The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 53

Monday 23 February 2015

Contents

Too-real simulation
David Magda
"Regulating the Drone Economy"
NYTimes
Obama hedges position on encryption. It's good. It's bad.
David Kravets
Scottish Police Blame Program Error for Deleted 20,000 Records
Slate via Monty Solomon
Bank hackers' malware steals millions
Sanger and Perlroth
Recent $1 billion international cyber bank robbery could have been prevented with simple security steps, expert says
GSN
Russian Researchers Expose Breakthrough U.S. Spying Program: Equation Group
Joseph Menn
Gemalto is Shocked, Shocked re NSA Sim Card hacking
Mark Scott via Henry Baker
Spies Can Track You Just by Watching Your Phone's Power Use
Andy Greenberg via Dewayne Hendricks
Paedo Spy Barbie
Iain Thomson via Henry Baker
Visa wants to track your smartphone to combat fraud
AP
Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections
Ars via NNSquad
"Lenovo shows us why we need to reinvent Web security"
Paul Venezia
Lenovo says Superfish not a 'security concern', own advisory marks it highly severe
Chris Duckett via Bob Frankston
"Lenovo: 'We were as surprised as you'"
Simon Phipps
Superfish points fingers over ad software security flaws
Lauren Weinstein
Samsung's smart TVs fail to encrypt voice commands
BBC
"Millennials becoming known as Generation Leaky"
Taylor Armerding
Hard disk firmware infection campaign detected
Peter Houppermans
More "Right To Be Forgotten" nonsense from "The Guardian"
Lauren Weinstein
Welcome to CMU_NOT
DKross
Future Crimes
Marc Goodman
Re: "Vint Cerf Warns of 'Digital Dark Age'"
Amos Shapir
Re: Microsoft patch killed Powerpoint
Peter Houppermans
Re: Internet providers lobby against backup power rules for phone lines
Ted Blank
PSA: Your crypto apps are useless unless you check them for backdoors
David Gillett
Re: Jeb Bush publishes e-mail personal info of Florida residents online
Vassilis Prevelakis
Re: "Can Open-Source Voting Tech Fix the U.S. Elections System?"
John Sebes
Re: KB 3023607 breaks Cisco VPN
Dimitri Maziuk
Re: Study concludes use of GOTOs in code is *not* harmful in practice
Bob Frankston
"Remember when URLs were short?"
Simson Garfinkel
Info on RISKS (comp.risks)

Too-real simulation

David Magda <dmagda@ee.ryerson.ca>
Mon, 16 Feb 2015 21:56:58 -0500
Add to the list of incidents when a nuclear attack was almost triggered:

> So how did it happen? A computer program that simulated a nuclear attack
> by the Soviet Union had been fed through NORAD's network. Terrifyingly,
> NORAD and everyone else in the network mistook their own drill program as
> a real attack.

> http://gizmodo.com/1686123550

The movie *WarGames* is mentioned in the article: art imitating life.

To remedy the situation a $16M test facility was built so simulations
wouldn't be plugged into the production system.


"Regulating the Drone Economy"

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 19 Feb 2015 10:12:54 PST
The Editorial Board, *The New York Times*, 19 Feb 2015

http://www.nytimes.com/2015/02/19/opinion/regulating-the-drone-economy.html

Interest in drones has been growing faster than government rules about how
they can be used. That's what makes the Obama administration's proposed
rules for unmanned aircraft by businesses and federal agencies so
important. The measures include many good ideas but do not do enough to
protect the privacy of Americans.

Drones have played ever more important military roles, particularly in
tracking suspected terrorists abroad in places like Pakistan. But these
flying robots also have commercial uses, like monitoring energy pipelines,
photographing real estate and managing large farms.

With few exceptions, however, the Federal Aviation Administration has
prohibited the commercial use of drones. On Sunday, the agency proposed
allowing commercial use as long as operators pass a written test every two
years. The proposal would also restrict when and how the devices can be
used. On the same day, President Obama imposed some restrictions on how
federal agencies like the F.B.I. and Customs and Border Protection collect
information from drones and what they do with it.

The F.A.A.'s proposal would require that drone operators always be able to
see the aircraft without the aid of binoculars, cameras or other
devices. The aircraft can be no heavier than 55 pounds, cannot be flown
higher than 500 feet or faster than 100 miles per hour. The devices can be
used only during daylight hours and cannot be flown over people not involved
in their use. That means a movie director could fly a drone over a film set
but not over a pedestrian on the street.

Some businesses like Amazon, which says it plans to deliver packages by
drones, complain that the rules are too restrictive because operators will
have to stay close to their machines. But the rules are a sensible starting
point for a new technology. Most drones cannot yet sense and avoid
obstacles, making them a hazard to people and property. In recent months,
drones, mostly operated by hobbyists, have had near misses with airplanes
and one crashed on the South Lawn of the White House. As drone technology
advances, officials can change the rules.

