The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 70

Tuesday 16 June 2015

Contents

Armenia loses Internet access
PGN
Encryption "would not have helped" at OPM, says DHS official
Ars
Report: Russia, China Crack Snowden Docs
Daily Beast via LW
LastPass hacked—here's what to do now
ComputerWorld via LW
Sex, lies and debt potentially exposed by OPM data hack—and more
Arshad Mohammed and Joseph Menn plus Conor Friedersdorf via Henry Baker
St. Louis Cardinals Investigated by FBI for Hacking Astros
Michael S. Schmidt via Gabe Goldberg
"Be paranoid: 10 terrifying extreme hacks"
Roger A. Grimes
Re: Chris Roberts and Avionics Security
Rogier Wolff
Re: Corvette battery cable
Dimitri Maziuk
Info on RISKS (comp.risks)

Armenia loses Internet access

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 15 Jun 2015 19:01:20 PDT
  [Thanks to Paul Saffo.  PGN]

A 75-yr old woman digging for scrap metal cut into a fiber cable and cut off
Internet access for all of Armenia!

http://www.theguardian.com/world/2011/apr/06/georgian-woman-cuts-web-access

  [Perhaps she will get Armenial Servertude?]


Encryption "would not have helped" at OPM, says DHS official (Ars)

Lauren Weinstein <lauren@vortex.com>
Tue, 16 Jun 2015 12:59:18 -0700
Ars Technica via NNSquad
http://arstechnica.com/security/2015/06/encryption-would-not-have-helped-at-opm-says-dhs-official/

  But even if the systems had been encrypted, it would have likely not
  mattered. Department of Homeland Security Assistant Secretary for
  Cybersecurity Dr. Andy Ozment testified that encryption would "not have
  helped in this case" because the attackers had gained valid user
  credentials to the systems that they attacked--likely through social
  engineering. And because of the lack of multifactor authentication on
  these systems, the attackers would have been able to use those credentials
  at will to access systems from within and potentially even from outside
  the network.

NO 2-FACTOR CREDENTIALS. Pretty much criminal negligence at this point.


Report: Russia, China Crack Snowden Docs

Lauren Weinstein <lauren@vortex.com>
Sat, 13 Jun 2015 21:38:48 -0700
The Daily Beast via NNSquad
http://www.thedailybeast.com/cheats/2015/06/13/russia-china-got-snowden-files.html

  Russia and China have allegedly decrypted the top-secret cache of files
  stolen by whistleblower Edward Snowden, according to a report from The
  Sunday Times, to be published tomorrow. The info has compelled British
  intelligence agency MI6 to withdraw some of its agents from active
  operations and other Western intelligence agencies are now actively
  involved in rescue operations.

 - - -

If this report is true, it seems safe to assume that Snowden has likely lost
any chance he ever had of asylum or any other "minimum incarceration" return
to the West.


LastPass hacked—here's what to do now

Lauren Weinstein <lauren@vortex.com>
Mon, 15 Jun 2015 15:53:06 -0700
ComputerWorld via NNSquad
http://www.computerworld.com/article/2936144/cloud-computing/lastpass-hacked-itbwcw.html?shr=t

  LastPass, the cloud-based password manager, has been hacked. If you use
  LastPass, it's probably time for a precautionary master-password
  change. It might also be a good idea to check out the other options for
  securing your account.

I don't use cloud-based password services. Now you know why.


Sex, lies and debt potentially exposed by OPM data hack

Henry Baker <hbaker1@pipeline.com>
Mon, 15 Jun 2015 15:59:26 -0700
FYI—I'm very sorry about this OPM data breach, because some members of my
family may also be victims, but perhaps some of these very same government
officials may now "get religion" re privacy issues.

Either keep such information secure—using strong non-backdoorable
encryption—or don't keep it at all.  These 2 articles talk about the
risks & costs of *keeping* such information.

By Arshad Mohammed and Joseph Menn
Sex, lies and debt potentially exposed by U.S. data hack
https://ca.news.yahoo.com/sex-lies-debt-potentially-exposed-u-data-hack-054657057.html

WASHINGTON (Reuters)—When a retired 51-year-old military man disclosed in
a U.S. security clearance application that he had a 20-year affair with his
former college roommate's wife, it was supposed to remain a secret between
him and the government.

