precedence: bulk
Subject: Risks Digest 29.15

RISKS-LIST: Risks-Forum Digest  Wednesday 9 December 2015  Volume 29 : Issue 15

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.15.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Reboot not a solution -- especially for commercial aviation (Mark Richards)
Working on Cheaper Sensors, Deeper Learnings (Gabe Goldberg)
How Electronic Health Records Are Harming Patients (CIO)
Hopeless failure of Dutch telecom providers & Phone House to protect
  personal data: How I could access 12+ million records (Kees Huyser)
Car calls 911 to report accident after Florida hit and run (ABC)
Fired Kemp worker says he is a scapegoat re: Massive Georgia data breach
  (AJC)
Trend Micro finds security bugs in over 6M devices (Help Net)
"New payment card malware hard to detect and remove" (Jeremy Kirk)
The attack that broke Tor, and how Tor plans to fix it (Kashmir Hill)
France looking at banning Tor, blocking public Wi-Fi (Sebastian Anthony)
Interesting hack to gain backstage access (BBC via Ken Olthoff)
"I gave my students iPads -- then wished I could take them back" (WashPost)
"Why Node.js waited for OpenSSL security update before patching"
  (Fahmida Y. Rashid)
I thought it was "https://" (Dan Jacobson)
Road to Robotic Parking Is Littered With Faulty Projects
  (UK National Crime Agency *via The New York Times*)
Your child is a CYBER-CRIMINAL! (UK National Crime Agency via
  Lauren Weinstein)
How not to report on the encryption 'debate' (CJR)
Terrorists Mock Bids to End Use of Social Media (NYTimes)
Re: Database Error Complicit In Turkish Airlines Landing Accident
  (Dan Jacobson)
"Post on Facebook - and get a tax bill."
  (Kate Palmer via Chris Drewe)
Re: Everyone is lying about the downed Russian jet? (David Damerell)
Re: reply@not.possible (Dimitri Maziuk)
Voter Privacy in the Age of Big Data (Ira Rubenstein)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 5 Dec 2015 10:40:24 -0500
From: Mark Richards <mark.richards@massmicro.com>
Subject: Reboot not a solution -- especially for commercial aviation

Terrestrial-bound computer users blindly accept a system reboot as a problem
solution. In my experience this remains a constant in Windows (version 7 and
below... I have no experience with 8 or above, thanks), and various Apple
OS's. (My Linux boxes just keep on running).

This mindset has crept into the maintenance practices of the commercial
airlines. For many years I have read frequently the exploits of in-flight
failures resolved by cycling a circuit breaker; of a "maintenance engineer"
doing much the same on the ground to fix a "glitch".

I think a read of the NTSC's report on the crash of an Indonesia Air Asia
Airbus A320-200 which killed all aboard on 28 Dec, 2014, is worthy for its
potential to sober flight crews, maintenance and regulators:

  avherald.com/h?article=47f6abc7/0028&opt=0

  [Date corrected in archive copies. PGN]

That CRM, basic recovery procedures, and a host of other
allegedly-well-trained responses went out the window, including the
continued lack of side stick conflict detection in Airbus designs, can, I
think, be implicated in this mess... but it all began with a hard failure
and a "reboot", taking us back to the old principle of the straw that breaks
the camel's back.

In flight, system restarts must remain the option of the crews. The very
hint of restricting flight crew access to the hardware meets with a strong
objection. However, we also see in this instance that the act of shutting
off a system completely was not met with an appropriate crew response.
Reversion to lower levels of flight dynamic protections simply returns the
airplane to stick and rudder. One may rightly ask why this is so
problematic. In the thinner upper levels, with tighter speed/stall margins,
are crews simply not familiar enough to manage these extremes?

Among the lessons: things that go bump in the night tend to leave bits
floating on the ocean. Need a reboot? There's a good reason why. Let's
abandon the cheap and easy way out as it only puts off the inevitable
disaster.

