The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 40

Friday 25 March 2016

Contents

Michael Hayden video comes out REALLY STRONG for Apple and encryption
PGN
Apple Worries That Spy Technology Has Been Secretly Added To The Computer Servers It Buys
LW
France demands right to be *global* Google censor
FT
Ransomware shuts restaurant
WTOP via Jeremy Epstein
Insurance Limits
IB Times
"America's obsession with social media is undermining the democratic process"
QZ
Children as young as seven caught sexting at school, study reveals
The Guardian
The Uber model, it turns out, doesn't translate
NYTimes
"How one yanked JavaScript package wreaked havoc" (Serdar Yegulalp)
Gene Wirchenko
Bangladesh bank heist investigator alive
IB Times
Hacker sells data stolen from Verizon's enterprise customers
Engadget
The Amateur Radio Operators Preparing for Disaster
The Atlantic
Utah Republicans conducting online primary voting
WashPo
FBI to use NAND mirroring to crack terrorist's iPhone
MacWorld
Verizon 2015 DBIR
Al Mac
Re: Pentagon skips tests on key component of U.S.-based missile
Anthony
Re: Radio Attack Lets Hackers Steal 24 Different Car Models
John Rivard
Steven Sprague
Re: American Express 3rd-party breach
Tony Finch
Info on RISKS (comp.risks)

Michael Hayden video comes out REALLY STRONG for Apple and encryption

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 24 Mar 2016 8:10:20 PDT
https://www.aei.org/publication/gen-michael-hayden-on-apple-the-fbi-and-data-encryption/

  [Thanks to Marty Hellman for extracting a few pithy comments from the former
  DIRNSA Michael Hayden video interview about the FBI-Apple legal fight.]

(0:20) Interviewer: You, one of the great national security leaders of our
country, have sort of backed Apple. What's happening here?

(0:40) Hayden: I just look at this in the security line, and frankly, given
the variety of threats that America faces, one needs to be careful that, in
dealing with this threat over here (points to right), we don't make it more
difficult to deal with that threat over here (points to left).

(1:26) Jim Clapper, the last two or three years in his worldwide threat
briefing, the Director of National Intelligence, has said the number one
threat facing America is the cyber threat.

(1:40) I think the government has the right to demand this. I just don't
know that it's a wise thing for the government to demand it.  My judgment is
that we're probably better served by not punching any holes into a strong
encryption system—even well guarded holes.

(2:07) [Interviewer says that if he has an alarm on his home and the
government gets a warrant, he needs to turn the alarm off and let them in.]
The tech companies are building technology that will blow up my home if you
try and come in.

(2:32) Hayden replies: Actually, in this case, you're asking the tech
companies to build a key that opens 320 million houses. That's really the
deal.

(3:00) This key isn't just to my house. This key opens everybody's
house.

(3:26) You play this out two or three moves down the board, we could have a
really bad outcome. What if you compel US companies to do this and we drive
the highest end encryption on the planet offshore. If you look, Apple has
actually been cooperative in all of the other things with regard to the
phone. All of what I call the digital exhaust that these folks have been
putting out. That was available to Apple and they shared it with the
government. It was available to them [the government] because they [the
terrorists] used an Apple product. They were in the Apple system. Now, if we
make Apple do this and offshore companies don't, we will drive the
international market to the offshore companies. And we will now not only not
get content, we won't get digital exhaust either.

(4:16) Mike McConnell, one of my predecessors at NSA [tried to get Clipper
chip baked into the silicon as a back door].  The Clinton administration
would have none of it. And Mike then tells the tale, Thus began the greatest
fifteen years in the history of electronic surveillance because everyone
going to digital devices created this ocean of data, much of it meta as
opposed to content. But, with metadata you can do an awful lot. To
specifically answer your question, under any circumstances, we're going to
get less content [but] it doesn't mean we're going to get less intelligence.


Apple Worries That Spy Technology Has Been Secretly Added To The Computer Servers It Buys

Lauren Weinstein <lauren@vortex.com>
Wed, 23 Mar 2016 17:00:05 -0700
Apple via NNSquad
https://apple.slashdot.org/story/16/03/23/2312208/apple-worries-that-spy-technology-has-been-secretly-added-to-the-computer-servers-it-buys

  According to Business Insider, "[Apple] worries that some of the equipment
  and cloud services it buys has been compromised by vendors who have agreed
  to put "back door" technology for government spying, according to a report
  from The Information's Amir Efrati and Steve Nellis." With many of its
  cloud-based services like iTunes, the App Store, and iCloud requiring
  enormous data centers to operate, Apple hasn't been able to build all the
  data centers it needs, and has instead been using services from its
  rivals, namely Amazon Web Services and Microsoft. Google recently landed
  Apple as a customer for the Google Cloud Platform. "Meanwhile, [Apple] has
  embarked on yet another attempt to build more of its own data centers to
  handle all of that, called Project McQueen, reports Jordan Novet at
  VentureBeat, and the project is having a rough go of it, reports The
  Information." Apple suspects that backdoors have been added to many of the
  servers it has been ordering from others. "At one point, the company even
  had people taking photographs of the motherboards in the computer servers
  it was using, then mark down exactly what each chip was, to make sure
  everything was fully understood."


France demands right to be *global* Google censor

Lauren Weinstein <lauren@vortex.com>
Thu, 24 Mar 2016 12:54:59 -0700
FT via NNSquad
Google handed EUR100,000 fine by French data regulator

http://www.ft.com/intl/cms/s/0%2Fa0cd2e94-f1e6-11e5-aff5-19b4e253664a.html#axzz43qrXvFNW

  On Thursday, the Commission nationale de l'informatique et des libertes
  (CNIL) said this solution did not go far enough, because it "does not give
  people effective, full protection of their right to be delisted".  The
  watchdog said that for Google to comply with the European court's ruling,
  links must be fully removed from all versions of its search engine and for
  all users.  Google's supporters claim that giving in to Europe would usher
  in a new form of censorship. Drawing on the precedent, they say,
  repressive countries would be able to insist that Google remove links from
  all its search engines to information they are trying to suppress,
  extending national censorship regimes around the world.

France wants to censor search results GLOBALLY—not just to users in
France but for everyone on the planet. And if France gets their way EVERY
COUNTRY ON THE PLANET will demand the right to remove search results they
don't like. Imagine what Putin, Chinese leaders, and other tyrants will do
with such power. I've been predicting this slippery slope all along. IT MUST
BE STOPPED.


Ransomware shuts restaurant

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Fri, 25 Mar 2016 09:21:49 -0400
http://wtop.com/money/2016/03/hard-times-cafe-in-rockville-hit-with-ransomware/

  A restaurant in Rockville MD (just outside Washington DC) has been shut
  down for several days because of ransomware in the point of sale devices
  (cash registers /ordering) and back office systems.

  Co-owner Howard: “The FBI tells us they can't keep up with ransomware
  cases.  The advice is either pay the ransom or shut down your entire
  systems and rebuild from scratch. And that's what we're doing.”

It's not clear to me why they can't just wipe the point of sale devices and
restore them to some predefined configuration (assuming they have backups,
of course!), but the back office systems are obviously a bigger issue.


Insurance Limits (IB Times)

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Thu, 24 Mar 2016 12:51:40 -0500
Insurance companies do not pay out claims when the victim had no security,
such as leaving building or car unlocked.

British Metropolitan Police Commissioner, Sir Bernard Hogan-Howe, has
suggested that similar rules should apply to victims of on-line crime who do
not take minimum cyber security precautions.

http://www.ibtimes.co.uk/victims-online-fraud-should-not-be-refunded-by-uk-banks-says-met-police-chief-1551416

I wonder how well the commissioner has been briefed on the methods of
attack.  There are constantly new criminal schemes being dreamed up to
exploit vulnerabilities, some of which were installed by NSA and GCHQ for
their surveillance purposes, refusing to believe that such vulnerabilities
could only be used by them.  Thus a person can have a good firewall,
anti-virus, anti-spam, other security, patched regularly, and still be
victimized.

In the USA, consumer victims of theft from bank accounts, who report thefts
promptly, are limited in their losses, but business accounts have no such
protection.  There have been lawsuits proving that banks violated their
contracts, but judges ruled in the bank's favor when the bank showed that it
had industry-standard cyber security, which is a very low threshold.

There are social engineering frauds, delivered by e-mail and phone calls,
leading company personnel to deliver large funds and significant assets to
crooks, where cyber insurance won't pay off, as this is not a computer
breach, but a breach of human practices.

There are millions of new victims of id theft every year, whose financial
lives are ruined.  The state of art of computer crimes policing is such that
it is rare that any victim learns what breach or breaches led to them
becoming a victim. They are not compensated by anyone for this, unless they
were wise enough to have had id theft insurance before they became
victimized.

There don't seem to be any standards for id theft insurance.  Mainstream
news media needs to deliver reviews of the quality of what's out there, and
the importance of having it, since this is a fast growing crime.


"America's obsession with social media is undermining the democratic process"

Lauren Weinstein <lauren@vortex.com>
Fri, 25 Mar 2016 08:57:26 -0700
http://qz.com/647064/americas-obsession-with-social-media-is-undermining-the-democratic-process/

  In an increasingly saturated online media landscape, the influence of
  social media may have outlived its usefulness.  Voters today are embracing
  presidential candidates who appeal to their specific passions and ideals
  without attempting to consider, or even listen to, opposing views.  This
  is perhaps unsurprising, given data about the effect of political
  polarization and media habits from the Pew Research Center.  The 2014
  survey found that voters who consistently call themselves conservative or
  liberal only trust news sources that align with their ideological views.
  "Our data shows that one of the things that has developed along side of
  the proliferation of news sources and social media platforms is that the
  political environment is also becoming more divided rather than more
  cohesive," Amy Mitchell, Pew's director of journalism research, tells
  Quartz.

Also see: "Search Personalization: Blessing and Trap?" -
http://lauren.vortex.com/archive/000757.html (Sept. 2010).


Children as young as seven caught sexting at school, study reveals (The Guardian)

Monty Solomon <monty@roscom.com>
Fri, 25 Mar 2016 08:30:24 -0400
More than half of teachers aware of sexting incidents with most cases
involving pupils aged 13 to 16, according to NASUWT.

http://www.theguardian.com/society/2016/mar/25/children-young-seven-caught-sexting-school-study-reveals


The Uber model, it turns out, doesn't translate (NYTimes)

Monty Solomon <monty@roscom.com>
Wed, 23 Mar 2016 20:16:08 -0400
http://www.nytimes.com/2016/03/24/technology/the-uber-model-it-turns-out-doesnt-translate.html

The ride-hailing service is a giant, but companies that aim to get stuff
done on demand for customers, like food delivery, grocery shopping and
parking, are faltering.


"How one yanked JavaScript package wreaked havoc" (Serdar Yegulalp)

Gene Wirchenko <genew@telus.net>
Wed, 23 Mar 2016 16:27:48 -0700
Serdar Yegulalp, InfoWorld, 23 Mar 2016

When a developer 'unpublished' his work from the NPM JavaScript package
registry, it broke dependencies for many other projects—and highlighted
the fragility of the open source ecosystem.
http://www.infoworld.com/article/3047177/javascript/how-one-yanked-javascript-package-wreaked-havoc.html


Bangladesh bank heist investigator alive (IB Times)

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Thu, 24 Mar 2016 13:28:58 -0500
A person, identified as a cyberinvestigator into the Bangladesh bank heist,
gave the media a progress report, then was apparently kidnapped.

Why would any investigator talk to the media?  Don't organizations have
official PR spokespersons?

He was traveling home with a friend, when both were stopped by plainclothes
individuals, who placed them in custody, and blindfolded them; later
the friend was released.  The friend has no idea as to the true identity of
the individuals.

Are Bangladesh police supposed to show id when arresting people, or is this
a nation with a secret police?

Because the police did not appear to be cooperating with the family in
investigating the apparent kidnapping, they suspected that he was in
secret police custody.  What kind of country is this, when government
officials are unable to determine if a person is in the custody of the
police or not?

Another mystery is who he was working for, as one possibility said he was
not working for them.

It sounds like he now needs medical attention, due to abuse, while in
custody of the abductors.

Hopefully he gets the needed medical care, and then is able to cooperate
with the other investigators.

http://www.ibtimes.co.uk/bangladesh-bank-heist-cybersecurity-researcher-found-alive-week-after-abduction-1551294
http://en.prothom-alo.com/bangladesh/news/98327/Tanvir-might-have-been-arrested-says-home
http://bdnews24.com/bangladesh/2016/03/14/ict-division-denies-any-link-with-tanvir-hassan-zoha
http://www.manilatimes.net/bangladesh-it-expert-missing-after-bank-heist-remarks/251279/
https://www.youtube.com/watch?v=8-PW8ptDypo (interview with the guy, not in English)
https://en.wikipedia.org/wiki/Tanvir_Hassan_Zoha
https://en.wikipedia.org/wiki/2016_Bangladesh_Bank_heist


Hacker sells data stolen from Verizon's enterprise customers

Lauren Weinstein <lauren@vortex.com>
Fri, 25 Mar 2016 08:53:49 -0700
Engadget via NNSquad
http://www.engadget.com/2016/03/24/verizon-enterprise-solutions-hack/

  Verizon suffered a data breach, according to KrebsOnSecurity, but you can
  breathe easy if you're just one of the carrier's subscribers. What the
  hacker infiltrated was Verizon Enterprise Solutions, a division that
  provides services to clients from the business and government sectors.
  Coincidentally, it's also the task force of sorts Fortune 500 companies
  call in when their systems get infiltrated. Brian Krebs says a well-known
  member of a cybercrime forum recently posted a thread selling info on 1.5
  million enterprise customers for $100,000. He also offered to share the
  vulnerabilities he found on Verizon's website for a price.


The Amateur Radio Operators Preparing for Disaster (The Atlantic)

Gene Spafford <spaf@purdue.edu>
Mon, 14 Mar 2016 14:16:20 -0500
This article talks about some of the risks of losing critical technology
for longer than expected.

http://www.theatlantic.com/technology/archive/2016/03/ham-radio-disaster-preparedness/473598/


Utah Republicans conducting online primary voting

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 23 Mar 2016 12:27:58 PDT
https://www.washingtonpost.com/news/the-fix/wp/2016/03/22/utah-republicans-are-holding-a-first-ever-online-primary-and-its-not-going-so-well/?hpid=hp_hp-top-table-low_primaries-1105pm%3Ahomepage%2Fstory


FBI to use NAND mirroring to crack terrorist's iPhone

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 23 Mar 2016 15:39:30 PDT
http://www.macworld.com/article/3047542/ios/forensics-expert-says-fbi-to-use-nand-mirroring-to-crack-terrorists-iphone.html


Verizon 2015 DBIR

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Fri, 25 Mar 2016 14:23:40 -0500
Each year, several outfits involved in breach investigations come out with
reports on trends in trouble making, and the state of the art of places needing
to defend themselves. Verizon's Data Breach Investigations Report (DBIR) for
2015 is out: http://www.verizonenterprise.com/DBIR/2015/20

Here you can get the full report (3.2 MB, 70 pages), executive summary,
statistics, latest lessons.

There's registration, but you can bypass that and download without it.

A statistic I don't see here—maybe it is there, I have only skimmed the
download so far.

We know there are 500+ vulnerabilities.

The outfits whose hardware, software, apps needed patches for those problems,

Do they know:

1. # of downloads of their service which needed later patching.

2. # of downloads of the patches.

3. From there get an idea of what % of their customer base is probably
   unpatched.

It would not be wise to make this public on a vulnerability basis, since
that would help the criminals, but it might be useful to know the big
picture of the need to remind end users about the importance of staying
current on security patches.  Similarly there is the issue of legacy & no
longer supported products, with exploitable vulnerabilities.

The 2015 DBIR report by Verizon (I list some high points):

* The report is not mere statistics, and trends, but what Verizon calls
  *before and beyond* the breaches.  Techniques being used to fight this
  cyber crime wave—how effective are they, what guidance can be derived
  from this analysis?

* Contributions from 70 organizations around the world.

* Knujon (no junk backwards) has shown that a small number of domain
  registrars enable over 90% of phishing, and other anonymous cyber
  crimes.

I do not see them in Appendix C list of organizations whose security
intelligence was used in this report. I hope that's fixed in future years,
since both this report and Knujon's investigations have pieces of a puzzle
which I think ought to be correlated.  Verizon focuses on how people can
better protect themselves from cyber crime, while Knujon is more focused on
identifying patterns of how digital criminals are enabled, so that if the
authorities were really interested in stamping out cyber crime, this
research could contribute to a dramatic rise in the volume of cyber
criminals put out of business.  Possibly this dimension is off topic for
Verizon DBIR evaluation of what techniques are effective in cyber crime
fighting, and where there is room for improvement.

* $ 400 million is the estimated financial loss from 700 million compromised
  records.  Larger organizations have more records, and higher cost per
  record.

* 78,790 security incidents, 2,122 confirmed data breaches, in 61 nations.

* No industry is immune from security failures.  There are many different
  threats, and Verizon evaluates them by industry.

* They show trends for 2015, and compare to prior years to see what if
  anything has changed or evolved, graphing some trends over several years.

* RAM scraping has grown.

* 99.99% of the vulnerabilities were exploited more than a year after they
became known.  Overwhelmingly, patches had been available before the breach
occurred, and had not been implemented by the breached organization.  This
is not a new statistic, just a confirmation that organizations are not
staying current with security patches.  Just because a vulnerability is old,
does not mean it will not continue to be exploited.  However, the newer
discovered vulnerabilities are often exploited within a month of discovery.
There are hundreds of vulnerabilities out there.  My takeaway is that we
need to continue having good backups, and stay current with security
patches, the backups in case of the occasional flawed patch.

* In 60% of the cases, attackers are able to compromise an organization
within minutes.  There's a graph (figure 5) showing how long it takes before
the attacks are detected, indicating that there is a growing deficit between
attackers and defenders.  The proportion of attackers getting in undetected
is rising, relative to attackers getting discovered.  However, detection
times are getting better with skimmers, shifting from months and weeks, to
hours and days.

* In 70% of the cases, where they figure out motive for the attack, there is
  a secondary victim.

* 75% of attacks spread from victim 0 to victim 1 within 1 day (24 hours).
  Over 40% hit the second organization in less than an hour.

* For 2 years, 2/3 of Cyber-Espionage cases have involved phishing.

* 23% of phishing recipients open that e-mail & 11% of them click on the
  attachments.  Nearly 50% who click on phishing do so within 1 hour of
  receiving it.

* Mobile is not yet a major vector for breaches.  The nuisances are to
  individual users, not as a larger vehicle of trouble such as thru BYOD.
  I'd like to see risk evaluation for consumers of devices, web cam hacking,
  car hacking, IoT, etc., but although I wondered if that is off-topic for
  Verizon DBIR, they did try to measure the size of mobile problems, and
  growth in the IoT industry.  Out of tens of millions of mobile devices, only
  0.03% get infected by malware, so far.  Android wins.  96% of mobile
  malware is aimed at them. More than 5 billion downloaded Android apps have
  vulnerabilities. 80% of EnPublic apps invoke risky private APIs that are
  also in violation of Apple's Developer guidelines.

Verizon invites feedback:

* dbir@verizon.com, find us on LinkedIn, or tweet @VZdbir with the hashtag
  #dbir.

Some of the stories, in there, apparently did not make the mainstream news,
until after people started digging into the report.

Example:

Hackers got into a Water Treatment Plant and manipulated the programmable
logic controllers that managed the amount of chemicals used to treat the
water to make it safe to drink. (I did not see that, when I was skimming the
report.)

http://www.watertechonline.com/hackers-change-chemical-settings-at-water-treatment-plant/


Re: Pentagon skips tests on key component of U.S.-based missile (RISKS-29.39)

Anthonys Lists <antlists@youngman.org.uk>
Wed, 23 Mar 2016 18:49:26 +0000
My response unfortunately had the first paragraph left off, which led to the
second paragraph not making much sense. To repeat ...

  I read the biography of a US sub captain who got fed up with his torpedoes
  not exploding, and the higher-ups not listening. So he found a sitting
  duck of a Japanese target, fired all six of his loaded torpedoes at it one
  by one, taking photographs as he did so, and then sent them to a
  newspaper. Six direct hits, and the target still afloat, undamaged, at the
  end. I think that was some time mid '42.


Re: Radio Attack Lets Hackers Steal 24 Different Car Models (Sprague, RISKS-29.39)

John Rivard <jcr@jcrdesign.com>
Wed, 23 Mar 2016 17:57:18 -0400
I think Steven is misunderstanding the nature of the attack.

Keyless entry key fobs like this on the Prius don't require any button
pushing. Drivers simply approach the vehicle with their key fob in their
pocket and grab the door handle (which has a touch sensor on it). Antennas
in the exterior of the car determine if the key fob is present, and the
doors unlock. Observant drivers may note that the car interior lights turn
on as they approach.

Likewise, when the Start button is pushed, antennas in the car determine if
the key fob (still in the pocket) is inside the car, and allow the car to
start and be driven. Again, the driver does not interact with the fob
buttons in any way during this process.

It might be possible to have the fob sleep based on a lack of motion for a
few minutes (presuming a walking motion as the driver approaches the car)
but since the driver does not press any buttons on the fob in the current
implementation, it can't stop responding on that basis.

Additionally, the owner manual indicates that the fob should not be stored
overnight in close proximity to a cell phone, because it will prematurely
discharge the batteries. Also, Priuses that have the hands-free fob
capability have a larger-capacity 12-volt accessory battery installed.
These facts suggest to me that the fob responds to a polling signal from the
car, and not vice-versa. So the initial amplification being used to break in
is likely an amplification of the CAR'S signal to activate the fob, and then
an amplification and re-transmission of the fob signal to make the car
sensors believe it is next to and then inside the car.


Re: Radio Attack Lets Hackers Steal 24 Different Car Models (Rivard, RISKS-29.40)

Steven Sprague <steven@rivetz.com>
Wed, 23 Mar 2016 17:57:18 -0400
Thanks for the clarification.  I think it just shows the presence is not
enough for all situations. We don't need to lock the car but we do need to
lock the fob.

I wonder if one could build a system that would remotely use other people's
RFID or NFC token for payment and/or tap and pay. Could a Bluetooth card
speak to a radio amplifier that would enable a user to appear to tap their
card, but the signal would travel over Bluetooth to an amplifier that would
find and use another nearby token?  This would make it possible to ride the
tube in London or buy a coffee at Starbucks.

It is a fun problem, and the first fix is to put a switch on the fob that
turns it off under user control; there is no need for a freezer.
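Added example (editor's illustration, not code from either contributor or from any vehicle maker): a Python model of the car-polls-fob exchange Rivard describes, showing why a genuine, cryptographically correct fob reply still unlocks the car through a two-box relay, and why the two fob-side fixes raised in this thread (sleep when the fob has not moved, a user-controlled off switch) defeat it. The key, the 2 m polling range and the HMAC challenge-response are assumptions for the model, not any real fob protocol.

```python
import hashlib
import hmac
import os

# Constructed shared secret between car and fob (assumption; real fobs are
# provisioned at manufacture and use a vendor-specific scheme).
FOB_KEY = b"constructed-demo-key"
LF_RANGE_M = 2.0  # assumed reach of the car's low-frequency polling signal


class Fob:
    """Passive fob: answers any poll it can hear, unless one of the two
    mitigations from the thread applies (no recent motion, or switched off)."""

    def __init__(self, key, moving=True, switched_on=True):
        self.key = key
        self.moving = moving
        self.switched_on = switched_on

    def respond(self, challenge):
        if not self.switched_on or not self.moving:
            return None  # fob stays silent
        # Genuine response: the relay never needs to forge this.
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class Car:
    """Car side: emit a fresh challenge, accept only a correct MAC over it."""

    def __init__(self, key):
        self.key = key

    def poll(self, channel):
        challenge = os.urandom(16)
        response = channel.deliver(challenge)
        if response is None:
            return False
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


class DirectChannel:
    """Real LF link: the fob only hears the poll when within LF_RANGE_M."""

    def __init__(self, fob, distance_m):
        self.fob, self.distance_m = fob, distance_m

    def deliver(self, challenge):
        if self.distance_m > LF_RANGE_M:
            return None
        return self.fob.respond(challenge)


class RelayChannel:
    """Two-box relay as described in the thread: the car's poll is carried out
    to the fob and the fob's genuine reply carried back, so distance is moot."""

    def __init__(self, fob):
        self.fob = fob

    def deliver(self, challenge):
        return self.fob.respond(challenge)


def unlock_attempts():
    """Run the scenarios; True means the car unlocked."""
    car = Car(FOB_KEY)
    fob_in_kitchen = Fob(FOB_KEY)  # always-on fob, owner 30 m from the car
    return {
        "owner_at_door": car.poll(DirectChannel(Fob(FOB_KEY), 0.5)),
        "fob_out_of_range": car.poll(DirectChannel(fob_in_kitchen, 30.0)),
        "relay_vs_plain_fob": car.poll(RelayChannel(fob_in_kitchen)),
        "relay_vs_sleeping_fob": car.poll(RelayChannel(Fob(FOB_KEY, moving=False))),
        "relay_vs_switched_off_fob": car.poll(RelayChannel(Fob(FOB_KEY, switched_on=False))),
    }


if __name__ == "__main__":
    for scenario, unlocked in unlock_attempts().items():
        print(f"{scenario}: {'UNLOCKED' if unlocked else 'locked'}")
```

The point the model makes is that strong authentication on the fob reply does nothing against a relay, because the reply is authentic; the defence has to stop the fob answering at all.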


Re: American Express 3rd-party breach (Al Mac, RISKS-29.37)

Tony Finch <dot@dotat.at>
Wed, 23 Mar 2016 23:20:07 +0000
Several years ago I was given a London Underground map etched onto a
credit-card-sized sheet of stainless steel—a shiny fun Christmas stocking
filler. I tucked it into my wallet and forgot about it; several days later,
after the holidays, I needed to use my work MIFARE ID card to open an
electronic door lock. It didn't work and I was greatly confused, until I
remembered the steel map!

Now the steel sheet lives next to my contactless payment card, and the ID
card lives in a separate fold of the wallet. I have never actually used it
as a map to find my way around London.
