The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 46

Wednesday 21 January 2015

Contents

Potential nationwide weakness in hospital emergency power
Gerrit Muller
The Patient Will See You Now
Eric Topol via Gabe Goldberg
Today's Apps Are Turning Us Into Sociopaths?
Matthew Kruk
Getting the Most Out of Apple iOS 8
Monty Solomon
Wireless device in two million cars wide open to hacking
Ars via Lauren Weinstein
Schneider Electric SCADA Gateway contains hardcoded credentials
Bob Gezelter
IoT silliness: Headless devices without a UI
Galen Gruman via Gene Wirchenko
The NY Times reports establishment of an "Exchange" for Hacking Tasks
Bob Gezelter
David Cameron seemingly calls for ban or weakening of Internet crypto
Lauren Weinstein
WhatsApp and iMessage could be banned under new surveillance plans
Lauren Weinstein
Why Western Governments Want to Destroy Computer Security—and Your Security Along the Way
Lauren Weinstein
ISIS Is Cited in Hacking of Central Command's Twitter and YouTube Accounts
Monty Solomon
Report Finds No Substitute for Mass Data Collection
Monty Solomon
Passengers' Personal Data At Risk
Gabe Goldberg
Algorithms now have PR
Christian Sandvig
FCC wants to RELAX telemarketing rules for cell phones
Lauren Weinstein
Need Some Espionage Done? Hackers Are for Hire Online
Monty Solomon
4th-Party Collection: NSA's Wink Wink Nod Nod to the 4th Amendment
Henry Baker
Ethics related to malware
George Ledin via PGN
Info on RISKS (comp.risks)

Potential nationwide weakness in hospital emergency power

Gerrit Muller <gerrit.muller@gmail.com>
Sat, 17 Jan 2015 21:20:49 +0100
An incident in a hospital in Roermond, the Netherlands, uncovered a problem
that may be present in more hospitals.

A free summary/translation of
<http://nos.nl/artikel/2004721-tno-noodstroom-ziekenhuizen-onzeker.html>

In the Roermond hospital, the emergency power did not start due to a poorly
charged battery of the computer controlling the emergency power. This
battery ought to be charged continuously. The poor charging state had not
been detected by regular checks and tests.

The battery has a normal life time of 10 years and was only 3 years old at
the moment of failure. Batteries are normally changed after 5 years.

Switching back when power was available again also went wrong. TNO (the
Dutch applied research institute that investigated the failure) suspects the
low voltage caused by the poor battery. TNO recommends using redundant
batteries.

Sampling other hospitals showed similar configurations in at least 10 other
hospitals.

Gerrit Muller (part-time employed at TNO,
however, not related to the department that did this research)
Gaudi System Architecting homepage <http://www.gaudisite.nl/>


The Patient Will See You Now (Eric Topol)

Gabe Goldberg <gabe@gabegold.com>
Tue, 20 Jan 2015 12:31:32 -0500
Print headline on this: Soon your phone will be as smart as your doctor

Topol sees a future in which "your smartphone will become central to labs,
physical exams, and even medical imaging; and you can have ICU-like
[intensive-care unit] monitoring in the safety, reduced expense, and
convenience of your home."  This is a book full of technical wizardry and
intriguing questions about the nature—and the future—of diagnosing,
monitoring and healing.

...and insurance companies will limit coverage to buying cheap phones and
medical apps up to $0.99; doctors no longer needed. At least it will be
easier getting appointments with your phone.

http://www.washingtonpost.com/opinions/book-review-the-patient-will-see-you-now-on-future-of-medicine-by-eric-topol/2015/01/16/4b345b00-9761-11e4-aabd-d0b93ff613d5_story.html

Gabriel Goldberg, Computers and Publishing, Inc.       gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433


Today's Apps Are Turning Us Into Sociopaths?

"Matthew Kruk" <mkrukg@gmail.com>
Mon, 19 Jan 2015 06:22:45 -0700
http://www.wired.com/2014/02/outsourcing-humanity-apps/


Getting the Most Out of Apple iOS 8

Monty Solomon <monty@roscom.com>
Fri, 16 Jan 2015 15:14:51 -0500
The new operating system can help you monitor battery use better, help take
better photos and make Siri easier to use.
http://www.nytimes.com/2015/01/15/technology/personaltech/tips-to-get-the-most-out-of-apple-ios-8.html


Wireless device in two million cars wide open to hacking (Ars)

Lauren Weinstein <lauren@vortex.com>
Tue, 20 Jan 2015 13:44:15 -0800
Ars via NNSquad
http://arstechnica.com/security/2015/01/wireless-device-in-two-million-cars-wide-open-to-hacking/

  "An electronic dongle used to connect to the onboard diagnostic systems of
  more than two million cars and trucks contains few defenses against
  hacking, an omission that makes them vulnerable to wireless attacks that
  take control of a vehicle, according to published reports.  US-based
  Progressive Insurance said it has used the SnapShot device in more than
  two million vehicles since 2008. The dongle tracks users' driving to help
  determine if they qualify for lower rates. According to security
  researcher Corey Thuen, it performs no validation or signing of firmware
  updates, has no secure boot mechanism, no cellular communications
  authentication, and uses no secure communications protocols. SnapShot
  connects to the OBDII port of Thuen's 2013 Toyota Tundra pickup truck,
  according to Forbes. From there, it runs on the CANbus networks that
  control braking, park assist and steering, and other sensitive functions."

 - - -

Waiting to hear what FLO has to say about this ...
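The Ars excerpt above lists what the SnapShot dongle reportedly lacks: validated, signed firmware updates and a secure boot mechanism. The following is an added example, not code from Ars, Progressive or the researcher cited, showing the device-side check those terms imply: an Ed25519 signature over the whole image is verified under a public key the device carries before any header field is trusted, and a version counter rejects downgrades to older but still genuinely signed images. The image layout (magic, version, length), the in-process key generation and the version policy are assumptions made for the example.

```go
// Added example: device-side verification of a signed firmware image.
// Not code from Ars, Progressive or Thuen; the layout and policy are assumed.
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const headerLen = 12 // 4-byte magic + 4-byte version + 4-byte payload length

var magic = []byte{'F', 'W', 'I', 'M'} // hypothetical image magic

var (
	ErrMalformed = errors.New("firmware image: malformed header")
	ErrBadSig    = errors.New("firmware image: signature does not verify")
	ErrRollback  = errors.New("firmware image: version not newer than installed")
)

// BuildImage produces header||payload||signature. The signature covers the
// header as well as the payload, so neither the version field nor the code
// can be altered without invalidating it. This runs on the vendor side.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, headerLen)
	copy(hdr[0:4], magic)
	binary.BigEndian.PutUint32(hdr[4:8], version)
	binary.BigEndian.PutUint32(hdr[8:12], uint32(len(payload)))
	signed := append(hdr, payload...)
	sig := ed25519.Sign(priv, signed)
	return append(signed, sig...)
}

// VerifyImage is the device-side check. It rejects images whose signature
// does not verify under the vendor public key and images that would roll the
// device back to (or keep it at) an already-installed version. It returns
// the accepted version and payload.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < headerLen+ed25519.SignatureSize || !bytes.Equal(img[0:4], magic) {
		return 0, nil, ErrMalformed
	}
	want := len(img) - headerLen - ed25519.SignatureSize
	if uint64(binary.BigEndian.Uint32(img[8:12])) != uint64(want) {
		return 0, nil, ErrMalformed
	}
	signed := img[:headerLen+want]
	sig := img[headerLen+want:]
	// Authenticity first: nothing in an attacker-controlled header may
	// influence a decision before the signature has been verified.
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSig
	}
	version := binary.BigEndian.Uint32(img[4:8])
	if version <= installed {
		return 0, nil, ErrRollback
	}
	return version, signed[headerLen:], nil
}

// Demo runs the three cases a device would see: a genuine newer image, a
// tampered image, and a genuine but stale image. Keys are generated here only
// because the example is self-contained; a real device holds the public key
// in immutable storage and never sees the private key.
func Demo() (version uint32, tampered, stale error, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return 0, nil, nil, err
	}
	payload := []byte("constructed sample firmware payload") // constructed, not real firmware
	img := BuildImage(priv, 2, payload)

	version, _, err = VerifyImage(pub, 1, img) // installed v1, offered v2: accept
	if err != nil {
		return 0, nil, nil, err
	}
	bad := append([]byte(nil), img...)
	bad[headerLen] ^= 0x01 // flip one bit of the payload
	_, _, tampered = VerifyImage(pub, 1, bad) // signature no longer verifies
	_, _, stale = VerifyImage(pub, 2, img)    // already on v2: downgrade/replay refused
	return version, tampered, stale, nil
}

func main() {
	v, tampered, stale, err := Demo()
	if err != nil {
		fmt.Println("unexpected error:", err)
		return
	}
	fmt.Println("accepted version:", v)
	fmt.Println("tampered image:", tampered)
	fmt.Println("stale image:", stale)
}
```

The ordering inside VerifyImage is the point: length and magic sanity checks guard only against out-of-range reads, the signature is checked before the version field is interpreted, and the anti-rollback comparison runs last so that a validly signed old image cannot be replayed onto a patched device.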


Schneider Electric SCADA Gateway contains hardcoded credentials

"Bob Gezelter" <gezelter@rlgsc.com>
Wed, 21 Jan 2015 13:26:19 -0700
Much has been made of the benefits and detriments of the Internet of Things
(IoT). Security, integrity, and privacy problems are a particular
challenge. Implementing ease of use while maintaining security is a
challenge. There have been many cases of consumer and SOHO devices coming
with pre-installed credentials and backdoors. The problem is even more
serious with industrial systems where compromised credentials can permit
conversion of a network attack into an attack with serious physical
consequences.  Reportedly, the Schneider Electric SCADA Gateway comes with
pre-installed, known FTP credentials. An update is reported to permit FTP
access to be disabled, but the credentials remain.  The original article is
at:
http://threatpost.com/hard-coded-ftp-credentials-found-in-schneider-electric-scada-gateway/110565

Bob Gezelter, http://www.rlgsc.com


IoT silliness: Headless devices without a UI (Galen Gruman)

Gene Wirchenko <genew@telus.net>
Tue, 13 Jan 2015 09:17:34 -0800
Galen Gruman, InfoWorld, 13 Jan 2015
Many Internet of things devices can be controlled via smartphone only.
What could possibly go wrong?
http://www.infoworld.com/article/2867356/internet-of-things/beware-this-iot-fallacy-the-headless-device.html


The NY Times reports establishment of an "Exchange" for Hacking Tasks

"Bob Gezelter" <gezelter@rlgsc.com>
Fri, 16 Jan 2015 06:35:04 -0700
*The NY Times* Dealbook column has reported the establishment of Hacker's
List, a website providing an exchange allowing those in "need" of hacking
attacks to interact with providers of the services.  Exchanges that
facilitate monetized hacking, serving to reduce the costs of hacking to a
level compatible with consumer purchases, are not a positive development.
Exchanges for such activities accentuate the trend of hacking for profit,
which has been building for nearly two decades.  The original article is at:
http://dealbook.nytimes.com/2015/01/15/need-some-espionage-done-hackers-are-for-hire-online/

Bob Gezelter, http://www.rlgsc.com


David Cameron seemingly calls for ban or weakening of Internet crypto

Lauren Weinstein <lauren@vortex.com>
Mon, 12 Jan 2015 11:10:37 -0800
Spies should be able to monitor all online messaging, says David Cameron

*The Telegraph* via NNSquad
http://www.telegraph.co.uk/technology/internet-security/11340621/Spies-should-be-able-to-monitor-all-online-messaging-says-David-Cameron.html

  The Security Services will be given the powers to read all messages sent
  over the Internet, if the Conservatives win the general election.  David
  Cameron, the Prime Minister, made the pledge at a campaign event attended
  by up to 100 Conservative activists in Nottingham.  The police and the
  intelligence agencies have expressed concerns that they are not able to
  access the content of some of the new ways to communicate over the
  Internet.

 - - -

At face value, he appears to be saying that he wants to ban or weaken TLS
and PGP, etc.


WhatsApp and iMessage could be banned under new surveillance plans

Lauren Weinstein <lauren@vortex.com>
Mon, 12 Jan 2015 22:28:03 -0800
*The Independent* via NNSquad
http://www.independent.co.uk/life-style/gadgets-and-tech/news/whatsapp-and-snapchat-could-be-banned-under-new-surveillance-plans-9973035.html

  "The Prime Minister said today that he would stop the use of methods of
  communication that cannot be read by the security services even if they
  have a warrant. But that could include popular chat and social apps that
  encrypt their data, such as WhatsApp.  Apple's iMessage and FaceTime also
  encrypt their data, and could fall under the ban along with other
  encrypted chat apps like Telegram."


Why Western Governments Want to Destroy Computer Security—and Your Security Along the Way

Lauren Weinstein <lauren@vortex.com>
Thu, 15 Jan 2015 14:26:10 -0800
 Lauren Weinstein's Blog Update, 15 Jan 2015
http://lauren.vortex.com/archive/001084.html

It's always illuminating when the longtime enemies of security and free
speech come out from the shadows, making their intentions and sensibilities
crystal clear for all to see and understand.

Nope, I'm not talking about terrorists of whatever stripes—we've always
known how criminal scum like that thinks and how they desire to remake the
world in the image of their tiny minds and 13th century mindsets.

Nor am I speaking of Putin, Kim Jong-un, Ali Khamenei, Xi Jinping, or the
like—the iron fist with which these leaders desire to control speech and
suppress domestic dissent is all too obvious even at a glance.

No. I'm painfully forced to note the new threat matrix aimed squarely at
shedding our free speech and security rights that is spewing squarely from
Western governments—from the U.S., U.K, and across the length and breadth
of Europe.

It's tempting to suggest that this renewed push to strip us of these
fundamental rights was triggered by the recent devastating terrorist attack
in Paris—but that horrendous event serves only as an excuse for a long
simmering, long sought crackdown on Internet speech and security that has
been smoldering for ages.

Going all the way back to 1993 and the fiasco of the proposed U.S. "Clipper
Chip" reveals the U.S. intelligence community's fear of strong
cryptography. And today, the EU's enthusiastic embrace of the nightmarish
"Right to Be Forgotten" concept, and their push to apply that EU censorship
system across the entire world, gives us clues to European motives along
these lines.

So for anyone really paying close attention to these matters, the dots were
already pretty much in place, certainly sufficiently so that the latest
proposals from Western leaders shouldn't come as any kind of significant
surprise.

And those repulsive proposals have been arriving hot and heavy over the last
few days.

President Obama is reportedly to offer a vast expansion of criminal
penalties for "computer hacking" broadly defined, and as part of that
legislative package also to vastly expand the definition of hacking in the
process.

If you thought the late Aaron Swartz really had the book thrown at him by
DOJ, the new proposals would likely make that look like a paperback novel
compared with a wall of ancient encyclopedias dumped on the heads of future
defendants.

The details we've heard so far reportedly suggest that at the discretion of
prosecutors, merely clicking the wrong link on a public site, or conducting
perfectly legitimate cybersecurity research, could net you being shackled in
a federal cell for a decade or more.

But it gets worse.

Western leaders, led by David Cameron of the UK, appear poised to demand
that all Internet communications be subject to data retention and monitoring
by governments, and that no applications be permitted to deploy encryption
that the government could not disable or defeat on demand. Prime Minister
Cameron has said this explicitly of late, and is seeking support from other
European leaders and President Obama for this disastrous concept.

Let's be crystal clear about this. While the initial discussion might
revolve around instant messaging apps, it's obvious that the logical and
inevitable extension of this concept is to require the undermining of all
Internet encryption. Email. PGP. The works.

And what you can't backdoor or otherwise undermine you simply outlaw, with
criminal penalties draconian enough to scare off all but the most dedicated
or masochistic of free speech and security activists.

The word "security" is critical here, because while these leaders are
claiming that such proposals would enhance security to "protect us from the
terrorists"—in reality the proposed decimation of the foundational
structures of cryptographic systems would put all of us—our personal
information, our power systems, our industrial facilities, and so many other
aspects of our lives—at the mercy of cyberattacks newly enabled by such
weakened and so inevitably exploitable encryption ecosystems.

Without any exaggeration, this may easily be the most serious threat to
Internet security—and so to the entire global community that now depends
on the Internet for so many facets of our lives—since the first ARPANET
messages clattered over a teletype at UCLA decades ago.

Legitimate and measured means to fight against the scourge of terrorism are
essential. But those do not include trying to convert the secure
communications of law abiding citizens—billions of them—into "tap on
demand" portals for government snoops, no matter how ostensibly laudable or
graphically terrifying those officials attempt to frame their arguments.

We've all come to expect the "government owns your communications"
propaganda from Putin and his ilk.

To hear the same sort of twisted reasoning—no matter how candy coated or
sprinkled with excuses—flinging forth from our Western leaders is
disheartening in the extreme, and must not be accepted without vigorous
challenge, debate, and due consideration for the enormous damage such
proposals could easily wreak on us all.


ISIS Is Cited in Hacking of Central Command's Twitter and YouTube Accounts

Monty Solomon <monty@roscom.com>
Tue, 13 Jan 2015 08:25:24 -0500
http://www.nytimes.com/2015/01/13/us/isis-is-cited-in-hacking-of-central-commands-twitter-feed.html


Report Finds No Substitute for Mass Data Collection

Monty Solomon <monty@roscom.com>
Fri, 16 Jan 2015 15:06:40 -0500
A federal study found that there was no reliable way to get at the
communications of terrorism suspects without sweeping up records of every
call in the United States.
http://www.nytimes.com/2015/01/16/us/politics/report-finds-no-alternative-to-bulk-collection-of-phone-data.html


Passengers' Personal Data At Risk

Gabe Goldberg <gabe@gabegold.com>
Tue, 20 Jan 2015 12:24:36 -0500
Mining For Dollars

Remember a few years after 9/11 when the airlines started requiring you to
use your full name as it appears on a government issued ID, date of birth
and gender when you buy a plane ticket?

That's so the TSA can check you against the Federal No-Fly List.

But there is more than meets the eye.

In 2012, TSA rolled out "PreCheck" (or "Pre✓®"). Exempt
from Federal privacy laws, the PreCheck database contains detailed personal
information, including name, birthdate, biometric information, physical
characteristics, Social Security Number and financial information.

TSA now plans to release applicants' data to federal, state, tribal, local,
foreign governments and debt collectors.

http://strandedpassengers.blogspot.com/

...a stinky bouquet of "What could go wrong?"

Gabriel Goldberg, Computers and Publishing, Inc.       gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433


Algorithms now have PR

Christian Sandvig <csandvig@umich.edu>
Thu, 15 Jan 2015 13:05:54 -0500
Sorting, personalization, recommendation, and search algorithms now have
their own public relations, complicating the need for transparency about how
important computer systems operate.  Examples covered: quicksort represented
as a Hungarian folk dance, a cartoon that explains how Google search works,
a social media consultant that explains that Facebook is like a 19th Century
grist mill, and an advertising campaign for ask.com proclaiming that "The
Algorithm Constantly Finds Jesus."

Seeing the Sort
http://median.newmediacaucus.org/art-infrastructures-information/seeing-the-sort-the-aesthetic-and-industrial-defense-of-the-algorithm/


FCC wants to RELAX telemarketing rules for cell phones

Lauren Weinstein <lauren@vortex.com>
Sat, 17 Jan 2015 09:23:16 -0800
*Daily Finance* via NNSquad
http://www.dailyfinance.com/on/fcc-relax-robocall-rule/

  "But now the Federal Communications Commission is considering relaxing a
  key rule and allowing businesses to call or text your cellphones without
  authorization if they say they called a wrong number. The banking industry
  and collections industry are pushing for the change."

 - - -

Really bad idea—because it hands the perfect excuse to the really
evil players.


Need Some Espionage Done? Hackers Are for Hire Online

Monty Solomon <monty@roscom.com>
Fri, 16 Jan 2015 15:22:10 -0500
No longer just the domain of intelligence agencies, `hacktivists' or
criminal gangs, there is a growing cottage industry of ordinary people
hiring hackers for much smaller acts of espionage.

http://dealbook.nytimes.com/2015/01/15/need-some-espionage-done-hackers-are-for-hire-online/


4th-Party Collection: NSA's Wink Wink Nod Nod to the 4th Amendment

Henry Baker <hbaker1@pipeline.com>
Tue, 20 Jan 2015 11:23:59 -0800
FYI—You scratch my back and I'll scratch yours, whether or not I even
know you.  The NSA's "4th Party Collection" provides the mechanism for
gathering information that the NSA can't legally collect on its own.  By
spying on other spies, the NSA avoids a problem the FBI ran into in the
1950's, when there were sometimes so many illegal taps on a labor union's
phone lines that the labor unionists could barely hear the person at the
other end of the phone conversation.  The NSA has already run into computers
& routers with surveillance malware from spy organizations from multiple
countries simultaneously!

"The practice of letting other intelligence services do the dirty work and
then tapping their results is so successful that the NSA even has a name for
it: Fourth Party Collection."

http://www.spiegel.de/international/world/new-snowden-docs-indicate-scope-of-nsa-preparations-for-cyber-battle-a-1013409.html

The Digital Arms Race: NSA Preps America for Future Battle

By Jacob Appelbaum, Aaron Gibson, Claudio Guarnieri, Andy Müller-Maguhn,
Laura Poitras, Marcel Rosenbach, Leif Ryge, Hilmar Schmundt and Michael
Sontheimer

The NSA's mass surveillance is just the beginning.  Documents from Edward
Snowden show that the intelligence agency is arming America for future
digital wars—a struggle for control of the Internet that is already well
underway.  .........

Part 2: How the NSA Reads Over Shoulders of Other Spies

In addition to providing a view of the US's own ability to conduct digital
attacks, Snowden's archive also reveals the capabilities of other countries.
The Transgression team has access to years of preliminary field work and
experience at its disposal, including databases in which malware and network
attacks from other countries are cataloged.

The Snowden documents show that the NSA and its Five Eyes partners have put
numerous network attacks waged by other countries to their own use in recent
years.  One 2009 document states that the department's remit is to
"discover, understand (and) evaluate" foreign attacks.  Another document
reads: "Steal their tools, tradecraft, targets and take."

In 2009, an NSA unit took notice of a data breach affecting workers at the
US Department of Defense.  The department traced an IP address in Asia that
functioned as the command center for the attack.  By the end of their
detective work, the Americans succeeded not only in tracing the attack's
point of origin to China, but also in tapping intelligence information from
other Chinese attacks—including data that had been stolen from the United
Nations.  Afterwards, NSA workers in Fort Meade continued to read over their
shoulders as the Chinese secretly collected further internal UN data.  "NSA
is able to tap into Chinese SIGINT collection," a report on the success in
2011 stated.  SIGINT is short for signals intelligence.

The practice of letting other intelligence services do the dirty work and
then tapping their results is so successful that the NSA even has a name for
it: "Fourth Party Collection."  And all countries that aren't part of the
Five Eyes alliance are considered potential targets for use of this
"non-traditional" technique—even Germany.

'Difficult To Track, Difficult To Target'

The Snowden documents show that, thanks to fourth party collection, the NSA
succeeded in detecting numerous incidents of data spying over the past 10
years, with many attacks originating from China and Russia.  It also enabled
the Tailored Access Operations (TAO) to track down the IP address of the
control server used by China and, from there, to detect the people
responsible inside the People's Liberation Army.  It wasn't easy, the NSA
spies noted.  The Chinese had apparently used changing IP addresses, making
them "difficult to track; difficult to target."  In the end, though, the
document states, they succeeded in exploiting a central router.

The document suggests that things got more challenging when the NSA sought
to turn the tables and go after the attacker.  Only after extensive "wading
through uninteresting data" did they finally succeed in infiltrating the
computer of a high-ranking Chinese military official and accessing
information regarding targets in the US government and in other governments
around the world.  They also were able to access source code for Chinese
malware.

NSA Docs on Fourth Party Access

Description of an NSA employee on fifth party access / When the targeted
fourth party has someone under surveillance who puts others under
surveillance

http://www.spiegel.de/media/media-35679.pdf

4th-party collection / Taking advantage of non-partner computer network
exploitation activity

http://www.spiegel.de/media/media-35680.pdf

Combination of offensive and defensive missions / How fourth-party missions
are being performed

http://www.spiegel.de/media/media-35681.pdf

Overview of the TRANSGRESSION program to analyze and exploit foreign CNA/CNE
exploits

http://www.spiegel.de/media/media-35682.pdf

NSA example SNOWGLOBE, in which a suspected French government trojan is
analyzed to find out if it can be helpful for own interests

http://www.spiegel.de/media/media-35683.pdf

NSA fourth party access / "I drink your milkshake"

http://www.spiegel.de/media/media-35684.pdf

NSA Program TUTELAGE to instrumentalize third party attack tools

http://www.spiegel.de/media/media-35685.pdf

Codename BYZANTINE HADES / NSA research on the targets of Chinese network
exploitation tools, the targets and actors

http://www.spiegel.de/media/media-35686.pdf

CSEC document on the handling of existing trojans when trojanizing computers

http://www.spiegel.de/media/media-35688.pdf

Analysis of Chinese methods and performed actions in the context of computer
network exploitation

http://www.spiegel.de/media/media-35687.pdf


Ethics related to malware (George Ledin)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 21 Jan 2015 11:05:08 -0800
George Ledin <ledin@sonoma.edu> at Sonoma State has written a fairly
comprehensive treatise on the above-cited subject.

http://www.cs.sonoma.edu/ledin/malware/pdf/Sullins_Creds2014.pdf

It should be of interest to white-hat analysts, administrators, law
enforcement and defense lawyers, faculty members and university deans, and
many others.

(George is a strong advocate of not being able to defend against malware if
you don't know malware.  If you knew malware like George does, you'd be
better off.)
