Very nice commentary from Jens Braband and Andreas Harner on behalf of the IEC. http://iec2016.org/index.php/it-security.html?utm_source=IEC+80th+General+Meeting+Frankfurt+2016&utm_campaignMa7ef374e-IT+Security&utm_medium=email&utm_term=0_6305786e7e-4da7ef374e-19961785 Let me emphasise John Knight's perennial point that standards may drive certain engineering enterprise, as Jens makes clear is true in other fields besides the perennial example of telecommunications, but we are shooting ourselves in the foot if we can't refer to them in university teaching because of the high-cost/restrictive-copyright ISO/IEC business model.
http://www.bbc.co.uk/news/world-europe-35622753 "Swedish carmaker Volvo is recalling 59,000 cars across 40 markets over a fault that can temporarily shut down the engine. The software fault is restricted to five-cylinder diesels from the 60 and 70 series constructed from the middle of 2015. Group spokesman Stefan Elfstrom told Associated Press the fault could be "unpleasant" for drivers. However, he said there had been no recorded accidents as a result. The glitch can shut down the engine and electrical system while the car is in motion, but Mr Elfstrom said they would then both restart immediately. The glitch had been reported by drivers of new Volvos who said the engine could cut out without warning, creating a brief absence of steering and braking."
Nissan Leaf (electric cars) seem to be vulnerable to a variety of attacks through the telematics units, some of which are privacy related (e.g., the status of the battery, all past trips you've made), and others can affect the behavior (e.g., turn the heat on/off, which would affect driving range). The specifics seem to differ from country-to-country, and not clear whether Leafs (Leaves?) are vulnerable in all countries. Nissan has been informed, but has yet to announce any solutions. [Leafs much to be desired? NOT? PGN] The only thing you need to launch these attacks is the VIN, which is relatively public information, or in the worst case can be discovered through enumeration. The Internet of Things is not necessarily your friend. http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html?m=1
Some of Nissan's Leaf cars can be easily hacked, allowing their heating and air-conditioning systems to be hijacked, according to a prominent security researcher. ... Mr Hunt said the root of the problem was that the firm's NissanConnect app needed only a car's vehicle identification number (Vin) to take control. The code is usually stenciled into a car's windscreen, making it relatively easy to copy. The initial characters of a Vin refer to the brand, make of car, and country of manufacture/location of the firm's headquarters. So, Mr Hunt said, it would only be the final numbers that varied between different Nissan Leafs based in the same region. "Normally it's only the last five digits that differ," he explained. "There's nothing to stop someone from scripting a process that goes through every 100,000 possible cars and tries to turn the air conditioning on in every one. "They would then get a response that would confirm which vehicles exist." http://www.bbc.com/news/technology-35642749 What could ... Oh, never mind. [Quoth the Maven ...? PGN] Gabriel Goldberg, Computers and Publishing, Inc. firstname.lastname@example.org 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
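The two Leaf items above make one security point: a VIN is an identifier, not a secret, and once the brand/model/region prefix is known only five digits remain. The following Python is an added example, not code from the RISKS posts, from Troy Hunt, or from Nissan. It shows how small that search space is and a log-side check an API operator could run to spot a scripted sweep of it. The API path, client addresses, VINs and log lines are constructed for the example.

```python
# Added example, not code from the RISKS post, Troy Hunt, or Nissan.
# Two things a defender wants after reading the quote above: how small the
# search space is when the VIN is the only credential, and a log-side check
# that spots a scripted sweep of that space. The API path, client addresses
# and VINs below are constructed for the example.
from collections import defaultdict
from datetime import datetime, timedelta


def vin_keyspace(known_chars: int, vin_len: int = 17) -> int:
    """Candidates an attacker must try when only the trailing digits are
    unknown. With 12 of 17 characters fixed by brand/model/region/year,
    that is 10**5, the '100,000 possible cars' in the quote."""
    return 10 ** (vin_len - known_chars)


def parse_line(line: str):
    """Constructed log format:
    '<iso-timestamp> <client-ip> GET /vehicle/<VIN>/status <http-code>'"""
    ts, ip, _method, path, code = line.split()
    vin = path.split("/")[2]
    return datetime.fromisoformat(ts), ip, vin, int(code)


def detect_enumeration(lines, window=timedelta(minutes=5), max_distinct=20):
    """Return client addresses that queried more than `max_distinct`
    different VINs sharing a 12-character prefix inside `window`.
    A real owner's app asks about one or two VINs over and over; a sweep
    walks the suffix space and touches a new VIN on every request."""
    recent = defaultdict(list)          # (ip, prefix) -> [(ts, vin), ...]
    flagged = set()
    for line in lines:
        ts, ip, vin, _code = parse_line(line)
        bucket = recent[(ip, vin[:12])]
        bucket.append((ts, vin))
        # Expire entries that fell out of the sliding window.
        while bucket and ts - bucket[0][0] > window:
            bucket.pop(0)
        if len({v for _, v in bucket}) > max_distinct:
            flagged.add(ip)
    return flagged


# Constructed sample log: one client walks 25 consecutive suffixes at
# five-second intervals; another polls its own car twice.
_BASE = datetime(2016, 2, 24, 10, 0, 0)
SAMPLE_LOG = [
    f"{(_BASE + timedelta(seconds=5 * i)).isoformat()} 203.0.113.7 "
    f"GET /vehicle/SJNFAAZE0U60{i:05d}/status 200"
    for i in range(25)
] + [
    f"{(_BASE + timedelta(minutes=1)).isoformat()} 198.51.100.4 "
    "GET /vehicle/SJNFAAZE0U6012345/status 200",
    f"{(_BASE + timedelta(minutes=3)).isoformat()} 198.51.100.4 "
    "GET /vehicle/SJNFAAZE0U6012345/status 200",
]

if __name__ == "__main__":
    print("candidates per region:", vin_keyspace(12))
    print("enumerating clients:", detect_enumeration(SAMPLE_LOG))
```

The threshold and window are tuning knobs; the structural fix is not better detection but binding each request to an owner credential, so that a VIN alone proves nothing.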
Leanna Garfield, *Business Insider*, 18 Feb 2016 A robot made by British programmer Joshua Browder, 19, handles questions about parking-ticket appeals in the UK. Since launching in late 2015, it has successfully appealed $3 million worth of tickets. Browder's isn't even the first lawyer bot. The startup Acadmx's bot creates perfectly formatted legal briefs. The company Lex Machina does data mining on judges' records and makes predictions on what they will do in the future. http://www.businessinsider.com/joshua-browder-bot-for-parking-tickets-2016-2 Washington, DC needs one of these. Good luck beating even the most egregiously issued tickets there. But can a robot judge be far behind, responding to the robot lawyer's missives? Robot appeals court judges? Robot Supremes? Then, of course, robot senators advising/consenting on the code behind judges/justices. (Wait, don't we already have those senators programmed to NOT advise/consent?)
*I got hacked mid-air while writing an Apple-FBI story* *Steven Petrow, Special for USA TODAY* 12:44 p.m. EST February 24, 2016 "I don't really need to worry about online privacy," I used to think. "I've got nothing to hide. And who would want to know what I'm up to, anyway?" Sure, I'm a journalist, but I'm not an investigative reporter, not a political radical, not of much interest to anyone, really. That was last week, when the standoff between the FBI and Apple seemed much more about principle than practice to me. That's when I thought I'd write a column on whether this legal fight matters to regular folk—people like my mother, a retired social worker; my best friend, who works in retail; or even my 20-year-old niece in college. That was before I found out—in a chillingly personal way—just why it does matter. To all of us. Just before midnight last Friday, my plane touched down in Raleigh after a three-hour flight from Dallas. As usual, I'd spent much of the flight working, using American Airlines GoGo in-flight Internet connection to send and answer emails. As I was putting on my jacket, a fellow in the row behind me, someone I hadn't even noticed before, said: "I need to talk to you." A bit taken aback, I replied, "It's late—I need to get home." "You're a reporter, right?" "Um, yes." "Wait for me at the gate." [I didn't answer, but I did wait.] "How did you know I was a reporter?" I asked while we started walking. "Are you interested in the Apple/FBI story?" he responded, ignoring my question. "Kind of. Why are you asking me that?" I thought he was some kind of creepy mind reader. Then he dropped the bombshell. "I hacked your email on the plane and read everything you sent and received. I did it to most people on the flight." He had verbatim detail of a long email that he repeated back to me essentially word for word.
In fact, as Steve Nolan, GoGo's vice president of communications, told me, the service is "public" and "operates in the same ways as most open Wi-Fi hotspots on the ground." He cautioned against "accessing sensitive materials while in flight." One of my emails was pretty explicit about the focus of my story and I had emailed Bruce Schneier, a security expert who had previously written in the Washington Post about this very issue. [...] http://www.usatoday.com/story/tech/columnist/2016/02/24/got-hacked-my-mac-while-writing-story/80844720/
Apple has released an external letter on this topic, at: http://www.apple.com/customer-letter/answers/ An internal email is also now being widely distributed. I don't like leaked internal emails, but since it's now public all over the world and is important, here's an associated story link: http://techcrunch.com/2016/02/22/in-employee-email-apple-ceo-tim-cook-calls-for-commission-on-interaction-of-technology-and-intelligence-gathering/ See also: "FBI vs. Apple: A New Crypto Commission to Be Ignored?": http://lauren.vortex.com/archive/001156.html
IDG News Service, Feb 18, 2016 7:37 AM According to Andrew Zonenberg, a researcher with security consultancy firm IOActive, attackers can easily disable SimpliSafe alarms from up to 30 meters away, using a device that costs around $250 to create a replay attack. http://www.pcworld.com/article/3034956/hubs-controllers/popular-home-security-system-simplisafe-can-be-easily-disabled-by-burglars.html
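The item above names the attack class, replay, without showing why a one-way radio keypad falls to it. The Python below is an added example, not IOActive's research or SimpliSafe's protocol: a toy keypad-to-base-station "disarm" exchange in two designs, so the difference is visible in code. Design A transmits a fixed code, so a recorded frame disarms the system forever; design B binds each frame to a strictly increasing counter under a key the keypad and base share, so the same recording is rejected when played back. The PIN, the key and the frame layout are invented for the example.

```python
# Added example, not IOActive's research or SimpliSafe's protocol: a toy
# keypad-to-base-station "disarm" message in two designs, so the replay
# problem is visible in code. Design A sends a fixed code, so any captured
# frame disarms the system forever. Design B binds each frame to a strictly
# increasing counter under a key shared by keypad and base, so a recorded
# frame fails when played back. The PIN, key and frame layout are invented.
import hashlib
import hmac
import struct

PIN = b"1234"                                            # constructed
KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed shared key


# --- Design A: static code, replayable -------------------------------------
def naive_frame(pin: bytes) -> bytes:
    return b"DISARM:" + pin


class NaiveBase:
    def __init__(self, pin: bytes):
        self.pin = pin

    def disarm(self, frame: bytes) -> bool:
        return frame == b"DISARM:" + self.pin   # same bytes work every time


# --- Design B: counter + MAC, replay rejected ------------------------------
def _tag(key: bytes, header: bytes) -> bytes:
    return hmac.new(key, b"DISARM" + header, hashlib.sha256).digest()


class CounterKeypad:
    def __init__(self, key: bytes):
        self.key, self.ctr = key, 0

    def frame(self) -> bytes:
        self.ctr += 1                            # never reused
        header = struct.pack(">I", self.ctr)
        return header + _tag(self.key, header)


class CounterBase:
    def __init__(self, key: bytes):
        self.key, self.last_ctr = key, 0

    def disarm(self, frame: bytes) -> bool:
        if len(frame) != 4 + 32:
            return False
        header, tag = frame[:4], frame[4:]
        # Check authenticity first, then freshness; constant-time compare.
        if not hmac.compare_digest(tag, _tag(self.key, header)):
            return False
        ctr = struct.unpack(">I", header)[0]
        if ctr <= self.last_ctr:
            return False                         # replayed or stale frame
        self.last_ctr = ctr
        return True


def replay_demo():
    """Record one legitimate disarm frame per design, then play each back.
    Returns (naive_first, naive_replay, counter_first, counter_replay)."""
    naive = NaiveBase(PIN)
    captured_a = naive_frame(PIN)
    a_first, a_replay = naive.disarm(captured_a), naive.disarm(captured_a)

    keypad, base = CounterKeypad(KEY), CounterBase(KEY)
    captured_b = keypad.frame()
    b_first, b_replay = base.disarm(captured_b), base.disarm(captured_b)
    return a_first, a_replay, b_first, b_replay


def forged_frame_accepted() -> bool:
    """An attacker without KEY cannot mint a fresh counter frame."""
    base = CounterBase(KEY)
    bogus = struct.pack(">I", 99) + b"\x00" * 32
    return base.disarm(bogus)


if __name__ == "__main__":
    print(replay_demo())            # (True, True, True, False)
    print(forged_frame_accepted())  # False
```

A shipping design still has to handle counter drift (accept a bounded window above `last_ctr`, never at or below it) and the fact that a jammer can suppress a frame and keep it for later, which a counter alone does not prevent; a challenge from the base station closes that gap at the cost of a bidirectional radio.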
US DHS (Dept of Homeland Security) guidelines on how to share Cyber Threat info.
* Report a cyber incident <https://www.us-cert.gov/forms/report?>
* Report a phishing incident <https://www.us-cert.gov/report-phishing>
* Report Malware and vulnerabilities to DHS by e-mail to email@example.com and firstname.lastname@example.org.
I hope they have the capacity to handle the volume of people who may be reporting problems. There are places to which we can forward our spam, share firewall logs of break-in attempts, and other threats. I hope those places share with DHS, so the millions of people getting the same attacks do not need to individually report them to DHS. I believe more people would report suspicious things if there was an app in the browser to click on when we see something that ought to be reported, then a pull-down for us to select or key in what the problem appears to be. At the present time, I screen print the offending site, copy paste the url, then walk that over to my local police station along with self-id, and ask that it be faxed to FBI or Secret Service, because this looks to me like it is a threat to National Security, or a mass shooting being planned, or some other bad stuff. Most phishing to me these days comes by telephone: calls claiming to be
* from my bank, or credit card company, without identifying it, seeking PII info they should already have, if it is really them;
* from my health services company, without naming it, seeking PII info they should already have, if they are the real McCoy;
* from a Windows Service Center following up on malware allegedly detected on my PC. I tell the caller to fix his resume & get out of there, since the FBI will be raiding your crooked employer any day now.
I don't consider these outfits to be in the same league as cyber security threats, but they sure are threats.
http://www.dhs.gov/how-do-i/report-cyber-incidents http://www.dhs.gov/cybersecurity-publications http://www.bankinfosecurity.com/dhs-issues-guidance-on-how-to-share-cyberthreat-data-a-8877 DHS hopes individuals in the private sector will tip off gov to troubles gov may have been oblivious to, then gov to turn around and warn more places. Cyber Security Information Sharing Act (CISA) means people cannot be sued for sharing such info with the government. There might not be protection for whistleblower employees, reporting company vulnerabilities, that employers did not give permission to reveal. http://www.technewsworld.com/story/83127.html http://www.nextgov.com/cybersecurity/2016/02/homeland-security-wants-see-something-say-something-campaign-internet/126008/
The situation involving Apple, the FBI, and the San Bernardino shooter's iPhone does give me pause. There are clearly conflicting requirements and a meaningful discussion of the issues is warranted. I can't think of a better forum than RISKS in which to start that discussion. I assume that a majority (possibly vast majority) of RISKS readers favor strong encryption whenever encryption is deployed. There are many valid reasons for this from both a technological and societal perspective. It's hard enough to get right without purposefully weakening the implementation, real backdoors will certainly be discovered and exploited by criminals or hostile nations, etc. On the other hand, I think most would also agree that if the FBI could gain access to the information on the iPhone in question without weakening anyone else's overall security or privacy, that would be okay (perhaps they find the passcode written down somewhere). So, is there a middle ground? It seems to me that key escrow has some potential and should be considered. I think the technical aspects are straightforward enough that we can assume an implementation is possible (not to say it's trivial, but I can imagine a solution). The question becomes: Is this a backdoor or a front door? Imagine that we have a 3-of-5 key escrow solution and key fragments are distributed to the EFF, Anonymous, the court system, an entity designated by the owner (perhaps in a country with strong privacy protections), and Apple (or other device manufacturer). If there's a lawful search warrant and three of these entities agree that the warrant is *reasonable*, would we think that's okay? I'm sure we can spin anecdotes where people would generally think it's okay (dirty bomb about to go off somewhere heavily populated). There are also anecdotes where we'd want the encryption to not be circumvented (e.g., whistle blowers to Wikileaks). Clearly, laws would have to be enacted to really enable this in a secure fashion.
Key holders would have to be authorized to not provide keys when they didn't feel the situation warranted it. After all, the court system can be abused. Perhaps it could never be used for civil matters (e.g., divorce, discovery). As I think about this, I believe I'm convincing myself that the legal and societal hurdles would be just too much to overcome. Still, I think it's worth consideration. Comments? Flames? [There appears to be very little potential for a reasonable middle ground. Consider the realities: Almost all systems we use are *already* vulnerable and likely to remain so; the potential for egregious insider misuse is always going to be present; the Internet itself is a huge source of attacks (among many other arguments). Worse yet, laws cannot enforce adequate pervasive computer-communication security. Nor can technology. Nor can unenforceable policies. PGN]
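The "3-of-5 key escrow" sketch above is the one part of the proposal that is technically routine, and it is worth seeing that part in code so the discussion can stay on the legal and societal hurdles. The Python below is an added example, not from the RISKS post: Shamir secret sharing over GF(p). A degree-2 polynomial is fixed by three points, so any three of the five holders can rebuild the escrowed key, and any two holders learn nothing about it. The prime, the demo key and the randomness source are this example's own choices.

```python
# Added example, not from the RISKS post: the "3-of-5 key escrow" idea in
# code, as Shamir secret sharing over GF(p). A degree-2 polynomial is fixed
# by three points, so any three of the five holders can rebuild the escrowed
# key and any two learn nothing about it. The prime, the demo key and the
# randomness source are this example's own choices.
import secrets

P = 2**127 - 1          # Mersenne prime; every share value is reduced mod P


def split(secret: int, n: int = 5, k: int = 3, rng=secrets.randbelow):
    """Return n shares (x, f(x)) of a random polynomial f of degree k-1
    with f(0) = secret. `rng(P)` must return a uniform value in [0, P)."""
    assert 0 <= secret < P and 1 < k <= n
    coeffs = [secret] + [rng(P) for _ in range(k - 1)]

    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):      # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def recover(shares) -> int:
    """Lagrange interpolation at x = 0. Correct only when len(shares) >= k;
    with fewer shares it returns a value unrelated to the secret."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def escrow_demo(key: int):
    """Split a key 3-of-5, rebuild it from holders {1,3,5}, and show that
    holders {1,2} alone get the wrong answer."""
    shares = split(key)
    three = [shares[0], shares[2], shares[4]]
    two = shares[:2]
    return recover(three) == key, recover(two) == key


if __name__ == "__main__":
    demo_key = secrets.randbelow(P)   # stand-in for a device key
    print(escrow_demo(demo_key))      # (True, False)
```

Note what the arithmetic does not solve: the key being escrowed has to exist in the clear somewhere at split time, the five holders each become a target, and nothing in the math makes a holder refuse a warrant it considers unreasonable; those are exactly the points the post and the moderator's note raise.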
Robots are automating yet another bank job: the task of sifting through traders' messages to spot foul play, a process currently carried out by legions of human employees. To read the entire article, go to http://bloom.bg/1OsarSs Easier to fool robots or legions of humans, I wonder. Seems robots will only look for what's been described to them but savvy humans can say, "Hmmm, that looks odd" about something they've never seen or heard described.
[via Dave Farber] ... The film—starring Matthew Broderick as a tech-whiz teenager who unwittingly hacks into the computer of the North American Aerospace Defense Command (NORAD) and nearly sets off World War III—opened nationwide on June 3. The next night, President Ronald Reagan watched it at Camp David. And that is where this strange story—culled from interviews with participants and Reagan Library documents—begins. The following Wednesday, back in the White House, Reagan met with his national-security advisers and 16 members of Congress to discuss forthcoming nuclear arms talks with the Russians. But he still seemed focused on the movie. At one point, he put down his index cards and asked if anyone else had seen it. No one had, so he described the plot in detail. Some of the lawmakers looked around the room with suppressed smiles or raised eyebrows. Three months earlier, Reagan had delivered his Star Wars speech, imploring scientists to build laser weapons that could shoot down Soviet missiles in outer space. The idea was widely dismissed as nutty. What was the old man up to now? After finishing his synopsis, Reagan turned to Gen. John W. Vessey Jr., the chairman of the Joint Chiefs of Staff, and asked: "Could something like this really happen?" Could someone break into our most sensitive computers? General Vessey said he would look into it. One week later, the general returned to the White House with his answer. "WarGames, it turned out, wasn't far-fetched. Mr. President. The problem is much worse than you think." http://www.nytimes.com/2016/02/21/movies/wargames-and-cybersecuritys-debt-to-a-hollywood-hack.html
North Korea's underground nuclear tests are approx 72 miles from a volcano, currently not active, which has had fierce eruptions in history. What could go wrong? In past posts, I have shared the topic of man-made earthquakes, thanks to fracking waste waters, hydro-electric dams, and other activities. http://www.nature.com/articles/srep21477 Study published by Nature magazine, that MSM is now illuminating, on the risk that N Korean nuclear tests will cause this now dormant volcano to become active again. Here's where this is on the map: http://mysteriousuniverse.org/2016/02/north-korean-nuclear-tests-could-trigger-volcano-eruption/ https://en.wikipedia.org/wiki/946_eruption_of_Paektu_Mountain Wikipedia on how bad past eruptions have been. N Korea has had a string of tests, progressively more powerful. After prior tests, scientists have detected a rise in volcano temperature, and speculated what that means. The immediate negative beneficiaries, of the volcano erupting, would be China & North Korea. This mountain is sacred to the Korean religion. China no doubt would pressure N Korea to stop the nuclear tests at that site, a move no doubt welcomed by USA, Japan, S Korea, and other nations. Remember how the 2010 volcanic eruption in Iceland made air travel in Europe impractical for about a week? What's downwind of this guy? A portion of Russia, possibly Japan, then over the Pacific Ocean. According to Hiromitsu Taniguchi, a volcano expert from Tohoku University, Mt. Baekdu erupted at least six times between the 14th and 20th centuries, and every time it followed an earthquake in Japan. https://www.rt.com/news/north-korea-nuclear-volcano-757/ Sometimes volcanic eruptions trigger additional aftershocks, and are blamed for more trouble in the ring of fire. Meanwhile, Japan has a nuclear power plant next to an active volcano. What consequences might come from that?
http://phys.org/news/2015-08-japan-nuclear-power-safe.html Might this be the snowflake in Avalanche Chaos theory which brings down the stock market? [So, what do the computer models suggest? PGN]
[This is from Tim Young on Facebook. I know nothing about it. Don Wagner] I just realised that the issue I've been trying to solve for the last couple of days was a lovely valentine's day gift from Trimble:
TRIMBLE 4700/4800 GPS RECEIVERS WILL STOP WORKING PROPERLY STARTING FEBRUARY 14, 2016
Summary
On February 14, 2016, Trimble 4700 and 4800 GPS receivers, that are long obsolete and end of service, will start experiencing erratic and unreliable behavior for time and date reporting. As those receivers will interpret the GPS time in error by 1024 weeks, receiver data outputs will have the wrong time reference. This will negatively impact subsequent systems that are communicating with that receiver, including the rejection of data packages. Real-Time Kinematic (RTK) operation is not expected to continue working properly. Newer Trimble GPS/GNSS receiver types, including Trimble 5700/R5/R7/NetR9 Geospatial/NetRS/NetR5, Trimble 5800/R2/R4/R6/R8/R8s/R10/R10LT with current firmware, are not impacted by this.
Resolution
Unfortunately, there is no technical solution available for Trimble 4700 and 4800 GPS receivers to correct this issue. For Trimble 4700/4800 GPS receivers still in use, please work with the end-user on a receiver replacement solution towards a new or more recent GNSS receiver system.
Luckily someone has already developed a fix for this week bug (John Hamilton)—http://www.terrasurv.com/fixweek/FixWeek.zip—since Trimble has no motivation to do so. This affects both my 4700 base and 5800 rover... very frustrating. And what they mean by stop working properly, is that the time stamping of GPS files is now set back to July 1996...
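The advisory above says "in error by 1024 weeks" without saying where the 1024 comes from. The GPS navigation message carries the week number in 10 bits, i.e. modulo 1024, and a receiver recovers the full week by assuming it falls inside a 1024-week window that starts at a baseline baked into its firmware; a receiver whose baseline is too old wraps back into the previous epoch. The Python below is an added example, not Trimble's firmware or John Hamilton's FixWeek tool, that reproduces the dates in the post. The baseline week 860 is an assumption: it is the only value for which the mis-dating starts exactly on February 14, 2016, and it lands the wrapped date on June 30, 1996, the Sunday whose week runs into July 1996.

```python
# Added example, not Trimble's firmware or John Hamilton's FixWeek tool. The
# GPS navigation message carries the week number in 10 bits, i.e. modulo
# 1024, and a receiver recovers the full week by assuming it lies in a
# 1024-week window starting at a baseline baked into its firmware. The
# baseline week 860 below is an assumption chosen because it is the only
# value for which the mis-dating begins exactly on February 14, 2016.
from datetime import date, timedelta

GPS_EPOCH = date(1980, 1, 6)     # GPS week 0 began on this Sunday
ROLLOVER = 1024                  # 2**10 weeks, about 19.6 years
ASSUMED_4700_BASELINE = 860      # assumption, see lead-in; = week of 1996-06-30


def date_to_gps_week(d: date) -> int:
    return (d - GPS_EPOCH).days // 7


def gps_week_to_date(week: int) -> date:
    """Sunday on which the given full GPS week begins."""
    return GPS_EPOCH + timedelta(weeks=week)


def broadcast_week(full_week: int) -> int:
    """What the satellite actually transmits: the low 10 bits."""
    return full_week % ROLLOVER


def decode_week(ten_bit_week: int, baseline_week: int) -> int:
    """Smallest full week >= baseline_week whose low 10 bits match.
    This is the ambiguity resolution a firmware performs; a receiver whose
    baseline is too old wraps back into the previous 1024-week epoch."""
    candidate = baseline_week - baseline_week % ROLLOVER + ten_bit_week
    if candidate < baseline_week:
        candidate += ROLLOVER
    return candidate


def receiver_date(true_date: date, baseline_week: int) -> date:
    """Date a receiver with the given baseline reports for a real date."""
    full = date_to_gps_week(true_date)
    return gps_week_to_date(decode_week(broadcast_week(full), baseline_week))


def correct_rolled_over(reported: date) -> date:
    """Post-processing repair for a timestamp the operator knows was logged
    after the rollover: add one 1024-week epoch. This is the idea behind
    fixing the files after the fact; FixWeek's own logic is not on the page."""
    return reported + timedelta(weeks=ROLLOVER)


if __name__ == "__main__":
    for d in (date(2016, 2, 7), date(2016, 2, 14)):
        print(d, "->", receiver_date(d, ASSUMED_4700_BASELINE))
    # 2016-02-07 -> 2016-02-07
    # 2016-02-14 -> 1996-06-30
    print(correct_rolled_over(date(1996, 6, 30)))   # 2016-02-14
```

The same arithmetic explains why the newer receivers in the advisory are unaffected: a later baseline moves the window, and `decode_week(860, 1500)` resolves to week 1884, not 860. It also shows why a file-level fix is possible at all: every wrong timestamp is off by exactly one epoch, so the operator only needs to know which files were collected after the rollover.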
At first I cursed my bad timing since I had just finished applying maintenance to my Windows 8.1 system including the subject patch when I read this RISKS item. But it's been several days now and I have not seen any recurrence of the "Get Windows 10" behavior. This leads me to wonder whether I'm the only person that did not suffer ill effects from KB3123862. (Anyone?) Some small verification would be appropriate before publishing items like this in Risks. Curiously, the InfoWorld article makes allegations but cites no actual occurrences. Indeed, it closes with the statement, "As a matter of fact, at this point nobody seems to have any idea what it does." There's already more FUD available on the web than most of us can enjoy and I'd hope that RISKS could aspire to a higher standard than "eerie resemblance". I'm not necessarily suggesting that submitters of items to Risks be responsible for verification (although I wouldn't discourage anyone so inclined and able), but in this case if the author of the cited article didn't care to do their homework, then perhaps that's not good enough.
> 2. The critical component of APT is the P: persistence. They will just keep
> trying, trying, and trying. If you have a temporary vulnerability—the
> window between a vulnerability and a patch, temporarily turning off a
> defense --- they'll exploit it.
Native English speakers sometimes don't realize that some words have two distinct meanings. The word "persistence" is one such word. The P in APT is about establishing a base from where renewed activities can be initiated. Not the "persistence" of "keep on trying and trying". In practical terms, once you have exploited a buffer overrun you might be granted a "root shell" on the target machine. Establishing persistence then is installing/infecting system files so that you have a route-of-entry even if the original buffer overflow is patched. NSA has taken this to another level: They have been patching the BIOS to reinstall a backdoor even after a fresh system re-install has wiped the altered system files. R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2600998 Delftechpark 26 2628 XH Delft, The Netherlands. KVK: 27239233
> Rogier Wolff states: 'You can enforce rules like: "you are not
> allowed to go back and correct answers. Your first answer stands".'
> 1) Not reviewing one's answers is a very bad habit that could have
> nasty Real World consequences.
Of course, many real-world situations allow you to think your answers over and exams should allow students to review their answers in such cases. But computer exams allow examiners to enforce the "no review on this question" policy on SOME questions where that may be appropriate. For example (the previous article was about flying so I have my mind set to flying):
** First answer stands **
You're in a left turn and suddenly the stall warning sounds. Do you:
A) Apply speedbrake
B) Push the control stick
C) Pull on the control stick
D) Roll left
E) Roll right
F) Push TOGA
This is in real life a time-limited life-and-death situation with little or no chance for "whoops, that didn't work, let's try something else". This is what pilot training is for: that they do the right thing the first time around. You might argue that it is cruel to fault pilots-to-be who try to hit the right answer but just missed the right click-target. But then again, maybe I don't want that guy piloting my plane either. It is not that I am promoting moving all exams to a "first answer stands" format, just that computer exams provide the option of adding such questions.