The disclosure last week that hackers had penetrated a database containing
such intimate and possibly damaging facts about millions of government and
private employees has shaken Washington.

The hacking of the White House Office of Personnel Management (OPM) could
provide a treasure trove for foreign spies.

The military man's affair, divulged when he got a job with a defense
contractor and applied to upgrade his clearance, is just one example of the
extensive potential for disruption, embarrassment and even blackmail arising
from the hacking.

The man had kept the affair secret from his wife for two decades before
disclosing it on the government's innocuously named Standard Form 86 (SF
86), filled out by millions of Americans seeking security clearances.

His case is described in a judge's ruling, published on the Pentagon
website, that he should keep his security clearance because he told the
government about the affair. His name is not given in the administrative
judge's decision.

The disclosure that OPM's data had been hacked sent shivers down the spines
of current and former U.S. government officials as they realized their
secrets about sex, drugs and money could be in the hands of a foreign
government.

The data that may be compromised by the incident, which was first reported
by the Associated Press, included the detailed personal information on the
SF 86 "QUESTIONNAIRE FOR NATIONAL SECURITY POSITIONS," according to
U.S. officials.

U.S. SUSPECTS LINK TO CHINA

As with another cyberattack on OPM disclosed earlier this month,
U.S. officials suspect it was linked to China, though they have less
confidence about the origins of the second attack than about the first.

China denies any involvement in hacking U.S. databases.

While the Central Intelligence Agency does its own clearance investigations,
agencies such as the State Department, Defense Department and National
Security Agency, which eavesdrops on the world, all use OPM's services to
some degree.

It was not immediately clear how many Americans' information may have been
compromised, nor precisely how many fill out form SF 86.  As of Oct. 1,
there were 4.51 million people cleared or eligible to receive national
security information, according to a report by the Office of the Director of
National Intelligence.

Intelligence veterans said the breach may prove disastrous because China
could use it to find relatives of U.S. officials abroad as well as evidence
of love affairs or drug use which could be used to blackmail or influence
U.S. officials.

An even worse scenario would be the mass unmasking of covert operatives in
the field, they said.

"The potential loss here is truly staggering and, by the way, these records
are a legitimate foreign intelligence target," said retired Gen. Michael
Hayden, a former CIA and NSA director.  "This isn't shame on China. This is
shame on us."

The SF 86 form, which is 127 pages long, is extraordinarily comprehensive
and intrusive.

Among other things, applicants must list where they have lived; contacts
with foreign citizens and travel abroad; the names and personal details of
relatives; illegal drug use and mental health counseling except in limited
circumstances.

A review of appeals of security denials published on the web shows the
variety of information now in possession of the hackers, including financial
troubles, infidelities, psychiatric diagnoses, substance abuse, health
issues and arrests.

"It's kind of scary that somebody could know that much about us," said a
former senior U.S. diplomat, pointing out the ability to use such data to
impersonate an American official online, obtain passwords and plunder bank
accounts.

SOME AGENCIES LESS VULNERABLE

A U.S. official familiar with security procedures, but who declined to be
identified, said some agencies do not use OPM for clearances, meaning their
employees' data was at first glance less likely to have been compromised.

However, the former senior diplomat said someone with access to a complete
set of SF 86 forms and to the names of officials at U.S. embassies, which
are usually public, could compare the two and make educated guesses about
who might be a spy.

"Negative information is an indicator just as much as a positive
information," said the former diplomat.

The case of the 51-year-old former military man who told the government, but
not his wife, about his 20-year affair came to light when he filed an appeal
because his effort to upgrade his security clearance ran into trouble.

According to a May 13 decision by an administrative judge who heard his
case, the man revealed the affair in the "Additional Comments" section of SF
86 in January 2012, ended the affair in 2013, and told his wife about it in
2014.

"DOD (Department of Defense) is aware of the affair because Applicant
disclosed it on his SF 86; the affair is over; and the key people in
Applicant's life are aware of it," the judge wrote, according to a Defense
Office of Hearings and Appeals document posted online.

His access to classified information was approved.

