The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 45

Monday 12 January 2015

Contents

Ford recalls SUVs because drivers are accidentally turning them off
Ben Rothke
Green Bank, WV: The Town Without Wi-Fi
Monty Solomon
Risks in Using Social Media to Spot Signs of Mental Distress
Monty Solomon
EU response to free speech killings? More Internet censorship!
Gigaom via Lauren Weinstein
Snowden: U.S. puts too much emphasis on cyber-offense, needs defense
Dewayne Hendricks
Biometric Identification
Anthony Thorn
Memory corruption
Martyn Thomas
Morgan Stanley Breach Put Client Data Up for Sale on Pastebin, an Online Site
Nathaniel Popper via Monty Solomon
US banks trace credit fraud to Chick-fil-A locales in possible data breach
Ars via Monty Solomon
Re: "Could e-voting be on its way in the UK?"
Amos Shapir
Tony Finch
An oldie but goodie ODBC risk
Bernard Peek
Sony Cyberattack, First a Nuisance, Swiftly Grew Into a Firestorm
Cieply and Barnes via Monty Solomon
World's first *known* bootkit for OS X can permanently backdoor Macs
Dan Goodin
Spotlight search in OS X Yosemite exposes private user details to spammers
Monty Solomon
Apps Everywhere, but No Unifying Link
Monty Solomon
Re: Gogo Issues False SSL Certificates, Allowing them to decode SSL Traffic
Bob Gezelter
ASUS Routers reportedly vulnerable to local area network command execution exploit
Bob Gezelter
Re: Too many pilots can't handle an emergency
Craig Burton
Re: Lenovo recalls more than 500,000 power cords
david lewis
Dick Mills
Info on RISKS (comp.risks)

Ford recalls SUVs because drivers are accidentally turning them off

Ben Rothke <brothke@hotmail.com>
Tue, 6 Jan 2015 19:09:51 -0500
Perhaps Ford didn't do enough UI testing...
http://www.autonews.com/article/20141231/RETAIL05/141239986/lincoln-mkc-recalled-to-move-push-button-start-from-near-touchscreen

Ford is recalling about 13,500 2015 Lincoln MKC because drivers are shutting
the vehicle off by mistake.

Drivers are mistakenly touching the crossover SUV's push-button ignition
button while the car is driving, Ford found.

"Due to the switch's close proximity to other controls occupants are
inadvertently shutting off the engine while driving," Ford said in a
statement.


Green Bank, WV: The Town Without Wi-Fi

Monty Solomon <monty@roscom.com>
Sun, 11 Jan 2015 23:42:20 -0500
The residents of Green Bank, West Virginia, can't use cell phones, wifi, or
other kinds of modern technology due to a high-tech government telescope.
Recently, this ban has made the town a magnet for technophobes, and the
locals aren't thrilled to have them.

http://www.washingtonian.com/articles/people/the-town-without-wi-fi/


Risks in Using Social Media to Spot Signs of Mental Distress

Monty Solomon <monty@roscom.com>
Fri, 26 Dec 2014 21:32:18 -0800
http://www.nytimes.com/2014/12/27/technology/risks-in-using-social-posts-to-spot-signs-of-distress.html

The ill-fated introduction in Britain of an app to detect predictors of
suicide shows what may happen when social media posts are scrutinized for
cues about a person's mental health.


EU response to free speech killings? More Internet censorship!

Lauren Weinstein <lauren@vortex.com>
Mon, 12 Jan 2015 09:46:02 -0800
(Gigaom):
https://gigaom.com/2015/01/11/eu-response-to-free-speech-killings-more-internet-censorship/?utm_medium=social&utm_campaign=socialflow&utm_source=twitter&utm_content=eu-response-to-free-speech-killings-more-internet-censorship_905730

  The interior ministers of France, Germany, Latvia, Austria, Belgium,
  Denmark, Spain, Italy, the Netherlands, Poland, Sweden and the U.K. said
  in a statement (PDF) that, while the Internet must remain "in scrupulous
  observance of fundamental freedoms, a forum for free expression, in full
  respect of the law." ISPs need to help "create the conditions of a swift
  reporting of material that aims to incite hatred and terror and the
  condition of its removing, where appropriate/possible."

 - - -

European leaders seem lately to be reliably wrong on most free speech issues
coming down the pipe. It's especially damaging when they try to extend their
misguided, counterproductive views on this subject to the world beyond
Europe. Censorship doesn't work in the Internet era.  Trying to remove or
de-index materials you fear or dislike only drives them underground in more
dangerous ways.


Snowden: U.S. puts too much emphasis on cyber-offense, needs defense

"Dewayne Hendricks" <dewayne@warpspeed.com>
Jan 8, 2015 2:45 PM
  [via Dave Farber]

Sean Gallagher, Ars Technica, 8 Jan 2015
In PBS NOVA interview, Snowden warns that U.S. cyber warfare strategy could
backfire.

http://arstechnica.com/tech-policy/2015/01/snowden-us-has-put-too-much-emphasis-on-cyber-offense-needs-defense/

In an on-camera interview with James Bamford for an upcoming episode of PBS'
NOVA, Edward Snowden warned that the U.S. Department of Defense and National
Security Agency have over-emphasized the development of offensive network
capabilities, placing the U.S.'s own systems at greater risk. With other
countries now developing offensive capabilities that approach those of the
NSA and the U.S. Cyber Command, Snowden believes the U.S. has much more at
stake.

The raw transcript of the NOVA interview showed Snowden in full control, to
the point of giving direction on questions and even suggesting how to
organize the report and its visual elements. Snowden frequently steered
questions away from areas that might have revealed more about NSA
operations, or he went into areas such as White House policy that he
considered "land mines." But the whistleblower eloquently discussed the
hazards of cyber warfare and the precariousness of the approach that the NSA
and Cyber Command had taken in terms of seeking to find and exploit holes in
the software of adversaries. In fact, he says the same vulnerabilities are
in systems in the U.S. "The same router that's deployed in the United States
is deployed in China," Snowden explained. "The same software package that
controls the dam floodgates in the United States is the same as in
Russia. The same hospital software is there in Syria and the United States."

Some of the interview, which took place last June in Russia, possibly
foreshadowed the cyber attack on Sony Pictures. Snowden said that the
capabilities for cyber attacks such as the "Shamoon" malware attack in 2012
and other "wiper" attacks similar to what happened to Sony Pictures were
"sort of a Fisher Price, baby's first hack kind of a cyber campaign,"
capable of disruption but not really of creating long-term damage. But he
said more sophisticated organizations, including nation-state actors, are
"increasingly pursuing the capability to launch destructive cyber attacks as
opposed to the disruptive kinds that you normally see online...and this is a
pivot that is going to be very difficult for us to navigate."

"I don't want to hype the threat," Snowden told Bamford. "Nobody's going to
press a key on their keyboard and bring down the government. Nobody's going
to press a key on their keyboard and wipe a nation off the face of the
earth." But Snowden emphasized that the U.S. should be focusing more on
defending against adversaries than trying to penetrate their networks to
collect information and do damage.

"When you look at the problem of the U.S. prioritizing offense over defense,
imagine you have two bank vaults, the United States bank vault and the Bank
of China," Snowden explained. "The U.S. bank vault is completely full. It goes
all the way up to the sky. And the Chinese bank vault or the Russian bank
vault or the African bank vault or whoever the adversary of the day is,
theirs is only half full or a quarter full or a tenth full." But because the
U.S. has focused on being able to break into other networks, he said, it has
made its own technology vulnerable—and other countries can use the same
vulnerabilities to attack the U.S.'s networks.  [...]


Biometric Identification

Anthony Thorn <anthony.thorn@atss.ch>
Wed, 07 Jan 2015 12:14:43 +0100
The recent CCC (Chaos Computer Club) presentation about defeating biometric
identification using cameras demonstrates the vulnerability of Iris, Face
and Fingerprint methods.  The theoretical risk is obvious, but here are the
practical demonstrations.

Dubbed in English:
https://www.youtube.com/watch?v=VVxL9ymiyAU&feature=youtu.be

Should be good for sales of gloves, latex, pencils...


Memory corruption

Martyn Thomas <martyn@thomas-associates.co.uk>
Tue, 06 Jan 2015 08:48:36 +0000
https://www.ece.cmu.edu/~safari/pubs/kim-isca14.pdf

"In this paper, we expose the vulnerability of commodity DRAM chips to
disturbance errors.  By reading from the same address in DRAM, we show that
it is possible to corrupt data in nearby addresses.  More specifically,
activating the same row in DRAM corrupts data in nearby rows. We demonstrate
this phenomenon on Intel and AMD systems using a malicious program that
generates many DRAM accesses.  We induce errors in most DRAM modules (110
out of 129) from three major DRAM manufacturers."


Morgan Stanley Breach Put Client Data Up for Sale on Pastebin, an Online Site

Monty Solomon <monty@roscom.com>
Wed, 7 Jan 2015 03:33:01 -0500
Nathaniel Popper, *The New York Times* blog, updated version, 5 Jan 2015

In mid-December, a posting appeared on the Internet site Pastebin offering
six million account records, including passwords and login data for clients
of Morgan Stanley.

Two weeks later, a new posting on the information-sharing site offered a
teaser of actual records from 1,200 accounts, and provided a link for people
interested in purchasing more, according to a person briefed on the
matter. The link pointed to a website that sells digital files for virtual
currencies like Bitcoin. In this case, the files were being sold for a more
obscure currency, Speedcoin.

The offer was quickly taken down the same day, 27 Dec, after Morgan Stanley
discovered the leak. In short order, the bank traced the breach to a
financial adviser working out of its New York offices, a 30-year-old named
Galen Marsh, according to a person involved in the investigation who spoke
on the condition of anonymity. ...

http://dealbook.nytimes.com/2015/01/05/morgan-stanley-fires-employee-saying-data-on-350000-clients-was-stolen/


US banks trace credit fraud to Chick-fil-A locales in possible data breach

Monty Solomon <monty@roscom.com>
Thu, 1 Jan 2015 00:46:11 -0500
http://arstechnica.com/security/2014/12/us-banks-trace-credit-fraud-to-chick-fil-a-locales-in-possible-data-breach/


Re: "Could e-voting be on its way in the UK?"

Amos Shapir <amos083@gmail.com>
Wed, 7 Jan 2015 19:00:57 +0200
The most important point that should not be missed is that Internet voting
should be compared to postal votes, not to traditional public voting station
methods.  In the rush to make Internet voting more secure, we should not
forget that - like postal voting - it lacks the basic features: making
voting public, but the vote contents themselves confidential.

The public aspect of traditional voting methods assures that everyone who is
eligible to vote can do it, freely and confidentially.  Internet voting
misses this aspect, no matter how secure it can be made.

This is not a technical issue!


Re: Could e-voting be on its way in the UK? (Walker, RISKS-28.44)

Tony Finch <dot@dotat.at>
Thu, 8 Jan 2015 13:23:07 +0000
A couple of months ago I read an electoral court judgment on voting fraud
in the UK which was handed down in July 2013:

http://www.bailii.org/ew/cases/EWHC/QB/2013/2572.html

The judge goes off on a massive rant about the disgraceful state of voting
security in the UK and the lack of interest from the authorities in
dealing with it. I expect online voting will make it even worse. The whole
judgment is quite readable and informative. The rant starts:

> Sadly, therefore, this is yet another case where the United Kingdom's
> shambolic electoral system has led to an election being challenged on
> the ground of widespread fraud.
>
> The system of electoral registration has always been very insecure and
> remains so. The problems this caused were, in the past, largely
> mitigated by the fact that 'absent' voting (voting by post or by proxy)
> was very limited in scope and hedged about with procedural difficulties.
> The introduction of postal voting on demand in 2001, however, laid the
> electoral system wide open to massive and well-organised fraud. Warnings
> that this might be the case were blithely ignored by Parliament and, to
> some extent, by the Electoral Commission.


An oldie but goodie ODBC risk

Bernard Peek <bap@shrdlu.com>
Tue, 06 Jan 2015 21:20:19 +0000
Not very long ago I came across an accounting and HR package which used ODBC
connections from each client computer to its central Microsoft SQL Server
database. Installing the client software required the creation of a "data
source" file on each client. This file can then be used by any ODBC client,
such as Microsoft Office software, without needing the user to know the
password.

I discovered that the supplier's engineers had persuaded the IT team to let
them use the default SA (System Administrator) ID when creating the data
sources. As a result of this any other ODBC software installed on a client
machine could be used to gain anonymous read/write/delete access to the
entire finance and HR databases without needing to use a password. I offered
to save the CFO some work by signing off my own invoices but he declined the
offer.

Once I bypassed the supplier's helpdesk and contacted their CTO directly the
issue was quickly resolved. We reconfigured the client machines and the
database servers to eliminate the "SA" login completely.

RISKS readers might like to check their own systems to see whether any of
the Data Sources on their client machines use the SA login. If they do then
I suggest they have words with their suppliers and their DBAs (if they have
them). Short pithy words are best.
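One way to do the check Bernard suggests, as an added example that is not from the post: a small audit of ODBC File DSNs (the INI-style `[ODBC]` files with `DRIVER=`, `SERVER=`, `UID=`, `PWD=` keys that client installs leave behind), flagging any that log in as `sa` or that carry a clear-text password. The sample DSN texts are constructed; the directory path is whatever you point it at.

```python
"""Audit ODBC File DSNs for the SQL Server 'sa' login and stored passwords.

Added example, not from the RISKS post. Assumes the File DSN layout:
an INI-style file with an [ODBC] section. Sample DSNs below are constructed.
"""
import configparser
import sys
from pathlib import Path

# Constructed sample: the kind of DSN the supplier's engineers left behind.
FINANCE_DSN = """[ODBC]
DRIVER=SQL Server
SERVER=finance-db
DATABASE=Finance
UID=sa
PWD=hunter2
"""

# Constructed sample: Windows-authenticated DSN, nothing sensitive stored.
HR_DSN = """[ODBC]
DRIVER=SQL Server
SERVER=hr-db
DATABASE=HR
Trusted_Connection=Yes
"""


def parse_dsn(text):
    """Return the [ODBC] section as a dict with lower-cased keys."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section("ODBC"):
        return {}
    return {k.lower(): v.strip() for k, v in parser.items("ODBC")}


def audit_dsn(text):
    """List the problems found in one DSN (empty list means clean)."""
    cfg = parse_dsn(text)
    findings = []
    if cfg.get("uid", "").lower() == "sa":
        findings.append("uses the SQL Server 'sa' login")
    if cfg.get("pwd"):
        findings.append("stores a password in clear text")
    return findings


def audit_directory(directory):
    """Map each problematic *.dsn file name under `directory` to its findings."""
    results = {}
    for path in sorted(Path(directory).glob("*.dsn")):
        findings = audit_dsn(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            results[path.name] = findings
    return results


if __name__ == "__main__":
    # With a directory argument, scan it; otherwise show the constructed samples.
    if len(sys.argv) > 1:
        report = audit_directory(sys.argv[1])
    else:
        report = {name: audit_dsn(text)
                  for name, text in (("finance.dsn", FINANCE_DSN), ("hr.dsn", HR_DSN))}
    for name, findings in report.items():
        print(name, "->", "; ".join(findings) if findings else "ok")
```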


Sony Cyberattack, First a Nuisance, Swiftly Grew Into a Firestorm

Monty Solomon <monty@roscom.com>
Wed, 7 Jan 2015 03:33:01 -0500
Michael Cieply and Brooks Barnes, *The New York Times*, 30 Dec 2014

It was three days before Thanksgiving, the beginning of a quiet week for
Sony Pictures. But Michael Lynton, the studio's chief executive, was
nonetheless driving his Volkswagen GTI toward Sony's lot at 6 a.m. Final
planning for corporate meetings in Tokyo was on his agenda - at least until
his cellphone rang.

The studio's chief financial officer, David C. Hendler, was calling to tell
his boss that Sony's computer system had been compromised in a hacking of
unknown proportions. To prevent further damage, technicians were debating
whether to take Sony Pictures entirely offline.

Shortly after Mr. Lynton reached his office in the stately Thalberg building
at Sony headquarters in Culver City, Calif., it became clear that the
situation was much more dire. Some of the studio's 7,000 employees, arriving
at work, turned on their computers to find macabre images of Mr. Lynton's
severed head. Sony shut down all computer systems shortly thereafter,
including those in overseas offices, leaving the company in the digital dark
ages: no voice mail, no corporate email, no production systems. ...

http://www.nytimes.com/2014/12/31/business/media/sony-attack-first-a-nuisance-swiftly-grew-into-a-firestorm-.html


World's first *known* bootkit for OS X can permanently backdoor Macs (Dan Goodin)

Monty Solomon <monty@roscom.com>
Fri, 9 Jan 2015 01:52:41 -0500
Dan Goodin, Ars Technica, 7 Jan 2015

Thunderstrike allows anyone with even brief access to install stealthy
malware.

Securing Macs against stealthy malware infections could get more complicated
thanks to a new proof-of-concept exploit that allows attackers with brief
physical access to covertly replace the firmware of most machines built
since 2011.

Once installed, the bootkit (that is, malware that replaces the firmware that
is normally used to boot Macs) can control the system from the very first
instruction. That allows the malware to bypass firmware passwords, passwords
users enter to decrypt hard drives and to preinstall backdoors in the
operating system before it starts running. Because it's independent of the
operating system and hard drive, it will survive both reformatting and OS
reinstallation. And since it replaces the digital signature Apple uses to
ensure only authorized firmware runs on Macs, there are few viable ways to
disinfect infected boot systems. The proof-of-concept is the first of its
kind on the OS X platform. While there are no known instances of bootkits
for OS X in the wild, there is currently no way to detect them, either.

The malware has been dubbed Thunderstrike, because it spreads through
maliciously modified peripheral devices that connect to a Mac's Thunderbolt
interface. When plugged into a Mac that's in the process of booting up, the
device injects what's known as an Option ROM into the extensible firmware
interface (EFI), the firmware responsible for starting a Mac's system
management mode and enabling other low-level functions before loading the
OS. The Option ROM replaces the RSA encryption key Macs use to ensure only
authorized firmware is installed. From there, the Thunderbolt device can
install malicious firmware that can't easily be removed by anyone who
doesn't have the new key. ...

http://arstechnica.com/security/2015/01/worlds-first-known-bootkit-for-os-x-can-permanently-backdoor-macs/


Spotlight search in OS X Yosemite exposes private user details to spammers

Monty Solomon <monty@roscom.com>
Sat, 10 Jan 2015 01:48:15 -0500
Search feature overrides widely used setting blocking remote images.

Dan Goodin, Ars Technica, 9 Jan 2015

Using the Spotlight search feature in OS X Yosemite can leak IP addresses
and private details to spammers and other e-mail-based scammers, according
to tests independently performed by two news outlets.

The potential privacy glitch affects people who have configured the Mac Mail
App to turn off the "load remote content in messages" setting, as security
experts have long advised. Spammers, stalkers, and online marketers often
use remote images as a homing beacon to surreptitiously track people opening
e-mail. Because the images are hosted on sites hosted by the e-mail sender,
the sender can log the IP address that viewed the message, as well as the
times and how often the message was viewed, and the specific e-mail
addresses that received the message. Many users prefer to keep their e-mail
addresses, IP addresses, and viewing habits private, a goal that's
undermined by the viewing of remote images. ...

http://arstechnica.com/security/2015/01/spotlight-search-in-yosemite-exposes-private-user-details-to-spammers/


Apps Everywhere, but No Unifying Link

Monty Solomon <monty@roscom.com>
Tue, 6 Jan 2015 09:43:46 -0500
http://www.nytimes.com/2015/01/06/technology/tech-companies-look-to-break-down-walls-between-apps.html

As people spend more time using apps, their Internet has taken a step
backward, becoming more isolated—more like the web before search engines.


Re: Gogo Issues False SSL Certificates, Allowing them to decode SSL Traffic (Weinstein, RISKS-28.44)

"Bob Gezelter" <gezelter@rlgsc.com>
Mon, 05 Jan 2015 21:57:00 -0700
ArsTechnica reports that Gogo, an inflight Wi-Fi service, has been proffering
its own versions of other domains' certificates (the article refers
specifically to YouTube). This allows Gogo to decrypt traffic intended to
remain encrypted while in-transit. If used for all SSL connections, it would
expose a wide variety of traffic to monitoring, capture, and subsequent
impersonation (e.g., email, banking, corporate applications).  It is not
clear if this is being used on all SSL connection attempts, or only on
certain connections. The justification offered is to enforce a Gogo ban on
streaming applications.  This report reemphasizes the need for users to be
careful accepting a certificate not signed by a well-known signature
authority (CA).  The Ars Technica article is at:
http://arstechnica.com/security/2015/01/gogo-issues-fake-https-certificate-to-users-visiting-youtube/
Bob Gezelter, http://www.rlgsc.com


ASUS Routers reportedly vulnerable to local area network command execution exploit

"Bob Gezelter" <gezelter@rlgsc.com>
Fri, 09 Jan 2015 06:19:20 -0700
Apparently, ASUS routers have a weakness in the implementation of infosvr,
which reportedly uses UDP to communicate between different
routers. Designated CVE-2014-09583, this vulnerability allows a user inside
the firewall zone to use a UDP request to inject a command for execution by
the router (e.g., opening ports).  The report includes a command which can
be manually used to shut down the infosvr service each time the router is
restarted.  The Ars Technica article is at:
http://arstechnica.com/security/2015/01/got-an-asus-router-someone-on-your-network-can-probably-hack-it/
Bob Gezelter, http://www.rlgsc.com


Re: Too many pilots can't handle an emergency (RISKS-28.44)

Craig Burton <craig.alexander.burton@gmail.com>
Wed, 7 Jan 2015 14:42:36 +1100
The most tragic element of the AF447 crash was that the stall warning system
gave a warning up to a critical angle of attack, but actually went silent
after that angle was exceeded on the assumption it could not be possible and
the device should not report a false positive.

This caused the pilots to keep the plane in a stall since when they tried to
take it out of stall by reducing attack angle, the stall alarm sounded.

I think there is the new risk that pilots need to be able to handle a system
failing in a complex way such as this?  Is it reasonable for them to learn
and manage all edge cases in automation?
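A model of the warning behaviour Craig describes, as an added example that is not from the post or from any aircraft system: the first function silences the stall warning once the angle of attack exceeds a plausibility ceiling, the second keeps warning and reports the out-of-range reading separately, and a check flags transitions where the warning cue points the crew the wrong way. The 10 and 40 degree thresholds and the angle-of-attack trace are constructed values.

```python
"""Stall-warning logic: 'silence when implausible' versus 'fail loud'.

Added example, not from the RISKS post or any avionics code. Thresholds
and the angle-of-attack (AoA) trace below are constructed for illustration.
"""

STALL_WARN_DEG = 10.0     # constructed: warn at or above this AoA
PLAUSIBLE_MAX_DEG = 40.0  # constructed: readings above this treated as invalid

# Constructed trace: pitch-up into a deep stall, a push forward, then a
# pull back again once the warning sounds during the push.
AOA_TRACE = [5.0, 12.0, 30.0, 45.0, 50.0, 38.0, 30.0, 45.0]


def silent_above_ceiling(aoa):
    """Flawed logic: an AoA above the ceiling is assumed impossible, so the
    reading is treated as a sensor fault and the warning goes silent."""
    if aoa > PLAUSIBLE_MAX_DEG:
        return "SILENT"
    return "WARN" if aoa >= STALL_WARN_DEG else "QUIET"


def fail_loud(aoa):
    """Alternative: an out-of-range reading keeps the warning on and adds a
    separate sensor-check state instead of hiding the condition."""
    if aoa > PLAUSIBLE_MAX_DEG:
        return "WARN+SENSOR_CHECK"
    return "WARN" if aoa >= STALL_WARN_DEG else "QUIET"


def simulate(logic, trace):
    """Warning state for each AoA sample in the trace."""
    return [logic(aoa) for aoa in trace]


def warning_on(state):
    return state.startswith("WARN")


def inverted_transitions(logic, trace):
    """Indices where the warning switches ON while AoA is falling, or OFF
    while AoA is rising: the cue rewards the wrong control input."""
    states = simulate(logic, trace)
    bad = []
    for i in range(1, len(trace)):
        prev_on, now_on = warning_on(states[i - 1]), warning_on(states[i])
        rising = trace[i] > trace[i - 1]
        if (now_on and not prev_on and not rising) or (prev_on and not now_on and rising):
            bad.append(i)
    return bad


if __name__ == "__main__":
    for logic in (silent_above_ceiling, fail_loud):
        print(logic.__name__, simulate(logic, AOA_TRACE),
              "inverted at", inverted_transitions(logic, AOA_TRACE))
```

With the flawed logic the warning stops at sample 3 as the nose goes up and starts again at sample 5 as it comes down, which is the inversion the post describes; the fail-loud variant never turns the warning off once the stall angle is exceeded.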


Re: Lenovo recalls more than 500,000 power cords

david lewis <davidlewis@sympatico.ca>
Wed, 7 Jan 2015 16:14:57 -0500
Both Leonard Finegold and Morton Welinder are wrong on the power dissipation
in a laptop power supply cord, because the power supply is not a resistor,
but a constant power sink, due to the regulator in it, which is designed to
convert power at high efficiency, and supply a fixed power to the battery. So
the current through the power supply is inverse of the voltage.

But the power supply cord is a resistance, so the heat in it is square of
current, or inverse square of the voltage in this case.

Let's take a 55W power supply for simplicity, and a .1 ohm power supply cord
resistance.

At 110V it draws .5 A so the power supply cord dissipates .5 * .5 * .1 = .025W.

At 220V it draws .25A so the power supply cord dissipates .25 * .25 * .1 = .00625W or a factor of 4 less.

  [We received a slew of comments in response on this subject.  I picked
  this one as representative.  PGN]


LOL Re: Lenovo recalls more than 500,000 power cords

Dick Mills <dickandlibbymills@gmail.com>
Wed, 7 Jan 2015 15:01:42 -0500
Len Finegold said

 "As my freshman students know...
  Twinkle twinkle little star
  Power equals I squared R"

50 years ago when I was a freshman I memorized that jingle.  But when
I got into the exam, my brain regurgitated this:

  Little star up in the sky, power equals R squared I.
