The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 85

Friday 25 April 2014

Contents

Bug can cause deadly failures when anesthesia device is connected to cell phones
Dan Goodin via Jeremy Epstein
Another good-news story
Chiaki Ishikawa
Automated license plate reader mistake risks
Thomas Dzubin
"Task Force on Cyber Risk Formed to Advance Research"
Alex Krutov
"12 ethical dilemmas gnawing at developers today"
Peter Wayner via Gene Wirchenko
Dogs are genetically modified human babies?
Charles C. Mann
"Intuit's secret campaign to block free tax filing"
Bill Snyder via Gene Wirchenko
Mystery attack drops avalanche of malicious messages on Twitter
Dan Goodin via Monty Solomon
"Mysterious malware steals Apple credentials from jailbroken iOS devices"
Lucian Constantin via Gene Wirchenko
Citing fraud, Maine to put photos on EBT cards
Alanna Durkin via Monty Solomon
Credit card fraud detection Catch-22, and more
Rex Sanders
FBI Informant Is Tied to Cyberattacks Abroad
Mark Mazzetti via Monty Solomon
AP: Putin declares the Internet to be a "CIA Project"
Salon
Russia bans anonymous blogging, orders bloggers to register
TechDirt via NNSquad
"The sky is falling! Hackers target satellites"
Roger A. Grimes via Gene Wirchenko
The trouble with Canada's Digital Privacy Act
Tony Drake via Gene Wirchenko
How Urban Anonymity Disappears When All Data Is Tracked
NYT blog via Matthew Kruk
U.S. Promotes Network to Foil Digital Spying
NYTimes.com via Dave Farber
"Coding error protects some Android apps from Heartbleed"
Jeremy Kirk via Gene Wirchenko
Heartbleed hacker arrested, charged in connection to malicious bug exploit
David Kravets via Dewayne Hendricks
Heartbleed Highlights a Contradiction in the Web
Matthew Kruk
Re: Heartbleed
Dimitri Maziuk
Info on RISKS (comp.risks)

Bug can cause deadly failures when anesthesia device is connected to cell phones (Dan Goodin)

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Thu, 24 Apr 2014 08:31:27 -0400
This is a pretty clear risk!

http://arstechnica.com/security/2014/04/bug-can-cause-deadly-failures-when-anesthesia-device-is-connected-to-cell-phones/

Dan Goodin, Ars Technica, 22 Apr 2014

Federal safety officials have issued an urgent warning about software
defects in an anesthesia delivery system that can cause life-threatening
failures at unexpected times, including when a cellphone or other device is
plugged into one of its USB ports.

The ARKON anesthesia delivery system is used in hospitals to deliver oxygen,
anesthetic vapor, and nitrous oxide to patients during surgical
procedures. It is manufactured by UK-based Spacelabs Healthcare Ltd., which
issued a recall in March. A bug in Version 2.0 of the software running on
the device is so serious that it could cause severe injury or death, the US
Food and Drug Administration warned last week in what's known as a Class I
recall. In part, the FDA advisory read:

  Reason for Recall: Spacelabs Healthcare is recalling the ARKON
  Anesthesia System with Version 2.0 Software due to a software defect.
  This software issue may cause the System to stop working and require
  manual ventilation of patients. In addition, if a cell phone or other
  USB device is plugged into one of the four USB ports for charging, this
  may also cause the System to stop working.

  This defect may cause serious adverse health consequences, including
  hypoxemia and death. Spacelabs Healthcare received one report related to
  the software defect. There has been no injuries or deaths associated
  with this malfunction. [...]

   [Also noted by Tony Finch, who gives new meaning to
      "Blue screen of death?"
   and Monty Solomon:
      "It's not clear why anyone would ever connect a phone to a
        medical device."
   to which PGN comments, and yet that's effectively how heart pacemakers
   and other medical devices are controlled.  Whether it is a dedicated
   remote controller or a mobile phone makes very little difference in
   practice, except for accidental events such as butt-dialing.  PGN]


Another good-news story

ishikawa <ishikawa@yk.rim.or.jp>
Thu, 17 Apr 2014 12:53:43 +0900
I saw the following incident on TV news when the above article from Mark
Brader came in.  A coincidence?

In Japan, a man who was live-streaming his talk to a group of listeners
suffered a minor brain stroke, resulting in unclear speech and strange
repetition of words.  The listeners got worried and suggested that the
speaker consult the doctor immediately.  But the speaker, a man who called
himself "a stone-headed old fart" or stone-headed man in the live streaming,
was adamant that he was just tired, and did not listen.

The listeners got really worried because the symptoms were so obvious. So
someone managed to contact him via Skype (with video) the next day to persuade
the man to see the doctor.  During the conversation, the man was talked into
showing his social insurance card (government medical care a la Obamacare
on steroids) on the screen, and the keen-eyed caller took note of the address
and name, and called the ambulance (in Japan, ambulance service is offered
by municipalities and basically free of charge.)

The man was hospitalized and diagnosed as having suffered a minor brain
stroke, but is now OK with medication.  On TV news, he thanked the
listeners.

A good story, indeed.

Of course, I think we need to educate society, "Don't show your ID cards
on video phone" (!?) :-(

Cf. I found a mention of the incident in geek-oriented media: (in Japanese)
http://news.livedoor.com/article/detail/8723618/


Automated license plate reader mistake risks

Thomas Dzubin <dzubint@vcn.bc.ca>
Thu, 24 Apr 2014 12:22:00 -0700 (PDT)
http://arstechnica.com/tech-policy/2014/04/due-to-license-plate-reader-error-cop-approaches-innocent-man-weapon-in-hand/

Mistaking a "7" for a "2" on wanted Oldsmobile, not a BMW, leads to traffic
stop with one of the officers approaching the car with his gun out.

"Typically, LPRs can read 60 license plates per second and match observed
plates against a "hot list" of wanted vehicles, stolen cars, or criminal
suspects. Today, tens of thousands of LPRs are being used by law enforcement
agencies all over the country. Practically every week, local media report on
some LPR expansion. And often, the data captured by the LPR (which plate,
when and where it was seen) is kept for weeks, months, or sometimes
indefinitely. It can create a major pool of data, leaving the very real
possibility for an occasional misread"


"Task Force on Cyber Risk Formed to Advance Research"

"Alex Krutov" <alex.krutov@gmail.com>
Sun, 20 Apr 2014 18:15:26 -0800
This effort is quite unusual in that it (1) takes a very broad view of the
risk, (2) includes cyber-risk insurance in its scope, and (3) directly
invites participation by other parties.  The main goals are research and
education.

"The CAS Task Force on Cyber Risk will engage in research activities and
provide educational opportunities in the analysis of cyber risk, with a
particular focus on contingent events arising from cyber risk and the
financial implications of these events."  The analysis of potential
financial consequences of cyber-related events is an important part of this.

"While there is a growing body of research on some of the specific IT
aspects of the risk, it is particularly difficult to tie that research to
financial outcomes and insurance coverage. The Task Force on Cyber Risk
intends to contribute to this ongoing research, but its primary research
goal is to utilize a multidisciplinary approach in order to gain a more
comprehensive and accurate view of cyber risk."  It's broad, ambitious,
which also means it's easier said than done.

"We believe that in addressing the challenge of cyber risk analysis, it is
essential to follow a multidisciplinary approach that brings together
experts in actuarial science, cybersecurity and information technology, big
data analytics, legal and other fields," said the task force chair. "We
encourage other professionals and organizations to join us in the important
effort of advancing research and education in the area of rapidly evolving
cyber risk." http://prn.to/1r6iz21 and http://bit.ly/QyfJWj  It's a direct
invitation.


"12 ethical dilemmas gnawing at developers today" (Peter Wayner)

Gene Wirchenko <genew@telus.net>
Mon, 21 Apr 2014 14:01:06 -0700
Peter Wayner | InfoWorld, 21 Apr 2014
As software takes over more of our lives, the ethical ramifications
of decisions made by programmers only become greater
http://www.infoworld.com/d/application-development/12-ethical-dilemmas-gnawing-developers-today-240574


Dogs are genetically modified human babies?

Charles C. Mann
Sun, 20 Apr 2014 15:15:22 +0000 (UTC)
This comic strip summarizes about half the discussions you see on the Internet:
  http://wondermark.com/1k20/


"Intuit's secret campaign to block free tax filing" (Bill Snyder)

Gene Wirchenko <genew@telus.net>
Thu, 17 Apr 2014 09:08:21 -0700
Bill Snyder, InfoWorld, 17 Apr 2014
Intuit has launched a fake grassroots campaign to beat a proposal
that would allow some taxpayers to file at no cost
http://www.infoworld.com/d/the-industry-standard/intuits-secret-campaign-block-free-tax-filing-240663


Mystery attack drops avalanche of malicious messages on Twitter (Dan Goodin)

Monty Solomon <monty@roscom.com>
Thu, 24 Apr 2014 11:00:20 -0400
Scammers abuse thousands of compromised accounts linked to third-party
services.

Dan Goodin, Ars Technica, 23 Apr 2014

Note the "via weheartit.com" tag in the bottom right of the malicious tweet.

Twitter has been hit by an avalanche of malicious tweets that are being sent
by thousands of compromised user accounts. The ongoing attack, which was
about two hours old and showed no signs of abating as this post was about to
go live, appeared to be linked to security breaches affecting third-party
sites and apps. ...

http://arstechnica.com/security/2014/04/mystery-attack-drops-avalanche-of-malicious-messages-on-twitter/


"Mysterious malware steals Apple credentials from jailbroken iOS devices" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Fri, 25 Apr 2014 09:40:58 -0700
Lucian Constantin, InfoWorld, 22 Apr 2014
Some iOS users found a malicious library of unknown origin on their
jailbroken devices
http://www.infoworld.com/d/security/mysterious-malware-steals-apple-credentials-jailbroken-ios-devices-240954

opening text:

A malware campaign of yet-to-be-determined origin is infecting jailbroken
iPhones and iPads to steal Apple account credentials from SSL encrypted
traffic.

The threat was discovered after some users reported on Reddit that they
experienced crashes in some applications as a result of a mysterious
MobileSubstrate add-on called Unflod.


Citing fraud, Maine to put photos on EBT cards (Alanna Durkin)

Monty Solomon <monty@roscom.com>
Sat, 19 Apr 2014 19:01:49 -0400
Alanna Durkin | Associated Press, 19 Apr 2014

AUGUSTA, Maine - Maine will begin putting photo identification on welfare
benefit cards this month, first in Bangor and then across the state in an
effort to target fraud and abuse, the administration of Governor Paul
LePage, a Republican, said on Friday.

The state will require that the heads of households and secondary card
holders have photos placed on EBT cards, which low-income families use to
buy food and other necessities.

Residents who are younger than 19, older than 60, blind, disabled, or
victims of domestic violence will be exempt, according to details about the
administration's efforts laid out in a letter to the US Department of
Agriculture obtained by the Associated Press through a Freedom of Access Act
request. ...

http://www.bostonglobe.com/metro/2014/04/18/citing-fraud-maine-put-photos-ebt-cards/vVUKLEiknCky8U2AiADF9I/story.html


Credit card fraud detection Catch-22, and more

Rex Sanders <rsanders@usgs.gov>
Wed, 16 Apr 2014 18:01:04 -0700
For several years, I've had a monthly bill of $4 to $10 automatically
charged to the same credit card.

A few months ago, the fraud detection system started flagging that small
transaction as fraudulent, every month. A robocall to my home land line asks
me to confirm; and the card is locked until I confirm. Sometimes I'm not
home for days, and often I travel in areas with no cell coverage.

So with no effective warning, I can't make purchases far from home, and
other automatic charges can bounce. I use automatic charges so I can travel
and still pay bills on time. Catch-22.

After several rounds of complaints, we are at workaround #3. I'll see what
happens next month.

Among other nonsense:

- The fraud detection system does not maintain any transaction history.

- Everyone assumes that card holders have continuous telephone access. I was
told several times, by different people, "we'll give you a special number to
call when this happens", moments after I explained this happens when I have
no telephone access.

Yes, there are other workarounds I could use; all would cost more in time,
money, reliability, or reputation. Why should I bear that cost?

One more stupidity they fixed: The robocall leaves a message with a
toll-free number to call back, which is not on my credit card. Until
recently, when you called, the first thing you were asked to enter was
several digits from your Social Security Number. I immediately hung up the
first couple of times this happened. The rest of this story is too
depressing to recount.


FBI Informant Is Tied to Cyberattacks Abroad (Mark Mazzetti)

Monty Solomon <monty@roscom.com>
Thu, 24 Apr 2014 01:22:02 -0400
Mark Mazzetti, *The New York Times*, 23 Apr 2014

WASHINGTON - An informant working for the FBI coordinated a 2012 campaign
of hundreds of cyberattacks on foreign websites, including some operated by
the governments of Iran, Syria, Brazil and Pakistan, according to documents
and interviews with people involved in the attacks.

Exploiting a vulnerability in a popular web hosting software, the informant
directed at least one hacker to extract vast amounts of data - from bank
records to login information - from the government servers of a number of
countries and upload it to a server monitored by the FBI, according to court
statements.

The details of the 2012 episode have, until now, been kept largely a secret
in closed sessions of a federal court in New York and heavily redacted
documents. While the documents do not indicate whether the FBI directly
ordered the attacks, they suggest that the government may have used hackers
to gather intelligence overseas even as investigators were trying to
dismantle hacking groups like Anonymous and send computer activists away for
lengthy prison terms. ...

http://www.nytimes.com/2014/04/24/world/fbi-informant-is-tied-to-cyberattacks-abroad.html


AP: Putin declares the Internet to be a "CIA Project"

Lauren Weinstein <lauren@vortex.com>
Thu, 24 Apr 2014 13:56:32 -0700
(Salon/AP): http://www.salon.com/2014/04/24/russias_putin_calls_the_internet_a_cia_project/

  "President Vladimir Putin on Thursday called the Internet a CIA project
  and made comments about Russia's biggest search engine Yandex, sending the
  company's shares plummeting. The Kremlin has been anxious to exert greater
  control over the Internet, which opposition activists—barred from
  national television—have used to promote their ideas and organize
  protests.  Russia's parliament this week passed a law requiring social
  media websites to keep their servers in Russia and save all information
  about their users for at least half a year. Also, businessmen close to
  Putin now control Russia's leading social media network, VKontakte."

    [Some wag must have noticed the similarity between Putin and Rasputin --
    who was a very controversial figure in the time of the Romanovs.  That
    seems really Ba-Czar to me.  I note here that RazPutin might be an
    appropriate nickname for Putin, where "raz" is a somewhat colloquial
    alternative for "odin" in Russian, with multiple meanings such as (the)
    number one, or first, or once.  PGN]


Russia bans anonymous blogging, orders bloggers to register

Lauren Weinstein <lauren@vortex.com>
Thu, 24 Apr 2014 15:32:39 -0700
TechDirt via NNSquad
http://www.techdirt.com/articles/20140423/09130227004/russian-net-clampdown-continues-now-its-turn-blogs-vkontakte.shtml

  "Clearly those onerous conditions are designed to make any blogger think
  twice or three times before publishing anything at all controversial or
  embarrassing for the authorities. The article notes that the new law may
  be challenged before Russia's Constitutional Court, and that there's a
  huge loophole in the form of blogs located overseas, which are not covered
  by the legislation. The fear has to be that the Russian government will
  now move on to blocking them too.  Moreover, not content with intimidating
  independent blogs, the Russian authorities also seem to be tightening
  their grip on VKontakte, the Russian Facebook."


"The sky is falling! Hackers target satellites" (Roger A. Grimes)

Gene Wirchenko <genew@telus.net>
Tue, 22 Apr 2014 09:30:21 -0700
Roger A. Grimes, InfoWorld, 22 Apr 2014
IOActive report finds serious risks -- and slim prospects for fixes
-- in satellite communications
http://www.infoworld.com/d/security/the-sky-falling-hackers-target-satellites-240934


The trouble with Canada's Digital Privacy Act (Tony Drake)

Gene Wirchenko <genew@telus.net>
Tue, 22 Apr 2014 09:33:55 -0700
Tony Drake, *IT Business*, 21 Apr 2014
http://www.itbusiness.ca/blog/the-trouble-with-canadas-digital-privacy-act/48129

opening text:

Ontario privacy commissioner Ann Cavoukian has been in the news this week,
following her investigation into Canada's practice of sharing personal
(health) information stored by the Canadian Police Information Centre with
U.S. border officials.

Cavoukian discovered—as reported by the CBC—that details of some
19,000 encounters between police services in Ontario and individuals
struggling with mental illness have been uploaded to the CPIC database, to
which the FBI and U.S.  Customs and Border Patrol have free access. The
issue came to light late last year, when one Canadian woman was denied entry
into the U.S., ostensibly because of her history of hospitalisation for
depression and a suicide attempt.


How Urban Anonymity Disappears When All Data Is Tracked

"Matthew Kruk" <mkrukg@gmail.com>
Sun, 20 Apr 2014 21:58:56 -0600
http://bits.blogs.nytimes.com/2014/04/19/how-urban-anonymity-disappears-when-all-data-is-tracked/


U.S. Promotes Network to Foil Digital Spying - NYTimes.com

Dave Farber <dave@farber.net>
Mon, 21 Apr 2014 07:08:32 -0400
Wireless routers attached to rooftops in Sayada form a local network that
the developers say is more secure than the Internet. Credit Samuel Aranda
for *The New York Times*  [Long article, truncated for RISKS.  PGN]
http://www.nytimes.com/2014/04/21/us/us-promotes-network-to-foil-digital-spying.html?action=click&contentCollection=Business%20Day&region=Footer&module=TopNews&pgtype=article

SAYADA, Tunisia—This Mediterranean fishing town, with its low,
whitewashed buildings and sleepy port, is an unlikely spot for an experiment
in rewiring the global Internet. But residents here have a surprising level
of digital savvy and sharp memories of how the Internet can be misused.

A group of academics and computer enthusiasts who took part in the 2011
uprising in Tunisia that overthrew a government deeply invested in digital
surveillance have helped their town become a test case for an alternative: a
physically separate, local network made up of cleverly programmed antennas
scattered about on rooftops.

The State Department provided $2.8 million to a team of American hackers,
community activists and software geeks to develop the system, called a mesh
network, as a way for dissidents abroad to communicate more freely and
securely than they can on the open Internet. One target that is sure to
start debate is Cuba; the United States Agency for International Development
has pledged $4.3 million to create mesh networks there.

Even before the network in Sayada went live in December, pilot projects
financed in part by the State Department proved that the mesh could serve
residents in poor neighborhoods in Detroit and function as a digital
lifeline in part of Brooklyn during Hurricane Sandy. But just like their
overseas counterparts, Americans increasingly cite fears of government
snooping in explaining the appeal of mesh networks.

"There's so much invasion of privacy on the Internet," said Michael
Holbrook, of Detroit, referring to surveillance by the National Security
Agency.  "The N.S.A. is all over it," he added. "Anything that can help to
mitigate that policy, I'm all for it."

Since this mesh project began three years ago, its original aim—foiling
government spies—has become an awkward subject for United States
government officials who backed the project and some of the technical
experts carrying it out. That is because the N.S.A., as described in secret
documents leaked by the former contractor Edward J. Snowden, has been shown
to be a global Internet spy with few, if any, peers. [...]


"Coding error protects some Android apps from Heartbleed" (Jeremy Kirk)

Gene Wirchenko <genew@telus.net>
Fri, 25 Apr 2014 09:38:13 -0700
Jeremy Kirk, InfoWorld, 23 Apr 2014
Some Android office-productivity apps thought to be vulnerable to
Heartbleed are protected thanks to a mistake in invoking SSL functions
http://www.infoworld.com/d/mobile-technology/coding-error-protects-some-android-apps-heartbleed-241031

selected text:

Some Android apps thought to be vulnerable to the Heartbleed bug were spared
because of a common coding error in the way they implemented their own
native OpenSSL library.

"Therefore, when they try to invoke SSL functions, they directly use the
non-vulnerable OpenSSL library contained within the Android OS, instead of
using the vulnerable library provided by the app."


Heartbleed hacker arrested, charged in connection to malicious bug exploit (David Kravets, via Dave Farber)

Dewayne Hendricks <dewayne@warpspeed.com>
Wed, Apr 16, 2014 at 7:41 PM
David Kravets, (ArsTechnica, 16 Apr 2014) Computer science student is first
arrest in relation to vulnerability.
http://arstechnica.com/tech-policy/2014/04/heartbleed-hacker-arrested-charged-in-connection-to-malicious-bug-exploit/

A 19-year-old student has been arrested for allegedly exploiting the
Heartbleed vulnerability to steal taxpayer data from as many as 900
Canadians, authorities said Wednesday.

The arrest of Stephen Arthuro Solis-Reyes by the Royal Canadian Mounted
Police marks the first time authorities anywhere have publicly levied
charges in connection to the malicious exploitation of a defect in the
widely used OpenSSL cryptography library.

Canada Revenue Agency officials said they had removed public access to
online tax services a day after the defect was discovered earlier this
month.
<http://arstechnica.com/security/2014/04/heartbleed-bug-exploited-to-steal-taxpayer-data/>

But it was too late, and the Heartbleed flaw made it possible to pluck
private encryption keys, passwords, and other sensitive data out of the
private computer memory of the revenue agency's servers running vulnerable
versions of the open source library.

"The RCMP treated this breach of security as a high priority case and
mobilized the necessary resources to resolve the matter as quickly as
possible," Assistant Commissioner Gilles Michaud said in a statement.
<http://www.rcmp-grc.gc.ca/ottawa/ne-no/pr-cp/2014/0416-heartbleed-eng.htm>

Solis-Reyes is a computer science student, according to the *London Free
Press*.
<http://www.lfpress.com/2014/04/16/london-teen-charged-in-heartbleed-breach-of-taxpayer-data>

The Heartbleed vulnerability is the result of a failure to carry out a
routine bounds check in OpenSSL code that handles the Transport Layer
Security (TLS) heartbeat extension. Heartbeat allows a connected Web client
or application to send messages to keep a connection active during a
transfer of data.
According to Netcraft, two-thirds of websites rely on OpenSSL to implement
HTTPS encryption, although not all of them have Heartbeat enabled.

The Canadian Revenue Agency said it's putting in place measures to protect
the people affected by the Heartbleed-enabled breach. It said it would
notify victims by registered mail.

Solis-Reyes faces charges of Unauthorized Use of a Computer and Mischief in
Relation to Data following his Tuesday arrest at his Ontario residence.
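
The missing bounds check described in the article above, modelled as an added example (not code from OpenSSL or from the article): a heartbeat handler that follows the RFC 6520 message layout and discards any request whose declared payload length does not fit in the record that actually arrived. The function names and the two sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16  /* RFC 6520: at least 16 bytes of padding */

/* Constructed sample records, 23 bytes each: header, 4-byte payload, padding. */
static const uint8_t HB_HONEST[23]   = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t HB_INFLATED[23] = { HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g' };

/* Payload length as claimed by the peer (big-endian). Needs rec_len >= HB_HEADER. */
static size_t hb_declared_len(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* How many bytes past the end of the received record a handler would touch
 * if it trusted payload_length. 0 means the claim fits the record. */
size_t hb_excess_claim(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER)
        return 0;
    size_t declared = hb_declared_len(rec);
    size_t present  = rec_len - HB_HEADER;
    return declared > present ? declared - present : 0;
}

/* Build the heartbeat response into out. Returns the response length,
 * or 0 when the request must be silently discarded. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    /* The record must at least hold a header and the minimum padding. */
    if (rec_len < HB_HEADER + HB_MIN_PAD)
        return 0;
    if (rec[0] != HB_REQUEST)
        return 0;

    size_t payload = hb_declared_len(rec);

    /* The bounds check: the claimed payload plus padding must fit inside
     * the bytes that were actually received. */
    if (HB_HEADER + payload + HB_MIN_PAD > rec_len)
        return 0;

    size_t resp_len = HB_HEADER + payload + HB_MIN_PAD;
    if (resp_len > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);
    /* Zero padding keeps the example deterministic; RFC 6520 calls for
     * random padding in a real implementation. */
    memset(out + HB_HEADER + payload, 0, HB_MIN_PAD);
    return resp_len;
}

int main(void)
{
    uint8_t out[64];
    printf("honest:   excess=%zu response=%zu bytes\n",
           hb_excess_claim(HB_HONEST, sizeof HB_HONEST),
           hb_build_response(HB_HONEST, sizeof HB_HONEST, out, sizeof out));
    printf("inflated: excess=%zu response=%zu bytes\n",
           hb_excess_claim(HB_INFLATED, sizeof HB_INFLATED),
           hb_build_response(HB_INFLATED, sizeof HB_INFLATED, out, sizeof out));
    return 0;
}
```

A non-zero excess on an inbound heartbeat is also a useful thing to log, since a well-behaved peer never produces one.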


Heartbleed Highlights a Contradiction in the Web

"Matthew Kruk" <mkrukg@gmail.com>
Sun, 20 Apr 2014 17:18:56 -0600
http://www.nytimes.com/2014/04/19/technology/heartbleed-highlights-a-contradiction-in-the-web.html


Re: heartbleed (Shapiro, RISKS-27.84)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Thu, 17 Apr 2014 13:43:51 -0500
> The main impediment to wide adoption of safe languages at this point is
> cost of conversion and the unpredictability of garbage collection
> performance. The first is incrementally getting fixed, and the second
> seems to have given way in the face of recent work on continuous
> concurrent collection.

You forgot the "it's not possible to manage resources other than garbage"
bit. Including file descriptors—and in unix everything is a file.

So yes, safe languages can make openssl safe from buffer overflows. With a
somewhat annoying side-effect of running out of sockets every few minutes.

Dimitri Maziuk, Programmer/sysadmin
BioMagResBank, UW-Madison—http://www.bmrb.wisc.edu
