The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 44

Tuesday 5 April 2016

Contents

Wrecking crew demolishes wrong house due to Google Maps error
Softpeedia
WhatsApp adopts default encryption *WiReD*
PGN
With Hospital Ransomware Infections, the Patients Are at Risk
TechReview
Ransomware vs. US government agencies
Al Mac
US State Dept database vulnerabilities
Al Mac
Technology Upgrades Get White House Out of the 20th Century
NYTimes
Hayden on encryption v. metadata
Henry Baker
Panama Papers
Al Mac
Many law firms hacked
Al Mac
Risks of car manufacturers adding flash
Steve Loughran
Why I Don't Make Financial Decisions on My Smartphone?
NYTimes
Man gets free holidays and car rentals after changing surname to 'Null'
Caroline Mcguire via Chris Drewe
How one programmer broke the Internet by deleting a tiny piece of code
QZ
DoD Picks HackerOne to Operate Bug Bounty Pilot Program
HackerOne
Satellite Images Can Pinpoint Poverty Where Surveys Can't
NYTimes
"Node.js alert: Google engineer finds flaw in NPM scripts"
Fahmida Y. Rashid
Google April Fool's prank backfires—possibly?
Peter Houppermans
April fools?
Martyn Thomas
Info on RISKS (comp.risks)

Wrecking crew demolishes wrong house due to Google Maps error

Dan Jacobson <jidanni@jidanni.org>
Fri, 01 Apr 2016 19:35:27 +0800
Company Demolishes Wrong Housing Duplex Following Google Maps Error
Wrecking crew forgets to double-check location
http://news.softpedia.com/news/company-demolishes-wrong-housing-duplex-after-google-maps-error-502188.shtml

A wrecking company has demolished the wrong housing duplex after one of its
employees was misled by a Google Maps error. In December 2015, the city of
Rowlett, near Dallas, Texas, was hit by a tornado that destroyed or damaged
multiple houses. Some of the unlucky homeowners who had their houses damaged
beyond repair contacted demolition companies to have their house lots
cleared in order to start rebuilding their new homes.  One of the contacted
companies was Billy L. Nabors Demolition, who was contracted to demolish the
house at 7601 Cousteau Drive... Never, ever, hire a demolition company from
another town...


WhatsApp adopts default encryption

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 5 Apr 2016 9:17:45 PDT
*WiReD*
http://www.wired.com/2016/04/forget-apple-vs-fbi-whatsapp-just-switched-encryption-billion-people/


With Hospital Ransomware Infections, the Patients Are at Risk

Monty Solomon <monty@roscom.com>
Sun, 3 Apr 2016 02:12:22 -0400
Ransomware that locks up patient data in hospitals is disrupting medical
care, and the problem is set to get worse.

https://www.technologyreview.com/s/601143/with-hospital-ransomware-infections-the-patients-are-at-risk/


Ransomware vs. US government agencies

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Mon, 4 Apr 2016 14:06:09 -0500
Some 29 federal agencies reported they were targeted with ransomware 321
times between June and early December 2015, according to a Department of
Homeland Security response to an inquiry by Sen. Tom Carper.  The Delaware
Democrat, who serves as the ranking member of the US Senate Homeland
Security and Governmental Affairs Committee, had requested information about
the government's ransomware defenses as part of the panel's oversight of
government IT security.
<https://www.hsgac.senate.gov/download/dhs-responds-to-carper-inquiries-on-response-to-threat-of-ransomware>
<http://www.carper.senate.gov/public/index.cfm/pressreleases?ID=01C0457D-DF6D-47E1-9096-07413536C080>

Assistant Attorney General Peter Kadzik, in the DOJ's response
to Carper's inquiry, said the FBI's Internet Crime Complaint Center (IC3)
received 7,694 ransomware complaints in 2015, with losses from these
attacks costing victims an estimated $57.6 million.

In addition to federal agencies, state and local governments are also being
targeted. The Multistate Information and Analysis Center told DHS that
MS-ISAC's associated Computer Emergency Response Team identified and
addressed 40 incidents related to ransomware-associated activity on state,
local, tribal and territorial governments' systems.

We do not know if recent occasional news stories about ransomware attacks on
local institutions, are included in those statistics.

http://www.govinfosecurity.com/ransomware-attacks-against-government-agencies-widespread-a-9005

To boost profits, operators of ransomware are hiring and funding their own
development teams to fashion new variants of malware, according to Cisco's
latest Midyear Security Report.
<http://www.cisco.com/web/offers/lp/2015-midyear-security-report/index.html>

https://fcw.com/articles/2015/12/04/lyngaas-congressmen-ransomware.aspx

Senator Carper's inquiry was sent December 2015.

According to the DHS 7 page (50 k PDF) report:

The Department of Homeland Security's (DHS) National Cybersecurity and
Communications Integration Center (NCCIC) has received reports of 337
ransomware-related incidents since June 2015. The NCCIC received these
reports from federal government agencies, the private sector, international
partners, and the general public.

The DoJ report is 8 pages (5.8 meg), part of which is redacted in the
general public edition.

There is more info in these 2 reports, than the ransomware statistics I am
citing.


US State Dept database vulnerabilities

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Sat, 2 Apr 2016 23:07:03 -0500
The US State Dept has a system, for tracking people who wish to travel to
and from the USA, which has been found to have vulnerabilities exposing a
billion people to hackers, who could alter applications of potential visitors
to the USA, potentially opening the border to terrorists. In 2015 alone, the
State Department denied more than 2,200 applications from people with a
*suspected connection to terrorism,* a senior homeland security official
told lawmakers last month.

It is the Consular Consolidated Database (CCD). It holds current and
archived visa records and data, including names, photos, addresses,
biometric data and identification numbers from the Bureau of Consular
Affairs (BCA) and is key to processing passport applications for visa
applicants and travelers.  Visit search engines looking for info on this,
and we find this is not the first instance of cybersecurity problems with
the CCD.

http://abcnews.go.com/US/exclusive-security-gaps-found-massive-visa-database/story?id=38041051

http://thehill.com/policy/cybersecurity/274819-security-holes-found-in-state-department-visa-database-report

http://fortune.com/2016/04/02/data-sheet-saturday-april-2-2016/

https://fcw.com/articles/2016/04/01/visa-state-vulnerable.aspx

http://cio.economictimes.indiatimes.com/news/digital-security/security-vulnerabilities-found-in-us-visa-database-report/51657905

https://travel.state.gov/content/visas/en/law-and-policy/bulletin.html


Technology Upgrades Get White House Out of the 20th Century

Gabe Goldberg <gabe@gabegold.com>
Mon, 4 Apr 2016 12:28:47 -0400
As President Obama prepares to leave the White House, one of his legacies
will be the office information technology upgrade that his staff has finally
begun.

http://www.nytimes.com/2016/04/04/us/politics/technology-upgrades-get-white-house-out-of-the-20th-century.html

Risks?  Distributed/conflicting technology teams/agendas/authorities/
abilities, plus a nice dose of politics and national security.  Stir
vigorously until catastrophe ensues.


Hayden on encryption v. metadata

Henry Baker <hbaker1@pipeline.com>
March 23, 2016 at 8:11:11 PM EDT
  [Also in Cryptography]

https://www.lawfareblog.com/lawfare-podcast-general-michael-hayden-discusses-american-intelligence-age-terror

Highly recommended, *especially* if you disagree with Hayden.

Basically, Hayden is ok with just about anything—including torture—so
long as it is approved by someone higher up.  Methinks he might not fare so
well in a Nuremberg-type trial, but perhaps those ethics are sooo last
century.

However, Hayden does think that the FBI is p*ss*ng into the wind on
encryption, because any restrictions on encryption will drive technology
overseas & weaken the U.S. tech economy.

Hayden is basically agreeing with the statement "we kill people based on
metadata", so you'd better believe that social graphs, GPS coordinate
positions, etc., are being hoovered up, big time.  Perhaps the FBI will be
forced to de-parallel-construct their DRT-bag data for the U.S. courts, but
I suspect that NSA has no such scruples.

There was an unclassified program by a small midwest company a couple of
years ago that did 2 things: collected huge amounts of continuous hi-res
video surveillance imagery and built a time-line database.  Subsequently, an
inquiry about the position of a car at 2:17pm at such-and-such a location
could be run *backwards* in time to see where the car came from.  Although
this data was used to catch a few very surprised criminals who found the
police patiently waiting for them at their homes, it was either deemed too
creepy (hard to believe!) or too expensive to continue.

However, I think the real reason why this surveillance technique was dropped
(from public discussion, anyway) is that exactly the same database
technology is *already* in use to track cellphones backwards in time.  This
can be done with cheap, ubiquitous NSA junior-varsity-type technology --
collect cellphone signals, wifi signals, Bluetooth signals.

Thus, if person X is noticed at location Y at time T, then the database can
track person X backwards over the past hours, days, months to see if person
X ever came close to person Y.

If this happens in some locations on the globe, and if person Y is
considered a "bad guy/gal", then person X is now considered to be a "bad
guy/gal".  Hayden may not even know person X's name or gender, but the U.S.
might still target person X for killing simply on the basis of this
metadata.  Hayden seems completely ok with this sort of thinking, but then he
has lime on his cleats (his too cute football analogy re coming too close to
getting out of bounds).

So while the encryption fight is going on, a far more insidious type of
surveillance is taking place, but without being discussed or approved by
anyone in Congress or the courts.

I believe that this type of system is what Hayden is referring to when he
says that—far from "going dark"—this is currently the "golden age" of
surveillance.


Panama Papers

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Mon, 4 Apr 2016 20:14:40 -0500
11.5 million documents leaked, estimated to contain about 2.6 terabytes of
data.  They were at a law firm in Panama.  Contents cover off-shore
accounts, and financial activities which may be illegal for some of the
participants, depending on their home nations, where the money went, and if
proper tax reporting was done.

Many allegations, in the papers, need confirmation.

The named individuals are denying this info.

The law firm says they are a victim, in this leak.

https://www.reddit.com/live/wp1fvdxxwb45/

https://panamapapers.icij.org/graphs/

http://www.usatoday.com/story/tech/news/2016/04/04/stealing-115-million-documents-panama-papers-snowden-sony-hack-leak/82613940/

http://www.reuters.com/article/us-panama-tax-idUSKCN0X10C2


Many law firms hacked

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Tue, 5 Apr 2016 14:37:31 -0500
50 plus law firms got hacked, including the most prestigious, of several
nations.

The good news is that many law firms are waking up to their fiduciary cyber
security responsibilities, much more rapidly than we have seen for other
industries.  Firms are also signing up to join the information-sharing group
about cyberthreats formed by the Financial Services Information Sharing and
Analysis Center (FS-ISAC).
https://www.fsisac.com/

http://abovethelaw.com/2016/03/beware-of-big-hacking-in-biglaw/
See page 2 of above link, for where I got this list of 47 of the law firms
involved.

This list was compiled by Flashpoint (via Crain's Chicago Business).
<http://www.chicagobusiness.com/article/20160329/NEWS04/160329840/russian-cyber-criminal-targets-elite-chicago-law-firms?X-IgnoreUserAgent=1>

Akin Gump Strauss Hauer & Feld
Allen & Overy
Baker & Hostetler
Baker Botts
Cadwalader Wickersham & Taft
Cleary Gottlieb Steen & Hamilton
Covington & Burling
Cravath Swaine & Moore
Davis Polk & Wardwell
Debevoise & Plimpton
Dechert
DLA Piper
Ellenoff Grossman & Schole
Freshfields Bruckhaus Deringer
Fried Frank Harris Shriver & Jacobson
Gibson Dunn & Crutcher
Goodwin Procter
Hogan Lovells
Hughes Hubbard & Reed
Jenner & Block
Jones Day
Kaye Scholer
Kirkland & Ellis
Kramer Levin Naftalis & Frankel
Latham & Watkins
McDermott Will & Emery
Milbank Tweed Hadley & McCloy
Morgan Lewis & Bockius
Morrison & Foerster
Nixon Peabody
Paul Hastings
Paul Weiss Rifkind Wharton & Garrison
Pillsbury Winthrop Shaw Pittman
Proskauer Rose
Ropes & Gray
Schulte Roth & Zabel
Seward & Kissel
Shearman & Sterling
Sidley Austin
Simpson Thacher & Bartlett
Skadden Arps Slate Meagher & Flom
Sullivan & Cromwell
Vinson & Elkins
Wachtell Lipton Rosen & Katz
Weil Gotshal & Manges
White & Case
Willkie Farr & Gallagher

Apparently some crooks were seeking info on mergers & acquisitions, for the
purpose of insider trading.

Law firms have also been victimized by ransomware.

Law firms have also been recipients of the CEO scam [browse on "Fake
President Scam"], where a junior executive is ordered by the higher one to
transmit some money some place, and keep this confidential, when the order
is really coming from someone faking out the senior executive.  If all their
security rules, and normal e-mail traffic, are on the computer network, and
the computer network is hacked, then this kind of scam is easy to
perpetrate.

A problem common to many companies, including law firms, is that senior
leaders of the companies are free to disregard security rules which apply to
lower level employees, but they are above the company laws & regulations.
If they had proper security audits, this would be revealed, and if the law
required that they show the results of audits to their clients, then such
behavior would cease, and the whole industry would become more secure.

http://www.lawgazette.co.uk/practice/ma-hack-attack-on-48-elite-law-firms/5054524.article

http://www.americanlawyer.com/id=1202753706763/Cravath-Admits-Breach-as-Law-Firm-Hacks-Go-Public-?slreturn=20160305150736

http://www.bbc.com/news/technology-35933246

A common claim by hacked outfits, is that no data was taken, and we always
wonder how they know this.

Breach laws only require that non-government organizations truthfully report
when the data taken is PII of humans.

There are many forms of breaches, for which the breached institution has no
legal obligation to report the event to anyone, and many reasons to cover it
up, so as not to have their reputation impaired.

Government organizations are generally required to report breaches to
whatever government agency tracks security problems, and tries to manage
their mitigation.  Most of this never gets to the general public beyond some
statistics.

Due Diligence when we contract with some place for business, includes
finding out if they have good security.  But just as good security requires
layered protection, cover-ups also involve layers, so potential customers,
of outfits which are good at cover-ups, will probably never learn about
security breaches there.

Who financed the implementation of IT security, at the hacked law firms?

In the business world there are many professions.

We trust lawyers to know the law.

We trust accountants to balance the books.

We trust IT security professionals to know what is needed, and to do the job
right, provided they get the resources they need to implement good security.

We do not trust people to perform jobs for which they have not had the
proper training. We do not trust people, who do not have training, to know
what they are missing out, by not having the training. Unfortunately, many
business leaders lack the understanding I have stated above.


Risks of car manufacturers adding flash

Steve Loughran <steve.loughran@gmail.com>
Mon, 4 Apr 2016 18:20:01 +0100
For people wondering how secure their newly purchased car is, why not take
a look at the manual on the "media centre", a manual which is now bigger
than one on "driving your vehicle safely to your chosen destination".

I was certainly surprised to see a section on how to disable flash in the
manual of a 2012 car we had just purchased second-hand.

https://www.flickr.com/photos/steve_l/25625279674/in/album-72157623050830883/

I've been trying very hard to have a vaguely secure house, with "removing
flash off all devices" being one of the tasks undertaken.  The fact that
it's being built into vehicle entertainment systems means I appear to be
fighting a losing battle.

An emergency check of the vehicle showed me that, fortunately, the previous
owner had not opted for the "web browser" feature when buying their
vehicle. As well as keeping flash out the vehicle, it meant their web
browsing history and cookies were not available to me.

The fact that car manufacturers are putting software with such an awful
track record of security into the firmware of their systems is not a good
sign for future vehicle security.


Why I Don't Make Financial Decisions on My Smartphone?

Monty Solomon <monty@roscom.com>
Sun, 3 Apr 2016 11:44:20 -0400
http://www.nytimes.com/2016/03/27/your-money/why-i-dont-make-financial-decisions-on-my-smartphone.html


Man gets free holidays and car rentals after changing surname to 'Null' (Caroline Mcguire)

Chris Drewe <e767pmk@yahoo.co.uk>
Tue, 29 Mar 2016 22:40:19 +0100
Just spotted this on a newspaper web site—don't know if it's for real
(but it's not April 1st yet!):

Caroline Mcguire for MailOnline
<http://www.dailymail.co.uk/travel/travel_news/article-3513652/The-cleverest-time-Man-gets-free-holidays-car-rentals-changing-surname-Null.html>

People will go to extreme lengths to bag themselves a freebie these days,
but one American has come up with the ultimate bag to get free holidays - a
name change.

The man claims to have been given seven free nights at seven different
hotels and free-of-charge car rental after changing his surname to 'Null'.

Raven Felix Null, 24, from the United States, says he changed his
surname after becoming an adult and claims the word 'Null' is
incompatible with a lot of computer programming, leading to many systems
not recognising him as a person.
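The failure the article describes is a classic in-band sentinel problem: a system that encodes "no value" as the string "null" (often case-insensitively) cannot tell a missing surname from a customer whose surname really is Null. The following Python is an added illustration, not code from the RISKS post or from the Daily Mail article; the CSV export, the booking records and the function names (`load_naive`, `load_strict`, `parse_nullable`) are constructed for this example. It shows the lossy check beside one that only honours the exact, agreed sentinel and keeps the distinction through to JSON, where the type system carries it.

```python
"""Added example (not from the RISKS post): a surname of "Null" versus a
"null" sentinel for missing data, and how to keep the two apart.

All records below are constructed for illustration.
"""
import csv
import io
import json
from typing import Dict, List, Optional

# Constructed sample export. The upstream system writes the literal token
# "NULL" for a missing field; booking 1003 belongs to a guest whose real
# surname is Null.
SAMPLE_CSV = """booking_id,first_name,last_name
1001,Ada,Lovelace
1002,Grace,NULL
1003,Raven,Null
"""

Row = Dict[str, Optional[str]]


def naive_is_missing(value: Optional[str]) -> bool:
    """The pattern that loses Mr Null: any case-insensitive 'null' (or
    'none', or blank) is treated as an absent value."""
    return value is None or value.strip().lower() in ("", "null", "none")


def load_naive(text: str) -> List[Row]:
    """Parse the export with the lossy sentinel check applied to every field."""
    return [
        {k: (None if naive_is_missing(v) else v) for k, v in row.items()}
        for row in csv.DictReader(io.StringIO(text))
    ]


def parse_nullable(value: Optional[str], sentinel: str = "NULL") -> Optional[str]:
    """Treat only the exact, agreed sentinel token as missing; anything else,
    including the string "Null", is data and is preserved verbatim."""
    return None if value == sentinel else value


def load_strict(text: str, sentinel: str = "NULL") -> List[Row]:
    """Parse the export honouring the sentinel exactly (case-sensitive,
    no trimming), so real names survive."""
    return [
        {k: parse_nullable(v, sentinel) for k, v in row.items()}
        for row in csv.DictReader(io.StringIO(text))
    ]


def guests_without_surname(rows: List[Row]) -> List[Optional[str]]:
    """Booking ids whose surname is genuinely absent (Python None)."""
    return [r["booking_id"] for r in rows if r["last_name"] is None]


def to_json(rows: List[Row]) -> str:
    """Downstream, JSON keeps the distinction: a bare null for missing
    data, a quoted "Null" for the surname."""
    return json.dumps(rows)


if __name__ == "__main__":
    print("naive:  missing surnames ->", guests_without_surname(load_naive(SAMPLE_CSV)))
    print("strict: missing surnames ->", guests_without_surname(load_strict(SAMPLE_CSV)))
    print(to_json(load_strict(SAMPLE_CSV)))
```

Run stand-alone, the naive loader reports bookings 1002 and 1003 as having no surname, while the strict loader reports only 1002 and emits `"last_name": "Null"` for booking 1003. The general lesson is to carry "missing" out of band (a typed `None`, a JSON `null`, a SQL NULL) and to match any unavoidable in-band sentinel exactly rather than by a case-folded, trimmed comparison.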


How one programmer broke the Internet by deleting a tiny piece of code

Monty Solomon <monty@roscom.com>
Sat, 2 Apr 2016 21:17:42 -0400
http://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code/


DoD Picks HackerOne to Operate Bug Bounty Pilot Program

Gabe Goldberg <gabe@gabegold.com>
Sat, 2 Apr 2016 10:52:20 -0400
Washington, DC—In a first-of-its-kind program for the federal government,
the *Department of Defense* has selected San Francisco-based *HackerOne* to
operate its "Hack the Pentagon" bug bounty pilot, aimed at bolstering the
department's cybersecurity. Under the program, the company will invite
qualified hackers to participate in a 20-day bug bounty pilot beginning
April 18. The goal will be to find and report security vulnerabilities
within DoD websites so they can be safely resolved. Individual bounty
payments will depend on a number of factors, but will come from the $150,000
in funding for the program. "This initiative will put the department's
cybersecurity to the test in an innovative but responsible way," said
Defense Secretary *Ashton Carter.* "I encourage hackers who want to bolster
our digital defenses to join the competition and take their best shot." A
registration site is now live and can be accessed at the top link below.
https://hackerone.com/hackthepentagon


Satellite Images Can Pinpoint Poverty Where Surveys Can't

Monty Solomon <monty@roscom.com>
Sun, 3 Apr 2016 12:47:29 -0400
http://www.nytimes.com/2016/04/03/upshot/satellite-images-can-pinpoint-poverty-where-surveys-cant.html

Information that can be gathered from novel sources, using algorithms, can help determine the best places to spend limited resources.


"Node.js alert: Google engineer finds flaw in NPM scripts" (Fahmida Y. Rashid)

Gene Wirchenko <genew@telus.net>
Fri, 01 Apr 2016 10:06:11 -0700
Fahmida Y. Rashid, InfoWorld, 28 Mar 2016
Node.js developers, run NPM install at your own risk—a
self-replicating worm can easily spread through the ecosystem
http://www.infoworld.com/article/3048526/security/nodejs-alert-google-engineer-finds-flaw-in-npm-scripts.html


Google April Fool's prank backfires—possibly?

Peter Houppermans <peter@houppermans.net>
Fri, 1 Apr 2016 12:53:58 +0200
The Net appears awash with reports about a Google Mail prank that
backfired:
http://techcrunch.com/2016/04/01/google-reverses-gmail-april-1-prank-after-users-mistakently-put-gifs-into-important-emails/

It appears Google took it upon itself to replace various buttons in their
user interface with some that added information to email.

I am aware that it's April 1st so even the news stories could be pranks
themselves.


April fools?

Martyn Thomas <martyn@thomas-associates.co.uk>
Fri, 1 Apr 2016 11:35:25 +0100
With apologies to Arthur C Clarke:  "any description of sufficiently advanced
technology is indistinguishable from an April Fool."

  [Note: The Silver Swan, 1611 madrigal by Orlando Gibbons, words allegedly
  by Sir Christopher Hatton, the last line of which is
    More Geese than Swans now live, more Fools than Wise ...  PGN]