Regardless of what the final rule says, the F.A.A. could find it difficult
to enforce the regulation. It will have to rely on complaints from the
public and local law enforcement. Also, the agency, which is in the middle
of a major upgrade to the nation's air traffic system to reduce congestion,
may not have enough resources to monitor the thousands of drones that could
take to the sky once this rule is finalized in the coming months. The agency
has about 7,200 employees in its aviation safety division, a number that has
not increased much in recent years.

Mr. Obama's action on drone use by government agencies is much more
problematic. For example, the president's memorandum says the government
should not retain personally identifiable information collected by drones
for more than 180 days. But agencies can keep the data for longer if it is
“determined to be necessary to an authorized mission of the retaining
agency''—a standard that grants officials far too much latitude.
Moreover, the administration says agencies have to provide only a `general
summary' of how they use drones, and only once a year. Law enforcement
agencies like the F.B.I. and local police departments are already using
drones and manned aircraft for surveillance, often without obtaining
warrants, but they have said little publicly about what they are doing with
the information collected.

The use of drones is likely to grow, and the devices could become as common
as utility and delivery trucks. At the dawn of this technology, it's
appropriate to set sound safety and privacy rules.


Obama hedges position on encryption. It's good. It's bad. (David Kravets

Dewayne Hendricks <dewayne@warpspeed.com>
Tuesday, February 17, 2015
David Kravets, Ars Technica, 17 Feb 2015, via Dave Farber
Obama: "Public's going to demand answers, if there's a terrorist attack."
http://arstechnica.com/tech-policy/2015/02/obama-hedges-position-on-encryption-its-good-its-bad/

President Barack Obama is making his position on encryption known: he is a
supporter and "believer in strong encryption" but also "sympathetic" to law
enforcement's needs to prevent terror attacks.

"I think the only concern is... our law enforcement is expected to stop
every plot. Every attack. Any bomb on a plane. The first time that attack
takes place, where it turns out we had a lead and couldn't follow up on it,
the public's going to demand answers. This is a public conversation that we
should be having," Obama said in a Friday interview with Re/Code. "I lean
probably further in the direction of strong encryption than some do inside
law enforcement. But I am sympathetic to law enforcement, because I know the
kind of pressure they're under to keep us safe. And it's not as black and
white as it's sometimes portrayed. Now, in fairness, I think those in favor
of air tight encryption also want to be protected from terrorists."

Encryption became a hot-button topic in the wake of the summer 2013 leaks
by National Security Agency whistleblower Edward Snowden. His documents,
including some seemingly showing that Skype has a backdoor, highlighted a
broad online global surveillance society and set off a cottage industry of
encryption companies.

Both the FBI and the Justice Department are demanding that companies—like
Apple and Google that are beginning to outfit mobile phone devices with
encryption by default—should build backdoors to allow law enforcement
access. Without a backdoor, the encryption likely prevents authorities from
physically accessing contents directly from the phones' hardware, even with
a warrant.

The chief executive isn't faulting companies for building encrypted tools.
"I think they are properly responding to a market demand." But the
president, his second remarks on the topic in a month, said "we can't
pretend" that there's not a tradeoff between civil liberties and safety.

One of the interesting things about being in this job, is that it does give
you a bird's-eye view. You are smack dab in the middle of these tensions
that exist. But, there are times where folks who see this through a civil
liberties or privacy lens reject that there's any tradeoffs involved. And,
in fact, there are. And you've got to own the fact that it may be that we
want to value privacy and civil liberties far more than we do the safety
issues. But we can't pretend that there are no tradeoffs whatsoever. [...]


Scottish Police Blame Program Error for Deleted 20,000 Records

Monty Solomon <monty@roscom.com>
Sat, 21 Feb 2015 22:41:51 -0500
http://www.slate.com/blogs/future_tense/2015/02/20/scottish_police_attribute_accidental_deletion_of_20_000_records_to_programming.html


Bank hackers' malware steals millions (Sanger and Perlroth)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 16 Feb 2015 16:50:17 PST
In late 2013, an ATM in Kiev started dispensing cash at seemingly random
times of day.  No one had put in a card or touched a button.  Cameras showed
that the piles of money had been swept up by customers who appeared lucky to
be there at the right moment. [...]

