The RISKS Digest
Volume 29 Issue 90

Tuesday, 8th November 2016

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

"Your WiFi-connected thermostat can take down the whole Internet. We need new regulations."
Bruce Schneier
Hack Your Own Car in USA
IEEE Spectrum
TSA biometrics
Detroit CBS
"XSS flaw on Wix leaves the door open to worms"
Fahmida Y. Rashid
Blockchain is Eating Wall Street
Alex Tapscott
Re: denied jackpot—this number seems familiar!
Walter Hunt
Trolley challenge in Indiana
TV news via Al Mac
Hack-a-day stingray
Eli the Bearded
Squirrels and voting
Mark Thorson
Re: German voting system, for comparison
Sheldon
Re: Undetectable election hacking?
David Brodbeck
Rob Slade
Jim Hickstein
Paul Edwards
Re: Mirai and Anna Senpai
Derek J Decker
Info on RISKS (comp.risks)

"Your WiFi-connected thermostat can take down the whole Internet. We need new regulations." (Bruce Schneier)

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 4 Nov 2016 1:53:04 PDT
Bruce Schneier, *The Washington Post*, 3 Nov 2016
The government has to get involved in the "Internet of Things."
https://www.washingtonpost.com/posteverything/wp/2016/11/03/your-wifi-connected-thermostat-can-take-down-the-whole-internet-we-need-new-regulations/?utm_term=.284c3ae330c1&tid=sm_tw

Bruce Schneier is a security technologist and a lecturer at the Kennedy
School of Government at Harvard University. His latest book is "Data and
Goliath: The Hidden Battles to Collect Your Data and Control Your World."

Late last month, popular websites like Twitter, Pinterest, Reddit and PayPal
went down for most of a day. The distributed denial-of-service attack that
caused the outages, and the vulnerabilities that made the attack possible,
was as much a failure of market and policy as it was of technology. If we
want to secure our increasingly computerized and connected world, we need
more government involvement in the security of the Internet of Things—and
increased regulation of what are now critical and life-threatening
technologies. It's no longer a question of if, it's a question of when.

First, the facts. Those websites went down because their domain name
provider—a company named Dyn—was forced offline. We don't know who
perpetrated that attack, but it could have easily been a lone hacker.
Whoever it was launched a distributed denial-of-service attack against Dyn
by exploiting a vulnerability in large numbers—possibly millions—of
Internet-of-Things devices like webcams and digital video recorders, then
recruiting them all into a single botnet. The botnet bombarded Dyn with
traffic, so much that it went down. And when it went down, so did dozens of
websites.

Your security on the Internet depends on the security of millions of
Internet-enabled devices, designed and sold by companies you've never heard
of to consumers who don't care about your security.

The technical reason these devices are insecure is complicated, but there is
a market failure at work. The Internet of Things is bringing computerization
and connectivity to many tens of millions of devices worldwide. These
devices will affect every aspect of our lives, because they're things like
cars, home appliances, thermostats, lightbulbs, fitness trackers, medical
devices, smart streetlights and sidewalk squares. Many of these devices are
low-cost, designed and built offshore, then rebranded and resold. The teams
building these devices don't have the security expertise we've come to
expect from the major computer and smartphone manufacturers, simply because
the market won't stand for the additional costs that would require. These
devices don't get security updates like our more expensive computers, and
many don't even have a way to be patched. And, unlike our computers and
phones, they stay around for years and decades.

An additional market failure illustrated by the Dyn attack is that neither
the seller nor the buyer of those devices cares about fixing the
vulnerability. The owners of those devices don't care. They wanted a webcam
—or thermostat, or refrigerator—with nice features at a good price. Even
after they were recruited into this botnet, they still work fine—you can't
even tell they were used in the attack. The sellers of those devices don't
care: They've already moved on to selling newer and better models. There is
no market solution because the insecurity primarily affects other people.
It's a form of invisible pollution.

And, like pollution, the only solution is to regulate. The government could
impose minimum security standards on IoT manufacturers, forcing them to make
their devices secure even though their customers don't care. They could
impose liabilities on manufacturers, allowing companies like Dyn to sue them
if their devices are used in DDoS attacks. The details would need to be
carefully scoped, but either of these options would raise the cost of
insecurity and give companies incentives to spend money making their devices
secure.

