The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 95

Thursday 24 September 2015

Contents

Crooked software: VW Is Said to Cheat on Diesel Emissions; U.S. to Order Big Recall
NYTimes
Ethics in Engineering: Volkswagen's Diesel Fiasco
Hackaday via LW
OPM says 5.6 million fingerprints stolen in cyberattack, five times as many as previously thought
Hackaday
Sensors You Can Swallow Could Be Made of Nutrients and Powered by Stomach Acid
Neil Savage
Trojan targets online poker sites, peeks at players' cards
Ars Technica
India Draft Encryption Policy Doc lays out horrendous requirements
Deity
Oops! Error by Systema Software exposes millions of records with insurance claims data and internal notes
Data Breaches
Researchers say South Korea-backed child monitoring app was wide open to hackers
AP
D-Link Oops
Help Net
AVG privacy -not- policy
Softpedia
"Sloppy dev practices allowed malware into Apple App Store"
Fahmida Y. Rashid
Apple Confirms Discovery of Malicious Code in Some App Store Products
NYTimes
Skype Service Problems for Some Users Worldwide
NYTimes
Syndry risky thoughts caused by weekend's SLASHDOT articles
Werner U
Symantec employees fired for issuing rogue HTTPS certificate for Google
Ars Technica
iPhone 6s's Hands-Free Siri Is an Omen of the Future
NYTimes
As Head-Up Displays Become Common, Distraction Becomes an Issue
NYTimes
France tells Google to remove search results globally, or face big fines
Ars Technica
Yes, the FCC might ban your operating system
PRPL
Re: One Symptom in New Medical Codes: Doctor Anxiety
William Ehrich
Re: Researcher Hacks Self-driving Car Sensors
Martin Ward
LW
Re: "The Web's 10 most dangerous neighborhoods"
John Levine
Re: Why We Positively, Absolutely, Can't Trust the Government with Encryption
William Ehrich
Re: Unwanted data transmissions by Windows 10
Carl Byington
Re: How to make the Internet worse for everyone except the slimeballs
Dan Jacobson
Lauren Weinstein
Re: Vehicles with keyless ignition systems...
Dan Jacobson
Info on RISKS (comp.risks)

Crooked software: VW Is Said to Cheat on Diesel Emissions; U.S. to Order Big Recall (Coral Davenport)

Lauren Weinstein <lauren@vortex.com>
Sun, 20 Sep 2015 12:11:49 -0700
Coral Davenport, *The New York Times*, 18 Sep 2015
http://www.nytimes.com/2015/09/19/business/volkswagen-is-ordered-to-recall-nearly-500000-vehicles-over-emissions-software.html

  The Obama administration on Friday directed Volkswagen to recall nearly a
  half-million cars, saying the automaker illegally installed software in
  its diesel-power cars to evade standards for reducing smog.  The
  Environmental Protection Agency accused the German automaker of using
  software to detect when the car is undergoing its periodic state emissions
  testing.  Only during such tests are the cars' full emissions control
  systems turned on. During normal driving situations, the controls are
  turned off, allowing the cars to spew as much as 40 times as much
  pollution as allowed under the Clean Air Act, the E.P.A. said.

  `The Environmental Protection Agency issued the company a notice of
  violation and accused the company of breaking the law by installing
  software known as a `defeat device' in 4-cylinder Volkswagen and Audi
  vehicles from model years 2009-15.  The device is programmed to detect
  when the car is undergoing official emissions testing, and to only turn on
  full emissions control systems during that testing.  Those controls are
  turned off during normal driving situations, when the vehicles pollute far
  more heavily than reported by the manufacturer, the E.P.A. said.

  “Using a defeat device in cars to evade clean air standards is illegal
  and a threat to public health,'' said Cynthia Giles, the E.P.A.'s
  assistant administrator for the Office of Enforcement and Compliance.
  “Working closely with the California Air Resources Board, E.P.A. is
  committed to making sure that all automakers play by the same rules.
  E.P.A. will continue to investigate these very serious violations.''