(Reporting by Arshad Mohammed in Washington and Joseph Menn in San Francisco; Additional reporting by Mark Hosenball; Editing by David Storey, Sue Horton and Alan Crosby)

  - - - -

Conor Friedersdorf, *The Atlantic*, Jun 2015
Adjusting to a World Where No Data Is Secure
If government and corporations cannot safeguard their digital files, then they should regularly purge sensitive information.
http://www.theatlantic.com/politics/archive/2015/06/what-if-no-data-held-by-government-or-corporations-is-secure/395810/

Imagine a piece of information that would be useful to store digitally if it
could be kept secure, but that would do more harm than good if it ever fell
into the wrong hands.  With Friday's news that “hackers have breached a
database containing a wealth of sensitive information from federal
employees' security background checks,” just that sort of fraught
information has arguably been exposed to hackers.

One of the documents that they got, the Questionnaire for National Security
Positions, asked federal workers and contractors seeking security clearances
“to disclose everything from mental illnesses, financial interests, and
bankruptcy issues to any brush with the law, major and minor drug and
alcohol use as well as a robust listing of an applicant's family members,
associates, or former roommates,” my colleague Adam Chandler explains.
“At the bottom of each page, a potential employee must submit his or her
social security number.  Given the length, that means if you're filling out
this document, you will write your SSN over 115 times.”

That trove of information was useful to the national security bureaucracy in
its efforts to stop espionage, monitor potential blackmail, and otherwise
police its employees.

Yet it now seems like the U.S. would have been better off reviewing
information about cleared employees on intake and then destroying it, rather
than retaining the records.  “These forms contain decades of personal
information about people with clearances,” Joel Brenner, a former
high-ranking intelligence official told the Washington Post, “which makes
them easier to recruit for espionage on behalf of a foreign country.”

In hindsight, retaining the documents betrayed a degree of hubris: National
security officials had excessive confidence in their ability to keep these
secrets from falling into the hands of malicious actors, so they risked
storing them indefinitely.

What else falls in this “better to destroy than to have stolen” category?

After Chelsea Manning, Edward Snowden, and numerous successful hacks of
various federal databases, perhaps the government should perform an audit
and a purge on the theory that it won't ever be competent enough to reliably
safeguard information.

Isn't there good reason to surmise that is true?

Perhaps the privacy activists who want to pass data retention laws forcing
private corporations to purge the data that they hold at periodic intervals
also have a point.  Would it be a national security threat if the Google
search histories and iPhone location data of all members of Congress,
U.S. military personnel, and American CEOs fell into the hands of Vladimir
Putin or China's government?  If so, perhaps it makes more sense to prohibit
retaining such information for longer than two years, even though the
precision of Internet ads might suffer as a result.

National security officials and Google leaders have institutional and
psychological incentives to assert and believe that if they're just careful
enough going forward, they can safeguard the information that they hold.
And we have an incentive to believe them.  Wouldn't it be great if our
government and corporations that make cool products for us could exploit the
benefits of unlimited data retention without any costs?

But I no longer believe that they can.  If you disagree, what sort of leak
or hack or data breach would it take to persuade you otherwise?  I expect
you'll see it sooner, rather than later.


St. Louis Cardinals Investigated by FBI for Hacking Astros (Michael S. Schmidt)

Gabe Goldberg <gabe@gabegold.com>
Tue, 16 Jun 2015 17:53:24 -0400
Michael S. Schmidt, *The New York Times*, 16 Jun 2015

The FBI and Justice Department prosecutors are investigating front-office
officials for the St. Louis Cardinals, one of the most successful teams in
baseball over the past two decades, for hacking into the internal networks
of a rival team to steal closely guarded information about player personnel.

Investigators have uncovered evidence that Cardinals officials broke into a
network of the Houston Astros that housed special databases the team had
built, according to law enforcement officials. Internal discussions about
trades, proprietary statistics and scouting reports were compromised, the
officials said.

The officials did not say which employees were the focus of the
investigation or whether the team's highest-ranking officials were aware of
the hacking or authorized it. The investigation is being led by the FBI's
Houston field office and has progressed to the point that subpoenas have
been served on the Cardinals and Major League Baseball for electronic
correspondence.

The attack represents the first known case of corporate espionage in which a
professional sports team has hacked the network of another team.  Illegal
intrusions into companies' networks have become commonplace, but it is
generally conducted by hackers operating in foreign countries, like Russia
and China, who steal large tranches of data or trade secrets for military
equipment and electronics.