David E. Sanger and Nicole Perlroth, *The New York Times*, dated 14 Feb 2015
http://www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html

  [Up'N AT'M!  PGN]

    [Also noted by Allan Davidson.  PGN]


Recent $1 billion international cyber bank robbery could have been prevented with simple security steps, expert says (GSN Magazine)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 19 Feb 2015 9:36:51 PST
Recent $1 billion international cyber bank robbery could have been prevented
with simple security steps, expert
http://r20.rs6.net/tn.jsp [No response for me, but browsing on the
  subject line works fine.  PGN]

A multinational gang of cyber criminals has stolen up to $1 billion from
about 100 international banks over the past two years, according to an
announcement earlier this week from the Russian cybersecurity form Kaspersky
Lab.  Responsibility for the robbery rests with a multinational gang of
cybercriminals from Russia, Ukraine and other parts of Europe, as well as
from China according to Kaspersky, which worked with INTERPOL, Europol and
authorities from different countries to uncover the massive heist.  Though
the criminals' take may be huge, many banks—along with other
organizations—can take basic steps to reduce the risk of theft of money
and information, according to Udi Shamir, chief security officer at Sentinel
Labs, who recently spoke with Government Security News. Organizations can
take steps including educating employees about the dangers of spear phishing
emails (which can download malware) to keeping proprietary business
systems separate from the Internet..


Russian Researchers Expose Breakthrough U.S. Spying Program: Equation Group (Joseph Menn)

"ACM TechNews" <technews@hq.acm.org>
Wed, 18 Feb 2015 11:57:52 -0500 (EST)
Joseph Menn (Reuters) 16 Feb 2015 via ACM TechNews, 18 Feb 2015

Kaspersky Lab on Monday said a group it calls the Equation group has
developed spyware that can lurk in the firmware of most hard drives
currently on the market.  Although Kaspersky did not explicitly make the
connection, the Equation group is widely believed to be a euphemism for the
U.S. National Security Agency (NSA).  Kaspersky says developing the spyware,
which has been found on hard drives from all of the market's major players,
would have required access to the hard drives' source code.  Hard drive
manufacturers have denied supplying NSA with their source code, but experts
say the spy agency has numerous ways of obtaining the source code, including
routine government security audits.  Kaspersky found personal computers
infected with the Equation group's spyware in 30 countries, primarily in
Iran, Russia, and Pakistan, but also in Afghanistan, China, Mali, Syria,
Yemen, and Algeria.  Targets included government and military institutions,
telecom firms, banks, energy companies, nuclear researchers, media, and
Islamic activists.  In addition to the spyware, Kaspersky also described
other Equation group programs, including compromising jihadist websites,
infected USB drives and CDs, and a self-spreading computer worm dubbed Fanny
that was used to deliver the spyware and may have links to the Stuxnet worm
used to target Iran's nuclear program several years ago.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-d617x2c67cx062018&


Gemalto is Shocked, Shocked re NSA Sim Card hacking

Henry Baker <hbaker1@pipeline.com>
Fri, 20 Feb 2015 07:01:22 -0800
Old Gemalto had a factory;
E-I-E-I-O;
And in this factory they made some chips;
E-I-E-I-O;
With a wink-wink here, and a nod-nod there;
Here a wink, there a nod;
...

Collaborators in WWII had their hair cut off (if they were lucky); I'd say
that -7.5% qualifies as a haircut.

Mark Scott, *The New York Times* 20 Feb 2015
Chip Maker to Investigate Claims of Hacking by NSA and British Spy Agencies,
http://www.nytimes.com/2015/02/21/world/europe/chip-maker-to-investigate-claims-of-hacking-by-nsa-and-british-spy-agencies.html

LONDON—Gemalto, a French-Dutch digital security company, said on Friday
that it was investigating a possible hacking by United States and British
intelligence agencies that may have given them access to worldwide mobile
phone communications.

The investigation follows news reports on Thursday that the National
Security Agency in the United States and the Government Communications
Headquarters in Britain had hacked Gemalto's networks to steal SIM card
encryption codes.  The claims—reported on a website called The Intercept
-- were based on documents from 2010 provided by Edward J. Snowden, the
former N.S.A. contractor.

The American and British intelligence agencies are said to have stolen the
encryption key codes to so-called smart chips manufactured by Gemalto, which
are used in cellphones, passports and bank cards around the world.

Gemalto is the world's biggest maker of SIM cards, the small chips in
cellphones that hold an individual's personal security and identity
information.  [...]


Spies Can Track You Just by Watching Your Phone's Power Use (Andy Greenberg)

Dewayne Hendricks <dewayne@warpspeed.com>
Thursday, February 19, 2015
Andy Greenberg, *WiReD*, 19 Feb 2015
http://www.wired.com/2015/02/powerspy-phone-tracking/

Smartphone users might balk at letting a random app like Candy Crush or
Shazam track their every move via GPS. But researchers have found that
Android phones reveal information about your location to every app on your
device through a different, unlikely data leak: the phone's power
consumption.

Researchers at Stanford University and Israel's defense research group
Rafael have created a technique they call PowerSpy, which they say can
gather information about an Android phone's geolocation merely by tracking
its power use over time. That data, unlike GPS or Wi-Fi location tracking,
is freely available to any installed app without a requirement to ask the
user's permission. That means it could represent a new method of stealthily
determining a user's movements with as much as 90 percent accuracy—though
for now the method only really works when trying to differentiate between a
certain number of pre-measured routes.