It's true that this is a domestic solution to an international problem and
that there's no U.S. regulation that will affect, say, an Asian-made product
sold in South America, even though that product could still be used to take
down U.S. websites. But the main costs in making software come from
development. If the United States and perhaps a few other major markets
implement strong Internet-security regulations on IoT devices, manufacturers
will be forced to upgrade their security if they want to sell to those
markets. And any improvements they make in their software will be available
in their products wherever they are sold, simply because it makes no sense
to maintain two different versions of the software. This is truly an area
where the actions of a few countries can drive worldwide change.

Regardless of what you think about regulation vs. market solutions, I
believe there is no choice. Governments will get involved in the IoT,
because the risks are too great and the stakes are too high. Computers are
now able to affect our world in a direct and physical manner.

Security researchers have demonstrated the ability to remotely take control
of Internet-enabled cars. They've demonstrated ransomware against home
thermostats and exposed vulnerabilities in implanted medical devices.
They've hacked voting machines and power plants. In one recent paper,
researchers showed how a vulnerability in smart lightbulbs could be used to
start a chain reaction, resulting in them all being controlled by the
attackers—that's every one in a city. Security flaws in these things could
mean people dying and property being destroyed.

Nothing motivates the U.S. government like fear. Remember 2001? A
small-government Republican president created the Department of Homeland
Security in the wake of the Sept. 11 terrorist attacks: a rushed and
ill-thought-out decision that we've been trying to fix for more than a
decade. A fatal IoT disaster will similarly spur our government into action,
and it's unlikely to be well-considered and thoughtful action. Our choice
isn't between government involvement and no government involvement. Our
choice is between smarter government involvement and stupider government
involvement. We have to start thinking about this now. Regulations are
necessary, important and complex—and they're coming. We can't afford to
ignore these issues until it's too late.

In general, the software market demands that products be fast and cheap and
that security be a secondary consideration. That was okay when software
didn't matter—it was okay that your spreadsheet crashed once in a while.
But a software bug that literally crashes your car is another thing
altogether. The security vulnerabilities in the Internet of Things are deep
and pervasive, and they won't get fixed if the market is left to sort it out
for itself. We need to proactively discuss good regulatory solutions;
otherwise, a disaster will impose bad ones on us.


Hack Your Own Car in USA (IEEE Spectrum)

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Wed, 2 Nov 2016 19:38:08 -0500
You may own your car, but you don't own the software that makes it work --
that still belongs to your car's manufacturer. You're allowed to use the
software, but in the past, trying to alter it in any way (including fixing
it by yourself when it breaks or patching security holes) was a form of
copyright infringement. iFixit, Repair.org, the Electronic Frontier
Foundation (EFF), and many others think this is ridiculous,
<http://ifixit.org/blog/8510/car-repair-illegal-dmca/> and they've been
lobbying the government to try to change things.

A year ago, the U.S. Copyright Office agreed that people should be able to
modify the software that runs cars that they own, and as of last Friday [Oct
28], that ruling came into effect.  It's good for only two years, though, so
get hacking.
<https://www.gpo.gov/fdsys/pkg/FR-2015-10-28/pdf/2015-27212.pdf#page=10>

The legal and technical distinction between physical ownership and digital
ownership is perhaps most familiar in the context of DVD movies. You can go
to the store and buy a DVD, and when you do, you own that DVD. You don't,
however, own the movie that comes on it: Instead, it's more like you own
limited rights to watch the movie, which is a very different thing. If the
DVD is protected by Digital Rights Management (DRM) software, the Digital
Millennium Copyright Act (DMCA) says that you are not allowed to circumvent
that software, even if you're just trying to watch the movie on a different
device, change the region restriction so that you can watch it in a
different country, or do any number of other things that it really seems
like you should be able to do with a piece of media that you paid 20 bucks
for.

Cars work in a similar way. You own the car as a physical object, but you
only have limited rights to the software that controls it, because the car's
manufacturer holds the copyright on that software. This prevents you from
making changes to the software, even if those changes are to fix problems or
counter obsolescence, as well as preventing you from investigating the
security of the software, which can have very serious and direct
consequences for you as the owner and driver.
<http://spectrum.ieee.org/cars-that-think/transportation/self-driving/hackers-take-control-of-a-moving-jeep>
It's also worth pointing out that
(especially in older vehicles like the 1995 Volvo 940 Turbo belonging to a
certain anonymous journalist) relatively simple computerized parts can cost
a ridiculous amount of money to replace because there is no legal
alternative besides buying a new one from the manufacturer, who hasn't made
them in 20 years and would much rather you just bought an entirely new car
anyway. [...]

