The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 01

Saturday 3 October 2015

Contents

NSA's Trojan Horse Scored Gold at Athens Olympics
Henry Baker
Xerox "more secure" Supply Chain
Gizmodo via AlMac
Newly found TrueCrypt flaw allows full system compromise
PGN
Google's Cute Cars And The Ugly End Of Driving
Lauren Weinstein
Nerves rattled by highly suspicious Windows Update
Ars
France pushes for global surveillance
EFF
Michael Chertoff on encryption, etc.
HuffPost
Experian hack exposes 15 million people's personal information
The Guardian and Ars Technica
Gigabytes of user data from hack of Patreon donations site dumped online
Dan Goodin
A billion Android phones are vulnerable to new Stagefright bugs
Dan Goodin
Drop-dead simple exploit completely bypasses Mac's malware Gatekeeper
Dan Goodin
UN proposes massive Internet censorship
WashPo
Open Office on Ubuntu
SMB via PGN
Re: EPA v VW cheatware, AI & "machine learning"
Paul Fenimore
Re: VW Scandal
Pete Kaiser
Adblock sells out—refuses to identify the buyer
NextWeb
The ad-block-alypse has arrived: a mobile carrier has for the first time begun blocking *all* ads on its customers' phones
Monty Solomon
Re: Ad-blocking
John Levine
Info on RISKS (comp.risks)

NSA's Trojan Horse Scored Gold at Athens Olympics

Henry Baker <hbaker1@pipeline.com>
Wed, 30 Sep 2015 10:13:42 -0700
The NSA—with the secret approval of the Greek govt—installed a malware
implant that utilized existing 'lawful intercept' capabilities of the
Ericsson system to spy during the Athens Olympics.  But since the 'lawful
intercept' capabilities of the Ericsson system had never been legally
approved or paid for, the logging function of the 'lawful intercept' system
was never turned on.

However, post-Olympics, the implants were not only not removed, but upgraded
to subsequently spy on the top officials of the Greek govt.  The
Ericsson telephone system in Greece became a *roach motel*—the NSA
implants checked in, but they never checked out.

We now know why FBI Director Comey loves 'lawful intercept' capabilities of
phone systems so much; they supply a substantial attack surface that's easy
to subvert!

Incredible irony: in the ancient Greek world, the "Olympic Truce" protected the Games from war-like behavior:

https://en.wikipedia.org/wiki/Olympic_Truce

'During the Truce period (lasting up to three months), wars were suspended,
armies were prohibited from threatening the Games, legal disputes were
stopped, and death penalties were forbidden'

'2004 Athens Summer Games: The Olympic Truce was promoted through Olympic
Flame Relay [NSA's "Olympic Frame Relay" !?!] events.  The UN supported the
IOC in asking the nations of the world to stop all wars for 16 days during
the Games.'

Some quotes from this too-long article:

"The world will be watching and so will NSA!"

"The key to the operation was hijacking a particular piece of software, the
'lawful intercept' program."

"Exploiting the weaknesses associated with lawful intercept programs was a common trick for NSA."

"But without the IMS [logging] program there would be no audit trail."

"But less than a week later, long after the Olympic Torch had been
extinguished, new malware was implanted."

"They [NSA] said when the Olympics is over, we'll turn [the interception
capability] off and take it away.  And after the Olympics they turned it off
but they didn't take it away and they turned it back on and the Greeks
discovered it."

"They never [remove the malware implants].  Once you have access, you have
access.  You have the opportunity to put implants in, that's an
opportunity."

"From the very start, according to a former senior Greek official involved
in the investigation, there was no doubt within the highest levels of
government that the U.S. was behind the bugging."

Snowden docs pertinent to the Athens Olympic Trojan Horse:
https://cryptome.org/2015/09/nsa-rogue-olympics.zip

James Bamford, A Death in Athens: Did a Rogue NSA Operation Cause the Death
of a Greek Telecom Employee?, 29 Sep 2015
https://theintercept.com/2015/09/28/death-athens-rogue-nsa-operation/

Documents published with James Bamford's item:

  Another Successful Olympics Story
  Exploiting Foreign Lawful Intercept Roundtable
  Gold Medal Support for Olympic Games
  NSA Team Selected for Olympics Support
  SID Trains for Athens Olympics


Xerox "more secure" Supply Chain (Gizmodo)

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Tue, 29 Sep 2015 18:49:23 -0500
Some new technology comes out, which we are told is so much more secure than
the prior alternatives, as to be fool proof, until history repeats with the
new stuff.  But we were also told something similar when the older
technology first came out.

We are now told that the following are no good:

  - Bar codes;
  - Holograms;
  - RFID chips.

