The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 51

Thursday 12 February 2015

Contents

Can Open-Source Voting Tech Fix the U.S. Elections System?
Techonomy
Stop the Mass Hacks Attacks: Use Strong 2-Factor Authentication or Go to Jail!
Lauren Weinstein
Study concludes use of GOTOs in code is *not* harmful in practice
Peerj
Report Sees Weak Security in Cars' Wireless Systems
Aaron M. Kessler
NSA datacenter said to provoke attacks against Utah state
Mark Thorson
Sites featuring terrorism or child pornography to be blocked in France
Lauren Weinstein
Internet providers lobby against backup power rules for phone lines
Ars
Report Sees Weak Security in Cars' Wireless Systems
Aaron M. Kessler via Monty Solomon
Uncovering security flaws in digital education products for schoolkids
NYTimes via Monty Solomon
New Microsoft Outlook app could infringe on businesses' privacy
Candice So via Gene Wirchenko
Microsoft Active Directory bug permits remote code execution
Bob Gezelter
Samsung's privacy policy warns: customers' smart TVs are listening
Lauren Weinstein
Samsung SmartTV voice commands could present an intrusion into user privacy
Candice So via Gene Wirchenko
How a Lone Hacker Shredded the Myth of Crowdsourcing
Lauren Weinstein
Jeb Bush publishes e-mail personal info of Florida residents online
The Verge
Outflow-valve controllers
Craig Burton
Re: Dangers of emoticons that we Had Not Considered
Dmitri Maziuk
Info on RISKS (comp.risks)

Can Open-Source Voting Tech Fix the U.S. Elections System? (Techonomy)

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 7 Feb 2015 9:37:37 PST
http://techonomy.com/2015/02/can-open-source-voting-tech-fix-u-s-election-systems

American voting technology is trapped in the last millennium.  This lifeline
to democracy is kept secret—closed off from public inspection and
controlled by large businesses.  It is decades old to boot.  Our voting
methods ought to be at least as cutting edge as our selfie apps, but they're
not.

"Our nation's elections systems and technology are woefully antiquated.
They are officially obsolete," says Greg Miller of the TrustTheVote
Project, an initiative to make our voting system accurate, verifiable,
transparent, and secure. He adds: "It's crazy that citizens are using
twentieth-century technology to talk to government using twentieth-century
technology to respond."

Miller and others are on a mission to change that with an entirely new
voting infrastructure built on open-source technology. They say open source,
a development model that's publicly accessible and freely licensed, has the
power to upend the entire elections technology market, dislodging incumbent
voting machine companies and putting the electorate at the helm.

With Miller's system, we'd still go to the polls to vote and use a machine
to cast our ballot. But the software on that machine would be completely
open to public inspection. While coders wouldn't be able to edit or tamper
with the code, technically literate citizens would be able to, in effect,
cross-examine the processes tabulating all of our votes, verifying their
integrity and assuring accountability.

The organization behind TrustTheVote, the Open Source Elections Technology
Foundation (OSET), believes open-source voting software can instill
confidence that people's votes are being counted.  "Make that machine a
glass box instead of a black box," says Miller, who chairs OSET. He says
that will get more voters to the polls.

Other organizations like the California Association of Voting Officials
(CAVO) are also working to bring open-source principles to American
elections.  "Every ballot that's cast in the United States is counted by a
machine, so we owe it to the voters and the public to use the most secure,
most transparent, most auditable technology," says former CAVO President
Kammi Foote, who is also the elected registrar of voters for Inyo County,
California.  "Open source has proven itself in the private sector," says
Foote.  "Now governments around the world are starting to look at open
source as a good business model."

  [Long item PGN-truncated for RISKS.  Of course, open-source systems would
  be a huge advance over proprietary vendor-controlled systems, but are of
  course only one piece of the puzzle that also involves compromised
  registration processes, gerrymandering, insider manipulations, unlimited
  contributions for the best elections money can buy, and many other risks.
  PGN]


Stop the Mass Hacks Attacks: Use Strong 2-Factor Authentication or Go to Jail!

