The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 13

Tuesday 5 August 2014

Contents

Canada: China hacked into National Research Council computers
Larry Werring
CIA admits to spying on Senate
TheHill via David Farber
Driverless cars and speed limits
Michael Bacon
Tappan Zee Bridge: Left Coast Lifter gets tech upgrade?
Theresa Juva-Brown via Gene Wirchenko
"The EPA doesn't know what clouds it has—and neither do you"
David Linthicum via Gene Wirchenko
BBC: Russia enacts 'draconian' law for bloggers and online media
Lauren Weinstein
Chinese Communist Party-Backed Tech Giants Bring Censorship To The Global Stage
Techcrunch via NNSquad
It's Legal to Unlock Your Cell Phone
*The White House* via Dave Farber
How safe are your quantified selfies?
Symantec item via Henry Baker
Google scans your e-mail for child porn, and reports to law enforcement when it finds same
Herb Lin via Dave Farber
The Visual Microphone: Passive Recovery of Sound from Video
YouTube via NNSquad
Forget "Heart Bleed"; meet "Heart Rate"
Henry Baker
Re: 'Big Brother' airport installs world's first ...
Adam Shostack
Rob Bailey
Re: Fouling the NEST; Who's roo(s)ting in your home?
Alister Wm Macintyre
Re: Smart grid hack worries to raise insurance rates?
Brian Inglis
Info on RISKS (comp.risks)

Canada: China hacked into National Research Council computers

"Larry Werring" <larry.werring@cyberunitss.com>
Thu, 31 Jul 2014 21:44:22 -0400
http://www.thestar.com/news/canada/2014/07/29/canadian_spy_agency_says_chinese_hacked_into_national_research_council_computers.html

The Canadian government took the unusual step Tuesday of pointing fingers
squarely at Beijing after a cyber attack on a prominent federal scientific
research agency.  The federal government's chief information officer
confirmed Tuesday that the National Research Council of Canada (NRC) was the
target of a cyberattack from a "highly sophisticated Chinese state-sponsored
actor."

Laurentius (Larry) Werring, VP Systems Security, Cyberun IT Security
Services, 207 Bank Street, Suite 168, Ottawa, ON K2P 2N2 Canada 1-613-297-9232

  [Also noted by Suzanne Johnson.  PGN]


CIA admits to spying on Senate | TheHill

"David Farber via ip" <ip@listbox.com>
Thu, 31 Jul 2014 14:10:20 -0400
http://thehill.com/policy/technology/213933-cia-admits-to-wrongly-hacking-into-senate-computers

CIA officials improperly hacked the Senate Intelligence Committee's
computers ahead of a report on `enhanced interrogation' techniques, the spy
agency's inspector general has concluded.

In a statement shared with The Hill, CIA spokesman Dean Boyd said that the
internal watchdog determined “that some CIA employees acted in a manner
inconsistent with the common understanding'' between the agency and the
committee about access to the network they used to share documents.

CIA chief John Brennan told Intel Committee Chairwoman Dianne Feinstein
(D-Calif.) and Vice Chairman Saxby Chambliss (R-Ga.) about the findings
“and apologized to them for such actions by CIA officers,'' Boyd added.


Driverless cars and speed limits

Michael Bacon <michaelbacon@tiscali.co.uk>
Fri, 1 Aug 2014 08:14:54 +0100
It is interesting to contemplate what confusion will be caused when a
driverless car passes a speed camera at a speed above the posted limit, say,
in temporary road works.

It is then amusing to contemplate the scenario of a faulty speed camera
falsely pinging a driverless car.  An "Oh no I wasn't." / "Oh yes you
were." pantomime dialogue between computers might ensue.

This brings to mind the situation reported a great many years ago when the
UK changed the dialing code for the telephone operator.  After consumers
complained of having no power, a faulty electricity substation was
discovered to be repeatedly sending an automated status report to which
another automated system was responding: "You no longer dial '0' for the
operator.  Please replace your receiver and dial '100'.

