The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 23

Thursday 28 August 2014

Contents

Why Internet voting is a very dangerous idea
Marc Ambinder via PGN
Denmark's most devastating hacker attack
zapkatakonk1943
JPMorgan and Other Banks Struck by Cyberattack
Monty Solomon
Feds warn first responders of dangerous hacking tool: Google Search
Sean Gallagher
"Microsoft ships replacement patch KB 2993651 with two known bugs"
Woody Leonhard via Gene Wirchenko
Stealing Encryption Keys Through the Power of Touch
Peter Bright
The Future Could Work, if We Let It
Matthew Kruk
Leaving Money and Privacy on the Table
Adam Tanner via Monty Solomon
Why zero-day bounties won't secure the Internet
Henry Baker
Regarding Tesla's cash cow
danny burstein
Baker's doesn't?
via PGN
Info on RISKS (comp.risks)

Why Internet voting is a very dangerous idea (Marc Ambinder)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 28 Aug 2014 15:11:47 PDT
Marc Ambinder: *The Week*, 28 Aug 2014
http://theweek.com/article/index/267191/why-internet-voting-is-a-very-dangerous-idea

Unless you're one of those ornery folks who believe that only politically
engaged Americans should vote, there aren't many good reasons to oppose
efforts to expand access to the ballot. Voter fraud is quite rare, and
voting fraud—an organized effort to illegally disrupt elections—is
hard to organize.  So you might think that any restriction on the way
someone can vote will unfairly marginalize potentially legitimate voters.

That's true, with one big exception: Internet voting.

No doubt—nationwide Internet voting has an intuitive appeal. It would
decrease the costs of elections. It would dramatically increase turn-out. It
would allow marginalized communities to avoid harassment at polling
sites. It would speed the vote count. A majority of voters regularly endorse
the idea.

There are two main reasons, though, why Internet voting is, at best, a dream
best realized 20 years in the future—if ever.

The Internet is not secure. It does not matter whether results are sent to
an air-gapped system, because there's plenty of technologies that jump
air-gaps, and we know that big governments (like ours) use them to spy.

It does not matter whether complicated identification schemes involving
fingerprints and complex PINs are used to verify identities. Every end of
the system is vulnerable to cyber-attack; the browsers, the software, the
processing, and even the commands you type into the computer to register to
vote. Man-on-the-side attacks, spoof ballots, denial-of-service attacks --
there is absolutely no way to create a closed system that would filter out
bad code.

It does not matter whether previous (small-scale) experiments have been
successful. An American Internet election would be a ripe target for hackers
belonging to nation-states, criminal gangs, and all sorts of people who
spend their days looking for the latest vulnerability to exploit. (How many
times has Microsoft had to update Internet Explorer to fix a major bug in
the past two years? What confidence could you possibly have?)

It's hard to steal elections conducted in person or with ballots printed on
something that isn't made up of invisible electronic bits. It would be much
easier to steal, alter, or influence elections that are conducted
online. Technology may never advance to the point where our online
transactions are safe enough. For some activities, like online shopping,
we're willing to allow a margin for error. If someone steals our credit card
number and uses it to make online purchases, we'll probably discover it
quickly. We gossip about friends because we're pretty sure that they're not
going to hack into our caches. We conduct politics online because if someone
hijacks our identity, we can get the word out quickly.

Voting, however, is more intrinsically sacred than e-commerce, and really,
any of these other activities. There would not be any way to know whether a
virus or a hacker changed your vote after you voted, even if you were able
to print out a receipt for your vote at home and turn that in for later
auditing.

Bubble-in optical scan-voting systems are vulnerable to hacking, but the
paper ballot remains intact. You can screw with the computers that read the
ballots and screw with the software that counts them, but you can't change
the laws of physics, unless you somehow steal paper ballots in advance and
treat them with magic disappearing ink that would...actually, I can't come
up with even a fanciful way for an election using optically scanned ballots
to be stolen or fudged on a massive scale. That's why election supervisors
who know their stuff tend to want to use them.