Spies might trick a surveillance target into downloading a specific app that
uses the PowerSpy technique, or less malicious app makers could use its
location tracking for advertising purposes, says Yan Michalevsk[y], one of
the Stanford researchers.  “You could install an application like Angry
Birds that communicates over the network but doesn't ask for any location
permissions.  It gathers information and sends it back to me to track you in
real time, to understand what routes you've taken when you drove your car or
to know exactly where you are on the route. And it does it all just by
reading power consumption.''

PowerSpy takes advantage of the fact that a phone's cellular transmissions
use more power to reach a given cell tower the farther it travels from that
tower, or when obstacles like buildings or mountains block its signal. That
correlation between battery use and variables like environmental conditions
and cell tower distance is strong enough that momentary power drains like a
phone conversation or the use of another power-hungry app can be filtered
out, Michalevsky says.

One of the machine-learning tricks the researchers used to detect that
`noise' is a focus on longer-term trends in the phone's power use rather
than those than last just a few seconds or minutes.  “A sufficiently long
power measurement (several minutes) enables the learning algorithm to `see'
through the noise, We show that measuring the phone's aggregate power
consumption over time completely reveals the phone's location and
movement.''

Even so, PowerSpy has a major limitation: It requires that the snooper
pre-measure how a phone's power use behaves as it travels along defined
routes. This means you can't snoop on a place you or a cohort has never
been, as you need to have actually walked or driven along the route your
subject's phone takes in order to draw any location conclusions. The
Stanford and Israeli researchers collected power data from phones as they
drove around California's Bay Area and the Israeli city of Haifa. Then they
compared their dataset with the power consumption of an LG Nexus 4 handset
as it repeatedly traveled through one of those routes, using a different,
unknown choice of route with each test. They found that among seven
possible routes, they could identify the correct one with 90 percent
accuracy.

“If you take the same ride a couple of times, you'll see a very clear
signal profile and power profile,'' says Michalevsky.  We show that those
similarities are enough to recognize among several possible routes that
you're taking this route or that one, that you drove from Uptown to
Downtown, for instance, and not from Uptown to Queens.''

Michalevsky says the group hopes to improve its analysis to apply that same
level of accuracy to tracking phones through many more possible paths and
with a variety of phones—they already believe that a Nexus 5 would work
just as well, for instance. The researchers also are working on detecting
more precisely where in a known route a phone is at any given time.
Currently the precision of that measurement varies from a few meters to
hundreds of meters depending upon how long the phone has been traveling.


Paedo Spy Barbie

Henry Baker <hbaker1@pipeline.com>
Thu, 19 Feb 2015 08:25:17 -0800
FYI—These guys raised $31 million??  Where's the adult supervision at
these VC firms?  At $75, expect this doll to be one of the most hacked
computers of 2015.

Hello Barbie: Hang on, this Wi-Fi doll records your child's voice?
What could possibly go wrong?

19 Feb 2015 at 07:39, Iain Thomson
http://www.theregister.co.uk/2015/02/19/hello_barbie/

Toymaker Mattel has unveiled a high-tech Barbie that will listen to your
child, record its words, send them over the Internet for processing, and
talk back to your kid.  It will email you, as a parent, highlights of your
youngster's conversations with the toy.

If Samsung's spying smart TVs creeped you out, this doll may be setting off
alarm bells too  so we drilled into what's going on.

The Hello Barbie doll is developed by San Francisco startup ToyTalk, which
says it has more than $31m in funding from Greylock Partners, Charles River
Ventures, Khosla Ventures, True Ventures and First Round Capital, and
others.  [...PGN-truncated]


Visa wants to track your smartphone to combat fraud (AP)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 18 Feb 2015 10:29:57 PST
Associated press via the *San Francisco Chronicle*
http://www.sfgate.com/business/article/Visa-wants-to-track-your-smartphone-to-combat-6085910.php

Visa wants to track its customers' smartphones to know when a credit card is
legitimately used in locations away from the holder's home area.  Those days
of calling your bank to let them know that, yes, you really are in Thailand,
and yes, you really did use your credit card to buy $200 in sarongs, may be
coming to an end.  Visa will introduce a feature this spring that will allow
its cardholders to inform their banks where they are automatically, using
the location function found in nearly every smartphone.

Having your bank and Visa know where you are at all times may sound a little
like Big Brother. But privacy experts are applauding the feature, saying
that, if used correctly, it could protect cardholders and cut down on credit
card fraud.