The RISK is that no-one will have thought of all the RISKS.  Unless, of
course, they are avid readers here.


Tappan Zee Bridge: Left Coast Lifter gets tech upgrade? (Theresa Juva-Brown)

Gene Wirchenko <genew@telus.net>
Thu, 31 Jul 2014 20:37:33 -0700
Theresa Juva-Brown, tjuva@lohud.com 30 Jul 2014
The famous Left Coast Lifter—the ginormous crane that will help build the
new Tappan Zee Bridge—just got a new computer system
http://www.lohud.com/story/news/local/tappan-zee-bridge/2014/07/28/tappan-zee-bridge-left-coast-lifter-gets-tech-upgrade/13287985/

selected text:

This week Hiti's team finished installing the crane's new computer software
and hardware, including a flat panel touch screen for the operator.  The
computer now uses Windows 7 and has a solid-state hard drive instead of one
with cooling fans, which tend to erode in a marine environment, he said.

  As noted in alt.folklore.computers by Walter Bushell:

"IIUC the license for Windows always states it's not to be used in critical
operations.
Why oh why do people insist on using OSes outside their design regions?"


"The EPA doesn't know what clouds it has—and neither do you" (David Linthicum)

Gene Wirchenko <genew@telus.net>
Fri, 01 Aug 2014 10:02:16 -0700
David Linthicum | InfoWorld, 01 Aug 2014
A federal audit shows what's probably true at most enterprises: Cloud
services are hiding in the shadows of IT
http://www.infoworld.com/d/cloud-computing/the-epa-doesnt-know-what-clouds-it-has-and-neither-do-you-247150

opening text:

Do you know how much cloud computing is really going on in your
organization? If you're like IT management in most companies and government
agencies, you don't have a clue.

For example, the Environmental Protection Agency (EPA) doesn't know how many
cloud computing contracts it has or how secure they are, according to a
recent audit by the agency's inspector general, in a report released last
week. In at least one instance, the EPA may not have had access to a
subcontractor's cloud for investigative purposes. Worse, that same
subcontractor was not compliant with the Federal Risk and Authorization
Management Program (FedRAMP), which sets security standards for cloud
providers.


BBC: Russia enacts 'draconian' law for bloggers and online media

Lauren Weinstein <lauren@vortex.com>
Fri, 1 Aug 2014 09:33:11 -0700
  "A new law imposing restrictions on users of social media has come into
  effect in Russia.  It means bloggers with more than 3,000 daily readers
  must register with the mass media regulator, Roskomnadzor, and conform to
  the regulations that govern the country's larger media outlets.  Internet
  companies will also be required to allow Russian authorities access to
  users' information.  One human rights group called the move
  "draconian". The law was approved by Russia's upper house of parliament in
  April. It includes measures to ensure that bloggers cannot remain
  anonymous, and states that social networks must maintain six months of
  data on its users.  The information must be stored on servers based in
  Russian territory, so that government authorities can gain access."  BBC
  via NNSquad   http://www.bbc.com/news/technology-28583669

 - - -

Don't worry, Czar Putin knows what's good for you, comrade.


Chinese Communist Party-Backed Tech Giants Bring Censorship To The Global Stage

Lauren Weinstein <lauren@vortex.com>
Sat, 2 Aug 2014 22:52:55 -0700
Techcrunch via NNSquad
http://techcrunch.com/2014/08/02/chinese-communist-party-backed-tech-giants-bring-censorship-to-the-global-stage/

  "It should come as no surprise, then, that the Portuguese version of Baidu
  produces heavily censored results on topics considered sensitive to the
  Chinese leadership.  Compare search results between Google's Portuguese
  edition and Baidu's. On Google.br.com, a search for Tank Man (el hombre
  del tanque) turns up photos, documentary video and news articles about the
  lone rebel who stood in the way of approaching tanks outside of Tiananmen
  Square in 1989 ..."

