The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 32

Monday 7 March 2016

Contents

Risk to babies' health due to an alleged cover up of patient information system failures: Israeli clinics converted to new system
Omer Zak
Cisco NX-OS switch risk
Martyn Thomas
France to Jail Tech Execs over Encryption
The Register
Big Brother is tracking all of us...except for terrorists
via Paul Saffo
Apple vs FBI—Another Constitutional Issue
David E. Ross
Apple VP: The FBI wants to roll back safeguards that keep us a step ahead of criminals
WashPo
Competing Interests on Encryption Divide Top Obama Officials
NYTimes
Joining Together to Avoid a Troubling Legal Precedent
Google
Re: ISIS turns to foreign encryption products as Apple-FBI fight rages in U.S.
Amos Shapir
Re: NY Judge rules in Apple favor
John Levine
Re: Apple vs FBI ...
Peter Bernard Ladkin
Keith Medcalf
Henry Baker
Re: IRS identity theft story—wanna bet it is much, much bigger?
John Levine
Drone conflict update
ACLU+ via AlMac
Info on RISKS (comp.risks)

Risk to babies' health due to an alleged cover up of patient information system system failures: Israeli clinics converted to new system

Omer Zak <w1@zak.co.il>
Mon, 07 Mar 2016 00:30:05 +0200
(Article in Hebrew, use Google Translate)
http://www.nrg.co.il/online/1/ART2/759/045.html

There is a serious problem in the information system serving the "Tipat
Chalev" (Drop of Milk) network of clinics in Israel. Those clinics monitor
the health of babies, their growth, and vaccinate them.

The problems are that wrong data is recorded for the babies—no record of
vaccinations which were administered, vaccinations that were not in fact
administered have been recorded, information about baby's development
recorded for the wrong patient, etc. There are also interruptions during
data entry, causing the nurses in the clinics not to be sure if the data was
actually entered into the system.

The problem was caused by conversion from one computerized system into
another computerized system. There are allegations that the Ministry of
Health is covering up the problem. However, now the problem was brought to
the attention of the Knesset.


Cisco NX-OS switch risk

Martyn Thomas <martyn@thomas-associates.co.uk>
Fri, 4 Mar 2016 13:15:08 +0000
Sigh!

“A vulnerability in Cisco NX-OS Software running on Cisco Nexus 3000 Series
Switches and Cisco Nexus 3500 Platform Switches could allow an
unauthenticated remote attacker to log in to the device with the privileges
of the /root /user with bash shell access.''

The vulnerability is due to a user account that has a default and static
password. This account is created at installation and cannot be changed or
deleted without impacting the functionality of the system."

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-n3k


France to Jail Tech Execs over Encryption (The Register)

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 4 Mar 2016 16:11:12 PST
http://www.theregister.co.uk/2016/03/04/france_to_jail_tech_execs_over_encryption/


Big Brother is tracking all of us...except for terrorists

Paul Saffo <paul@saffo.com>
Sat, 5 Mar 2016 09:47:21 -0800
[From a friend who prefers not to be identified.]

> Date: March 5, 2016
> Subject: Big Brother is tracking all of us...except for terrorists

> Interesting video (in French, sorry, but the picture speaks for itself)
> sent by an unknown Middle-eastern technician to his "brothers and sisters"
> explaining how to disable the remote tracking features of a Galaxy4 smart
> phone.

> As the instructor says, "don't panic"...


Apple vs FBI—Another Constitutional Issue

"David E. Ross" <david@rossde.com>
Thu, 3 Mar 2016 17:21:05 -0800
The U.S. Supreme Court ruled in both the "Citizens United" and the "Hobby
Lobby" cases that corporations are persons no less than living, breathing
persons.  That is, the Supreme Court eliminated the distinction between
corporeal persons and corporate persons.

The FBI is demanding that Apple perform a task that Apple would not
otherwise do.  The 13th amendment to the U.S. Constitution prohibited
involuntary servitude.  It makes no exception for national security,
criminal investigations, or acts of terrorism.

In any case, I have not heard that the FBI is willing to pay Apple's costs
for subverting the security of its iPhone.  Those costs would not merely be
the labor costs of actually unlocking one phone; they would also include the
costs of lost sales when potential customers stop trusting Apple.  Lacking
any offer of compensation, what the FBI proposes would be a violation of the
last phrase of the 5th amendment of the Constitution: "nor shall private
property be taken for public use, without just compensation."