Credit and debit card fraud costs consumers and banks billions of dollars
each year, and that figure has been growing as data breaches have become
more common. The banking industry had $1.57 billion in debit card fraud in
2013 and $4 billion in credit card fraud in 2012, the latest years for which
data are available, according to the Federal Reserve. [... PGN-Truncated]


Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections (Ars)

Lauren Weinstein <lauren@vortex.com>
Thu, 19 Feb 2015 08:28:56 -0800
Ars via NNSquad
http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/

  "Lenovo is selling computers that come preinstalled with adware that
  hijacks encrypted Web sessions and may make users vulnerable to HTTPS
  man-in-the-middle attacks that are trivial for attackers to carry out,
  security researchers said.  The critical threat is present on Lenovo PCs
  that have adware from a company called Superfish installed. As unsavory as
  many people find software that injects ads into Web pages, there's
  something much more nefarious about the Superfish package. It installs a
  self-signed root HTTPS certificate that can intercept encrypted traffic
  for every website a user visits. When a user visits an HTTPS site, the
  site certificate is signed and controlled by Superfish and falsely
  represents itself as the official website certificate."

They now are (predictably) trying to back out of this, after initially
suggesting it was OK because *only* their consumer-oriented systems were
affected. Thanks a bunch, guys.

  [See also a later article by Nicole Perlroth, Spyware in Lenovo PCs Is
  Placed at Core of System, *The New York Times*, 23 Feb  2015.  PGN]


"Lenovo shows us why we need to reinvent Web security" (Paul Venezia)

Gene Wirchenko <genew@telus.net>
Fri, 20 Feb 2015 10:27:29 -0800
Paul Venezia, InfoWorld, 19 Feb 2015
What was Lenovo thinking? We can only hope the company's disastrous
decision to install adware on laptops that includes man-in-the-middle
code will inspire the industry to revamp SSL security
http://www.infoworld.com/article/2886792/security/lenovo-shows-us-why-we-need-to-reinvent-web-security.html


Lenovo says Superfish not a 'security concern', own advisory marks it highly severe (Chris Duckett)

"Dewayne Hendricks" <dewayne@warpspeed.com>
Fri, 20 Feb 2015 10:45 AM
[Note:  This item comes from friend Bob Frankston.  DLH]

Chris Duckett, ZDNet, 20 Feb 2015
http://www.zdnet.com/article/lenovo-says-superfish-not-a-security-concern-own-advisory-marks-it-highly-severe/

Summary: A Lenovo security advisory details the models of notebooks impacted
by the Superfish SSL hijacking, while a company statement says that
Superfish is used to 'enhance' users' computing experiences.

Sacrificing one of the core pillars of its devices' security chain for ad
revenue was all in an effort to allow users to "discover interesting
products while shopping", a Lenovo statement said in response to the
Superfish furore.

Lenovo said that Superfish was shipped on its notebook devices between
September and December 2014. In January, as a result of user feedback, the
product was disabled by Superfish on its end, and Lenovo stopped preloading
the software.

"We will not preload this software in the future," the Chinese hardware
manufacturer said.

The company dismissed security concerns that Superfish was able to hijack
SSL/TLS connections via a self-signing root certificate authority that had
the same private key on each and every Lenovo device upon which Superfish
was installed.

"We have thoroughly investigated this technology, and do not find any
evidence to substantiate security concerns," Lenovo's statement said.

"We know that users reacted to this issue with concern, and so we have taken
direct action to stop shipping any products with this software. We will
continue to review what we do and how we do it in order to ensure we put our
user needs, experience, and priorities first."

However, a security advisory published by Lenovo rated the incident as
highly severe.

"Superfish intercept HTTP(S) traffic using a self-signed root certificate.
This is stored in the local certificate store and provides a security
concern," the advisory said.

The advisory also revealed the model numbers for notebooks that suffered
from having Superfish preloaded: [...]

It took mere hours, once the Superfish flaw was known, for the Superfish
private key to be extracted by security expert Robert Graham.

"The consequence is that I can intercept the encrypted communications of
SuperFish's victims (people with Lenovo laptops) while hanging out near them
at a cafe Wi-Fi hotspot," he said. [...]


"Lenovo: 'We were as surprised as you'" (Simon Phipps)

Gene Wirchenko <genew@telus.net>
Fri, 20 Feb 2015 16:19:13 -0800
Simon Phipps, In an exclusive interview, Lenovo's Mark Cohen explains how the
Superfish debacle went down, InfoWorld, 20 Feb 2015
http://www.infoworld.com/article/2886959/laptop-computers/are-you-buying-risk-along-with-your-laptop.html


Superfish points fingers over ad software security flaws

Lauren Weinstein <lauren@vortex.com>
Sat, 21 Feb 2015 12:21:06 -0800
AP/Olympian via NNSquad
http://www.theolympian.com/2015/02/21/3588510/superfish-points-fingers-over.html

  Either way, don't expect a mea culpa. Faced with a withering publicity
  barrage that could jeopardize any startup's future, Superfish CEO Adi
  Pinhas blamed another company for the security flaw and complained about
  what he called "false and misleading statements made by some media
  commentators and bloggers."

