The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 50

Friday 6 February 2015

Contents

Dangers of emoticons that we Had Not Considered
Mark Brader
The curious case of the disappearing Polish S*?
Gene Spafford
"New High-Tech Farm Equipment Is a Nightmare for Farmers"
Kyle Wiens via Prashanth Mundkur
Hackers could open doors of BMWs with "Connected Drive" option
Anthony Thorn
Huge Security Flaw Leaks VPN Users' Real IP-Addresses
TorrentFreak via David Farber
Anthem hacked, millions of records likely stolen
Lauren Weinstein
Anthem: Experts Suspect Lax Security Left Anthem Vulnerable to Hackers
NYT via NNSquad
Sony Hack: Koreans? Russians? Tricksy foreigners?
Chris Beck
"The worst of the worst phishing scams"
Stu Sjouwerman via Gene Wirchenko
"Adware found in Google Play store app that has been downloaded millions of times"
Candice So via Gene Wirchenko
Susan Crawford: The Internet Is Back to Solid Regulatory Ground
Seth Johnson
Tom Wheeler makes history with full-on Net neutrality proposal
Paul Venezia via Gene Wirchenko
UK access to NSA mass surveillance data was illegal, court rules
David Meyer via Dewayne Hendricks
PSA: Your crypto apps are useless unless you check them for backdoors
Dan Goodin via Dewayne Hendricks
Why Nadella's Second Year as Microsoft CEO Will Be a Lot Harder
Gabe Goldberg
NSA/FBI will want you to "vaccinate" your computer
Henry Baker
We *literally* have nothing to fear but fear itself
Yuval Noah Harari via Henry Baker
Re: Being clever vs. being smart
Amos Shapir
Re: Sustained Investment in Research Is Needed to Combat Cyberthreats
Martyn Thomas
Info on RISKS (comp.risks)

Dangers of emoticons that we Had Not Considered

Mark Brader
Fri, 6 Feb 2015 07:03:00 -0500 (EST)
Emoticons in texts can rack up huge bills
Jane Wakefield, BBC, 5 February 2015
http://www.bbc.co.uk/news/technology-31148424

Many people use icons in text messages as a way of expressing emotions

People using emoticons (emojis) that denote happy, sad or other emotions in
their text messages could be racking up big bills, the BBC has learned.
Consumer website MoneySavingExpert has received a large number of complaints
about the issue.  It seems to affect older models of phones, including some
Samsung and Apple handsets.  In Scotland, a woman ran up bills totaling
over £1,000 after adding emoticons to text messages.

The issue revolves around how the handset interprets the icons, known as
emoticons or emojis.  In some cases, especially on older handsets, the
emoticons are converted into MMS (multi-media service) messages, which can
cost up to 40p each depending on the network.  [PGN-ed...  This is enough
to make some people emote even more.  (:< ]


The curious case of the disappearing Polish S*?

Gene Spafford <spaf@purdue.edu>
Tue, 3 Feb 2015 10:18:05 -0500
This is an interesting story of how a combination events over decades
resulted in a small annoying bug.  The conclusion is that given enough time,
there won't be people around who recognize the history and reasons.  An
implication is that it may be more difficult to find such bugs.

I think the regular RISKS reader can generalize this to a much broader set
of things that may start popping up in decades to come.

Takeaway: assumptions and workarounds are contextual, and context changes
with time.

https://medium.com/medium-eng/the-curious-case-of-disappearing-polish-s-fa398313d4df

  [* We need Reverse Polish ASCII to include this S-variant character from
  Polish keyboards.  This is really a nifty item, and a nice illustration
  of a really convoluted risk.  PGN]


"New High-Tech Farm Equipment Is a Nightmare for Farmers" (Kyle Wiens)

Prashanth Mundkur <prashanth.mundkur@gmail.com>
Fri, 6 Feb 2015 10:20:05 -0800
Kyle Wiens, WiReD, 02.05.2015
http://www.wired.com/2015/02/new-high-tech-farm-equipment-nightmare-farmers/

  The cost and hassle of repairing modern tractors has soured a lot of
  farmers on computerized systems altogether. In a September issue of Farm
  Journal, farm auction expert Greg Peterson noted that demand for newer
  tractors was falling. Tellingly, the price of and demand for older
  tractors (without all the digital bells and whistles) has picked up.  "As
  for the simplicity, you've all heard the chatter.  There's an increasing
  number of farmers placing greater value on acquiring older simpler
  machines that don't require a computer to fix."  (Machinery Pete)


Hackers could open doors of BMWs with "Connected Drive" option

Anthony Thorn <anthony.thorn@atss.ch>
Fri, 06 Feb 2015 09:40:53 +0100
According to BMW this vulnerability has now been patched.

At the time of my initial investigation, ConnectedDrive included six
security vulnerabilities:
  - BMW uses the same symmetric keys in all vehicles.
  - Some services do not encrypt messages in transit between the car
    and the BMW backend.
  - The ConnectedDrive configuration data isn't tamper-proof.
  - The Combox discloses the VIN via NGTP error messages.
  - NGTP data sent via text messages is encrypted with the insecure
    DES method.
  - The Combox does not implement protection to guard against replay
    attacks.

Details:
http://www.heise.de/ct/artikel/Beemer-Open-Thyself-Security-vulnerabilities-in-BMW-s-ConnectedDrive-2540957.html

My "Risks" lessons - some old stories:

The use of "Global Keys" in a large network is a SIN! (point 1 above)

Vulnerabilities often result from backward compatibility. In this case the
hacker can reverse engineer the oldest (cheapest) BMW he can find with
Connected Drive.

Security through obscurity is vulnerable, because reverse-engineering
techniques have become alarmingly powerful.

The high-level design may be (fairly) secure, but vulnerabilities can be
found in the configuration details.


Huge Security Flaw Leaks VPN Users' Real IP-Addresses (TorrentFreak)

"David Farber via ip" <ip@listbox.com>
Sun, 1 Feb 2015 16:20:51 -0500
http://torrentfreak.com/huge-security-flaw-leaks-vpn-users-real-ip-addresses-150130/


Anthem hacked, millions of records likely stolen

Lauren Weinstein <lauren@vortex.com>
Wed, 4 Feb 2015 21:31:05 -0800
  Anthem said Wednesday that its database has been hacked, potentially
  exposing personal information about 80 million of its customers and
  employees.  The health insurer said the breach exposed "names, birthdays,
  social security numbers, street addresses, email addresses and employment
  information, including income data," but added that no financial
  information, including credit card details, was compromised.
  [Source: CNBC via NNSquad]
    http://www.cnbc.com/id/102398852#

"Income data" isn't financial information?


Anthem: Experts Suspect Lax Security Left Anthem Vulnerable to Hackers

Lauren Weinstein <lauren@vortex.com>
Thu, 5 Feb 2015 19:37:00 -0800
*The New York Times* via NNSquad
http://www.nytimes.com/2015/02/06/business/experts-suspect-lax-security-left-anthem-vulnerable-to-hackers.html?partner=rss&emc=rss

  "The hackers are thought to have infiltrated Anthem's networks by using a
  sophisticated malicious software program that gave them access to the
  login credential of an Anthem employee."

 - - -

Looks like no 2-factor in use. Of course. I'm thinking more and more
that 2-factor systems are going to have to be mandated in some manner.


Sony Hack: Koreans? Russians? Tricksy foreigners?

"Chris Beck" <cbeck@pacanukeha.net>
Feb 5, 2015 8:02 PM
A report that the Sony hack is a) ongoing and b) done by Russians.

http://consumerist.com/2015/02/05/report-russians-not-just-north-korea-behind-sony-data-hack-are-still-doing-it-right-now/


"The worst of the worst phishing scams" (Stu Sjouwerman)

Gene Wirchenko <genew@telus.net>
Thu, 05 Feb 2015 10:15:23 -0800
Stu Sjouwerman, *CSO*, 3 Feb 2015
http://www.csoonline.com/article/2879028/social-engineering/the-worst-of-the-worst-phishing-scams.html

The depths a phishing scammer will stoop to in order to gain a buck are
remarkable. Here are some of the bottom feeders to guard against in your
inbox. [...]


"Adware found in Google Play store app that has been downloaded millions of times" (Candice So)

Gene Wirchenko <genew@telus.net>
Wed, 04 Feb 2015 11:38:27 -0800
Candice So, *IT Business*, 3 Feb 2015

http://www.itbusiness.ca/news/adware-found-in-google-play-store-app-that-has-been-downloaded-millions-of-times/53578


Susan Crawford: The Internet Is Back to Solid Regulatory Ground

Seth Johnson <seth.p.johnson@gmail.com>
February 5, 2015 at 21:00:06 EST
[Note: This item comes to RISKS via Dewayne Hendricks via Dave Farber.]

One thing that can clearly be said at this point. We do not yet see Wheeler
actually applying Title II properly, in a way consistent with the limits
described here (and his commentary has clearly been inconsistent with this
characterization, both all along and at the moment of this announcement of
the policy approach), but he has chosen the correct substantive basis to
proceed on. The basis in Title II does put the law back on the grounds on
which it's supposed to be based.  Seth

 - - - -

Susan Crawford, The Internet Is Back to Solid Regulatory Ground
Feb 5 2015

http://www.nytimes.com/roomfordebate/2015/02/04/regulate-internet-providers/the-internet-is-back-to-solid-regulatory-ground

The news that the head of the Federal Communications Commission just
proposed that the agency should use its authority—under Title II of the
Telecommunications Act—to oversee high-speed Internet access services
should be welcomed by all who use the Internet.

But let's be clear about what this is and isn't.

He's not proposing to "regulate the Internet" or the websites of businesses
that use the Internet to reach customers. This would not constrain what
Americans can say online, nor would it constrain the extraordinary
innovation that has come about because of the Internet's borderless and
permission-free nature.

Tom Wheeler is simply saying that the F.C.C. should have solid legal
authority over the physical wires, tubes and towers located in the United
States that move information from Point A to Point B. And that's all he's
doing.

Today, the private operators of this basic, two-way communications
infrastructure—in effect, the general-purpose replacement for the
telephone network—are free of any oversight. Left to their own devices,
the companies selling Internet access will reasonably act to discriminate
against existing competitors, make entry by new competitors more difficult,
and make more money any way they can from their existing infrastructure --
including by collaborating with one another to divide markets.

The F.C.C. has been worried about this kind of thing for a while now. But
because a prior F.C.C. had taken a sharp deregulatory turn under
then-chairman (now cable industry advocate) Michael Powell—who put
high-speed Internet access in an unregulated category under the Telecom Act
-- the Obama-era F.C.C. was powerless to address these problems. The D.C.
federal court of appeals twice told the F.C.C. that it couldn't regulate
with one hand, by imposing "Open Internet" rules, for example, and
deregulate with the other.

Now, the chairman is saying that the F.C.C. will return to the solid
regulatory ground that made the commercial Internet possible in the first
place. High-speed Internet access is indeed a regulated service. This may
not be good news for Comcast, Verizon, AT&T and Time Warner Cable—who,
among other things, want to make more money by demanding extra payments from
popular online companies like Netflix—but it is great news for every
other part of American society.


Tom Wheeler makes history with full-on Net neutrality proposal (Paul Venezia)

Gene Wirchenko <genew@telus.net>
Thu, 05 Feb 2015 10:01:02 -0800
Paul Venezia, InfoWorld, 4 Feb 2015
http://www.infoworld.com/article/2878968/net-neutrality/fcc-tom-wheeler-internet-vote-title-ii-reclassification.html


UK access to NSA mass surveillance data was illegal, court rules (David Meyer)

"Hendricks Dewayne" <dewayne@warpspeed.com>
Feb 6, 2015 7:19 AM
David Meyer, GigaOM, 6 Feb 2015, via Dave Farber
https://gigaom.com/2015/02/06/uk-access-to-nsa-mass-surveillance-data-was-illegal-court-rules/

The system through which U.K. spy agency GCHQ can access data from NSA mass
surveillance programs was in violation of fundamental rights, the
Investigatory Powers Tribunal has ruled. However, the limits of that finding
have left human rights groups dissatisfied.
<https://gigaom.com/2014/10/28/uk-spies-can-get-intercepted-communications-from-nsa-without-warrant-government-lawyers-admit/>

The decision came as a result of a case brought about by Privacy
International, Liberty and other human rights groups regarding the Prism and
Upstream programs. Prism is the scheme through which U.S. intelligence gets
users' communications from service providers in that country, and Upstream
intercepts bulk data from the Internet's core infrastructure.
<http://www.ipt-uk.com/docs/Liberty_Ors_Judgment_6Feb15.pdf>

In December the IPT ruled that it was legal in principle for GCHQ get data
from these programs now—i.e., from December 2014, in the post-Snowden
world, where people actually know what's going on—but it held back on
saying whether there had been historical breaches of human rights.
<https://gigaom.com/2014/12/05/uk-cable-tapping-programs-are-legal-spy-court-rules/>

Having subsequently heard out both the complainants and the intelligence
agencies, the tribunal said on Friday that the data-sharing regime had
violated the rights to privacy and free expression, as set out in Articles 8
and 10 of the European Convention on Human Rights. However, it reiterated
that it believes the system now no longer does so.
<http://www.ipt-uk.com/docs/Liberty-Order6Feb15.pdf>
<http://www.echr.coe.int/Documents/Convention_ENG.pdf>

In a statement on Friday, Privacy International said it and Pakistani NGO
Bytes For All would ask the IPT, which generally acts as a secret court, to
"confirm whether their communications had been unlawfully collected prior
to December 2014 and, if so, demand their immediate deletion."
<https://gigaom.com/2014/01/09/pakistani-human-rights-group-sues-uk-government-over-surveillance/>

The groups also disputed the December ruling's assertion that the disclosure
of "a limited subset of rules governing intelligence-sharing and mass
surveillance" made everything OK. They will now appeal that ruling with the
European Court of Human Rights, as will Liberty.

Here's what Liberty legal director James Welch said in the statement:

We now know that, by keeping the public in the dark about their secret
dealings with the National Security Agency, GCHQ acted unlawfully and
violated our rights. That their activities are now deemed lawful is thanks
only to the degree of disclosure Liberty and the other claimants were able
to force from our secrecy-obsessed Government.

But the Intelligence Services retain a largely unfettered power to rifle
through millions of people's private communications, and the Tribunal
believes the limited safeguards revealed during last year's legal
proceedings are an adequate protection of our privacy. We disagree, and will
be taking our fight to the European Court of Human Rights.

"We must not allow agencies to continue justifying mass surveillance
programs using secret interpretations of secret laws," Privacy
International deputy director Eric King added. "The world owes Edward
Snowden a great debt for blowing the whistle, and today's decision is a
vindication of his actions."


PSA: Your crypto apps are useless unless you check them for backdoors (Dan Goodin)

Hendricks Dewayne <dewayne@warpspeed.com>
February 5, 2015 at 7:56:46 AM EST
Dan Goodin, Ars Technica, 4 Feb 2015
Paranoid, or: How I learned to stop griping and love digital signatures.
<http://arstechnica.com/security/2015/02/psa-your-crypto-apps-are-useless-unless-you-check-them-for-backdoors/>

At the beginning of the year, I did something I've never done before: I made
a new year's resolution. From here on out, I pledged, I would install only
digitally signed software I could verify hadn't been tampered with by
someone sitting between me and the website that made it available for
download.

It seemed like a modest undertaking, but in practice, it has already cost me
a few hours of lost time. With practice, it's no longer the productivity
killer it was. Still, the experience left me smarting. In some cases, the
extra time I spent verifying signatures did little or nothing to make me
more secure. And too many times, the sites that took the time to provide
digital signatures gave little guidance on how to use them. Even worse, in
one case, subpar security practices of some software providers undercut the
protection that's supposed to be provided with digitally signed code. And in
one extreme case, I installed the Adium instant messaging program with no
assurance at all, effectively crossing my fingers that it hadn't been
maliciously modified by state-sponsored spies or criminally motivated
hackers. More about those deficiencies later—let's begin first with an
explanation of why digital signatures are necessary and how to go about
verifying them.

By now, most people are familiar with man-in-the-middle attacks. They're
waged by someone with the ability to monitor traffic passing between an end
user and a website—for instance, a hacker sniffing an unsecured Wi-Fi
connection or the National Security Agency sniffing the Internet
backbone. When the data isn't encrypted, the attacker can not only read
private communications but also replace legitimate software normally
available for download with maliciously modified software. If the attack is
done correctly, the end user will have no idea what's happening. Even when
Web connections are encrypted with the HTTPS standard, highly skilled
hackers still may be able to seed a website with malicious counterfeit
downloads. That's where digital signatures come in.

A prime candidate for such an attack is the OTR plugin for the Pidgin
instant messenger. It provides the means to encrypt messages so (1) they
can't be read by anyone monitoring the traffic sent between two parties and
(2) each party can know for sure that the person on the other end is, in
fact, who she claims to be. Fortunately, the OTR installer is provided
through an encrypted HTTPS connection, which goes a long way to thwarting
would-be man-in-the-middle attackers. But strict security practices require
more, especially for software as sensitive as OTR. That's why the developers
included a GPG signature users can check to verify that the executable file
hasn't been altered in any way.

I ended up burning about 90 minutes figuring out how to verify the signature
using Gpg4win, the Windows-based e-mail encryption suite Ars wrote about
almost two years ago. No doubt, more technically adept people than me would
have spent only a small fraction of the time I did, but that misses the
point. In a post-Snowden era, encryption is no longer the exclusive domain
of developers, hackers, and technology professionals. Increasingly, it's a
prerequisite for lawyers, journalists, and anyone else duty-bound to keep
secrets.

OTR didn't provide instructions, so I'll show how I did it, with the
understanding that installation of Gpg4win, the Mac-based GnuPG, or a
similar program for Linux is a prerequisite. (Fortunately, Gpg4win is
digitally signed with a key that has been verified by a recognized
certificate authority. The digital signature and checksums available online
provide further verification.) First I downloaded the pidgin-otr-4.0.1.exe
installer, the GPG signature for that file, and the public key the OTR
developers used to generate the signature. I then opened Kleopatra, a key
management program included with Gpg4win, clicked the Import button, and
navigated to the directory storing the public key. (Alternatively, I could
have right-clicked on the signature file and highlighted "More GpgEX
options" and selected "Import keys.") Like magic, Kleopatra showed the key
as belonging to the OTR Dev Team. [...]
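The verification steps Goodin walks through above, as an added shell example (not code from the article, Ars Technica or the OTR project): it assumes GnuPG 2.x is installed, and the key, the "installer" and the signature are all constructed throwaways generated in a temporary keyring. It adds the check a practitioner wants at the "like magic" step: comparing the signer's fingerprint against a value obtained out of band, rather than trusting the name the key displays.

```shell
#!/bin/sh
# Added example (not from the article or the OTR project): verify a detached
# GPG signature on a downloaded file the way Goodin describes, but from the
# shell and with one extra check: the signing key's fingerprint must match a
# value obtained out of band, not just a friendly name carried in the key.
# Everything is constructed: a throwaway key in a temporary GNUPGHOME, a
# dummy "installer" standing in for pidgin-otr-4.0.1.exe, and its .asc.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# Stand-in for "the public key the OTR developers used": a throwaway
# RSA signing key generated unattended into the temporary keyring.
make_signing_key() {
  gpg --batch --quiet --gen-key 2>/dev/null <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: OTR Dev Team (constructed example)
Name-Email: otr-example@example.invalid
Expire-Date: 0
%commit
EOF
}

# Fingerprint (40 hex digits) of the first public key in the keyring.
# In real life this value comes from a second channel: the project's page
# over HTTPS, a signed announcement, a person you trust; never the same
# download directory that served the key.
key_fingerprint() {
  gpg --batch --with-colons --fingerprint 2>/dev/null |
    awk -F: '/^fpr:/ { print $10; exit }'
}

# Stand-in for the installer download and its detached, ASCII-armored signature.
make_signed_download() {
  printf 'constructed stand-in for pidgin-otr-4.0.1.exe\n' > "$WORK/installer.exe"
  gpg --batch --yes --quiet --armor --detach-sign \
      --output "$WORK/installer.exe.asc" "$WORK/installer.exe" 2>/dev/null
}

# The check: the signature must be GOOD and made by the expected key.
# gpg's machine-readable status lines (--status-fd) are parsed rather than
# its human-readable output, which varies by locale and version.
# Usage: verify_download FILE SIGNATURE EXPECTED_FINGERPRINT  -> prints ok|FAIL
verify_download() {
  status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
  signer=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ { print $3; exit }')
  if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG' && [ "$signer" = "$3" ]; then
    echo ok
  else
    echo FAIL
  fi
}

make_signing_key
EXPECTED_FPR=$(key_fingerprint)
make_signed_download

# Case 1: untampered file, expected signer -> ok
GOOD=$(verify_download "$WORK/installer.exe" "$WORK/installer.exe.asc" "$EXPECTED_FPR")
# Case 2: good signature, but not from the key we were told to expect -> FAIL
WRONG_KEY=$(verify_download "$WORK/installer.exe" "$WORK/installer.exe.asc" \
            "0000000000000000000000000000000000000000")
# Case 3: a man-in-the-middle altered the download (one appended line) -> FAIL
printf 'appended after signing\n' >> "$WORK/installer.exe"
TAMPERED=$(verify_download "$WORK/installer.exe" "$WORK/installer.exe.asc" "$EXPECTED_FPR")

echo "untampered: $GOOD   wrong key: $WRONG_KEY   tampered: $TAMPERED"
```

Case 2 is the one Kleopatra's "belongs to the OTR Dev Team" display does not cover: a key that merely names the right team still verifies, so the fingerprint comparison is what ties the signature to the developers.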


Why Nadella's Second Year as Microsoft CEO Will Be a Lot Harder

Gabe Goldberg <gabe@gabegold.com>
Wed, 04 Feb 2015 09:13:28 -0500
Bloomberg

Internally, Nadella is cutting through Microsoft's bureaucracy to get things
done. He has changed the way engineering teams are structured, largely
eliminating testers to speed software releases...

http://www.bloomberg.com/news/articles/2015-02-04/why-nadella-s-second-year-as-microsoft-ceo-will-be-a-lot-harder

Fasten your seatbelts, it could be a bumpy second year. Eliminating
testers—just bureaucracy, after all—what could go wrong with THAT?

Gabriel Goldberg, Computers and Publishing, Inc. gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042  (703) 204-0433


NSA/FBI will want you to "vaccinate" your computer

Henry Baker <hbaker1@pipeline.com>
Wed, 04 Feb 2015 07:14:16 -0800
Be very, very careful what you wish for.  The exact same arguments for
forcing parents to vaccinate their children will be used to force everyone
to "vaccinate" their computers with NSA/GCHQ-approved spyware prior to being
allowed to connect to the Internet.  The Chinese are nearly there already.

Once everyone's computers have been "vaccinated", it [would then be
considered] "safe" to introduce Internet voting.  From then on, a simple
hack can silently steal elections.

To the computer vaxxers: please don't give totalitarian government to my
tiny, helpless future baby.

To the anti-vaxxers: please don't give measles to my tiny, helpless future baby
Lindy West, *The Guardian*, 3 Feb 2015
http://www.theguardian.com/society/commentisfree/2015/feb/03/anti-vaxxers-vaccination-nature

The anti-vaccination movement is spreading across the US on the back of
ideas about `all-natural' lifestyles.  They're right about one thing: there
is nothing more natural than dying from measles.

  [And of course, you would have to TRUST the vaccination-ware not to
  include deleterious effects, just as you have to trust anti-virus
  software!  PGN]


We *literally* have nothing to fear but fear itself (Yuval Noah Harari)

Henry Baker <hbaker1@pipeline.com>
Mon, 02 Feb 2015 20:23:53 -0800
[I realize that this essay is long, but it should be read in its entirety.]
  [I agree it should be read in its entirety.  But it is still too long
  and perhaps even not quite right for RISKS in its entirety.  PGN]

Modern societies are literally scaring themselves to death.  Just as
auto-immune diseases cause the host to start attacking itself, our
irrational fears have caused an auto-paranoia that is shredding our liberal
democracies before our eyes.

http://www.theguardian.com/books/2015/jan/31/terrorism-spectacle-how-states-respond-yuval-noah-harari-sapiens

Yuval Noah Harari: the theatre of terror

Terrorists have almost no military strength so they create a spectacle.  How
should states respond?  The author of Sapiens, a history of humanity,
reflects on the past, and alarming future, of the fear factor

Yuval Noah Harari, 31 January 2015

As the literal meaning of the word indicates, terror is a military strategy
that hopes to change the political situation by spreading fear rather than
by causing material damage.  This strategy is almost always adopted by very
weak parties, who are unable to inflict much material damage on their
enemies.  Of course, every military action spreads fear.  But in
conventional warfare, fear is a byproduct of material losses, and is usually
proportional to the force inflicting the losses.  In terrorism, fear is the
whole story, and there is an astounding disproportion between the actual
strength of the terrorists and the fear they manage to inspire. [PGN-ed ...]

Yuval Noah Harari is the author of Sapiens: A Brief History of Humankind.


Re: Being clever vs. being smart

Amos Shapir <amos083@gmail.com>
Tue, 3 Feb 2015 00:54:27 +0200
The best distinction I've heard is: "A clever person can get out of
situations, which a wise person would have never gotten himself into in the
first place" :-)


Re: Sustained Investment in Research Is Needed to Combat Cyberthreats (Risks 28.49)

Martyn Thomas <martyn@thomas-associates.co.uk>
Tue, 03 Feb 2015 08:58:46 +0000
A good start would be to follow the advice from the 1968 NATO conference on
Software Engineering.  For example, to use strongly typed languages that
support strong static analysis tools and to act on the insight that testing
can only show the presence of bugs, never the absence.