Security is the major concern, but access is another. Until almost every
eligible voter has equal access to a computer, Internet voting would raise
the political power of the connected majority over the non-networked
minority; the richer over the poorer, the people who would still have to
send in a mail-in ballot or travel to a polling location.  Unless the advent
of Internet voting were accompanied somehow by a mass online
enfranchisement, the vote would be unforgivably skewed, and skewed against
those who are traditionally screwed by obstacles to voting anyway.

For some small groups, Internet voting makes sense. Military computer
networks tend to be harder to hack than the regular old Internet, and
without some type of Internet-based balloting, a large number of registered
voters overseas might be disenfranchised. Even here, though, the Internet is
best used to facilitate the distribution of ballots, but not necessarily to
receive them or send them back to be counted.

With Internet voting, elections could be stolen even before they were held.


Denmark's most devastating hacker attack

<zapkatakonk1943.6.22@gmail.com>
Thu, 28 Aug 2014 12:27:16 +0200
http://cphpost.dk/news/police-were-warned-during-hacker-attack.10116.html

Denmark's most devastating hacker attack could have been prevented from
escalating if the national police Rigspolitiet and the IT company CSC had
reacted to a critical report by Deloitte in June 2012, Politiken reports.

By the time Deloitte had warned authorities that their systems were
sensitive to cybercrime, hackers had already gained access to personal data
from the driving licence database and a register of wanted persons in the
Schengen Region.

Over a period lasting at least four and a half months in 2012, the hackers
stole four million Danish driving licence ID numbers from the police
database. However, it took a tip-off from the Swedish authorities nine
months later, in March 2013, before the Danish police and CSC realised the
seriousness of the case.

dr.phil. Donald B. Wagner, Jernbanegade 9B, DK-3600 Frederikssund Denmark
Tel. +45-3331 2581  http://donwagner.dk


JPMorgan and Other Banks Struck by Cyberattack

Monty Solomon <monty@roscom.com>
Wed, 27 Aug 2014 23:49:33 -0400

The hackers stole gigabytes of data, including account information. It is
not yet clear if the attacks were financially motivated or part of a
cyberespionage campaign.

http://www.nytimes.com/2014/08/28/technology/hackers-target-banks-including-jpmorgan.html

  [PGN mutters once again, why is it that almost every computer-based system
  is innately vulnerable to attack/misuse/compromise/..., whereas
  governmental coercion would like to have additional backdoors in
  everything?  When is "good" security really good enough?  The answer seems
  to be NEVER, and this suggests we are in real trouble for the indefinite
  future.  Stay tuned to RISKS for more of the same in reporting such items,
  REPEATEDLY.  Your frustrated moderator regrets that so much of the Risks
  Forum has devolved into sad tales of security woe.]


Feds warn first responders of dangerous hacking tool: Google Search (Sean Gallagher, via Dave Farber)

"Dewayne Hendricks" <dewayne@warpspeed.com>
Aug 27, 2014 7:47 PM
Sean Gallagher, Ars Technica, 27 Aug 2014
http://arstechnica.com/security/2014/08/feds-warn-first-responders-of-dangerous-hacking-tool-google-search/

In a restricted intelligence document distributed to police, public safety,
and security organizations in July, the Department of Homeland Security
warned of a malicious activity that could expose secrets and security
vulnerabilities in organizations' information systems. The name of that
activity: *Google dorking*.

"Malicious cyber actors are using advanced search techniques, referred to
as Google Dorking, to locate information that organizations may not have
intended to be discoverable by the public or to find website vulnerabilities
for use in subsequent cyber attacks," the for-official-use-only Roll Call
Release warned.  "By searching for specific file types and keywords,
malicious cyber actors can locate information such as usernames and
passwords, e-mail lists, sensitive documents, bank account details, and
website vulnerabilities."

That's right, if you're using advanced operators for search on Google, such
as site:arstechnica.com or filetype:xls, you're behaving like a 'malicious
cyber actor'.  Some organizations will react to you accessing information
they thought was hidden as if you were a cybercriminal, as reporters at
Scripps found out last year. Those individuals were accused of 'hacking'
the website of free cellphone provider TerraCom after discovering sensitive
customer data openly accessible from the Internet via a Google search and an
"automated" hacking tool: GNU's Wget.

