The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 25

Tuesday 9 September 2014

Contents

Space station launches satellites without permission
Irene Klotz via Paul Saffo
Hacker Breached HealthCare.gov Insurance Site
Monty Solomon
Hackers Breach Security of a Health Exchange Server
Monty Solomon
UCLA, Cisco & more join forces to replace TCP/IP
Lauren Weinstein
Kill switches for weaponry
Jonathan Zittrain
Fake cell towers discovered
PGN
BBC: ISPs should assume that heavy VPN users are pirates
Lauren Weinstein
"Apple iCloud backup quirk could have allowed hackers to access 'deleted' files"
John E. Dunn via Gene Wirchenko
Apple Says It Will Add New iCloud Security Measures After Celebrity Hack
Brian X. Chen via Monty Solomon
Redactions in U.S. Memo Leave Doubts on Data Surveillance Program
Monty Solomon
Online Privacy: Maybe Not So Unreasonable, After All
NYT via Monty Solomon
"Data shows Home Depot breach could be largest ever"
Jaikumar Vijayan via Gene Wirchenko
"Microsoft patch KB 2918614 triggers 'key not valid for use,' more errors"
Woody Leonhard via Gene Wirchenko
GM to Introduce Hands-Free Driving in Cadillac Model
Gabe Goldberg
Phil Smith III
Re: Software errors in Galileo Satellites
Erling Kristiansen
Re: Regarding Tesla's cash cow
Richard I Cook
Erling Kristiansen
Huffington continues trying to "disappear" their discredited "email creator" series
Lauren Weinstein
"Why Is Huffington Post Running A Multi-Part Series To Promote The Lies Of A Guy Who Pretended To Invent Email?"
Techdirt via Lauren Weinstein
Re: zero-day bounties
Henry Baker
Live Webinar: Building a Software Security Initiative
Cigital
Info on RISKS (comp.risks)

Space station launches satellites without permission (Irene Klotz)

Paul Saffo <paul@saffo.com>
Sat, 6 Sep 2014 16:23:32 -0700
Irene Klotz, Space Station's Cubesat Launcher has Mind of its Own,
Discovery, 5 Sep 2014
http://news.discovery.com/space/space-stations-cubesat-cannon-has-mind-of-its-own-140905.htm

Last night, two more of Planet Labs' shoebox-sized Earth imaging satellites
launched themselves from aboard the International Space Station, the latest
in a series of technical mysteries involving a commercially owned CubeSat
deployer located outside Japan's Kibo laboratory module.

Station commander Steve Swanson was storing some blood samples in one of the
station's freezers Friday morning when he noticed that the doors on
NanoRacks' CubeSat deployer were open, said NASA mission commentator Pat
Ryan.

Flight controllers at the Johnson Space Center in Houston determined that
two CubeSats had been inadvertently released.

"No crew members or ground controllers saw the deployment. They reviewed
all the camera footage and there was no views of it there either," Ryan
said.

The satellites, owned by San Francisco-based Planet Labs, are part of a
planned 100-member network designed to collect images of the entire Earth
every 24 hours.

So far, 12 of 32 CubeSats delivered to the space station aboard a Cygnus
cargo ship in July have been deployed, including four launched
inadvertently, said NanoRacks spokeswoman Abby Dickes.

In addition to the two Planet Labs satellites launched Thursday night, two
more of the company's satellites were released accidentally 23 Aug, a NASA
status report shows.

The latest inadvertent deployment followed unsuccessful attempts Wednesday
night to return NanoRacks' CubeSat dispenser to service.  Efforts included
jiggling the small robotic arm holding the dispenser in an attempt to get its
doors to open, Ryan added.

Flight control teams are assessing whether to bring the deployer back inside
the station or to try to release the remaining CubeSats still awaiting
launch.


Hacker Breached HealthCare.gov Insurance Site

Monty Solomon <monty@roscom.com>
Thu, 4 Sep 2014 21:23:30 -0400
The Hacker Uploaded Malicious Software, But Consumers' Personal Data
Didn't Appear to Be Taken

Danny Yadron, WSJ, 4 Sep 2014

A hacker broke into part of the HealthCare.gov insurance enrollment website
in July and uploaded malicious software, according to federal officials.

Investigators found no evidence that consumers' personal data were taken or
viewed during the breach, federal officials said. The hacker appears only to
have gained access to a server used to test code for HealthCare.gov, the
officials said.

