The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 46

Thursday 14 April 2016

Contents

President Obama's Commission on Enhancing National Cybersecurity
Michael Daniel Ed Felten and Tony Scott
Burr-Feinstein bill draft
PGN
Senate Cybersecurity panel unveils long-awaited encryption bill
The Hill
Feds say they hired a hardware hacker to crack the San Bernardino phone
WashPo
Online election hacking
BBW
Failure in bank security
Corwyn
Re: Japanese computer system problems left many flight passengers stranded
Alister Macintyre
Re: The Panama Papers and Barbara Streisand
Michael Bacon
Info on RISKS (comp.risks)

President Obama's Commission on Enhancing National Cybersecurity

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 14 Apr 2016 10:19:25 PDT
https://www.whitehouse.gov/blog/2016/04/13/announcing-presidents-commission-enhancing-national-cybersecurity

Michael Daniel, Ed Felten, and Tony Scott, 13 Apr 2016

In February, the President announced a Cybersecurity National Action Plan
(CNAP) to take a series of short-term and long-term actions to improve our
nation's cybersecurity posture.  A central feature of that plan is the
non-partisan Commission on Enhancing National Cybersecurity, comprised of
leading thinkers from business, technology, and academia and charged with
making recommendations to the nation for actions that can be taken over the
next decade to strengthen cybersecurity in both the public and private
sector.

Today, we are pleased to announce that the President and the bipartisan
Congressional leadership have selected the 12 individuals to serve on the
Commission.  They are:

* Tom Donilon, former Assistant to the President and National Security
  Advisor (Chair)

* Sam Palmisano, former CEO of IBM (Vice Chair)

* General Keith Alexander, CEO of IronNet Cybersecurity, former Director of
  the National Security Agency and former Commander of U.S. Cyber Command

* Annie Anton, Professor and Chair of the School of Interactive Computing at
  Georgia Tech.

* Ajay Banga, President and CEO of MasterCard

* Steven Chabinsky, General Counsel and Chief Risk Officer of CrowdStrike

* Patrick Gallagher, Chancellor of the University of Pittsburgh and former
  Director of the National Institute of Standards and Technology

* Peter Lee, Corporate Vice President, Microsoft Research

* Herbert Lin, Senior Research Scholar for Cyber Policy and Security at the
  Stanford Center for International Security and Cooperation and Research
  Fellow at the Hoover Institution

* Heather Murren, former member of the Financial Crisis Inquiry Commission
  and co-founder of the Nevada Cancer Institute

* Joe Sullivan, Chief Security Officer of Uber and former Chief Security
  Officer of Facebook

* Maggie Wilderotter, Executive Chairman of Frontier Communications

These 12 individuals will be charged with recommending bold, actionable
steps that the government, private sector, and the nation as a whole can
take to bolster cybersecurity in today's digital world, and reporting back
by the beginning of December.  They will hold their first public meeting
tomorrow at the U.S. Department of Commerce, where they will be joined by
Secretary of Commerce Penny Pritzker, Assistant to the President for
Homeland Security and Counterterrorism Lisa Monaco, and others to discuss
the critical work that lies ahead for the Commission.

From the beginning of his Administration, the President has made it clear
that cybersecurity is one of the most important challenges we face as a
Nation.  For more than seven years, we have acted comprehensively to make
progress towards three goals:

* Raise the level of cybersecurity in both the public and private sectors.

* Deter, disrupt, and interfere with malicious cyber activity aimed at the
  U.S. or its allies.

* Respond effectively to and recover from cyber incidents.

Recent accomplishments in pursuit of these goals include the Cyber Threat
Intelligence Integration Center (CTIIC) attaining initial operating
capability; reaching an unprecedented set of commitments with China's
President on cybersecurity; deploying strong authentication for 81 percent
of accounts on federal systems; and implementing the Cybersecurity Act of
2015 to enhance cybersecurity information sharing and improve cyber-defense
throughout the nation.  [...]


