The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 37

Monday 21 March 2016

Contents

Flaw in iMessage fixed in today's release of iOS 9.3
Nakashima via PGN
Printer Error Triggered Bangladesh Race to Halt Cyber Heist
Bloomberg
Hackers Stalked Bangladesh Bank for Two Weeks Before Big Heist
Bloomberg
Indian parliament passes bill that enables mass domestic surveillance
Jean Drèze via Prashanth Mundkur
A View of ISIS's Evolution in New Details of Paris Attacks
NYTimes
Child-safety risk due to hyphenation
Mark Brader
How a Fitbit May Make You a Bit Fit
NYTimes
AI detects Twitter tweets sent under influence of alcohol
Mark Thorson
Spoofing the boss
Al Macintyre
Ukraine Electric SANS Report
Dark Reading via Al Mac
American Express 3rd-party breach
Al Macintyre
Re: Apple vs FBI
Carl Byington
Re: Pentagon skips tests on key component of U.S.-based missile defense system
Wols
Re: U.S. war on Tor encryption
David Brunberg
Re: Great encryption segment from John Oliver, with Matt Blaze cameo
Gary Barnes
Info on RISKS (comp.risks)

Flaw in iMessage fixed in today's release of iOS 9.3

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 21 Mar 2016 13:26:55 PDT
Matt Green and colleagues at Johns Hopkins University found a nasty bug that
allowed iMessage to be seriously compromised.  They discovered the flaw
several months ago, but it was not fixed until now.  Today's article by
Ellen Nakashima in *The Washington Post* summarizes the situation and its
broader implications.

https://www.washingtonpost.com/world/national-security/johns-hopkins-researchers-discovered-encryption-flaw-in-apples-imessage/2016/03/20/a323f9a0-eca7-11e5-a6f3-21ccdbc5f74e_story.html


Printer Error Triggered Bangladesh Race to Halt Cyber Heist (Bloomberg)

Monty Solomon <monty@roscom.com>
Sun, 20 Mar 2016 18:19:47 -0400
http://www.bloomberg.com/news/articles/2016-03-16/printer-error-set-off-bangladesh-race-to-halt-illicit-transfers


Hackers Stalked Bangladesh Bank for Two Weeks Before Big Heist (Bloomberg)

Monty Solomon <monty@roscom.com>
Sun, 20 Mar 2016 18:12:28 -0400
http://www.bloomberg.com/news/articles/2016-03-18/hackers-stalked-bangladesh-bank-for-two-weeks-before-big-heist


Indian parliament passes bill that enables mass domestic surveillance

Prashanth Mundkur <prashanth.mundkur@gmail.com>
Sat, 19 Mar 2016 11:15:27 -0700
The 'Aadhaar' bill has passed in the Indian parliament without any privacy
measures recommended by the parliamentary opposition.  As Jean Drèze pointed
out,

Jean Drèze, *The Hindu*, 15 Mar 2016
The Aadhaar coup
http://www.thehindu.com/opinion/lead/jean-dreze-on-aadhaar-mass-surveillance-data-collection/article8352912.ece

  The Aadhaar Bill opens the door to mass surveillance. This danger needs to
  be seen in the light of recent attacks on the right to dissent.  No other
  country, and certainly no democratic country, has ever held its own
  citizens hostage to such a powerful infrastructure of surveillance.

Even before the bill passed, Indian companies were advertising products
relying on their access to the identity database, which includes biometric
information.

Usha Ramanathan, *Scroll.in*, 15 Mar 2016, The future is here:
A private company claims it can use Aadhaar to profile people
http://scroll.in/article/805201/the-future-is-here-a-private-company-claims-to-have-access-to-your-aadhaar-data


A View of ISIS's Evolution in New Details of Paris Attacks (NYTimes)

Monty Solomon <monty@roscom.com>
Sun, 20 Mar 2016 14:08:24 -0400
http://www.nytimes.com/2016/03/20/world/europe/a-view-of-isiss-evolution-in-new-details-of-paris-attacks.html

A 55-page French report details how the attackers used disciplined
communications, identified soft targets and perfected bomb-making techniques
after two years of failures.


Child-safety risk due to hyphenation

Mark Brader
Mon, 21 Mar 2016 11:33:35 -0400 (EDT)
911 is the phone number for emergency services in the US and Canada, but
because of fears that someone might not be able to "find the 11 key", it is
sometimes spelled 9-1-1.  (Apparently there is no concern for people who
might not be able to find the hyphen key.)

Last night in Toronto the father of a 3-month-old baby stepped out of his
car and left the engine running, and the car was stolen with the child
inside.  In due course the police issued an AMBER Alert, which included an
automated announcement broadcast on radio stations, and the baby was found
safe, asleep in the abandoned car.

Now I never listen to radio if I can avoid it, but my wife told me about
this this morning: the AMBER announcement on the radio was not recorded, but
voice-synthesized.  And in the part where it said to call the police if you
had information, it gave the number to call as "September 1, 2001".

(But if it had been entered as 911, would the synthesized speech have
pronounced it "nine hundred eleven"?)
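The failure described above is a text-normalization ordering problem: a date rule gets to see "9-1-1" before anything recognises it as a phone number. The following is an added illustration, written for this digest and not the synthesizer used in the Toronto alert; the normalizer, the emergency-number allowlist and the "call/dial" context check are all hypothetical.

```python
"""How a text-to-speech front end can turn '9-1-1' into a date, and one way to
stop it. Added example: the normalizer is a toy, not any real TTS product."""
import re

MONTHS = [None, "January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]
DIGITS = ["zero", "one", "two", "three", "four", "five", "six", "seven", "eight", "nine"]

# Constructed allowlist: strings that must be read digit by digit, never as a date.
PROTECTED_NUMBERS = {"911", "999", "112"}

# d-d-d(d) groups such as 9-1-1 or 9-1-16; the naive rule treats them all as dates.
DATE_RE = re.compile(r"\b(\d{1,2})-(\d{1,2})-(\d{1,4})\b")
BARE_RUN_RE = re.compile(r"\b\d{3,}\b")


def naive_normalize(text: str) -> str:
    """Date-first rule: every d-d-d(d) group becomes a spoken date (the failure)."""
    def to_date(m):
        month, day, year = (int(g) for g in m.groups())
        if not 1 <= month <= 12:
            return m.group(0)
        if year < 100:            # short year pivots to 20xx, so '1' becomes 2001
            year += 2000
        return f"{MONTHS[month]} {day}, {year}"
    return DATE_RE.sub(to_date, text)


def spell_digits(s: str) -> str:
    """'911' -> 'nine one one'."""
    return " ".join(DIGITS[int(c)] for c in s if c.isdigit())


def safe_normalize(text: str) -> str:
    """Resolve phone-number readings before the date rule runs on the text."""
    def guard(m):
        digits = m.group(0).replace("-", "")
        before = text[max(0, m.start() - 30):m.start()].lower()
        # Emergency numbers, or a group introduced by call/dial/phone, are numbers.
        if digits in PROTECTED_NUMBERS or re.search(r"\b(call|dial|phone)\b", before):
            return spell_digits(digits)
        return m.group(0)

    def guard_bare(m):
        return spell_digits(m.group(0)) if m.group(0) in PROTECTED_NUMBERS else m.group(0)

    guarded = DATE_RE.sub(guard, text)
    guarded = BARE_RUN_RE.sub(guard_bare, guarded)
    return naive_normalize(guarded)   # dates elsewhere in the text still expand


if __name__ == "__main__":
    alert = "If you have information, call 9-1-1."
    print("naive:", naive_normalize(alert))
    print("safe: ", safe_normalize(alert))
    print("date: ", safe_normalize("The hearing is 9-1-16."))
```

The guard answers the closing question as well: a bare "911" in the allowlist is spelled out rather than left for a number rule to read as "nine hundred eleven", while an ordinary date such as 9-1-16 still expands normally.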


How a Fitbit May Make You a Bit Fit (NYTimes)

Monty Solomon <monty@roscom.com>
Sun, 20 Mar 2016 17:15:50 -0400
http://www.nytimes.com/2016/03/20/opinion/sunday/how-a-fitbit-may-make-you-a-bit-fit.html

Millions now have fitness-tracking devices. But are they any use?


AI detects Twitter tweets sent under influence of alcohol

Mark Thorson <eee@sonic.net>
Sun, 20 Mar 2016 22:00:32 -0700
It lacks only one feature—automatically sending notifications to your
medical and car insurance companies and your employer.

https://www.technologyreview.com/s/601051/machine-learning-algorithm-identifies-tweets-sent-under-the-influence-of-alcohol/


Spoofing the boss

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Sat, 19 Mar 2016 17:46:10 -0500
Most new forms of crime start small, experiment with approaches, to become
polished, then grow into many areas.  This one has been around for a few
years, and now is growing.

Crooks easily learn how they can pretend to be the top boss of some outfit,
as that is usually public info, then they fake out various departments to
send them the company's crown jewels: lots of money, and lots of employee
PII, for more stealing. It is called the CEO scam, because it works when
the top boss has not authorized sufficient security training for the work
force to be able to resist this form of phishing.

In addition to a lack of good training, and testing to verify the training
"took," companies can be more vulnerable to this if the top boss is not
approachable, to ask for verification of strange instructions, or if
corporate culture means it does not seem unusual for something confidential
going on, which they want you to handle.

https://www.riskbasedsecurity.com/2016/03/hr-departments-gone-phishing/

Within a week, another dozen outfits had been identified, which had fallen
victim to similar spoofing, exploiting workers whose employers have not
provided adequate security training. Some of them have additional
departments with data these crooks might want, such as Customer PII, Student
PII, Patient PII.  If the crooks were more skilled, they should have gone
after all of this at one time, because some of these targets may learn from
one breach how to prevent more.

As of 10 weeks into 2016, this RISK BASED SECURITY outfit has found there
have already been over 535 data breaches disclosed and more than 175 million
records compromised.

https://www.riskbasedsecurity.com/2016/03/hr-departments-part-2-still-out-phishing/

KREBS ON SECURITY reminds us that when companies fall victim to this
corporate phishing, their cyber security insurance policy is no help,
because this is not considered to be a breach of the computer systems,
rather it is a breach of human behavior policies.

http://krebsonsecurity.com/tag/ceo-fraud/

CEO Scam falls within a larger category of phishing known as business e-mail
compromise (BEC).

In France, it is called "fraude au president," or "fake President fraud"

http://www2.deloitte.com/lu/en/pages/about-deloitte/articles/fake-presidents.html

It can come in many forms.

1. Someone poses as a boss of a company instructing staff to make a wire
   transfer into the fraudster's account

2. Fraudsters pose as the IT services department of a bank saying they want
   to make a test transfer - but it's not a test

3. Fraudsters claim to be a supplier and ask for outstanding invoices to be
   paid into a new bank account

4. Employees click on links within phishing emails containing malware which
   authorizes many small payments to the fraudster's account

Over a year ago, the FBI said that US businesses had lost about $750
million and counting, thanks to this form of fraud, with the total being
about $2 billion worldwide.

https://www.fbi.gov/news/stories/2015/august/business-e-mail-compromise/business-e-mail-compromise
http://krebsonsecurity.com/2015/08/fbi-1-2b-lost-to-business-email-scams/
http://www.bbc.com/news/business-35250678

Many corporate leaders do not believe in good security, because they believe
their companies do not have much worth stealing.  Well, if they have
employees, customers, money in banks, assets of any kind, those are targets
for future fraud.

Crooks steal payroll data, and company bank accounts, by pretending to be
the top boss of company with a special request.

Now they steal from banks by pretending to be the Central Bank, of a nation.

What next? From which government agencies are we most likely to jump,
rather than questioning their credentials, when they issue us commands?

http://www.bankinfosecurity.com/russian-banks-targeted-by-fake-security-alerts-a-8975
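Training is the control the post argues for; a mail gateway can also screen for the mechanics of the scam before a message reaches the work force. The following is an added example written for this digest, not code from any of the sources cited above. The corporate domain, the executive roster and the sample message are constructed; the lure phrase list is a starting point, not a complete one.

```python
"""Heuristic screen for executive-impersonation ("CEO scam" / BEC) e-mail.

Added example; the domain, roster and headers are constructed. In a real
deployment the roster comes from the directory and the headers from the gateway.
"""
import re
from email.utils import parseaddr

CORP_DOMAIN = "example-corp.com"                           # assumed corporate domain
EXECUTIVES = {"Pat Chief": "pat.chief@example-corp.com"}   # constructed roster

# Vocabulary typical of payment- and PII-diversion lures (not exhaustive).
LURE_PATTERNS = [
    r"\bwire transfer\b", r"\bW-?2s?\b", r"\bpayroll\b",
    r"\bconfidential\b", r"\burgent\b", r"\bnew bank account\b",
]


def normalize_name(name: str) -> str:
    """Lower-case and collapse whitespace so 'PAT  Chief' matches 'Pat Chief'."""
    return " ".join(name.lower().split())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike domains (examp1e-corp.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_message(headers: dict, body: str) -> list:
    """Return textual findings; an empty list means nothing looked suspicious."""
    findings = []
    from_name, from_addr = parseaddr(headers.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""

    # 1. An executive's display name on an address that is not the roster address.
    execs = {normalize_name(n): a.lower() for n, a in EXECUTIVES.items()}
    key = normalize_name(from_name)
    if key in execs and from_addr.lower() != execs[key]:
        findings.append(f"display name '{from_name}' used with non-roster address {from_addr}")

    # 2. Sender domain close to, but not equal to, the corporate domain.
    if from_domain and from_domain != CORP_DOMAIN and edit_distance(from_domain, CORP_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain {from_domain}")

    # 3. Reply-To steering replies away from the visible sender.
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # 4. Lure vocabulary in subject or body.
    text = headers.get("Subject", "") + "\n" + body
    hits = sorted({p for p in LURE_PATTERNS if re.search(p, text, re.IGNORECASE)})
    if hits:
        findings.append("lure phrases: " + ", ".join(hits))
    return findings


# Constructed sample message that the screen should flag on all four rules.
SAMPLE_HEADERS = {
    "From": "Pat Chief <pat.chief@examp1e-corp.com>",
    "Reply-To": "pat.chief.office@mail-example.net",
    "Subject": "Urgent and confidential: wire transfer today",
}
SAMPLE_BODY = ("I need you to handle a wire transfer to a new bank account "
               "before 3pm. Keep this between us.")

if __name__ == "__main__":
    for finding in screen_message(SAMPLE_HEADERS, SAMPLE_BODY):
        print("FLAG:", finding)
```

None of the four checks is proof of fraud on its own; the design intent is that a message tripping several of them is held for the out-of-band verification the post describes, a phone call to the boss at a number already on file.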


Ukraine Electric SANS Report (Dark Reading)

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Sun, 20 Mar 2016 20:10:00 -0500
Investigators into the Ukraine Electric Grid attack have issued reports
answering some questions with technical details, where many earlier articles
had only speculation and assumptions on how perhaps it could have happened.

http://arstechnica.com/security/2016/02/hackers-did-indeed-cause-ukrainian-power-outage-us-report-concludes/

The Ukraine government continues to blame Russia, not yet proven.  Clues to
the attackers are a choice of attacks seemingly to highlight apparent
incompetence, and who has obvious motivation.  But attribution is secondary
to what happened, and what steps are needed to prevent that ever happening
again.

https://swannysec.net/
http://www.robertmlee.org/the-problems-with-seeking-and-avoiding-true-attribution-to-cyber-attacks/

* Attackers used stolen user credentials to remotely access and manipulate
the industrial control systems (ICS) and shut down power for some 225,000
Ukrainian power customers on Dec. 23, 2015.  There were similar attacks on
other companies, with less devastation.

* Like many targeted attacks, the Ukraine power grid attack began with
spearphishing email containing a malware-rigged attachment. In this case,
Word Documents and Excel spreadsheets that when opened by users in the
companies' business network, dropped BlackEnergy3 malware that lurked around
and stole legitimate user credentials.

* Firewalls separated the Business Networks from the Power Control System.
But the attackers used stolen Virtual Private Network (VPN) credentials to
reach the industrial control systems (ICS) network, and remote access tools
to control the HMIs and pull the breakers.  VPN connections between the
Ukraine power companies' ICS and enterprise networks did not appear to use
two-factor authentication. At my day job we had VPN credentials not stored
anywhere unencrypted on our systems, so they could not be easily stolen by
normal intruders.

* There were related attacks: installing their custom firmware on
substations; disconnecting Uninterruptible Power Systems (UPS) to delay
restart (using a remote interface); destroying evidence of what they had
done; and denial-of-service attack on the power companies' telephone
systems.  The customized firmware meant that even if HQ personnel had
regained remote access to the Supervisory Control and Data Acquisition
(SCADA) systems, power could not be restored, except by visiting in person.

* The firewall allowed the adversary to remote admin out of the environment
utilizing a remote access capability native to the systems.

* The Ukraine power grid attackers hid in plain sight for six months,
gradually gathering enough intelligence and knowledge to figure out how to
access and manipulate the HMI and turn out the lights. Had the power
companies been running network security monitoring tools, they could have
spotted that activity.  Also, if National Security in Europe, has
surveillance up to NSA standards, they probably could back trace whether the
hacking came from Russian government, or private entities.  If so, they
probably won't make that public info.

SANS
<https://ics.sans.org/blog/2016/02/25/thoughts-on-the-ics-cert-ukraine-cyber-attack-report/>,
in conjunction with the North American Reliability Corporation (NERC,
<http://www.nerc.com/AboutNERC/Pages/default.aspx>)'s E-ISAC
<http://www.nerc.com/pa/CI/ESISAC/Pages/default.aspx>, published an
in-depth postmortem analysis by SANS ICS experts of the attack
<http://www.darkreading.com/threat-intelligence/more-signs-point-to-cyberattack-behind-ukraine-power-outage/d/d-id/1323927>,
based on details revealed by ICS-CERT
<https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01> late last month
as well as other public information.  I could not find a link to the actual
report on E-ISAC nor SANS.

http://www.darkreading.com/vulnerabilities---threats/lessons-from-the-ukraine-electric-grid-hack/d/d-id/1324743?_mc=RSS_DR_EDT

http://www.tripwire.com/state-of-security/latest-security-news/u-s-ics-cert-confirms-cyber-intrusions-behind-ukraine-power-outages/

Several cyber security companies have issued info clarifying what is known
so far about the attack on the Ukrainian Electric Grid, and challenges for
getting all desired answers.

http://www.archerenergysolutions.com/lights-out-researcher-says-he-knows-how-cyber-invaders-attacked-ukraine-power-companies/

http://www.antiy.net/p/comprehensive-analysis-report-on-ukraine-power-system-attacks/

Questions I would like to see answered:

* How often are critical infrastructures supposed to have security audits?

* If & when a place gets a poor result from an audit, are government
  regulators, customers, and investors kept informed?

* Some of the attack was witnessed by an operator, who realized he no longer
  had control of the computer in front of him.  What are we supposed to do
  when that happens?  Disconnect our terminal? Power down the computer
  network? Notify what authority?

* Is it true that some US electric grid facilities have weaker defenses than
  in the Ukraine?

* What other nations have similar vulnerabilities?

* Are electric companies, around the world, learning from what happened in
  the Ukraine, like our nuclear industry learned from Fukushima?

http://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/

http://www.nytimes.com/2016/03/01/us/politics/utilities-cautioned-about-potential-for-a-cyberattack-after-ukraines.html

http://www.bbc.com/news/technology-35686493

https://www.lawfareblog.com/hot-commodities-what-comes-down (this link
reviews many topics in the news; scroll about 1/3 down to Denial of
Service).

http://www.worldfinance.com/markets/our-critical-infrastructure-could-be-the-next-target-for-cyber-attackers
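Two of the findings above translate directly into log checks a utility could run today: VPN logins that reach the control network without a second factor, and remote-admin traffic leaving the ICS zone through a firewall that permits it. The following is an added example written for this digest, not code from SANS, E-ISAC or any vendor cited above; the log formats, zone names and every record are constructed, and the port list is a placeholder to be matched to the real environment.

```python
"""Detections drawn from the Ukraine grid post-mortem: VPN access to the control
network without MFA, and remote-admin connections leaving the ICS zone.
Added example; the log format and all records below are constructed."""
from collections import Counter

# Constructed VPN-concentrator log: user, source IP, zone reached, MFA used?
VPN_LOG = """\
2015-12-23T14:02:11 vpn-login user=op_ivanova src=198.51.100.7 zone=ICS mfa=yes
2015-12-23T14:05:40 vpn-login user=op_petrov src=203.0.113.9 zone=ICS mfa=no
2015-12-23T14:07:02 vpn-login user=svc_backup src=203.0.113.9 zone=ICS mfa=no
2015-12-23T14:09:15 vpn-login user=hr_kovalenko src=198.51.100.22 zone=BUSINESS mfa=no
"""

# Constructed firewall log: source/destination zones, destination port, action.
FW_LOG = """\
2015-12-23T14:10:01 conn src=10.20.0.15 szone=ICS dst=192.0.2.44 dzone=INTERNET dport=3389 action=allow
2015-12-23T14:10:05 conn src=10.20.0.15 szone=ICS dst=10.20.0.2 dzone=ICS dport=502 action=allow
2015-12-23T14:11:30 conn src=10.10.5.8 szone=BUSINESS dst=192.0.2.80 dzone=INTERNET dport=443 action=allow
2015-12-23T14:12:12 conn src=10.20.0.31 szone=ICS dst=192.0.2.44 dzone=INTERNET dport=5900 action=allow
"""

REMOTE_ADMIN_PORTS = {22, 3389, 5900}   # SSH, RDP, VNC; placeholder list


def parse_kv(line: str) -> dict:
    """Turn 'ts event k=v k=v ...' into a dict carrying 'ts' and 'event' too."""
    ts, event, *pairs = line.split()
    rec = {"ts": ts, "event": event}
    rec.update(p.split("=", 1) for p in pairs)
    return rec


def vpn_without_mfa(log: str, protected_zone: str = "ICS") -> list:
    """VPN logins that reach the protected zone without a second factor."""
    out = []
    for line in log.splitlines():
        r = parse_kv(line)
        if r["event"] == "vpn-login" and r["zone"] == protected_zone and r["mfa"] != "yes":
            out.append((r["ts"], r["user"], r["src"]))
    return out


def ics_outbound_remote_admin(log: str, ics_zone: str = "ICS") -> list:
    """Permitted connections from the ICS zone to the Internet on remote-admin ports."""
    out = []
    for line in log.splitlines():
        r = parse_kv(line)
        if (r["event"] == "conn" and r["szone"] == ics_zone and r["dzone"] == "INTERNET"
                and int(r["dport"]) in REMOTE_ADMIN_PORTS and r["action"] == "allow"):
            out.append((r["ts"], r["src"], r["dst"], int(r["dport"])))
    return out


def shared_source_ips(findings: list) -> Counter:
    """How many flagged logins share one source IP: several users from one
    address is what stolen-credential reuse looks like in the VPN log."""
    return Counter(src for _, _, src in findings)


if __name__ == "__main__":
    nomfa = vpn_without_mfa(VPN_LOG)
    for f in nomfa:
        print("VPN login without MFA into ICS:", f)
    for f in ics_outbound_remote_admin(FW_LOG):
        print("ICS -> Internet on remote-admin port:", f)
    print("flagged logins per source IP:", dict(shared_source_ips(nomfa)))
```

The second rule is the monitoring counterpart of the firewall point above: a control network that has no business reaching the Internet should produce zero such records, so any hit is worth an analyst's time rather than a threshold.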


American Express 3rd-party breach

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Sat, 19 Mar 2016 03:00:17 -0500
American Express notice of 3rd-party data breach, via a not yet named
service provider, used by some retailers.  American Express owned and
controlled systems were not affected.  It is still uncertain what all has
happened.

Data, associated with current or previously issued American Express cards,
may have been hacked, including account numbers, names, and expiration dates.

http://securityaffairs.co/wordpress/45387/cyber-crime/american-express-data-breach-notice.html

http://www.infosecurity-magazine.com/news/amex-investigates-possible-data/

Previous AmEx breaches occurred on 18 Oct and 21 Dec 2014, and on
22 Mar 2015, according to notifications on the California AG website
<https://oag.ca.gov/ecrime/databreach/list>:
<http://oag.ca.gov/system/files/CA%20AG%20Online%20Submission%20-%20Customer%20Letter_C2015080150_0.pdf?>
<http://oag.ca.gov/system/files/C2015020361%20CA%20AG%20-%20Customer%20Letter_0.pdf?>
<http://oag.ca.gov/system/files/CA%20AG%20-%20Customer%20Letter%20-%20C2015060341_0.pdf?>

Account numbers, names and other card information such as the expiration
dates were believed to have been exposed in all of the breaches while
four-digit security codes printed on the front of the cards were compromised
as well in the Dec 2014 and March 2015 incidents.

http://www.scmagazine.com/a-trio-of-breaches-hit-amex-travel-related-services-company/article/464686/

Comments on this next article, about the 3rd-party breach, debate whether
CHIP & PIN is a security improvement for the USA.

In my opinion, a major weak link is at the retailer.

Many, in my area, do not ask for a signature on check out, if the purchase
is below some $ amount.

When I asked why, at one store, the cashier showed that I had already signed
the back of the card.  That shows to them that they have my signature &
that's the only proof needed, much simpler than applying our signature with
every purchase, she said.

I complained about this policy at my bank which issued the credit card: if
a card is stolen, and has been signed on the back by the correct owner, then
this policy does not stop account fraud.  The bank informed me that it is
totally up to the retailer what kinds of security policies they will have.
So long as we have a credit card, stores with policies like this can accept
usage by crooks, so we need to be vigilant about checking our statements,
and keeping track of our plastic.

I have no idea how many retailers behave like this.

Does anyone sell a pocket sized faraday cage to hold our plastic, without
wiping it, or shocking us?

That way, no one can read the plastic until we actually take it out to make
a purchase.

https://threatpost.com/american-express-notifies-cardholders-of-third-party-breach/116817/


Re: Apple vs FBI

Carl Byington <carl@five-ten-sg.com>
Sat, 19 Mar 2016 17:50:02 -0700
FBI director Comey - "Before these devices came around, there was no closet,
basement or drawer in America that could not be entered with a judge's
order."

Mr. Comey does not know enough about PGP. I have many PGP encrypted files,
and if I die tomorrow, the clear text content of those files will be
permanently lost, and no order from a judge will change that.


Re: Pentagon skips tests on key component of U.S.-based missile defense system (RISKS-29.36)

Wols Lists <antlists@youngman.org.uk>
Fri, 18 Mar 2016 23:53:04 +0000
It took the resultant furore to get the problem fixed—the skipper
resorted to that tactic because previous complaints had just been
ignored.  From what I recall, it was either the depth-tracking gear didn't
work, or more likely the impact fuzes were at fault.


Re: U.S. war on Tor encryption (Al Mac)

David Brunberg <dbrunberg@gmail.com>
Fri, 18 Mar 2016 20:12:55 -0400
> US defendants have a right to face their accusers, which includes how the
> evidence was obtained, so when the government's evidence was obtained by
> new technologies they want to keep secret, they have a choice:

> ... [4 suggested options]

There is at least one more option available to them: that of parallel
construction ( https://en.m.wikipedia.org/wiki/Parallel_construction ).
Parallel construction is a method used by law enforcement agencies wishing
to hide their own unlawful activities when it comes to evidence gathering.
Once illegally obtained evidence points to a crime, the agency works
backward to create an alternate path that will be acceptable to courts,
without risking exposure of the techniques or technologies involved in their
unlawful primary investigation.


Re: Great encryption segment from John Oliver, with Matt Blaze cameo (RISKS-29.34)

Gary Barnes <gkb@adminspotting.org>
Sat, 19 Mar 2016 09:56:28 +0000 (UTC)
> https://www.youtube.com/watch?v=zsjZ2r9Ygzw

There's a RISK in assuming the whole world sees things on the Internet the
same way. Visitors from UK IP addresses visiting that link are told:

"The uploader has not made this video available in your country.
Sorry about that."