I do not see what, conceptually, the new Xerox printed memory is doing
which could not be done with RFID chips, other than maybe expense.  I wonder
how printers to generate such labels compare in cost to other alternatives.
In my former day job, we had a supply chain tracking label system which
added $ 0.001 to unit product cost, but some supply chain participants opted
out of even that, because lowest possible cost was more important to them
than supply chain tracking, counterfeit and defect avoidance, or inventory
accuracy.

Thin flexible memory chips are printed on a product label.  This memory is
re-writable via a Wi-Fi reader in a smart phone or other handheld device,
with or without Internet connection.  Encryption theoretically limits access
to the many thousands of business enterprises authorized to be in the supply
chain, many of which have probably been hacked.  We are not told about any
back door which NSA may have requested.

In theory, supply chain tracking tech wants to help businesses keep track
of their inventory, maximize quality at minimum cost, back-trace defects to
responsible parties, and not fall prey to actions of crooks and other
parties interested in:

  - Selling counterfeits (last year Uncle Sam confiscated $ 1.2 billion in
    counterfeit goods);

  - Manipulating prices (when store checkout uses the price inside this tech,
    some people buy it almost for free);

  - Shoplifting (consumer walks out the door with merchandise the
    checkout person has not yet deactivated);

  - Finding new hacker pathways;

  - Delivering malware;

  - Violating privacy.

Each upgrade needs to consider security against all risks, and consider all
needs.

Otherwise upgrading, for one purpose, can invite vulnerabilities in other
areas.

http://gizmodo.com/xeroxs-printable-memory-labels-can-store-data-to-combat-1731011329
http://www.pddnet.com/news/2015/09/xerox-introduces-counterfeit-opposing-printed-electronic-labels
http://www.thinfilm.no/news/xerox-uses-thinfilm-memory-to-fight-counterfeiting/

This may be old news, but I just found out about it.


Newly found TrueCrypt flaw allows full system compromise

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 30 Sep 2015 0:54:04 PDT
IT World is reporting this!  Recall that Truecrypt was WITHDRAWN by its
developer(s), perhaps a year ago, under circumstances that were never quite
clear.

http://www.itworld.com/article/2987438/newly-found-truecrypt-flaw-allows-full-system-compromise.html


Google's Cute Cars And The Ugly End Of Driving

Lauren Weinstein <lauren@vortex.com>
Thu, 1 Oct 2015 08:53:57 -0700
  The main thing you should know about autonomous vehicles is that they
  are utterly inevitable.
http://www.buzzfeed.com/mathonan/googles-cute-cars-and-the-ugly-end-of-driving#.yvrGvxNqOO

Leaving aside technical, financial, and cultural issues for the moment, the
question I'd really like to see us thinking about now—before we really
need the full answers—is how we're going to prevent mass government abuse
of these vehicles.

The amount of video and other data these vehicles will be collecting will be
immense. You can bet governments will want it, both in individual cases and
en masse. Governments will want to know where every car is or was, every
moment. They will make license plate scanners totally obsolete.

They will want remote control capabilities. Whether or not vehicles can be
started. Whether they will keep running or automatically pull over to the
side of the road to await a police vehicle (or drive into the nearest police
station, with the windows and doors locked?) if they believe a suspect is
inside. Whether or not you can drive if you haven't been paying your bills
or are having a legal dispute. They will want the ability to block all
vehicles from areas where they don't want to be observed, and shoo all
vehicles already there out of the area. This means individual and en masse
remote control. Pretty powerful stuff.

And remote control is likely to come irrespective of law enforcement,
because it's the most practical way to deal with situations beyond the scope
of the car's AI (unusual weather or road conditions, accident and construction
sites with authorities giving voice instructions to drivers, etc.), assuming
a human driver capable of taking over in such situations is not present.

Remote control capabilities for authorities are also likely to be mandated
at some point due to LEO concerns (already being widely discussed) of
unoccupied vehicles (the "vehicle on demand" scenario) being used in
criminal or terrorist plots.

Most of these issues have already been covered quite convincingly by
prescient science fiction for many decades.

Autonomous vehicle proponents would do well to consider how they're going to
respond to government demands along these lines. 'Cause you can be sure that
there are teams already in governments around the world brainstorming about
their side of this equation.


Nerves rattled by highly suspicious Windows Update

Lauren Weinstein <lauren@vortex.com>
Wed, 30 Sep 2015 12:03:01 -0700
http://arstechnica.com/security/2015/09/nerves-rattled-by-highly-suspicious-windows-update-delivered-worldwide/

  People around the world are receiving a highly suspicious software
  bulletin through the official Windows Update, raising concerns that
  Microsoft's automatic patching mechanism may be broken or, worse, has been
  compromised to attack end users.  This Web search, which queries the
  random-appearing string included in the payload, suggests that it's being
  delivered to people in multiple regions. The same unexplained and almost
  certainly unauthorized patch is being reported in a variety of online
  posts, including this one hosted by Microsoft. The updates appear to be
  coming directly from servers that are cryptographically certified to be
  part of Microsoft's Windows Update system.