Oh give me a break. This isn't rocket science. You screw around with the
certs that way, you're committing a Man in the Middle attack.
Q.E.D. Period. Full stop.


Samsung's smart TVs fail to encrypt voice commands

Lauren Weinstein <lauren@vortex.com>
Wed, 18 Feb 2015 11:33:56 -0800
BBC via NNSquad
http://www.bbc.com/news/technology-31523497

  "Samsung has acknowledged that some of its smart TV models are uploading
  their owners' voices to the Internet in an unencrypted form.  The apparent
  oversight makes it easier for hackers to spy on customers' activities."

 - - -

Yeah, now they say they're fixing it. Great job, guys, your check from the
Russian Security Service is in the mail.


"Millennials becoming known as Generation Leaky" (Taylor Armerding)

Gene Wirchenko <genew@telus.net>
Fri, 20 Feb 2015 10:17:42 -0800
Taylor Armerding, CSO Online, 17 Feb 2015
Millennials, by some accounts, have plenty of tech savvy but not much
when it comes to security. What should your organization do about that?
http://www.csoonline.com/article/2884638/security-awareness/millennials-becoming-known-as-generation-leaky.html


Hard disk firmware infection campaign detected (Reuters)

Peter Houppermans <peter@houppermans.net>
Tue, 17 Feb 2015 10:48:40 +0100
Source:
http://www.reuters.com/article/2015/02/16/us-usa-cyberspying-idUSKBN0LK1QV20150216

The U.S. National Security Agency has figured out how to hide spying
software deep within hard drives made by Western Digital, Seagate, Toshiba
and other top manufacturers, giving the agency the means to eavesdrop on the
majority of the world's computers, according to cyber researchers and former
operatives.

That long-sought and closely guarded ability was part of a cluster of spying
programs discovered by Kaspersky Lab, the Moscow-based security software
maker that has exposed a series of Western cyberespionage operations./

I've had hard disks that simply refused to store the word "oversight",
it only worked if I changed that to "trust us".  Now I know why.


More "Right To Be Forgotten" nonsense from "The Guardian"

Lauren Weinstein <lauren@vortex.com>
Wed, 18 Feb 2015 16:01:56 -0800
Guardian via NNSquad
"How Google determined our right to be forgotten"
http://www.theguardian.com/technology/2015/feb/18/the-right-be-forgotten-google-search

 - - -

Reliably nonsensical tripe from *The Guardian*.  I've spent so much time and
so many words ripping apart the disastrous concept that is the "Right To Be
Forgotten" (RTBF) that I won't bend your ears (or rather, eyes) on it again
here, except to note what is likely the most critical element—EU desires
to expand their regional bureaucratic censorship nightmare regime from
regional versions of Google to google.com globally. And it takes no more
than a modicum of intelligence to see the problem with such demands. For if
the EU can do this (and keep in mind we're likely on the cusp of vast new
demands for Internet censorship from politically pandering European and
other leaders promising to control the Net to ostensibly "stop terrorists")
-- then what's to stop Putin, or Kim Jong-un, or the leaders who imprison
citizens for decades for the "crime" of blasphemy or speaking negatively
about their leaders—from making exactly the same kinds of demands for
global censorship? There is no "gentle" path in this realm. All routes
leading from the EU RTBF lead to kicking free speech off the cliff, to the
delight and enrichment of the leaders who view information control as their
permanent meal ticket to political control.


Welcome to CMU_NOT

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 19 Feb 2015 16:29:53 PST
  [Thanks to D Kross]

The new standard

http://www.post-gazette.com/news/education/2015/02/17/CMU-Sorry-your-acceptance-letter-was-sent-by-mistake/stories/201502170196


Future Crimes (Marc Goodman)

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 20 Feb 2015 10:19:17 PST
Marc Goodman
FUTURE CRIMES:
  Everything is Connected, Everyone is Vulnerable,
  and What We Can Do About It
Doubleday, 2015,
[The pre-pub copy I have seen is pushing 400 pages, plus copious end-notes]

I noted in RISKS-28.43 that the forthcoming *Future Crimes* book would be
highly relevant to RISKS readers.  I've read it more carefully since then,
and it is worthy of another mention here.  This book is full of valuable
anecdotes that illustrate the seriousness and pervasiveness of existing and
past computer crimes—which are becoming increasingly more prevalent and
 more egregious.  The book exhibits considerable wisdom and serious
understanding of the risks, and I believe has a very realistic view of the
future.  The pithy final chapter considers The Way Forward and how to cope
with the likely future.  Also, the appendix has some useful suggestions for
coping sensibly with the new reality; this provides a strong case for things
*you* can do to protect yourself.  From my own point of view, it seems that
the book does not sufficiently confront the reality that today every system
or network is riddled with security flaws, so that we really need computer
and communication infrastructures that are inherently much more trustworthy
than exist today.  Nevertheless, the book should be very valuable to a wide
range of readers—from naive computer users (who are likely to be shocked
and surprised) to experienced people who have not yet fully understood the
true depth of where we might be heading in the future.  It's nicely
organized, and makes a very good read.