The server was connected to more sensitive parts of the website that had
better security protections, the officials said. That means it would have
been possible, if difficult, for the intruder to move through the network
and try to view more protected information, an official at the Department of
Health and Human Services said. There is no indication that happened, and
investigators suspect the hacker didn't intend to target a HealthCare.gov
server. ...

http://online.wsj.com/articles/hacker-breached-healthcare-gov-insurance-site-1409861043


Hackers Breach Security of a Health Exchange Server

Monty Solomon <monty@roscom.com>
Thu, 4 Sep 2014 23:39:39 -0400
Hackers downloaded malicious software onto a test server of HealthCare.gov,
but did not steal any personal information on consumers, Obama
administration officials said.

http://www.nytimes.com/2014/09/05/us/hackers-breach-security-of-healthcaregov.html

  [up? down? which way does the staircase go?  PGN]


UCLA, Cisco & more join forces to replace TCP/IP

Lauren Weinstein <lauren@vortex.com>
Thu, 4 Sep 2014 16:38:05 -0700
UCLA, Cisco & more join forces to replace TCP/IP

*Network World* via NNSquad
http://www.networkworld.com/article/2602109/lan-wan/ucla-cisco-more-join-forces-to-replace-tcpip.html

  "Their aim is to put forth an Internet architecture that's more secure,
  able to support more bandwidth and friendlier to app developers.
  Cryptographic authentication, flow balance and adaptive routing/forwarding
  are among the key underlying principles."

 - - -

Except in some comparatively specialized scenarios and situations,
don't hold your breath for TCP/IP going away anytime soon.


Kill switches for weaponry (via Dave Farber)

Jonathan Zittrain <zittrain@law.harvard.edu>
Wednesday, September 3, 2014
I just wrote a piece for Scientific American about kill switches for ...
medium and heavy weapons.  I know I've long inveighed against vendor (and,
by proxy, government) control over consumer technology, and I still think
that's a central threat to both open code and free speech.  But all of that
otherwise-worrisome tech applied to weapons seems to invert the equities.
http://www.scientificamerican.com/article/the-case-for-kill-switches-in-military-weaponry/
 [...]

Jonathan Zittrain, Harvard Law School | Harvard Kennedy School of Government
 | Harvard School of Engineering and Applied Sciences and
 Berkman Center for Internet & Society  <http://cyber.law.harvard.edu>


Fake cell towers discovered

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 6 Sep 2014 8:59:35 PDT
http://betanews.com/2014/09/03/mystery-fake-cellphone-towers-discovered-across-america/


BBC: ISPs should assume that heavy VPN users are pirates

Lauren Weinstein <lauren@vortex.com>
Mon, 8 Sep 2014 21:58:18 -0700
  "In a submission to the Australian Government on the issue of online
  piracy, the BBC indicates that ISPs should be obliged to monitor their
  customers' activities. Service providers should become suspicious that
  customers could be pirating if they use VPN-style services and consume a
  lot of bandwidth, the BBC says."   Torrent Freak via NNSquad
http://torrentfreak.com/bbc-isps-should-assume-heavy-vpn-users-are-pirates-140908/

 - - -
And what should we assume the folks running the BBC are? Pick your synonym
for "dangerous fools" ...


"Apple iCloud backup quirk could have allowed hackers to access 'deleted' files" (John E. Dunn)

Gene Wirchenko <genew@telus.net>
Fri, 05 Sep 2014 10:37:02 -0700
John E. Dunn | Techworld, InfoWorld, 04 Sep 2014
iCloud on iOS secretly keeps last three backups, says Check Point
Software researcher
http://www.infoworld.com/d/mobile-technology/apple-icloud-backup-quirk-could-have-allowed-hackers-access-deleted-files-249749


Apple Says It Will Add New iCloud Security Measures After Celebrity Hack (Brian X. Chen)

Monty Solomon <monty@roscom.com>
Sat, 6 Sep 2014 00:24:59 -0400
Brian X. Chen, *NYTimes* blog, 4 Sep 2014

Apple said on Thursday that it would strengthen its security measures after
a recent episode where hackers broke into the Apple accounts of a number of
celebrities, stole their nude photos and leaked them on the Internet.

The company said it would add alerts to tell people about activities that
could be signs of a break-in.

