DefCon and Black Hat security conferences, says
although almost no women attended the conferences during the late '90s, now
there are "too many to mention."  Many attribute women's success in the
field to its meritocratic nature.  Heather Adkins, one of the founding
members of Google's security staff, says the field was mired in sexism when
she joined it in the late '90s, but it has markedly improved, although she
says bias still persists in some areas.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-bc1fx2b625x059672&;

------------------------------

Date: Thu, 10 Jul 2014 21:59:48 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Site catalogues links being censored from Google by EU

(Hidden from Google via NNSquad): http://hiddenfromgoogle.com/

  "The purpose of this site is to list all links which are being censored by
  search engines due to the recent ruling of "Right to be forgotten" in the
  EU. This list is a way of archiving the actions of censorship on the
  Internet. It is up to the reader to decide whether our liberties are being
  upheld or violated by the recent rulings by the EU."

 - - -

As inevitable as the sun rising in the east. And -- fascinating -- it not
only isn't a cloaked registration, but the registrant appears to be an
identifiable person with a notable presence on the Net (including on
GitHub). There is no escape from the Streisand Effect.

------------------------------

Date: Sun, 6 Jul 2014 12:05:16 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: The right to be forgotten will turn the Internet into a work of
  fiction (David Mitchell)

David Mitchell, *The Guardian* via NNSquad
http://www.theguardian.com/commentisfree/2014/jul/06/right-to-be-forgotten-internet-work-of-fiction-david-mitchell-eu-google

  "People's right to suppress unpleasant lies which are publicly told is
  being extended to unpleasant truths -- until they die when it's suddenly
  open season on slander. The Internet will become constructed entirely of
  two different sorts of untruth: contemporaneous unalloyed praise and
  posthumous defamatory hearsay.

  No one has the right to be forgotten, any more than they have the right to
  be remembered. Our only right in this regard should be not to be lied
  about. And then maybe we can try to see the unflattering facts of other
  people's pasts in the light of our own imperfections. I wouldn't think
  less of someone because his house was repossessed 16 years ago. But I
  would if he turned out to be a liar."

------------------------------

Date: Sat, 5 Jul 2014 20:29:43 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: WashPost: In NSA-intercepted data, those not targeted far outnumber
  the foreigners who are

*The Washington Post* via NNSquad 5 Jul 2014
http://www.washingtonpost.com/world/national-security/in-nsa-intercepted-data-those-not-targeted-far-outnumber-the-foreigners-who-are/2014/07/05/8139adf8-045a-11e4-8572-4b1b969b6322_story.html

  The surveillance files highlight a policy dilemma that has been aired only
  abstractly in public. There are discoveries of considerable intelligence
  value in the intercepted messages and collateral harm to privacy on a
  scale that the Obama administration has not been willing to address.
  Among the most valuable contents, which The Post will not describe in
  detail, to avoid interfering with ongoing operations, are fresh
  revelations about a secret overseas nuclear project, double-dealing by an
  ostensible ally, a military calamity that befell an unfriendly power, and
  the identities of aggressive intruders into U.S. computer networks
  ... Months of tracking communications across more than 50 alias accounts,
  the files show, led directly to the 2011 capture in Abbottabad of Muhammad
  Tahir Shahzad, a Pakistan-based bomb builder, and Umar Patek, a suspect in
  a 2002 terrorist bombing on the Indonesian island of Bali. At the request
  of CIA officials, The Post is withholding other examples that officials
  said would compromise ongoing operations.

Executive summary: Complicated.  LW

------------------------------

Date: Thu, 10 Jul 2014 08:32:51 -0400
From: "David Farber via ip" <ip () listbox com>
Subject: Chinese Hackers Broke Into U.S. Personnel Networks, NYT Reports

http://www.huffingtonpost.com/2014/07/09/chinese-hackers_n_5572871.html

WASHINGTON (AP) -- Chinese hackers broke into the computer networks of the
U.S. Office of Personnel Management earlier this year with the intention of
accessing the files of tens of thousands of federal employees who had
applied for top-secret security clearances, according to The New York Times.

