The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 60

Monday 27 Apr 2015

Contents

Obama's unclassified e-mail hacked by Russians
NYTimes via PGN
Computer Attacks Spur Congress to Act on Cybersecurity Bill Years in the Making
NYTimes via Monty Solomon
How computerized trading in the hands of a nobody in Britain allegedly crashed the stock market
WashPost via Gene Spafford
Next-Gen Navigation - CEA
Gabe Goldberg
Civilization near collapse; all Starbucks stores close due to point-of-sale failure
Jeremy Epstein
Wi-Fi software security bug could leave Android, Windows, Linux open to attack
Ars Technica via Lauren Weinstein
"HTTPS snooping flaw affected 1,000 iOS apps with millions of users"
Lucian Constantin via Gene Wirchenko
"Apple's OS X 'Rootpipe' patch flops, fails to fix flaw"
Gregg Keizer via Gene Wirchenko
Shamir Reveals Sisyphus Algorithm
John Young
'Flash Crash' 101: How could one guy do that?
CNBC via Monty Solomon
All times are in UTC, any included timezone is ignored
Dan Jacobson
Court: Iowa casino doesn't have to pay $41M jackpot error
StLToday via Monty Solomon
Security scholarship awardees announced
Jeremy Epstein
Re: "Bob Wachter on Technology and Hospitals at Medium"
Gene Wirchenko
Re: Kali Linux security is a joke!
Henry Baker
Info on RISKS (comp.risks)

Obama's unclassified e-mail hacked by Russians

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 27 Apr 2015 10:34:55 PDT
Here's another item on the general theme of the pervasiveness of security
vulnerabilities.

http://www.nytimes.com/2015/04/26/us/russian-hackers-read-obamas-unclassified-emails-officials-say.html


Computer Attacks Spur Congress to Act on Cybersecurity Bill Years in the Making

Monty Solomon <monty@roscom.com>
Wed, 22 Apr 2015 11:48:02 -0400
http://www.nytimes.com/2015/04/23/us/politics/computer-attacks-spur-congress-to-act-on-cybersecurity-bill-years-in-making.html

The House is expected to pass a bill pushing companies to share data with
federal investigators in the wake of breaches at Sony, Target and the health
insurer Anthem.

  [So, these companies—and the Congress—might eventually realize that
  every computer system connected to the Internet is inherently vulnerable,
  as well as all the systems not even connected?  And that ubiquitous
  abilities for surveillance can only make it worse?  PGN]


How computerized trading in the hands of a nobody in Britain allegedly crashed the stock market

Gene Spafford <spaf@cerias.purdue.edu>
Wed, 22 Apr 2015 08:57:31 -0700
*The Washington Post*, 22 Apr 2015
http://www.washingtonpost.com/news/morning-mix/wp/2015/04/22/how-computerized-trading-in-the-hands-of-a-nobody-in-britain-allegedly-crashed-the-stock-market/

Next-Gen Navigation - CEA

Gabe Goldberg <gabe@gabegold.com>
Sat, 25 Apr 2015 22:11:07 -0400
It's a common refrain among car buyers: “Why do I need a built-in
navigation system when I can use the maps app on my smartphone?”  Now
automakers are answering, turning factory-installed navigation systems and
the maps that support them into crucial components of new advanced driver
assistance systems (ADAS) and safety systems.  No longer just a convenience
item, in-dash navigation systems are evolving both technologically and
strategically and someday will help drive not just autonomous vehicles, but
new business models, as well. ...

(15-years-out concept car):

Pedestrians can't see inside the vehicle to give passengers privacy.
Passengers in the F 015 can see only partly out the side windows, so giant
4K resolution displays in the door panels and a car width 5K display in the
dashboard show representations of the vehicle's surroundings as they're
detected by the vehicle's various sensors and cameras.  A `Guided Path' menu
item accesses the navigation system's point-of-interest (POI) database to
show places the car will pass along its route—in a timeline fashion, with
photorealistic imagery—giving passengers the opportunity to program a
stop.  Certain POIs also are linked to 360-degree photos, letting passengers
get acquainted with destinations before they arrive. There are no buttons in
the cars. For controls and menu selections, all the side displays are
touch-sensitive and have proximity sensors.

http://www.ce.org/i3/Features/2015/March-April/Next-Gen-Navigation

What could...

Gabriel Goldberg, Computers and Publishing, Inc.  gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042   (703) 204-0433


Civilization near collapse; all Starbucks stores close due to point-of-sale failure

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Sat, 25 Apr 2015 20:28:56 -0400
Starbucks says an outage that affected all of their point of sale terminals
was "caused by an internal failure during a daily system refresh and was not
the result of an external breach".  I find that a strange explanation, since
the failure hit mid-day in the US, and I would think that a "daily system
refresh" would be during the overnight hours.

(During the outage, some locations gave away free drinks, some went
cash-only, and others closed.  No riots reported by caffeine addicts.)

I don't know anything about running global IT infrastructures, so perhaps
I'm naive, but I would think that rollouts would be done in a rolling
fashion to avoid shutting down the entire company.  I'm sure there are many
cases like this, but I remember one that affected me, when the local cable
TV provider (Cox) did a push update of every cable modem in the county, and
in the process bricked 10s of thousands of units before they realized
the problem.  It surprised me then that there weren't fail-safe mechanisms
in place - i.e., making sure that units "phoned home" after an upgrade, and
automatically stopping the rollout if any more than epsilon fail the phone
home.

https://news.starbucks.com/news/starbucks-point-of-sale-register-outage-resolved
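The fail-safe Jeremy describes (units phone home after an upgrade; the rollout stops itself if more than epsilon of them fail to), written out as an added example. This is not Starbucks' or Cox's code; the device names, wave sizes and the 2% threshold are made up, and the "devices" are simulated by a function that decides which unit numbers fail.

```python
"""Staged fleet rollout with a phone-home fail-safe.

Added example (not Starbucks' or Cox's code): it models the safeguard Jeremy
Epstein describes. Updates go out in waves, every device must phone home
after the update, and the rollout halts automatically when more than a
fraction epsilon of a wave fails to report. Device names, wave sizes and the
threshold are made up for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass
class RolloutResult:
    halted: bool
    waves_completed: int
    updated: List[str]
    failed: List[str]
    reason: Optional[str] = None


def staged_rollout(
    devices: List[str],
    push_update: Callable[[str], bool],
    wave_sizes: Iterable[int] = (1, 10, 100),
    growth: int = 10,
    epsilon: float = 0.02,
) -> RolloutResult:
    """Push the update wave by wave.

    push_update(device) returns True only if the device phoned home healthy
    after the update. The first waves use the listed sizes (a single canary,
    then 10, then 100); later waves grow by `growth`. A wave whose failure
    rate exceeds epsilon stops the rollout before the next wave starts.
    """
    sizes = list(wave_sizes)
    updated: List[str] = []
    failed: List[str] = []
    idx, wave_no, size = 0, 0, sizes[0]
    while idx < len(devices):
        size = sizes[wave_no] if wave_no < len(sizes) else size * growth
        wave = devices[idx:idx + size]
        idx += len(wave)
        wave_no += 1
        wave_failed = {d for d in wave if not push_update(d)}
        failed.extend(d for d in wave if d in wave_failed)
        updated.extend(d for d in wave if d not in wave_failed)
        rate = len(wave_failed) / len(wave)
        if rate > epsilon:
            return RolloutResult(
                halted=True,
                waves_completed=wave_no - 1,
                updated=updated,
                failed=failed,
                reason=f"wave {wave_no}: {len(wave_failed)}/{len(wave)} "
                       f"devices did not phone home ({rate:.0%} > {epsilon:.0%})",
            )
    return RolloutResult(False, wave_no, updated, failed)


def big_bang_push(devices: List[str], push_update: Callable[[str], bool]) -> List[str]:
    """The pattern without a fail-safe: push everything at once and learn
    about the failures afterwards. Returns the devices that were bricked."""
    return [d for d in devices if not push_update(d)]


def make_fleet(n: int) -> List[str]:
    return [f"modem-{i:05d}" for i in range(n)]


def faulty_firmware(bad: Callable[[int], bool]) -> Callable[[str], bool]:
    """Build a deterministic push_update: the device numbered i fails to
    phone home whenever bad(i) is true (simulated, no real devices)."""
    return lambda device: not bad(int(device.rsplit("-", 1)[1]))


if __name__ == "__main__":
    fleet = make_fleet(1000)
    every_twentieth = faulty_firmware(lambda i: i % 20 == 7)
    print("big bang bricked:", len(big_bang_push(fleet, every_twentieth)))
    r = staged_rollout(fleet, every_twentieth)
    print("staged halted:", r.halted, "| bricked:", len(r.failed), "|", r.reason)
```

With a firmware that bricks one unit in twenty, the all-at-once push loses 50 of 1,000 simulated modems; the staged version loses one, because the 10-unit second wave already exceeds the 2% threshold and the rollout stops there.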


Wi-Fi software security bug could leave Android, Windows, Linux open to attack

Lauren Weinstein <lauren@vortex.com>
Wed, 22 Apr 2015 14:34:58 -0700
Ars Technica via NNSquad
http://arstechnica.com/security/2015/04/wi-fi-software-security-bug-could-leave-android-windows-linux-open-to-attack/

  "The end result is that an attacker could corrupt information in memory,
  causing wpa_supplicant and Wi-Fi service to crash; a crafted SSID could
  essentially be used as a denial-of-service attack on affected devices
  simply by sending out responses to Wi-Fi probe requests or P2P network
  Public Action messages. But it could also expose memory contents during
  the three-way handshake of a peer-to-peer network negotiation (the GO
  negotiation) or potentially allow for the attacker to execute code on the
  target.  A patch for the bug has been posted, and, based on Google's
  involvement, it will likely be part of an Android security update
  shortly. However, the distribution of that fix will depend on Android
  handset manufacturers and carriers to reach end users."

And we can assume that owners of many older Android devices won't be
getting a fix from carriers or Google.
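The bug class in the Ars item, a receiver that trusts a length field in a crafted SSID and copies past a fixed buffer, shown as an added example in Python rather than wpa_supplicant's own C. The parser below applies the two checks a receiver needs (element fits in the frame; SSID at most 32 bytes, the 802.11 maximum), and store_ssid() simulates what the unchecked copy costs when the SSID field sits next to another field in a record. The same check applies whichever element or P2P attribute carries the SSID. The frame bytes are constructed, not captured.

```python
"""Bounds-checked parsing of 802.11 information elements.

Added example, not wpa_supplicant's code. The Ars item describes a crafted
SSID whose length is trusted by the receiver and overruns a fixed buffer.
This parser shows the two checks a receiver needs before copying anything:
the element must lie inside the frame it arrived in, and an SSID element
must be at most 32 bytes (the 802.11 maximum). store_ssid() then simulates
what the missing check costs when the copy lands in a fixed-size record.
All frame bytes below are constructed, not captured.
"""
import struct
from typing import Dict, List

SSID_MAX_LEN = 32
EID_SSID = 0          # element id of the SSID element
EID_SUPP_RATES = 1    # element id of Supported Rates (for the sample frame)


class MalformedFrame(ValueError):
    """Raised instead of silently trusting attacker-controlled lengths."""


def parse_ies(buf: bytes) -> Dict[int, List[bytes]]:
    """Walk (id, len, value) triples; every length is checked against the
    remaining bytes before the value is touched."""
    ies: Dict[int, List[bytes]] = {}
    off = 0
    while off < len(buf):
        if len(buf) - off < 2:
            raise MalformedFrame(f"truncated element header at offset {off}")
        eid, length = buf[off], buf[off + 1]
        off += 2
        if length > len(buf) - off:
            raise MalformedFrame(
                f"element {eid} claims {length} bytes, {len(buf) - off} remain")
        if eid == EID_SSID and length > SSID_MAX_LEN:
            raise MalformedFrame(f"SSID length {length} exceeds {SSID_MAX_LEN}")
        ies.setdefault(eid, []).append(buf[off:off + length])
        off += length
    return ies


def store_ssid(ssid: bytes, checked: bool) -> dict:
    """Copy an SSID into a record laid out as C would: a 32-byte ssid field
    immediately followed by a 32-bit flags word (simulated with a bytearray).

    checked=False reproduces the unchecked copy: bytes 33-36 of a crafted
    SSID land in the flags word. checked=True refuses the copy instead.
    """
    record = bytearray(SSID_MAX_LEN) + struct.pack("<I", 0x1)   # flags = 1
    if checked and len(ssid) > SSID_MAX_LEN:
        raise MalformedFrame(f"refusing {len(ssid)}-byte SSID")
    n = min(len(ssid), len(record))      # the simulated adjacent memory ends here
    record[:n] = ssid[:n]
    return {
        "ssid": bytes(record[:SSID_MAX_LEN]).rstrip(b"\0"),
        "flags": struct.unpack_from("<I", record, SSID_MAX_LEN)[0],
    }


# Constructed sample frames (IE bodies only, no 802.11 header).
GOOD_FRAME = bytes([EID_SSID, 4]) + b"cafe" \
    + bytes([EID_SUPP_RATES, 8]) + b"\x82\x84\x8b\x96\x0c\x12\x18\x24"
CRAFTED_SSID = b"A" * SSID_MAX_LEN + struct.pack("<I", 0xFFFFFFFF)   # 36 bytes
CRAFTED_FRAME = bytes([EID_SSID, len(CRAFTED_SSID)]) + CRAFTED_SSID
TRUNCATED_FRAME = bytes([EID_SSID, 10]) + b"short"     # claims 10, has 5

if __name__ == "__main__":
    print(parse_ies(GOOD_FRAME))
    print("unchecked copy:", store_ssid(CRAFTED_SSID, checked=False))
    for frame in (CRAFTED_FRAME, TRUNCATED_FRAME):
        try:
            parse_ies(frame)
        except MalformedFrame as e:
            print("rejected:", e)
```

The unchecked path turns a 36-byte SSID into a rewrite of the flags word next to it, which is the kind of memory corruption the article describes; the checked path never performs the copy.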


"HTTPS snooping flaw affected 1,000 iOS apps with millions of users" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Thu, 23 Apr 2015 10:01:31 -0700
Lucian Constantin, InfoWorld, 21 Apr 2015
Flaw in the third-party library AFNetworking broke HTTPS certificate
validation, enabling man-in-the-middle attacks
http://www.infoworld.com/article/2912440/security/https-snooping-flaw-affected-1000-ios-apps-with-millions-of-users.html

Apps used by millions of iPhone and iPad owners became vulnerable to
snooping when a flaw was introduced into third-party code they used to
establish HTTPS connections. [...]


"Apple's OS X 'Rootpipe' patch flops, fails to fix flaw" (Gregg Keizer)

Gene Wirchenko <genew@telus.net>
Thu, 23 Apr 2015 10:10:41 -0700
Gregg Keizer, Computerworld, 21 Apr 2015
Researcher finds 'trivial way' to exploit privilege escalation
vulnerability after Apple tries to plug Yosemite hole
http://www.infoworld.com/article/2912620/operating-systems/apples-os-x-rootpipe-patch-flops-fails-to-fix-flaw.html


Shamir Reveals Sisyphus Algorithm

John Young <jya@pipeline.com>
April 22, 2015 at 12:24:20 PM EDT
  [An item on many cryptography lists, via Dave Farber,
  on Adi Shamir at the RSA Conference last week.]

Fully secure systems don't exist now and won't exist in the future.

Cryptography won't be broken, it will be bypassed.

Futility of trying to eliminate every single vulnerability in a given piece
of software.

https://threatpost.com/fully-secure-systems-dont-exist/112380#sthash.sKPz03sv.dpuf


'Flash Crash' 101: How could one guy do that?

Monty Solomon <monty@roscom.com>
Sat, 25 Apr 2015 11:08:06 -0400
Trader Charged in 'Flash Crash' Case to Fight Extradition to U.S.
The trader, Navinder Singh Sarao, is facing criminal fraud charges,
including claims that he helped set off a stock market crash in the United
States.
http://www.nytimes.com/2015/04/23/business/dealbook/trader-charged-in-flash-crash-case-to-fight-extradition-to-us.html

How did that UK trader allegedly cause the "flash crash"?
Ex-trader Raj Malhotra breaks it down.
  http://www.cnbc.com/id/102610451


All times are in UTC, any included timezone is ignored

Dan Jacobson <jidanni@jidanni.org>
Sat, 25 Apr 2015 12:38:12 +0800
In http://www.mediawiki.org/w/api.php?action=help&modules=main#main.datatypes
we read "All times are in UTC, any included timezone is ignored."

I say non-UTC timezones should instead raise errors!

Why?

Because one day, when you finally do implement parsing timezones, the system
will be upwardly compatible.

Each day you let users enter timezones that are ignored, one day when you
finally do parse them correctly, you'll have all the more users scratching
their heads as to why results are suddenly different.

(Sure you can blame the users for not reading the instructions. But it is
more likely they have already added a skew to correct for what turns out to
be an ignored time zone.)

OK I filed https://phabricator.wikimedia.org/T97214
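The two behaviours Dan contrasts, as an added example (my code, not MediaWiki's): a lenient parser that discards the suffix as the API documentation describes, a strict one that rejects any non-UTC offset, and a function standing in for a future version that honours offsets, so the silent skew that strictness prevents can be measured. The timestamps are constructed.

```python
"""Strict versus lenient handling of timezone suffixes on API timestamps.

Added example, not MediaWiki's code. parse_lenient() is the documented
behaviour ("all times are in UTC, any included timezone is ignored");
parse_strict() is what Dan Jacobson proposes: anything other than UTC is an
error. parse_honouring_offsets() stands for a future version that does
honour offsets, and skew_hours() shows how far results would silently move
for inputs the lenient parser accepted. Timestamps are constructed.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# ISO-8601 form with an optional 'Z' or +-HH:MM / +-HHMM suffix.
_TS = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:(Z)|([+-])(\d{2}):?(\d{2}))?$")


def _split(s: str) -> Tuple[datetime, Optional[timedelta]]:
    """Return (naive wall-clock time, offset): offset is None when no suffix
    was given, timedelta(0) for 'Z' or +00:00, otherwise the signed offset."""
    m = _TS.match(s)
    if not m:
        raise ValueError(f"unrecognised timestamp: {s!r}")
    naive = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    if m.group(2):
        return naive, timedelta(0)
    if m.group(3) is None:
        return naive, None
    sign = 1 if m.group(3) == "+" else -1
    return naive, sign * timedelta(hours=int(m.group(4)), minutes=int(m.group(5)))


def parse_lenient(s: str) -> datetime:
    """Documented behaviour: the suffix is discarded and the digits are read
    as UTC, so '12:38:12+08:00' is taken as 12:38 UTC, eight hours late."""
    naive, _ = _split(s)
    return naive.replace(tzinfo=timezone.utc)


def parse_strict(s: str) -> datetime:
    """Proposed behaviour: accept no suffix, 'Z' or +00:00; reject the rest,
    so that honouring offsets later cannot change the meaning of any input
    that was previously accepted."""
    naive, off = _split(s)
    if off is not None and off != timedelta(0):
        raise ValueError(f"non-UTC offset {off} not supported; send UTC")
    return naive.replace(tzinfo=timezone.utc)


def parse_honouring_offsets(s: str) -> datetime:
    """A future version that interprets the suffix and normalises to UTC."""
    naive, off = _split(s)
    return naive.replace(tzinfo=timezone(off or timedelta(0))).astimezone(timezone.utc)


def skew_hours(s: str) -> float:
    """Hours by which the lenient reading differs from the true instant: the
    surprise a user sees the day offsets start being honoured."""
    return (parse_lenient(s) - parse_honouring_offsets(s)).total_seconds() / 3600


if __name__ == "__main__":
    for ts in ("2015-04-25T12:38:12Z", "2015-04-25T12:38:12+08:00"):
        print(ts, "lenient", parse_lenient(ts), "skew", skew_hours(ts), "h")
        try:
            print(ts, "strict", parse_strict(ts))
        except ValueError as e:
            print(ts, "strict rejected:", e)
```

A user who today sends "+08:00" and has learnt to subtract eight hours by hand gets a result that moves by exactly those eight hours on the day the offset starts to count; the strict parser has been telling that user to send UTC all along, so nothing accepted before changes meaning.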


Court: Iowa casino doesn't have to pay $41M jackpot error

Monty Solomon <monty@roscom.com>
Fri, 24 Apr 2015 21:14:09 -0400
http://m.stltoday.com/news/state-and-regional/illinois/court-iowa-casino-doesn-t-have-to-pay-m-jackpot/article_e0299503-e7e7-5003-a918-df7ae3b78bc4.html?mobile_touch=true


Security scholarship awardees announced

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Thu, 23 Apr 2015 15:27:17 -0400
We talk on this list about the many risks to security and privacy of
technology.  And it's almost always a pretty bleak picture.

But today, I'd like to mention a sunnier side - getting more women involved
in the field.

Four years ago, ACSA founded the Scholarships for Women Studying Information
Security program (www.swsis.org).  A year ago, HP made a generous
contribution to allow us to grow the program.  (Contributions from others
are welcome - please contact me!)

I'm proud to announce the 16 SWSIS Scholars for 2015-16, each of whom has
received a scholarship to further their undergraduate or master's degree.
The HP press release can be found at
http://money.cnn.com/news/newsfeeds/articles/marketwire/1188849.htm

Photos and bios of most of the awardees can be found at
https://swsis.wordpress.com/2015-16-awardees/

The 2015-16 SWSIS Scholars are:

Evelyn Brown, Embry Riddle Aeronautical University, Prescott
Priya Chawla, University of Cincinnati
Shelby Cunningham, Carnegie Mellon University
Alejandra Diaz, University of Maryland Baltimore County
Fumi Honda, Stony Brook University
Ashley Huffman, Northern Kentucky University
Cindy Jong, DePaul University
Madison Oliver, Pennsylvania State University
Mary Sharp, Marshall University
Imani Sherman, Kentucky State University
Angela Sun, Michigan State University
Kebra Thompson, University of Washington, Tacoma
Stefanye Walkes, California State University, Dominguez Hills
Gena Welk, University of Colorado at Boulder
Leah Xu, University of Maryland at College Park
Brooke Young, University of Maryland Baltimore County

Thanks in particular to Rebecca Wright from Rutgers University and CRA-W,
and her team, who sifted through the applications to select the winners.

Jeremy Epstein, Founder, Scholarship for Women Studying Information Security
Applied Computer Security Associates, Inc.


"Bob Wachter on Technology and Hospitals at Medium" (Re: Mundkur, RISKS-28.59)

Gene Wirchenko <genew@telus.net>
Thu, 23 Apr 2015 23:18:06 -0700
> A 5-part series of articles by Bob Wachter, a UCSF MD and author of "The
> Digital Doctor: Hope, Hype, and Harm at the Dawn of Medicine's Computer
> Age", that would be appreciated by the RISKS audience, collected here:
>   https://medium.com/@Bob_Wachter

I think that Mundkur grossly understated the value of this article series.

I have been reading RISKS for many years, and no other information that I
have read in connection with risks has hit anywhere nearly as hard as this
article series did.

The series is very clear and full of detail so it is easy to see how the
horrific chain of events that is the main story came to happen.

If you have not already read this series, please do so.

  [Gene's `grossly understated' seems *grossly overstated*, considering
  Prashanth did a wonderful thing by mentioning that this series of articles
  would be appreciated by RISKS readers.  As a result, I for one really
  appreciate Bob's efforts, and echo Gene's comments on the significance of
  Bob Wachter's work.  Incidentally, a `Wachter' is a watcher (auf deutsch),
  and that translation of Bob's name would indeed be a gross understatement
  of Bob's role in this five-part series.  It really deserves careful
  scrutiny.  PGN]


Re: Kali Linux security is a joke! (Jackson, RISKS-28.59)

Henry Baker <hbaker1@pipeline.com>
Wed, 01 Apr 2015 06:11:13 -0700
This issue has been discussed at length on the crypto email list, and here
are the conclusions, as I see them:

* md5 itself is broken; there are better hashes around, so the
recommendation of md5 on the Kali web page is indeed a joke (although not
quite the same joke I originally had in mind).

* https/TLS does not solve all SW distribution problems, but using it in
conjunction with various signature mechanisms does make an attacker have to
work harder and actively; http makes passive observation way too easy.  Once
an attacker knows exactly what SW you have, you are much easier to attack.

* http makes a MITM/DOS attack trivial; you may never get a bad piece of SW,
but you may also never get any SW update at all.

Regarding "what would Henry Baker do" when designing a SW update mechanism:
I'm not completely sure.  The threat model for SW distribution today
includes nation-states with "acres of Crays", with no regulatory, budget or
location constraints, and with the entire Internet as a "free fire zone";
this threat model may not have been anticipated by many of the SW
distribution systems in existence today.

SW distribution has been successfully attacked before (Stuxnet), and will
continue to be attacked, because it is a Willie Sutton target—"that's
where the money is".

http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/

"You must reboot your computer now to finish installing the latest security
updates.  NSA/GCHQ/... thanks you for your support in their war of^Hn
terror."
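Henry's three conclusions, turned into the checks an update client would make, as an added example that is neither Kali's nor any distributor's tooling: MD5 (and SHA-1) digests are refused outright, the SHA-256 digest is compared in constant time, the manifest must carry a valid signature, the image URL must be https, and a manifest past its expiry counts as a failed update rather than "nothing new", which is the outcome an attacker who can block or replay plain-http traffic would otherwise get for free. Standard-library Python has no public-key signatures, so an HMAC over the manifest stands in for the publisher's signature here; a real distributor signs with a GPG or Ed25519 key. The key, manifest fields, URL and image bytes are all constructed.

```python
"""Client-side checks on a downloaded image and its manifest.

Added example, not Kali's or any distributor's tooling. It encodes the
conclusions above as code: MD5 (and SHA-1) digests are refused, the SHA-256
digest is compared in constant time, the manifest must carry a valid
signature, and a manifest past its expiry is treated as a failed update, not
as 'no update available', since that is what an attacker who can block or
replay plain-http traffic would otherwise achieve. Standard-library Python
has no public-key signatures, so an HMAC over the manifest stands in for the
publisher's signature here (a real distributor signs with a GPG or Ed25519
key). The key, manifest fields, URL and image bytes are all constructed.
"""
import hashlib
import hmac
import json
from typing import Tuple

ALLOWED_DIGESTS = {"sha256", "sha512"}         # md5 and sha1 deliberately absent
PUBLISHER_KEY = b"constructed-stand-in-for-the-publisher-signing-key"


def _canonical(fields: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(fields: dict, key: bytes = PUBLISHER_KEY) -> dict:
    """What the publisher does (HMAC as a stand-in for a real signature)."""
    sig = hmac.new(key, _canonical(fields), "sha256").hexdigest()
    return {**fields, "sig": sig}


def verify_update(manifest: dict, image: bytes, now: float,
                  key: bytes = PUBLISHER_KEY) -> Tuple[bool, str]:
    """Return (ok, reason). Order: signature, freshness, transport, digest
    algorithm, then the digest itself; nothing is trusted before it is signed."""
    fields = {k: v for k, v in manifest.items() if k != "sig"}
    expected = hmac.new(key, _canonical(fields), "sha256").hexdigest()
    if not hmac.compare_digest(str(manifest.get("sig", "")), expected):
        return False, "manifest signature invalid"
    if now > fields.get("expires", 0):
        return False, "manifest expired: update feed may be blocked or replayed"
    if not str(fields.get("url", "")).startswith("https://"):
        return False, "image URL is not https; passive observation and MITM are trivial"
    alg = fields.get("digest_alg")
    if alg not in ALLOWED_DIGESTS:
        return False, f"digest algorithm {alg!r} not accepted"
    actual = hashlib.new(alg, image).hexdigest()
    if not hmac.compare_digest(actual, str(fields.get("digest", ""))):
        return False, "image digest mismatch"
    return True, "ok"


# Constructed test data: a tiny 'image' and a manifest signed for it.
IMAGE = b"constructed image contents, standing in for an ISO\n"
NOW = 1_430_000_000                     # late April 2015, as a Unix time
MANIFEST = sign_manifest({
    "name": "example-image.iso",
    "url": "https://example.invalid/example-image.iso",
    "digest_alg": "sha256",
    "digest": hashlib.sha256(IMAGE).hexdigest(),
    "expires": NOW + 7 * 86400,
})


def md5_manifest() -> dict:
    """A correctly signed manifest that nevertheless uses MD5: still refused,
    before the digest value is even looked at."""
    fields = {k: v for k, v in MANIFEST.items() if k != "sig"}
    return sign_manifest({**fields, "digest_alg": "md5", "digest": "0" * 32})


if __name__ == "__main__":
    print(verify_update(MANIFEST, IMAGE, NOW))
    print(verify_update(MANIFEST, IMAGE + b"x", NOW))
    print(verify_update(md5_manifest(), IMAGE, NOW))
    print(verify_update(MANIFEST, IMAGE, NOW + 30 * 86400))
```

The expiry check is the part most update mechanisms lack: without it, an attacker who can simply drop the update traffic (trivial over http, as the third bullet says) leaves the client believing it is current indefinitely.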