Apple VP: The FBI wants to roll back safeguards that keep us a step ahead of criminals (WashPo)

Lauren Weinstein <lauren@vortex.com>
Sun, 6 Mar 2016 18:16:08 -0800
*The Washington Post* via NNSquad
https://www.washingtonpost.com/opinions/apple-vp-the-fbi-wants-to-roll-back-safeguards-that-keep-us-a-step-ahead-of-criminals/2016/03/06/cceb0622-e3d1-11e5-a6f3-21ccdbc5f74e_story.html

  That's why it's so disappointing that the FBI, Justice Department and
  others in law enforcement are pressing us to turn back the clock to a
  less-secure time and less-secure technologies. They have suggested that
  the safeguards of iOS 7 were good enough and that we should simply go back
  to the security standards of 2013. But the security of iOS 7, while
  cutting-edge at the time, has since been breached by hackers.  What's
  worse, some of their methods have been productized and are now available
  for sale to attackers who are less skilled but often more malicious.


Competing Interests on Encryption Divide Top Obama Officials (NYTimes)

Monty Solomon <monty@roscom.com>
Sat, 5 Mar 2016 17:02:58 -0500
While the White House denies any internal disagreement over its legal battle
with Apple, the differences in the administration have become increasingly
apparent.
http://www.nytimes.com/2016/03/06/us/politics/competing-interests-on-encryption-divide-top-obama-officials.html


Joining Together to Avoid a Troubling Legal Precedent

Lauren Weinstein <lauren@vortex.com>
Thu, 3 Mar 2016 19:55:11 -0800
  [Google via NNSquad]

  Today, Google joined a variety of technology companies to file an amicus
  brief in US federal court. Together, we are voicing concern about the use
  of a broad statute from the 18th century, the All Writs Act, to require
  companies to re-engineer important security features that protect people
  and their data.

http://googlepublicpolicy.blogspot.com/2016/03/joining-together-to-avoid-troubling.html

  [PGN suggests also:
http://www.apple.com/pr/library/2016/03/03Amicus-Briefs-in-Support-of-Apple.html


Re: ISIS turns to foreign encryption products as Apple-FBI fight rages in U.S. (RISKS-29.31)

Amos Shapir <amos083@gmail.com>
Sun, 6 Mar 2016 18:44:09 +0200
It's yet another reminder:

If strong encryption is outlawed, only outlaws would have strong encryption;
If encryption tools without backdoors are outlawed, only outlaws would have
encryption tools without backdoors; If encryption without keys escrow is
outlawed, only outlaws would have encryption without keys escrow; etc.,
etc...


Re: NY Judge rules in Apple favor (Macintyre, RISKS-29 31))

"John Levine" <johnl@iecc.com>
4 Mar 2016 02:26:00 -0000
I read the 50-page James Orenstein decision ,,, (you should, it's pretty
interesting.)  It has many references to the California case so it obvious
the judge expects it to be used as a precedent.

I blogged about it here:  https://jl.ly/Internet/nyapple.html


Re: Apple vs FBI ... (Houppermans, RISKS-29.31)

Peter Bernard Ladkin <ladkin@rvs.uni-bielefeld.de>
Fri, 4 Mar 2016 09:18:46 +0100
Peter Houppermans discusses the implications of the FBI winning the lawsuit
to make Apple build tools to break the security of a specific iPhone.

I don't disagree that whatever precedent the Apple vs FBI lawsuit sets,
there are lots of similar lawsuits waiting to be decided the same way. But I
dispute that companies will find it "more economical" to build pervasive
backdoors into their kit.

Global companies have been dealing with country-local restrictive
legislation for a long time, and move their centres of operations around as
they see fit. Banks and financial services firms, for example.

There is a far larger global market for data privacy than the US alone. The
European Union itself is (at least) a third larger in terms of population
and its members implement legal systems which support data privacy and which
will exist for the foreseeable future.

I would guess that privacy-supporting kit will continue to be developed,
because global companies such as Apple can sell it in markets where privacy
is protected, such as most EU countries. Savvy US residents could avail
themselves of trips to such places to obtain such kit, and US Homeland
Security would have a new task trying to stop such kit from entering the
US. There is a precedent for such a state of affairs, and it's not been
pretty for most of the last century.

>  The implications of a win are that it will no longer be possible to
>   protect ANY information held on US provided equipment and services.

May well be. US companies who wish to protect their data could find ways
to use Canadian or EU cloud services, maybe set up by global companies such
as Apple, Amazon and Google.

