The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 11

Thursday 19 November 2015

Contents

House panel examines safety risks and benefits of the Internet of Cars
USA Today
Signs Point to Unencrypted Communications Between Terror Suspects
Bob Hinden
Anonymous vs. ISIS: Netpolitik After the Pari s Attacks
Charlie Firestone
DO SOMETHING: After Paris, flailing to protect us
Ashley Carman and others via Henry Baker
CIA snooping on Congress
EPIC and the NYTimes via PGN
Feds bugged steps of Silicon Valley courthouse
Dan Goodin
When TV Turns Itself Off
NYTimes
CMU cybersecurity warrant canary dies
Henry Baker
Carnegie Mellon denies it was paid to help the FBI crack Tor
Ashley Carman
On Fake Instagram, a Chance to Be Real
NYTimes
Re: My first purchase with a chipped card
John Levine
Info on RISKS (comp.risks)

House panel examines safety risks and benefits of the Internet of Cars

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 18 Nov 2015 15:43:39 PST
  Today's hearing of a House Committee panel:

WASHINGTON—Technology that connects cars to the Internet has the
potential to prevent crashes and save thousands of lives, but it also could
allow hackers to grab control of vehicles, experts say.

http://www.usatoday.com/story/news/2015/11/18/house-panel-examines-safety-risks-and-benefits-internet-cars/76001022/
http://usat.ly/1O3Ekgy


Signs Point to Unencrypted Communications Between Terror Suspects

Bob Hinden <bob.hinden@gmail.com>
November 18, 2015 at 5:22:22 PM EST
According to this article they didn't use encryption:

https://theintercept.com/2015/11/18/signs-point-to-unencrypted-communications-between-terror-suspects/>


Anonymous vs. ISIS: Netpolitik After the Pari s Attacks (Charlie Firestone)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 19 Nov 2015 12:05:35 PST
Charlie Firestone (Executive Director, Aspen Institute),
*Huffington Post*, 18 Nov 2015

Anonymous vs. ISIS: Netpolitik After the Paris Attacks

There have been many government and citizen reactions to the horrors of the
Paris attacks of November 13, 2015. France is effectively declaring war on
ISIS, legislatures debate their nation's role in response, and many people
around the globe show solidarity with the French people by personal acts
such as laying wreaths or superimposing French flags on their Facebook
profile pictures.

But there is one reaction that so exemplifies the current state of the
networked world that it warrants closer analysis. That is the filmed
declaration of Anonymous to take down ISIS. It is the epitome of the theory
of Netpolitik, which Leshuo Dong and I wrote about earlier this year. In
that piece, entitled, "Netpolitik: What the Emergence of Networks Means for
Diplomacy and Statecraft," we postulated that "realpolitik" and
"international liberalism" no longer sufficed as diplomatic models to
resolve world problems. The Westphalian concept of sovereign nations dealing
with each other as states has limited application to a world where networks
are the dominant form of organization.

Borders are porous to different degrees when it comes to keeping out
climate, disease, pollution, crime, currencies, economic effects, and
information. Networks of people, organizations, and even governments
transverse borders as well. If our businesses rely on the network
organizational form, our military engages in net-centric warfare, and even
our enemies persist as networks, we postulated, then governments should
employ network principles to assert national interests in the world of
diplomacy.

Now, however, we see a wrinkle: the cyber-vigilante group Anonymous has
declared war on ISIS. That is, a non-governmental network of anonymous
hackers will fight against an international network of violent terrorists on
the cyber-war field. They will no doubt employ those network principles we
mentioned in "Netpolitik", and many more that we can learn from them, in
pursuit of the new global bad guy. For example, just as biological organisms
have to fight against viruses, communications networks become vulnerable at
their weakest spot. The terrorist network that has been so savvy with new
media now faces a network of accomplished hackers in a potentially
formidable challenge to the group.

This, then, is a prime example of netpolitik, the engagement of networks to
counter networks - though in this case it goes beyond diplomacy. It is an
early episode in guerilla cyber-warfare. At the least this development bears
close watching. Hopefully, Anonymous will announce its victories as ISIS
does theirs.

The fight against ISIS will take all kinds of efforts, in the air, on the
ground, and now, over the ether. But who do you have confidence in to make a
significant dent in the job? The countries that have professed to defeat
ISIS and its antecedents again and again? (Not that I think they are
shirking from their responsibilities.) Or a cyber-savvy network who can find
another net's vulnerability and dismantle its communications capabilities?