But this warning from the DHS and the FBI was mostly intended to give law
enforcement and other organizations a sense of urgency to take a hard look
at their own websites' security. Local police departments have increasingly
become the target of 'hacktivists'. Recent examples include attacks on
the Albuquerque Police Department's network in March following the shooting
of a homeless man and attacks on St. Louis County police networks in
response to the recent events in Ferguson, Missouri.

Bad queries

It's true that Google hacking, or 'dorking', has been used by hackers and
penetration testers for years. Just as the National Security Agency can use
its XKeyscore surveillance data as a targeting system for more intrusive
attacks on intelligence targets, hackers can use Google to find and target
vulnerable sites—including ones where the work of hacking has already
been done for them. A single query based on the signature of a common
PHP-based 'shell' malware can be used as a backdoor to access the operating
system of affected websites. This search turns up a list of two dozen sites
that have been hacked with the backdoor left open, most of them in Russia and
Romania.

David Helkowski, the consultant who hacked the University of Maryland's
website and gained access to personal data in a university database, told
Ars that he used Google advanced search to discover pages within UMD sites
that allowed arbitrary Web executable files to be uploaded to them. Google
searches allowed him to discover exploits that pre-existed on the site. ...


"Microsoft ships replacement patch KB 2993651 with two known bugs" (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Thu, 28 Aug 2014 11:36:01 -0700

  [I am still running Windows XP.  The doom that we XP users were going to
  face does not seem to have materialised.  However, on the Windows 8 front,
  it appears to be rather more exciting.]

Woody Leonhard | InfoWorld, 28 Aug 2014
Microsoft re-releases botched MS14-045/KB 2982791 'Blue Screen 0x50' patch,
buries tip to manually uninstall first patch, and introduces more problems.

http://www.infoworld.com/t/microsoft-windows/microsoft-ships-replacement-patch-kb-2993651-two-known-bugs-249342


Stealing Encryption Keys Through the Power of Touch (Peter Bright)

"ACM TechNews" <technews@hq.acm.org>
Wed, 27 Aug 2014 12:13:30 -0400 (EDT)
Peter Bright, Ars Technica, 21 Aug 2014 via
ACM TechNews; Wednesday, August 27, 2014

Tel Aviv University researchers have demonstrated a side-channel attack
against the GnuPG encryption software that enables them to access decryption
keys by touching exposed metal parts of laptop computers.  The metal parts
of a laptop, such as the shielding around a USB port, are notionally all at
a common ground level, but this level undergoes tiny fluctuations due to the
electric fields within the laptop.  These variations can be measured, and
this can be used to leak information about encryption keys.  Although this
measurement has been demonstrated by directly attaching a digitizer to a
metal part of the laptop, the researchers showed they could retrieve
information with connections at the far end of shielded USB, VGA, and
Ethernet connections.  They also demonstrated that a person in contact with
metal parts of the laptop can in turn be connected to a digitizer, and the
voltage fluctuations can be measured, a technique that works better in hot
weather because of the lower resistance of sweaty fingers.  The researchers
reported their findings to the GnuPG developers, and the software has been
modified to reduce some of the information leaked this way.  However, even
with the alteration, the software is not immune to this side-channel attack,
and different encryption keys can be distinguished from one another.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-c6fex2b980x061791&


The Future Could Work, if We Let It

"Matthew Kruk" <mkrukg@gmail.com>
Thu, 28 Aug 2014 03:09:22 -0600
http://www.nytimes.com/2014/08/28/technology/personaltech/technology-and-the-human-factor-the-future-could-work-if-we-let-it.html


Leaving Money and Privacy on the Table (Adam Tanner)

Monty Solomon <monty@roscom.com>
Wed, 27 Aug 2014 23:59:39 -0400

Adam Tanner's "What Stays in Vegas" looks at online data mining, how
companies collect personal information to remain competitive and where
invasion of privacy begins.

