The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 74

Wednesday 1 July 2015

Contents

Israel's comptroller: Biometric database full of flaws
Hanan Cohen
Most Internet anonymity [VPN service] software leaks users' details
QMUL
The latest RISKS items from TechWeekEurope
Werner U
*The Washington Post* to Deploy More Secure HTTPS Across Site
Gabe Goldberg
WiFi Offloading is Skyrocketing
Werner U
The sharp elbows of driverless cars
Mark Thorson
"Sad day for developers: SCOTUS denies Google's appeal on APIs"
Simon Phipps
"Microsoft quietly pushes 17 new trusted root certificates to all Windows systems"
Woody Leonhard
"Tap your iPad to order: Restaurant automation nobody needs"
Galen Gruman
Automation dependency: Children of the Magenta
Henry Baker
The Future of Car Keys? Smartphone Apps, Maybe
NYTimes
ISIS and the Lonely Young American
NYTimes
Leap Second problem
Bob Frankston
Growing opposition to the Leap Second
oMark Thorson
California mandatory vaccination harbinger of anti-virus software?
Henry Baker
Analyses of root causes?
Martyn Thomas
Info on RISKS (comp.risks)

Israel's comptroller: Biometric database full of flaws

Hanan Cohen <hanan@info.org.il>
Sun, 28 Jun 2015 08:34:50 +0300
Report says there is not enough information to determine whether the data-
gathering system is even worthwhile. Meanwhile, Interior Minister Shalom
orders extension of the trial period of the project.
http://www.haaretz.com/news/israel/.premium-1.662605


Most Internet anonymity [VPN service] software leaks users' details

Lauren Weinstein <lauren@vortex.com>
Tue, 30 Jun 2015 07:57:36 -0700
QMUL via NNSquad
http://www.qmul.ac.uk/media/news/items/se/158459.html

  The study of fourteen popular VPN providers found that eleven of them
  leaked information about the user because of a vulnerability known as
  'IPv6 leakage'.  The leaked information ranged from the websites a user is
  accessing to the actual content of user communications, for example
  comments being posted on forums. Interactions with websites running HTTPS
  encryption, which includes financial transactions, were not leaked.  The
  leakage occurs because network operators are increasingly deploying a new
  version of the protocol used to run the Internet called IPv6. IPv6
  replaces the previous IPv4, but many VPNs only protect user's IPv4
  traffic. The researchers tested their ideas by choosing fourteen of the
  most famous VPN providers and connecting various devices to a WiFi access
  point which was designed to mimic the attacks hackers might use.


The latest RISKS items from TechWeekEurope

Werner U <werneru@gmail.com>
Sun, 28 Jun 2015 23:05:16 +0200
(btw, the need for collaboration was the main point I made in a talk at the
FIRST-conference in St.Louis in the early 90's)

 IBM Security CTO: Cloud Security Needs Collaboration
<http://www.techweekeurope.co.uk/security/ibm-security-cto-cloud-collaboration-171387>

WATCH: Cloud security needs to go beyond transparency to keep up with
global coordinated attacks, according to IBM's Martin Borrett
 Ben Sullivan <http://www.techweekeurope.co.uk/author/bsullivan>, June 26,
2015, 4:02 pm

 Third Of British Firms Targeted By Ransomware
<http://www.techweekeurope.co.uk/e-regulation/british-firms-ransomware-171347>

New study reveals alarming number of British firms have been held to ransom
by hackers
 Tom Jowitt <http://www.techweekeurope.co.uk/author/tjowitt>, June 26,
2015, 2:29 pm

 Apple iPhones Hit With Blue Screen Of Death Bug
<http://www.techweekeurope.co.uk/mobility/apple-iphones-blue-screen-death-bug-171316>

T-Mobile users in the US take to the Internet to share their anger at
mystery outage
 Michael Moore <http://www.techweekeurope.co.uk/author/mmoore>, June 26,
2015, 11:21 am

 Seven-Day Healthcare? Good Luck Without Mobile
<http://www.techweekeurope.co.uk/mobility/mobile-apps/mubaloo-mobile-healthcare-smartphones-171384>

Mubaloo's Alana Saunders tells us why the NHS needs to embrace mobile
technology in order to provide a fuller service to patients
 Michael Moore <http://www.techweekeurope.co.uk/author/mmoore>, June 26,
2015, 3:38 pm

 Apple Co-Founder Wozniak Predicts AI Will Treat Humans As Pets
<http://www.techweekeurope.co.uk/e-innovation/apple-ai-humans-pets-171372>
Steve Wozniak changes his mind about artificial intelligence and predicts
benevolent machines