Lauren Weinstein <lauren@vortex.com>
Sat, 7 Feb 2015 09:54:23 -0800
http://lauren.vortex.com/archive/001085.html

I'm opposed to capital punishment for a whole slew of reasons, but every
time I hear about a hack attack exposing masses of innocent persons'
information, I find myself reconsidering that penalty—not for the
hackers, but for the irresponsible system administrators and their bosses
who leave their operations so incredibly exposed when effective solutions
are available—and have been for quite some time.

OK, perhaps capital punishment for them would be going a bit too far, but
I'll bet that spending a couple of years shackled in a cell with their new
best friend "Bubba" would impress upon them the seriousness of the
situation.

If we look at what is publicly known about the recent Sony hack, and the
just announced and potentially much more devastating Anthem attack—plus a
whole list of other similar mass data thefts, a number of common threads
quickly emerge.

First, these typically have nothing to do with failures of communications
link security. They weren't attacks on SSL/TLS, they didn't involve
thousands of supercomputer instances chomping on data for months to enable
the exploits. Nor were they in any way the fault of weak customer passwords
-- which are bad news for those customers of course, but shouldn't enable
mass exploits.

By and large, what you keep hearing about these cases is that they were based
on the compromise of administrative credentials.

What this means in plain English is that an attacker managed to get hold of
some inside administrator's login username and password, typically via email
phishing or some other "social engineering" technique.

When these successful attacks are belatedly reported to the affected
customers and the public, they're almost always framed as "incredibly
sophisticated" in nature.

That's usually bull, a way to try to convince people that "Golly, those hackers
were just so incredibly smart that even our crack IT team didn't have a
chance against them!"

Usually though, the attacks are incredibly unsophisticated—they're simply
relentless and keep pounding away until somebody with high level
administrative access falls for them. Then, boom!

It's often argued that important financial and similar data should be kept
encrypted—and this is certainly true. But so long as system
administrators have the need and ability to access data in the clear,
encryption alone doesn't address these problems. Rigorous control and
auditing systems to prevent unnecessary access to data en masse can also
help ("Does Joe really need to copy 80 million customer records to a Dropbox
account?")—but this won't by itself solve the problem either.

The foundational enabling feature of so many successful mass attacks is
failures of authentication protocols and processes in the broadest sense,
and ironically, getting a handle on authentication is at least relatively
straightforward.

Many firms aren't terribly interested in implementing even middling quality
authentication, because they have faith in their firewalls to keep external
attacks at bay.

This is an incredibly risky attitude. Over-reliance on firewalls—that is,
perimeter computer security—is sucker bait, because once an intruder
obtains high level administrative credentials, they can often plant software
inside the firewall, and send data out in various ways with relative
impunity. After all, most corporate firewalls are designed to keep outsiders
out, not to wall insiders off from the public Internet.

To put this another way, a properly designed security system should in most
instances be location agnostic—employees should be able to work from home
with the same (hopefully high) level of security they would have at the
office. This isn't to say that secure deployment and administration of VPNs
and associated systems are trivial, but they aren't rocket science, either.

Yet the real elephant in the room is at the basic authentication level, the
usernames and passwords that most firms still rely upon as their only means
of administrator authentication on their internal systems. And so long as
this is the case, we're going to keep hearing about these mass attacks.

Yes, you can try to force employees to choose better passwords. But passwords
that are hard to remember get written down, and forcing them to be changed
too often can make matters worse rather than better. The problem cannot be
solved with passwords alone.

And—"surprise, surprise, surprise" (as Gomer Pyle used to say—go
ahead, Google him)—the technology to drastically improve the
authentication environment not only exists, but is already in use in many
applications that arguably are of a less critical nature in most cases than
financial and insurance data.

I'm speaking of 2-factor or "multiple factor" authentication/verification
systems, the requirement that system access is based on "something you know"
and "something you have"—not on just one or the other.