Burr-Feinstein bill draft

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 13 Apr 2016 11:59:06 PDT
The Burr-Feinstein discussion draft now released:
Compliance with Court Orders Act of 2016
http://www.feinstein.senate.gov/public/index.cfm?a=files.serve&File_id=5B990532-CC7F-427F-9942-559E73EB8BFB

Here's my short-version summary

  It would compel "covered entities" (very broad: device manufacturer,
  software manufacturer, electronic communication service, provider of a
  remote computing service, or any person who provides a product or method
  to facility a communication or processing or storage of data) to comply
  with court orders [*] to provide data or otherwise assist in efforts to
  prosecute crimes (resulting in death; foreign intelligence, espionage, and
  terrorism; Federal crime against a minor; serious violent felony; serious
  Federal drug crime; state crimes equivalent to the previous ones).
  However, the draft bill does not prescribe penalties for noncompliance,
  and seems to leave that up to the courts.  That could be quite a slippery
  slope—and could easily tend to act as a not-so-veiled threat.

* The draft says "an order or warrant", so presumably a subpoena would be
sufficient?  When I testified for the Senate Judiciary Committee on 9 Jul
1997, Senator Leahy began the first morning session by getting Bob Kerry to
admit that he did not know that his own Kerry-McCain bill required only a
subpoena, and not a warrant.  I think what constitutes a "court order" is a
potentially sticky wicket here.

Incidentally, my testimony in the second session that day is at
http://www.csl.sri.com/neumann/judiciary.html, along with my answers to
subsequent written questions from Senators Thurmond, Grassley, Leahy, and
Feinstein.  At the end of the first session. Senator Feinstein excused
herself to go to another hearing, but remarked that if FBI Director Freeh
said he needed access to essentially everything, we'd better give it to him.


Senate Cybersecurity panel unveils long-awaited encryption bill

Lauren Weinstein <lauren@vortex.com>
Wed, 13 Apr 2016 16:45:40 -0700
http://thehill.com/policy/cybersecurity/overnights/276219-overnight-cybersecurity-long-awaited-encryption-bill-lands

  The measure, from Chairman Richard Burr (R-N.C.) and ranking member Dianne
  Feinstein (D-Calif.), would force companies to provide "technical
  assistance" to government investigators seeking locked data.  Little has
  changed in the bill since an initial discussion draft was first made
  public by The Hill last week. The measure still states that a company must
  provide "information or data" to the government "in an intelligible
  format" when served with a court order.

The obvious outcome of this of course would be the rapid deployment of even
more third-party apps to layer strong crypto without government backdoors
onto the systems that the government mandates must be made hacker, criminal,
and terrorist attack friendly via government backdoors. Next, the government
plans to make it illegal to speak in unfamiliar languages, and will mandate
the installation of cameras in every room of every home and business that
can be enabled under court order. Just wait until you see what they'll
demand in the future for data collection and remote control from and over
autonomous vehicles!

  [It is also likely to open up a huge market for non-U.S. meaningfully
  secure operating systems and well-embedded strong cryptography, and
  noncompliant apps.  Unfortunately, the U.S. government itself may have to
  resort to non-U.S. products if they cannot get them domestically—which
  represents a huge set of risks, PGN]


Feds say they hired a hardware hacker to crack the San Bernardino phone (from Cryptography via Dave Farber)

"John Levine" <johnl@iecc.com>
April 14, 2016 at 5:07:14 AM GMT+9
The WashPo says:

The FBI cracked a San Bernardino terrorist's phone with the help of
professional hackers who discovered and brought to the bureau at least one
previously unknown software flaw, according to people familiar with the
matter. ...

The new information was then used to create a piece of hardware that helped
the FBI to crack the iPhone's four-digit personal identification number
without triggering a security feature that would have erased all the data,
the individuals said. ...

Even without a new flaw, that suggests something like the plan many people
suggested to make an image of the device's memory and restore it after each
group of PIN guesses.

https://www.washingtonpost.com/world/national-security/fbi-paid-professional-hackers-one-time-fee-to-crack-san-bernardino-iphone/2016/04/12/5397814a-00de-11e6-9d36-33d198ea26c5_story.html?hpid=hp_hp-cards_no-name%3Ahomepage%2Fcard


Online election hacking (BBW)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Tue, 12 Apr 2016 16:32:19 -0500
Pages 60-65 of April 4-10 BBW is on history of hacking on-line elections, in
the Americas.  It has reportedly happened in Columbia, Costa Rica, El
Salvador, Guatemala, Honduras, Mexico, Nicaragua, Panama, and Venezuela.  A
person accused of participating in this election rigging, is now allegedly
working in the Donald Trump campaign. [...]

http://www.bloomberg.com/content-service/blog/2016-04-08/hack-election-comohackear-una-eleccion/


Failure in bank security

<risks@corwyn.net>
Mon, 11 Apr 2016 16:54:11 -0400
Today I spent a while on the phone puzzling out an error in my SunTrust
account, eventually determined to be me having transferred money from my
line of credit (check protection) instead of my checking account. Mea culpa.