 Tom Jowitt <http://www.techweekeurope.co.uk/author/tjowitt>, June 26,
2015, 2:32 pm
 Have Password Management Services Been Hacked To Death?
http://www.techweekeurope.co.uk/security/password-management-hacked-171367

The recent LastPass breach has dented users' confidence in password
management firms
 Duncan Macrae <http://www.techweekeurope.co.uk/author/dmacrae>, June 26,
2015, 12:54 pm

 Cisco Patches Default SSH Key Virtual Appliance Vulnerabilities
<http://www.techweekeurope.co.uk/security/cisco-default-ssh-key-vulnerabilities-171354>

Cisco urges firms to download fix for flaw that could allow attackers to
gain access to systems and intercept traffic
 Steve McCaskill <http://www.techweekeurope.co.uk/author/smccaskill>, June
26, 2015, 12:46 pm

 Sophos IPO Values UK Security Firm at 1-billion pounds
http://www.techweekeurope.co.uk/security/sophos-ipo-security-london-171342
 Eugene Kaspersky: Internet Of Things? More Like The Internet Of Threats
<http://www.techweekeurope.co.uk/networks/internet-of-things-security-kaspersky-171187>

Security icon sounds dire warning over the security of the Internet of
Things
 Michael Moore <http://www.techweekeurope.co.uk/author/mmoore>, June 25,
2015, 1:53 pm


*The Washington Post* to Deploy More Secure HTTPS Across Site

Gabe Goldberg <gabe@gabegold.com>
Tue, 30 Jun 2015 17:37:00 -0400
  [Now if they'd only fix site navigation and search, it would be worthwhile
  visiting...]

Washington, DC—*The Washington Post* said on Tuesday it will become the
first major news publisher to deploy HTTPS, an Internet protocol that
encrypts data exchanged between browsers and websites, across both its
desktop and mobile sites. The company said the move will give site visitors
the same level of privacy and security as when they conduct e-commerce or
online banking. "We will be able to offer our more than 50 million readers
per month the peace of mind in knowing that their privacy and reading habits
are protected when they are on our site," said CIO Shailesh Prakash. The
Post's homepage, National Security section and The Switch technology policy
blog will be the first to move to HTTPS, with the rest of the site migrating
in the coming months.
https://www.washingtonpost.com/pr/wp/2015/06/30/the-washington-post-becomes-first-major-news-publisher-to-secure-website/
<http://m1e.net/c?47971208-s6soIDZjIiqZY%40316937987-oD3BSyWKJGO8M>

Gabriel Goldberg, Computers and Publishing, Inc.       gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433


WiFi Offloading is Skyrocketing

Werner U <werneru@gmail.com>
Sun, 28 Jun 2015 16:42:52 +0200
[ smurfed from SlashDot—why in RISKS ?  do read the comments... :-]

dkatana <http://mobile.slashdot.org/%7Edkatana> wrote on 25 Jun 2015
<http://mobile.slashdot.org/story/15/06/25/2157218/wifi-offloading-is-skyrocketing>

WiFi Offloading is skyrocketing. This is the conclusion of a new report from
Juniper Research, which points out that the amount of smartphone and tablet
data traffic on WiFi networks will will increase to more than 115,000
petabytes by 2019, compared to under 30,000 petabytes this year,
representing almost a four-fold increase. Most of this data is offloaded to
consumer's WiFi by the carriers, offering the possibility to share your home
Internet connection in exchange for "free" hotspots.  [...] the growing
number of WiFi devices using unlicensed bands is seriously affecting network
efficiency. Capacity is compromised by the number of simultaneously active
devices, with transmission speeds dropping as much as 20% of the nominal
value. With the number of IoT and M2M applications using WiFi continuously
rising, that could become a serious problem soon."*


The sharp elbows of driverless cars

Mark Thorson <eee@sonic.net>
Mon, 29 Jun 2015 13:17:48 -0700
Google's driverless car cut off Delphi's driverless car in Mountain View.
No collision occurred.

http://www.theguardian.com/technology/2015/jun/26/google-delphi-two-self-driving-cars-near-miss


"Sad day for developers: SCOTUS denies Google's appeal on APIs" (Simon Phipps)

Gene Wirchenko <genew@telus.net>
Tue, 30 Jun 2015 09:24:06 -0700
Simon Phipps, InfoWorld, 29 Jun 2015
Supreme Court's decision is bad news for developers targeting the
U.S. market, who will now have to avoid any API not explicitly licensed as open
InfoWorld Tech Watch
http://www.infoworld.com/article/2941103/java/scotus-denies-google-appeal-on-apis.html

opening text:

In an unsurprising ruling today, the Supreme Court balanced a little of the
good it did last week by denying Google's appeal against Oracle in the
matter of the copyrightability of APIs. The case will now be returned to the
lower courts to hear Google's fair use defenses.