http://www.nytimes.com/2014/08/28/books/what-stays-in-vegas-by-adam-tanner.html


Why zero-day bounties won't secure the Internet

Henry Baker <hbaker1@pipeline.com>
Thu, 28 Aug 2014 08:22:19 -0700

FYI—"nothing backfires quite like a bounty"

"Bounties" for zero days and bugs not only won't work, *they will make the
problem much, much worse,* and bounty proposals only serve to demonstrate
the folly of ignoring history.  Bounties have been well-studied by
economists under the terms "Cobra Effect", "Perverse Incentive" and "Moral
Hazard", and the results aren't pretty.

https://en.wikipedia.org/wiki/Cobra_effect
https://en.wikipedia.org/wiki/Perverse_incentive
https://en.wikipedia.org/wiki/Moral_hazard

The "Freakonomics" radio show & podcast did the best presentation of these
issues, and I highly recommend listening to it, rather than reading the
transcript (omitted here by PGN—much too long for RISKS).

http://feedproxy.google.com/~r/freakonomicsradio/~5/HNcpJA3L_b8/freakonomics_podcast101012.mp3
http://freakonomics.com/2012/10/11/the-cobra-effect-a-new-freakonomics-radio-podcast/

The Cobra Effect: A New Freakonomics Radio Podcast
Stephen J. Dubner, 11 Oct 2012

  [... rest truncated ...  PGN]


Regarding Tesla's cash cow (Baker, RISKS-28.22)

danny burstein <dannyb@panix.com>
Wed, 27 Aug 2014 18:59:22 -0400 (EDT)

All of us watching the encroachment of solar power into the electrical grid
are well aware of the very serious problem they have. Aside from the general
economic issue, the big concern is that solar power is intermittent and can
cut out at any second.

Utilities *must* be able to supply the electrical demand at the exact moment
customers call for it. Hence the huge incentives they provide to customers
(for example, hospitals) with "emergency generators" to turn on their own
power plants at 3 pm on a hot summer day, and, so to speak, "drop off" the
grid.

The next step in the process is when utilities pay the hospitals (again,
just one simple example) additional money if they have extra generation
capacity and can actually backfeed into the grid at those peak demand
periods. Or the similar hefty payouts to companies with quick-action (and
highly polluting) "peaking" generators.

This fluctuation and need for quick power adjustments becomes even more
critical when the base generating supply is intermittent, like, well, with
solar and wind.

The utilities would love it if every home had a 25 kw-hr battery pack in the
garage which they could charge up (with an associated bill, of course) with
lots of power during low demand periods (say, 2 am), give them a slow charge
at modest demand periods (say, 10 am), and cut back to zero at high demand
(that aforementioned 3 pm on a hot summer day). They'd drool over the added
option to not only stop pumping in the electrons at 3 pm, but to also draw
them back.

However, just the "shut off" choice, without the withdrawal, would make them
smile with glee.

So Mr. Musk, where's my payoff for supplying the utilities with that big
storage battery? Where's their handout to my community for the 1,000
batteries, or 25 megawatt-hours, of storage? Why should your company and the
utilities get all the payouts?


Baker's doesn't? (Re: U.S. Electric Grid, RISKS-28.22)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 27 Aug 2014 16:51:56 PDT

One of our regular readers offered these comments on Henry's item:

Henry Baker quotes:

> "the 40,000 Tesla vehicles already on the US roads contain about
> 3.3 gigawatts of storage capacity..."

Wrong unit.  If they were gasoline-fueled vehicles, he'd be describing
the size of the fuel tank in gallons per hour.

  [Henry's curious gigawatt analogy was also noted by danny.   PGN]

Henry then writes:
> I encourage Professor Norman to get involved in taking back the Internet
> where we all live and work, and to help make it an expression of a free and
> democratic society which respects the First, Fourth, Fifth and Fourteenth
> Amendments.

The Internet where *I* live has no business respecting *any* part of the
US Constitution.  Especially the Second Amendment.