Senior U.S. officials say the hackers gained access to some of the agency's
databases in March before the threat was detected and blocked, the Times
reported in an article posted on its website Wednesday night. How far the
hackers penetrated the agency's systems was not yet clear, the newspaper
said.

Accusations of hacking by China and counterclaims of such activity by the
U.S. government have strained U.S.-Chinese relations. Chinese hacking has
been a major theme of U.S.-China discussions this week in Beijing, though
both sides have publicly steered clear of the controversy.

In May, the Justice Department filed a 31-count indictment against five
Chinese military officials operating under hacker aliases and accused them
of penetrating computer networks of a half-dozen steel companies and makers
of solar and nuclear technology to gain a competitive advantage. The Chinese
government denied the allegations and suspended a working group on cyber
rules that was to be part of the annual "Strategic and Economic Dialogue"
this week.

The Office of Personnel Management houses personal information for all
federal employees. Those applying for security clearances would be expected
to provide such information as foreign contacts, previous jobs, past drug
use and other personal details, the newspaper reported.

The Times quoted an unidentified senior U.S. official as saying that the
attack had been traced to China but that it wasn't clear whether the hackers
were part of the government. A Homeland Security Department official
confirmed to the Times that an attack occurred but said no loss of
personally identifiable information had been identified.

The Office of Personnel Management oversees a system by which federal
employees applying for security clearances enter financial data and other
personal information, the Times said, and those who maintain such clearances
are required to update their information through that system. Agencies and
contractors use the information to investigate employees.

The attack in March was not announced even though the Obama administration
has urged U.S. companies to share information about breaches in security
with the government and with consumers, the newspaper reported.

"The administration has never advocated that all intrusions be made public,"
Caitlin Hayden, a spokeswoman for the Obama administration, said in a
statement to the Times. "We have advocated that businesses that have
suffered an intrusion notify customers if the intruder had access to
consumers' personal information. We have also advocated that companies and
agencies voluntarily share information about intrusions."

Hayden said the administration had no reason to believe that personally
identifiable information for employees had been compromised.

------------------------------

Date: Tue, 15 Jul 2014 06:14:40 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Germany 'may revert to typewriters' to counter hi-tech espionage

FYI -- They now have to also worry about the xerox machines...

http://www.theguardian.com/world/2014/jul/15/germany-typewriters-espionage-nsa-spying-surveillance

Germany 'may revert to typewriters' to counter hi-tech espionage

Politicians claim communications technology is mistrusted in wake of US
spying allegations and NSA surveillance revelations

Philip Oltermann in Berlin
theguardian.com, Tuesday 15 July 2014 10.51 BST

German politicians are considering a return to using manual typewriters for
sensitive documents in the wake of the US surveillance scandal.

The head of the Bundestag's parliamentary inquiry into NSA activity in
Germany said in an interview with the Morgenmagazin TV programme that he and
his colleagues were seriously thinking of ditching e-mail completely.

Asked "Are you considering typewriters" by the interviewer on Monday night,
the Christian Democrat politician Patrick Sensburg said: "As a matter of
fact, we have -- and not electronic models either".  "Really?", the
surprised interviewer checked. "Yes, no joke", Sensburg responded.

During the continuing row over alleged US spying operations in Germany,
there had been speculation that the CIA may have actively targeted the
Bundestag's NSA inquiry committee.

"Unlike other inquiry committees, we are investigating an ongoing situation.
Intelligence activities are still going on, they are happening," said
Sensburg.

Last year, the Russian government reportedly took similar measures in
response to proof of NSA spying, as revealed by whistleblower Edward
Snowden.

The federal guard service, a powerful body tasked with protecting Russia's
highest-ranking officials, put in an order for 20 Triumph Adler typewriters,
which create unique "handwriting" that allows its source to be traced.