While the decision was foreshadowed by the amicus brief delivered by the
Solicitor General a month ago, it's still bad news for 21st century
developers and open communities. Denying the appeal gives corporations with
a 20th century mindset the ability to require permission from developers
seeking to innovate on top of their platforms. Instead of being able to just
assume that use—especially re-implementation—of an API is OK,
developers will now need to avoid any API that is not explicitly licensed as
open.


"Microsoft quietly pushes 17 new trusted root certificates to all Windows systems" (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Tue, 30 Jun 2015 09:27:00 -0700
Woody Leonhard, InfoWorld, 29 Jun 2015
The aging foundation of Certificate Authorities shows yet another
crack as security experts are caught unaware
http://www.infoworld.com/article/2941594/security/microsoft-quietly-pushes-17-new-trusted-root-certificates-to-all-windows-systems.html

opening text:

Microsoft is under no obligation to notify you or ask your permission before
placing a new trusted root certificate on your Windows PC.  That said, just
last year Microsoft was caught in the embarrassing position of yanking 45
bogus certificates issued under the root certificate authority of the
government of India's Controller of Certifying Authorities. Transparency in
distributing new trusted root certs is a good thing.

A certificate expert who goes by the Twitter handle @hexatomium said in an
article on GitHub over the weekend that Microsoft started pushing the new
trusted root certificates earlier this month to "all supported Windows
systems." It isn't clear how the root certs were pushed, but he does say
Microsoft "did not announce this change in any KB article or advisory."


"Tap your iPad to order: Restaurant automation nobody needs" (Galen Gruman)

Gene Wirchenko <genew@telus.net>
Tue, 30 Jun 2015 09:37:28 -0700
Galen Gruman, InfoWorld, 30 Jun 2015
Self-checkout comes to the food court, with the same mixed experience
as at any self-checkout terminal
http://www.infoworld.com/article/2940565/ipad/tap-your-ipad-to-order-restaurant-automation-nobody-needs.html

opening text:

OTG, one of those companies that manages restaurants at airports, is very
proud of its iPad deployment at Newark Liberty International Airport in New
Jersey. More than 1,000 iPad Airs are in use at restaurant tables in the
airport's food courts, letting travelers order food directly and pay on the
spot—no need to wait for a server to take your order or to process your
payment.

I had a chance to check out this deployment on a recent trip, and I'm not
sure OTG's pride is warranted. As we've seen in other automation efforts,
such as those self-checkout stands at supermarkets and home-improvement
stores, the reality is not as smooth as the promise.  And the goal remains
to remove human labor on the vendor side and have the customer pick up at
least some of that work.

Gene's Comments: 1) Look at the failure modes in the article.  This is
something that is not ready for general use.  2) Me pick up some of the
work?  This clashes with that when I go out, I typically want to be pampered
a bit.


Automation dependency: Children of the Magenta

Henry Baker <hbaker1@pipeline.com>
Sun, 28 Jun 2015 13:33:15 -0700
FYI—"Semi-autonomous" cars are here today, so it is appropriate to
revisit what can go wrong due to "automation dependency".

Roman Mars's 31-minute podcast episode from "99% Invisible" discusses
"Children of the Magenta", who are airline pilots who become such slaves to
their autopilots that they allow their normal piloting skills to
deteriorate.

The real problem with the crash of Air France 447 wasn't the fact that its
air speed sensor failed, but the inability of these "Children of the
Magenta" pilots to respond.

"What's It Doing Now": The user has no good model of what the autopilot is
trying to do, but instead of simply disconnecting it, the pilot tries to
"understand" the autopilot.  An emergency situation is no place to be
debugging your mental model of the autopilot.

The excellent video in which the phrase "Children of the Magenta" first
originated:

https://www.youtube.com/watch?v=pN41LvuSz10

1997 AA presentation about the Levels of Flight Deck Automation and how to
keep out of trouble

http://99percentinvisible.org/episode/children-of-the-magenta-automation-paradox-pt-1/

http://www.podtrac.com/pts/redirect.mp3/media.blubrry.com/99percentinvisible/cdn.99percentinvisible.org/wp-content/uploads/170-Children-of-the-Magenta-Automation-Paradox-pt.-1.mp3

Episode 170: Children of the Magenta (Automation Paradox, pt. 1)

Roman Mars, 23 Jun 2015

On the evening of 31 May 2009, 216 passengers, three pilots, and nine
flight attendants boarded an Airbus 330 in Rio de Janeiro.  This flight, Air
France 447, was headed across the Atlantic to Paris. The take-off was
unremarkable. The plane reached a cruising altitude of 35,000 feet.  The
passengers read and watched movies and slept.  Everything proceeded normally
for several hours.  Then, with no communication to the ground or air traffic
control, flight 447 suddenly disappeared.