Today, nations should not have to rely on the white masks of digital
vigilantes. Rather, they need cyber-rangers with the capabilities - talent,
resources, resolve - to defeat their enemies, who more likely than not, will
be networks, not nations.


DO SOMETHING: After Paris, flailing to protect us

Henry Baker <hbaker1@pipeline.com>
Wed, 18 Nov 2015 10:18:23 -0800
I'm having a hard time understanding how making our phones and computers
vulnerable to Russian and North Korean criminals will make us all safer from
the ISIS jihadis.

Also, the ISIS "junior varsity" appears to be quite sophisticated about
using computers; that "backdoor" Brennan, Comey, et al, crave is just the
ticket for an ISIS "cyber Pearl Harbor" within a year or so.

Revenge is a dish best served cold.  First, do no harm.
Good advice for those contemplating possible responses.

Ashley Carman, The Verge, 18 Nov 2015
Encryption is enemy number one; The U.S. government doesn't know what
technology to blame for the Paris attacks
https://www.theverge.com/2015/11/18/9755582/paris-attacks-cause-investigation-cia-fcc-encryption-internet

First they blamed encryption.  Then they wanted websites taken down.  Now,
they're proposing additional legislation.

Just days after the shocking attacks in Paris, there's a new push in
Washington to crack down on encryption and other security tools in an effort
to prevent future attacks.  Members of Congress have proposed mandatory
backdoor provisions, website shutdowns, and expanded surveillance powers.
But none of the suggestions have any clear connection to methods used in the
attacks, which is resulting in a strange hodgepodge of ideas.  Many in the
government aren't sure which technologies to blame.

The loudest voice so far comes from CIA director John Brennan, who blames
encryption for intelligence failures leading up to the attacks.  "There are
a lot of technological capabilities that are available right now that make
it exceptionally difficult, both technically as well as legally, for
intelligence and security services to have the insight they need to uncover
it," he said during a speech at the Center for Strategic and International
Studies.  "And I do think this is a time for particularly Europe, as well as
here in the United States, for us to take a look and see whether or not
there have been some inadvertent or intentional gaps that have been created
in the ability of intelligence and security services to protect the people
that they are asked to serve."

http://csis.org/files/attachments/151116_GSF_OpeningSession.pdf

Despite Brennan's assertions, investigators still don't how these attacks
were planned.  There was initial speculation the terrorists communicated via
the unencrypted PlayStation Network, which turned out to be false.  In
another twist, given the physical proximity of many of the already-named
attackers, it's unclear if electronic devices were used at all during
planning.

Others have sought to blame disk encryption, particularly the security
measures protecting iPhones, which law enforcement officials have been
looking to circumvent for years.  Many in law enforcement, including the
Manhattan District Attorney today, have pushed for a universal power that
would allow police to unlock any disk-encrypted device once the appropriate
legal rulings were obtained.  However, early reports from Paris indicate
disk encryption wasn't protecting the attackers' phones, which makes it
unlikely those powers would have helped prevent these attacks or catch
perpetrators afterward.

http://manhattanda.org/sites/default/files/11.18.15%20Report%20on%20Smartphone%20Encryption%20and%20Public%20Safety.pdf

At the same time, other legislators have focused on ISIS's web presence.
Yesterday, during a hearing with the Federal Communications Commission
(FCC), US Representative Joe Barton (R-TX) suggested shutting down ISIS
websites and social media networks.  "They're using the Internet in
extremely offensive and inappropriate ways against us," he said after noting
websites "pop up like weeds" and asking if the government could just "shut
those Internet sites down."

FCC Chairman Tom Wheeler responded, "I'm not sure that our authority extends
to picking and choosing among websites, but I do think there are specific
things that we can do."  Among those things the agency could do is have
Congress update the definition of a "lawful intercept" under the
Communications Assistance for Law Enforcement Act (CALEA), which could force
companies to build backdoors into their technology and decrypt any encrypted
communications.  When asked if Wheeler and his agency would help lawmakers
update that law, Wheeler replied, "A capital yes, sir."  Reports out of
Washington indicate Wheeler might just get that opportunity with interest in
CALEA building, along with further anti-encryption legislation.

http://csis.org/files/attachments/151116_GSF_OpeningSession.pdf

While investigators sort through evidence and determine how these events
transpired, even if the attackers used an encrypted chatting app, such as
WhatsApp, plenty of non-terrorists use it, too, and want their
communications kept private.  Plus, a backdoor built for law enforcement can
be used by anyone who discovers it, which makes many in the technology world
reluctant to build one.