With respect to the *Future Crime* subtitle, `Everything is Connected', I am
reminded of Bob Morris's statement for the National Research Council's CTSB
on 19 September 1988: “To a first approximation, every computer in the
world is connected with every other computer.''  That has become ever truer
today; even if the dark net is not searchable, it is still accessible.  PGN

[Marc Goodman is a global strategist with over two decades of experience in
law enforcement, former FBI Futurist-in-Residence, advisor to Interpol and
over 70 countries in transnational cyberrisks, founder of the Future Crimes
Institute, and Chair for Policy, Law, and Ethics at Silicon Valley's
Singularity University.]


Re: "Vint Cerf Warns of 'Digital Dark Age'"

Amos Shapir <amos083@gmail.com>
Thu, 19 Feb 2015 00:57:43 +0200
I find the statement "this digital snapshot would then be uploaded to the
cloud where it could, in theory, live on in perpetuity" somewhat naive.  At
least he says "in theory", because in practice, there's no such place as
"the cloud"—data have to be stored on some physical system eventually.
In order to be kept "in perpetuity", someone must keep an eye on it
constantly, ensuring that it stays useful across system upgrades, hardware
switches, and changes of caretakers.  Any break in the chain might cause
data to be lost, possibly without anyone noticing until it's too late to
save it.


Re: Microsoft patch killed Powerpoint (RISKS-28.52)

Peter Houppermans <peter@houppermans.net>
Tue, 17 Feb 2015 10:41:44 +0100
On that topic, this comment in The Register (a UK e-zine) from a user
"hplasm" is worth sharing:

  "A patch that breaks Powerpoint?  What's wrong with that?"


Re: Internet providers lobby against backup power rules for phone lines (Wallich, RISKS-28.52)

Ted Blank <tedblank@gmail.com>
Mon, 16 Feb 2015 16:52:31 -0800 (PST)
In Risks 28.52, Paul Wallich wrote, "For people who are getting Plain
Internet Service, regulators have already pretty much put the cable
modem/router/access point/whatever on the customer side of the demarc..."

My Fairpoint FIOS fiber-optic phone/Internet service also terminates in my
garage.  (It should be phone/Internet/TV but Cox Cable apparently has better
lawyers in New Hampshire).  Anyway, at the first power outage I was
surprised to find that the rechargeable 7AH gel-cell battery inside the FIOS
equipment box powered only the telephone service, not the Internet service.
Apparently this is all the law requires so that 911 service will have higher
availability.

I remedied this by plugging the power cord for the entire FIOS equipment box
into a separate UPS that I purchased locally.  Now everything including my
Internet service (and my VOIP phone lines) stays up during short outages.


PSA: Your crypto apps are useless unless you check them for backdoors (Goodin, RISKS-28.50)

David Gillett <gillettdavid@fhda.edu>
Thu, 19 Feb 2015 23:53:40 +0000
In Real Life, one should be able to cope with accidental, as well as
malicious, man-in-the-middle attacks.  I have a Linux box awaiting a
"salvage data and reinstall from OS up" exercise, because some of its system
updates were invisibly corrupted in transit by Google's much-ballyhooed
Mountain View wifi network, which it turned out could not be counted on to
detect and resend corrupted packets—I suspect that the Layer 2 checksums
were computed after the corruption was introduced.  Rigorous verification of
digital signatures should have made it possible to at least detect and
contain the damage.

David Gillett, CISSP CCNP


Re: Jeb Bush publishes e-mail personal info of Florida residents online (RISKS-28.51)

Vassilis Prevelakis <prevelakis@ida.ing.tu-bs.de>
Wed, 18 Feb 2015 00:12:47 +0100
In RISKS-28.51, Lauren Weinstein wrote that Jeb Bush published hundreds of
thousands of emails sent to him during his time as governor of Florida.

Since the copyright of each of these letters belongs to the persons who
wrote them, unless he got permission to publish them, he infringed upon
their copyright.


Re: "Can Open-Source Voting Tech Fix the U.S. Elections System?" (Barry Gold, RISKS-28.52?)

John Sebes <jsebes@osetfoundation.org>
Tue, 17 Feb 2015 09:38:45 -0800
Thanks for your thoughtful remarks on "Can Open-Source Voting Tech Fix the
U.S. Elections System?". Given the many challenges you listed, I hope that
any RISKS reader can conclude that it is truly a quixotic quest to build
voting systems where software is 100% trusted to produce correct election
results. I think that yous remarks on this model should convince any RISKS
reader that it is fundamentally impossible to build a perfectly secure
computing system for voting; and also impractical to build a fairly
resilient system that can be operated by not-especially-risks-savvy election
officials and volunteers.

