The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 57

Saturday 18 June 2016

Contents

FBI Needs Better Hackers to Solve Encryption Standoff
Joshua Eaton
"Surveillance reform measure blocked in the wake of Orlando killings"
John Ribeiro
London Mayoral count resorted to spreadsheets
Martyn Thomas
Intel x86s hide another CPU that can take over your machine—you can't audit it
BoingBoing
Physical Key Extraction Attacks on PCs
CACM
Lawyers who yanked "Happy Birthday" into public domain now sue over "This Land"
Ars Technica
The Air Force Had a Totally Accidental Computer Disaster
Gizmodo
"Home invasion? Three fears about Google Home"
Fahmida Y. Rashid
Best Korea's Social Network hacked after using worst ID and password possible
Rocket News
The average cost of a data breach is now $4 million
Help Net Security
"Companies pay out billions to fake-CEO email scams"
Michael Kan
'Spam King' Sanford Wallace gets 2.5 years in prison for 27M Facebook scam messages
BoingBoing
Cormac Herley, "Unfalsifiability of security claims"
Bruce Schneier
Privacy not possible with increasing financial surveillance
Henry Baker
Re: Tesla Model X autonomously crashes into building, owner claims
Gary Hinson
Re: Russian penetration attack on DNC: NOT!
Ars Technica
Re: Lancaster UK power outage
Martin Ward
Info on RISKS (comp.risks)

FBI Needs Better Hackers to Solve Encryption Standoff (Joshua Eaton)

"ACM TechNews" <technews-editor@acm.org>
Fri, 17 Jun 2016 12:54:47 -0400 (EDT)
Joshua Eaton, *The Christian Science Monitor*, 16 Jun 2016

With U.S. technology companies refusing to allow anyone, including the
federal government, access to suspected criminals' encrypted communications
conducted on their devices, a leading cybersecurity expert is proposing
another method for authorities to obtain the information they need without
undermining the security of the millions of other consumers who also use
those products.  Worcester Polytechnic Institute professor Susan Landau
suggests law enforcement boost the hiring of government hackers and foster
in-house experts to legally hack such devices when they have a warrant.  The
strategy entails exploiting existing software bugs instead of having tech
companies install "backdoors" in their products.  Landau says the
U.S. Federal Bureau of Investigation (FBI) can bypass encryption by
investing in court-sanctioned lawful hacking capabilities such as installing
remote surveillance programs on computers and phones and hiring more agents
with computer science backgrounds.  The unacceptable alternative would
compromise consumer security and give criminal hackers, among others,
another exploitation option, according to Landau.  She also says the FBI's
paltry lawful hacking budget and resources may be one reason why the bureau
wants companies to install backdoors.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-f2f6x2e54ax065639&


"Surveillance reform measure blocked in the wake of Orlando killings" (John Ribeiro)

Gene Wirchenko <genew@telus.net>
Sat, 18 Jun 2016 05:21:25 -0700
John Ribeiro, InfoWorld, 17 Jun 2016
The U.S. House of Representatives voted down a proposed anti-surveillance
amendment that would prevent warrantless searches by law enforcement on
Americans
http://www.infoworld.com/article/3085175/government/surveillance-reform-measure-blocked-in-the-wake-of-orlando-killings.html

selected text:

"With Orlando fresh in everyone's mind, members of Congress appear to be
voting based on fear rather than on reason," wrote Kevin Bankston, director
of New America's Open Technology Institute. He added that there is no reason
to think that mandating backdoors into American companies' encrypted
products or allowing warrantless searches of Americans' private data would
have prevented the tragedy, a view widely held by many privacy advocates.


London Mayoral count resorted to spreadsheets

Martyn Thomas <martyn@thomas-associates.co.uk>
Sat, 18 Jun 2016 14:26:48 +0100
The result of last month's London Mayoral election on 5 May was delayed
by several hours after staff had to manually query a bug-stricken database.

http://www.bbc.co.uk/news/technology-36558446


Intel x86s hide another CPU that can take over your machine—you can't audit it

"David Farber" <dfarber@me.com>
Sat, 18 Jun 2016 09:58:13 -0400
  [Boing Boing. More on this later. Not what is suggested. djf]

http://boingboing.net/2016/06/15/intel-x86-processors-ship-with.html

Recent Intel x86 processors implement a secret, powerful control mechanism
that runs on a separate chip that no one is allowed to audit or
examine. When these are eventually compromised, they'll expose all affected
systems to nearly unkillable, undetectable rootkit attacks. I've made it my
mission to open up this system and make free, open replacements, before it's
too late.

The Intel Management Engine (ME) is a subsystem composed of a special 32-bit
ARC microprocessor that's physically located inside the chipset. It is an
extra general purpose computer running a firmware blob that is sold as a
management system for big enterprise deployments. ...

  [Werner U. notes a Slashdot item that refers to BoingBoing.]


Physical Key Extraction Attacks on PCs

Lauren Weinstein <lauren@vortex.com>
Thu, 16 Jun 2016 12:41:43 -0700
http://cacm.acm.org/magazines/2016/6/202646-physical-key-extraction-attacks-on-pcs/fulltext

  Our research thus focuses on two main questions: Can physical side-channel
  attacks be used to nonintrusively extract secret keys from PCs, despite
  their complexity and operating speed?  And what is the cost of such
  attacks in time, equipment, expertise, and physical access?  Results. We
  have identified multiple side channels for mounting physical
  key-extraction attacks on PCs, applicable in various scenarios and
  offering various trade-offs among attack range, speed, and equipment
  cost. The following sections explore our findings, as published in several
  recent articles.


Lawyers who yanked "Happy Birthday" into public domain now sue over "This Land" (Ars Technica)

Lauren Weinstein <lauren@vortex.com>
Sat, 18 Jun 2016 08:17:36 -0700
  [This song is made for you and me!]  [NNSquad]

http://arstechnica.com/tech-policy/2016/06/lawyers-who-yanked-happy-birthday-into-public-domain-now-sue-over-this-land/

  The lawyers who successfully got "Happy Birthday" put into the public
  domain and then sued two months ago over "We Shall Overcome" have a new
  target: Woody Guthrie's "This Land."  Randall Newman and his colleagues
  have filed a proposed class-action lawsuit against The Richmond
  Organization (TRO) and Ludlow Music, the two entities that also claim to
  own the copyright for "We Shall Overcome." ...  According to the "This
  Land" suit, the melody of the song is actually a Baptist hymn from the
  late 19th or early 20th century, often referred to as "Fire Song."


The Air Force Had a Totally Accidental Computer Disaster (Gizmodo)

Lauren Weinstein <lauren@vortex.com>
Tue, 14 Jun 2016 14:41:17 -0700
via NNSquad
http://gizmodo.com/the-air-force-had-a-totally-accidental-computer-disaste-1781973697?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+gizmodo%2Ffull+%28Gizmodo%29

  Last Month, Lockheed Martin, the government contractor which operates the
  servers that store sensitive information about internal Air Force
  investigations, came to realize that all of the data on said servers was
  missing. The apparent reason was a run-of-the-mill system crash--but what
  caused that actual crash is still unclear. Now, the United States Air
  Force is reportedly missing all of its investigation records dating all
  the way back to 2004. Whoops!

Investigation records lost back to 2004. And no clear sense of what backups
may or may not exist. This is the same government that wants access to our
secure communications. Yeah.

  [The Air Force and the FBI are *not quite* the same.]


"Home invasion? Three fears about Google Home" (Fahmida Y. Rashid)

Gene Wirchenko <genew@telus.net>
Wed, 15 Jun 2016 09:37:57 -0700
  This article covers risks and concerns about Google Home.

Fahmida Y. Rashid, InfoWorld, 15 Jun 2016
Always-listening devices accelerate our transformation into a constantly
surveilled society. That's a problem not only for us but for our kids, too
http://www.infoworld.com/article/3079846/security/home-invasion-3-fears-about-google-home.html


Best Korea's Social Network hacked after using worst ID and password possible (Rocket News)

Gene Wirchenko <genew@telus.net>
Wed, 15 Jun 2016 12:41:41 -0700
"Best Korea's Social Network" hacked after using worst ID and password possible
http://en.rocketnews24.com/2016/06/16/best-koreas-social-network-hacked-after-using-worst-id-and-password-possible/


The average cost of a data breach is now $4 million (Help Net Security)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Thu, 16 Jun 2016 15:26:07 -0600
Help Net Security, 16 Jun 2016

The average data breach cost has grown to $4 million, representing a 29
percent increase since 2013, according to the Ponemon Institute.

Cybersecurity incidents continue to grow in both volume and sophistication,
with 64 percent more security incidents reported in 2015 than in 2014. As
these threats become more complex, the cost to companies continues to
rise. In fact, the study found that companies lose $158 per compromised
record. Breaches in highly regulated industries like healthcare were even
more costly, reaching $355 per record – a full $100 more than in 2013.

https://www.helpnetsecurity.com/2016/06/16/data-breach-cost-4-million/


"Companies pay out billions to fake-CEO email scams" (Michael Kan)

Gene Wirchenko <genew@telus.net>
Fri, 17 Jun 2016 10:20:52 -0700
Michael Kan, InfoWorld, 16 Jun 2016
In the U.S. alone, victims have lost $960 million to the schemes over
the past three years, according to new data from the FBI
http://www.infoworld.com/article/3084886/cyber-crime/companies-pay-out-billions-to-fake-ceo-email-scams.html

opening text:

Email scammers, often pretending to be CEOs, have duped businesses into
giving away at least $3.1 billion, according to new data from the FBI.


'Spam King' Sanford Wallace gets 2.5 years in prison for 27M Facebook scam messages

Lauren Weinstein <lauren@vortex.com>
Thu, 16 Jun 2016 16:03:30 -0700
http://boingboing.net/2016/06/16/spam-king-sanford-wallace.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+boingboing%2FiBag+%28Boing+Boing%29

  A hacker who called himself 'Spam King' and sent 27 million unsolicited
  Facebook messages for a variety of scams has been sentenced to 30 months
  in jail.  Sanford Wallace, 47 was also ordered to pay more than $310,000
  in fines. The hacker also known as "Spamford" is reported to have
  compromised over 500,000 Facebook accounts from November 2008 to March
  2009, and messaged victims links to external sites that harvested their
  log-ins and Facebook friend lists. Then, Wallace spammed the Facebook
  users with links to other websites ... Wallace's spamming career didn't
  begin with Facebook messages, but stretches all the way back to the '90s,
  when he sent junk fax messages. He faced civil suits from both Myspace and
  Facebook in 2007 and 2009, respectively, and racked up nearly $1 billion
  in fines from the two companies that he was unable to pay. This recent
  sentence is the first time Wallace has been convicted of a crime, with
  the Spam King pleading guilty to one count of "fraud and related activity
  in connection with electronic mail." His two-and-a-half year jail sentence
  is just short of the three year maximum he was facing.


Cormac Herley, "Unfalsifiability of security claims" (Bruce Schneier)

Bruce Schneier <schneier@schneier.com>
Wed, 15 Jun 2016 00:30:27 -0500
             CRYPTO-GRAM
            June 15, 2016
          by Bruce Schneier
    CTO, Resilient, an IBM Company
        schneier@schneier.com
       https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<https://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at
<https://www.schneier.com/crypto-gram/archives/2016/0615.html>. These same
essays and news items appear in the "Schneier on Security" blog at
<http://www.schneier.com/blog>, along with a lively and intelligent comment
section. An RSS feed is available.

Interesting research paper:
  Cormac Herley, "Unfalsifiability of security claims":

  There is an inherent asymmetry in computer security: things can be
  declared insecure by observation, but not the reverse. There is no
  observation that allows us to declare an arbitrary system or technique
  secure. We show that this implies that claims of necessary conditions for
  security (and sufficient conditions for insecurity) are unfalsifiable.
  This in turn implies an asymmetry in self-correction: while the claim that
  countermeasures are sufficient is always subject to correction, the claim
  that they are necessary is not. Thus, the response to new information can
  only be to ratchet upward: newly observed or speculated attack
  capabilities can argue a countermeasure in, but no possible observation
  argues one out. Further, when justifications are unfalsifiable, deciding
  the relative importance of defensive measures reduces to a subjective
  comparison of assumptions. Relying on such claims is the source of two
  problems: once we go wrong we stay wrong and errors accumulate, and we
  have no systematic way to rank or prioritize measures.

This is both true and not true.

Mostly, it's true. It's true in cryptography, where we can never say that an
algorithm is secure. We can either show how it's insecure, or say something
like: all of these smart people have spent lots of hours trying to break it,
and they can't—but we don't know what a smarter person who spends even
more hours analyzing it will come up with. It's true in things like airport
security, where we can easily point out insecurities but are unable to
similarly demonstrate that some measures are unnecessary. And this does lead
to a ratcheting up on security, in the absence of constraints like budget or
processing speed. It's easier to demand that everyone take off their shoes
for special screening, or that we add another four rounds to the cipher,
than to argue the reverse.

But it's not entirely true. It's difficult, but we can analyze the
cost-effectiveness of different security measures. We can compare them with
each other. We can make estimations and decisions and optimizations. It's
just not easy, and often it's more of an art than a science. But all is not
lost.

Still, a very good paper and one worth reading.

Blog entry URL:
https://www.schneier.com/blog/archives/2016/05/the_unfalsifiab.html

Unfalsifiability of security claims:
http://research.microsoft.com/pubs/256133/unfalsifiabilityOfSecurityClaims.pdf
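
A compact way to state the asymmetry in the Herley abstract quoted above, as an added formalization that is not part of the paper or of Schneier's commentary (the predicate names below are chosen here for illustration): let $\mathrm{Sec}(X)$ mean "system $X$ is secure" and $\mathrm{Att}(X)$ mean "an attack on $X$ has been observed." The only empirical inference available is

$$\mathrm{Att}(X) \;\Rightarrow\; \neg\mathrm{Sec}(X),$$

and there is no observation $O$ for which $O \Rightarrow \mathrm{Sec}(X)$. A claim that countermeasure $C$ is *sufficient* reads

$$\forall X:\; C(X) \Rightarrow \mathrm{Sec}(X),$$

and a single observed case $C(X) \wedge \mathrm{Att}(X)$ refutes it. A claim that $C$ is *necessary* reads

$$\forall X:\; \mathrm{Sec}(X) \Rightarrow C(X) \qquad (\text{equivalently } \neg C(X) \Rightarrow \neg\mathrm{Sec}(X)),$$

whose only counterexample would be some $X$ with $\neg C(X) \wedge \mathrm{Sec}(X)$; because $\mathrm{Sec}(X)$ is never observable, no observation can supply one. The ratchet follows directly: each newly observed or speculated attack can add a $C$ to the "necessary" set, and no observation can remove one.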


Privacy not possible with increasing financial surveillance

Henry Baker <hbaker1@pipeline.com>
Fri, 17 Jun 2016 07:17:25 -0700
In a series of four articles in *The Atlantic*, Sarah Jeong argues
conclusively that the systems of financial surveillance originally intended
for determining credit-worthiness of corporations and rich individuals have
been extended—thanks to the cost-effectiveness of IT & Internet
technology—to even the poorest of the poor.

Furthermore, this surveillance exercise has been converted into a form of
coercive social control on legal activities which have been politicized.
The use of financial controls to punish Wikileaks today can also be used to
punish those seeking and providing abortions tomorrow.

While Sarah does not mention "civil asset forfeiture" (CAF) in this
particular series, it is easy to see that CAF is the obvious next step in
closing the surveillance/control loop.  "See Something, Say Something"
inevitably becomes "See Something, Take Something".

Some libertarians have advocated the use of Bitcoin-type protocols to avoid
this financial surveillance.  Sarah argues that—far from saving us from
surveillance, a cashless society (advocated by state-nanny Cass Sunstein)
will allow essentially complete surveillance and control.

 - - -

The "War on Drugs" was the excuse for much of this financial surveillance &
control system; the "War on Terror" is now the excuse for extending it for
total surveillance and total control.

Within a few years, the President won't require a drone strike to disable a
domestic dissident; that "Red Button" on her desk will disable the
dissident's ability to financially function in society, and instantly strip
all financial assets—without any presumption of innocence.  "Look ma, no
due process!"

Bottom line: allowing the government a pass on the ubiquitous surveillance
of financial transactions is akin to providing the govt a "metadata
loophole" aka "third party doctrine"; fine-grained financial data provides
all of the metadata information, so this becomes a distinction without a
difference.

http://www.theatlantic.com/technology/archive/2016/04/mass-surveillance-was-invented-by-credit-bureaus/479226/

Also by Sarah Jeong:
Credit Bureaus Were the NSA of the 19th Century
http://www.theatlantic.com/technology/archive/2016/04/credit-reporting-spying/480510/

You Can't Escape Data Surveillance In America
http://www.theatlantic.com/technology/archive/2016/04/rental-company-control/478365/

How Technology Helps Creditors Control Debtors
http://www.theatlantic.com/technology/archive/2016/04/cashless-society/477411/

How a Cashless Society Could Embolden Big Brother (8 Apr 2016)


Re: Tesla Model X autonomously crashes into building, owner claims

"Gary Hinson" <Gary@isect.com>
Fri, 17 Jun 2016 12:23:41 +1200
With ever-advancing auto-automation, surely it is not beyond the wit of Man
to ensure that such vehicles are thoroughly instrumented and the data are
retained in black boxes, if not systematically uploaded for further
analysis?  A moment's idle and ill-informed conjecture suggests the
possibilities of: identifying failure modes; diagnosing driver and vehicle
errors; spotting opportunities for safer, more fuel-efficient driving;
forensic evidence concerning incidents; compliance with road laws;
indications of drivers' failing eyesight/health/impairment/incompetence.

Aren't there suitable standards in this area already?  If not, why not?
Isn't anyone driving them?  It's such an obvious avenue, a clear route ahead.

  [Standards?  We are probably still in the period where each company is
  trying to roll its own, although there is supposedly some standardization
  on interfaces.  However, think about the composition problem of having
  different components from different vendors (including the ubiquitous
  entertainment system that is a culprit in airliners) supposedly seamlessly
  integrated, and the communication problem among vehicles when we get to
  the automated highway (!), and the need for monitoring and oversight to
  ensure everything is working properly, or remediating when it is not, ...
  PGN]

Dr Gary Hinson PhD MBA CISSP, CEO of IsecT Ltd., New Zealand
http://www.isect.com/

Passionate about information risk and security awareness, standards and metrics
http://www.noticebored.com/
http://www.iso27001security.com/
http://www.securitymetametrics.com/


Re: Russian penetration attack on DNC: NOT! (RISKS-29.56)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 15 Jun 2016 22:42:03 PDT
Ars Technica reports that "Guccifer 2.0" claims responsibility
for the attack on the DNC, Clinton, and Trump sites.  Guccifer includes
the purloined data as "proof".

http://arstechnica.com/security/2016/06/lone-wolf-claims-responsibility-for-dnc-hack-dumps-purported-trump-smear-file/#p3

https://guccifer2.wordpress.com/2016/06/15/dnc/


Re: Lancaster UK power outage (RISKS-29.56)

Martin Ward <martin@gkc.org.uk>
Thu, 16 Jun 2016 11:47:05 +0100
The immediate cause of the power loss was flooding of the main subsystem
next to the River Lune, which reached a peak flow of 1,742 cubic meters of
water per second.

The connection between rainfall level of 150 to 200mm and a record peak
water flow in the river may seem obvious and inevitable: but in fact is
exacerbated by successive Governments' handling of the upland areas:

(1) A study in mid-Wales suggests that rainwater’s infiltration rate into
the soil is 67 times higher under trees than under sheep pasture.  Yet
farmers are subsidised for keeping sheep and rewarded for removing "unwanted
vegetation" (i.e. trees) from land which is not being farmed.

(2) Rivers that have been dredged and canalised to protect farmland rush the
water instead into the nearest town.

(3) In June 2014 the environment department proposed to deregulate dredging,
allowing landowners to strip the structure and wildlife habitat out of
ditches and rivers. There could be no better formula for disaster
downstream. Once water is in the rivers, it has to go somewhere. If you
don’t hold it back in the fields, it will tumble into people’s homes
instead.

(4) Internal drainage boards—which are public bodies but tend to be
mostly controlled by landowners—often prioritise the protection of
farmland above the safety of towns and cities downstream.

(5) The Government was instrumental in destroying the proposed European soil
framework directive, which would have reduced flooding by preventing the
erosion and compaction of the soil.

http://www.theguardian.com/commentisfree/2015/dec/07/hide-evidence-storm-desmond-floods-paris-talks

http://www.theguardian.com/commentisfree/2015/dec/29/deluge-farmers-flood-grouse-moor-drain-land

Dr Martin Ward STRL Principal Lecturer & Reader in Software Engineering
martin@gkc.org.uk  http://www.cse.dmu.ac.uk/~mward/
