The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 64

Saturday 16 May 2015

Contents

Amtrak Says It Was Just Months Away From Installing Safety System
NYTimes
Self-driving cars are getting into accidents in California
LATimes
Worker fired for disabling GPS app that tracked her 24 hours a day
David Kravets via Jim Reisert
Banned Researcher Commandeered a Plane
Kim Zetter
United launches bug bounty (but in-flight systems off limits)
Jeremy Kirk
A Phantom Offer Sends Avon's Shares Surging
NYTimes
The big drug database in the sky: One firefighter's year-long legal nightmare
Gabe Goldberg
"Rombertik malware destroys computers if detected"
Jeremy Kirk
Extremely serious virtual machine bug threatens cloud providers everywhere
Ars Technica
"Google Confirms Cops Can Wiretap Your Hangouts"
Vice.com
Cybersecurity company accused of extortion
Henry Baker
Former federal employee busted for attempted cyber-attack to sell nuclear secrets
Gabe Goldberg
Mobile Spy Software Maker mSpy Hacked, Customer Data Leaked
Krebs via Lauren Weinstein
Team cracks Nvidia GPUs with malware for Windows and OS X
Digital Trends
Penn State severs engineering network after "incredibly serious" intrusion
Ars Technica
Anonymous accused of running a botnet using thousands of hacked home routers
Daily Dot
Witness Accounts in Midtown Hammer Attack Show the Power of False Memory
NYTimes
Trains re: All cars must have tracking devices
David Damerell
Re: Computer Scientists Use Twitter to Predict UK General Election Result
Gene Wirchenko
Re: Dealing with rogue drones, Copping a 'copter
Dick Mills
Re: Authentication vs Identification ...
John Levine
Info on RISKS (comp.risks)

Amtrak Says It Was Just Months Away From Installing Safety System

Monty Solomon <monty@roscom.com>
Thu, 14 May 2015 21:24:14 -0400
http://www.nytimes.com/2015/05/15/us/amtrak-says-it-was-just-months-away-from-installing-safety-system.html

The railroad said technical and regulatory roadblocks had delayed operation
of the system, which might have prevented this week's train derailment.


Self-driving cars are getting into accidents in California

Monty Solomon <monty@roscom.com>
Tue, 12 May 2015 08:55:59 -0400
http://www.latimes.com/business/la-fi-self-driving-accidents-20150512-story.html


Worker fired for disabling GPS app that tracked her 24 hours a day (David Kravets)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Mon, 11 May 2015 19:02:15 -0600
"This intrusion would be highly offensive to a reasonable person."

David Kravets, Ars Technica, 11 May 2015
http://arstechnica.com/tech-policy/2015/05/worker-fired-for-disabling-gps-app-that-tracked-her-24-hours-a-day/

Let's just jump to the end of the article, shall we?

"The app had a 'clock in/out' feature which did not stop GPS monitoring,
that function remained on. This is the problem about which Ms. Arias
complained. Management never made mention of mileage. They would tell her
co-workers and her of their driving speed, roads taken, and time spent at
customer locations. Her manager made it clear that he was using the program
to continuously monitor her, during company as well as personal time."


Banned Researcher Commandeered a Plane (Kim Zetter)

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 15 May 2015 21:12:42 PDT
  (Courtesy of Dan Farmer: Fly the unfriendly skies?)

Kim Zetter, Feds Say That Banned Researcher Commandeered a Plane
http://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/

A security researcher kicked off a United Airlines flight last month after
tweeting about security vulnerabilities in its system had previously taken
control of an airplane and caused it to briefly fly sideways, according to
an application for a search warrant filed by an FBI agent.

Chris Roberts, a security researcher with One World Labs, told the FBI agent
during an interview in February that he had hacked the in-flight
entertainment system, or IFE, on an airplane and overwrote code on the
plane's Thrust Management Computer while aboard the flight. He was able to
issue a climb command and make the plane briefly change course, the document
states.

FBI Special Agent Mark Hurley: “He stated that he thereby caused one of the
airplane engines to climb resulting in a lateral or sideways movement of the
plane during one of these flights, He also stated that he used Vortex
software after comprising/exploiting or hacking the airplane's networks. He
used the software to monitor traffic from the cockpit system.''

Hurley filed the search warrant application last month after Roberts was
removed from a United Airlines flight from Chicago to Syracuse, New York,
because he published a facetious tweet suggesting he might hack into the
plane's network. Upon landing in Syracuse, two FBI agents and two local
police officers escorted him from the plane and interrogated him for several
hours. They also seized two laptop computers and several hard drives and USB
sticks. Although the agents did not have a warrant when they seized the
devices, they told Roberts a warrant was pending.

A media outlet in Canada obtained the application for the warrant today and
published it online.

http://aptn.ca/news/2015/05/15/hacker-told-f-b-made-plane-fly-sideways-cracking-entertainment-system/

The information outlined in the warrant application reveals a far more
serious situation than Roberts has previously disclosed.

Roberts had previously told WIRED that he caused a plane to climb during a
simulated test on a virtual environment he and a colleague created, but he
insisted that he had not interfered with the operation of a plane while in
flight.

He told WIRED that he did access in-flight networks about 15 times during
various flights but had not done anything beyond explore the networks and
observe data traffic crossing them. According to the FBI affidavit, however,
he mentioned this to agents as well last February but also added that he had
briefly commandeered a plane during one of those flights. He told the FBI
that the flights on which he accessed the in-flight networks more than a
dozen times occurred between 2011 and 2014, but the affidavit does not
indicate exactly which flight he allegedly caused to turn to the side.

He obtained physical access to the networks through the Seat Electronic Box,
or SEB. These are installed two to a row, on each side of the aisle under
passenger seats, on certain planes. After removing the cover to the SEB by
`wiggling and Squeezing the box', Roberts told agents he attached a Cat6
ethernet cable, with a modified connector, to the box and to his laptop and
then used default IDs and passwords to gain access to the inflight
entertainment system. Once on that network, he was able to gain access to
other systems on the planes.

Reaction in the security community to the new revelations in the affidavit
has been harsh. Although Roberts hasn't been charged yet with any
crime, and there are questions about whether his actions really did cause
the plane to list or he simply thought they did, a number of security
researchers have expressed shock that he attempted to tamper with a plane
during a flight.

“I find it really hard to believe but if that is the case he deserves going
to jail,'' wrote Jaime Blasco, director of AlienVault Labs in a tweet.

Alex Stamos, chief information security officer of Yahoo, wrote in a tweet,
“You cannot promote the (true) idea that security research benefits
humanity while defending research that endangered hundreds of innocents.''

  [Wonderful long item truncated for RISKS.  PGN]


United launches bug bounty (but in-flight systems off limits) (Jeremy Kirk)

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 16 May 2015 10:35:30 PDT
Jeremy Kirk (CSO), 15 May 2015
http://www.cso.com.au/article/575093/united-launches-bug-bounty-in-flight-systems-off-limits/

United Airlines is offering rewards to researchers for finding flaws in its
websites but the company is excluding bugs related to in-flight systems,
which the U.S. government says may be increasingly targeted by hackers.

The bug bounty program rewards people with miles that can be used for the
company's Mileage Plus loyalty program as opposed to cash, which web giants
such as Google, Facebook and Yahoo pay.


A Phantom Offer Sends Avon's Shares Surging

Monty Solomon <monty@roscom.com>
Fri, 15 May 2015 08:29:44 -0400
http://www.nytimes.com/2015/05/15/business/dealbook/a-phantom-offer-sends-avons-shares-surging.html


The big drug database in the sky: One firefighter's year-long legal nightmare

Gabe Goldberg <gabe@gabegold.com>
Tue, 12 May 2015 22:17:17 -0400
Together, Miller and Smith form the basis for what is now known as the
"third-party doctrine." In its simplest form, the doctrine says that
whenever someone hands over a private piece of information to a third party
for a specific purpose, the Fourth Amendment doesn't protect her from a
warrantless search of this information by authorities since she has already
given up her privacy interest in the information by sharing it.

The doctrine "has been problematic throughout the years, and with every
passing year the problems get more and more stark," said Nathan Wessler, a
staff attorney at the American Civil Liberties Union who is litigating a
prescription drug database case in Oregon. Nearly everything we do online
reveals information to a third party, from e-mail stored in the cloud to
photo sharing to instant messaging to browsing the Web to geolocation.

"It's totally clear that this doctrine has no place today in the digital
age," Wessler added. "It's really impossible to participate in modern life,
in social life, in work and business, to get medical care and legal advice
without using digital technology and leaving behind a trail and digital
bread crumbs."

http://arstechnica.com/tech-policy/2015/05/the-big-drug-database-in-the-sky-one-firefighters-year-long-legal-nightmare/

Gabriel Goldberg, 3401 Silver Maple Place, Falls Church, VA 22042
(703) 204-0433 gabe@gabegold.com


"Rombertik malware destroys computers if detected" (Jeremy Kirk)

Gene Wirchenko <genew@telus.net>
Thu, 14 May 2015 09:55:51 -0700
Jeremy Kirk, InfoWorld, 5 May 2015
Rombertik is designed to steal any plain text entered into a browser window
http://www.infoworld.com/article/2918401/security/rombertik-malware-destroys-computers-if-detected.html

A new type of malware resorts to crippling a computer if it is detected
during security checks, a particularly catastrophic blow to its
victims. [...]


Extremely serious virtual machine bug threatens cloud providers everywhere (Ars Technica)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 13 May 2015 13:48:13 PDT
http://arstechnica.com/security/2015/05/extremely-serious-virtual-machine-bug-threatens-cloud-providers-everywhere/

http://www.zdnet.com/article/venom-security-flaw-millions-of-virtual-machines-datacenters/

  [This may be the tip of an iceberg in recognizing more broadly the risks
  inherent in outsourcing to a provider of unknown trustworthiness.  PGN]


"Google Confirms Cops Can Wiretap Your Hangouts" (Vice.com)

Lauren Weinstein <lauren@vortex.com>
Tue, 12 May 2015 09:12:25 -0700
http://motherboard.vice.com/read/google-confirms-cops-can-wiretap-your-hangouts

  "We asked Google to clarify, or elaborate, on Monday, and a spokesperson
  confirmed that Hangouts doesn't use end-to-end encryption. That makes it
  technically possible for Google to wiretap conversations at the request of
  law enforcement agents, even when you turn on the "off the record"
  feature, which actually only prevents the chat conversations from
  appearing in your history--it doesn't provide extra encryption or
  security.  It's unclear how many times this actually happens, however. In
  all likelihood, it's a rare occurrence."

There has never been a claim of end-to-end crypto for Hangouts. Given the
integration of Hangouts to both mobile and desktop, and the various history
options, end-to-end crypto in that environment would be a nontrivial
undertaking. Not every service is appropriate for every kind of
communication.

  [LATER NOTE FROM LAUREN ADDED BY PGN:
    The video of the discussion Hangout I hosted yesterday on the topic of
    the EU's "Right To Be Forgotten" and its ramifications is now available.
    Special thanks to the participants for a thoughtful hour!
      https://www.youtube.com/watch?v=ZSdhMfsxWOs
  ]


Cybersecurity company accused of extortion

Henry Baker <hbaker1@pipeline.com>
Thu, 14 May 2015 11:57:24 -0700
A cybersecurity company has been accused of using FBI/NSA-style
"cybersecurity" extortion against clients.  Clearly, private companies like
LabMD are less willing than the US Congress to abide these extortion
attempts.  Tell me that cover story again about that "drunken govt employee"
who "inadvertently" flew his "private" drone onto the White House lawn...

Apparently, when govt spooks go into private business, they forget to change
their modus operandi...

Jose Pagliery, CNNMoney, 7 May 2015
Whistleblower accuses cybersecurity company of extorting clients
http://money.cnn.com/2015/05/07/technology/tiversa-labmd-ftc/index.html

A cybersecurity company faked hacks and extorted clients to buy its
services, according to an ex-employee.  In a federal court this week,
Richard Wallace, a former investigator at cybersecurity company Tiversa,
said the company routinely engaged in fraud—and mafia-style shakedowns.
To scare potential clients, Tiversa would typically make up fake data
breaches, Wallace said.  Then it pressured firms to pay up.  "Hire us or
face the music," Wallace said on Tuesday at a federal courtroom in
Washington, D.C.  CNNMoney obtained a transcript of the hearing.

The results were disastrous for at least one company that stood up to
Tiversa and refused to pay.  In 2010, Tiversa scammed LabMD, a cancer
testing center in Atlanta, Wallace testified.  Wallace said he tapped into
LabMD's computers and pulled the medical records.  The cybersecurity firm
then alerted LabMD it had been hacked.  Tiversa offered it emergency
"incident response" cybersecurity services.  After the lab refused the
offer, Tiversa threatened to tip off federal regulators about the "data
breach."  When LabMD still refused, Tiversa let the Federal Trade Commission
know about the "hack."  [... LONG ITEM truncated for RISKS.  PGN]


Former federal employee busted for attempted cyber-attack to sell nuclear secrets

Gabe Goldberg <gabe@gabegold.com>
Thu, 14 May 2015 16:31:44 -0400
A former employee of the U.S. Department of Energy and U.S. Nuclear
Regulatory Commission was busted in an FBI sting for allegedly attempting to
set off a "spear fishing" cyber-attack to extract nuclear information from
the agency for personal gain.

http://www.foxnews.com/politics/2015/05/09/former-department-energy-employee-busted-for-attempted-cyber-attack-to-sell/

Gabriel Goldberg, 3401 Silver Maple Place, Falls Church, VA 22042
(703) 204-0433  gabe@gabegold.com


Mobile Spy Software Maker mSpy Hacked, Customer Data Leaked

Lauren Weinstein <lauren@vortex.com>
Thu, 14 May 2015 19:41:51 -0700
http://krebsonsecurity.com/2015/05/mobile-spy-software-maker-mspy-hacked-customer-data-leaked/

  mSpy, the makers of a dubious software-as-a-service product that claims to
  help more than two million people spy on the mobile devices of their kids
  and partners, appears to have been massively hacked.  Last week, a huge
  trove of data apparently stolen from the company's servers was posted on
  the Deep Web, exposing countless emails, text messages, payment and
  location data on an undetermined number of mSpy "users."

Live by the sword, die by the sword.

 [Also noted by Henry Baker, who remarked:
   “Any pot with this much honey will get hacked.  Any bets on how long
   before Bluffdale gets hacked (again)?''
  PGN]


Team cracks Nvidia GPUs with malware for Windows and OS X (Digital Trends)

"Bob Frankston" <bob19-0501@bobf.frankston.com>
15 May 2015 19:39:46 -0400
http://www.digitaltrends.com/computing/graphics-cards-beware-a-new-style-of-osx-malware-can-hide-in-the-ram-of-gpus/


Penn State severs engineering network after "incredibly serious" intrusion (Ars Technica via NNSquad)

Lauren Weinstein <lauren@vortex.com>
Fri, 15 May 2015 14:34:54 -0700
http://arstechnica.com/security/2015/05/penn-state-severs-engineering-network-after-incredibly-serious-intrusion/

  "Penn State's College of Engineering has been disconnected from the
  Internet so it can recover from two serious computer intrusions that
  exposed personal information for at least 18,000 people and possibly other
  sensitive data, officials said Friday.  The group responsible for one of
  the attacks appears to be based in China, a country many security analysts
  have said actively hacks and trawls the computer networks of western
  nations for a wide range of technical data.  University officials said
  there's no evidence that the intruders obtained research data, but they
  didn't rule the possibility out.  Officials have known of the breach since
  November 21, when the FBI reported an attack on the engineering college
  network by an outside entity."


Anonymous accused of running a botnet using thousands of hacked home routers (Daily Dot)

Lauren Weinstein <lauren@vortex.com>
Tue, 12 May 2015 08:27:14 -0700
http://www.dailydot.com/politics/botnet-incapsula-research-report-default/

  "Lazy security has allowed various groups of hackers, likely including
  Anonymous, to hijack hundreds of thousands of home and office Internet
  routers, according to a new report from cybersecurity firm Incapsula."

Well, "lax" security, anyway.


Witness Accounts in Midtown Hammer Attack Show the Power of False Memory

Monty Solomon <monty@roscom.com>
Fri, 15 May 2015 09:04:11 -0400
http://www.nytimes.com/2015/05/15/nyregion/witness-accounts-in-midtown-hammer-attack-show-the-power-of-false-memory.html

Two people who saw a police encounter on Wednesday reported different
details; surveillance videotape showed that both of them were wrong.


Trains re: All cars must have tracking devices (Levine, RISKS-28.63)

David Damerell <damerell@chiark.greenend.org.uk>
Wed, 13 May 2015 18:49:44 +0100
An increasingly common arrangement (in the UK, at least) is that the signal
control room can observe the level crossing via CCTV. That, especially with
in-cab signaling, might allow the train to start a brake application before
the driver or radar could see the stranded vehicle, either not hitting it or
buying time.

However - while I'm not disputing that people would do it - the
fundamental problem here seems to be:
 1) your vehicle stops moving on a level crossing.
 2) the level crossing gates close.
 3) you stay in the vehicle.

There is not much the railway can do about that.


Re: Computer Scientists Use Twitter to Predict UK General Election Result (Page, RISKS-28.62)

Gene Wirchenko <genew@telus.net>
Mon, 11 May 2015 18:52:26 -0700
Congratulations to Mr. Page et al. on a very good result, BUT what about the
people who do not use Twitter?  Excluding them could skew results.  There is
a famous precedent: *The Literary Digest*'s failure to predict the 1936
U.S. presidential election, as covered at:
  http://www.math.uah.edu/stat/data/LiteraryDigest.html

Some quotes from that article:

  "The prospective voters were chosen from the subscription list of the
  magazine, from automobile registration lists, from phone lists, and from
  club membership lists."

  "Based on the poll, The Literary Digest predicted that Landon would win
  the 1936 presidential election with 57.1% of the popular vote and an
  electoral college margin of 370 to 161. In fact, Roosevelt won the
  election with 60.8% of the popular vote (27,751,841 to 16,679,491) and an
  electoral college landslide of 523 to 8 (the largest ever in a
  presidential election). Roosevelt won 46 of 48 states, losing only Maine
  and Vermont.

  "The *Literary Digest*, using similar techniques, had correctly predicted
  the outcome of the last four presidential elections. But in this case,
  the magazine was not just wrong, it was spectacularly wrong. In part
  because of the subsequent loss of prestige and credibility, the magazine
  died just two years later.

  "What went wrong? Clearly the sample was skewed towards wealthier
  voters--those who could afford magazine subscriptions, cars, phones, and
  club memberships in the depths of the Great Depression. This sort of bias
  would not matter if wealthier voters behaved in a similar manner to
  voters as a whole (as was basically the case in the previous four
  elections). But in 1936, at a time of great tension between economic
  classes, this was definitely not the case.

  "Another problem, not easily understood, is self-selection bias.  Were
  the voters who chose to return the questionnaires different, in terms of
  how they planned to vote, from the voters who did not respond?"

Note that "The Literary Digest" had been correct for the previous four
elections and then stunningly blew it.  Might we have a repeat coming up?


Re: Dealing with rogue drones, Copping a 'copter (RISKS-28.62)

Dick Mills <dickandlibbymills@gmail.com>
Fri, 15 May 2015 17:45:20 -0400
On the *Economist* article about authorities trying to thwart drones:
They'd better be careful; I saw this in recent news.

"The Federal Aviation Administration felt the need to issue a statement
Friday asking the general public not to shoot at drones flying overhead as
a small Colorado town is considering an ordinance urging townsfolk to shoot
down unmanned aerial vehicles.  'Shooting at an unmanned aircraft could
result in criminal or civil liability, just as would firing at a manned
airplane,' the statement from the FAA read."

http://defensetech.org/2013/07/22/faa-to-town-please-dont-shoot-down-drones/

Other news comments warn states and law enforcement about the same legal
liability risk if they did take action against drones. The legal status of
drones needs clarification.


Re: Authentication vs Identification ... (Brodbeck, RISKS-28.63)

"John Levine" <johnl@iecc.com>
12 May 2015 00:24:32 -0000
That horse left the barn several generations ago, unfortunately.

The problem is the fiction that the SSN is secret, so anyone who presents
your SSN must be you.  I'd prefer to address it directly by saying, sure,
they can demand an SSN all they want, but any transaction validated with an
SSN isn't enforceable.

Did they ask for your SSN when you applied for a credit card?  Great!  You
don't have to pay the bill.

Did they use your SSN to request a credit report?  They better not make any
adverse decisions based on it.

This might be a challenge to enforce, but I think the idea is right.  There
are other issues like the lack of a check digit and the dense number space
makes it way too easy to get the number wrong (transpose the last two digits
and you'll likely have the valid SSN of someone else born roughly when and
where you were), but they're side issues compared to the faux secrecy.
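Levine's aside about the missing check digit, illustrated with an added Python example that is not part of his post: a bare nine-digit identifier accepts every adjacent-digit transposition as well-formed, while the same number carrying a Damm check digit rejects all of them. The SSN value is a constructed sample, and the function names are assumptions of this example.

```python
"""Added example, not from the RISKS post: what a check digit buys.
Levine's point: an SSN has no check digit, so transposing two digits
yields another well-formed number.  The Damm algorithm appends one check
digit from a quasigroup table and detects every single-digit error and
every adjacent transposition.  The SSN below is a constructed sample."""

# Damm quasigroup: row = running interim digit, column = next input digit.
DAMM_TABLE = [
    [0, 3, 1, 7, 5, 9, 8, 6, 4, 2],
    [7, 0, 9, 2, 1, 5, 4, 8, 6, 3],
    [4, 2, 0, 6, 8, 7, 1, 3, 5, 9],
    [1, 7, 5, 0, 9, 8, 3, 4, 2, 6],
    [6, 1, 2, 3, 0, 4, 5, 9, 7, 8],
    [3, 6, 7, 4, 2, 0, 9, 5, 8, 1],
    [5, 8, 6, 9, 7, 2, 0, 1, 3, 4],
    [8, 9, 4, 5, 3, 6, 2, 0, 1, 7],
    [9, 4, 3, 8, 6, 1, 7, 2, 0, 5],
    [2, 5, 8, 1, 4, 3, 6, 7, 9, 0],
]

def damm_check_digit(digits: str) -> str:
    """Fold the digits through the table; the final interim is the check digit."""
    interim = 0
    for ch in digits:
        interim = DAMM_TABLE[interim][int(ch)]
    return str(interim)

def damm_valid(digits_with_check: str) -> bool:
    """A correctly checked string folds to interim 0."""
    return digits_with_check.isdigit() and damm_check_digit(digits_with_check) == "0"

def is_well_formed_ssn(candidate: str) -> bool:
    """The only check a bare SSN supports: nine decimal digits."""
    return len(candidate) == 9 and candidate.isdigit()

def swap_adjacent(digits: str, i: int) -> str:
    """Transpose positions i and i+1, the classic data-entry slip."""
    return digits[:i] + digits[i + 1] + digits[i] + digits[i + 2:]

def undetected_transpositions(ssn: str) -> tuple[int, int]:
    """Count adjacent transpositions of two different digits that slip past
    (a) the bare nine-digit format check and (b) Damm validation of the
    same number with its check digit appended."""
    protected = ssn + damm_check_digit(ssn)
    plain_missed = checked_missed = 0
    for i in range(len(ssn) - 1):
        if ssn[i] == ssn[i + 1]:
            continue  # swapping equal digits changes nothing
        if is_well_formed_ssn(swap_adjacent(ssn, i)):
            plain_missed += 1
        if damm_valid(swap_adjacent(protected, i)):
            checked_missed += 1
    return plain_missed, checked_missed

def table_is_weak_totally_antisymmetric() -> bool:
    """The property behind the transposition guarantee:
    (c*x)*y == (c*y)*x must imply x == y for every c, x, y."""
    for c in range(10):
        for x in range(10):
            for y in range(10):
                if x != y and (DAMM_TABLE[DAMM_TABLE[c][x]][y]
                               == DAMM_TABLE[DAMM_TABLE[c][y]][x]):
                    return False
    return True

if __name__ == "__main__":
    sample = "123456789"  # constructed, not a real SSN
    print("check digit:", damm_check_digit(sample))
    print("missed (plain, checked):", undetected_transpositions(sample))
```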
