The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 36

Friday 18 March 2016

Contents

China bans wordplay in attempt at pun control
Tania Branigan
Pentagon skips tests on key component of U.S.-based missile defense system
David Willman
Microsoft servers to bottom of ocean
I-HLS
U.S. war on Tor encryption
I-HLS
Brazen Heist of Millions Puts Focus on the Philippines
NYTimes
Denver Police Caught Misusing Databases Got Light Punishments
NYTimes
Where Computers Defeat Humans, and Where They Can't
NYTimes
How Microsoft copied malware techniques to make Get Windows 10 the world's PC pest
The Register
Apple Encryption Engineers, if Ordered to Unlock iPhone, Might Resist
NYTimes
This is the phone NSA suggested Clinton use: A $4,750 Windows CE PDA
Ars Technica
CRYPTO-GRAM, March 15, 2016
Bruce Schneier
Bangladesh Bank Chief Resigns After Cyber Theft of $81 Million
NYTimes
Re: Hackers steal $81M from Bangladesh
John Levine
Re: Typo thwarts hackers in $1 billion cyber heist on Bangladesh central bank ...
Bob Frankston
Info on RISKS (comp.risks)

China bans wordplay in attempt at pun control

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 16 Mar 2016 18:51:59 PDT
Chinese is a language that to Westerners seems rife with puns, with many
words pronounced similarly (if you ignore the four tones) that have quite
different meanings and completely different ideograms.  Many native Chinese
may presume those different words that are phonetically confusing to
foreigners may not be thought to be puns—they are just different words.
However, intentionally contrived puns in spoken Chinese languages that
introduce clever ambiguities and humor apparently have been deemed
threatening to Chinese culture.  (Incidentally, quite intentional puns are
rampant throughout many Shakespeare plays.)  PGN

  Tania Branigan, *The Guardian*, 28 Nov 2014 [old item, but still timely]
  Officials say casual alteration of idioms risks nothing less than
  `cultural and linguistic chaos', despite their common usage.

  From online discussions to adverts, Chinese culture is full of puns.  But
  the country's print and broadcast watchdog has ruled that there is nothing
  funny about them.  It has banned wordplay on the grounds that it breaches
  the law on standard spoken and written Chinese, makes promoting cultural
  heritage harder, and may mislead the public—especially children.  The
  casual alteration of idioms risks nothing less than `cultural and
  linguistic chaos', it warns.

  Chinese is perfectly suited to puns because it has so many homophones.
  Popular sayings and even customs, as well as jokes, rely on wordplay.

  But the order from the State Administration for Press, Publication, Radio,
  Film and Television says: “Radio and television authorities at all levels
  must tighten up their regulations and crack down on the irregular and
  inaccurate use of the Chinese language, especially the misuse of idioms.''
  ...

http://www.theguardian.com/world/2014/nov/28/china-media-watchdog-bans-wordplay-puns?CMP=share_btn_fb

  [Thanks to Laura S. Tinnel for pun-ting this one to me.  PGN]


Pentagon skips tests on key component of U.S.-based missile defense system (David Willman)

Henry Baker <hbaker1@pipeline.com>
Thu, 17 Mar 2016 12:21:09 -0700
  * From the government's perspective: If we don't test it, then we don't
  know that it won't work, so we don't have to include the cost of fixing it
  in our current budget.  That way, the cost overruns won't have to be
  offset from other spending.

  * From the contractor's perspective: If they don't know it won't work,
  then we get paid.  And when they find out later it won't work, we get paid
  again to fix it.

    [BTW, does anyone else recall that none of the U.S. submarine torpedoes
    in WWII worked until quite late into the war?  I don't believe that it
    was acknowledged at the time—due to secrecy—and then after the war
    no one cared because we won.  HB]

David Willman, *LA Times*, 17 Mar 2016
Pentagon skips tests on key component of U.S.-based missile defense system
http://www.latimes.com/nation/la-na-missile-defense-hot-fire-testing-20160317-story.html

Against the advice of its own panel of outside experts, the U.S. Missile
Defense Agency is forgoing tests meant to ensure that a critical component
of the nation's homeland missile defense system will work as intended.

The tests that are being skipped would evaluate the reliability of small
motors designed to help keep rocket interceptors on course as they fly
toward incoming warheads.

The components, called alternate divert thrusters, are vital to the
high-precision guidance required to intercept and destroy an enemy warhead
traveling at supersonic speed—a feat likened to hitting one speeding
bullet with another.