Not clear what's going on here yet.


France pushes for global surveillance (EFF)

Lauren Weinstein <lauren@vortex.com>
Thu, 1 Oct 2015 21:13:31 -0700
France's Government Aims to Give Itself--and the NSA--Carte Blanche to
Spy on the World [EFF via NNSquad]

https://www.eff.org/deeplinks/2015/09/frances-government-aims-give-itself-and-nsa-carte-blanche-spy-world

  By legalizing France's own plans to spy on the rest of the world, France
  would take a step to establishing the NSA model as an acceptable global
  norm. Passing the law would undermine France's already weak surveillance
  protections for its own citizens, including lawyers, journalists and
  judges. And it would make challenging the NSA's practices far more
  difficult for France and other states.

You'll recall France is also pushing for its "Right To Be Forgotten"
censorship to apply globally.


Michael Chertoff on encryption, etc. (HuffPost)

Lauren Weinstein <lauren@vortex.com>
Sat, 3 Oct 2015 08:04:46 -0700
http://www.huffingtonpost.com/entry/michael-chertoff-dhs-privacy-security_560ebd9de4b076812701c9f7

  If you can't lock your door, you can't maintain the privacy of your
  home. If you can't encrypt your phone, you can't keep your personal data
  private, either. As tech companies and law enforcement agencies clash over
  encryption, security and privacy, a former Bush administration official is
  coming down forcefully on the side of technology that supports civil
  liberties rather than erodes them.  Michael Chertoff, who served under
  President George W. Bush as the nation's second Secretary of Homeland
  Security, suggested to The Huffington Post that using encryption to keep
  your data or messages personal is like having a quiet, private
  conversation between friends.

Chertoff is an interesting character. Given his actions in the Bush
administration, one would not necessarily have predicted his current
stance on these issues.


Experian hack exposes 15 million people's personal information (The Guardian and Ars Technica)

"David Farber" <farber@gmail.com>
Thu, 1 Oct 2015 17:54:18 -0400
*The Guardian*, 1 Oct 2015
http://www.theguardian.com/business/2015/oct/01/experian-hack-t-mobile-credit-checks-personal-information

  [Also, Dan Goodin, Ars Technica, 1 Oct 2015:
  http://arstechnica.com/security/2015/10/highly-personal-data-for-15-million-t-mobile-applicants-stolen-by-hackers/
  PGN]


Gigabytes of user data from hack of Patreon donations site dumped online (Dan Goodin)

Monty Solomon <monty@roscom.com>
Fri, 2 Oct 2015 02:11:49 -0400
Dan Goodin, Ars Technica,  1 Oct 2015
The inclusion of source code and databases suggest breach was extensive.
http://arstechnica.com/security/2015/10/gigabytes-of-user-data-from-hack-of-patreon-donations-site-dumped-online/


A billion Android phones are vulnerable to new Stagefright bugs (Dan Goodin)

Monty Solomon <monty@roscom.com>
Fri, 2 Oct 2015 02:17:46 -0400
Dan Goodin, Ars Technica, 1 Oct 2015
Stagefright 2.0 comes as Android users were still recovering from
Stagefright 1.
http://arstechnica.com/security/2015/10/a-billion-android-phones-are-vulnerable-to-new-stagefright-bugs/


Drop-dead simple exploit completely bypasses Mac's malware Gatekeeper (Dan Goodin)

Monty Solomon <monty@roscom.com>
Fri, 2 Oct 2015 02:26:58 -0400
Dan Goodin, Ars Technica, 30 Sep 2015
A key limitation makes it trivial for attackers to skirt Gatekeeper
protections.
http://arstechnica.com/security/2015/09/drop-dead-simple-exploit-completely-bypasses-macs-malware-gatekeeper/


UN proposes massive Internet censorship (WashPo)

Lauren Weinstein <lauren@vortex.com>
Fri, 2 Oct 2015 15:37:25 -0700
The United Nations has a radical, dangerous vision for the future of the Web
https://www.washingtonpost.com/news/the-intersect/wp/2015/09/24/the-united-nations-has-a-radical-dangerous-vision-for-the-future-of-the-web/

  At one point toward the end of the paper, the U.N. panel concludes that
  "political and governmental bodies need to use their licensing
  prerogative" to better protect human and women's rights, only granting
  licenses to "those Telecoms and search engines" that "supervise content
  and its dissemination."  In other words, the United Nations believes that
  online platforms should be (a) generally responsible for the actions of
  their users and (b) specifically responsible for making sure those people
  aren't harassers.  Regardless of whether you think those are worthwhile
  ends, the implications are huge: It's an attempt to transform the Web from
  a libertarian free-for-all to some kind of enforced social commons.