  The software was designed to conceal the cars' emissions of the pollutant
  nitrogen oxide, which contributes to the creation of ozone and smog. The
  pollutants are linked to a range of health problems, including asthma
  attacks and other respiratory diseases.

It will be interesting to see if VW can negotiate the fines for this
massive fraud down to something less than staggering.

  [Henry Baker noted that the affected diesel models include:
   * Jetta (Model Years 2009  2015)
   * Beetle (Model Years 2009  2015)
   * Audi A3 (Model Years 2009  2015)
   * Golf (Model Years 2009  2015)
   * Passat (Model Years 2014-2015)]

  [See also
https://www.washingtonpost.com/news/the-switch/wp/2015/09/23/opm-now-says-more-than-five-million-fingerprints-compromised-in-breaches/

  [We've noted in RISKS previously that this kind of shenanigan could easily
  be used in voting machines (especially proprietary ones), which when run
  in test mode do everything correctly, but when run in live elections might
  surreptitiously do whatever else they might have been programmed to do.
  PGN]


Ethics in Engineering: Volkswagen's Diesel Fiasco (Hackaday)

"People For Internet Responsibility <pfir@pfir.org>
Wed, 23 Sep 2015 10:41:16 -0700
http://hackaday.com/2015/09/23/ethics-in-engineering-volkswagens-diesel-fiasco/

  Like the Space Shuttle Challenger disaster, like the Johnstown flood, and
  like that one scene at the beginning of Fight Club, this will be one for
  the engineering ethics text books. If this does turn into a criminal
  investigation - and chances of that are good - we will eventually learn
  how this complete abdication of law and social responsibility came to be.
  Until then, we're left to guess how one of the biggest blunders of
  automotive history came to be, and where Volkswagen and the diesel car
  will be in the years to come.

I have for many years publicly asserted that ethics are a *fundamental*
aspect of engineering—including software engineering. I have
frequently faced arguments from persons claiming that I'm wrong—that
engineers should just write the code as they're told to do, and that
their role is not to independently apply any ethical considerations
whatsoever. I cannot even really begin to explain how strongly I
disagree with that view, or how devastating to consumer and user trust
that view can be.   [Lauren Weinstein]


OPM says 5.6 million fingerprints stolen in cyberattack, five times as many as previously thought (Hackaday via LW)

PRIVACY Forum mailing list <privacy@vortex.com>
Wed, 23 Sep 2015 10:29:35 -0700
  One of the scariest parts of the massive cybersecurity breaches at the
  Office of Personnel Management just got worse: The agency now says 5.6
  million people's fingerprints were stolen as part of the hacks.  That's
  more than five times the 1.1 million government officials estimated when
  the cyberattacks were initially disclosed over the summer. However, OPM
  said Wednesday the total number of those believed to be caught up in the
  breaches, which included the theft of the Social Security numbers and
  addresses of more than 21 million former and current government employees,
  remains the same.

  [CNBC: “We recently learned that as far back as 2007, the Inspector
  General was warning that OPM was vulnerable to a breach, but nothing was
  done to prevent it. ... US Gov blames China for breach, ignoring
  implications of their own front door back door mentality.'']

And this is the same government that wants access to our encryption keys.
But don't worry! Simply change your passwords and fingerprints and you'll be
just fine.  Yeah.  LW


Sensors You Can Swallow Could Be Made of Nutrients and Powered by Stomach Acid (Neil Savage)

"ACM TechNews" <technews@hq.acm.org>
Wed, 23 Sep 2015 11:59:39 -0400 (EDT)
Neil Savage, IEEE Spectrum, 21 Sept 2015, via ACM TechNews, 23 Sep 2015