The interceptors, deployed in underground silos at Vandenberg Air Force Base
in Santa Barbara County and at Ft. Greely, Alaska, are the backbone of the
Ground-based Midcourse Defense system (GMD)—the nation's main defense
against a sneak attack by North Korea or Iran.

The interceptors are multi-stage rockets, each with a 5-foot-long *kill
vehicle* at its tip.  The 150-pound kill vehicle is designed to separate
from its rocket in space, fly independently at 4 miles per second and crash
into an enemy warhead, destroying it.

The performance of the divert thrusters, which are supposed to keep the kill
vehicles on course during their final approach to their targets, has been a
source of concern for several years.  In response, the Missile Defense
Agency oversaw development of a new and supposedly better version, the
alternate divert thruster.

An outside panel of experts privately advised the agency to put the
alternate divert thrusters through *hot fire* testing, in which they would
be revved up on the ground to see whether they burned smoothly and delivered
adequate propulsion.

But in order to stay on schedule for a planned expansion of the GMD system,
none of the 40 thrusters that are being installed on 10 new interceptors
will undergo hot-fire testing, government officials told the Los Angeles
Times.

Forgoing the tests “increases the risk for reliability issues going
undetected,'' according to a newly released report by the U.S. Government
Accountability Office.  The report says that such testing “verifies proper
performance and workmanship.'' [...]

http://www.gao.gov/assets/680/675263.pdf


Microsoft servers to bottom of ocean (I-HLS)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Fri, 18 Mar 2016 12:53:40 -0500
Microsoft has found that the bottom of the ocean is a good place for
servers, because water at the bottom of an ocean usually stays at a stable
relatively cold temperature, eliminating need for much of the vigorous
cooling traditional data centers require.

What could go wrong with server farms on the bottom of the ocean?  Read
science fiction if the answers are not obvious.

In Missing Man novel, cyber attack takes out an under-water city, by
tampering with the air-conditioning controls.

https://sciencefictionruminations.wordpress.com/2011/10/08/book-review-missing-man-katherine-maclean-1976/

Sea Floor datacenters had better have good off-site (on land) backup, in
case of a leak taking them out of commission, and good insurance if human
technicians are to be sent down there to maintain the hardware (How severe
risk of the bends, and are there sharks down there?).  How difficult would
it be for a drone submarine to hack their contents?  (We know drug smugglers
use narco-subs to transport drugs from the shores of Columbia to the inland
rivers of North America.)

http://i-hls.com/2016/02/68173/

The team behind the project is also looking to wave power generating
equipment to harvest the hydrokinetic energy of the sea, further reducing
operating costs.  That is another area of risk.  If we muck with ocean
currents, that could undermine their path, and if Europe loses the warmth of
the Gulf Stream, that is tantamount to an act of weather war.

https://en.wikipedia.org/wiki/Gulf_Stream

  [Don't forget that certain sea creatures might be attracted to the
  differential warmth, just as squirrels have knocked out SRI's power on
  multiple occasions—more recently at the junction between our
  co-generation plant and PG&E.  PGN]


U.S. war on Tor encryption (I-HLS)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Fri, 18 Mar 2016 12:18:06 -0500
A federal judge confirmed that the Software Engineering Institute (SEI
<http://www.sei.cmu.edu/> ) of Carnegie Mellon University (CMU) was
commissioned by the US government to break ultra-secure Tor network
encryption, according to court documents.
<https://assets.documentcloud.org/documents/2719591/Farrell-Weds.pdf> PDF
Prior to this confirmation, the FBI was able to deny or cover up some of the
facts, and people, who believed the FBI, drew erroneous conclusions about
what was going on.  There were also some suspicions when these researchers
canceled a presentation on this topic.  That sometimes happens when there
is a court order to shut up.

This project may have destroyed CERT <http://www.cert.org/> Coordination
Center (CERT/CC) reputation both as an honest broker in protecting
cyber-security, and having the integrity of academic standards that human
beings privacy and civil rights should never be violated by research or
other means, without informed consent, or National Security Letter (NSL), or
proper court approval.  If it was an NSL, recipients may go through their
lawyer to protest it, and SEI-CMU administrators should have realized the
potential damage to their reputations by accepting this mission. The US has
spent $1.73 billion on this?  DoD organized the project, while the FBI got
the advantage from it, leading to some people speculating that the FBI had
conducted this hacking operation.  Perhaps SEI-CMU has decided to exit the
Cert/CC service, and go into different fields of specialty.

