The RISKS Digest
Volume 29 Issue 14

Wednesday, 2nd December 2015

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

NTSB: Controllers, Software Complicit In Wrong-Runway Landings
Aviation Week via Steve Golson
Database Error Complicit In Turkish Airlines Landing Accident
Steve Golson
Software Cut Off Fuel Supply In Stricken A400M
Steve Golson
Everyone is lying about the downed Russian jet
Motherboard
Tech fails led to 'Spooky' strike on Drs Without Borders hospital
Sean Gallagher
One-person one-vote principle in Texas
Voting News Weekly
Hacking in Argentina
Nicole Perlroth
China accused of hacking Australian Bureau of Meteorology and more
IBTimes
Hello Barbie can spy for crooks
*The Guardian*
VTech hacker exposes the personal information of more than 200,000 kids and millions of parents
Lorenzo Franceschi-Bicchierai
Google Maps hacked to show "Kalusunan" instead of Luzon
Dan Jacobson
Embedded vulnerability
Sec-Consult & Carnegie CERT/CC
MagSpoof disables chip and pin
Help Net
Electrical incompatibility
Android
Cops complain about civilian encryption use, but conduct tactical ops in the clear
NNSquad
After Paris attacks, US politics shift on government phone data collection; Rubio sees opening
AP
L.A. License Plate Readers proposed for john-shaming
Nick Selby
The Serial Swatter
NYTimes
UK ISP boss points out massive technical flaws in Investigatory Powers Bill
Ars Technica
Reply@not.possible? For how long?
Dan Jacobson
Re: The Right to Tinker With Cars' Software
Steve Lamont
Info on RISKS (comp.risks)

NTSB: Controllers, Software Complicit In Wrong-Runway Landings

Steve Golson <sgolson@trilobyte.com>
Sat, 28 Nov 2015 09:06:54 -0500
http://aviationweek.com/commercial-aviation/ntsb-controllers-software-complicit-wrong-runway-landings

In the Atlas incident, the Boeing 747-400LCF set up for a GPS approach to
Runway 19L at McConnell Air Force Base near Wichita, Kansas, but ultimately
landed on the 6,100-ft.-long Runway 18 at the Col. James Jabara general
aviation airport, 8 nautical miles short of McConnell's 12,000-ft.-long
runway.  While the MSAW [minimum safe altitude warning] system was active,
the software was programmed so as to not distinguish between nearby airports
and the correct airport, and did not issue an alert even though the 747 was
well below the approach path to McConnell.

In the Southwest incident, the pilot was on approach to the Branson Airport
in Missouri, but was mistakenly redirected to the Downtown Airport, 6
nautical miles short of the intended destination—using up all but the
last 629 feet of a much shorter runway than anticipated.  [PGN-ed; the
article mentions proposed remediation would have controllers withhold
landing clearance until nearby airports have been passed.]


Database Error Complicit In Turkish Airlines Landing Accident

Steve Golson <sgolson@trilobyte.com>
Sat, 28 Nov 2015 07:52:44 -0500
http://aviationweek.com/blog/database-error-complicit-turkish-airlines-landing-accident

... the pilots let the autopilot continue the approach until 14 ft. above
the ground, where presumably they finally saw the runway and attempted to
flare the aircraft a bit too late – it hit the runway with a vertical
acceleration of 2.7G. A hard landing on centerline is one thing, but this
A330’s nose wheel was offset 85 ft. to the left of the centerline ...

... what put the A330 far off centerline—and pretty much in the exact
location of the faulty runway end coordinates, thanks to the advanced
navigation and automation systems on modern aircraft like the A330—were
some very important missing digits in the degrees, minutes and seconds
marking the latitude and longitude of the runway end. Missing were the three
digits to the right of the decimal point of the seconds field.
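The following is an added worked example, not part of the post or of the *Aviation Week* article, showing why three missing fractional digits in a seconds field matter. It parses a runway-end coordinate written as degrees, minutes and seconds, rejects a record whose seconds field lacks the required decimals, and measures how far a truncated record moves the point. The coordinate is constructed for illustration (it is not the incident's runway), and the Earth-radius constant is a mean-sphere approximation.

```python
import math
import re

EARTH_RADIUS_M = 6_371_000.0   # mean Earth radius; adequate for distances of a few metres
FT_PER_M = 3.280839895

# Constructed sample runway-end coordinate (not the coordinates from the incident).
SAMPLE_LAT = "41 15 23.850 N"
SAMPLE_LON = "28 44 41.620 E"

# DDD MM SS[.fff] H  -- group 4 captures the fractional seconds digits, if any
_DMS_RE = re.compile(r"^\s*(\d{1,3})\s+(\d{1,2})\s+(\d{1,2}(?:\.(\d+))?)\s*([NSEW])\s*$")


def parse_dms(text, min_decimals=3):
    """Parse 'DD MM SS.sss H' into signed decimal degrees.

    Rejects a record whose seconds field carries fewer fractional digits than
    required, which is the shape of the defect the article describes."""
    m = _DMS_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised DMS coordinate: {text!r}")
    deg, minutes, seconds, frac, hemi = m.groups()
    decimals = len(frac) if frac else 0
    if decimals < min_decimals:
        raise ValueError(
            f"seconds field {seconds!r} has {decimals} fractional digits, need {min_decimals}")
    value = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return -value if hemi in "SW" else value


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two decimal-degree positions."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def truncate_seconds(text):
    """Model the database defect: drop the digits after the decimal point of the seconds."""
    return re.sub(r"(\d)\.\d+(\s*[NSEW])", r"\1\2", text)


def arcsecond_m():
    """Ground distance covered by one second of latitude (about 30.9 m, roughly 101 ft)."""
    return EARTH_RADIUS_M * math.radians(1 / 3600)


def truncation_error_m(lat_dms, lon_dms):
    """Metres between the full-precision position and the one a truncated record yields."""
    lat_ok, lon_ok = parse_dms(lat_dms), parse_dms(lon_dms)
    lat_bad = parse_dms(truncate_seconds(lat_dms), min_decimals=0)
    lon_bad = parse_dms(truncate_seconds(lon_dms), min_decimals=0)
    return haversine_m(lat_ok, lon_ok, lat_bad, lon_bad)


if __name__ == "__main__":
    err = truncation_error_m(SAMPLE_LAT, SAMPLE_LON)
    print(f"truncated record is off by {err:.1f} m ({err * FT_PER_M:.0f} ft)")
    try:
        parse_dms(truncate_seconds(SAMPLE_LAT))
    except ValueError as exc:
        print("validation rejects the truncated record:", exc)
```

For the constructed coordinate the truncated record lands about 30 m (roughly 98 ft) from the true point, the same order as the 85 ft offset quoted above; a single second of latitude is about 31 m, so a seconds field without decimals can never locate a runway end to better than that. The precision check is the cheap defence: a navigation database import that refuses records with too few fractional digits would have flagged the entry before any aircraft flew it.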


Software Cut Off Fuel Supply In Stricken A400M

Steve Golson <sgolson@trilobyte.com>
Sat, 28 Nov 2015 09:09:54 -0500
http://aviationweek.com/defense/software-cut-fuel-supply-stricken-a400m

The crash of an Airbus A400M airlifter that killed four people on May 9 may
have been caused by new software that cut off the engine-fuel supply,
industry sources have said.

Sources have told *Aviation Week* that aircraft MSN23, destined for Turkey,
featured new software that would trim the fuel tanks, allowing the aircraft
to fly certain military maneuvers.


Everyone is lying about the downed Russian jet

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 29 Nov 2015 10:31:57 PST
http://motherboard.vice.com/read/belgian-physicists-calculate-that-everyone-is-lying-about-the-downed-russian-jet


Tech fails led to 'Spooky' strike on Drs Without Borders hospital (Sean Gallagher)

Henry Baker <hbaker1@pipeline.com>
Tue, 01 Dec 2015 09:34:59 -0800
FYI—[Note to self: mark home in large letters with *infrared visible*
paint, so that "Santa Claus" can find it in the dark.]

"Since it was night, and the aircrew was working from infrared video, they
were *unable to see the markings* on the building identifying it as a
hospital."

Sean Gallagher, 30 Nov 2015
How tech fails led to Air Force strike on MSF's Kunduz hospital
Sensor and network failures put crosshairs on the wrong target.
http://arstechnica.com/information-technology/2015/11/how-tech-fails-led-to-air-force-strike-on-msfs-kunduz-hospital/

On November 25, General John F. Campbell, the commander of US Forces in
Afghanistan, announced the findings of an initial investigation into the air
strike by an Air Force AC-130 gunship that hit a Médecins Sans Frontières
(MSF, or Doctors Without Borders) trauma center in Kunduz, Afghanistan on
October 3.  The strike—in which the AC-130 attacked using its onboard
cannon, killing 30 patients and members of the MSF hospital staff and
injuring another 34—lasted nearly a half-hour.

Campbell called the strike "a tragic, but avoidable accident caused
primarily by human error."  But among the secondary factors cited in the
report, he noted, there were several contributing technical failures,
including a networking failure that could have provided information that
would have prevented the mistaken targeting of the hospital.  Furthermore,
information systems available to the command responsible for the aircraft
failed to alert those on duty in the operations center that the target
selected by the aircraft was on a no-strike list.

http://www.defense.gov/News/News-Transcripts/Transcript-View/Article/631359/department-of-defense-press-briefing-by-general-campbell-via-teleconference-fro


One-person one-vote principle in Texas (The Voting News Weekly)

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 29 Nov 2015 12:18:03 PST
The Voting News Weekly, 29 Nov 2015

The Supreme Court's docket is crowded with voter redistricting disputes this
term, including a Texas case that could redefine the principle of "one
person, one vote". State redistricting battles continue in Florida and North
Carolina. Georgia Secretary of State Brian Kemp plans to hire top auditing
agency Ernst & Young to review his technology department in the wake of a
data breach that exposed private information of more than 6 million
voters. Supreme Court Justice Anthony M. Kennedy ordered officials in Hawaii
not to count ballots or name the winners of an election there in which only
people of native Hawaiian ancestry could vote. Weeks before he leaves
office, Kentucky Governor Steven Beshear issued an executive order that
immediately granted the right to vote to about 140,000 nonviolent felons who
have completed their sentences. Violent protest erupted in Haiti after
results were announced for a run-off election that international observers
say was marred by systemic fraud, voter confusion and intimidation, and in
some areas disenfranchisement, while Pakistan has abandoned plans to offer
Internet voting to overseas voters.

More: http://thevotingnews.com/tvn-weekly-11292015/

[See Data breach in Georgia could affect 6 million voters, RISKS-29.12.  PGN]


Hacking in Argentina (Nicole Perlroth)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 30 Nov 2015 10:12:05 PST
Want to learn how to break into the computerized heart of a medical device
or an electronic voting machine? Maybe a smartphone or even a car?  Thanks
to the legacy of military rule and a culture of breaking rules of all sorts,
Argentina has become one of the best places on earth to find people who
could show you how.

http://www.nytimes.com/2015/12/01/technology/in-a-global-market-for-hacking-talent-argentines-stand-out.html?_r=0


China accused of hacking Australian Bureau of Meteorology and more

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 2 Dec 2015 12:01:05 PST
Australia's largest supercomputer was hacked, linked to other government
agencies as well.  Multiple sources.  A good place to start might be
http://www.ibtimes.com/china-accused-massive-hack-australias-bureau-meteorology-attack-could-impact-other-2207298


Hello Barbie can spy for crooks (*The Guardian*)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Thu, 26 Nov 2015 23:15:24 -0600
WiFi Hello Barbie is a toy doll with conversations with children.  It
connects with Mattel and ToyTalk to get upgrades of various kinds, such as
improving speech recognition state-of-art.  It has great educational
potential to aid child development, provided it is not taken over by crooks.
It is hackable.  What hackers can do:

* Spy on children, their home, and everywhere the child goes, with
  audio surveillance.

* Over-ride privacy features, communicate directly with the child.

* Take over the home's wifi network, of other Internet of Things.

* Access the doll's system information, account information, stored audio
  files, and direct access to the microphone.

http://www.msn.com/en-us/news/technology/hackers-can-hijack-wi-fi-hello-barbie-to-spy-on-your-children/ar-AAfGyq6
http://www.nbcchicago.com/investigations/WEB-10p-pkg-Surveillance-Toy_Leitner_Chicago-353434911.html
http://time.com/3740348/privacy-group-eavesdropping-wifi-barbie-is-seriously-creepy/
http://www.nytimes.com/2015/03/29/technology/a-wi-fi-barbie-doll-with-the-soul-of-siri.html?_r=0


VTech hacker exposes the personal information of more than 200,000 kids and millions of parents (Lorenzo Franceschi-Bicchierai)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Fri, 27 Nov 2015 16:25:50 -0700
Lorenzo Franceschi-Bicchierai, *Motherboard*, 27 Nov 2015
One of the Largest Hacks Yet Exposes Data on Hundreds of Thousands of Kids

The personal information of almost 5 million parents and more than 200,000
kids was exposed earlier this month after a hacker broke into the servers of
a Chinese company that sells kids toys and gadgets, Motherboard has learned.

The hacked data includes names, email addresses, passwords, and home
addresses of 4,833,678 parents who have bought products sold by VTech, which
has almost $2 billion in revenue. The dump also includes the first names,
genders and birthdays of more than 200,000 kids.

http://motherboard.vice.com/read/one-of-the-largest-hacks-yet-exposes-data-on-hundreds-of-thousands-of-kids

  [Includes a huge list of what was released.  PGN]


Google Maps hacked to show "Kalusunan" instead of Luzon

Dan Jacobson <jidanni@jidanni.org>
Sat, 28 Nov 2015 00:41:30 +0800
Holy smokes, Google Maps has been hacked to show "Kalusunan" instead of Luzon!

We're talking about the fourth most populous island in the world, right
behind Great Britain. It's the main island of the Philippines.
https://www.google.com/maps/@16,121,4z
http://maps.googleapis.com/maps/api/staticmap?size=340x340&markers=Luzon+Island&zoom=4

Hmmm, their Feedback tool is of course broken.
I know, I'll just ummm, email all the newspapers in the Philippines...
No this time I don't think I blew it again:
https://www.google.com/search?q=Kalusunan
About 2,180 results
https://www.google.com/search?q=Luzon
About 19,600,000 results


Embedded vulnerability (Sec-Consult & Carnegie CERT/CC)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Fri, 27 Nov 2015 14:04:42 -0600
At least 4 million embedded devices, exposed on the Internet, from some 50
manufacturers, share the same hard-coded X.509 certificate.

This impacts

 * 3.2 million Secure HTTPS hosts, or 9% of the web, and

 * 0.9 million Secure SSH hosts, or 6% of them.

 * An unknown volume of vulnerable devices are not directly connected to
   the Internet, but are on local area networks, where if someone is able
   to penetrate the network, they can also penetrate the vulnerable devices.

 * Possibly more at risk, not yet uncovered.

The firmware is of smart phones, routers, IP cameras, VoIP phones, modems,
wifi gateways, networking gear, PCs, Internet of Things, etc.  Many devices
are exposed to the web by vendor choice, without user awareness.

http://www.kb.cert.org/vuls/id/566724

Vendors include: ADB, AMX, Actiontec, Adtran, Alcatel-Lucent, Alpha
Networks, Aruba Networks, Aztech, Bewan, Busch-Jaeger, CTC Union, Cisco,
Clear, Comtrend, D-Link, Deutsche Telekom, DrayTek, Edimax, General Electric
(GE), Green Packet, Huawei, Infomark, Innatech, Linksys, Motorola, Moxa,
NETGEAR, NetComm Wireless, ONT, Observa Telecom, Opengear, Pace, Philips,
Pirelli, Robustel, Sagemcom, Seagate, Seowon Intech, Sierra Wireless, Smart
RG, TP-LINK, TRENDnet, Technicolor, Tenda, Totolink, Unify, UPVEL, Ubee
Interactive, Ubiquiti Networks, Vodafone, Western Digital, ZTE, Zhone and
ZyXEL.

There may be more.  Stefan Viehböck @ Sec-Consult was able to access
firmware images of more than 4,000 embedded devices of over 70 vendors, and
found this much trouble.  Perhaps if more firmware was available for study,
research might find more with similar problems.

Typically a certificate is issued to 1 person, or one company, for 1
purpose.  It is written into software sold to other companies, as a template
of what works.  Those other companies bake the software into their firmware
without getting certificates unique to their company, devices, models, nor
provide other security standards to block unwanted access.  Even more
companies incorporate the hardware in other devices, without any thought to
the security needs of end customers.

This reality can be exploited by a remote, unauthenticated attacker to carry
out impersonation, man-in-the-middle, or passive decryption attacks.  Find
how to access one device, legally purchased, and now in theory able to
access many thousands more, deliver fake updates with malware.

Some vendors plan to fix this.  While waiting, users can manually replace
X.509 certificates, or SSH host keys, with unique ones (if they know how,
and if the device permits this).  It might be wise to seek clarification
from manufacturers of all your embedded devices, whether you are still on
maintenance support with them, or not.

Other solution ideas, and how come millions of devices, on the web, using
identical certificates.

http://blog.sec-consult.com/2015/11/house-of-keys-industry-wide-https.html
http://www.net-security.org/secworld.php?id=19159
http://www.itworld.com/article/3009142/millions-of-embedded-devices-use-the-same-hard-coded-ssh-and-tls-private-keys.html
http://www.theregister.co.uk/2015/11/26/lazy_iot_skeleton_keys/
http://www.forbes.com/sites/thomasbrewster/2015/11/25/encrypted-routers-cameras-vulnerabilties-cisco-huawei-motorola/
https://www.sec-consult.com/download/certificates.html
https://www.sec-consult.com/download/ssh_host_keys.html
https://scans.io/
https://scans.io/series/ssh-rsa-full-ipv4
https://scans.io/study/sonar.ssl
https://censys.io/
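An added audit example, not part of this post nor of SEC Consult's own tooling: the practical check for the problem described above is to collect the host keys (or certificates) your own devices present and look for any that more than one device shares. The code below takes known_hosts-style lines, computes the same SHA256 fingerprint that ssh-keygen -l prints, and reports every fingerprint presented by more than one host. The sample scan is constructed, with pseudo-random moduli rather than real RSA keys, since the fingerprint depends only on the key-blob bytes; the same grouping works for TLS by hashing each DER certificate instead of the SSH key blob.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, with a 0x00 prefix if the high bit is set."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def encode_rsa_public_blob(e: int, n: int) -> bytes:
    """Wire-format ssh-rsa public key, i.e. the bytes behind the base64 field in known_hosts."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprint_sha256(blob: bytes) -> str:
    """Same form ssh-keygen -l prints: SHA256 over the key blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str):
    """Yield (host, declared_keytype, blob) for each 'host keytype base64 [comment]' line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, keytype, b64 = parts[0], parts[1], parts[2]
        yield host, keytype, base64.b64decode(b64)


def blob_keytype(blob: bytes) -> str:
    """Key type embedded in the blob itself (its first RFC 4251 string)."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def find_shared_host_keys(text: str):
    """Return {fingerprint: [hosts]} for every key presented by more than one host.
    Lines whose declared key type disagrees with the blob are skipped as malformed."""
    hosts_by_fp = defaultdict(list)
    for host, keytype, blob in parse_known_hosts(text):
        if blob_keytype(blob) != keytype:
            continue
        hosts_by_fp[fingerprint_sha256(blob)].append(host)
    return {fp: hosts for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


# --- constructed sample data ------------------------------------------------
# The moduli are pseudo-random 2048-bit integers, not real RSA keys; the
# fingerprint only depends on the blob bytes, so they serve for the demo.
def _fake_modulus(label: bytes) -> int:
    return int.from_bytes(hashlib.sha256(label).digest() * 8, "big") | (1 << 2047)


SHARED_N = _fake_modulus(b"constructed: key baked into a vendor SDK")
UNIQUE_N = _fake_modulus(b"constructed: key generated on first boot")


def _line(host: str, n: int) -> str:
    return f"{host} ssh-rsa {base64.b64encode(encode_rsa_public_blob(65537, n)).decode()}"


SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed fleet scan: three devices, two ship the same vendor key",
    _line("router-a.example", SHARED_N),
    _line("camera-b.example", SHARED_N),
    _line("gateway-c.example", UNIQUE_N),
])

if __name__ == "__main__":
    for fp, hosts in find_shared_host_keys(SAMPLE_KNOWN_HOSTS).items():
        print(f"{fp} is presented by {len(hosts)} hosts: {', '.join(hosts)}")
```

Feeding real data in is a matter of running ssh-keyscan against your own address ranges and passing its output to find_shared_host_keys; any fingerprint listed for two or more devices is a key that was never unique to either of them, and those are the devices on which the host key (or certificate) should be regenerated, as the post suggests, where the device allows it.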


MagSpoof disables chip and pin (Help Net)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Thu, 26 Nov 2015 18:45:17 -0600
MagSpoof device can wirelessly spoof credit cards/magstripes, disable
chip-and-PIN protection, predict credit card number and expiration date of
Amex cards after they have reported stolen or lost.

http://www.net-security.org/secworld.php?id=19155


Electrical incompatibility (Android)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Fri, 27 Nov 2015 01:15:37 -0600
There are multiple potential problems.

* Many people buy what is cheapest, not what is safest, ignoring industry
  standards like UL or CE.  Should such risky devices even be available for
  consumer sales?

* UL = Underwriter Laboratories http://www.ul.com electrical safety
  standard.

* CE = European standard for health, safety and environmental requirements
  ensuring consumer and workplace safety.

* http://www.batteryspace.com/ul-ce-emc-fcc-and-csa.aspx

* One Plus website is selling USB Type-C cables and adaptors which are not
  up to the real USB Type-C standard.

* So if someone has a 3A power source, without relevant UL CE CCC logo, in
  combination with the OnePlus 3A, they could get a damaged power source.

OnePlus is offering refunds through its web site for some North American
customers. There are strings attached, so check out the details.

http://androidcommunity.com/oneplus-type-c-usb-cables-not-compatible-with-some-3rd-party-chargers-20151126/

http://www.techtimes.com/articles/111171/20151127/oneplus-offers-refunds-for-incompatible-usb-type-c-cable-but-won-t-replace-it.htm


Cops complain about civilian encryption use, but conduct tactical ops in the clear (NNSquad)

Lauren Weinstein <lauren@vortex.com>
Sat, 28 Nov 2015 15:35:42 -0800
https://plus.google.com/+LaurenWeinstein/posts/aHwCRdZg8mt

It appears that most or all of the local authorities' tactical discussions
during the Colorado Springs domestic terrorism attack yesterday were
completely in the clear where scanners and online scanner monitors could hear
them.  Those channels are fascinating to be sure, but hey, guys, the crooks
and murdering domestic terrorists can listen to them too!  Get your damned
systems into the encrypted late 20th century, already.  Law enforcement
bitches about civilian use of crypto, then conducts their critical
operations totally unencrypted.  These were *exactly* the kinds of
discussions that would have been most useful to a shooter or other domestic
terrorist in such situations.


After Paris attacks, US politics shift on government phone data collection; Rubio sees opening (AP item via NNSquad)

Lauren Weinstein <lauren@vortex.com>
Fri, 27 Nov 2015 08:28:26 -0800
http://www.newser.com/article/942c0314e6aa400b8125097943b79828/after-paris-attacks-us-politics-shift-on-government-phone-data-collection-rubio-sees-opening.html

  At the same time, a *Washington Post* poll conducted after the Paris
  attacks showed a jump in the percentage of voters favoring investigating
  terrorist threats over protecting personal privacy: 72 percent said the
  government should investigate threats even at the cost of personal
  privacy, and 25 percent said the government shouldn't intrude on personal
  privacy, even if that limits its investigatory abilities.

I will quote from my 2013 blog entry: "Why Edward Snowden May Be the Wackos'
Dream Come True" ( http://lauren.vortex.com/archive/001047.html ) - "And
given one major (or perhaps even minor) new successful terrorist attack, you
can bet that we will move backwards in terms of civil liberties at an
enormous rate, even though this will not stop terrorism, and will help the
terrorists succeed in destroying our country's greatest ideals from within."


L.A. License Plate Readers proposed for john-shaming

Henry Baker <hbaker1@pipeline.com>
Tue, 01 Dec 2015 18:30:03 -0800
[This "john"-shaming has] "the potentially chilling effect that [license
plate reader] technology has on freedom of association and freedom of
transportation."

[automatically] send to [each vehicle] owner a letter explaining that the
vehicle was seen in area known for prostitution.

I wonder whether a politician who happens to be "campaigning" [ahem] in such
an area would also receive these letters?

Nick Selby, *Medium*
Los Angeles Just Proposed the Worst Use of License Plate Reader Data in History.
https://medium.com/@nselby/los-angeles-just-proposed-the-worst-use-of-license-plate-reader-data-in-history-702c35733b50#.c9obzyurl


The Serial Swatter

Monty Solomon <monty@roscom.com>
Thu, 26 Nov 2015 13:32:38 -0500
http://www.nytimes.com/2015/11/29/magazine/the-serial-swatter.html

Internet trolls have learned to exploit our over-militarized police.
It's a crime that's hard to stop — and hard to prosecute.


UK ISP boss points out massive technical flaws in Investigatory Powers Bill (Ars Technica via NNSquad)

Lauren Weinstein <lauren@vortex.com>
Thu, 26 Nov 2015 11:55:26 -0800
http://arstechnica.com/tech-policy/2015/11/uk-isp-boss-points-out-massive-technical-flaws-in-investigatory-powers-bill/

  The head of the UK ISP Andrews & Arnold, Adrian Kennard, has pointed out a
  number of major technical issues with the proposed Investigatory Powers
  Bill (aka the Snooper's Charter).  Kennard and other representatives of
  the UK Internet Service Provider's Association (ISPA) met with the Home
  Office on Tuesday, where they presented a number of ethical, technical,
  and privacy related issues with the incoming new law. These issues, plus
  some of the Home Office's responses, can be found in written evidence
  (PDF) penned by Kennard.  Kennard's key point is that the Internet
  Connection Records, which lie at the heart of the UK government's
  proposals, are largely meaningless for most modern online services. He
  recounts that, in the Home Office briefing this week, the example of a
  girl going missing was used once more to illustrate why the authorities
  want to be able to see which services she accessed just before
  disappearing, in the same way that they can track her phone calls. But
  Kennard and the other ISPA members pointed out this example betrayed a
  lack of understanding of how the Internet works today.


reply@not.possible? For how long?

Dan Jacobson <jidanni@jidanni.org>
Fri, 27 Nov 2015 04:00:18 +0800
You know those messages you get with
Reply-To: reply@not.possible
@invalid..., etc.

Well one day when they open up all TLDs, all the bad guys need to do is
register the domains and set up mail systems, and voila, plenty of
misdirected mail with personal details...

They can even send a calming bounce message, while keeping a carbon copy...


Re: The Right to Tinker With Cars' Software

Steve Lamont
Fri, 27 Nov 2015 17:57:45 -0800
> Car owners in the United States can soon play Volkswagen engineer,
> courtesy of the federal government. [. . .]

Just to play Devil's Advocate for the moment, what happens when cars become
self-driving?  The notion of J Random Hacker "tinkering" with the
programming ought to (auto?) give one pause.

Of course, the notion of J Random Hacker behind the wheel of a
non-self-driving car should probably also give one pause.
