The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 06

Friday 30 October 2015

Contents

China Unable To Recruit Hackers Fast Enough To Keep Up With Vulnerabilities In U.S. Security Systems
The Onion
EFF Wins Petition to Inspect and Modify Car Software
EFF
Brain-dead email from medical practice
Gabe Goldberg
It ain't just squirrels vs. power lines. Now it's drones
LA Times
World Series Drama: A Four-Minute Blackout
NYTimes
Report says "You've been hacked!"
Merrill Lynch RIC
Allegations of San Francisco voter fraud
EFF
Xen patch addresses 7-year old privilege escalation flaw
Ars Technica
Cars' Voice-Activated Systems Distract Drivers
NYTimes
Re: Most Americans would be fine with some Internet surveillance if ..
PGN
E-mail encryption is still an oxymoron
SIGCOMM paper and Joseph Cox via Henry Baker
Re: Encrypted VoIP Leaks: Can You Hear Me Now?
Jeremy Epstein
Henry Baker
Re: Cops are asking Ancestry.com and 23andMe for their customers' DNA
R. G. Newbury
If You REALLY Want to Change the World ...
Kressel and Winarsky via PGN
Info on RISKS (comp.risks)

China Unable To Recruit Hackers Fast Enough To Keep Up With Vulnerabilities In U.S. Security Systems

Prashanth Mundkur <prashanth.mundkur@gmail.com>
Wed, 28 Oct 2015 18:57:52 -0700
http://www.theonion.com/article/china-unable-recruit-hackers-fast-enough-keep-vuln-51719

BEIJING -- Despite devoting countless resources toward rectifying the issue,
Chinese government officials announced Monday that the country has struggled
to recruit hackers fast enough to keep pace with vulnerabilities in
U.S. security systems.  “With new weaknesses in U.S. networks popping up
every day, we simply don't have the manpower to effectively exploit every
single loophole in their security protocols,” said security minister Liu
Xiang, who confirmed that the thousands of Chinese computer experts employed
to expose flaws in American data systems are just no match for the United
States' increasingly ineffective digital safeguards.  “We can't keep track
of all of the glaring deficiencies in their firewall protections, let alone
hire and train enough hackers to attack each one. And now, they're failing
to address them at a rate that shows no sign of slowing down anytime
soon. The gaps in the State Department security systems alone take up almost
half my workforce.”  At press time, Liu confirmed that an inadequate labor
pool had forced China to outsource some of its hacker work to Russia.

  [Caveat lector: Your moderator is an Onion Rooter, and appreciates
  onion routers.  PGN]


EFF Wins Petition to Inspect and Modify Car Software

*EFF Press* <press@eff.org>
Tuesday, October 27, 2015
Electronic Frontier Foundation Media Alert
<https://supporters.eff.org/civicrm/mailing/view?reset=1&id=1234>.

EFF Wins Petition to Inspect and Modify Car Software
Exemption Requests Also Approved for Tweaking Abandoned Videogames,
  Jailbreaking Phones and Tablets, and Remixing Videos

Washington, D.C. - The Librarian of Congress has granted security
researchers and others the right to inspect and modify the software in their
cars and other vehicles, despite protests from vehicle manufacturers.  The
Electronic Frontier Foundation (EFF) filed the request for software access
as part of the complex, triennial rulemaking process that determines
exemptions from Section 1201 of the Digital Millennium Copyright Act (DMCA).

Because Section 1201 prohibits unlocking access controls on the software, car
companies have been able to threaten legal action against anyone who needs
to get around those restrictions, no matter how legitimate the reason. While
the copyright office removed this legal cloud from much car software
research, it also delayed implementation of the exemption for one year.

EFF Staff Attorney Kit Walsh: “This access control rule is supposed to
protect against unlawful copying. But as we've seen in the recent Volkswagen
scandal—where VW was caught manipulating smog tests—it can be used
instead to hide wrongdoing hidden in computer code. We are pleased that
analysts will now be able to examine the software in the cars we drive
without facing legal threats from car manufacturers, and that the Librarian
has acted to promote competition in the vehicle aftermarket and protect the
long tradition of vehicle owners tinkering with their cars and tractors. The
year-long delay in implementing the exemptions, though, is disappointing and
unjustified. The VW smog tests and a long run of security vulnerabilities
have shown researchers and drivers need the exemptions now.”

EFF also won an exemption for users who want to play video games after the
publisher cuts off support. For example, some players may need to modify an
old video game so it doesn't perform a check with an authentication server
that has since been shut down. The Librarian also granted EFF's petition to
renew a previous exemption to jailbreak smartphones, and extended that to
other mobile devices, including tablets and smartwatches. This clarifies the
law around jailbreaking, making clear that users are allowed to run
operating systems and applications from any source, not just those approved
by the manufacturer. EFF also won the renewal and partial expansion of the
exemptions for remix videos that use excerpts from DVDs, Blu-Ray discs, or
downloading services.

EFF Senior Staff Attorney Mitch Stoltz: “We're pleased that the Librarian
of Congress and the Copyright Office have expanded these legal protections
to users of newer products like tablets, wearable computers, and Blu-Ray
discs.”

Today's ruling is a victory for users, artists, and researchers. However,
the laborious process required to remove a legal cloud over clear fair uses
highlights the need for fundamental reforms.

EFF Legal Director Corynne McSherry: “It's absurd that we have to spend so
much time, every three years, filing and defending these petitions to the
copyright office. Technologists, artists, and fans should not have to get
permission from the government—and rely on the contradictory and often
nonsensical rulings—before investigating whether their car is lying to
them or using their phone however they want. But despite this ridiculous
system, we are glad for our victories here, and that basic rights to modify,
research, and tinker have been protected.”

EFF's remix petition was drafted and co-submitted with the Organization for
Transformative Works. EFF's remaining petitions received invaluable
assistance from the NYU Technology Law & Policy Clinic, attorney Marcia
Hofmann, and former EFF intern Kendra Albert.

For the full ruling from the Library of Congress:
http://copyright.gov/1201/2015/fedreg-publicinspectionFR.pdf

For more on the DMCA rulemaking:
https://www.eff.org/cases/2015-dmca-rulemaking

Contacts:

Corynne McSherry, Legal Director, corynne@eff.org, +1 415-436-9333 x 122
Mitch Stoltz, Senior Staff Attorney, mitch@eff.org, +1 415-436-9333 x 142
Kit Walsh, Staff Attorney, kit@eff.org, +1 415-436-9333 x 163


Brain-dead email from medical practice

Gabe Goldberg <gabe@gabegold.com>
Mon, 26 Oct 2015 20:11:58 -0400
After seeing a new medical practice today—one which I'm likely to never
visit again—I received this note tonight:
  Subject was: Your patient portal has a new message.

It said:

  Please use following URL to complete registration process on patient
  portal for the X X X Center:

    https://www.xxx.com/web/Account/Register

  To login, enter your email address as your username, and create a new
  password of your choice.

  Please fill out the demographic information if it is not filled out
  already.  Please do not attempt to fill in the insurance information. We
  will fill it in for you and confirm it during your visit.

So anyone intercepting this non-secured note could register as me,
impersonate me, establish "my" account and access MY records.

My first attempt to register failed because I omitted the essential special
character required by their ultra-secure password rules: Password must be at
least 8 characters long and include a capital letter, a lower case letter, a
number, and a special character (!@#$%^&*).

So they sort-of consider security, just incompletely/badly. But wait, it's
even lamer. The message I had to register to read was about my UPCOMING
(that is, today's, already past) appointment.


It ain't just squirrels vs. power lines. Now it's drones

danny burstein <dannyb@panix.com>
Wed, 28 Oct 2015 00:58:08 -0400 (EDT)
[LA Times]

Authorities are looking for the pilot of a drone that flew into power lines
Monday in West Hollywood and knocked out service to hundreds of Southern
California Edison customers, officials said.

Witnesses reported seeing a drone buzz into the wires lining Larrabee Street
and Sunset Boulevard about 1:15 p.m. knocking one to the ground, said
Lt. Edward Ramirez of the Los Angeles County Sheriff's Department.

rest:
http://www.latimes.com/local/lanow/la-me-ln-drone-power-west-hollywood-20151027-story.html


World Series Drama: A Four-Minute Blackout

Monty Solomon <monty@roscom.com>
Wed, 28 Oct 2015 08:02:06 -0400
Fox temporarily lost power on Tuesday night in Kansas City, Mo.

http://www.nytimes.com/2015/10/28/sports/baseball/world-series-drama-a-four-minute-blackout.html

  [The Fox Sports Net TV broadcast had at least TWO power outages,
  apparently in the truck outside the stadium, each of which caused the
  coverage to shift back to the studio.  PGN]


A Merrill Lynch RIC Report says "You've been hacked!"

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 27 Oct 2015 16:41:54 PDT
"Cybersecurity is one of the top global risks today. There have been 80-90
million cybersecurity events per year, or up to 250,000 attacks per day in
recent years—with 70% of attacks thought to be going undetected. The
global cybersecurity solutions market continues to grow and is estimated at
US$75-77 billion in 2015, and is expected to reach US$170 billion by 2020."


Allegations of San Francisco voter fraud (EFF item PGN-ed)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 29 Oct 2015 17:06:19 PDT
SF Chronicle:
http://www.sfchronicle.com/politics/article/Allegations-of-voter-fraud-in-Chinatown-surface-6594323.php

SF Examiner:
http://www.sfexaminer.com/democratic-party-may-amend-unworkable-voter-fraud-fix/

Democratic Club Uncovers Voter Fraud in Chinatown Non-Profit Senior Housing
FOR IMMEDIATE RELEASE, October 22, 2015
CONTACT: Tom A. Hsieh, twohsieh@gmail.com, 415-522-7289

The Asian Pacific Democratic Club (APDC) has been gathering reports about
widespread voter fraud in buildings owned or connected to the Chinatown
Community Development Corporation (CCDC).  In recent days, APDC has
encountered multiple statements of stolen ballots from Chinese senior
residents.  In one instance, a blind woman reported her ballot was taken
away and filled out by two female individuals.  Those two individuals then
told the senior that they had voted for Aaron Peskin on her ballot.

"Senior citizens in these CCDC non-profit buildings are having their ballots
stolen.  These seniors are supposed to be protected by their caregivers but
instead ballots are being harvested from them on a building-wide scale,"
said Tom A. Hsieh, a spokesman of the club, which has been chartered since
1992.  "We should all be concerned about statements released from CCDC,
accusing unnamed individuals of masquerading as CCDC employees and stealing
ballots in their secured buildings," said Hsieh.  "It sounds absurdly like
somebody is trying to cover their tracks."

Hsieh is referring to a statement made by CCDC that individuals came into
CCDC buildings pretending to be CCDC employees and asked for ballots.  CCDC
buildings are guarded by locked entrances and security personnel and entry
by non-residents is unlikely.

One senior voter said that every year someone has come to his door to fill
out his ballot, and that his ballot was taken in the last three years by the
same person.  He also stated that this was practiced throughout the whole
building, which is managed by CCDC.  In another incident, an elderly woman
said two women came to her door, asked her to sign a ballot return envelope,
and then took her ballot away.  She said two women were returning to her
building each day to collect ballots from others.  The property, known as
Chinatown's Orangeland building, has a long history with CCDC.

Three buildings managed by or with ties to CCDC have had reports of voter
fraud.  APDC has evidence that a CCDC-owned building called Broadway
Sansome Apartments allowed the Aaron Peskin for Supervisor campaign into
the building in late September in apparent violation of their tax-exempt,
non-profit rules against candidate electioneering. [...]

Other interviews about ballot tampering are even more detailed and
describe a group of people who are systemically committing voter fraud [...]


Xen patch addresses 7-year old privilege escalation flaw

"Bob Gezelter" <gezelter@rlgsc.com>
Fri, 30 Oct 2015 00:43:17 -0700
Ars Technica reports that the Xen project has fixed a serious flaw in
Xen guest containment, which could lead to arbitrary damage to the host
and other guest instances.

The flaw, indexed as CVE-2015-7835, is entitled "x86: Uncontrolled
creation of large page mappings by PV guests". The Xen description of
the flaw is:

  The code to validate level 2 page table entries is bypassed when certain
  conditions are satisfied.  This means that a PV guest can create writeable
  mappings using super page mappings.

  Such writeable mappings can violate Xen intended invariants for pages
  which Xen is supposed to keep read-only.

  This is possible even if the "allowsuperpage" command line option is not
  used.

  IMPACT: Malicious PV guest administrators can escalate privilege so as to
    control the whole system.

  VULNERABLE SYSTEMS: Xen 3.4 and onward are vulnerable.
    Only x86 systems are vulnerable.  ARM systems are not vulnerable.
    Only PV guests can exploit the vulnerability.  Both 32-bit and 64-bit PV
    guests can do so. ...

The complete Ars Technica article is at:
http://arstechnica.com/security/2015/10/xen-patches-7-year-old-bug-that-shattered-hypervisor-security/

Bob Gezelter, http://www.rlgsc.com


Cars' Voice-Activated Systems Distract Drivers

Monty Solomon <monty@roscom.com>
Sun, 25 Oct 2015 10:17:13 -0400
Research shows that the technology can be a powerful distraction, and a
lingering one.
http://www.nytimes.com/2015/10/22/science/cars-voice-activated-systems-distract-drivers-study-finds.html


Re: Most Americans would be fine with some Internet surveillance if ..

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 30 Oct 2015 08:52:12 PDT
I appreciate responses from several readers who reacted strongly to my
including Lauren's comments on the Daily Dot item in RISKS-29.05.  Although
he did not submit that item to RISKS, it is entirely my fault that I did not
excise his comments about Fox News.  What he wrote exhibited a bias that I
almost always try to eliminate—even if some readers might agree with it.
I apologize for my error of non-omission.  However, I would note that I do
devote considerable effort in "moderating" RISKS that results in what some
of you might call "censorship".  I think that has to be the privilege of a
"moderator".


E-mail encryption is still an oxymoron

Henry Baker <hbaker1@pipeline.com>
Wed, 28 Oct 2015 16:35:48 -0700
Zakir Durumeric et al. [with Alex Halderman as the 10th author],
  Neither Snow Nor Rain Nor MITM ...:
  An Empirical Analysis of Email Delivery Security, SIGCOMM 2015
http://conferences2.sigcomm.org/imc/2015/papers/p27.pdf

"We find that the top mail providers (e.g., Gmail, Yahoo, and Outlook) all
proactively encrypt and authenticate messages.  However, these best
practices have yet to reach widespread adoption in a long tail of over
700,000 SMTP servers, of which only 35% successfully configure encryption,
and 1.1% specify a DMARC authentication policy. This security patchwork—
paired with SMTP policies that favor failing open to allow gradual
deployment—exposes users to attackers who downgrade TLS connections in
favor of cleartext and who falsify MX records to reroute messages.  We
present evidence of such attacks in the wild, highlighting seven countries
where more than 20% of inbound Gmail messages arrive in cleartext due to
network attackers."

"In this [downgrade] attack, a network actor takes advantage of the
fail-open design of STARTTLS—where SMTP servers fall back to cleartext if
any errors occur during the STARTTLS handshake—to launch a downgrade
attack.  A network actor can manipulate packets containing the STARTTLS
command to prevent mail servers from establishing a secure channel, or alter
a mail server's EHLO response to remove STARTTLS from the list of server
capabilities."

"The STARTTLS RFC does not define how clients should validate presented
certificates. ... However, it also enables network-level attackers to
falsely report MX records that point to an attacker-controlled domain.
Without additional security add-ons (e.g., DANE), this attack remains a real
threat."

Joseph Cox, Email Encryption Is Broken, Motherboard, 28 Oct 2015
http://motherboard.vice.com/read/email-encryption-is-broken

Email was never designed to be private.  When the Simple Mail Transfer
Protocol (SMTP) was first invented, it didn't come with protections or ways
to check that a message really came from where it claimed to.  Those came
later, with the addition of extensions like STARTTLS for encrypting
communications and others for authenticating messages.

Now a study has found that despite those inventions, large chunks of email
traffic are being deliberately stripped of their encryption, or just sent
without any in the first place, leaving them totally open to passive
eavesdroppers.  Some of the findings are truly staggering, with over 95
percent of email sent from Tunisia to Gmail having its protections removed,
or more than 20 percent of inbound Gmail messages in seven countries
arriving in clear text because of network attacks.

The findings come from what researchers at the University of Michigan,
Google, University of Illinois, and Urbana Champaign say is the first report
on global adoption rates of email security extensions.  The researchers had
access to some impressive data sets: logs of SMTP traffic sent to and from
Gmail from January 2014 to April of this year, as well as a snapshot of the
configurations of email servers belonging to the Alexa Top Million domains.
Alexa is a site that ranks the world's websites by traffic.

They found some pleasant news: "from Gmail's perspective, incoming messages
protected by TLS have increased 82% over the last year," the researchers
write, who add that a lot of this is due to several big providers, such as
Yahoo and Outlook, encrypting their traffic.  TLS stands for Transport Layer
Security, and is the cryptographic protocol used to encrypt all sorts of
data, be that web browsing or email.

But that's about it for the good stuff.  For the 700,000 SMTP servers
associated with the top million domains, only 82 percent support TLS, and 35
percent allow proper server authentication.

The researchers also uncovered mass scale attacks of STARTTLS sessions being
stripped of their encryption.  That attack itself isn't new: internet
service providers sometimes do it to monitor users; organizations may use it
to keep an eye on employees; or it may come from a malicious actor.  But
this paper is the first indication of how widespread it is.

And it appears that pretty much everyone, from governments to academic
institutions, is getting in on the act.

"Overall, no single demographic stands out; the distribution is spread over
networks owned by governments, Internet service providers, corporations, and
financial, academic, and health care institutions.  We note that several
airports and airlines appear on the list, including an AS belonging to a
subsidiary of Boingo (AS 10245), a common provider of in-flight and airport
WiFi, ... These attacks are both readily found in the wild and pose a real
threat to users, with more than 20% of mail being sent in cleartext within
seven countries" ... "And although some of this stripping may be done to
facilitate legitimate filtering, perhaps for corporate networks to check for
malicious content, "this technique results in messages being sent in
cleartext over the public Internet, enabling passive eavesdropping and other
attacks."

This should act as a reminder that because of the nature of STARTTLS, even
if Google or anyone else implements encryption onto their email traffic,
someone else can simply reverse all of that work—possibly leaving your
emails open to snooping by whatever server they happen to slip through.

There are solutions, though they are unlikely to spring up over night.  ...

But for the time being, large sections of email traffic are totally
vulnerable to being spied on, something that leads the researchers to
describe the current state of email as a security patchwork.
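The fail-open behaviour the paper describes (a sender falls back to cleartext when STARTTLS is missing from the EHLO response or the STARTTLS command fails) can be made concrete with a small policy model. The following is an added example, not code from the paper, from Motherboard, or from any mail server: it parses a constructed EHLO response, decides delivery under a fail-open versus a fail-closed policy, and flags a session in which a peer that previously advertised STARTTLS no longer does. The host name `mx.example.test`, the reply strings and the history store are all constructed for the example.

```python
"""Fail-open vs fail-closed STARTTLS delivery policy (constructed example)."""
from enum import Enum
from typing import Dict, Optional, Set


class Decision(Enum):
    TLS = "deliver over TLS"
    CLEARTEXT = "deliver in cleartext"
    REFUSE = "defer or refuse delivery"


def parse_ehlo(response: str) -> Set[str]:
    """Return the capability keywords advertised in a multi-line 250 EHLO reply.

    Intermediate lines look like '250-STARTTLS'; the final line uses '250 '.
    The first line carries the server greeting and is not a capability.
    """
    caps: Set[str] = set()
    lines = [ln.strip() for ln in response.strip().splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        if not (line.startswith("250-") or line.startswith("250 ")):
            raise ValueError("unexpected EHLO line: %r" % line)
        if i == 0:
            continue  # greeting line, e.g. '250-mx.example.test Hello ...'
        caps.add(line[4:].split()[0].upper())
    return caps


def decide(ehlo_response: str, starttls_reply: Optional[str],
           require_tls: bool) -> Decision:
    """Decide how to deliver given the peer's EHLO reply and the STARTTLS outcome.

    require_tls=False models the RFC 3207 fail-open behaviour: any problem with
    STARTTLS leads to cleartext.  require_tls=True models a fail-closed policy,
    as a sender can enforce once it knows (e.g. via DANE) the peer must speak TLS.
    """
    caps = parse_ehlo(ehlo_response)
    if "STARTTLS" not in caps:
        return Decision.REFUSE if require_tls else Decision.CLEARTEXT
    # STARTTLS was advertised; only a 220 reply to the STARTTLS command is success.
    if starttls_reply is not None and starttls_reply.startswith("220"):
        return Decision.TLS
    return Decision.REFUSE if require_tls else Decision.CLEARTEXT


def downgrade_suspected(history: Dict[str, bool], domain: str,
                        caps: Set[str]) -> bool:
    """Flag a session where a peer that once advertised STARTTLS no longer does.

    One such event is not proof of tampering (servers get reconfigured), but the
    sudden loss of STARTTLS on a path that always offered it is the pattern worth
    alerting on.  `history` is the sender's own memory of past sessions (constructed).
    """
    seen_before = history.get(domain, False)
    offers_now = "STARTTLS" in caps
    history[domain] = seen_before or offers_now
    return seen_before and not offers_now


# Constructed EHLO replies.  The second is the same server with STARTTLS removed
# from the capability list in transit, the EHLO-tampering case the paper describes.
EHLO_WITH_TLS = """250-mx.example.test Hello [192.0.2.10]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250 ENHANCEDSTATUSCODES"""

EHLO_STRIPPED = """250-mx.example.test Hello [192.0.2.10]
250-SIZE 35882577
250-8BITMIME
250 ENHANCEDSTATUSCODES"""

STARTTLS_OK = "220 2.0.0 Ready to start TLS"
STARTTLS_ERR = "454 4.7.0 TLS not available due to temporary reason"


if __name__ == "__main__":
    for label, ehlo, reply in [("intact", EHLO_WITH_TLS, STARTTLS_OK),
                               ("stripped", EHLO_STRIPPED, None),
                               ("handshake error", EHLO_WITH_TLS, STARTTLS_ERR)]:
        print("%-16s fail-open: %-22s fail-closed: %s" % (
            label, decide(ehlo, reply, False).value, decide(ehlo, reply, True).value))
    history: Dict[str, bool] = {}
    downgrade_suspected(history, "example.test", parse_ehlo(EHLO_WITH_TLS))
    print("downgrade suspected on second session:",
          downgrade_suspected(history, "example.test", parse_ehlo(EHLO_STRIPPED)))
```

Under the fail-open policy both the stripped EHLO and the errored handshake end in cleartext, which is exactly what makes the attack invisible to the sender; under the fail-closed policy both are refused, and the history check gives an operator a log signal even when policy still allows the fallback.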


Re: Encrypted VoIP Leaks: Can You Hear Me Now? (Baker, RISKS-29.05)

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Tue, 27 Oct 2015 04:12:24 -0400
"Phonotactic Reconstruction of Encrypted VoIP Conversations: Hookt on
fon-iks" was published at IEEE Security & Privacy 2011.  There's also a
video of Fabian Monrose's NSF talk about the paper at
http://www.nsf.gov/cise/cns/watch/talks/monrose.jsp


Re: Encrypted VoIP Leaks: Can You Hear Me Now? (RISKS-29.05)

Henry Baker <hbaker1@pipeline.com>
Tue, 27 Oct 2015 05:46:40 -0700
Thanks, Jeremy!  Some people (like me) are a little slow.

Let's see: 2011 was pre-Snowden, and pre-Microsoft's (5/10/2011) acquisition
of Skype, after which Microsoft gave the U.S. govt full unencrypted access
to all that supposedly private & secure Skype traffic.  But we didn't know
that then.

Fast forward to 2015.  We can now assume that most/all VoIP is now
completely broken, either because govt's have access to unencrypted traffic,
or because they can read all the encrypted traffic.

SS7 security is a non sequitur, so SS7+broken VoIP means that most voice
traffic around the world is broken.

Still "going dark", are we, Mr. Comey?


Re: Cops are asking Ancestry.com and 23andMe for their customers' DNA

"R. G. Newbury" <newbury@mandamus.org>
Tue, 27 Oct 2015 14:11:01 -0400
Both Ancestry.com and 23andMe should seriously consider *selling* the entire
database of records, to a corporation in another country, such as Ireland,
and keep *none* of the data in the US. Since the genetic data is tied to
'personal information' it is highly unlikely that an Irish court could or
would order release of the data for what is obviously 'fishing expedition'
level matters. And even in the case of serious crimes, a warrant would
*probably* not be available there, in respect of a crime alleged to have
occurred here.

BTW, I thought that probable cause for a warrant required that the place to
be searched might produce evidence about the crime, not evidence connecting
an unknown person to the crime.  Any Fourth Amendment specialists care to
comment??

R. Geoffrey Newbury
(who is an Ontario lawyer, and who does not do criminal law)


If You REALLY Want to Change the World ... (Kressel and Winarsky)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 27 Oct 2015 11:50:26 PDT
Henry Kressel and Norman Winarsky have just had their book published, with
the subject-line title, and a subtitle—A Guide to Creating, Building, and
Sustaining Breakthrough Ventures, Harvard Business Review Press.  xii+215,
2015.  These two men really know whereof they write, speak, and practice.
For example, Norman was the person at SRI who led the creation of more than
sixty ventures, worth over $20 billion—including Nuance, Intuitive
Surgical, Siri, and Fair Isaac.  If you are involved in a start-up or
contemplating one with really hot innovative ideas, this book should be
mandatory reading—despite the fact that a Google search might turn up
tens of thousands of other books on the subject.  Perhaps most valuable are
the chapter on Five Fatal Mistakes of Start-Ups, subtitled The most common
venture killers are avoidable, and the chapter on Ensuring the Future, with
seven basic principles.  Overall, the experience distilled by the two
authors is remarkably pithy.

There are also many of you in the research community who believe in changing
the computer world more altruistically—perhaps with open-source
developments.  The prevalence in all development efforts of the five fatal
mistakes described in the book—whether open-source or proprietary—
suggests that there is something in this book for everyone involved in
innovation, helping avoid many of the inherent problems.  It might also
encourage you to do what you are already doing even better.