 - - -

The result when one country or group of countries tries to impose its
own censorship desires onto the entire planet.


It's Legal to Unlock Your Cell Phone (via Dave Farber)

*The White House* <info@mail.whitehouse.gov>
Friday, August 1, 2014
*Note: You're receiving this email because you've previously petitioned the
White House on cell phone unlocking.*

It's Legal to Unlock Your Cell Phone

Last week, Congress passed a bill legalizing cell phone unlocking --
and this afternoon, President Obama signed that bill into law.

This effort began as a result of the petition you signed, "Make Unlocking
Cell Phones Legal." Two weeks after the petition crossed the threshold, we
laid out steps that the Federal Communications Commission (FCC), industry,
and Congress could take.

Your effort culminated in the Unlocking Consumer Choice and Wireless
Competition Act that President Obama signed today. The bill not only
restores the rights of consumers to unlock their phones, but ensures that
they can receive help doing so if they lack the technological savvy to
unlock on their own.

It's the first time a We the People petition has led to a legislative fix.

[...]

The White House, 1600 Pennsylvania Ave NW, Washington, DC 20500 202-456-1111


How safe are your quantified selfies? (Symantec item)

Henry Baker <hbaker1@pipeline.com>
Mon, 04 Aug 2014 09:05:54 -0700
FYI—More about the vulnerabilities associated with Fitbit/Nike/Garmin/etc.

"For example in one app that tracks sexual activity, the app makes specific
requests to an analytics service URL at the start and end of each session."
http://www.symantec.com/connect/blogs/how-safe-your-quantified-self-tracking-monitoring-and-wearable-tech

Tracking, monitoring, and wearable tech, Symantec, 30 Jul 2014

Each day, millions of people worldwide are actively recording every aspect
of their lives, thoughts, experiences, and achievements in an activity known
as self-tracking (aka quantified self or life logging).  People who engage
in self-tracking do so for various reasons.  Given the amount of personal
data being generated, transmitted, and stored at various locations, privacy
and security are important considerations for users of these devices and
applications.  Symantec has found security risks in a large number of
self-tracking devices and applications.  One of the most significant
findings was that all of the wearable activity-tracking devices examined,
including those from leading brands, are vulnerable to location tracking.

Our researchers built a number of scanning devices using Raspberry Pi
minicomputers and, by taking them out to athletic events and busy public
spaces, found that tracking of individuals was possible.

Symantec also found vulnerabilities in how personal data is stored and
managed, such as passwords being transmitted in clear text and poor session
management.

www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/how-safe-is-your-quantified-self.pdf

  [Long item pruned for RISKS. Main section headings include:
  * How do self-tracking systems work?
  * So just how safe is your quantified self?
  * Location tracking of wearable devices
  * Transmission of tracking and personal data in clear text
    (20 percent of apps transmitted user credentials in clear text.)
  * Lack of privacy policies
    (52 percent of apps examined did not have privacy policies.)
  * Unintentional data leakage
    (The maximum number of unique domains contacted by a single app was 14
    and the average was five.)
  * Other security weaknesses
  * What can you do about this?
  * More information: latest paper
www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/how-safe-is-your-quantified-self.pdf


Google scans your e-mail for child porn and reports to law enforcement when it finds same (via Dave Farber)

Herb Lin <HLin@nas.edu>
Monday, August 4, 2014
Interesting thought.

http://www.telegraph.co.uk/technology/google/11010182/Why-Google-scans-your-emails-for-child-porn.html

Why Google scans your e-mail for child porn

Google trawls both the public internet and your private data to look for
images of child abuse, it has been revealed, after a convicted sex offender
is arrested over the contents of his GMail account

A convicted sex offender has been arrested after Google flagged images of
child abuse found in his GMail account to authorities, according to reports,
revealing that the search giant is quietly but methodically watching our
email activity for illegal images.