Carnegie Mellon University (CMU) researchers are working on designs for an
ingestible sensor that would combine silicon circuitry and nutrients and
could be powered by stomach acid.  One of the major hurdles when designing
ingestible sensors is convincing regulators they would be safe.  The
approach of Christopher Bettinger's team at CMU is to use organic and
biodegradable materials that are already considered safe to ingest.  They
envision silicon logic circuits encapsulated in a biodegradable hydrogel,
which would enable it to squeeze through tight openings.  The antennas and
electronics would be made of small amounts of digestible minerals such as
manganese, magnesium, and copper.  In addition, the silicon Bettinger's team
proposes using to power the logic circuits of their ingestible sensors can
be converted by the body into silicic acid.  The sensor would be powered by
a battery with a cathode made of melanin and an anode made of manganese
oxide.  When the battery reaches the stomach, acidic gastric juices would
act as an electrolyte and transport current.  During testing, the design has
been able to provide 5 milliwatts of power for up to 20 hours.  The
researchers say ingestible sensors could be used to study the microbiome,
look for infections, and monitor medication uptake.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-e1e8x2d43fx063701&

  [Fascinating possibilities here. Remotely reprogrammable? remotely
  surveillable? what about integrity risks?  privacy risks?  and what could
  happen maliciously, accidentally, or even *in-jestibly*?  stupid
  gas-tric(k)s? PGN]


Trojan targets online poker sites, peeks at players' cards (Ars)

Lauren Weinstein <lauren@vortex.com>
Fri, 18 Sep 2015 09:08:48 -0700
Ars Technica via NNSquad
http://arstechnica.com/security/2015/09/trojan-targets-online-poker-sites-peeks-at-players-cards/

  Anybody who has ever played poker, online or offline, always suspects that
  they might be the victim of cheating when the cards aren't going their
  way.  Now there's evidence to suspect that the hunch is real when it comes
  to two of the world's most popular online gambling portals.  "Several
  hundred" gamblers on the Pokerstars and Full Tilt Poker platforms have
  been hit with a cheating trojan, according to ESET security researcher
  Robert Lipovsky.

But don't worry boys and girls, Internet voting would be perfectly safe!
Nothing can go wrong! No th ing ca n g o wr


India Draft Encryption Policy Doc lays out horrendous requirements

Lauren Weinstein <lauren@vortex.com>
Sun, 20 Sep 2015 21:00:58 -0700
http://deity.gov.in/sites/upload_files/dit/files/draft%20Encryption%20Policyv1.pdf

  Users / Organizations within B group (i.e. B2B Sector) may use Encryption
  for storage and communication. Encryption algorithms and key sizes shall
  be prescribed by the Government through Notifications from time to
  time. On demand, the user shall be able to reproduce the same Plain text
  and encrypted text pairs using the software / hardware used to produce the
  encrypted text from the given plain text. Such plain text information
  shall be stored by the user/organisation/agency for 90 days from the date
  of transaction and made available to Law Enforcement Agencies as and when
  demanded in line with the provisions of the laws of the country.


Oops! Error by Systema Software exposes millions of records with insurance claims data and internal notes

Lauren Weinstein <lauren@vortex.com>
Sat, 19 Sep 2015 20:45:05 -0700
Data Breaches via NNSquad
http://www.databreaches.net/oops-error-by-systema-software-exposes-millions-of-records-with-insurance-claims-data-and-internal-notes/

According to a source who contacted DataBreaches.net, as part of research on
data leaks, the self-described "technology enthusiast" ("TE") downloaded
some random data from a publicly available subdomain on Amazon Web Services
(AWS).  Inspection of the files revealed many GB of SQL database backups
with "names, social security numbers, addresses, dates of birth, phone
numbers, as well as various financial and medical injury data."  TE informs
DataBreaches.net that after discovering the treasure trove of personal
information on or about August 30, he immediately began to notify the proper
agencies and authorities.  DataBreaches.net withheld publication until now
to give TE time to notify more entities and to give the software firm time
to notify its affected clients.


