The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 28

Thursday 25 February 2016

Contents

Great Interview on Safety+Security
Braband/Harner via Peter Bernard Ladkin
"Volvo recalls 59,000 cars over software fault"
Martyn Thomas
Nissan Leaf vulnerable to unauthenticated queries
Jeremy Epstein
Gabe Goldberg
A 19-year-old made a free robot lawyer that has appealed $3 million in parking tickets
Leanna Garfield
Hacked mid-air while writing an Apple-FBI story
Steven Petrow via geoff goodfellow
Apple's external and internal messages about "FBI vs. Apple"
TechCrunch
Popular home security system SimpliSafe can be easily disabled by burglars
Lucian Constantin
Reporting Cyber Risks in USA
DHS via Al Mac
Is it time to consider key escrow again?
Tad Taylor
Robots Are Reading Trader Chats to Stop Next Wave of Bank Fines
Bloomberg
*WarGames* and Cybersecurity's Debt to a Hollywood Hack
NYTimes
N Korea nuke tests & the volcano
Al Mac
Trimble date problem
Tim Young via Donald B. Wagner
Re: KB 3123862 eerily resembles Microsoft's earlier Get Windows 10 patch
Jack Christensen
Re: NSA's TAO Head on Internet Offense and Defense
Rogier Wolff
Re: Doing University exams on computers?
Rogier Wolff
Info on RISKS (comp.risks)

Great Interview on Safety+Security (Braband/Harner)

Peter Bernard Ladkin <ladkin@rvs.uni-bielefeld.de>
Fri, 19 Feb 2016 11:33:18 +0100
Very nice commentary from Jens Braband and Andreas Harner on behalf of the IEC.

http://iec2016.org/index.php/it-security.html?utm_source=IEC+80th+General+Meeting+Frankfurt+2016&utm_campaignMa7ef374e-IT+Security&utm_medium=email&utm_term=0_6305786e7e-4da7ef374e-19961785

Let me emphasise John Knight's perennial point that standards may drive
certain engineering enterprise, as Jens makes clear is true in other fields
besides the perennial example of telecommunications, but we are shooting
ourselves in the foot if we can't refer to them in university teaching
because of the high-cost/restrictive-copyright ISO/IEC business model.


"Volvo recalls 59,000 cars over software fault"

Martyn Thomas <martyn@thomas-associates.co.uk>
Sat, 20 Feb 2016 18:00:06 +0000
http://www.bbc.co.uk/news/world-europe-35622753

"Swedish carmaker Volvo is recalling 59,000 cars across 40 markets over a
fault that can temporarily shut down the engine.  The software fault is
restricted to five-cylinder diesels from the 60 and 70 series constructed
from the middle of 2015.  Group spokesman Stefan Elfstrom told Associated
Press the fault could be "unpleasant" for drivers.  However, he said there
had been no recorded accidents as a result.

The glitch can shut down the engine and electrical system while the car is
in motion, but Mr Elfstrom said they would then both restart immediately.
The glitch had been reported by drivers of new Volvos who said the engine
could cut out without warning, creating a brief absence of steering and
braking."


Nissan Leaf vulnerable to unauthenticated queries

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Wed, 24 Feb 2016 11:54:09 -0500
Nissan Leaf (electric cars) seem to be vulnerable to a variety of attacks
through the telematics units, some of which are privacy related (e.g., the
status of the battery, all past trips you've made), and others can affect
the behavior (e.g., turn the heat on/off, which would affect driving range).

The specifics seem to differ from country to country, and it is not clear whether
Leafs (Leaves?) are vulnerable in all countries.  Nissan has been informed,
but has yet to announce any solutions.   [Leafs much to be desired? NOT? PGN]

The only thing you need to launch these attacks is the VIN, which is
relatively public information, or in the worst case can be discovered
through enumeration.

The Internet of Things is not necessarily your friend.

http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html?m=1


Nissan Leaf electric cars hack vulnerability disclosed (BBC News)

Gabe Goldberg <gabe@gabegold.com>
Thu, 25 Feb 2016 00:29:30 -0500
Some of Nissan's Leaf cars can be easily hacked, allowing their heating and
air-conditioning systems to be hijacked, according to a prominent security
researcher. ...

Mr Hunt said the root of the problem was that the firm's NissanConnect app
needed only a car's vehicle identification number (Vin) to take control.

The code is usually stenciled into a car's windscreen, making it relatively
easy to copy.

The initial characters of a Vin refer to the brand, make of car, and country
of manufacture/location of the firm's headquarters.

So, Mr Hunt said, it would only be the final numbers that varied between
different Nissan Leafs based in the same region.

"Normally it's only the last five digits that differ," he explained.

"There's nothing to stop someone from scripting a process that goes through
every 100,000 possible cars and tries to turn the air conditioning on in
every one.

"They would then get a response that would confirm which vehicles exist."

http://www.bbc.com/news/technology-35642749

What could ... Oh, never mind.   [Quoth the Maven ...?  PGN]

Gabriel Goldberg, Computers and Publishing, Inc.  gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042   (703) 204-0433
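
A defender-side illustration of the enumeration risk described in the two Nissan Leaf items above, added here and not taken from either post or from Nissan's service: it scans API access records and flags any client that touches many distinct VINs sharing one 12-character prefix. The record layout, the threshold, the IP addresses and the VIN prefix are all constructed assumptions.

```python
from collections import defaultdict

VIN_LENGTH = 17
SERIAL_DIGITS = 5          # BBC item: usually only the last five digits differ
PREFIX_LENGTH = VIN_LENGTH - SERIAL_DIGITS


def longest_consecutive_run(serials):
    """Length of the longest run of consecutive serial numbers."""
    best = run = 0
    previous = None
    for value in sorted(set(serials)):
        run = run + 1 if previous is not None and value == previous + 1 else 1
        best = max(best, run)
        previous = value
    return best


def find_vin_enumeration(records, max_distinct_vins=3):
    """Flag clients that query more distinct VINs under one prefix than an owner would.

    `records` is an iterable of (client_id, vin, http_status) tuples. That
    schema is an assumption for this example, not a real log format.
    """
    tried = defaultdict(set)       # (client, prefix) -> serial numbers requested
    confirmed = defaultdict(set)   # (client, prefix) -> serials answered with 200
    for client_id, vin, status in records:
        if len(vin) != VIN_LENGTH or not vin[PREFIX_LENGTH:].isdigit():
            continue               # malformed VIN: out of scope for this check
        key = (client_id, vin[:PREFIX_LENGTH])
        serial = int(vin[PREFIX_LENGTH:])
        tried[key].add(serial)
        if status == 200:
            confirmed[key].add(serial)

    findings = []
    for (client_id, prefix), serials in sorted(tried.items()):
        if len(serials) <= max_distinct_vins:
            continue               # an owner polling the same car repeatedly is fine
        findings.append({
            "client": client_id,
            "prefix": prefix,
            "distinct_vins": len(serials),
            "longest_run": longest_consecutive_run(serials),
            "vehicles_confirmed": len(confirmed[(client_id, prefix)]),
        })
    return findings


# Constructed sample data: documentation-range IPs and a made-up VIN prefix.
FAKE_PREFIX = "TESTVIN0000A"
SAMPLE_LOG = (
    [("198.51.100.20", FAKE_PREFIX + "04242", 200)] * 5      # one car, polled often
    + [("192.0.2.5", FAKE_PREFIX + "07001", 200),            # household with two cars
       ("192.0.2.5", FAKE_PREFIX + "07002", 200)]
    + [("203.0.113.7", f"{FAKE_PREFIX}{serial:05d}",         # sequential walk
        200 if serial in (103, 108) else 404) for serial in range(100, 112)]
)

if __name__ == "__main__":
    for finding in find_vin_enumeration(SAMPLE_LOG):
        print(finding)
```

Detection of this kind is only a backstop: the underlying problem reported in both items is that the VIN alone is enough to make the request.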


A 19-year-old made a free robot lawyer that has appealed $3 million in parking tickets (Leanna Garfield)

Gabe Goldberg <gabe@gabegold.com>
Wed, 24 Feb 2016 23:33:41 -0500
Leanna Garfield, *Business Insider*, 18 Feb 2016

A robot made by British programmer Joshua Browder, 19, handles questions
about parking-ticket appeals in the UK. Since launching in late 2015, it has
successfully appealed $3 million worth of tickets.

Browder's isn't even the first lawyer bot. The startup Acadmx's bot creates
perfectly formatted legal briefs. The company Lex Machina does data mining
on judges' records and makes predictions on what they will do in the future.

http://www.businessinsider.com/joshua-browder-bot-for-parking-tickets-2016-2

Washington, DC needs one of these. Good luck beating even the most
egregiously issued tickets there. But can a robot judge be far behind,
responding to the robot lawyer's missives? Robot appeals court judges?
Robot Supremes? Then, of course robot senators advising/consenting on the
code behind judges/justices. (Wait, don't we already have those senators
programmed to NOT advise/consent?)


Hacked mid-air while writing an Apple-FBI story (Steven Petrow)

geoff goodfellow <geoff@iconia.com>
Wed, 24 Feb 2016 08:52:28 -1000
*I got hacked mid-air while writing an Apple-FBI story*
*Steven Petrow, Special for USA TODAY*
12:44 p.m. EST February 24, 2016

“I don't really need to worry about online privacy,” I used to
think. “I've got nothing to hide. And who would want to know what I'm up
to, anyway?”

Sure, I'm a journalist, but I'm not an investigative reporter, not a
political radical, not of much interest to anyone, really.

That was last week, when the standoff between the FBI and Apple seemed much
more about principle than practice to me. That's when I thought I'd write a
column on whether this legal fight matters to regular folk—people like my
mother, a retired social worker; my best friend, who works in retail; or
even my 20-year-old niece in college. That was before I found out—in a
chillingly personal way—just why it does matter. To all of us.

Just before midnight last Friday, my plane touched down in Raleigh after a
three-hour flight from Dallas. As usual, I'd spent much of the flight
working, using American Airlines GoGo in-flight Internet connection to send
and answer emails. As I was putting on my jacket, a fellow in the row behind
me, someone I hadn't even noticed before, said: “I need to talk to you.” A
bit taken aback, I replied, “It's late—I need to get home.”

“You're a reporter, right?”

“Um, yes.”

“Wait for me at the gate.”

[I didn't answer, but I did wait.]

“How did you know I was a reporter?” I asked while we started walking.

“Are you interested in the Apple/FBI story?” he responded, ignoring my
question.

“Kind of. Why are you asking me that?” I thought he was some kind of creepy
mind reader.

Then he dropped the bombshell.

“I hacked your email on the plane and read everything you sent and
received. I did it to most people on the flight.”  He had verbatim detail
of a long email that he repeated back to me essentially word for word.

In fact, as Steve Nolan, GoGo's vice president of communications, told me,
the service is “public” and “operates in the same ways as most open Wi-Fi
hotspots on the ground.” He cautioned against “accessing sensitive
materials while in flight.”

One of my emails was pretty explicit about the focus of my story and I had
emailed Bruce Schneier, a security expert who had previously written in the
Washington Post about this very issue. [...]

http://www.usatoday.com/story/tech/columnist/2016/02/24/got-hacked-my-mac-while-writing-story/80844720/


Apple's external and internal messages about "FBI vs. Apple"

Lauren Weinstein <lauren@vortex.com>
Mon, 22 Feb 2016 11:44:52 -0800
Apple has released an external letter on this topic, at:
  http://www.apple.com/customer-letter/answers/

An internal email is also now being widely distributed. I don't like leaked
internal emails, but since it's now public all over the world and is
important, here's an associated story link:
  http://techcrunch.com/2016/02/22/in-employee-email-apple-ceo-tim-cook-calls-for-commission-on-interaction-of-technology-and-intelligence-gathering/

See also:
"FBI vs. Apple: A New Crypto Commission to Be Ignored?":
  http://lauren.vortex.com/archive/001156.html


Popular home security system SimpliSafe can be easily disabled by burglars (Lucian Constantin)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Thu, 18 Feb 2016 18:00:03 -0700
IDG News Service, Feb 18, 2016 7:37 AM

According to Andrew Zonenberg, a researcher with security consultancy
firm IOActive, attackers can easily disable SimpliSafe alarms from up
to 30 meters away, using a device that costs around $250 to create a
replay attack.

http://www.pcworld.com/article/3034956/hubs-controllers/popular-home-security-system-simplisafe-can-be-easily-disabled-by-burglars.html


Reporting Cyber Risks in USA (DHS)

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Fri, 19 Feb 2016 02:41:48 -0600
US DHS (Dept of Homeland Security) guidelines on how to share Cyber Threat
info.

* Report a cyber incident <https://www.us-cert.gov/forms/report?>

* Report a phishing incident <https://www.us-cert.gov/report-phishing>

* Report Malware and vulnerabilities to DHS by e-mail to cert@cert.org and
  soc@us-cert.gov.

I hope they have the capacity to handle the volume of people who may be
reporting problems.  There are places to which we can forward our spam,
share firewall logs of break-in attempts, and other threats.  I hope those
places share with DHS, so the millions of people getting the same attacks do
not need to individually report them to DHS.

I believe more people would report suspicious things if there was an app on
browser to click on when we see something that ought to be reported, then
pull down for us to select or key in what the problem appears to be.  At the
present time, I screen print the offending site, copy paste the url, then
walk that over to my local police station along with self-id, and ask that
it be faxed to FBI or Secret Service, because this looks to me like it is a
threat to National Security, or a mass shooting being planned, or some other
bad stuff.

Most phishing to me these days comes by telephone: call claiming to be

* from my bank, or credit card company, without identifying it, seeking PII
  info they should already have, if it is really them;

* from my health services company, without naming it, seeking PII info they
  should already have, if they are the real McCoy

* from a Windows Service Center following up on malware allegedly detected
  on my PC, I tell the caller to fix his resume & get out of there, since
  the FBI will be raiding your crooked employer any day now.

I don't consider these outfits to be in the same league as cyber security
threats, but they sure are threats.

http://www.dhs.gov/how-do-i/report-cyber-incidents
http://www.dhs.gov/cybersecurity-publications
http://www.bankinfosecurity.com/dhs-issues-guidance-on-how-to-share-cyberthreat-data-a-8877

DHS hopes individuals in the private sector will tip off gov to troubles gov
may have been oblivious to, then gov to turn around and warn more places.

Cyber Security Information Sharing Act (CISA) means people cannot be sued
for sharing such info with the government.

There might not be protection for whistle blower employees, reporting
company vulnerabilities, that employers did not give permission to reveal.

http://www.technewsworld.com/story/83127.html

http://www.nextgov.com/cybersecurity/2016/02/homeland-security-wants-see-something-say-something-campaign-internet/126008/


Is it time to consider key escrow again?

Tad Taylor <tad_taylor@ieee.org>
Fri, 19 Feb 2016 13:08:11 -0500
The situation involving Apple, the FBI, and the San Bernardino shooter's
iPhone does give me pause.  There are clearly conflicting requirements and a
meaningful discussion of the issues is warranted.  I can’t think of a better
forum than RISKS in which to start that discussion.  I assume that a
majority (possibly vast majority) of RISKS readers favor strong encryption
whenever encryption is deployed.  There are many valid reasons for this from
both a technological and societal perspective.  It's hard enough to get
right without purposefully weakening the implementation, real backdoors will
certainly be discovered and exploited by criminals or hostile nations, etc.
On the other hand, I think most would also agree that if the FBI could gain
access to the information on the iPhone in question without weakening anyone
else's overall security or privacy, that would be okay (perhaps they find
the passcode written down somewhere).

So, is there a middle ground?  It seems to me that key escrow has some
potential and should be considered.  I think the technical aspects are
straightforward enough that we can assume an implementation is possible (not
to say it's trivial, but I can imagine a solution).  The question becomes:
Is this a backdoor or a front door?  Imagine that we have a 3-of-5 key
escrow solution and key fragments are distributed to the EFF, Anonymous, the
court system, an entity designated by the owner (perhaps in a country with
strong privacy protections), and Apple (or other device manufacturer).  If
there's a lawful search warrant and three of these entities agree that the
warrant is *reasonable*, would we think that's okay?  I'm sure we can spin
anecdotes where people would generally think it's okay (dirty bomb about to
go off somewhere heavily populated).  There are also anecdotes where we'd
want the encryption to not be circumvented (e.g., whistle blowers to
Wikileaks).

Clearly, laws would have to be enacted to really enable this in a secure
fashion.  Key holders would have to be authorized to not provide keys when
they didn't feel the situation warranted it.  After all, the
court system can be abused.  Perhaps it could never be used for civil
matters (e.g., divorce, discovery).  As I think about this, I believe I'm
convincing myself that the legal and societal hurdles would be just too
much to overcome.  Still, I think it's worth consideration.

Comments? Flames?

  [There appears to be very little potential for a reasonable middle ground.
  Consider the realities: Almost all systems we use are *already* vulnerable
  and likely to remain so; the potential for egregious insider misuse is
  always going to be present; the Internet itself is a huge source of
  attacks (among many other arguments).  Worse yet, laws cannot enforce
  adequate pervasive computer-communication security.  Nor can technology.
  Nor can unenforceable policies.  PGN]
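
The 3-of-5 arrangement proposed above can be made concrete with Shamir's secret sharing, used here as a stand-in because the post names no specific scheme; this is an added example, not the author's design. The prime field and the 256-bit sample key are assumptions, and the five holder labels are shortened from the post.

```python
import secrets
from itertools import combinations

PRIME = 2**521 - 1   # Mersenne prime; the field must be larger than the secret

# Holder labels shortened from the post's list of five escrow agents.
HOLDERS = ["EFF", "Anonymous", "court system", "owner's designee", "manufacturer"]


def split_secret(secret, threshold, share_count):
    """Return share_count points on a random polynomial of degree threshold-1."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    if not 2 <= threshold <= share_count < PRIME:
        raise ValueError("need 2 <= threshold <= share_count")
    # coefficients[0] is the secret; the others are uniformly random.
    coefficients = [secret] + [secrets.randbelow(PRIME)
                               for _ in range(threshold - 1)]

    def evaluate(x):
        result = 0
        for coefficient in reversed(coefficients):   # Horner's rule
            result = (result * x + coefficient) % PRIME
        return result

    return [(x, evaluate(x)) for x in range(1, share_count + 1)]


def recover_secret(points):
    """Lagrange-interpolate at x = 0 through the given (x, y) points."""
    if len({x for x, _ in points}) != len(points):
        raise ValueError("duplicate share")
    secret = 0
    for i, (x_i, y_i) in enumerate(points):
        numerator = denominator = 1
        for j, (x_j, _) in enumerate(points):
            if i != j:
                numerator = (numerator * (-x_j)) % PRIME
                denominator = (denominator * (x_i - x_j)) % PRIME
        term = y_i * numerator * pow(denominator, -1, PRIME)
        secret = (secret + term) % PRIME
    return secret


def escrow_device_key(device_key):
    """Give each of the five holders one share; any three can rebuild the key."""
    shares = split_secret(device_key, threshold=3, share_count=len(HOLDERS))
    return dict(zip(HOLDERS, shares))


def count_recoveries(device_key, escrow, group_size):
    """Number of holder groups of the given size whose shares yield the key."""
    return sum(
        recover_secret([escrow[holder] for holder in group]) == device_key
        for group in combinations(HOLDERS, group_size)
    )


if __name__ == "__main__":
    key = secrets.randbits(256)          # constructed sample key
    escrow = escrow_device_key(key)
    for size in (2, 3, 4, 5):
        print(size, "holders:", count_recoveries(key, escrow, size), "groups recover the key")
```

The arithmetic only enforces the threshold; whether a holder should release its share for a given warrant is the policy question the post raises, and nothing in the code settles it.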


Robots Are Reading Trader Chats to Stop Next Wave of Bank Fines (Bloomberg)

Gabe Goldberg <gabe@gabegold.com>
Tue, 23 Feb 2016 14:39:00 -0500
Robots are automating yet another bank job: the task of sifting through
traders' messages to spot foul play, a process currently carried out by
legions of human employees.

To read the entire article, go to http://bloom.bg/1OsarSs

Easier to fool robots or legions of humans, I wonder. Seems robots will only
look for what's been described to them but savvy humans can say, "Hmmm, that
looks odd" about something they've never seen or heard described.


*WarGames* and Cybersecurity's Debt to a Hollywood Hack

Suzanne Johnson <fuhn@pobox.com>
February 21, 2016 at 1:44:41 PM EST
  [via Dave Farber]

... The film—starring Matthew Broderick as a tech-whiz teenager who
unwittingly hacks into the computer of the North American Aerospace Defense
Command (NORAD) and nearly sets off World War III—opened nationwide on
June 3.  The next night, President Ronald Reagan watched it at Camp
David. And that is where this strange story—culled from interviews with
participants and Reagan Library documents—begins.

The following Wednesday, back in the White House, Reagan met with his
national-security advisers and 16 members of Congress to discuss forthcoming
nuclear arms talks with the Russians. But he still seemed focused on the
movie.

At one point, he put down his index cards and asked if anyone else had seen
it. No one had, so he described the plot in detail. Some of the lawmakers
looked around the room with suppressed smiles or raised eyebrows. Three
months earlier, Reagan had delivered his Star Wars speech, imploring
scientists to build laser weapons that could shoot down Soviet missiles in
outer space. The idea was widely dismissed as nutty. What was the old man up
to now?

After finishing his synopsis, Reagan turned to Gen. John W. Vessey Jr., the
chairman of the Joint Chiefs of Staff, and asked: “Could something like
this really happen?”  Could someone break into our most sensitive
computers? General Vessey said he would look into it.

One week later, the general returned to the White House with his answer.
WarGames, it turned out, wasn't far-fetched. “Mr. President.  The problem
is much worse than you think.”

http://www.nytimes.com/2016/02/21/movies/wargames-and-cybersecuritys-debt-to-a-hollywood-hack.html


N Korea nuke tests & the volcano

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Sat, 20 Feb 2016 16:37:45 -0600
North Korea's underground nuclear tests are approx 72 miles from a volcano,
currently not active, which has had fierce eruptions in history.

What could go wrong?

In past posts, I have shared the topic of man-made earthquakes, thanks to
fracking waste waters, hydro-electric dams, and other activities.

http://www.nature.com/articles/srep21477
Study published by Nature magazine, that MSM is now illuminating, on the
risk that N Korean nuclear tests will cause this now dormant volcano to
become active again.

Here's where this is on the map:
http://mysteriousuniverse.org/2016/02/north-korean-nuclear-tests-could-trigger-volcano-eruption/

https://en.wikipedia.org/wiki/946_eruption_of_Paektu_Mountain
Wikipedia on how bad past eruptions have been.

N Korea has had a string of tests, progressively more powerful.  After prior
tests, scientists have detected a rise in Volcano temperature, and
speculated what that means.

The immediate negative beneficiaries, of the volcano erupting, would be
China & North Korea.  This mountain is sacred to the Korean religion.

China no doubt would pressure N Korea to stop the nuclear tests at that
site, a move no doubt welcomed by USA, Japan, S Korea, and other nations.

Remember how the 2010 volcanic eruption in Iceland made air travel in Europe
impractical for about a week?

What's down wind of this guy?  A portion of Russia, possibly Japan, then
over the Pacific Ocean.

According to Hiromitsu Taniguchi, a volcano expert from Tohoku University,
Mt. Baekdu erupted at least six times between the 14th and 20th centuries,
and every time it followed an earthquake in Japan.
https://www.rt.com/news/north-korea-nuclear-volcano-757/

Sometimes volcanic eruptions trigger additional aftershocks, and are blamed
for more trouble in the ring of fire.

Meanwhile, Japan has a nuclear power plant next to an active volcano.  What
consequences might come from that?

http://phys.org/news/2015-08-japan-nuclear-power-safe.html

Might this be the snowflake in Avalanche Chaos theory which brings down the
stock market?

  [So, what do the computer models suggest?  PGN]


Trimble date problem (Tim Young)

"Donald B. Wagner" <dbwagner@nias.ku.dk>
Thu, 25 Feb 2016 08:10:05 +0000
[This is from Tim Young on Facebook. I know nothing about it. Don Wagner]

I just realised that the issue I've been trying to solve for the last couple
of days was a lovely valentine's day gift from Trimble:

  TRIMBLE 4700/4800 GPS RECEIVERS WILL STOP WORKING PROPERLY STARTING
  FEBRUARY 14, 2016

  Summary

  On February 14, 2016, Trimble 4700 and 4800 GPS receivers, that are long
  obsolete and end of service, will start experiencing erratic and
  unreliable behavior for time and date reporting. As those receivers will
  interpret the GPS time in error by 1024 weeks, receiver data outputs will
  have the wrong time reference. This will negatively impact subsequent
  systems that are communicating with that receiver, including the rejection
  of data packages. Real-Time Kinematic (RTK) operation is not
  expected to continue working properly.

  Newer Trimble GPS/GNSS receiver types, including Trimble 5700/R5/R7/NetR9
  Geospatial/NetRS/NetR5, Trimble 5800/R2/R4/R6/R8/R8s/R10/R10LT with
  current firmware are not impacted by this.

  Resolution

  Unfortunately, there is no technical solution available for Trimble
  4700 and 4800 GPS receivers to correct this issue. For Trimble 4700/4800
  GPS receivers still in use, please work with the end-user on a receiver
  replacement solution towards a new or more recent GNSS receiver system.

Luckily someone has already developed a fix for this week bug (John
Hamilton)—http://www.terrasurv.com/fixweek/FixWeek.zip—since Trimble
has no motivation to do so. This affects both my 4700 base and 5800
rover... very frustrating.  And what they mean by stop working properly, is
that the time stamping of GPS files is now set back to July 1996...
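
The 1024-week error in the notice above follows from the 10-bit week number carried in the legacy GPS navigation message. The added example below (not Trimble's firmware and not part of the post) resolves that truncated week once with a fixed window and once against a trusted reference date. The pivot week 860 and the 2015 reference date are assumptions, the pivot chosen because it reproduces the dates given in the post.

```python
from datetime import date, timedelta

GPS_EPOCH = date(1980, 1, 6)   # start of GPS week 0
WEEK_MODULUS = 1024            # legacy navigation message: 10-bit week number


def full_gps_week(day):
    """Untruncated GPS week number containing the given calendar day."""
    return (day - GPS_EPOCH).days // 7


def broadcast_week(day):
    """The 10-bit week number a receiver actually sees on that day."""
    return full_gps_week(day) % WEEK_MODULUS


def week_start(full_week):
    """Calendar date on which a full GPS week begins."""
    return GPS_EPOCH + timedelta(weeks=full_week)


def resolve_with_fixed_pivot(week10, pivot_week):
    """Map week10 into the fixed window [pivot_week, pivot_week + 1023].

    This works for 1024 weeks after the pivot and then wraps back to it.
    """
    candidate = pivot_week - pivot_week % WEEK_MODULUS + week10
    if candidate < pivot_week:
        candidate += WEEK_MODULUS
    return candidate


def resolve_with_reference(week10, reference_day):
    """Pick the full week nearest to a trusted date (e.g. a set clock)."""
    reference = full_gps_week(reference_day)
    candidate = reference - reference % WEEK_MODULUS + week10
    if candidate - reference > WEEK_MODULUS // 2:
        candidate -= WEEK_MODULUS
    elif reference - candidate > WEEK_MODULUS // 2:
        candidate += WEEK_MODULUS
    return candidate


ASSUMED_PIVOT_WEEK = 860                  # assumption, see lead-in
ASSUMED_REFERENCE = date(2015, 6, 1)      # assumption: any trusted recent date


def compare(day):
    """(10-bit week, date via fixed pivot, date via reference) for one day."""
    week10 = broadcast_week(day)
    fixed = week_start(resolve_with_fixed_pivot(week10, ASSUMED_PIVOT_WEEK))
    hinted = week_start(resolve_with_reference(week10, ASSUMED_REFERENCE))
    return week10, fixed, hinted


if __name__ == "__main__":
    for day in (date(2016, 2, 13), date(2016, 2, 14)):
        print(day, compare(day))
```

Downstream systems that reject or mis-order data on timestamp, as the notice warns, see the fixed-window result; the reference-based resolver stays correct as long as the trusted date is within 512 weeks of the true one.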


Re: KB 3123862 eerily resembles Microsoft's earlier Get Windows 10 patch (RISKS-29:25)

Jack Christensen <christensen.jack.a@gmail.com>
Fri, 19 Feb 2016 18:22:55 -0500
At first I cursed my bad timing since I had just finished applying
maintenance to my Windows 8.1 system including the subject patch when I read
this RISKS item.  But it's been several days now and I have not seen any
recurrence of the "Get Windows 10" behavior.

This leads me to wonder whether I'm the only person that did not suffer ill
effects from KB3123862.  (Anyone?)

Some small verification would be appropriate before publishing items like
this in Risks.  Curiously, the InfoWorld article makes allegations but cites
no actual occurrences.  Indeed, it closes with the statement, "As a matter
of fact, at this point nobody seems to have any idea what it does."

There's already more FUD available on the web than most of us can enjoy and
I'd hope that RISKS could aspire to a higher standard than "eerie
resemblance".  I'm not necessarily suggesting that submitters of items to
Risks be responsible for verification (although I wouldn't discourage anyone
so inclined and able), but in this case if the author of the cited article
didn't care to do their homework, then perhaps that's not good enough.


Re: NSA's TAO Head on Internet Offense and Defense

Rogier Wolff <wolff@bitwizard.nl>
Sun, 21 Feb 2016 09:53:44 +0100
> 2. The critical component of APT is the P: persistence. They will just keep
>    trying, trying, and trying. If you have a temporary vulnerability—the
>    window between a vulnerability and a patch, temporarily turning off a
>    defense—they'll exploit it.

Native English speakers sometimes don't realize that some words have two
distinct meanings.

The word "persistence" is one such word. The P in APT is about establishing
a base from where renewed activities can be initiated.

Not the "persistence" of "keep on trying and trying".

In practical terms, once you have exploited a buffer overrun you might be
granted a "root shell" on the target machine. Establishing persistence then
is installing/infecting system files so that you have a route-of-entry even
if the original buffer overflow is patched.  NSA has taken this to another
level: They have been patching the BIOS to reinstall a backdoor even after a
fresh system re-install has wiped the altered system files.

R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2600998
   Delftechpark 26 2628 XH  Delft, The Netherlands. KVK: 27239233


Re: Doing University exams on computers?

Rogier Wolff <wolff@bitwizard.nl>
Sun, 21 Feb 2016 10:07:19 +0100
> Rogier Wolff states: 'You can enforce rules like: "you are not
> allowed to go back and correct answers. Your first answer stands".'

> 1) Not reviewing one's answers is a very bad habit that could have
> nasty Real World consequences.

Of course, many real-world situations allow you to think your answers over
and exams should allow students to review their answers in such cases. But
computer-exams allow examiners to enforce the "no review on this question"
policy on SOME questions where that may be appropriate.

For example (the previous article was about flying so I have my mind
set to flying):

** First answer stands **
You're in a left turn and suddenly the stall warning sounds
Do you:
A) Apply speedbrake
B) push the control stick
C) pull on the control stick
D) roll left
E) roll right
F) Push TOGA

This is in real life a time-limited life-and-death situation and little or
no chance for "whoops that didn't work, let's try something else". This is
what pilot trainings are for, that they do the right thing first time
around.

You might argue that it is cruel to fault pilots-to-be that try to hit the
right answer but just missed the right click-target. But then again, maybe I
don't want that guy piloting my plane either.

It is not that I promote that all exams would move to "first answer stands"
format, just that computer exams provide the option of adding such
questions.