Paris hasn't changed the fundamental question of whether strong privacy
protections should be allowed on the web for most privacy advocates.  "These
[Paris] attacks are reprehensible," said Harley Geiger, senior counsel and
advocacy director at the Center for Democracy & Technology, in an interview
with The Verge.  Noting the investigations are ongoing, he continued, "the
debate about government-mandated cybersecurity vulnerabilities in this
country has been going on for many years, and the dangers of a
government-mandated backdoor into encryption have not changed simply because
we've had these reprehensible attacks."


CIA snooping on Congress

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 17 Nov 2015 21:38:15 PST
  [Thanks to Marc Rotenberg, head of the Electronic Privacy Information
  Center.]

The NY Times calls out CIA Director Brennan regarding the hacking of Senate
staff.

It was an EPIC FOIA lawsuit that uncovered the facts of that case:
CIA Releases Redacted Report on Surveillance of Congress

Several months after EPIC filed a Freedom of Information Act lawsuit against
the Central Intelligence Agency, the agency has released the Inspector
General's report on the agency's surveillance of Congress. The Inspector
General launched an investigation after the Senate accused the CIA of
improperly accessing the computers of Senate staff who were investigating
CIA torture practices. The Inspector General found that CIA personnel
improperly accessed Senate computers multiple times. The Inspector General
also found that the CIA's accusations that Senate staff had improperly
removed CIA files were baseless. EPIC will pursue release of the full,
unredacted report. (Jan. 15, 2015)

https://epic.org/2015/01/cia-releases-redacted-report-o.html
http://www.nytimes.com/2015/11/18/opinion/mass-surveillance-isnt-the-answer-to-fighting-terrorism.html

Mass Surveillance Isn't the Answer to Fighting Terrorism
*The New York Times*, Editorial Board, 17 Nov 2015

It's a wretched yet predictable ritual after each new terrorist attack:
Certain politicians and government officials waste no time exploiting the
tragedy for their own ends. The remarks on Monday by John Brennan, the
director of the Central Intelligence Agency, took that to a new and
disgraceful low.

Speaking less than three days after coordinated terrorist attacks in Paris
killed 129 and injured hundreds more, Mr. Brennan complained about “a lot
of hand-wringing over the government's role in the effort to try to uncover
these terrorists.''

What he calls hand-wringing was the sustained national outrage following the
2013 revelations by Edward Snowden, a former National Security Agency
contractor, that the agency was using provisions of the Patriot Act to
secretly collect information on millions of Americans' phone records. In
June, President Obama signed the USA Freedom Act, which ends bulk collection
of domestic phone data by the government (but not the collection of other
data, like emails and the content of Americans' international phone calls)
and requires the secretive Foreign Intelligence Surveillance Court to make
its most significant rulings available to the public.

These reforms are only a modest improvement on the Patriot Act, but the
intelligence community saw them as a grave impediment to anti-terror
efforts. In his comments Monday, Mr. Brennan called the attacks in Paris a
wake-up call, and claimed that recent policy and legal actions “make our
ability collectively, internationally, to find these terrorists much more
challenging.''

It is hard to believe anything Mr. Brennan says. Last year, he bluntly
denied that the C.I.A. had illegally hacked into the computers of Senate
staff members conducting an investigation into the agency's detention and
torture programs when, in fact, it did. In 2011, when he was President
Obama's top counterterrorism adviser, he claimed that American drone strikes
had not killed any civilians, despite clear evidence that they had. And his
boss, James Clapper Jr., the director of national intelligence, has admitted
lying to the Senate on the N.S.A.'s bulk collection of data. Even putting
this lack of credibility aside, it's not clear what extra powers Mr. Brennan
is seeking.

Most of the men who carried out the Paris attacks were already on the radar
of intelligence officials in France and Belgium, where several of the
attackers lived only hundreds of yards from the main police station, in a
neighborhood known as a haven for extremists. As one French counterterrorism
expert and former defense official said, this shows that “our intelligence
is actually pretty good, but our ability to act on it is limited by the
sheer numbers.''  In other words, the problem in this case was not a lack of
data, but a failure to act on information authorities already had.

In fact, indiscriminate bulk data sweeps have not been useful. In the more
than two years since the N.S.A.'s data collection programs became known to
the public, the intelligence community has failed to show that the phone
program has thwarted a terrorist attack. Yet for years intelligence
officials and members of Congress repeatedly misled the public by claiming
that it was effective.