------------------------------

Date: Fri, 4 Dec 2015 18:22:56 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Working on Cheaper Sensors, Deeper Learnings

Automotive Intelligence - Consumer Technology Association

It is crucial for an autonomous car to be able to understand and learn
behaviors, weigh factors and make judgment calls, not simply to follow
rules, asserts Jim Buczkowski, global director of electronic systems,
research and innovation at Ford Motor Co. in Dearborn, MI. "I don't think
you can program for every single individual situation but you can't have a
situation where the machine comes back and says, 'I don't know what to
do,'" he says.

Further, autonomous vehicles must be engineered for "graceful failure" when
technology can't function -- for example, when one of the vehicle's sensors
is blocked by dirt or inclement weather -- meaning "you still have some
capability for driver assistance, but you don't have full autonomy," he
explains. "Those are things that are part of the strategy that folks are
looking at and working on."

http://www.cta.tech/i3/Features/2015/November-December/Automotive-Intelligence.aspx

...what could go wrong?

Gabriel Goldberg, Computers and Publishing, Inc.
gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433

------------------------------

Date: Fri, 4 Dec 2015 08:22:55 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: How Electronic Health Records Are Harming Patients

CIO via NNSquad
http://www.cio.com/article/3011576/ehr/why-electronic-health-records-arent-more-usable.html

  EHRs are designed to support billing more than patient care, experts say
  ... It shouldn't come as a surprise that most doctors are unhappy with
  their electronic health record (EHR) systems, which tend to be clunky,
  hard to use and may actually get in the way of truly excellent patient
  care ... Doctors' biggest complaint about the EHR is that it slows them
  down, especially in the documentation phase. "Compared to handwriting or
  dictating, EHRs take doctors nine times longer to enter the data,"
  Anderson says. "Sure, you have more information in the EHR than in paper
  records, but it takes more time." ... Other alerts go off to prevent
  adverse drug interactions with other medications, allergies, or foods.
  Many of these are inapplicable to particular patients, and after a while,
  doctors may stop paying attention to them or turn them off. Three
  quarters of EHRs don't allow the customization of these alerts, according
  to Anderson.

------------------------------

Date: Tue, 8 Dec 2015 14:31:54 +0100
From: Kees Huyser <kees.huyser@nikhef.nl>
Subject: Hopeless failure of Dutch telecom providers & Phone House to
  protect personal data: How I could access 12+ million records

A (long) story of exposed passwords and lax security.

"The sales guy started renewing my Vodafone subscription and therefore
needed to log in at a dealer portal from Vodafone. He didn't remember the
login password, and, here it comes, on the screen he opened an Excel file
which contained *all* their passwords. Is this happening for real?
I had just told him minutes ago I'm an experienced professional hacker, and
we had both laughed about the password-taped-on-monitor leak. Curiously and
intensively I looked on the screen to get a picture of the treasure trove
that was in front of me. Passwords to view and modify customer data of KPN,
Vodafone, Telfort, T-Mobile, UPC, Tele2 and other companies were right in
front of me."

http://sijmen.ruwhof.net/weblog/608-personal-data-of-dutch-telecom-providers-extremely-poorly-protected-how-i-could-access-12-million-records

Kees Huyser

------------------------------

Date: Tue, 8 Dec 2015 08:31:58 -0700
From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
Subject: Car calls 911 to report accident after Florida hit and run (ABC)

ABC 7, Chicago, 4 Dec 2015, Port St. Lucie, FL

A hit-and-run mystery was solved and a woman arrested in Florida after an
unusual call to 911. It wasn't the driver who picked up the phone, but
instead it was the car itself that called for help.