US defendants have a right to face their accusers, which includes how the
evidence was obtained, so when the government's evidence was obtained by new
technologies they want to keep secret, they have a choice:

* Use only evidence obtained by means they do not want to keep secret;
* Use the formerly secret evidence gathering, knowing that the trial will
  reveal it;
* Do not prosecute those people;
* Seek secret trial.

As statements come out in court as to how the IP addresses of the defendants
were uncovered, Tor thinks a vulnerability has been identified, that they
can patch, to prevent that from ever happening again.

http://i-hls.com/2016/03/carnegie-mellon-tor-attack-confirmed/
http://thehackernews.com/2016/02/tor-hack.html
https://www.schneier.com/blog/archives/2015/11/did_carnegie-me.html
https://www.deepdotweb.com/2016/02/28/court-documents-confirm-cmu-paid-by-government-in-tor-attacks/
http://www.wired.com/2016/02/fbis-tor-hack-shows-risk-subpoenas-security-researchers/
https://blog.torproject.org/blog/statement-tor-project-re-courts-february-23-order-us-v-farrell
https://blog.torproject.org/blog/recent-black-hat-2014-talk-cancellation


Brazen Heist of Millions Puts Focus on the Philippines

Monty Solomon <monty@roscom.com>
Thu, 17 Mar 2016 03:18:34 -0400
The country's lightly regulated casinos and tough bank secrecy laws had
prompted warnings from the United States and money-laundering experts before
the theft.

http://www.nytimes.com/2016/03/17/business/dealbook/brazen-heist-of-millions-puts-focus-on-the-philippines.html


Denver Police Caught Misusing Databases Got Light Punishments

Monty Solomon <monty@roscom.com>
Thu, 17 Mar 2016 09:22:01 -0400
The mining of criminal justice databases for personal use has raised
questions on privacy abuse in cases across the country.

http://www.nytimes.com/2016/03/18/us/denver-police-criminal-databases-personal-use.html


Where Computers Defeat Humans, and Where They Can't

Monty Solomon <monty@roscom.com>
Thu, 17 Mar 2016 09:26:51 -0400
http://www.nytimes.com/2016/03/16/opinion/where-computers-defeat-humans-and-where-they-cant.html

Why it matters that Google's program defeated the world's best [human] Go
player.


How Microsoft copied malware techniques to make Get Windows 10 the world's PC pest

Lauren Weinstein <lauren@vortex.com>
Fri, 18 Mar 2016 11:53:58 -0700
  Windows users who decline to use it find it is repeatedly reintroduced.
  The language of the counter-malware industry is more appropriate than the
  language of enterprise IT for GWX.  GWX subverts a channel intended for
  one purpose (security hotfixes) for another (advertising); it changes its
  *attack vectors*, it uses *polymorphic* techniques; and it consistently
  overrides users' actions and permissions.

http://www.theregister.co.uk/2016/03/17/microsoft_windows_10_upgrade_gwx_vs_humanity/


Apple Encryption Engineers, if Ordered to Unlock iPhone, Might Resist (NYTimes)

Lauren Weinstein <lauren@vortex.com>
Thu, 17 Mar 2016 14:12:41 -0700
  If the F.B.I. wins its court fight to force Apple's help in unlocking an
  iPhone, the agency may run into yet another roadblock: Apple's engineers.
  Apple employees are already discussing what they will do if ordered to
  help law enforcement authorities. Some say they may balk at the work,
  while others may even quit their high-paying jobs rather than undermine
  the security of the software they have already created, according to more
  than a half-dozen current and former Apple employees.  Among those
  interviewed were Apple engineers who are involved in the development of
  mobile products and security, as well as former security engineers and
  executives.

http://www.nytimes.com/2016/03/18/technology/apple-encryption-engineers-if-ordered-to-unlock-iphone-might-resist.html?partner=rss&emc=rss

  [Monty Solomon noted:
    The potential resistance adds a wrinkle to a very public fight over access
    to an iPhone used by one of the San Bernardino attackers.
  PGN]


This is the phone NSA suggested Clinton use: A $4,750 Windows CE PDA

Lauren Weinstein <lauren@vortex.com>
Thu, 17 Mar 2016 13:58:10 -0700
This is the phone NSA suggested Clinton use: A $4,750 Windows CE PDA

http://arstechnica.com/information-technology/2016/03/this-is-the-phone-nsa-suggested-clinton-use-a-4750-windows-ce-pda/