The intelligence agencies' inability to tell the truth about surveillance
practices is just one part of the problem. The bigger issue is their
willingness to circumvent the laws, however they are written. The Snowden
revelations laid bare how easy it is to abuse national-security powers,
which are vaguely defined and generally exercised in secret.

Listening to Mr. Brennan and other officials, like James Comey, the head of
the Federal Bureau of Investigation, one might believe that the government
has been rendered helpless to defend Americans against the threat of future
terror attacks.

Mr. Comey, for example, has said technology companies like Apple and Google
should make it possible for law enforcement to decode encrypted messages the
companies' customers send and receive. But requiring that companies
build such back doors into their devices and software could make those
systems much more vulnerable to hacking by criminals and spies. Technology
experts say that government could just as easily establish links between
suspects, without the use of back doors, by examining who they call or
message, how often and for how long.

In truth, intelligence authorities are still able to do most of what they
did before—only now with a little more oversight by the courts and the
public. There is no dispute that they and law enforcement agencies should
have the necessary powers to detect and stop attacks before they happen. But
that does not mean unquestioning acceptance of ineffective and very likely
unconstitutional tactics that reduce civil liberties without making the
public safer.


Feds bugged steps of Silicon Valley courthouse

Henry Baker <hbaker1@pipeline.com>
Wed, 18 Nov 2015 09:04:23 -0800
FYI --

BTW, have you ever wondered about the expectation of privacy in:
* an airline seat
* a restaurant
* a hotel lobby
* a park bench
* a city bus
* a ball game
* a hotel room

Dan Goodin, Ars Technica, 17 Nov 2015
http://arstechnica.com/tech-policy/2015/11/feds-bugged-steps-of-silicon-valley-courthouse/

Defense claims covert recordings violated Constitution, moves to have them
thrown out.

Defense attorneys have asked a federal judge to throw out more than 200
hours of conversations FBI agents recorded using hidden microphones planted
near the steps of a county courthouse in Silicon Valley.

The lawyers are representing defendants accused of engaging in an illicit
real estate bid-rigging and fraud conspiracy.  The steps to the San Mateo
County courthouse are frequently the scene of public auctions for foreclosed
homes.  Federal prosecutors have admitted that on at least 31 occasions in
2009 and 2010, FBI agents used concealed microphones to record auction
participants as they spoke, often in hushed voices with partners, attorneys,
and others.  Because the federal agents didn't obtain a court order, the
defense attorneys argue the bugging violated Constitutional protections
against unreasonable searches and seizures.

In a court brief filed Friday in the case, attorneys wrote:

http://ia601404.us.archive.org/35/items/gov.uscourts.cand.281645/gov.uscourts.cand.281645.58.0.pdf

  It bears repeating that this particular public place was immediately
  outside a courthouse. Defendants' expectation that discreet conversations
  outside a courthouse would remain private is surely one that society is
  prepared to recognize as reasonable.  Private affairs are routinely
  discussed as citizens, their lawyers, and even judges walk to and from
  court, and lawyers often take clients aside outside the courthouse for
  privileged conversations.  Common experience and everyday expectations
  teach that individuals frequently have private conversations near the
  courthouse despite the public's access to this location, and expect that
  such conversations are not subject to the type of dragnet electronic
  eavesdropping that took place in this case.

A metal sprinkler box, a planter box and nearby vehicles

According to the filing, agents planted eavesdropping devices in at least
three locations: a metal sprinkler box attached to a wall near the
courthouse entrance, a large planter box to the right of the courthouse
entrance, and vehicles parked on the street in front of the courthouse
entrance.  All three areas are locations where people have a reasonable
expectation to have private conversations and where lawyers and clients
could reasonably be expected to have privileged conversations, the defense
argued.

According to the court filing:

  Generally, the recording devices were activated more than an hour before
  the auctions began, and they would run for a period of time after the
  auctions had concluded.  Some of the devices intercepted every
  communication that occurred in their vicinity over a period of more than
  five hours.  For example, the Government recorded individuals having
  private conversations on their cellphones in an area away from the
  auctions.  In one instance, the Government was able to capture an alleged
  co-conspirator talking on his cell phone with the other party to the call
  partially audible through the cellphone's receiver.  And the Government
  repeatedly hid an eavesdropping device immediately adjacent to the spot
  where one of the bidders usually set up a chair from which he conducted
  business and communicated with his joint venture partners.  These
  recordings captured far more than just the bids and public pronouncements
  that were made during the auctions.

  The surreptitious recording came in addition to a confidential informant
  and undercover agent who were regularly on the steps monitoring the
  auctions.  The FBI's decision to covertly record conversations those
  individuals couldn't hear is tacit admission the intercepted
  communications were private for purposes of the Fourth Amendment, the
  brief argued.