Researchers say South Korea-backed child monitoring app was wide open to hackers (AP)

Lauren Weinstein <lauren@vortex.com>
Sun, 20 Sep 2015 19:51:55 -0700
(AP): http://www.usnews.com/news/business/articles/2015/09/20/apnewsbreak-south-korea-backed-app-puts-children-at-risk

  Security researchers say they found critical weaknesses in a South Korean
  government-mandated child surveillance app—vulnerabilities that left
  the private lives of the country's youngest citizens open to hackers.  In
  separate reports released Sunday, Internet watchdog group Citizen Lab and
  German software auditing company Cure53 said they found a catalogue of
  worrying problems with "Smart Sheriff," the most popular of more than a
  dozen child monitoring programs South Korea requires for new smartphones
  sold to minors.

With "friends" like the S. Korea government, who needs enemies?


D-Link Oops (Help Net)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Sat, 19 Sep 2015 13:13:10 -0500
Software aps get updated by downloading patches, to the software on the
computer.

Hardware aps get updated by downloading firmware into the hardware.

Both have their risks of vendor oops, and vendor policies.

D-Link inadvertently provided purchasers with tools to aid malware
developers.

http://www.net-security.org/secworld.php?id=18869


AVG privacy -not- policy (Softpedia)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Sat, 19 Sep 2015 12:45:31 -0500
AVG privacy (not) policy lists data it collects from users, to sell to
advertisers, to fund its fee service. This policy will be implemented
starting October 15. AVG has published a blog post
<http://now.avg.com/understanding-the-new-privacy-policy/>  explaining the
decision to go this route, along with the full privacy policy's content
<http://www.avg.com/gb-en/privacy-new> , so users can read it and decide if
they want to use its services, switch to the paid AVG version,, or to an AVG
competitor.  They claim that the info to be shared will be non-personal,
such as web search history, what aps are on our computers, not personal id
like name e-mail address, info which is used for id theft.

http://news.softpedia.com/news/avg-proudly-announces-it-will-sell-your-browsing-history-to-online-advertisers-492146.shtml


"Sloppy dev practices allowed malware into Apple App Store" (Fahmida Y. Rashid)

Gene Wirchenko <genew@telus.net>
Mon, 21 Sep 2015 14:37:23 -0700
Fahmida Y. Rashid, InfoWorld, 21 Sep 2015
The XcodeGhost malware on iOS and OS X provides an object lesson for
developers: Never rely on unofficial versions or alternative repositories
for your tools

Instead of trying to sneak a malicious iOS app past Apple's verification
process onto the App Store, malware writers went after developers looking
for shortcuts.  [...]

http://www.infoworld.com/article/2985129/security/sloppy-dev-practices-allowed-malware-into-apple-app-store.html


Apple Confirms Discovery of Malicious Code in Some App Store Products

Monty Solomon <monty@roscom.com>
Tue, 22 Sep 2015 18:24:41 -0400
http://www.nytimes.com/2015/09/21/business/apple-confirms-discovery-of-malicious-code-in-some-app-store-products.html

Security researchers said hackers took advantage of the fact that many
Chinese developers use copies of code that are held on Chinese servers,
resulting in a malicious version of Xcode.


Skype Service Problems for Some Users Worldwide

Monty Solomon <monty@roscom.com>
Tue, 22 Sep 2015 18:23:39 -0400
http://www.nytimes.com/2015/09/22/technology/skype-service-disrupted-for-some-users-worldwide.html

Microsoft's Internet calling unit did not specify how many of its roughly
300 million global users were affected.


Sundry risky thoughts caused by weekend's SLASHDOT articles

Werner U <werneru@gmail.com>
Mon, 21 Sep 2015 12:59:13 +0200
Delete, Dump and Destroy: Canada's Government Data Severely Compromised
<http://yro.slashdot.org/story/15/09/20/1658223/delete-dump-and-destroy-canadas-government-data-severely-compromised?sdsrc=prev>

Image Doctoring Is Tough To Spot, Even When We're Looking For It
<http://science.slashdot.org/story/15/09/20/0436230/image-doctoring-is-tough-to-spot-even-when-were-looking-for-it?sdsrc=next>

Private Medical Data of Over 1.5 Million People Exposed Through Amazon
<http://yro.slashdot.org/story/15/09/20/0144248/private-medical-data-of-over-15-million-people-exposed-through-amazon?sdsrc=next>