One of the best implementations of 2-factor is that deployed by Google,
which offers a variety of means for fulfilling the "what you have"
requirement—text messages, phone calls, phone apps, and cryptographic
security keys.  https://www.google.com/landing/2step/#tab=how-it-works

Different forms of multiple factor have varying relative levels of
protection. For example, the use of "one time passwords" generated by apps
or hardware tokens is not absolutely phishing-proof, but is a damned sight
better than a conventional username and password pair alone. Security keys,
which can interface with user systems via USB or in some cases NFC (Near
Field Communications) technology, are the most secure method to date, and a
single key can protect a whole variety of accounts—even at different
firms—while still keeping the associated credentials isolated from one
another.

And this brings us back to Bubba. While one never wants unnecessary mandates
and legislation, sometimes you can't depend on industry to always "do the
right thing" when it comes to security, when the intrinsic costs for the
sloppy status quo are relatively low.

So while some countries and U.S. states do have laws about encryption of
customer data, or notification of customers when breaches occur, there is
little sense of closing the barn door before—not after—the cows have
escaped.

After all, these careless firms usually have pretty easy outs when big
breaches occur. They offer you free "credit monitoring" after the fact. Gee,
thanks guys. They usually manage to pass along associated costs and fines to
their customers. Another big thank you punch to the gut.

How to really get their attention?

Maybe they'd notice potential prison time for top executives of firms that
deal primarily with sensitive consumer personal information (like banks,
insurance companies, and so on) who voluntarily refuse to implement
appropriate, modern internal security controls—such as strong multiple
factor logins—and then suffer mass consumer data hacks as a result.

I'm not even arguing here and now that they must provide such systems to
their individual customers—though they really, seriously should.  Nor am
I suggesting such sanctions for failure of security systems that were
deployed and operating competently and in good faith. After all, no security
tech is perfect.

But I am putting forth the "modest proposal" that these types of firms be
given some reasonable period of time to implement internal security systems
including strong multiple factor verification, and if they refuse to do so
and then suffer a mass data breach, the associated executives should be
spending some time in the orange or striped jumpsuits.

Perhaps that prospect will light a fire under their you-know-whats.

Now, do I really believe it's likely that anything of this sort will
actually come to pass? Hell no, after all, these are the kinds of firms that
basically own our politicians.

But then again, if enough of these mass data thefts keep occurring, and
enough people get seriously upset, the dynamic might change in ways that
would have seemed fanciful only a few years earlier.

So despite the odds, my free advice to those execs would be to get moving on
those internal multiple factor authentication systems now, even in the
absence of legislative mandates requiring their use.

Because, ya' know, Bubba will be patiently waiting for you.


Study concludes use of GOTOs in code is *not* harmful in practice

Lauren Weinstein <lauren@vortex.com>
Thu, 12 Feb 2015 10:12:39 -0800
Peerj via NNSquad

  "We conclude that developers limit themselves to using goto appropriately
  in most cases, and not in an unrestricted manner like Dijkstra feared,
  thus suggesting that goto does not appear to be harmful in practice."
  https://peerj.com/preprints/826v1/


Report Sees Weak Security in Cars' Wireless Systems (Aaron M. Kessler)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 12 Feb 2015 16:27:29 PST
Aaron M. Kessler, *The New York Times*, 9 Feb 2015

Serious gaps in security and customer privacy affect nearly every vehicle
that uses wireless technology, according to a report being released by
Senator Edward J. Markey.  The report concludes that security to prevent
hackers from gaining control of a vehicle's electronics is "inconsistent
and haphazard" and that the majority of automakers do not have systems that
can detect breaches or quickly respond to them.  [PGN-ed]

This should not be news to RISKS readers, but does show that someone in the
Senate actually cares.  Next maybe they'll get to the Internet of Things,
the Smart Grid, the Critical National Infrastructures, and everything else.

Tomorrow of course is President Obama's Cybersecurity Summit at Stanford.


NSA datacenter said to provoke attacks against Utah state

Mark Thorson <eee@sonic.net>
Sat, 7 Feb 2015 18:59:13 -0800
Massive increase in attacks on Utah state government attributed to presence
of NSA's datacenter.

http://www.sltrib.com/news/2135491-155/massive-utah-cyber-attacks-may-be


Sites featuring terrorism or child pornography to be blocked in France

Lauren Weinstein <lauren@vortex.com>
Sat, 7 Feb 2015 12:12:49 -0800
Ars via NNSquad
http://arstechnica.com/tech-policy/2015/02/sites-featuring-terrorism-or-child-pornography-to-be-blocked-in-france/

  "Now, the General Directorate of the National Police and its cybercrimes
  unit will be able to request that sites serving terrorist or
  pedophilia-related content be blocked by Internet Service Providers
  serving people in France and its territories. ISPs then have to comply
  with the request within 24 hours. ISPs will be able to request
  compensation from the French government for any extra costs incurred in
  blocking the sites."