Days later, several bodies and some pieces of the plane were found floating
in the Atlantic Ocean.  But it would be two more years before most of the
wreckage was recovered from the ocean's depths.  All 228 people on board had
died.  The cockpit voice recorder and the flight data recorders, however,
were intact, and these recordings told a story about how Flight 447 ended up
in the bottom of the Atlantic.

The story they told was was about what happened when the automated system
flying the plane suddenly shut off, and the pilots were left surprised,
confused, and ultimately unable to fly their own plane.

  [Long item—just part one of two—truncated for RISKS.  PGN]


The Future of Car Keys? Smartphone Apps, Maybe

Monty Solomon <monty@roscom.com>
Fri, 26 Jun 2015 23:19:23 -0400
http://www.nytimes.com/2015/06/26/automobiles/wheels/the-future-of-car-keys-smartphone-apps-maybe.html

Apps are increasingly performing the functions of keys, but experts say
there are still kinks to be worked out before, and if, physical keys become
extinct.


ISIS and the Lonely Young American

Monty Solomon <monty@roscom.com>
Sun, 28 Jun 2015 13:32:53 -0400
http://www.nytimes.com/2015/06/28/world/americas/isis-online-recruiting-american.html

For months, Alex had been growing closer to a new group of friends online --
the kindest she had ever had—who were teaching her what it meant to be a
Muslim.


Leap second problem

"Bob Frankston" <bob19-0501@bobf.frankston.com>
30 Jun 2015 16:51:23 -0400
Rather than write something long, I'll point out that he function

   new timeSpan(2 Minutes).Seconds

cannot be implemented—yet is in many libraries. Cannot, as in cannot by
definition.

There is no reason to break that function just because there are
applications which need a more precise calculation relative to the rotation
of the earth. Any programmer should know how to maintain a separate
correction factor for those applications.

So why break a fundamental function like a time span calculation for the
rare applications that need the extra precision?

Yes, I know that in 10,000 years it may matter but I have faith in our
ability to program around it by then - most likely by an approach like time
zones in which we simply create a standard correction factor for alarm
clocks.

http://Frankston.com


Growing opposition to the Leap Second

Mark Thorson <eee@sonic.net>
Mon, 29 Jun 2015 16:51:37 -0700
More calls to abolish the Leap Second because it's alleged to cause problems
for computers.

http://the-japan-news.com/news/article/0002230145

I'm reminded of all those planes that fell out of the sky
when the date rolled over from 1999 to 2000. [!]


California mandatory vaccination harbinger of anti-virus software?

Henry Baker <hbaker1@pipeline.com>
Mon, 29 Jun 2015 18:21:29 -0700
FYI—Whatever you may think of anti-vaxxers, the exact same arguments will
be made to *require* "anti-virus" programs on your computers in order to
connect to the Internet.  Of course, since we know that
NSA/GCHQ/*insert-your-favorite-spy-or-cybercriminal-name-here* put a very
high priority on hacking anti-virus programs, these "vaccination" laws will
-- in effect—*require* the installation of a *back door* onto your
computer.  GAME OVER!

http://www.theguardian.com/us-news/2015/jun/29/california-vaccine-bill-jerry-brown

California mandatory vaccination bill heads to governor's desk

Jerry Brown has not said if he will sign measure which would ban `personal
belief' exemptions for vaccinating schoolchildren in wake of measles
outbreak

Rory Carroll,  29 June 2015

The California legislature has passed a bill mandating vaccinations for
children in public schools, moving the spotlight to Governor Jerry Brown,
who must now decide whether to sign into law one of the strictest
vaccination regimes in the United States.

The senate in Sacramento passed a final vote on Monday to ban exemptions
from state immunization laws based on religious or other personal beliefs, a
contentious measure taken months after a measles outbreak at Disneyland
infected more than 150 people in the US and Mexico.

The law would require nearly all public schoolchildren to be vaccinated
against diseases including measles and whooping cough, with exemptions only
for children with serious health issues. Other unvaccinated children would
need to be homeschooled.


Analyses of root causes

Martyn Thomas <martyn@thomas-associates.co.uk>
Sat, 27 Jun 2015 11:02:37 +0100
Can anyone give me a link to any published analyses that identify the most
common underlying errors in software (or systems) engineering that have led
to exploitable security vulnerabilities or to safety-related failures?

  [Martyn, Try the NIST National Vulnerability Database, with CVE
  Vulnerabilities and lots more.  PGN]

Please report problems with the web pages to the maintainer

Top