Symantec Subsidiary Thawte Issues Rogue Google Certificates
<http://tech.slashdot.org/story/15/09/19/2313220/symantec-subsidiary-thawte-issues-rogue-google-certificates?sdsrc=next>


Symantec employees fired for issuing rogue HTTPS certificate for Google

Lauren Weinstein <lauren@vortex.com>
Mon, 21 Sep 2015 12:39:13 -0700
http://arstechnica.com/security/2015/09/symantec-employees-fired-for-issuing-rogue-https-certificate-for-google/

  Unauthorized credential was trusted by all browsers, but Google never
  authorized it.


iPhone 6s's Hands-Free Siri Is an Omen of the Future

Monty Solomon <monty@roscom.com>
Tue, 22 Sep 2015 17:47:24 -0400
http://www.nytimes.com/2015/09/24/technology/personaltech/iphone-6s-hands-free-siri-is-an-omen-of-the-future.html

Voice recognition and artificial intelligence have improved so fast that we
are nearing `ambient computing' or robotic assistants that are always on
hand.


As Head-Up Displays Become Common, Distraction Becomes an Issue

Monty Solomon <monty@roscom.com>
Mon, 21 Sep 2015 08:15:04 -0400
http://www.nytimes.com/2015/09/11/automobiles/as-head-up-displays-become-common-distraction-becomes-an-issue.html

The technology, which shows data like a vehicle's speed in front of the
driver, is moving beyond performance cars and appearing in more models.


France tells Google to remove search results globally, or face big fines (Ars Technica)

Lauren Weinstein <lauren@vortex.com>
Mon, 21 Sep 2015 09:25:26 -0700
http://arstechnica.com/tech-policy/2015/09/france-confirms-that-google-must-remove-search-results-globally-or-face-big-fines/

  Google's informal appeal against a French order to apply the so-called
  "right to be forgotten" to all of its global Internet services and
  domains, not just those in Europe, has been rejected. The president of the
  Commission Nationale de l'Informatique et des Libert?s (CNIL), France's
  data protection authority, gave a number of reasons for the rejection,
  including the fact that European orders to de-list information from search
  results could be easily circumvented if links were still available on
  Google's other domains.

If Google complies with this order, they'll have set the stage for every
country around the world to demand the right to globally censor literally
anything that their governments find *inconvenient* in Google search
results. Not just EU and other Western countries, but Putin's USSR^h^h^h^h
Russia, China, and other repressive regimes. Politicians will rush to
sanitize their search results. Religious entities will want to remove
contradictory references. There will be no end to it. It will be a stampede
to a lowest common denominator of useless pablum. I've been warning of this
for years but now we're at the literal cusp of a global information
censorship disaster. *This must stop now.*


Yes, the FCC might ban your operating system

Lauren Weinstein <lauren@vortex.com>
Mon, 21 Sep 2015 14:09:13 -0700
http://prpl.works/2015/09/21/yes-the-fcc-might-ban-your-operating-system/

  Over the last few weeks a discussion has flourished over the FCC's
  Notification of Proposed Rule Making (NPRM) on modular transmitters and
  electronic labels for wireless devices. Some folks have felt that the
  phrasing has been too Chicken-Little-like and that the FCC's proposal
  doesn't affect the ability to install free, libre or open source operating
  system. The FCC in fact says their proposal has no effect on open source
  operating systems or open source in general. The FCC is undoubtedly wrong.


Re: One Symptom in New Medical Codes: Doctor Anxiety

William Ehrich <ehr844@gmail.com>
Tue, 22 Sep 2015 16:02:06 -0500
Numerical codes for various things were useful on 80 byte punched cards, but
horribly mistake-prone. Memory and processing power have improved a lot
since then, so there is space for plain human readable English. I'm reminded
of this whenever I can't remember the post office's two character
abbreviation for the state in an address.