It's unclear when US District Judge Charles R. Breyer will rule on the
motion.  The court challenge was reported earlier by *The Recorder*.


When TV Turns Itself Off

Monty Solomon <monty@roscom.com>
Wed, 18 Nov 2015 09:00:08 -0500
When terrorists strike, television networks respond, sometimes sensitively
and other times perhaps unnecessarily.
http://www.nytimes.com/2015/11/18/arts/television/after-bloodshed-tv-can-be-cathartic-or-insensitive.html


CMU cybersecurity warrant canary dies

Henry Baker <hbaker1@pipeline.com>
Wed, 18 Nov 2015 13:05:15 -0800
FYI—Translation: $1 million from the FBI—we only wish!

"The university ... complies with lawfully issued subpoenas and *receives no
funding for its compliance*."

CMU,18 Nov 2015
https://www.cmu.edu/news/stories/archives/2015/november/media-statement.html

MEDIA STATEMENT

There have been a number of inaccurate media reports in recent days
regarding Carnegie Mellon University's Software Engineering Institute work
in cybersecurity.

Carnegie Mellon University includes the Software Engineering Institute,
which is a federally funded research and development center (FFRDC)
established specifically to focus on software-related security and
engineering issues.  One of the missions of the SEI's CERT division is to
research and identify vulnerabilities in software and computing networks so
that they may be corrected.

In the course of its work, the university from time to time is served with
subpoenas requesting information about research it has performed.  The
university abides by the rule of law, complies with lawfully issued
subpoenas and receives no funding for its compliance.

CMU NEWS, 5000 FORBES AVENUE, PITTSBURGH, PA 15213, (412) 268-2900


Carnegie Mellon denies it was paid to help the FBI crack Tor

Dewayne Hendricks <dewayne@warpspeed.com>
November 18, 2015 at 7:39:15 PM EST
  [Re: Tor Users Matter, RISKS-29.09]

Ashley Carman, *The Verge*, 18 Nov 2015 (via Dave Farber)
It might have done the FBI's work for free, though
http://www.theverge.com/2015/11/18/9757904/Carnegie-Mellon-Tor-Anonymous-Research

Following reports it was paid $1 million to crack anonymous browser Tor for
the FBI, Carnegie Mellon University has denied any wrongdoing. Kind of.

While the university says there has been a number of "inaccurate media
reports" surrounding its cybersecurity research, it also clarified that it
occasionally receives subpoenas for its researchers' work and is legally
obligated to turn over information and findings for free. "The university
abides by the rule of law, complies with lawfully issued subpoenas and
receives no funding for its compliance," the school said. Tor wrote in a
post this past week that more than a year ago, it discovered a publicly
known vulnerability in its browser, one that could de-anonymize users.
Information collection went on for approximately half a year, from early
February to July 4th of 2014.

The university's wording suggests it's only dismissing The Tor Project's
claims that it accepted $1 million from the FBI—not that it disclosed
research that led to the unmasking of possible criminal users. In its
original post from this past week, Tor said it doubted the FBI would have
received a valid warrant because the research and vulnerability exploitation
was not "narrowly tailored to target criminals or criminal activity, but
instead appears to have indiscriminately targeted many users at once." It
also said, if proven true, this attack and fruitful law enforcement /
university relationship would set a "troubling precedent."

We teach law enforcement agents that they can use Tor to do their
investigations ethically, and we support such use of Tor—but the mere
veneer of a law enforcement investigation cannot justify wholesale invasion
of people's privacy, and certainly cannot give it the color of legitimate
research, the blog post says.


On Fake Instagram, a Chance to Be Real

Monty Solomon <monty@roscom.com>
Wed, 18 Nov 2015 08:29:45 -0500
Weary of staging their lives for social media, young people are presenting
their true selves on locked instagram accounts.

http://www.nytimes.com/2015/11/19/fashion/instagram-finstagram-fake-account.html


Re: My first purchase with a chipped card (RISKS-29.10)

"John Levine" <johnl@iecc.com>
17 Nov 2015 21:25:55 -0000
This would be a good time to actually read some of the material the previous
article linked to.  The problem isn't mag stripes, it's poor implementations
of EMV specs, "tamper resistant" terminals you can open up with a
strategically placed paper clip, and threats they hadn't anticipated like
terminals being modified in the warehouse on the way from the manufacturer
to the merchant.

Please report problems with the web pages to the maintainer

Top