Major League Baseball has been aware of and has fully cooperated with the
federal investigation into the illegal breach of the Astros' baseball
operations database, a spokesman for baseball's commissioner, Rob Manfred,
said in a written statement.

http://www.nytimes.com/2015/06/17/sports/baseball/st-louis-cardinals-hack-astros-fbi.html

  [Also noted by Jim Reisert.  PGN]


"Be paranoid: 10 terrifying extreme hacks" (Roger A. Grimes)

Gene Wirchenko <genew@telus.net>
Tue, 16 Jun 2015 12:14:36 -0700
Roger A. Grimes, InfoWorld, 15 Jun 2015
Nothing is safe, thanks to the select few hacks that push the limits
of what we thought possible
http://www.infoworld.com/article/2933868/hacking/10-extreme-hacks-to-be-truly-paranoid-about.html


Re: Chris Roberts and Avionics Security (Schneier, RISKS-28.69)

Rogier Wolff <wolff@bitwizard.nl>
Tue, 16 Jun 2015 09:54:09 +0200
> The real issue is that the avionics and the entertainment system are
> on the same network. That's an even stupider thing to do. Also last
> month, I wrote about the risks of hacking airplanes, and said that I
> wasn't all that worried about it. Now I'm more worried.

Are they?

With Boeing saying that "it is impossible" (at least at first), I suspect
that they have taken measures to prevent exactly what Roberts claims to have
accomplished.

Let's take a step back.

Think of a Boeing aviation electronics engineer. Turns out that
ethernet-connectivity on the plane is becoming more and more common. So
instead of having a separate wire running from each of the sensors in the
tail to the cockpit, there now is an ethernet link carrying information from
many different sensors along the plane.  Before you know it, also the
engines have ethernet connectivity and can be commanded over their ethernet
connection.

So, one day he's sitting in his office and a guy from the cabin-electronics
group walks in and says: "We have a plan for a new in-cabin-entertainment
system. We need ethernet connectivity and hear you already have an ethernet
link running along the plane, can we use that?"

Multiple choice time (*): He answers: A) Sure! B) Sure, as long as you
promise not to use more than 50% of the bandwidth, C) WTF are you thinking?

I have enough confidence in Boeing that they got this one right.

A few months later, the cabin-electronics guy walks into the aviation
electronics office again, and asks: "We get questions from the passengers if
they can get technical information about the flight on their infotainment
screen. Stuff like airspeed and altitude. We'd be no trouble at all, we can
gather this information from your flight-computer ourselves."  MC time
again... He suggests: A) Let's buy a hub: cheap, light, no hassle, great! B)
We need to buy a switch, otherwise traffic from the autopilot to the engines
will leak onto the entertainment network. C) We need a firewall.

I still have enough confidence in Boeing that they got this right.  But from
the claims from the FBI and Chris, I strongly suspect that from this point
on some mistakes were made. Somehow the "firewall" function got integrated
into a computer "already there" or the firewall was expanded to have
multiple functions, allowing someone to e.g., gain access by finding a
vulnerability in a web script, and then continue to hack on "the other
side".

My opinion is that if you continue to threaten to throw guys like Chris in
jail, the next time you'll find out about these bugs/design problems is when
a plane is crashed by a teenager who accidentally deletes the engine
calibration data or something like that.

But "allowing" hacking on live planes is troublesome too. Difficult issue.

(*) In many multiple choice tests, the correct answer is often the
longest. In case you haven't noticed: not here.

R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2600998
Delftechpark 26 2628 XH  Delft, The Netherlands. KVK: 27239233


Re: Corvette battery cable (RISKS-28.68,69)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Tue, 16 Jun 2015 11:55:17 -0500
  [I don't remember this when I saw the original article.  I only thought of
  it now.]

Some twenty or so years ago in Australia I heard a story about "back when
electric windows were new". Apparently somebody's fuse blew killing both the
air-conditioner and (closed tight of course) electric windows.  In the 40+C
heat in the middle of nowhere. So the poor guy drove 300 km to the first gas
station where the owner/mechanic told them "this is an electrical problem,
I'm not a licensed electrician, the nearest vehicle electrician is 400 km
that way".

(That's 105+ degrees and 190 & 250 miles resp. in the "standard" units.)

The more things change...

Dimitri Maziuk, BioMagResBank, UW-Madison—http://www.bmrb.wisc.edu