Sorry, France!  Not only is that not going to work, but you'll actually be
making matters worse.  Typical.


Internet providers lobby against backup power rules for phone lines

Lauren Weinstein <lauren@vortex.com>
Mon, 9 Feb 2015 10:51:06 -0800
Ars via NNSquad
http://arstechnica.com/business/2015/02/internet-providers-lobby-against-backup-power-rules-for-phone-lines/

  "The Federal Communications Commission is considering whether to impose
  backup power requirements on Internet providers that offer phone service,
  but cable companies and telcos don't want to be required to keep customers
  connected through long power outages."

 - - -

And this, boys and girls, demonstrates most clearly and decisively the
depths of degradation of the dominant ISPs—cable cos, and telcos.
Remember, the telcos are lobbying the FCC to eliminate landline requirements
and have been aggressively forcing customers to move to cable, wireless, and
fiber-based systems that are far less reliable than copper in
emergencies. Depending on consumers to keep backup systems running is a
recipe for utter disaster—yes, and deaths.  Having been through two major
earthquakes here in L.A., this isn't just a theoretical concern to me.


Report Sees Weak Security in Cars' Wireless Systems (Aaron M. Kessler)

Monty Solomon <monty@roscom.com>
Mon, 9 Feb 2015 09:01:21 -0500
Aaron M. Kessler, *The New York Times*, 8 Feb 2015

Washington—Serious gaps in security and customer privacy affect nearly
every vehicle that uses wireless technology, according to a report set to be
released on Monday by a senator's office.

http://www.nytimes.com/2015/02/09/business/report-sees-weak-security-in-cars-wireless-systems.html


Uncovering security flaws in digital education products for schoolkids

Monty Solomon <monty@roscom.com>
Mon, 9 Feb 2015 09:29:14 -0500
http://www.nytimes.com/2015/02/09/technology/uncovering-security-flaws-in-digital-education-products-for-schoolchildren.html

The law has long treated educational information as a category worthy of special protections, like credit or medical records, but the reality is often different.


New Microsoft Outlook app could infringe on businesses' privacy (Candice So)

Gene Wirchenko <genew@telus.net>
Tue, 10 Feb 2015 09:32:28 -0800
Candice So, *IT Business*, 6 Feb 2015

The new Microsoft Outlook app for iOS may be the one of the best email apps
to come out in a while—but according to IT security professionals, it
also presents myriad privacy issues. [...]


Microsoft Active Directory bug permits remote code execution

"Bob Gezelter" <gezelter@rlgsc.com>
Wed, 11 Feb 2015 07:39:59 -0700
for All Windows Versions

Ars Technica reports that Microsoft recently patched a remote code execution
exploit affecting ALL versions of Windows released over the last 15 years.
The report indicates that there are patches available for all versions of
Windows, except for Windows 2003.  The flaw, named Jasbug by its discoverer,
is classified as Microsoft MS15-011. It reportedly allows users who are able
to examine traffic at an intermediate point to launch a man-in-the-middle
attack against the client machine, inserting executable code.  From the
article: "All computers and devices that are members of a corporate Active
Directory may be at risk," warned a blog post published Tuesday by JAS
Global Advisors, one of the firms that (along with simMachines) reported the
bug to Microsoft in January 2014. "The vulnerability is remotely exploitable
and may grant the attacker administrator-level privileges on the target
machine/device. Roaming machines—Active Directory member devices that
connect to corporate networks via the public Internet (possibly over a
Virtual Private Network (VPN))—are at heightened risk."

http://arstechnica.com/security/2015/02/15-year-old-bug-allows-malicious-code-execution-in-all-versions-of-windows/


Samsung's privacy policy warns: customers' smart TVs are listening

Lauren Weinstein <lauren@vortex.com>
Mon, 9 Feb 2015 17:08:15 -0800
NPR via NNSquad
http://www.npr.org/blogs/thetwo-way/2015/02/09/385001258/samsungs-privacy-policy-warns-customers-their-smart-tvs-are-listening?utm_medium=RSS&utm_campaign=news

  "Please be aware that if your spoken words include personal or other
  sensitive information, that information will be among the data captured
  and transmitted to a third party through your use of Voice Recognition,"
  the privacy policy says.