Google spotted that the man had illegal images of a young girl stored in
his GMail account during an automated search and reported it to the US
non-profit National Center for Missing and Exploited Children. A subsequent
police investigation lead to his arrest. [...]

So, this process opens all kinds of opportunities for malicious behavior.  A
wants to harass B. So A sends B a known child porn image through gmail, even
though B has not requested it in any way.  Google identifies the image, and
notifies law enforcement authorities.  B is now the target of an
investigation—the criminal offense being the receipt of child
pornography.

Even worse—if the email is not opened or goes into spam, Google probably
still scans it, so B never knows he has to report anything to law
enforcement authorities even though Google is reporting it to them.

Folks, please think about a fix for this—and don't propose a solution
that says Google should not scan those emails.  Is there a way to get both
the benefit of the scans and to prevent the harassment problem described
above?

[For those of you who want to know how Google knows an image is child porn
-- they compute a hash of the image and compare it against a database of
hashes of known CP images, that is images that have been adjudicated to be
CP in court.]

Thoughts? Thanks, Herb Lin


The Visual Microphone: Passive Recovery of Sound from Video

Lauren Weinstein <lauren@vortex.com>
Mon, 4 Aug 2014 08:44:29 -0700
YouTube via NNSquad
https://www.youtube.com/watch?v=FKXOucXB4a8

Using video (even consumer video) to recover sound from silent video, even
from outside rooms. Using a laser bouncing off window glass has long been a
technique for recovering room sounds remotely. The technology described here
emphasizes the need to keep external windows completely covered during
sensitive communications! Also, we can safely assume that intelligence
agencies (at a minimum) have been using this technique for some time.


Forget "Heart Bleed"; meet "Heart Rate"

Henry Baker <hbaker1@pipeline.com>
Sun, 03 Aug 2014 14:23:17 -0700
FYI—"[Low Resting Heart Rate] might be used to help predict future risk
among criminals" Do you really want to share your FitBit/Nike/Garmin
information with the FBI and the NSA ?  Just sleep in the cloud...

"Are Fitbit, Nike, and Garmin Planning to Sell Your Personal Fitness Data?"
http://www.motherjones.com/politics/2014/01/are-fitbit-nike-and-garmin-selling-your-personal-fitness-data

David Kohn, Calm Hearts, Bad Behavior, *The New Yorker*, 2 Aug 2014
http://www.newyorker.com/tech/elements/calm-hearts-bad-behavior

For the past two years, researchers in Hong Kong interviewed the parents of
three hundred and thirty-four adolescents about the aggressive and
antisocial behavior of their children.  Did the kids hurt others to win a
game?  Were they concerned about the feelings of their peers?  The
scientists also measured the heart rate of the children and found that low
resting heart rate (L.R.H.R.)—usually an indicator of good cardiovascular
health and the envy of distance runners and endurance athletes—was linked
to bad behavior.

Adrian Raine, the lead author of the Hong Kong study, which appeared in the
July issue of the journal Aggressive Behavior, has been examining this odd
correlation since 1977, when he studied a group of fifteen-year-old boys and
found that those with a low heart rate were more likely to be convicted of
crimes.  Since then, Raine, a criminologist and psychologist at the
University of Pennsylvania, and the author of *The Anatomy of Violence*, has
become an expert on L.R.H.R. and other possible biological markers of
antisocial behavior, such as brain size and neurotransmitter levels.

He says that it's still not clear how the trait is connected to bad
behavior.  “We've established that the link exists.  But we haven't nailed
down why.''

There are several theories, but Raine tends to favor the fearlessness
hypothesis, which says that some of those with L.R.H.R. remain undaunted by
the threats that would keep most of us in check.  When you get scared, your
heart rate goes up, because your body activates to deal with the imminent
hazard.  By definition, people with less fear tend not to get activated in
situations that others find threatening.

“These people don't learn that it's wrong to be aggressive,'' Laura Wilson,
a research psychologist at Virginia Tech University who has studied the
topic, told me.  “They don't fear consequences.  They don't get sculpted
into the law-abiding citizens that most people become.''