Customers will receive emails and alerts called push notifications, which
are messages that show up prominently on iPhones and iPads, when someone
tries to change the password for their iCloud account, upload their
backed-up account data to a new device or log into their accounts for the
first time from an unknown device, the company said.  The notifications will
be added in two weeks. ...

http://bits.blogs.nytimes.com/2014/09/04/apple-says-it-will-add-new-security-measures-after-celebrity-hack/


Redactions in U.S. Memo Leave Doubts on Data Surveillance Program

Monty Solomon <monty@roscom.com>
Sun, 7 Sep 2014 11:19:35 -0400
Questions persist after the release of a newly declassified version of a
legal memo approving the National Security Agency's Stellarwind program, a
set of warrantless surveillance and data collection activities secretly
authorized after the terrorist attacks of Sept. 11, 2001.

http://www.nytimes.com/2014/09/07/us/redactions-in-us-memo-leave-doubts-on-data-surveillance-program.html


Online Privacy: Maybe Not So Unreasonable, After All

Monty Solomon <monty@roscom.com>
Sun, 7 Sep 2014 11:24:49 -0400
As our online personal information has become less and less personal, the
privacy pendulum may now be ready to switch directions.

http://bits.blogs.nytimes.com/2014/09/07/rethinking-privacy-on-the-internet/


"Data shows Home Depot breach could be largest ever" (Jaikumar Vijayan)

Gene Wirchenko <genew@telus.net>
Fri, 05 Sep 2014 10:34:59 -0700
Jaikumar Vijayan | Computerworld, 03 Sep 2014
The breach occurred at nearly all of Home Depot's 2200 U.S. stores
http://www.infoworld.com/d/security/data-shows-home-depot-breach-could-be-largest-ever-249732

opening text:

It looks like Home Depot may have earned the dubious distinction of being
responsible for the biggest compromise ever involving credit and debit card
data.


"Microsoft patch KB 2918614 triggers 'key not valid for use,' more errors" (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Mon, 08 Sep 2014 16:04:46 -0700
Woody Leonhard | InfoWorld, 8 Sep 2014
August's Windows Installer Service patch causes wide range of
inscrutable problems on Windows 7 and Windows 8 machines
http://www.infoworld.com/t/microsoft-windows/microsoft-patch-kb-2918614-triggers-key-not-valid-use-more-errors-249973


Re: GM to Introduce Hands-Free Driving in Cadillac Model

Gabe Goldberg <gabe@gabegold.com>
Mon, 08 Sep 2014 13:04:56 -0400
"With Super Cruise, when there's a congestion alert on roads like
California's Santa Monica Freeway, you can let the car take over and drive
hands free and feet free through the worst stop-and-go traffic around,"
Barra said in the speech at Cobo Center in Detroit. "If the mood strikes you
on the high-speed road from Barstow, California, to Las Vegas, you can take
a break from the wheel and pedals and let the car do the work. Having it
done for you—that's true luxury."

But...

GM's Super Cruise technology is not a self-driving car and the feature will
require drivers to remain alert and ready to take the wheel if traffic
conditions become too complex, Lauckner told reporters at a briefing before
Barra's speech.

http://www.bloomberg.com/news/2014-09-07/gm-to-introduce-hands-free-driving-in-cadillac-model.html

Let the car do the work ... BUT remain alert.

"What could possibly go wrong?" seems a profoundly inadequate degree of
skepticism.

Comments on the article question the ability of a company that for many
years shipped faulty ignition switches to get this bit of technology right.

Gabriel Goldberg, Computers and Publishing, Inc.       gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433


Re: GM to Introduce Hands-Free Driving in Cadillac Model (Jclcabal)

"Phil Smith III" <phs3@akphs.com>
Mon, 8 Sep 2014 14:07:45 -0400
We have dynamic cruise on our Sienna, and it's great on the highway.
Doesn't function below 28mph, alas.

But on the Interstate, I get behind someone I like going fast enough and not
weaving/etc., lock it in a click or two above their speed, and now it's just
steering, not playing with the gas. Really makes long trips less stressful.


Re: Software errors in Galileo Satellites (RISKS-28.24)

Erling Kristiansen <erling.kristiansen@xs4all.nl>
Fri, 05 Sep 2014 15:53:13 +0200
The title of this item is misleading: As you can read in the linked article,
the fault causing the satellites to be injected into the wrong orbit was in
the launcher, not the satellites.

You may consider this a technicality. But since the launcher and the
satellites come from different manufacturers, I think it is important to
point to the right entity when discussing the failure.


Re: Regarding Tesla's cash cow (Burstein, RISKS-28.23)

Richard I Cook MD <ricookmd@gmail.com>
Fri, 5 Sep 2014 09:11:05 +0200
Comments on solar power:

> Aside from the general economic issue, the big concern is that solar power
> is intermittent and can cut out at any second.