"Samsung SmartTV voice commands could present an intrusion into user privacy" (Candice So)

Gene Wirchenko <genew@telus.net>
Tue, 10 Feb 2015 09:36:30 -0800
http://www.itbusiness.ca/article/samsung-smarttv-voice-commands-could-present-an-intrusion-into-user-privacy

Candice So, *IT Business*, 9 Feb 2015

Last week, The Daily Beast reported Samsung is doing just that with its
SmartTV, cautioning customers to recognize that anything they say may be
recorded and forwarded to a third-party. The Korean electronics giant
inserted a one-liner in its privacy policy warning people to be careful of
what they say around it.  [...]


How a Lone Hacker Shredded the Myth of Crowdsourcing

Lauren Weinstein <lauren@vortex.com>
Mon, 9 Feb 2015 09:07:16 -0800
*Medium* via NNSquad
https://medium.com/backchannel/how-a-lone-hacker-shredded-the-myth-of-crowdsourcing-d9d0534f1731

  "Meet Adam. He's a mid-level engineer at a mid-level software company in a
  cookie-cutter California office park. He can code a handful of languages,
  has a penchant for computer vision and enjoys soccer and skiing. In short,
  Adam has little to distinguish him from legions of other programmers in
  the Bay Area. Except that over a couple of nights in 2011, he stopped
  thousands of people from sharing in $50,000, nudged the American military
  in a new direction, and may have changed crowdsourcing forever."


Jeb Bush publishes e-mail personal info of Florida residents online

Lauren Weinstein <lauren@vortex.com>
Tue, 10 Feb 2015 14:12:22 -0800
The Verge via NNSquad
http://www.theverge.com/2015/2/10/8013531/jeb-bush-florida-email-dump-privacy

  "Jeb Bush, a rumored 2016 Republican presidential candidate, just decided
  to publish hundreds of thousands of emails sent to him during his time as
  governor of Florida. On its face it seems like a great idea in the name of
  transparency, but there's one huge problem: neither Bush nor those who
  facilitated the publication of the records, including the state
  government, decided to redact potentially sensitive personal information
  from them."


Outflow-valve controllers

Craig Burton <craig.alexander.burton@gmail.com>
Tue, 10 Feb 2015 14:09:11 +1100
In explaining the importance of heterogeneous redundant systems (a concept
still very alien to many it seems) I want to defer to an air crash disaster
I remember caused by the secondary and tertiary cabin-pressure outflow-valve
controllers on a commercial airliner all being from the same supplier as the
primary, and all with the same fault.  I was wrong in associating this with
the crash of Helios Flight 522 (which turned out to be cost-cutting use of
the same alarm for two very different situations in cabin pressure).

I can now not find an example of aircraft safety requirements anywhere that
assert outflow valve controllers must be diverse but conforming
implementations provided by different companies.  It's a nice simple example
for non-IT people.  Do any RISKS readers recall the outflow valve case that
has slipped my mind?


Re: Dangers of emoticons that we Had Not Considered (Brader, R-28.50)

Dmitri Maziuk <dmaziuk@bmrb.wisc.edu>
Tue, 10 Feb 2015 10:03:05 -0600
> Many people use icons in text messages

... at which point the message ceases to be a text message. In other news,
adding salt to water makes water salty, and sticking hand in fire make hand
hurtz.

This is a very bad mis-quote: people *don't* use icons in text messages,
they use [semi]colon-[dash-]parenthesis chords.

The article itself is about helpful DWIM apps combined with lack of clear
indication of what's going on, combined with "no hidden charges" regulations
that exist where article was published.
