[via David Farber's IP] Dana Liebelson, *Mother Jones*, 24 Oct 2013 Security experts say the federal health insurance website is vulnerable to a common technique that hackers use to steal personal information. <http://www.motherjones.com/politics/2013/10/obamacare-healthcare-gov-hacked-clickjacking> With Healthcare.gov plagued by technical difficulties, the Obama administration is bringing in heavyweight coders and private companies like Verizon to fix the federal health exchange, pronto. But web security experts say the Obamacare tech team should add another pressing cyber issue to its to-do list: eliminating a security flaw that could make sensitive user information, including Social Security numbers, vulnerable to hackers. According to several online security experts, Healthcare.gov, the portal where consumers in 35 states are being directed to obtain affordable health coverage, has a coding problem that could allow hackers to deploy a technique called "clickjacking," where invisible links are planted on a legitimate web page. Using this scheme, hackers could trick users into giving up personal data as they enter it into the web site, potentially placing Americans at risk of identity theft or allowing fraudsters to file bogus health care claims. And it's not just the federal exchange that has security problems. Some of the 15 states that have established their own online exchanges aren't using standard encryption throughout their Obamacare websites—leaving user information at risk. Here's the problem: When an American signs up for Obamacare online, they must enter a good deal of personal information to verify identity -- including name, Social Security number, phone number, email address, income, and employer—and identifying information for their family members. In the majority of states, Americans will enter this information directly into the Healthcare.gov website.
Kyle Wilhoit, a threat researcher at Trend Micro, a Japanese security software company, studied the Healthcare.gov portal with his security team and found a "moderate risk" for hacking due to an easy-to-fix coding problem that leaves the site vulnerable to clickjacking. Nidhi Shah, who works on research and development for Hewlett-Packard's Web Security Research Group, found the same problem. This wouldn't be the first time a federal site experienced coding problems: Earlier this year, SAM.gov, a government contracting award management site, automatically revealed companies' private data, without a hacker lifting a finger, because of bad coding. "Common clickjacking would be a popular method to attempt to exploit [the site]" says Wilhoit. "Hackers could use this information in the creation of fake identities, fake credit cards, and fake accounts very easily." He adds that it's relatively easy to fix, although the fixed code would need to be rolled out on multiple Healthcare.gov pages and potentially state websites as well. Asked about clickjacking concerns, the Department of Health and Human Services (HHS) referred Mother Jones to this security statement, which says that Americans don't need to worry: "If a security incident occurs, an Incident Response capability would be activated, which allows for the tracking, investigation, and reporting of incidents." Other parts of Obamacare's tech infrastructure are less vulnerable to attack. Although Healthcare.gov is at risk for clickjacking, sensitive information submitted through the website is not permanently stored in any centralized database (contrary to Republican fears), making it harder for hackers to steal Americans' data in bulk. Instead, user information is routed through a secure "data hub" to various federal agencies, including the Social Security Administration, where it can be double-checked and verified.
Then private insurance companies are directly notified that a consumer has signed up and selected a health care plan. Experts say that the federal data hub that routes information to federal agencies is fairly secure. "A successful attack against Healthcare.gov would likely be a very well organized and financed attack and be spectacular because it would be so hard and thus so unlikely," says Christopher Budd, threat communications manager for Trend Micro. Chris Rasmussen, policy analyst for the Center for Democracy and Technology, agrees that the hub is "encrypted and secure." Some state Obamacare sites could be significantly more vulnerable than the federal portal. The Healthcare.gov site uses a common form of encryption called Secure Sockets Layer (SSL), which prevents information from being intercepted by a hacker after you click "send" (SSL doesn't defend against most clickjacking). But the 15 states currently running their own independent Obamacare websites do not have explicit instructions from the HHS to use SSL. According to HHS, these states and the District of Columbia, which also has its own Obamacare site, are independently responsible for ensuring that they "develop standards to protect the privacy and security of consumers' personal information." "These state sites...represent more viable targets for direct attack" than the federal data hub, Budd argues. And hackers have been known to target state healthcare programs—last year, over 280,000 Social Security numbers were stolen from Utah's Medicaid server. Hawaii, for example, does not automatically use SSL across its entire website, potentially leaving user information vulnerable to hackers -- particularly if a visitor to the site is using an open wireless network, such as one at a coffee shop. The same is true with the online health exchanges created by Minnesota and Colorado.
Budd notes that attacking state sites "rather than the more fortress-like data warehouse [like the data hub] can be easier to pull off with a greater chance of success." Many security experts argue that Healthcare.gov's code would quickly improve if it was open source—posted publicly for other programmers to examine, adapt, and improve. In fact, the code for the site was originally supposed to be open source. But HHS removed its code from open-source websites after developers complained they had trouble distinguishing which code belonged to which part of the website. Since then, all of Healthcare.gov's coding mistakes have happened behind closed doors
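The clickjacking risk described above is closed on the server side by telling browsers not to render the page inside another site's frame, either with the `X-Frame-Options` header or with the `frame-ancestors` directive of `Content-Security-Policy` (which, when present, takes precedence over `X-Frame-Options`). The following C program is an added example, not code from the article, from Healthcare.gov or from the quoted researchers: a small checker a defender can run over captured HTTP response headers to decide whether a page can still be framed. The four sample header blocks are constructed for illustration and say nothing about what any real site actually sends.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive compare of the first n bytes (stops early at a NUL in a). */
static int ieq(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
        if (a[i] == '\0') return 1;
    }
    return 1;
}

/* Case-insensitive substring search. */
static const char *find_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++)
        if (ieq(hay, needle, n)) return hay;
    return NULL;
}

/* Copy the trimmed value of header `name` out of a raw header block.
 * Lines are split on '\n'; a trailing '\r' is trimmed as whitespace. */
static int get_header(const char *hdrs, const char *name, char *out, size_t outsz) {
    size_t n = strlen(name);
    const char *line = hdrs;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > n && ieq(line, name, n) && line[n] == ':') {
            const char *v = line + n + 1;
            const char *end = line + len;
            while (v < end && isspace((unsigned char)*v)) v++;
            while (end > v && isspace((unsigned char)end[-1])) end--;
            size_t vlen = (size_t)(end - v);
            if (vlen >= outsz) vlen = outsz - 1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return 0;
}

/* Returns 1 if browsers will refuse to render this response inside a frame
 * from another origin, 0 if the page can be framed (and so clickjacked). */
int framing_protected(const char *hdrs) {
    char v[512];
    if (get_header(hdrs, "Content-Security-Policy", v, sizeof v)) {
        const char *fa = find_ci(v, "frame-ancestors");
        if (fa) {
            /* The directive runs up to the next ';'. */
            const char *semi = strchr(fa, ';');
            size_t len = semi ? (size_t)(semi - fa) : strlen(fa);
            char dir[256];
            if (len >= sizeof dir) len = sizeof dir - 1;
            memcpy(dir, fa, len);
            dir[len] = '\0';
            /* Sources follow the directive name. "*" or a bare scheme such as
             * "https:" lets any site frame the page; an empty list means 'none'. */
            for (char *tok = strtok(dir + strlen("frame-ancestors"), " \t"); tok;
                 tok = strtok(NULL, " \t")) {
                if (strcmp(tok, "*") == 0 || tok[strlen(tok) - 1] == ':') return 0;
            }
            return 1;
        }
    }
    if (get_header(hdrs, "X-Frame-Options", v, sizeof v))
        return ieq(v, "DENY", 5) || ieq(v, "SAMEORIGIN", 11);
    return 0;  /* no framing restriction at all */
}

/* Constructed sample responses (not real captures). */
const char *RESP_UNPROTECTED =
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Secure; HttpOnly\r\n\r\n";
const char *RESP_XFO =
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: sameorigin\r\n\r\n";
const char *RESP_CSP =
    "HTTP/1.1 200 OK\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n";
/* frame-ancestors wins over X-Frame-Options, so this page is still framable. */
const char *RESP_CONFLICT =
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: frame-ancestors *; default-src 'self'\r\n\r\n";

int main(void) {
    printf("no header:        %d\n", framing_protected(RESP_UNPROTECTED));
    printf("X-Frame-Options:  %d\n", framing_protected(RESP_XFO));
    printf("CSP 'none':       %d\n", framing_protected(RESP_CSP));
    printf("CSP * + XFO DENY: %d\n", framing_protected(RESP_CONFLICT));
    return 0;
}
```

The last sample is the case worth remembering when auditing a fix that was "rolled out on multiple pages": adding `X-Frame-Options: DENY` does nothing if some template also emits a permissive `frame-ancestors`, because browsers that understand CSP use only the CSP directive.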
CNN is reporting that the security assessment was incomplete when the site was rolled out. Since security is generally the last thing done before fielding, this shouldn't be surprising. What's surprising is that so far, only one security vulnerability has become public—given that the whole development project seems to have been poorly coordinated (i.e., without a strong system architecture or system integrator), I expect that there are a lot of security problems where the different pieces connect together. http://www.cnn.com/2013/10/30/politics/obamacare-website-warning-memo/index.html?hpt=hp_t1
One of the hazards to modern systems is complacency. High Mean Time Between Failure systems fail rarely, thus there is an increasing tendency to discover insufficient planning for failure (several years ago, AOL had a multi-hour outage caused by a "router update", a fact that I noted in a past edition of the "Computer Security Handbook"). Networked (and cloud) systems are particularly vulnerable to this type of problem with communications infrastructure. The ACA exchanges (HEALTHCARE.GOV and the free-standing state exchanges) all rely on the IRS to validate taxpayer information. Apparently, this data hub may not have been provisioned with sufficient redundancy to survive an equipment failure. According to the Money article: "... Joanne Peters, a spokeswoman for the Department of Health and Human Services, said a vendor networking issue at Verizon subsidiary Terremark was to blame. Peters said the vendor had 'experienced a failure in a networking component,' and the attempted fix crashed the system. ..." The moral of the story remains: Trust but verify. Outsourcing connectivity is not the problem, but ensuring availability in the face of failure requires full verification. All too often, there are shared points of failure which may not be obvious (even two telecommunications vendors may in the end be using the same strand of fiber). The original article is at: http://money.cnn.com/2013/10/27/news/obamacare-website-malfunction/index.html Bob Gezelter, http://www.rlgsc.com
Toyota has reached a settlement in the first case in the US that found the company liable in the case of sudden unintended acceleration. http://abcnews.go.com/Business/wireStory/oklahoma-judge-settlement-reached-toyota-case-20683630?singlePage=true "The ruling was significant because it was the first case where plaintiffs argued that a car's electronics—in this case the software connected to the Camry's electronic throttle-control system—caused the unintended acceleration. The Japanese automaker recalled millions of cars, starting in 2009, following claims of sudden acceleration in Toyota vehicles. It has denied that electronics played any role in the problem." There is a similar ongoing federal case in California, and apparently 80 similar cases in state courts. "The fact that it was a jury in Oklahoma—which is generally considered a very conservative, not plaintiff-friendly state—that doesn't bode very well for Toyota," Marketos said. [...] A federal judge in Orange County, California, is dealing with wrongful death and economic loss lawsuits that have been consolidated. Similar to the Oklahoma County case, federal lawsuits contend that Toyota's electronic throttle-control system was defective and caused vehicles to surge suddenly. Toyota has denied the allegation, and neither the National Highway Traffic Safety Administration nor NASA found evidence of electronic problems. Wylie Aitken, an Orange County plaintiff's attorney who is a liaison with the cases filed in state court against Toyota, said he thinks the Oklahoma case "could be a game-changer to get the compensation the plaintiffs are entitled to." A more detailed technical analysis in an EE Times article (no single-page link available) summarizes the results of the analysis of Toyota's source code by the Barr Group, an embedded systems consulting company, and other experts. 
Their testimony was crucial in the outcome of the case, and they were able to come to stronger conclusions than the NHTSA and NASA could last December. http://www.eetimes.com/document.asp?doc_id19903 "Barr said that the 2005 Camry L4 source code and in-vehicle tests by the experts confirmed that some critical variables are not protected from corruption, and sources of memory corruption are present. He believes that Toyota's engineers sought to protect numerous variables against software- and hardware-caused corruptions, but they failed to mirror several key critical variables, and they made no hardware protection available against bit flips. Stack overflow and software bugs led to memory corruption, he said. And it turns out that the crux of the issue was these memory corruptions, which acted "like ricocheting bullets." [...] When asked if the whole case for unintended acceleration could be pinned on the task X death, Barr replied, "The task X death in combination with other task deaths." There are 24 tasks and 16 million different ways those tasks can die. The experts group was able to demonstrate at least one way for the software to cause unintended acceleration, but there are so many other ways that could have happened. Barr also said more than half the 24 tasks' deaths studied by the experts in their experiments "were not detected by any fail safe." After the Oklahoma trial, what steps should the NHTSA be taking? Barr made some suggestions: NHTSA needs to get Toyota to make its existing cars safe and also needs to step up on software regulation and oversight. For example, FAA and FDA both have guidelines for safety-critical software design (e.g., DO-178) within the systems they oversee. NHTSA has nothing. Also, NHTSA recently mandated the presence and certain features of black boxes in all US cars, but that rule does not go far enough.
We observed that Toyota's black box can malfunction during unintended acceleration specifically, and this will cause the black box to falsely report no braking. NHTSA's rules need to address this, e.g., by being more specific about where and how the black box gets its data, so that it does not have a common failure point with the engine computer. For those interested, the NHTSA/NASA report on Toyota is at: http://www.nhtsa.gov/staticfiles/nvs/pdf/NASA-UA_report.pdf http://www.nhtsa.gov/staticfiles/nvs/pdf/NASA_FR_Appendix_A_Software.pdf Unfortunately, it is unlikely that we will see any report from the Barr Group, due to confidentiality agreements they signed with Toyota. There is some followup by the EE Times here: http://www.eetimes.com/author.asp?section_id6&doc_id19910 P.S.: Another excellent analysis of the topic is "Toyota's killer firmware: Bad design and its consequences", by Michael Dunn: http://www.edn.com/design/automotive/4423428/Toyota-s-killer-firmware--Bad-design-and-its-consequences
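Barr's point that the engineers "failed to mirror several key critical variables" refers to a standard defensive pattern in safety-critical firmware: keep a second, bit-inverted copy of each critical variable and check that the two copies agree on every read, so that a bit flip or an overrun that damages one copy is detected and the control loop falls to a safe state instead of acting on a corrupted value. The C program below is an added example of that pattern; it is not Toyota's code and not from the Barr Group's analysis, and the throttle-control step, the variable names and the fault-injection helper are hypothetical constructions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* A mirrored critical variable: the value and its one's complement.
 * The pair is intact only when value ^ mirror == 0xFFFF. */
typedef struct {
    uint16_t value;
    uint16_t mirror;
} mirrored_u16;

void mirrored_set(mirrored_u16 *m, uint16_t v) {
    m->value = v;
    m->mirror = (uint16_t)~v;
}

/* Returns 1 and writes the value to *out if both copies agree,
 * 0 if the pair is inconsistent (corruption detected). */
int mirrored_get(const mirrored_u16 *m, uint16_t *out) {
    if ((uint16_t)(m->value ^ m->mirror) != 0xFFFFu) return 0;
    *out = m->value;
    return 1;
}

/* Constructed fault injection for the demo: flip one bit of the raw bytes
 * of the pair, standing in for a stack overflow or a hardware upset. */
void inject_bit_flip(mirrored_u16 *m, unsigned bit) {
    uint8_t *raw = (uint8_t *)m;
    raw[bit / 8] ^= (uint8_t)(1u << (bit % 8));
}

/* Hypothetical control-loop step: act on the stored throttle target only
 * if it is intact; otherwise fail safe to a closed throttle (0). */
uint16_t throttle_command(const mirrored_u16 *target) {
    uint16_t t;
    if (!mirrored_get(target, &t)) return 0;
    return t;
}

/* Demo helpers: start from a constructed target of 0x1234 and see what a
 * single flipped bit does to the mirrored and to an unmirrored variable. */
uint16_t throttle_intact(void) {
    mirrored_u16 m;
    mirrored_set(&m, 0x1234);
    return throttle_command(&m);
}

uint16_t throttle_after_flip(unsigned bit) {
    mirrored_u16 m;
    mirrored_set(&m, 0x1234);
    inject_bit_flip(&m, bit);
    return throttle_command(&m);  /* 0: corruption caught, throttle closed */
}

/* The unmirrored variable under the same fault: nothing notices, and the
 * corrupted target is simply used. */
uint16_t plain_after_flip(unsigned bit) {
    uint16_t target = 0x1234;
    uint8_t *raw = (uint8_t *)&target;
    raw[bit / 8] ^= (uint8_t)(1u << (bit % 8));
    return target;
}

/* How many of the 32 possible single-bit flips in the pair are detected. */
int detected_single_flips(void) {
    int detected = 0;
    for (unsigned bit = 0; bit < 8 * sizeof(mirrored_u16); bit++)
        if (throttle_after_flip(bit) == 0) detected++;
    return detected;  /* every single-bit flip breaks the complement relation */
}

int main(void) {
    printf("intact target:            0x%04X\n", throttle_intact());
    printf("mirrored, bit 13 flipped: 0x%04X (fail safe)\n", throttle_after_flip(13));
    printf("plain, bit 13 flipped:    0x%04X (silently wrong)\n", plain_after_flip(13));
    printf("single-bit flips caught:  %d of %d\n", detected_single_flips(),
           (int)(8 * sizeof(mirrored_u16)));
    return 0;
}
```

Two design notes a reviewer would raise: the mirror is only as good as the check, so every read path must go through `mirrored_get` (a task that reads `m->value` directly gets no protection), and in a real controller the two copies should live in separate RAM regions rather than adjacent as here, so that one overrun cannot rewrite both with a matching pair.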
EDN has an article about Toyota's electronic throttle control system software and unintended acceleration: Toyota's killer firmware: Bad design and its consequences http://www.edn.com/design/automotive/4423428/Toyota-s-killer-firmware--Bad-design-and-its-consequences There's also an interesting companion discussion on Hacker News: https://news.ycombinator.com/item?id=6636811
Some details of the software, from the plaintiff's expert witness. http://www.edn.com/design/automotive/4423428/1/Toyota-s-killer-firmware--Bad-design-and-its-consequences
[Via Dave Farber's IP] The subject sounded promising, but the outcome is not so. Hats off to the sophistic "Citizens United"—they will not be penalized as real, flesh citizens, because they are a corporation. Despite at least $1.75 million in bribes said to have been paid the company around the globe, nobody will go to jail for what U.S. Attorney Steven Dettelbach describes as their "worldwide pattern of criminal conduct," because they are a corporation --- and you are not. The $50 million the company has agreed to pay is a mere fraction of the firm's $3 billion in annual revenues. That, even though Diebold is a repeat offender --- which may be describing it mildly... In 2010 the company settled an SEC fraud suit for $25 million. They also admitted in 2008 that they had overstated 2007 election division revenue by some 300% in hopes of manipulating stock prices. http://truth-out.org/news/item/19623-diebold-charged-with-bribery-falsifying-docs-worldwide-pattern-of-criminal-conduct Brad Friedman, The Brad Blog, 25 Oct 2013 One of the world's largest ATM manufacturers and, formerly, one of the largest manufacturers of electronic voting systems, has been indicted by federal prosecutors for bribery and falsification of documents. The charges represent only the latest in a long series of criminal and/or unethical misconduct by Diebold, Inc. and their executives over the past decade. According to Cleveland's Plain Dealer, a U.S. Attorney says the latest charges are in response to "a worldwide pattern of criminal conduct" by the company.... Federal prosecutors Tuesday filed charges against Diebold Inc., accusing the North Canton-based ATM and business machine manufacturer of bribing government officials and falsifying documents in China, Indonesia and Russia to obtain and retain contracts to provide ATMs to banks in those countries.
The two-count criminal information and deferred prosecution agreement calls for Diebold to pay nearly $50 million in penalties: $23 million to the U.S. Securities and Exchange Commission, and $25 million to the Department of Justice. The agreement with federal prosecutors also calls for the implementation of rigorous internal controls that includes a compliance monitor for at least 18 months. The government agreed to defer criminal prosecution for three years, and drop the charges if Diebold abides by the terms of the agreement. As early as 2004, thanks to documents leaked by a whistleblower, it was discovered that Diebold had illegally used uncertified hardware and software in California election systems and planned to lie about it to state investigators. The e-voting systems, repeatedly found over the years to be easily hacked, were decertified for use by the state at the time (though they are still used widely around much of the country today.) Still, nobody went to prison for any of Diebold's crimes. Their most notorious infamy was tied to their often bumbling work as the nation's second largest e-voting company, which produced wildly insecure and often inaccurate voting systems and tabulators and which they proved willing to lie about.
The Ohio-based firm first attracted the notice, and ire, of Democrats in 2003 when its then CEO, Walden O'Dell, penned a fundraising letter on behalf of George W. Bush and the Republican Party, promising that he was "committed to helping Ohio deliver its electoral votes to the president next year." ... http://truth-out.org/news/item/19623-diebold-charged-with-bribery-falsifying-docs-worldwide-pattern-of-criminal-conduct
[via Dave Farber's IP] Two reactions to the Diebold bribery item: 1. We've known the *cost* of bribery. Thanks to the SEC, now we know the *price* of bribery. 2. The SEC is apparently selling bribery well below cost. Does that qualify as "dumping?"
Associated Press reports that the Carmel Tunnels through Haifa (in northern Israel) were shut for 8 hours last month due to a cyberattack that disabled the security camera systems. http://www.usatoday.com/story/tech/2013/10/27/ap-exclusive-israeli-tunnel-hit-by-cyber-attack/3281133/ http://www.theatlanticwire.com/global/2013/10/hackers-shut-down-tunnel-road-israel/70983/ (And others) The authority that runs the tunnels says it was just an ordinary malfunction. http://www.israelnationalnews.com/News/Flash.aspx/279141#.Um6idSR8y8w Who's correct? The risk is that perhaps it doesn't matter!
[Lucas Mearian in Computerworld, 24 Oct 2013, via ACM TechNews] Autonomous vehicles could save many lives and an enormous amount of money through accident avoidance and congestion reduction, among other techniques, according to a new study from the nonprofit Eno Center for Transportation. The report estimated that up to 4.2 million accidents could be prevented, saving 21,700 lives and $450 billion in related costs annually, if 90 percent of the vehicles on U.S. roads were self-driving. Collisions could be avoided if the computer-controlled autos could sense and anticipate road conditions and surrounding objects, the study determined. Meanwhile, freeway and artery congestion could be cut by more than 75 percent through vehicle-to-vehicle and vehicle-to-infrastructure communication by autonomous cars and trucks. The study's authors note that high numbers of autonomous vehicles must be present for such outcomes to be achieved. "For example, if 10 percent of all vehicles on a given freeway segment are [autonomous], there will likely be an [autonomous vehicle] in every lane at regular spacing during congested times, which could smooth traffic for all travelers," they point out. However, various issues must first be addressed with self-driving vehicles, including the extent to which functionality would be automated, whether onboard computers could be made hack-proof, and who would be liable in the event of an accident in an autonomous car. http://www.computerworld.com/s/article/9243518/Self_driving_cars_could_save_more_than_21_700_lives_450B_a_year
[Via Dave Farber's IP] Somini Sengupta, *The New York Times*, 28 Oct 2013 http://www.nytimes.com/2013/10/29/technology/some-schools-extend-surveillance-of-students-beyond-campus.html For years, a school principal's job was to make sure students were not creating a ruckus in the hallways or smoking in the bathroom. Vigilance ended at the schoolhouse gates. Now, as students complain, taunt and sometimes cry out for help on social media, educators have more opportunities to monitor students around the clock. And some schools are turning to technology to help them. Several companies offer services to filter and glean what students do on school networks; a few now offer automated tools to comb through off-campus postings for signs of danger. For school officials, this raises new questions about whether they should—or legally can discipline children for their online outbursts. The problem has taken on new urgency with the case of a 12-year-old Florida girl who committed suicide after classmates relentlessly bullied her online and offline. [PGN-truncated for RISKS. See the full article.]
Jeremy Kirk, InfoWorld, 25 Oct 2013 Asking for private SSL keys could hurt the US economy and cause service providers to move to other legal jurisdictions http://www.infoworld.com/d/security/lavabit-encryption-key-ruling-threatens-internet-privacy-eff-argues-229535
http://j.mp/1cet4IQ (Techdirt via NNSquad) "Apparently a whistleblower recently leaked some evidence that German authorities were using a special trojan horse software to tap Skype audio conversations. The document detailing this was leaked to the German Pirate Party, one of many international "Pirate Parties" that have been formed in recent years to push for more reasonable government policies on a variety of fronts from intellectual property to privacy and government surveillance. Illegally tapping Skype conversations may be illegal, but it seems that German authorities are a lot more interested in tracking down who leaked the documents and have raided the homes of various German Pirate Party members, confiscating computer equipment. Of course, if anything, this would seem to confirm that the government was at least experimenting with, if not actively using, such a trojan horse wiretapping program—and the raids have only served to generate much more attention over that." False indignation is almost as "amusing" as hypocrisy, eh?
http://www.theguardian.com/world/2013/oct/26/nsa-surveillance-brazil-germany-un-resolution The phone of the German chancellor, Angela Merkel, might have been monitored for more than 10 years, according to a report in Der Spiegel. It said that her mobile telephone number had been listed by the NSA's Special Collection Service (SCS) since 2002—marked as "GE Chancellor Merkel"—and was still on the list weeks before President Barack Obama visited Berlin in June. In an SCS document cited by the magazine, the agency said it had a "not legally registered spying branch" in the US embassy in Berlin, the exposure of which would lead to "grave damage for the relations of the United States to another government". From there, NSA and CIA staff were tapping communication in Berlin's government district with high-tech surveillance. Quoting a secret document from 2010, Der Spiegel said such branches existed in about 80 locations around the world, including Paris, Madrid, Rome, Prague, Geneva and Frankfurt. Merkel's spokesman and the White House declined comment on the report. German secret service officials are to travel to the US next week to seek explanations from the White House and the National Security Agency following allegations that the American intelligence agency has been tapping the mobile phone of the chancellor, Angela Merkel. The German government's deputy spokesman, Georg Streiter, said: "We are talking to the Americans to clear things up as quickly as possible. A high-level delegation will travel for talks with the White House and National Security Agency to push forward the investigation into the recent allegations." The delegation will include senior officials from the German secret service, according to German media reports. Germany and Brazil are spearheading efforts at the United Nations to protect the privacy of electronic communications.
Diplomats from the two countries, which have both been targeted by the NSA, are leading efforts by a coalition of nations to draft a UN general assembly resolution calling for the right to privacy on the Internet. ...
FYI—I guess the USB stick giveth & also taketh away. I haven't been able to determine if this Russian USB hack used the much-loved autoplay/autorun (autoworm/autospy?) feature of Windows, or whether this USB stick contained something more sophisticated that somehow bypassed a disabled autorun USB port. (BTW, I believe the Chinese govt used to routinely hand out autorun CD's to commercial visitors that contained some sort of spying feature.) Nick Squires, Rome, Bruno Waterfield in Brussels and Peter Dominiczak, Russia 'spied on G20 leaders with USB sticks'; Russia used complimentary 'Trojan horse' pen drives to spy on delegates at G20 summit ... 29 Oct 2013 http://www.telegraph.co.uk/news/worldnews/europe/russia/10411473/Russia-spied-on-G20-leaders-with-USB-sticks.html Russia spied on foreign powers at last month's G20 summit by giving delegations USB pen drives capable of downloading sensitive information from laptops, it was claimed today. The devices were given to foreign delegates, including heads of state, at the summit near St Petersburg, according to reports in two Italian newspapers, La Stampa and Corriere della Sera. Downing Street said David Cameron was not given one of the USB sticks said to have contained a Trojan horse programme, but did not rule out the possibility that officials in the British delegation had received them. The Prime Minister's official spokesman said: "My understanding is that the Prime Minister didn't receive a USB drive because I think they were a gift for delegates, not for leaders." Asked if Downing Street staff were given the USBs, he said: "I believe they were part of the gifts for delegates." Delegations also received mobile phone recharging devices which were also reportedly capable of secretly tapping into emails, text messages and telephone calls. [PGN-truncated for RISKS. See the full article.]
Russia and China have been identified as having the most active spy networks operating in the UK but it is understood that some European countries are also involved in espionage attacks against Britain. Details of the spy plots were revealed in a government security document obtained by *The Sunday Telegraph*, which states that Britain is "high priority espionage target" for 20 foreign intelligence agencies. http://j.mp/1afd73O (*Telegraph* via NNSquad) Just a reminder of the gross hypocrisy in play around the world right now.
http://j.mp/HaNOah (precog.iiitd.edu.in via NNSquad) "Online social media has emerged as one of the prominent channels for dissemination of information during real world events. Malicious content is posted online during events, which can result in damage, chaos and monetary losses in the real world. We analyzed one such media, i.e., Twitter, for content generated during the event of Boston Marathon Blasts, that occurred on 15 Apr 2013. A lot of fake content and malicious profiles originated on Twitter network during this event. The aim of this work is to perform in-depth characterization of what factors influenced in malicious content and profiles becoming viral. Our results showed that 29% of the most viral content on Twitter, during the Boston crisis were rumors and fake content; while 51% was generic opinions and comments; and rest was true information"
Robert X. Cringely, InfoWorld, 25 Oct 2013 NSA's ex-director tastes his own medicine when a passenger on the same train tweets his off-the-record statements http://www.infoworld.com/t/cringely/theres-more-one-way-uncover-state-secrets-29579
Zach Miners, InfoWorld, 28 Oct 2013 The new plug-in for the iPhone's email client raises security concerns, some experts say http://www.infoworld.com/d/security/linkedins-intro-tool-iphones-could-be-juicy-target-attackers-229602
This weekend, I fixed a relative's PC. I found a number of security issues and decided to install ESET anti-virus software. While entering credit card information to buy a licence of ESET on their website, I lectured my relative on the need to be extremely careful providing credit card information on the net. Only then did I notice that eshop.eset.com, the security company's website, provided neither a certificate, nor encryption when I entered the credit card data. The site took my data, but failed to complete the transaction. I contacted ESET's customer service 48 hours ago, asking if their site had been compromised and the credit card data was safe. No response. I also contacted them on Twitter. No response either. Today, however, they tweeted the following: "When purchasing anything #online or #banking, use only sites that begin with How anyone can trust such companies amazes me. Michael Weiner, Vienna, Austria, email@example.com
No doubt our clinging to the 360-degree circle also keeps us behind Finland, etc., in geometry. It is silly for us to resist the metric system here, but I cannot imagine any way in which it impedes science instruction. A week given to the units in an early grade is about what it takes, and after that it is a matter of measuring and figuring. Who looks at a test tube and says "about 3 ounces"? Who looks at it and says "about 25 ccs?" In my school days, I don't recall ever seeing non-metric measures in the lab, and they ended before 1975. (I do remember the high school wrestling coach who told his chemistry class that a milligram was one million grams; but he must be long retired.)
A long update on the promise and perils of synthetic biology and dual-use research, and what happens when Suddenly, what started as a biology problem has become a matter of information security.