Peter Bernard Ladkin, University of Bielefeld and Causalis
www.rvs.uni-bielefeld.de www.causalis.com


Re: Apple vs FBI ... (Houppermans, RISKS-29.31)

"Keith Medcalf" <kmedcalf@dessus.com>
Thu, 03 Mar 2016 18:33:03 -0700
This whole line of reasoning is so wrong on so many fronts.  The reason that
the FBI is requesting Apple to "break into" the iPhone in question is
because Apple has ALREADY CREATED the backdoor into the device that permits
them to do this.  If Apple had not done so, there would be no way for Apple
to comply no matter what tantrums anyone decided to throw.  Just as Apple
has created backdoor access for themselves to turn over backups and so forth
stored in iCloud (the definition of "Cloud" being, of course, Third Party
operated computer system over which the data owner has no control or
influence over the security of what is stored there).

Apple can get itself out of the mess it has created for itself by cutting
the petard of its own making which is being used to hoist them:

Give the user the complete and total ability to control the security of the
Hardware and Software such that not even Apple has access once "Secure" mode
is engaged.  Apple should back up the impenetrable security of such a system
with a $1,000,000.00 bond that once engaged, no one will be able to access
the data on the device or the iCloud unless the correct password is provided
(or guessed within the guessing limits), and that this may entail
application of rubber hoses, waterboards, electric charges, and other
tortures to the person in order to compel disclosure of the password.

Then it will be up to the Device Owner to decide whether they want the
device to be secure or not, and Apple will have no responsibility whatsoever
for the outcomes of that decision.


Re: Apple vs FBI ... (Houppermans, RISKS-29.31)

Henry Baker <hbaker1@pipeline.com>
Fri, 04 Mar 2016 08:58:54 -0800
Among many other things, the Apple case is about campaign contributions.
Apple is one of the most valuable companies on Earth, so some not-so-subtle
suggestions from time to time "It's a nice little company you've got there,
Apple; it would be such a shame for the govt to screw you over with bad laws
and precedents".  And the other tech giants know that they're next on the
menu.

How do we know this?  Check the calendar: it's presidential election season.


Re: IRS identity theft story—wanna bet it is much, much bigger? (RISKS-29.32)

"John Levine" <johnl@iecc.com>
4 Mar 2016 02:02:22 -0000
>I will bet $$$ that this is just the tip of an iceberg, as it is
>breathtakingly stupid for the IRS to have been snookered by a KBA attack.

My tax accountant said a lot of her clients have had refund fraud, and it's
so common that the fix, a form where you swear it wasn't you attached to
your real return, is now quite routine.


Drone conflict update (ACLU+)

"Alister Wm Macintyre" <macwheel99@wowway.com>
Sat, 5 Mar 2016 17:03:19 -0600
ACLU lawsuit regarding US military drone killings., led to a US gov filing
with the court.

http://i2.cdn.turner.com/cnn/2016/images/03/04/ppg.letter.pdf
https://www.aclu.org/issues/national-security/targeted-killing

The court ordered the government to show the judge some key documents on the
secret killing by drone program.

https://www.aclu.org/blog/speak-freely/court-considers-releasing-key-documents-governing-secretive-targeted-killing
https://www.aclu.org/sites/default/files/field_document/65._order_directing_government_to_produce_three_documents_2.25.16.pdf

Obama administration to go public with more details on drone killing
program.

http://www.cnn.com/2016/03/04/politics/drone-program-obama-administration/

Update on how to hack government drone.

This is not a new capability, it is just another well qualified researcher
finding something, that others before him have found out, such as crooks,
and nations we have been spying on.

https://securityaffairs.co/wordpress/45039/hacking/hacking-professional-drones.html
http://www.wired.com/2016/03/hacker-says-can-hijack-35k-police-drone-mile-away/
https://securityaffairs.co/wordpress/43168/laws-and-regulations/surveillance
-drones-hacking.html

In USA it is illegal to interfere with a drone in flight, because the courts
have ruled that a drone is an aircraft, without differentiating rules for
drones, from rules for their larger cousins.

18 U.S. Code 32, prescribes up to 20 years in prison for anyone who
willfully sets fire to, damages, destroys, disables, or wrecks an aircraft
in flight.
<https://www.law.cornell.edu/uscode/text/18/32>

This also includes bringing down a drone via trained bird, big net, radio
frequency gun, bigger drone, or hacking it.

I hope no penalties if the owner of the drone crashes it, by accident, or
battery depletion, and no damage to anyone else,

Or if on the public highways, a motorist collides with a drone, which did
not have right of way.

http://drones.newamerica.org/primer/
http://www.slate.com/blogs/future_tense/2016/03/04/proposed_connecticut_law_would_ban_putting_guns_on_drones.html

Please report problems with the web pages to the maintainer

Top