Actually, solar power is about as reliable and predictable a source of energy
delivery in a usable form as I can imagine. The yearly flux of solar
illumination is almost constant.

More to the point, a lot of energy is used in areas where the usable
intensity is low for half a year and high for the other half. Weather
effects that exacerbate this are, on average, quite regular on a yearly
basis.

It is true that energy storage is challenging and is likely to remain so for
the foreseeable future.

There is great potential in the equatorial regions, most notably the great
deserts. Building large collection systems there would make solar generation
nearly independent of the time of year, although occasional violent weather
would continue to be a problem. At least as important as producing huge
amounts of power on a regular schedule, adopting such a scheme could become
an economic engine that might offset the disproportionate effect of climate
change on equatorial peoples.


Re: Regarding Tesla's cash cow (Anthony, RISKS 28.24)

Erling Kristiansen <erling.kristiansen@xs4all.nl>
Fri, 05 Sep 2014 16:12:03 +0200
> Solar panels do actually work tolerably well in cloudy conditions, and it's
> pretty rare for a cloud to cover an entire country.

Solar panels do, indeed, produce power also in cloudy conditions, but
"tolerably well"?

My experience is:
Lightly overcast: ~30% of peak power
Thick clouds:     ~10% of peak power
Rainy, cloudy winter day: Below threshold at which converter switches on.
In winter, even at the best, sunny days, power is well below summer peak
  level (~50%) due to the low sun.

I live in The Netherlands, where it is not so rare that a cloud covers the
entire country, and more. But it is, of course, a small country.


Huffington continues trying to "disappear" their discredited "email creator" series (via NNSquad)

Lauren Weinstein <lauren@vortex.com>
Sun, 7 Sep 2014 17:04:18 -0700
"Huffington" is continuing trying to "disappear" their discredited five part
series on the "creator" of e-mail. You'll recall that yesterday the links to
the five stories at:
  http://www.huffingtonpost.com/news/the-history-of-email/
led to a sort of editorial apology. Today, four of the five stories have
vanished from the page entirely—leaving a big white gap—and search
results that previously pointed at them now appear to be 404.  And in case
you don't remember what this page looked like originally, I made a
screenshot of it yesterday, because I anticipated something like this.

Screenshot at: (G+): https://plus.google.com/+LaurenWeinstein/posts/f5i8tB4bveC


"Why Is Huffington Post Running A Multi-Part Series To Promote The Lies Of A Guy Who Pretended To Invent Email?"

Lauren Weinstein <lauren@vortex.com>
Wed, 3 Sep 2014 08:11:03 -0700
Techdirt via NNSquad
https://www.techdirt.com/articles/20140901/07280928386/huffpo-publishes-bizarre-misleading-factually-incorrect-multi-part-series-pretending-guy-invented-email-even-though-he-didnt.shtml

  "Again, that might make for a nice story line if there were some factual
  basis behind it, but there isn't. The history of e-mail is well-documented
  from multiple sources and it began way, way before 1978. And while early
  versions were somewhat crude, by 1978 they had basically everything that
  Ayyadurai claims to have invented (it is entirely believable that
  Ayyadurai, as a bright kid, independently came up with the same ideas, but
  he was hardly the first). There was a messaging system called MAILBOX at
  MIT in 1965. You can read all the details of it here, including source
  code. Ray Tomlinson is frequently credited with inventing the modern
  concept of email for the Internet by establishing the @ symbol (in 1972)
  as a way of determining both the user and which computer to send the email
  to. By 1975, there were things like email folders (invented by Larry
  Roberts) and some other basic email apps. As is noted, by 1976—two
  years before Ayyadurai wrote his app—email was 75% of all ARPANET
  traffic."

 - - -

Why? Because Huffington is only interested in the clicks, that's why, and
if they thought they could get more clicks by claiming Caligula invented
e-mail, they'd be running those stories too.


Re: zero-day bounties (Mills, RISKS-28.24)

Henry Baker <hbaker1@pipeline.com>
Fri, 05 Sep 2014 11:54:51 -0700
> "Since the vendors pay for the bounty, introducing bugs into their own
> code is counterproductive" (Mills, RISKS-28.24)

Hmmm...  Let's see.  Suppose employee A works for company M which boasts of
a bug bounty.  Freelancer J colludes with employee A to either induce A to
purposely create a bug, or at least provide information about where such
bugs can be found.  Freelancer J gets bug bounty from M, and shares it with
employee A.  Rinse & repeat.  Everybody wins, except for the poor customers
and their credit ratings after being hacked.