So what so we do instead? Some thoughts here about a *different* model where
reasonable methods can be applied to creating a trustworthy election process
that includes but does not trust software that counts ballots ...

1. Evidence based elections

Open source code is not a solution to for fundamental problems in computing;
Reflections on Trusting Trust still rules. Instead, "evidence based
elections" is the term of art used by many election officials and election
techies. Since both computers and people can't be solely trusted for
accurate vote counts, the approach is to derive confidence from a publicly
viewable process that trusts neither. First, voters cast paper
ballots. (Computers can be involved in creating them.) Second, machines
count the paper ballots and record the tallies. (Optical scan, digital image
processing software, etc.) Third, election officials select batches of
machine-counted ballots, and hand count them to detect any variance between
human interpretation and the machine interpretation of the marks on the
ballot. Selection of the batches, and the number of ballots involved, should
follow statistically significant variance.

2. Smaller scope for software assurance

That stated, there is still significant value in software assurance,
including publicly visible source code, independent testing, etc. Even
though the ballot-counting software is not trusted for correctness, it make
sense to invest in software quality. But the *very* important point is that
the quality and assurance are *not* in pursuit of highly trustworthy
software—but rather software that has reasonable quality for doing its
job well, particularly including creating the digital evidence for the "risk
limiting audit" process sketched above. That evidence includes both a
retained image of each ballot, and a "cast vote record" of interpretation
made by software of that image. If the software fails in its duty to create
the digital evidence, then the auditing process may be impaired. (Note that
the audit process can be done with nothing more than batches and roll-up
tallies of each batch, but it is more labor intensive.)

If this sounds unfamiliar or improbable to some readers, let me re-assure:
election officials across the U.S. are demanding exactly this approach to
the next generation of voting systems, and a variety of organizations are
listening and stepping up to help: government orgs (NIST, EAC), standards
bodies (IEEE, NIST), and educational and research orgs like ours, the OSET
Foundation; and technology developers include our TrustTheVote Project

3. Provenance and validation of software

One last point is about software provenance: how do we know that a voting
machine is running the approved software that it is "supposed to"?
Currently, no voting system product that I know of has the ability to do
this. One among several reasons that TrustTheVote Project has been doing
voting tech development form scratch, is to include a boot time validation
capability as a basic part of he design. Such validation is a critical
requirement in our system. However, such validation was not a stated
requirement back in 2002 when the HAVA mandated a move to electronic
voting. Not being required, the vendors then and now very understandably
didn't invest engineering effort in providing it.

I hope that sounds like a more reasonable path that does not require *all*
of the potentially complex mechanisms that your outlined in your RISKS post.

John Sebes, OSET Foundation / TrustTheVote Project


Re: KB 3023607 breaks Cisco VPN (RISKS-28.52)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Mon, 16 Feb 2015 16:12:44 -0600
This is a nice one: work gives you a laptop with site-licensed copy of
Microsoft Windows and AnyConnect setup so that your computer is part of
"the site".  For, among other things, when Windows wants call home and
check it's legit.

Then KB 3023607 installs itself and suddenly you are the Dread Software
Pirate HAM Who Stole Bill's Basic.


Re: Study concludes use of GOTOs in code is *not* harmful in practice

"Bob Frankston" <bob2-53@bob.ma>
21 Feb 2015 17:12:52 -0500
(RISKS-28.51)

Statistical analysis of programs considered harmful?

Indeed much of the use of "goto" is really as a "break" or similar
statement. Perhaps a better question is what is the harm done by simply
avoiding the string "goto". Closely related the is effort to eliminate
multiple returns in programs. Both dogmatic approaches result in programs
that are just as spaghetti code as program rife with goto's.

And that's the real issue—how do does one write programs that can be
understood and maintained. As Dijkstra noted the goal is to give people
reading the static expression of a program better ability to understand the
dynamic state. Too bad that simply point got lost in the focus on purity.

Perhaps the biggest failing of the paper is in not considering the dynamic
state of the practice of programming. In 1968 Goto's only one of the many
problematic practices. Patching branch statements at runtime instead of
using flag variables was not uncommon. Since then we've learned much more
about writing readable code and studying "post Dijkstra" usage begs the
question.


"Remember when URLs were short?"

Simson Garfinkel <simsong@acm.org>
Mon, 16 Feb 2015 16:56:19 -0500
Gene Wirchenko remembers when URLs were fairly short. URLs are long now
because long URLs with "semantic content" translate to higher rankings in
one of Google's ranking algorithms.

Please report problems with the web pages to the maintainer

Top