The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 86

Friday 14 August 2015

Contents

Security Researchers Hack a Car and Apply the Brakes Via Text
Samuel Gibbs
Vulnerability in Automobile immobiliser transponders
Anthony Thorn
Moscow-based antivirus firm Kaspersky Lab faked malware to harm rivals, claim ex-employees
Joseph Menn
Harvard student loses Facebook internship after pointing out privacy flaws
The Boston Globe
"IBM finds another Android phone bug"
Tim Greene
Mass. pot dispensary accidentally shares patients' email addresses
Adam Vaccaro
FTC Files complaints against Sequoia One and Gen X Marketing Group for Misuse of Financial Data
Bob Gezelter
If This is Accurate, It's Unbelievably Bad: "A Traffic Analysis of Windows 10"
Local Ghost
Even when told not to, Windows 10 just can't stop talking to Microsoft
Ars Technica
Lenovo puts crapware (malware?) in the BIOS
Chris Williams via Henry Baker
Audit Shows Extent of Snail Mail Surveillance
Ron Nixon
Denmark's most devastating hacker attack?
Donald B. Wagner
Retaliation against China is the wrong reaction to OPM hack
Jeffrey Carr via Henry Baker
Info on RISKS (comp.risks)

Security Researchers Hack a Car and Apply the Brakes Via Text (Samuel Gibbs)

ACM TechNews <technews@hq.acm.org>
Fri, 14 Aug 2015 12:35:19 -0400 (EDT)
Samuel Gibbs, *The Guardian*, 12 Aug 2015

A serious weak point in vehicle security enables hackers to remotely control
a vehicle, according to researchers at the University of California, San
Diego (UCSD).  The team demonstrated the vulnerability on a Corvette by
turning on the windshield wipers, applying the brakes, or even disabl[ing]
them at low speed.  The flaw involves the small black dongles that are
connected to the onboard diagnostic ports of vehicles to enable insurance
companies and fleet operators to track them and collect data such as fuel
efficiency and miles driven.  The researchers found the dongles could be
hacked by sending them short-message-service text messages, which relay
commands to the car's internal systems.  “We acquired some of these things,
reverse-engineered them, and along the way found that they had a whole bunch
of security deficiencies,” says UCSD professor Stefan Savage.  The
researchers warn the compromised dongles enable hackers to control almost
any aspect of the car, including steering and locks, and note that any of
the thousands of cars equipped with the dongles were potentially vulnerable.
The researchers will present their work this week at the Usenix security
conference in Washington, D.C.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-df9dx2d22dx062537&


Vulnerability in Automobile immobiliser transponders

Anthony Thorn <anthony.thorn@atss.ch>
Fri, 14 Aug 2015 11:48:46 +0200
The concept of the transponder challenge and response is secure.
Unfortunately the execution is not: (briefly) massively reduced entropy in
the 96-bit key, and the use of a standard (per-manufacturer) or no
write-protection PIN in the control unit.

Two classic RISKS stories - Key entropy and "global keys".

More in increasing detail:

http://arstechnica.com/security/2015/08/researchers-reveal-electronic-car-lock-hack-after-2-year-injunction-by-volkswagen/

In German:
http://www.heise.de/newsticker/meldung/VW-Wegfahrsperre-Volkswagen-Hack-endlich-veroeffentlicht-2778632.html

https://www.usenix.org/sites/default/files/sec15_supplement.pdf

I won't go into the 2 year delay in publishing caused by an injunction...

http://www.itpro.co.uk/security/20313/curious-case-volkswagens-fight-car-hacking-scientists
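
As an added illustration of the "key entropy" point in the item above (a toy
model written for this digest entry, not Megamos Crypto, the Volkswagen
immobiliser, or code from the papers linked above): a challenge-response
protocol whose response is a keyed MAC is only as strong as the effective
entropy of the key.  The 96-bit key width is the figure quoted above; the 16
effective bits, the all-zero fixed prefix and the HMAC-SHA256 construction
are assumptions chosen so that the brute force finishes in seconds.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Toy model for this example (assumption: NOT the real transponder cipher).
# Response = HMAC-SHA256(key, challenge) truncated to 64 bits.
KEY_BITS = 96
EFFECTIVE_BITS = 16          # bits that actually vary between keys (assumed, for speed)
FIXED_PREFIX = bytes((KEY_BITS - EFFECTIVE_BITS) // 8)   # 80 fixed bits, assumed known


def make_weak_key(variable_part: int) -> bytes:
    """A 96-bit key whose only unknown bits are the low EFFECTIVE_BITS."""
    if not 0 <= variable_part < (1 << EFFECTIVE_BITS):
        raise ValueError("variable part out of range")
    return FIXED_PREFIX + variable_part.to_bytes(EFFECTIVE_BITS // 8, "big")


def respond(key: bytes, challenge: bytes) -> bytes:
    """Transponder side: answer the car's challenge with a keyed response."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:8]


def recover_key(challenge: bytes, response: bytes) -> Optional[bytes]:
    """Attacker side: from ONE sniffed (challenge, response) pair, walk the
    reduced key space until a candidate reproduces the response."""
    for candidate in range(1 << EFFECTIVE_BITS):
        key = make_weak_key(candidate)
        if hmac.compare_digest(respond(key, challenge), response):
            return key
    return None


def work_factor(effective_bits: int) -> int:
    """Number of MAC evaluations for an exhaustive search of the key space."""
    return 1 << effective_bits


def demo(variable_part: Optional[int] = None) -> bool:
    """Provision a weak key, sniff one exchange, recover the key.
    Returns True when the recovered key equals the provisioned one."""
    if variable_part is None:
        variable_part = secrets.randbelow(1 << EFFECTIVE_BITS)
    real_key = make_weak_key(variable_part)
    challenge = os.urandom(8)                  # 64-bit nonce from the car
    sniffed_response = respond(real_key, challenge)
    return recover_key(challenge, sniffed_response) == real_key


if __name__ == "__main__":
    print("weak key recovered:", demo())
    print("trials needed, weak key:", work_factor(EFFECTIVE_BITS))
    print("trials needed, full-entropy key:", work_factor(KEY_BITS))
```

With a genuinely random 96-bit key the same loop would need 2^96 trials; the
protocol has not changed, only the number of keys the attacker has to try.
The same observation applies to any transponder scheme whose key material is
partly fixed per manufacturer.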


Report: Moscow-based antivirus firm Kaspersky Lab faked malware to harm rivals, claim ex-employees (Joseph Menn)

Lauren Weinstein <lauren@vortex.com>
Fri, 14 Aug 2015 09:54:10 -0700
Joseph Menn, Reuters via NNSquad
http://www.reuters.com/article/2015/08/14/us-kaspersky-rivals-idUSKCN0QJ1CR20150814

  "Kaspersky Lab [may have] manipulated false positives off and on for more
  than 10 years, with the peak period between 2009 and 2013."

  Beginning more than a decade ago, one of the largest security companies in
  the world, Moscow-based Kaspersky Lab, tried to damage rivals in the
  marketplace by tricking their antivirus software programs into classifying
  benign files as malicious, according to two former employees.  They said
  the secret campaign targeted Microsoft Corp (MSFT.O), AVG Technologies NV
  (AVG.N), Avast Software and other rivals, fooling some of them into
  deleting or disabling important files on their customers' PCs.


Harvard student loses Facebook internship after pointing out privacy flaws (*The Boston Globe*)

Monty Solomon <monty@roscom.com>
Thu, 13 Aug 2015 12:36:22 -0400
http://www.boston.com/news/nation/2015/08/12/harvard-student-loses-facebook-internship-after-pointing-out-privacy-flaws/zASZFdUjn6PoliUiR9kVHJ/story.html


"IBM finds another Android phone bug" (Tim Greene)

Gene Wirchenko <genew@telus.net>
Thu, 13 Aug 2015 16:37:37 -0700
Tim Greene, NetworkWorld, 10 Aug 2015
Flaw means 55 percent of Android phones are vulnerable to being taken
over; a patch is available
http://www.infoworld.com/article/2968403/mobile-security/ibm-finds-another-android-phone-bug.html


Mass. pot dispensary accidentally shares patients' email addresses (Adam Vaccaro)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Thu, 13 Aug 2015 19:44:10 -0600
Adam Vaccaro, *The Boston Globe*, 13 Aug 2015

Buying medical marijuana in Massachusetts got a little less anonymous
Thursday morning, when the state's lone pot dispensary accidentally shared
some of its patients' email addresses with other patients.  State health
officials are investigating.

Salem's Alternative Therapies Group sent an email addressed "Dear Patient"
to 157 email addresses. A copy of the email obtained by Boston.com listed the
addresses in the CC line, meaning the recipients could see each other's
addresses. The dispensary had meant to send the email as a blind CC, or BCC,
which would have kept the email addresses from being seen by all.

http://www.boston.com/business/news/2015/08/13/mass-pot-dispensary-accidentally-shares-patients-email-addresses/JLel4hAbjEYMzVhPV2OW4L/story.html

[If the dispensary had sent the email from a gmail account, could they
have unsent it?]


FTC Files complaints against Sequoia One and Gen X Marketing Group for Misuse of Financial Data

"Bob Gezelter" <gezelter@rlgsc.com>
Wed, 12 Aug 2015 11:43:52 -0700
The FTC has filed complaints against Sequoia One and Gen X Marketing Group.
In a complaint filed last week, the agency said that Sequoia One provided
financial and other personal data to third parties, enabling fraudulent bank
transactions against over 500,000 payday loan customer accounts, reportedly
resulting in excess of US$ 7.1M in fraudulent transactions.  The moral is as
always: Be careful when providing bank account information and PII to third
parties.  The complete NY Times article is at:
http://bits.blogs.nytimes.com/2015/08/12/when-online-loan-applications-lead-to-unauthorized-bank-account-debits

Bob Gezelter, http://www.rlgsc.com


If This is Accurate, It's Unbelievably Bad: "A Traffic Analysis of Windows 10"

Lauren Weinstein <lauren@vortex.com>
Wed, 12 Aug 2015 15:20:26 -0700
[I really hope this is *not* accurate! - Lauren]

http://localghost.org/posts/a-traffic-analysis-of-windows-10

  All text typed on the keyboard is stored in temporary files, and sent
  (once per 30 mins) to: oca.telemetry.microsoft.com.nsatc.net
  pre.footprintpredict.com reports.wes.df.telemetry.microsoft.com There
  isn't a clear purpose for this, considering there's no
  autocorrect/prediction anywhere in the OS. The implications of this are
  significant: because this is an OS-level keylogger, all the data you're
  trying to transmit securely is now sitting on some MS server. This
  includes passwords and encrypted chats.  This also includes the on-screen
  keyboard, so there is no way to authenticate to a website without MS also
  getting your password ... Everything that is said into an enabled
  microphone is immediately transmitted to: oca.telemetry.microsoft.com
  oca.telemetry.microsoft.com.nsatc.net vortex-sandbox.data.microsoft.com
  pre.footprintpredict.com i1.services.social.microsoft.com
  i1.services.social.microsoft.com.nsatc.net telemetry.appex.bing.net
  telemetry.urs.microsoft.com cs1.wpc.v0cdn.net statsfe1.ws.microsoft.com If
  this weren't bad enough, this behaviour still occurs after Cortana is
  fully disabled/uninstalled ... [and much more - Lauren]


Even when told not to, Windows 10 just can't stop talking to Microsoft (Ars Technica)

Lauren Weinstein <lauren@vortex.com>
Wed, 12 Aug 2015 21:07:27 -0700
http://arstechnica.com/information-technology/2015/08/even-when-told-not-to-windows-10-just-cant-stop-talking-to-microsoft/

  Unfortunately for privacy advocates, these controls don't appear to be
  sufficient to completely prevent the operating system from going online
  and communicating with Microsoft's servers.  For example, even with
  Cortana and searching the Web from the Start menu disabled, opening Start
  and typing will send a request to www.bing.com to request a file called
  threshold.appcache which appears to contain some Cortana information, even
  though Cortana is disabled. The request for this file appears to contain a
  random machine ID that persists across reboots ...  Some of the traffic
  looks harmless but feels like it shouldn't be happening. For example, even
  with no Live tiles pinned to Start (and hence no obvious need to poll for
  new tile data), Windows 10 seems to download new tile info from MSN's
  network from time to time, using unencrypted HTTP to do so. While again
  the requests contain no identifying information, it's not clear why
  they're occurring at all, given that they have no corresponding tile.
  Other traffic looks a little more troublesome. Windows 10 will
  periodically send data to a Microsoft server named ssw.live.com. This
  server seems to be used for OneDrive and some other Microsoft
  services. Windows 10 seems to transmit information to the server even when
  OneDrive is disabled and log-ins are using a local account that isn't
  connected to a Microsoft Account. The exact nature of the information
  being sent isn't clear--it appears to be referencing telemetry
  settings--and again, it's not clear why any data is being sent at all.
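
The two Windows 10 items above list the host names a machine was observed
contacting.  One practical use of such a list is to watch for those lookups
on the network side.  The following is an added example for this digest, not
code from either article: it parses dnsmasq-style DNS query log lines (the
sample lines are constructed; the timestamps and client addresses are made
up, the host names are the ones reported above) and flags clients resolving
the listed hosts.  The two parent-domain suffixes are my assumption, added to
catch telemetry hosts the articles did not list.

```python
import re
from collections import Counter

# Host names taken from the localghost.org and Ars Technica write-ups above.
# www.bing.com is deliberately left out: it is also the ordinary search front
# end, so a DNS hit on it proves nothing by itself (see note below).
WATCHLIST = {
    "oca.telemetry.microsoft.com",
    "oca.telemetry.microsoft.com.nsatc.net",
    "reports.wes.df.telemetry.microsoft.com",
    "pre.footprintpredict.com",
    "vortex-sandbox.data.microsoft.com",
    "i1.services.social.microsoft.com",
    "i1.services.social.microsoft.com.nsatc.net",
    "telemetry.appex.bing.net",
    "telemetry.urs.microsoft.com",
    "cs1.wpc.v0cdn.net",
    "statsfe1.ws.microsoft.com",
    "ssw.live.com",
}
# Parent domains (my assumption, not from the articles): anything underneath
# is flagged as "suffix" even if the exact host name is new.
SUFFIXES = {"telemetry.microsoft.com", "telemetry.microsoft.com.nsatc.net"}

# Constructed dnsmasq query log for the example (addresses/times are made up).
SAMPLE_LOG = """\
Aug 12 15:20:26 gw dnsmasq[1234]: query[A] www.bing.com from 192.168.1.23
Aug 12 15:20:27 gw dnsmasq[1234]: reply www.bing.com is 204.79.197.200
Aug 12 15:21:03 gw dnsmasq[1234]: query[A] ssw.live.com from 192.168.1.23
Aug 12 15:35:41 gw dnsmasq[1234]: query[A] reports.wes.df.telemetry.microsoft.com from 192.168.1.23
Aug 12 15:50:09 gw dnsmasq[1234]: query[A] oca.telemetry.microsoft.com.nsatc.net from 192.168.1.23
Aug 12 15:51:00 gw dnsmasq[1234]: query[AAAA] example.org from 192.168.1.40
Aug 12 16:05:12 gw dnsmasq[1234]: query[A] new.telemetry.microsoft.com from 192.168.1.23
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z]+)\] (?P<host>\S+) from (?P<client>\S+)$"
)


def classify(host):
    """Return 'exact', 'suffix' or None for a queried host name."""
    host = host.lower().rstrip(".")
    if host in WATCHLIST:
        return "exact"
    for suffix in SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return "suffix"
    return None


def find_telemetry_queries(log_text):
    """Parse query lines and return those that hit the watch list."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:            # replies, cached answers, other daemons
            continue
        kind = classify(m["host"])
        if kind:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "host": m["host"].lower(), "match": kind})
    return hits


def per_client_summary(hits):
    """Count watch-list lookups per client; a client with many distinct
    telemetry hosts is a machine whose privacy settings deserve a look."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = find_telemetry_queries(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["client"]} -> {h["host"]} ({h["match"]})')
    print(dict(per_client_summary(found)))
```

The Start-menu request described by Ars Technica is better identified by the
threshold.appcache path in a proxy log than by DNS, since the host is the
normal Bing front end.  A DNS lookup also only shows that the OS intended to
contact a host, not what it sent; the articles themselves could not always
say what the payload was.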


Lenovo puts crapware—malware?—in the BIOS

Henry Baker <hbaker1@pipeline.com>
Wed, 12 Aug 2015 16:53:47 -0700
It's such a short distance between crapware in the BIOS and malware in the
BIOS; oh, and need anyone be reminded that Lenovo machines are made in
*China* ?

Now, why anyone should trust Microsoft, either, after their Windows 10
Privacy^H^H^H^H^H^H^H Spying Policy is beyond me.

"To think a manufacturer would essentially rootkit their own machines is
testament to how bad things have become."

So much for Intel's "root of trust"...

Chris Williams, *The Register*, 12 Aug 2015
CAUGHT: Lenovo crams unremovable crapware on Windows laptops by hiding
it in the BIOS; And how Microsoft made it possible
http://www.theregister.co.uk/2015/08/12/lenovo_firmware_nasty/

Analysis

Lenovo has sold laptops bundled with unremovable software that features a
bonus exploitable security vulnerability.

If the crapware is deleted, or the hard drive wiped and Windows reinstalled
from scratch, the laptop's firmware will quietly and automatically reinstall
Lenovo's software on the next boot-up.

Built into the firmware on the laptops' motherboard is a piece of code
called the Lenovo Service Engine (LSE).  If Windows is installed, LSE is
executed before the Microsoft operating system is launched.

LSE makes sure C:\Windows\system32\autochk.exe is Lenovo's variant of the
autochk.exe file; if Microsoft's official version is there, it is moved out
of the way and replaced.  The executable is run during startup, and checks
the computer's file system to make sure it's free of any corruption.

Lenovo's variant of this system file ensures LenovoUpdate.exe and
LenovoCheck.exe are present in the operating system's system32 directory,
and if not, it will copy the executables into that directory during boot up.
So if you uninstall or delete these programs, the LSE in the firmware will
bring them back during the next power-on or reboot.

LenovoCheck and LenovoUpdate are executed on startup with full administrator
access.  Automatically, and rather rudely, they connect to the internet to
download and install drivers, a system "optimizer", and whatever else Lenovo
wants on your computer.  Lenovo's software also phones home to the Chinese
giant details of the running system.

To pull this off, the LSE exploits Microsoft's Windows Platform Binary Table
(WPBT) feature.  This allows PC manufacturers and corporate IT to inject
drivers, programs and other files into the Windows operating system from the
motherboard firmware.

The WPBT is stored in the firmware, and tells Windows where in memory it can
find an executable called a platform binary to run.  Said executable should
take care of the job of installing files before the operating system starts.

"During operating system initialization, Windows will read the WPBT to
obtain the physical memory location of the platform binary," Microsoft's
documentation states.

"The binary is required to be a native, user-mode application that is
executed by the Windows Session Manager during operating system
initialization.  Windows will write the flat image to disk, and the Session
Manager will launch the process."

Crucially, the WPBT documentation stresses:

  The primary purpose of WPBT is to allow critical software to persist even
  when the operating system has changed or been reinstalled in a `clean'
  configuration ...  Because this feature provides the ability to
  persistently execute system software in the context of Windows, it becomes
  critical that WPBT-based solutions are as secure as possible and do not
  expose Windows users to exploitable conditions.

Oh dear.  Secure as possible?  Not in this case: security researcher Roel
Schouwenberg found and reported a buffer-overflow vulnerability in LSE that
could be exploited to compromise the low-level software to gain
administrator-level privileges.

When Lenovo learned of this bug, it decided its LSE was falling foul of
Microsoft's security guidelines for using the powerful WPBT feature and
pulled the whole thing: the LSE software is no longer included in new
laptops.

Lenovo has also pulled the LSE from new desktop machines, which phone home
system data but do not download and install any extra software, it appears.

A tool quietly released on 31 July will uninstall the engine if it is
present in your machine.  The full list of affected desktop and notebook
models is here, and all were shipped with Windows 7 or 8.x installed.
Think-branded PCs did not include the LSE, we're told.

http://news.lenovo.com/article_display.cfm?article_id=2013

...  [Lots more omitted.  PGN]

http://www.theregister.co.uk/2015/02/19/superfish_lenovo_spyware/

We've asked Microsoft to explain the thinking behind its WPBT feature.  The
Redmond giant was not available for immediate comment.
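
For anyone who wants to check their own firmware for a platform binary, here
is an added example (written for this digest, not Lenovo's or Microsoft's
code) that decodes a WPBT table.  The ACPI header and checksum rule are
standard; the field layout after the header is taken from Microsoft's WPBT
specification as I recall it, so verify the offsets against the spec before
relying on them.  The sample table is constructed by build_wpbt with made-up
OEM strings, address and command line.  On Windows, read_wpbt_from_firmware()
fetches the live table through kernel32's GetSystemFirmwareTable; the byte
order of its two signature arguments is the one I believe the API expects,
and if the call returns 0 on a machine known to carry a WPBT that is the
first thing to check.

```python
import ctypes
import struct
import sys
from typing import Optional

# WPBT = standard 36-byte ACPI table header followed by the platform-binary
# descriptor.  Descriptor layout per the WPBT spec as recalled (assumption):
#   UINT32 HandoffMemorySize      size of the flat PE image in firmware memory
#   UINT64 HandoffMemoryLocation  physical address Windows reads the image from
#   UINT8  ContentLayout          1 = single freestanding PE image
#   UINT8  ContentType            1 = native user-mode application (run by smss)
#   UINT16 ArgumentsLength        byte length of the UTF-16 command line
#   WCHAR  Arguments[]            command line handed to the platform binary
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")   # 36 bytes, little-endian
WPBT_BODY = struct.Struct("<IQBBH")              # 16 bytes, no padding


def acpi_checksum(table: bytes) -> int:
    """ACPI tables checksum to zero: sum of all bytes mod 256 must be 0."""
    return sum(table) & 0xFF


def parse_wpbt(table: bytes) -> dict:
    """Decode a raw WPBT table; raise ValueError on anything inconsistent."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table too short for a WPBT")
    sig, length, rev, _csum, oem_id, oem_tid, _oem_rev, _creator, _crev = \
        ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT: signature {sig!r}")
    if length != len(table):
        raise ValueError(f"header length {length} != buffer length {len(table)}")
    if acpi_checksum(table) != 0:
        raise ValueError("ACPI checksum mismatch")
    size, location, layout, ctype, args_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    args_off = ACPI_HEADER.size + WPBT_BODY.size
    if args_off + args_len > len(table):
        raise ValueError("command-line length runs past end of table")
    args = table[args_off:args_off + args_len].decode("utf-16-le").rstrip("\0")
    return {
        "oem_id": oem_id.rstrip(b"\0 ").decode("ascii", "replace"),
        "oem_table_id": oem_tid.rstrip(b"\0 ").decode("ascii", "replace"),
        "revision": rev,
        "image_size": size,
        "image_phys_addr": location,
        "layout": layout,
        "content_type": ctype,
        "command_line": args,
    }


def build_wpbt(oem_id: bytes, oem_table_id: bytes, image_size: int,
               image_addr: int, command_line: str = "") -> bytes:
    """Assemble a syntactically valid WPBT.  Used here only to make a sample;
    the OEM strings, address and command line are made up, not Lenovo's."""
    args = command_line.encode("utf-16-le") + b"\0\0" if command_line else b""
    body = WPBT_BODY.pack(image_size, image_addr, 1, 1, len(args)) + args
    length = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(b"WPBT", length, 1, 0, oem_id.ljust(6, b" "),
                              oem_table_id.ljust(8, b" "), 1, b"TEST", 1)
    table = bytearray(header + body)
    table[9] = (-sum(table)) & 0xFF          # checksum byte is header offset 9
    return bytes(table)


def read_wpbt_from_firmware() -> Optional[bytes]:
    """On Windows, fetch the live table via kernel32!GetSystemFirmwareTable.
    Returns None off Windows or when no WPBT is present (the usual case)."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.windll.kernel32
    provider = int.from_bytes(b"ACPI", "big")     # 'ACPI' = 0x41435049 per the API docs
    table_id = int.from_bytes(b"WPBT", "little")  # table signature as LE DWORD (assumed)
    size = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
    if size == 0:
        return None
    buf = ctypes.create_string_buffer(size)
    k32.GetSystemFirmwareTable(provider, table_id, buf, size)
    return buf.raw


if __name__ == "__main__":
    raw = read_wpbt_from_firmware()
    if raw is None:   # demonstrate on a constructed table instead
        raw = build_wpbt(b"SAMPLE", b"WPBTDEMO", 0x1000, 0x7FF00000, "/quiet")
    for k, v in parse_wpbt(raw).items():
        print(f"{k:16} {v:#x}" if isinstance(v, int) else f"{k:16} {v}")
```

On most machines the firmware call returns nothing, which is the answer you
want.  If a table is present, image_phys_addr and image_size say where the
flat PE image lives and command_line is what the Session Manager will hand
it; the article above describes what Lenovo's image went on to do once run.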


Audit Shows Extent of Snail Mail Surveillance

Henry Baker <hbaker1@pipeline.com>
Thu, 13 Aug 2015 17:49:57 -0700
“I think they should have to get warrants to get this information,” said
Frank Askin, a law professor.

"the ["mail cover" surveillance] program had been used by a county attorney
and sheriff in Arizona to investigate a political opponent"

http://www.nytimes.com/2015/08/14/us/copy-of-postal-service-audit-shows-extent-of-mail-surveillance.html

Copy of Postal Service Audit Shows Extent of Mail Surveillance
Ron Nixon, 13 Aug 2015

WASHINGTON—In what experts say is the first acknowledgment of how the
United States Postal Service's mail surveillance program for national
security investigations is used, the service's internal watchdog found that
inspectors failed to follow key safeguards in the gathering and handling of
classified information.

The overall program, called *mail covers*, allows postal employees working
on behalf of law enforcement agencies to record names, return addresses and
other information from the outside of letters and packages before they are
delivered to the home of a person suspected of criminal activity.

The information about national security mail covers, amid heated public
debate over the proper limits on government surveillance, was contained in
an audit conducted by the Postal Service's inspector general last year.
Although much of the information was public, sections about the national
security mail covers were heavily redacted.  An unredacted copy of the
report was provided to a security researcher in response to a Freedom of
Information Act request this year.  The researcher, who goes by a single
legal name, Sai, shared the report with The New York Times.

https://drive.google.com/file/d/0BzmetJxi-p0VOExOZGo2V1ktWHM/view?pli=1


Denmark's most devastating hacker attack?

"Donald B. Wagner" <zapkatakonk@icloud.com>
Fri, 14 Aug 2015 19:12:04 +0200
http://cphpost.dk/news/it-experts-national-police-still-at-risk-from-hackers.html

"Three years after Denmark's most devastating hacker attack, during which
the national police's IT security was breached and hackers stole millions of
confidential files over the course of several months, the IT interest
organisation IT-Politisk Forening (IT-Pol) has warned the same thing could
happen again."

More from IT-Pol:
http://itpol.dk/presentation-of-it-pol

dr.phil. Donald B. Wagner, Jernbanegade 9B, DK-3600 Frederikssund, Denmark
Tel. +45-3331 2581 http://donwagner.dk

  [Donald also noted the following, although with no indication how
  it might have applied to the above item...  PGN]

Danish Data Protection Agency
http://www.datatilsynet.dk/english/

"The Danish Data Protection Agency conducts an annual series of inspections
of public authorities and private companies that have received the agency's
authorisation to process personal data. The Danish Data Protection Agency
inspects whether the processing of data is carried out in accordance with
the Act on Processing of Personal Data."

Act on Processing of Personal Data
http://www.datatilsynet.dk/english/the-act-on-processing-of-personal-data/read-the-act-on-processing-of-personal-data/compiled-version-of-the-act-on-processing-of-personal-data/


Retaliation against China is the wrong reaction to OPM hack

Henry Baker <hbaker1@pipeline.com>
Fri, 14 Aug 2015 07:02:42 -0700
"a diplomatic or economic response [to OPM] only distracts from the US
government's most pressing problem: *bolstering security measures to foil
the next attack.*"

"[Deterrence] comes from enabling security protocols that make sensitive or
valuable data so hard to steal that the effort isn't worth the reward."

http://www.csmonitor.com/World/Passcode/Passcode-Voices/2015/0804/Opinion-Retaliation-against-China-is-the-wrong-reaction-to-OPM-hack

Jeffrey Carr, 4 Aug 2015
Opinion: Retaliation against China is the wrong reaction to OPM hack

Even if Beijing was responsible for breaches that exposed sensitive data on
millions of Americans, a diplomatic or economic response only distracts from
the US government's most pressing problem: bolstering security measures to
foil the next attack.

The Office of Personnel Management breach, the worst in US history,
is a graphic testament to the White House's ongoing inability to identify
and secure its most critical data.

In this case, it lost control of incredibly sensitive and detailed
information on federal employees.  That's a bounty worth many millions of
dollars to foreign intelligence services in a breach for which China is the
"leading suspect," according to Director of National Intelligence James
Clapper.  But even if Beijing is to blame, the way to fix the
administration's cybersecurity problem, and to prevent future data
heists that rival the OPM breach, isn't to retaliate against a foreign
government.

After all, we are living in a world in which this kind of digital espionage
is the new normal.  It's the kind of thing that the National Security Agency
wishes it could do against China.  That is, if the spy agency isn't already
doing it.

Sure, President Obama is upset about the shameful state of security in place
at OPM, and has made limited efforts to correct security problems at
government agencies in a 30-day "Cybersecurity Sprint."  But exacting some
kind of diplomatic or economic toll against China seems like a key play in
the Obama administration's plans.  According to unnamed officials quoted in
The New York Times, Obama staff members are considering a range of options
meant "to disrupt and deter what our adversaries are doing in cyberspace."

Traditional forms of deterrence in cyberspace are only partially effective
even when you're certain about the attacker's identity. And determining that
with absolute certainty is tough.  Hackers working for foreign intelligence
services are trained to hide their identities and use deception techniques
to throw off investigators.  They can mimic tools, techniques, and
procedures used by other hackers to make it look like a different group or
foreign government carried out the strike.

Still, administration officials and at least one large cybersecurity firm
with ties to the government are intent on pointing the finger at China.
There are two key reasons for this blame game: (1) In order for the US to
respond, the responsible party must be another government; (2) Under
international law, the standard of evidence for state responsibility is
solely based upon "reasonableness" versus proof beyond a reasonable doubt.
The administration hasn't publicly presented any proof that China directed
the OPM attacks.

While the US government is expert at denying, disrupting, and deterring
kinetic actions on battlefields in each of the four domains (land, air, sea,
and space), it still hasn't grasped that the digital battlefield is entirely
different.  The recent Times article about retaliating against China makes
that all too clear.

http://www.nytimes.com/2015/08/01/world/asia/us-decides-to-retaliate-against-chinas-hacking.html

Deterrence is possible.  But it doesn't come from force or trying to instill
fear.  It comes from enabling security protocols that make sensitive or
valuable data so hard to steal that the effort isn't worth the reward.
The goal of deterrence isn't to keep bad guys out of a network, it's
to make it next to impossible for them to acquire the assets that they're
targeting.  Technically, that's already possible.

So, instead of shifting the focus to China, Mr. Obama should take full
responsibility for the breach (OPM being part of the Executive Office) and
immediately start work on a fulsome solution to the government's
cybersecurity problem.  That requires more than the Cybersecurity Sprint.
It means a complete overhaul of how the government employs security measures
and uses encryption technology across all of its networks.  It means
ferreting out additional weaknesses in security and correcting them.  It
means identifying those responsible for making that breach possible and
firing them.  It means apologizing to the estimated 20 million Americans
whose personal information is forever compromised.

Without those steps, nebulous talk of retaliation against China only tells
the world the US doesn't understand the limitations of deterrence in
cyberspace.  It shows that the US remains weak and naive when it comes to
battling criminal hackers.  The way to demonstrate strength is to take
actions that show the president understands the limitations and advantages
of the cyberthreat landscape and acts accordingly.  The president and
Congress simply need the will to make it happen.

Jeffrey Carr is an internationally known author, speaker, entrepreneur, and
the founder and president of Taia Global. Follow him on Twitter
@jeffreycarr.

Editor's note: This article was updated after publication to correct James
Clapper's position. He is Director of National Intelligence.