Such collusion is legal when A is a law-maker and J is a lobbyist, and such
collusion is rampant and extremely profitable.  Sometimes, A and J are even
the same people, which is called the "revolving door" of agencies such as
the FCC and now, apparently, the NSA (Alexander).

> "the Moral Hazard theory doesn't seem to apply here" (jericho, RISKS-28.24)

The biggest moral hazard is caused by computer hardware & software vendors
who sell software that they're not willing to stand behind; i.e., they use
their own customers as alpha and beta testers (aka "human shields" aka
"collateral damage", in the case of computer hacking & ID theft).  Dan Geer
has already discussed this issue.

Bug bounties don't "drain the swamp", but perversely create an industry
dependent upon the existence of the swamp.  The FBI loves the swamp, because
it enables them to manufacture crimes and once in a while produce a pelt.
The NSA loves the swamp, because it enables them to monitor "terrorists",
and the bigger the swamp, the larger the NSA's budget.

There's also the problem of price.  A hundred dollars for a Twitter bug is
an LOL joke; the cost of such a bug to a large corporate user might be
millions of dollars.  Even $100k for a significant bug pales in comparison
to the millions of dollars that such a bug is worth to a criminal or
nation-state.

Do you ever wonder why the Apple goto-fail bug lasted so long?

Let's assume that some bounty-hunter actually *did* notice Apple's goto-fail
behavior.  Any bounty-hunter worth his salt would quickly check for the
existence of this bug on other Apple devices & versions and notice how
extensive this bug was.  A quick calculation would reveal that the bug was
worth multiple millions of dollars to the right customer.  It's entirely
possible that some bounty-hunter was keeping such a bug in his inventory for
this big pay day.

Consider the recent JP Morgan attacks.  These "Willie Sutton" hackers were
apparently going after serious money, and were obviously willing to expend
considerable resources in the process.  What kind of a bounty would it take
to buy them off?  My best guess: $1 billion.

Talk like a Pirate Day is in 2 weeks (Sept. 19th).  We all know about
pirates (the real kind, who sink ships and murder people, not the MPAA faux
rhinestone kind).  These pirates started off as legal "privateers", but
often ended up being hanged for piracy after the govt stopped its privateer
program.

https://en.wikipedia.org/wiki/Privateer
https://en.wikipedia.org/wiki/William_Kidd

This current bug-bounty-hunting privateer movie isn't going to end any
better than the seafaring privateer movie.  Besides, Errol Flynn and Johnny
Depp will never look as good wielding a mouse and a keyboard.

However, I do *not* recommend paying larger bounties, even though there are
bugs worth far more money.

I *do* recommend spending *just as much money*—i.e., *billions* of
dollars—on *formal methods* which are the only known way to *guarantee*
the lack of certain types of bugs.

I agree with Dan Geer that we need to loose the real privateers—the
plaintiffs bar—on the computer hardware and software industry, so that we
can finally start draining the swamp and make the Internet "safe at any
speed".

https://en.wikipedia.org/wiki/Unsafe_at_Any_Speed

Given the "fat tail" distribution of harm from computer bugs, it's only a
matter of time before the first $1 BILLION loss is incurred (assuming that
it hasn't *already* occurred—in secret—e.g., in Sept 2008), and a
large company loses 50% or more of its market value as a result of being
hacked.

Wouldn't it be preferable to spend $1 billion *proving programs correct*
than a far larger amount to criminals and/or bounty-hunters?


Live Webinar: Building a Software Security Initiative

Cigital <communications@cigital.com>
Fri, 05 Sep 2014 14:10:52 -0400
Webinar: Building a Software Security Initiative
Thursday, September 25, 2014 1:00 - 2:00 PM EDT
Register:
http://discover.cigital.com/e/28332/tration-html-sco-id-1218490076/3kzhjz/848842747

The increasing frequency and costs of security breaches are driving
customers, senior executives, and board of directors to demand evidence of a
formal program to address software security. Do you know how to start
building a scalable software security initiative?

Join Cigital and Tyler Shields, Senior Analyst at Forrester Research, Inc.,
for a live webinar exploring what it takes to create, restart, or mature a
software security initiative, including:

* Strategies for securing budget and support to build a software security
  initiative
* Identifying foundational components required for an effective software
  security initiative
* Distinguishing key attributes of a scalable software security
  initiative
* Tactics to enable management, security, and engineering groups to make
  immediate software security improvements

Cigital, 21351 Ridgetop Circle, Suite 400, Dulles, VA 20166