Port St. Lucie police say a car safety feature helped them to track down
57-year-old Cathy Bernstein, who they say hit a truck and then [p]lowed
through a van on Prima Vista Boulevard. Bernstein allegedly fled the scene,
but her car's emergency assistance feature didn't just make a record of the
crash, it automatically contacted 911.

http://abc7chicago.com/technology/car-auto-dails-911-to-report-accident-after-driver-allegedly-commits-hit-and-run/1109554/

------------------------------

Date: Thu, 3 Dec 2015 19:36:37 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Fired Kemp worker says he is a scapegoat re: Massive Georgia data
  breach (AJC)

AJC via NNSquad
http://www.ajc.com/news/news/state-regional-govt-politics/exclusive-fired-kemp-worker-says-he-is-a-scapegoat/npbBC/

The employee fired after being blamed for a massive data breach at the
Georgia Secretary of State's Office said Wednesday he has been made a
scapegoat by the agency.
In an exclusive interview with The Atlanta Journal-Constitution, longtime
state programmer Gary Cooley said he did not have the security access to add
millions of Social Security numbers and birth dates to a public data file --
something Secretary of State Brian Kemp accused him of doing. And while he
acknowledged a role in the gaffe, he also outlined a more complicated series
of missteps and miscommunication both within the office and with PCC
Technology Group, an outside vendor tasked with managing voter data for the
state.

------------------------------

Date: Tue, 8 Dec 2015 07:55:16 -0600
From: "Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Subject: Trend Micro finds security bugs in over 6M devices (Help Net)

An estimated 6.1 million smart phones, routers, and smart TVs still use old
versions of software with security bugs for which fixes were available in
2012. This is because many app developers are using obsolete versions of
Universal Plug & Play (UPnP) SDK library (libupnp). See chart in Help Net
article, & Trend Micro blog, listing 20 popular apps in this condition.

http://www.net-security.org/secworld.php?id=19196
http://blog.trendmicro.com/trendlabs-security-intelligence/high-profile-mobile-apps-at-risk-due-to-three-year-old-vulnerability/#

  [Incidentally OWASP has published top 10 security flaws found in modern
  apps.
  https://www.owasp.org/index.php/Top_10_2013-Top_10]

------------------------------

Date: Tue, 08 Dec 2015 15:05:35 -0800
From: Gene Wirchenko <genew@telus.net>
Subject: "New payment card malware hard to detect and remove"

Jeremy Kirk, InfoWorld, 7 Dec 2015
FireEye finds that Nemesis, which comes from a suspected Russian group,
is a bootkit
http://www.infoworld.com/article/3012125/malware/new-payment-card-malware-hard-to-detect-and-remove.html

------------------------------

Date: Mon, 07 Dec 2015 08:41:23 -0800
From: Henry Baker <hbaker1@pipeline.com>
Subject: The attack that broke Tor, and how Tor plans to fix it (Kashmir Hill)

Kashmir Hill, Fusion, 30 Nov 2015
http://fusion.net/story/238742/tor-carnegie-mellon-attack/

Law enforcement has been complaining for years about the Web "going dark,"
saying that encryption and privacy tools are frustrating their ability to
track criminals online. But massive FBI operations over the last year that
have busted 'hidden sites' used for the sale of drugs, hacking tools, and
child pornography suggest the digital criminal world has gotten lighter,
with law enforcement bragging that criminals can't "hide in the shadows of
the Dark Web anymore."

While mysterious about its tactics, law enforcement indicated that it had
found a way to circumvent the tool on which these sites relied, a software
called Tor. But criminals are not the only ones who rely on it.

  [Henry also suggests other sites as well.
  PGN]

https://www.fbi.gov/newyork/press-releases/2014/dozens-of-online-dark-markets-seized-pursuant-to-forfeiture-complaint-filed-in-manhattan-federal-court-in-conjunction-with-the-arrest-of-the-operator-of-silk-road-2.0
https://www.torproject.org/projects/torbrowser.html.en
http://motherboard.vice.com/read/the-operators
https://gitweb.torproject.org/doctor.git

------------------------------

Date: Mon, 07 Dec 2015 08:48:14 -0800
From: Henry Baker <hbaker1@pipeline.com>
Subject: France looking at banning Tor, blocking public Wi-Fi (Sebastian Anthony)