According to German media, revelations about digital surveillance have
triggered a fundamental rethink about how the government conducts its
communications.  "Above all, people are trying to stay away from technology
whenever they can", wrote Die Welt.

"Those concerned talk less on the phone, prefer to meet in person.  More
coffees are being drunk and lunches eaten together. Even the walk in the
park is increasingly enjoying a revival".

------------------------------

Date: Tue, 8 Jul 2014 00:32:28 +0200 (CEST)
From: nick.brown () free fr
Subject: Re: Hong Kong electronic voting system ... (RISKS-28.04)

Voting under duress?

Some years ago, I was invited --- as a "person who knows about computers"
--- to take part in a multinational commission (organised by legal/political
science people) that was looking at the possibilities for introducing
e-voting standards across Europe.

Most countries sent delegations with a moderately technical focus, but the
Swedes simply said, "We will not introduce any form of absentee voting ---
including postal voting --- until we have some way to know that the person
making the vote is alone in the room and cannot be subjected to any form of
duress". (To this day, postal voting is only accepted at Swedish elections
from people resident outside the country; I guess the pragmatic need to
accept _some_ kind of vote outweighs the "duress" issue in that case.)

PGN stated that Peterson is oversimplifying here. I'm not sure if that's
correct. If there is a single, easy to understand, non-technical flaw that
makes the technical discussion obsolete, it might be the best way to
dissuade lawmakers --- who tend to be easy to befuddle with gee-whiz claims
about technology --- from adopting e-voting technology.

Nick Brown, Strasbourg, France.  (Now retired from my previous job; hence
the change of address from nick.brown () coe int )

------------------------------

Date: Sun, 6 Jul 2014 20:23:49 +0100
From: Michael Bacon <michaelbacon () tiscali co uk>
Subject: Re: Hong Kong electronic voting system ... (Kamens, RISKS-28.06)

"For example, in many faux democracies, this takes the form of members of
the dominant party's goon squad visiting voters at home, one by one, ...

Forget your "faux democracies"; this type of behaviour is being investigated
by the Electoral Commission and the police in more than one UK local council
election, and has been suggested to have occurred in national General
Elections.  Particularly as the variant whereby individuals of the same
ethnicity as the voters - many of whom are not fluent in the English
language - collect their postal voting papers to complete them ... in the
spirit of being helpful, of course.

This notwithstanding, eVoting would deny us the amusement of pregnant and
hanging chads.

------------------------------

Date: Sun, 6 Jul 2014 11:22:57 +1000 (EST)
From: Dave Horsfall <dave () horsfall org>
Subject: Re: Unix "*" wildcards considered harmful (Baker, Re: RISKS-28.06)

The original author got pilloried for this over on Full Disclosure, for
revealing a "bug" that's been known for around thirty years, and working
exactly as documented.  It's sad to see RISKS picking it up.

If a person chops a foot off by swinging an axe around, whose fault is it?
The axe's?  The manufacturer's (both of the axe and the tool-she)?  Or,
heaven forbid, the user's fault?

We seem to have a culture of "It's not my fault!", and finding someone else
to blame does not bode well for the future.

Dave Horsfall, North Gosford NSW, Australia

------------------------------

Date: Sun, 6 Jul 2014 4:45:33 PDT
From: Peter G Neumann <risko () csl sri com>
Subject: Re: Unix "*" wildcards considered harmful (Horsfall, RISKS-28.07)

Dave, This is an old topic in RISKS regarding disclosure of bugs.  Contrary
to your view, the attackers often find the vulnerabilities before the good
guys.  From a software engineering point of view, I frequently note that the
buffer overflow problem was recognized and avoided in Multics around 1965.
I expect your message will be followed by many others saying it's about time
THIS bug in a very commonly used piece of software was finally unveiled.
Maybe NOW it will be fixed pervasively!

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.07
************************