Another possibility is that people with L.R.H.R. are chronically
under-aroused.  “Having a low heart rate can be uncomfortable.  It kind of
feels like boredom,'' Amy Gower, a psychology researcher at the University
of Minnesota, says.  “To relieve that, some people seek stimulation through
aggression.''

Raine's skeptics argue that L.R.H.R. and other biological factors play a
relatively minor role in determining who becomes a criminal.  “The evidence
is pretty consistent that biological traits don't have a large effect,''
Robert Sampson, a social scientist at Harvard University who has studied the
topic for more than two decades, told me.  “Social and environmental
characteristics have much more weight.''  He notes that crime rates vary
widely from country to country (Spain's murder rate, for instance, is
twenty-five times lower than Brazil's, and four times lower than in the
United States), even though the biology of humans in those countries differs
very little.  Sampson says that L.R.H.R. may not be biological but, rather,
the result of the same environmental factors that lead to crime: some people
may adapt to chronic stress with a lower heart rate.

Raine suggests that L.R.H.R. might be used to help predict future risk among
criminals.  Information about heart rate might help when deciding whether a
prisoner should be released early, or which sort of prison best fits a
particular offender.  If this idea, in which the fate of a prisoner would be
determined in part by biological data, evokes thoughts of eugenics, Raine,
whose research on so-called `neurocriminology' has been controversial for
decades, acknowledges that the proposal does, in fact, bring up difficult
issues about science, probability, and social control.  He agrees that
L.R.H.R. is far from the sole determinant of criminality; his review of the
research indicates that the trait accounts for about five per cent of all
antisocial behavior (and that the rest can be explained by social and
biological factors such as upbringing, neighborhood, education, income
level, brain chemistry and structure, and so on).  L.R.H.R. should be seen,
Raine says, as a potential warning sign rather than a definitive mark of
inevitable criminality.  “Low heart rate is one piece of the jigsaw puzzle.
It's not the whole story, but it's not trivial either.''


Re: 'Big Brother' airport installs world's first ... (RISKS-28.12)

Adam Shostack <adam@shostack.org>
Fri, 1 Aug 2014 11:09:21 -0400
The Seattle mesh network has been at least temporarily turned off as a
result of a local activism group, the Seattle Privacy Coalition.  Details
about that network have been requested under local freedom of information
laws.

Some additional links for details:
https://www.seattleprivacy.org/the-sort-of-thing-we-are-curious-about/
http://www.dailydot.com/politics/seattle-police-mesh-network-shut-down/
https://twitter.com/SeattlePD/status/410248692264759297


Re: 'Big Brother' airport installs world's first real-time passenger tracking system (RISKS-28.12)

Rob Bailey <rob@wm8s.com>
Thu, 31 Jul 2014 19:42:46 -0500
In addition to cameras, Houston's TRANSTAR traffic monitoring system uses
your toll tag's serial number to track your location around the region, and
not just where you pay tolls. It then uses your location over time to
estimate average speeds on the various roads along your route. And lest you
think that you can avoid tracking by not getting a toll tag (something that
will make your travel more difficult, since they've restricted some roads to
tag-holders only), the system also uses the hardware address of your
Bluetooth devices (phone, car media system, etc.), for the same purpose.

Area drivers are given this assurance:

"The MAC addresses read by AWAM [Anonymous Wireless Address Matching] are
not directly associated with a specific user and do not contain any
personal data or information that could be used to identify or 'track' an
individual's whereabouts. In addition, all addresses collected by AWAM are
anonymized through encryption immediately upon receipt. Users who have
privacy concerns are also able to turn off the Bluetooth discovery function
of their device which prevents it from being read by AWAM at all."

http://traffic.houstontranstar.org/bluetooth/transtar_bluetooth.html


Re: Fouling the NEST; Who's roo(s)ting in your home? (RISKS-28.12)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Thu, 31 Jul 2014 20:14:50 -0500
The severity of security breach has not been fully embraced due to the
traditional assumption that thermostat cannot function more than a
thermostat even though users are enjoying its smartness.