To try to prevent making the same error again, I asked that they remove the
line of credit from my Internet access. They said they could not. I asked if
I could decrease the credit limit on the account, and they said "sure". All
I needed to do was send them authorization from my email account. My
personal email account. I asked if I could instead use the "Secure Message"
system within my on-line account, and was told that I couldn't submit the
change from there; the message had to come from my personal account.

I spent a long time on the phone trying to get to someone who would
understand that my personal email address didn't count as "secure" or
"authenticated", to no avail.


Re: Japanese computer system problems left many flight passengers stranded (Ishikawa, RISKS-29.45)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Mon, 11 Apr 2016 19:51:54 -0500
CI, Thanks for the Japanese to English translation.  You were unsure about
the Cache.  I think the explanation, that you quoted, is BS.

Approx 35 years ago I first started working with cache.  The concept was
that accessing data from disk drives took thousandths of seconds, while
accessing from memory took millionths of seconds.  Systems may be faster
today, but the same ratio may apply.  So we in IT had the option of setting
aside a portion of memory for cache, which was memory of most recent disk
accesses, on the theory that that data might be needed again very soon, so
by having the latest updated copy in the cache, it could be accessed faster.
Also, copying the updated data to disk could happen as micro seconds permit,
without holding up the parade of other activities.  In case of some
disruption, making sure info in cache written back to disk was a priority.

Failures in this system could occur if

* The overall system did not have enough "gas" to handle normal loads, and
  typical busy time periods.  By "gas" I mean speed, disk capacity, memory,
  processors, file balancing, all the "stuff" needed for a well tuned
  computer system.

* Badly written software messed with the amount of memory assigned to cache.

* To get good cache results, programs need to nibble on data in reasonable
  size chunks, and the routines need to be of reasonable size.  We might not
  get this, with poorly written programs.

* The cache memory worked thanks to a battery, recharged like a miniature
  UPS, whose battery does not live forever.  As it wears out, there is a
  system error message to warn IT that we need to schedule hardware
  maintenance to replace the cache battery.  If no one is paying attention
  to the hardware warning messages, then the cache benefit could come to a
  sudden surprising halt.

* Performance tools show how efficiently cache is functioning, to indicate
  whether the organization can benefit from buying more memory.  They also
  show where there are potential bottlenecks, such as activity waiting on a
  communication line which is overloaded (needs to be faster, more band
  width), or bottleneck waiting on data thru some processor (maybe we need
  more processors, such as a math chip).  If the tools tell IT that certain
  upgrades are needed to improve performance, but management won't approve
  the expenditure, then the result can be inconvenience for some of the
  users.  Performance Tools also identify bottlenecks thanks to the specific
  programs which are badly written, with some info on where in the programs
  they have problems.

* Software updates should go through some kind of testing.  They had a
  backup machine.  Did they use that for testing, since the main one was
  very busy?

  http://itpro.nikkeibp.co.jp/atcl/news/16/040601011/

  According the article above, a critical region handling routine was
  installed in the week before and this caused a deadlock of the application
  cache (not sure exactly what/where the cache is) and handling of disk
  access.


Re: The Panama Papers and Barbara Streisand (RISKS-29.45)

Michael Bacon - Grimbaldus <michael.bacon@grimbaldus.com>
Thu, 14 Apr 2016 05:20:12 -0400
The media love stories about politicians and their finances.  However, there
is a big difference between tax avoidance and tax evasion.

I doubt there is any reader of this who does not take steps to avoid paying
taxes they don't need to.  Of course, there might be some who attempt to
evade paying taxes too, but I suspect the balance to be in favour of the
former.  The journalists writing in high-handed tones, and the political
opponents trying to make capital [pun intended] out of the stories are very
likely to be avoiders too ... and possibly evaders.

British Prime Minister, David Cameron, has come under fire from the
opposition leader Jeremy Corbyn for Cameron's late father's revealed
involvement in one offshore investment company, leading to the PM publishing
his tax returns.  Corbyn responded, only for the media to uncover his
failure to properly declare income from three pensions.  This is now
becoming a bigger story.  Another example of the Streisand Effect?

Please report problems with the web pages to the maintainer

Top