There's no way the UN vision could be implemented without mass global
censorship.


Open Office on Ubuntu

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 29 Sep 2015 17:52:36 PDT
  [Noted by Steve Bellovin, in the context of testing for VW misuse:]

By chance, https://bugs.launchpad.net/ubuntu/+source/cupsys/+bug/255161 just
drifted through my Twitter feed.  To summarize: Open Office couldn't print
on Tuesdays on some versions of Ubuntu because of a problem with the 'file'
command.

Testing is so accurate...


Re: EPA v VW cheatware, AI & "machine learning"

Paul Fenimore <fenimore@swcp.com>
Wed, 30 Sep 2015 06:24:40 -0600
I fail to see why there is no clear path forward after discovering VW
engineered their vehicles to specifically defeat emissions regulations.
Specifically defeating regulations, whether by selecting an adaptive
algorithm or some other means, is an unlawful act. The path forward is
called criminal and civil sanctions for the perpetrators; hiding the human
actions behind a "learning" algorithm is a mis-direction. The car design
process from year to year is under the close supervision of the
manufacturer: there is no rogue software element here.

This *human* responsibility is acutely important in the VW case: Vehicle
emission regulations are life-safety regulations that address the major
cause of mortality that arises from treating the open air as a sewer. In the
USA, for example, air pollution results in vast numbers of premature deaths.
<http://news.mit.edu/2013/study-air-pollution-causes-200000-early-deaths-each-year-in-the-us-0829>

The real question is whether homicide charges are relevant when there is
comparative uncertainty about the death of specific individuals as opposed
to certainty that in aggregate large numbers of people have been killed by
VW's deliberate violation of the law.


Re: VW Scandal

Pete Kaiser <djc@resiak.org>
Tue, 29 Sep 2015 19:34:23 +0200
In the 1980s I worked as a developer for a software company whose sole
product was a big-ticket package sold largely to the US federal government,
where the purchasing process included certain standard benchmarks.  The
complex inner workings of the package included self-checking, plausibility
checks, recovery mechanisms, and so forth, and in normal operation those
deep inner features couldn't be turned off.

But secretly buried deep in the package by the original developer—the
company's sole owner—was code that detected when it was running one of
these standard benchmarks, and turned off all the integrity-checking and
safety features, giving the performance a boost.  I was stunned to find
this, and foolishly brought it up to the owner, not with good results for
me.


Adblock sells out—refuses to identify the buyer

Lauren Weinstein <lauren@vortex.com>
Fri, 2 Oct 2015 13:58:19 -0700
The Next Web, 2 Oct 2015 [via NNSquad]
Adblock extension with 40 million users sells to mystery buyer, refuses to
name new owner
http://thenextweb.com/apps/2015/10/02/trust-us-we-block-ads/

  What's strange is that the company won't disclose who it's been sold to,
  why it was sold, or how much it was sold for.  For the extension's claimed
  40 million users this raises an interesting question: Can the extension
  continue to be trusted if the new proprietor is entirely anonymous?  TNW
  contacted Adblock's remaining staff to ask if they'd disclose the buyer
  but the company refused, saying that the purchaser had specifically asked
  not to be named.  The only thing the team would tell us is that the tool's
  creator Michael Gundlach will no longer have any relationship with the
  company—that probably means he's cashed out.

As you'll recall, this is the extension that requires most firms to pay
extortion to bypass the extension's blocking.


The ad-block-alypse has arrived: a mobile carrier has for the first time begun blocking *all* ads on its customers' phones

Monty Solomon <monty@roscom.com>
Thu, 1 Oct 2015 08:54:25 -0400
http://www.businessinsider.com/digicel-becomes-first-mobile-carrier-to-sign-up-shine-ad-blocker-2015-9


Re: Ad-blocking (Ross, RISKS-28.96)

"John Levine" <johnl@iecc.com>
29 Sep 2015 20:24:36 -0000
I think the answer is really "because they can", or perhaps "because they
think they can".

People have ignored ads as long as there's been ads, and advertisers have
always hated it.  But until the Internet, they couldn't tell who was looking
at the ads and who wasn't.  Now the users are making it clear just how not
interested in the ads they are, which is very bad for marketers' fragile
egos.

If I ever write an ad blocker, it's going to be the moral equivalent of
going to the kitchen when the TV shows an ad, while leaving the TV on.
It'll still fetch all the web ads in the background, but it won't display
them.  This will give the users what they want, while protecting the
aforementioned fragile egos.
