The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 79

Saturday 24 September 2016

Contents

We Have to Start Thinking About Cybersecurity in Space
Zeljka Zorz
"5 Tech Trends That Have Turing Award Winners Worried"
Katherine Noyes
Tesla tones down Autopilot
San Francisco Chronicle
Krebs on Security hit by a huge DDoS attack
ZDnet via PGN
"Seagate NAS hack should scare us all"
Roger A. Grimes
Australian Police warn of malware-laden USB sticks in letterboxes
The Register via Werner U
Russian intelligence services seem responsible for hacking German political groups
The Cyberwire
China teen killing sparks Internet *addiction* boot camp debate
BBC
Banks want to make the Internet less secure for everybody
Thomas Koenig
Rogue Algorithms—and the Dark Side of Big Data
Wharton Knowledge
WikiLeaks uploads 300+ pieces of malware among email dumps
Werner U
Re: Police try to arrest robot
Martin Ward
Re: The risks of getting your email address wrong
John Levine
Re: Microsoft dismisses Exchange vulnerability report
Bill Stewart
Re: PC without OS
Martin Ward
Dmitri Maziuk
Info on RISKS (comp.risks)

We Have to Start Thinking About Cybersecurity in Space (Zeljka Zorz)

"ACM TechNews" <technews-editor@acm.org>
Fri, 23 Sep 2016 12:18:18 -0400 (EDT)
Zeljka Zorz, Help Net Security, 22 Sep 2016, via ACM TechNews, 23 Sep 2016

UK-based researchers are studying the cybersecurity of space-related
technologies.  "An insecure environment in space will hinder economic
development and increase risks to societies, particularly in crucial sectors
such as communications, transport, energy, financial transactions,
agriculture, food and other resources management, environmental and weather
monitoring, and defense," according to Chatham House researchers David
Livingstone and Patricia Lewis.  They say space-related cybersecurity gaps
and weaknesses need to be addressed as a matter of urgency.  Cybersecurity
in space includes satellites, rockets, space-based systems and vehicles,
space stations and ground stations, as well as the associated networks and
data centers, all of which the researchers warn could be targeted by
hackers.  "Possible cyberthreats against space-based systems include
state-to-state and military actions; well-resourced organized criminal
elements seeking financial gain; terrorist groups wishing to promote their
causes, even up to the catastrophic level of cascading satellite collisions;
and individual hackers who want to fanfare their skills," according to the
researchers.  The researchers suggest an international multi-stakeholder
space security organization would provide the best opportunity for
developing a sectoral response to match the range of threats.  However, such
an effort should avoid basing policies on technology alone.  "An effective
regime requires a comprehensive technological response that is integrated
into a wider circle of knowledge, understanding, and collaboration,"
according to the researchers.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-113b5x2fda9x073885&


"5 Tech Trends That Have Turing Award Winners Worried"

"ACM TechNews" <technews-editor@acm.org>
Fri, 23 Sep 2016 12:18:18 -0400 (EDT)
IDG News Service (09/23/16) Katherine Noyes

A panel of ACM A.M. Turing Award winners convened on Thursday at the
Heidelberg Laureate Forum in Germany to discuss technology trends they find
troubling.  Massachusetts Institute of Technology professor Barbara Liskov
cited technology encouraging people to selectively filter out news and
opinions differing from their own as a worrisome trend.  Another concern of
Liskov's is how the Internet has empowered malevolent hackers and other
malefactors to target children.  Meanwhile, Carnegie Mellon University's Raj
Reddy discussed criminals' ability to attack freedom technologically, noting
terrorists and other evildoers "can communicate with impunity with
encryption today."  Google chief Internet evangelist and former ACM
president Vint Cerf said bug-ridden software could undermine control of
devices comprising the Internet of Things.  "It's ordinary devices that have
a lot of software in them that don't work the way we expect them to" that
constitute a major threat, he warned.  Cerf also worries about the
obsolescence of the software needed to access online content, and a partial
solution may be to employ virtual machines in the cloud to mimic outdated
hardware.  However, Cerf said other issues are in need of resolution,
including ownership of intellectual property and business models to support
long-term preservation.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-113b5x2fda6x073885&


Tesla tones down Autopilot

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 23 Sep 2016 12:13:01 PDT
Tesla says its latest software update will disable automatic steering if
drivers don't keep their hands on the wheel.  They are enhancing the radar
system so Autopilot will work better in bright sun and bad weather.  If
drivers ignore three warnings to place their hands on the wheel, automatic
steering will be disabled and won't resume until the car is parked.  As in
earlier versions, the car will slow to a stop if the warnings are ignored.

[PGN-excerpted from the *San Francisco Chronicle*, 23 Sep 2016, front page
of the Business Report]

  [I suspect that strategy won't work very well on an Automated Highway.
  Fortunately, we still have a way to go to work things out.  I should note
  that I've written two articles in the past months that might need some
  updating in light of recent developments noted in RISKS and elsewhere:

    PGN, Automated Car Woes—Whoa There! ACM Ubiquity, July 2016:
    <http://ubiquity.acm.org/article.cfm?id=2974062>

    PGN, Risks of Automation: A Cautionary Total-System Perspective of Our
    Cyberfuture, CACM Inside Risks article, October 2016:
    <http://www.csl.sri.com/neumann/cacm239.pdf>

  One of the risks of writing journal articles is that they should be able
  to have successive updates, which of course never happens.  One of the
  benefits of RISKS is that we are continually reflecting on the
  ever-changing nature of computer-related technologies.  The topic of
  self-driving cars and automated highways is certainly likely to be one
  such area where things will be changing!  (That's just one of the reasons
  I never tried to write a successor to my 1995 book, *Computer-Related
  Risks*—although most of what I wrote then still seems timely today.)
  PGN]


Krebs on Security hit by a huge DDoS attack

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 23 Sep 2016 09:18:17 PDT
Brian Krebs's security blog was booted off the Akamai network after DDoS
attack proves pricey.  "There's no rancor or bitterness, however, since
Akamai hosted the security expert's blog pro bono."

The attack, 665 Gbps in size, was detected by Akamai and DDoS protection
outfit Prolexic, owned by Akamai, as "almost twice the size" of attacks they
have had to fend off in the past, according to Krebs.

On Twitter, the security expert said in a series of tweets that despite the
unknown attackers "throwing it all" at Krebs on Security, including SYN
Floods, GET Floods, ACK Floods, POST Floods, and GRE Protocol Floods, the
attack, one of—if not—the largest DDoS ever recorded, failed.

http://www.zdnet.com/article/krebs-on-security-booted-off-akamai-network-after-ddos-attack-proves-pricey/

  [This episode seems to have a nasty slippery slope.  If nothing else, it
  demonstrates how devastating massive denial-of-service attacks can be.
  Also, Akamai's booting Krebs suggests a camel's foot under the hood that
  may result in shooting themselves in the nose and throwing the boobie
  hatch out with the dirty laundry.  Nip a flood in the bud in the mud with
  a thud?  PGN]


"Seagate NAS hack should scare us all" (Roger A. Grimes)

Gene Wirchenko <genew@telus.net>
Fri, 23 Sep 2016 11:34:21 -0700
Roger A. Grimes, InfoWorld, 20 Sep 2016
An under-the-radar news story proves that computers are far from the only
devices prey to attack
http://www.infoworld.com/article/3121338/security/seagate-nas-hack-should-scare-us-all.html

opening text:

No fewer than 70 percent of Internet-connected Seagate NAS hard drives have
been compromised by a single malware program. That's a pretty startling
figure.  Security vendor Sophos says the bitcoin-mining malware Miner-C is
the culprit.

  [At peak, seek to tweak the weak link.  This reeks of leaks that peek as
  well.  PGN]


Australian Police warn of malware-laden USB sticks in letterboxes

Werner U <werneru@gmail.com>
Fri, 23 Sep 2016 02:03:28 +0200
[ twist: an old trick at a new place.... still works ]

Simon Sharwood, *The Register*, 21 Sep 2016
Victoria Police warn of malware-laden USB sticks in letterboxes
<http://www.theregister.co.uk/2016/09/21/letterbox_usb_police_warning/>

It's called 'junk mail' for a reason, people: take the pizza vouchers and
ignore the rest!

Police in the Australian State of Victoria have warned citizens not to
trust unmarked USB sticks that appear in their letterboxes.

The warning, issued today, says: “The USB drives are believed to be extremely
harmful and members of the public are urged to avoid plugging them into
their computers or other devices.  Upon inserting the USB drives into their
computers victims have experienced fraudulent media streaming service
offers, as well as other serious issues.”
<https://www.vicpolicenews.com.au/news/harmful-usb-drives-found-in-letterboxes>

Only the suburb of Pakenham in Victoria's capital Melbourne has experienced
the dodgy stick drop, but Victoria Police nonetheless saw fit to issue a
state-wide alert.

*The Register* is utterly unsurprised that some people plugged in the
drives, as we've previously reported that half of people who find a USB
stick in a carpark will plug it in, and have covered a USBs-left-in-car-parks
phishing scam.  And who could forget the attempt at industrial espionage
that saw USB sticks left in the parking lot of Dutch chemical giant DSM.
<http://www.theregister.co.uk/2016/04/11/half_plug_in_found_drives/>
<http://www.theregister.co.uk/2007/04/25/usb_malware/>
<http://www.theregister.co.uk/2012/07/11/infected_usb_spyware/>

The latter two attacks were targeted.  Pakenham, however, is an unremarkable
outer suburb.  Perhaps the perps behind this USB drop had a particular
target in mind.  Or perhaps USB sticks are now so cheap, and the profits to
be had from cracking even home computers so large, that scattering a few
dozen sticks is a crime that pays?


Russian intelligence services seem responsible for hacking German political groups

The CyberWire <editor@thecyberwire.com>
Thu, 22 Sep 2016 12:26:28 -0400 (EDT)
The CyberWire 9.22.16
http://ui.constantcontact.com/sa/fwtf.jsp?llr=46gbevkab&m=1110957923263&ea=editor%40thecyberwire.com&a=1125925470626


China teen killing sparks Internet *addiction* boot camp debate

Lauren Weinstein <lauren@vortex.com>
Fri, 23 Sep 2016 17:02:01 -0700
BBC via NNSquad
http://www.bbc.com/news/world-asia-china-37451134

  “A murder case in China, in which a teenager reportedly tied up and
  killed her mother after being sent to an [I]nternet addiction treatment
  centre, has sparked shock across the country.  The teenager, from the
  northern province of Heilongjiang, had "tied the victim up in a chair
  until she died" on 16 September, local police say, without giving further
  details about the death.  The 16-year-old, identified in media reports by
  a ps[eu]donym, Chen Xin, has handed herself in to the police.  Local media
  say Chen Xin had been sent to an academy in Shandong, more than 1,000 km
  (600 miles) from her home, that specialised in "treating addictions and
  rebellious youths" - and which had a particular reputation for treating
  [I]nternet addictions.”


Banks want to make the Internet less secure for everybody

Thomas Koenig <tkoenig@netcologne.de>
Sat, 24 Sep 2016 08:38:44 +0200
In an E-Mail to the TLS mailing list at ietf.org, a representative of the
"Financial Services Roundtable" asked to keep the RSA key exchange in the
upcoming TLS 1.3 standard.  Why on earth would they do that?  One would
suppose that banks, above everybody else, would need a secure Internet, in
the interest of protecting their clients and themselves.

Well, maybe that's not quite the case:

# Like many enterprises, financial institutions depend upon the ability to
# decrypt TLS traffic to implement data loss protection, intrusion detection
# and prevention, malware detection, packet capture and analysis, and DDoS
# mitigation.  Unlike some other businesses, financial institutions also
# rely upon TLS traffic decryption to implement fraud monitoring and
# surveillance of supervised employees.

So, to keep snooping internally, they want to make external snooping easier?

Fortunately, the response was rather short: "No".

Full E-Mail can be found at
https://www.ietf.org/mail-archive/web/tls/current/msg21275.html
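As an added illustration (not part of the original message or of the IETF thread), here is a toy Python simulation of why the RSA key exchange is the sticking point: with static RSA the client encrypts the premaster secret to the server's long-term key, so anyone holding that key plus a packet capture recovers every session key, whereas an ephemeral Diffie-Hellman handshake leaves the holder of the long-term key with nothing. All primes, group parameters and the key derivation are constructed, toy-sized stand-ins, not real TLS.

```python
import hashlib
import random

# Toy, constructed parameters: far too small to be secure, chosen so the
# handshake runs instantly with only the standard library.
RSA_P, RSA_Q = 1299709, 15485863          # two known primes
RSA_E = 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # server's long-term private key
DH_P = 2 ** 61 - 1                        # Mersenne prime, used as a toy DH group
DH_G = 2


def session_key(shared_secret: int) -> bytes:
    """Stand-in for the TLS key schedule: derive a session key from the secret."""
    return hashlib.sha256(shared_secret.to_bytes(32, "big")).digest()


def rsa_handshake(rng: random.Random):
    """Static RSA key exchange (TLS <= 1.2): the client picks the premaster secret
    and encrypts it to the server's long-term public key.  Returns what a passive
    observer sees on the wire and the key both endpoints derive."""
    premaster = rng.randrange(2, RSA_N)
    on_the_wire = {"kx": "rsa", "encrypted_premaster": pow(premaster, RSA_E, RSA_N)}
    return on_the_wire, session_key(premaster)


def dhe_handshake(rng: random.Random):
    """Ephemeral Diffie-Hellman (the only kind left in TLS 1.3): each side makes a
    fresh secret, exchanges public shares and then discards the secret."""
    client_secret = rng.randrange(2, DH_P - 1)
    server_secret = rng.randrange(2, DH_P - 1)
    client_share = pow(DH_G, client_secret, DH_P)
    server_share = pow(DH_G, server_secret, DH_P)
    shared = pow(server_share, client_secret, DH_P)      # g^(ab) mod p on both sides
    assert shared == pow(client_share, server_secret, DH_P)
    on_the_wire = {"kx": "dhe", "client_share": client_share, "server_share": server_share}
    return on_the_wire, session_key(shared)   # the ephemeral secrets are now gone


def passive_decrypt(on_the_wire: dict, server_private_key: int):
    """What a middlebox (or anyone who later obtains the server key) recovers from a
    capture plus the long-term RSA private key: the session key for static RSA,
    nothing for DHE, because the long-term key never touched the session secret."""
    if on_the_wire["kx"] == "rsa":
        premaster = pow(on_the_wire["encrypted_premaster"], server_private_key, RSA_N)
        return session_key(premaster)
    return None


def demonstrate(seed: int = 1) -> dict:
    """Run one handshake of each kind and report whether passive decryption worked."""
    rng = random.Random(seed)
    rsa_wire, rsa_key = rsa_handshake(rng)
    dhe_wire, dhe_key = dhe_handshake(rng)
    return {
        "rsa_session_recovered": passive_decrypt(rsa_wire, RSA_D) == rsa_key,
        "dhe_session_recovered": passive_decrypt(dhe_wire, RSA_D) == dhe_key,
    }


if __name__ == "__main__":
    print(demonstrate())   # {'rsa_session_recovered': True, 'dhe_session_recovered': False}
```

The same asymmetry is why an enterprise that wants to inspect its own traffic has to do so at an endpoint it controls (a terminating proxy or a host agent) rather than by handing out the server key to a passive tap.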


Rogue Algorithms—and the Dark Side of Big Data (Wharton Knowledge)

"David Farber" <farber@gmail.com>
Fri, 23 Sep 2016 13:36:45 -0400
http://knowledge.wharton.upenn.edu/article/rogue-algorithms-dark-side-big-data/?utm_source=kw_newsletter&utm_medium=email&utm_campaign=2016-09-22


WikiLeaks uploads 300+ pieces of malware among email dumps

Werner U <werneru@gmail.com>
Sun, 25 Sep 2016 00:14:37 +0200
[Sources: Gizmodo, 15 Aug 2016 and *The Register*, 19 Aug 2016]
  [This is an old item that somehow did not make it earlier.  PGN]

Michael Nunez, *WikiLeaks Published Dozens of Malware Links in Email Dump*
Gizmodo, 15 Aug 2016
https://gizmodo.com/wikileaks-published-dozens-of-malware-links-in-email-du-1785293372

WikiLeaks published more than 80 variants of malware in the second email
dump from Turkey's ruling political party (AKP), according to
anti-virus security expert Vesselin Bontchev.  Anyone searching the
WikiLeaks database can easily download malware attachments by clicking on
the wrong link.
<https://github.com/bontchev/wlscrape/blob/master/malware.md>

Bontchev published his research on his GitHub page, which shows just how
extensive the threats inside WikiLeaks AKP email dump were. This is just the
latest example of unethical leaking to come from the whistleblowing
organization.  In July, the site was criticized for “putting women in danger
by publishing sensitive information of every female voter in 79 of 81
Turkish provinces.  Now, there is yet another reason to refer to the AKP
email dump as dangerous and poorly executed.”
<http://gizmodo.com/what-happened-to-wikileaks-1784455507#_ga=1.232804830.1573483110.1468589968>
<http://www.huffingtonpost.com/zeynep-tufekci/wikileaks-erdogan-emails_b_11158792.html>

*WikiLeaks uploads 300+ pieces of malware among email dumps*

http://www.theregister.co.uk/2016/08/19/wikileaks_uploads_324_bits_of_malware_in_munted_document_dump/

Darren Pauli, *The Register*, 19 Aug 2016
Freedom. Justice. Openness. And some entirely avoidable p0wnage for good luck
<http://www.theregister.co.uk/Author/2823>

WikiLeaks is hosting 324 confirmed instances of malware among its caches of
dumped emails, a top Bulgarian anti-malware veteran says.  Random checks of
reported malware hashes find the trojans are flagged as malware by Virus
Total's static analysis checks.  Much of the malware appears to be
attachments emailed by black hats in a bid to compromise the various parties
affected in the WikiLeaks dumps.

Dr Vesselin Bontchev says the instances of malware are only those confirmed
and found in an initial search effort.  Dr Bontchev, an antivirus researcher
of nearly 30 years and founder of the National Laboratory of Computer
Virology in Bulgaria, said there were "no doubts" that the malware hosted on
WikiLeaks was indeed malware.  "The list is by no means exhaustive; I am
just starting with the analysis," Bontchev says.  "But what is listed below
is definitely malware; no doubts about it."
<https://github.com/bontchev/wlscrape/blob/master/malware.md>

The document dumpster uploads attachments for the emails it releases but
offers no warning about the security implications of downloading
macro-enabled documents, executables, and other potentially malicious files.

A feasibly simple antivirus check would have cleared a lot if not all of the
attachment malware given the huge 80 to 100 percent hit rate Virus Total
returned when testing files selected randomly from Dr Bontchev's list.


Re: Police try to arrest robot

Martin Ward <martin@gkc.org.uk>
Fri, 23 Sep 2016 10:40:58 +0100
This one didn't pass my "smell test".  The Mirror has been known to publish
faked news reports in the past (google Harambe McHarambeface).

Given that the previous "escapes" of the robot have been debunked:
http://bgr.com/2016/06/17/robot-run-fake-promobot-escape/
this one seems unlikely to be genuine.

Dr Martin Ward STRL Principal Lecturer & Reader in Software Engineering
martin@gkc.org.uk  http://www.cse.dmu.ac.uk/~mward/

  [Then there's the old story about the person who was moving a disk unit
  from one part of a building at NSA to another section in which there was a
  downward-sloping passage across a security barrier that was protected by a
  guard trained to shoot anyone who crossed without appropriate credentials.
  According to the legend, apocryphal or otherwise, the heavy disk unit got
  away from its mover, and the guard shot it.  PGN]


Re: The risks of getting your email address wrong (Kumar, R-29.78)

"John Levine" <johnl@iecc.com>
23 Sep 2016 02:40:30 -0000
Ha, ha.  If you knew my name and guessed what my Gmail address is, you would
guess right.  But my name is quite common, and a lot of other people with
names similar to mine wrongly think that my address is their address.  A
very persistent John Levine is a doctor about whom I know quite a lot,
including at which hospitals he bids for shifts.  I've also gotten

The normal approach for verifying an e-mail address is to send a message to
it with a click here if that was you who signed up and (too often missing)
click there if it wasn't you.  But a lot of marketers apparently think
that's too hard, and why would someone give us the wrong address?  I've
heard truly bizarro stories of a person who was getting someone else's bank
statements, and when he called the bank to tell them, they wouldn't talk to
him since of course, he wasn't the person whose statements they were sending
to him.


Re: Microsoft dismisses Exchange vulnerability report (Houppermans)

Bill Stewart <billstewart@pobox.com>
Fri, 23 Sep 2016 09:44:34 -0700
One partial mitigation to the vulnerability is to maintain separate
webservers for your domain.com inside and outside your corporate firewall,
so that if employees' Exchange clients do try to reach http(s)://domain.com/
before checking mailserver.domain.com, they'll get your inside one, which is
presumably less vulnerable than your outside one.  This also requires split
DNS servers or similar firewall settings.


Re: PC without OS (Maziuk, RISKS-29.78)

Martin Ward <martin@gkc.org.uk>
Fri, 23 Sep 2016 15:35:28 +0100
On 17/09/16 19:58, Dimitri Maziuk wrote:
>> So, consumers are unable to buy a PC from a major manufacturer
>> without paying the "Microsoft Tax": whether they want to or not.
>
> No, the monopoly OS supplier can pay PC makers to include a copy of
> Windows with every PC they are selling *for $500*. Nobody's stopping
> them from selling barebones PCs *for $1000*.

Things that are perfectly reasonable for a company to do when there is ample
competition become exploitation when the company has a monopoly.  For
example, EpiPens which cost $1 to make are sold for $608 because they can
save lives and there is no competition.

Goldman Sachs made billions from speculating in food prices, while 200
million people starved, by creating a partial monopoly:

http://www.independent.co.uk/voices/commentators/johann-hari/johann-hari-how-goldman-gambled-on-starvation-2016088.html
https://www.theguardian.com/global-development/2011/jan/23/food-speculation-banks-hunger-poverty

Because they are a monopoly, Microsoft can sell Windows at a greatly
inflated price and then offer big discounts to major PC suppliers: provided
they buy a copy of Windows for every PC they sell, and follow Microsoft's
every whim.  They wield enormous power over suppliers (and governments).

When the first "netbooks" came out, they were not powerful enough to run
Windows.  Microsoft grudgingly allowed suppliers to sell them with Linux
installed. Many people began to realise that Linux on a cheap netbook could
do everything they needed: with a cheaper laptop and a longer battery
life. Microsoft soon put a stop to that!


Re: PC without OS (Ward, RISKS-29.78)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Fri, 23 Sep 2016 09:58:42 -0500
> Things that are perfectly reasonable for a company to do when there
> is ample competition become exploitation when the company has
> a monopoly.

They're not sued for being a monopoly. There are anti-trust laws for that.

The ruling is that a business entity is not required to disclose the details
of a deal it made with another business entity to anyone who bothers to ask.
Obviously, you can't rule otherwise and have free market capitalism at the
same time.

There should be a special name for unstated middle that is also blatantly
untrue.

  [PS for PGN: my apologies for getting you dragged into this: my original
  comment was about "Internet journalism" where the catchy headline
  "Consumers have no right to buy a PC without an OS, European court rules"
  and has no relation to the actual court ruling being reported on.  It has
  nothing to do with Evil Capitalism bashing.  Sorry about feeding that.
  DM]

    [DM, thanks!  Your initial message seemed worthy for RISKS, and I try
    not to blow the relevance whistle too often on successive messages, but
    I do try to excise ensuing discourse when it wanders too far afield.
    PGN]