  When former Secretary of State Hillary Clinton was pushing to get a waiver
  allowing her to use a BlackBerry like President Barack Obama back in 2009,
  the National Security Agency had a very short list of devices approved for
  classified communications. It was two devices built for the Secure Mobile
  Environment Portable Electronic Device (SME PED) program.  In fact, those
  devices were the only thing anyone in government without an explicit
  security waiver (like the one the president got, along with his souped-up
  BlackBerry 8830) could use until as recently as last year to get mobile
  access to top secret encrypted calls and secure e-mail.  Despite $18
  million in development contracts for each of the vendors selected to build
  the competing SME PED phones (or perhaps because of it), the resulting
  devices were far from user-friendly. The phones—General Dynamics'
  Sectéra Edge and L3 Communications' Guardian—were not technically
  *smart phones*, but instead were handheld personal digital assistants with
  phone capability, derived from late 1990s and early 2000s technology that
  had been hardened for security purposes—specifically, Windows CE
  technology.


CRYPTO-GRAM, March 15, 2016 (Bruce Schneier)

Bruce Schneier <schneier@schneier.com>
Tue, 15 Mar 2016 02:03:58 -0500
  [I often excerpt from Bruce's Crypto-Gram.  This issue is so full of
  goodies that I'm just listing the Table of Contents.  PGN]

In this issue:

      Data Is a Toxic Asset
      The FBI vs. Apple: Decrypting an iPhone
      Lots of News and Essays about the FBI vs. Apple
      The Importance of Strong Encryption to Security
      News
      Security Implications of Cash
      WikiLeaks Publishes NSA Target List
      Schneier News
      Resilient Systems News: IBM to Buy Resilient Systems
      Cheating at Professional Bridge
      Simultaneous Discovery of Vulnerabilities

Bruce Schneier, CTO, Resilient Systems, Inc. https://www.schneier.com
Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily
those of Resilient Systems, Inc.  Copyright (c) 2016 by Bruce Schneier.  For
back issues, or to subscribe, visit
<https://www.schneier.com/crypto-gram.html>.


Bangladesh Bank Chief Resigns After Cyber Theft of $81 Million (NYTimes)

Monty Solomon <monty@roscom.com>
Thu, 17 Mar 2016 09:33:39 -0400
http://www.nytimes.com/2016/03/16/world/asia/bangladesh-bank-chief-resigns-after-cyber-theft-of-81-million.html


Re: Hackers steal $81M from Bangladesh (RISKS-29.35)

"John Levine" <johnl@iecc.com>
16 Mar 2016 23:14:31 -0000
  [was: Typo thwarts hackers in $1 billion cyber heist]

*Thwarts* is rather an overstatement, since the crooks stole $101M—of
which only $20M has been retrieved, and $81M is a lot of money for a country
as poor as Bangladesh.  The $81M went to banks in the Philippines—$50M to
accounts belonging to casinos, and $30M in cash to a man in Manila.  It's a
political issue there, as well.  ($30M in $100 bills weighs over 600 pounds,
so it's not like the guy walked out of the bank with a briefcase.)

Bangladesh's well-regarded finance minister has resigned, and several of his
subordinates were fired (and probably more) for trying to cover up the theft
and not telling him about it.

According to the *Financial Times*, they were SWIFT transfer requests that
were fully authenticated at the New York end.  The FT says that the current
assumption is that Bangladeshi computers were compromised by malware, and a
lot of people would like to know the details.  Another question is why the
thefts, which happened a month ago, have just become public now.

https://next.ft.com/content/4275601e-be2d-3529-a5f0-702e635e02ca

  [Clearly, no one should be allowed to have meaningfully secure computers
  and strong crypto—not even the U.S. Government!  That would solve
  problems such as this one, even if it is not yet April Fools' Day.  PGN]


Re: Typo thwarts hackers in $1 billion cyber heist on Bangladesh central bank ... (RISKS-29.35)

"Bob Frankston" <Bob2@bob.ma>
17 Mar 2016 22:45:45 -0400
The interesting question is what does “The spokesman said the payment
instructions were 'fully authenticated' using standard methods.'' mean given
the amounts involved?

Please report problems with the web pages to the maintainer

Top