Wasn't the TARGET breach a variation on this? . They had a system to help
manage refrigeration, and the hackers got in thru that system to do how much
damage?  The more complicated the system, the easier for hackers to spoof
the people who made it complicated.


Re: Smart grid hack worries to raise insurance rates? (RISKS-28.10,11)

Brian Inglis <Brian.Inglis@systematicsw.ab.ca>
Thu, 31 Jul 2014 19:43:59 -0600
There may be more immediate issues for power companies and insurers to worry
about.

CBC News reports "SaskPower to remove 105,000 smart meters following fires"
subheaded "8 unexplained fires associated with new devices that measure
power consumption" at http://www.cbc.ca/news/canada/saskatchewan/1.2723046
and says the Saksatchewan government has ordered the provincial power
utility to remove all "smart" meters installed so far across the
province. The costs are estimated at $45/meter ("dumb" presumably) and $45
labour, costing $9.5M. The utility also has 100,000 more meters in stock,
and estimates the effort will take 6-8 months and total cost will reach
$14M.

Little of this is mentioned in their Smart Meters FAQ:
http://www.saskpower.com/our-power-future/construction-projects/smart-meters

CBC quotes the vendor as saying "Sensus underscores the critical importance
of careful meter installation procedures, including the examination of meter
boxes and wiring at installation, training of meter installers and the need
to have rapid remedial action when field problems are observed".

This may indeed point to an issue when installing 105,000 meters in a year
across areas of a large, sparsely populated province, on existing (outside)
meter bases, where the annual temperature range may be (a dry) -40C to +40C.

A quick web search indicates that these problems have been widespread across
North America and large deployments of "smart" meters have been canceled
and reversed due to some fires in a number of states. The same vendor name
crops up in a number of these cancellations.

Risk of not checking the reputation of the vendor and product, and possibly
installers too, or inadequately weighting such evidence against many
governments' requirement to accept the lowest bid offered.

Published reports on the causes and subsequent post-installation inspections
mention inadequate retraining of meter readers as installers, problems
reusing existing older meter bases, corrosion of bases, boxes, and
connectors, broken connection blocks, melted conductors, and loose wiring
connections as some of the installation issues identified.

Risk of not understanding the possible impact of opening up and fiddling
with an installation which may have been untouched for years or decades, and
not following manufacturers recommendations on installer training,
inspection and replacement practices, and prerequisites for equipment
installation.

Also mentioned in some of those reports where "smart" meter installation
resumed, sometimes with different equipment from a different vendor, meter
readers would be retrained and redeployed as meter inspectors, to monitor
the condition and safety of the new meters. Risk of accounting only for
savings from the great new thing, and ignoring any potential requirements
and associated costs of going the new way.

Also mentioned at the bottom of the CBC article:
"Among the features of the new meters was an ability to transmit power usage
data through a radio frequency, making it unnecessary for a meter reader to
enter a home.  That feature had not been implemented for the new meters
already installed but was part of the overall plan for the new technology."

My experience and understanding of "smart" meter deployment benefits has
been that the costs are mainly justified by being able to have meter
"readers" drive by meter locations with wireless equipment to interrogate
the meter and receive the meter and usage data.  Thereby getting actual
usage more accurately, frequently, and cheaply than occasional meter
location visits and manual usage recording, with estimated usage billed
between visits.

The paragraph quoted above implies that a further installation or feature
enabling visit would have been necessary to gain any benefit from the new
meters.  Risk of having someone change something twice rather than doing
everything (hopefully properly) at once doubles the chances that some issue
will occur to let out the magic smoke, doubling the remediation costs (at
least, as these events demonstrate).

Please report problems with the web pages to the maintainer

Top