Re: Researcher Hacks Self-driving Car Sensors

Martin Ward <martin@gkc.org.uk>
Wed, 23 Sep 2015 19:34:16 +0100
> Using such a system, attackers could trick a self-driving car into
> thinking something is directly ahead of it, thus forcing it to slow down.

On the other hand, a human-driven car can be forced to stop using a simple
laser pointer costing a few dollars.

Caltrops can work equally effectively against both types of vehicle.

Lauren Weinstein responded:
> All you need to do to stop a robo car is stand in front of it (and have
> your friend stand behind).

Agreed. So why is it a story that a self-driving car can be "tricked" into
stopping using a setup costing $60?


Re: Researcher Hacks Self-driving Car Sensors (Ward)

Lauren Weinstein <lauren@vortex.com>
Wed, 23 Sep 2015 11:58:32 -0700
All you need to do to stop a robo car is stand in front of it (and have your
friend stand behind). Or just drop an obstruction in front and rear. Wear
Nixon masks if you're worried about cameras. The robo car is dead in the
water. A human-driven car has a driver who can get out and deal with it. The
robo car (without a cooperative passenger to take the initiative)
... doesn't.


Re: "The Web's 10 most dangerous neighborhoods" (Maria Korolov)

"John Levine" <johnl@iecc.com>
21 Sep 2015 18:24:57 -0000
Something is pretty bogus with this article.  They claim the dirtiest TLD is
.ZIP, but the domain isn't active yet.  Its DNS currently has a temporary
wildcard with an A record of 127.0.53.53 to try to help flush out any old
private usages of the name.


Re: Why We Positively, Absolutely, Can't Trust the Government with Encryption

William Ehrich <ehr844@gmail.com>
Tue, 22 Sep 2015 16:02:22 -0500
Why "the government"? They, especially ours, are the least of the problem.
Whole armies of hackers will compete in the game of finding and exploiting
any backdoor.


Re: Unwanted data transmissions by Windows 10 (Durusau, RISKS-28.93)

Carl Byington <carl@five-ten-sg.com>
Mon, 21 Sep 2015 14:15:05 -0700
One mechanism to prevent some forms of malware involves convincing your
local DNS server that certain names don't exist.

http://www.circleid.com/posts/20100728_taking_back_the_dns/

Modern versions of Bind use rpz (response policy zones) to specify names
that by local policy should be treated specially. The following two lines
could be added to your local rpz zone.

vortex-win.data.microsoft.com   CNAME   .
settings-win.data.microsoft.com CNAME   .

That prevents any machines in your environment from finding the ip addresses
for those names. Of course Microsoft could escalate (like all good virus
writers) and hardcode some starting ip addresses, use fast flux dns servers,
use a random domain name generator to produce domain names to contact for
the telemetry data, etc. But the use of any of those techniques would then
make it even more obvious that Microsoft intends to use your computer,
electricity, and bandwidth for their own purposes, even if that usage
conflicts with your usage.


Re: How to make the Internet worse for everyone except the slimeballs (Weinstein, RISKS-28.95)

Dan Jacobson <jidanni@jidanni.org>
Tue, 22 Sep 2015 07:52:11 +0800
How about a mode where the adblocker still requests the ads from the
network, but just doesn't show them to the user? Bandwidth savings are gone,
but who cares as I have plenty. And the ad companies will just have to work
harder to detect who is really seeing their ads or not.


Re: How to make the Internet worse for everyone except the slimeballs (Jacobson, RISKS-28.96)

Lauren Weinstein <lauren@vortex.com>
Tue, 22 Sep 2015 17:44:36 -0700
Given that the ad blocking proponents keep complaining about "bandwidth"
and "tracking", I have a feeling this wouldn't quiet them.


Re: Vehicles with keyless ignition systems... (RISKS-28.93)

Dan Jacobson <jidanni@jidanni.org>
Tue, 22 Sep 2015 08:12:03 +0800
> or, worse, when a passenger unintentionally has one card read at the
> starting station and a different one read at the final station.

Yup, in which case both cards now are in the "I am now riding in the
vehicle" state...

Please report problems with the web pages to the maintainer

Top