This comes with a few caveats,

You still can't mess with the vehicle entertainment system, since you could
hypothetically use it to commit copyright infringement. You can't screw
around with any kind of telematics that you might find, either. And you're
definitely not allowed to make modifications that break other laws,
including emissions laws.
<http://spectrum.ieee.org/cars-that-think/transportation/advanced-cars/vws-slow-agony-illustrates-carmakers-problem-with-software>
http://spectrum.ieee.org/cars-that-think/transportation/systems/its-now-temporarily-legal-to-hack-your-own-car

  [Spectrum article also noted by Steven Cheung.  See also *WiReD*:
https://www.wired.com/2016/10/hacking-car-pacemaker-toaster-just-became-legal/
  PGN]


TSA biometrics (Detroit CBS)

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Wed, 2 Nov 2016 12:56:34 -0500
    [This item contains some uninformed "journalism".  See Al Mac's
    comments below before you respond.  PGN]

  Detroit has a new airport 'security' thing called "CLEAR", wherein
  they [try to] take all 10 fingerprints, an iris scan, a high res photo of
  the face...  That is an incredible amount of information.  They also
  charge $ 179 a year for this alleged high speed path thru airport
  security.

  CLEAR is now in operation at the Detroit Metro Airport's McNamara
  Terminal.  Certified as a "qualified anti-terrorism technology" by the
  U.S. Department of Homeland Security (DHS), CLEAR has been used more than
  five million times to move travelers quickly through airport security
  lines at 16 other airports.

  "They validate their identity using a knowledge-based quiz, they use a
  government identification that's validated using technology, and then we
  link it to their biometrics—we take 10 fingerprints with a digital
  reader, we take a scan of their iris, and we take a high-res photo of
  their face," said CLEAR spokesperson David Cohen.

  Cohen said the initial sign-up process takes about five minutes and after
  that, getting through security lines should be a breeze. He said there are
  special lines for CLEAR customers that can be a great time-saver for
  travelers, who will still have to pass through X-Rays and body scans.

  "Our customers go through the TSA security process in minutes. They come
  to a CLEAR lane, that lane is going to be open and available for them to
  validate their identity on the spot, a process in itself that takes less
  than a second," he said.

  Membership to use CLEAR costs $179 per year. New members who enroll at the
  airport receive a one-month free trial and can use CLEAR immediately.

http://detroit.cbslocal.com/2016/10/27/new-system-at-detroit-metro-airport-allows-travelers-to-move-through-airport-security-in-a-flash/

What can go wrong?  Well, TSA previously has had schemes to expedite people
through airport security, which have allegedly not worked out so well, at
all airports.  There are now several such systems in operation, where a
frequent traveler needs to evaluate what's involved in each, to decide which
combination to get.

Comments, on the above link, include:

CLEAR is "new" only to Detroit.  Other Airports have been using it for
years.

* TSA has many cheaper alternatives, which allegedly perform the same
  service, and are much less intrusive.

* This is another security measure which would not have stopped 9/11.

https://www.clearme.com/where-is-clear/
http://thepointsguy.com/2015/03/clear-expedited-airport-security-program-is-it-worthwhile/

As explained by the above link, there are several different versions of
CLEAR.

I am a senior (age 72).  When I have to have my fingerprints taken, the
process takes at least an hour, because fingerprints fade on older people.
We wait in line to have this done.  Younger people zip through, 5 minutes or
less.  Then one of us older people arrives, and the people behind us have to
wait an extra hour, per senior, because the digital scan has to be redone
scores of times, before they are able to get the desired info.

  [I first heard about Detroit CLEAR from V.]


"XSS flaw on Wix leaves the door open to worms" (Fahmida Y. Rashid)

Gene Wirchenko <genew@telus.net>
Fri, 04 Nov 2016 10:42:58 -0700
Fahmida Y. Rashid, InfoWorld, 3 Nov 2016
A researcher found a cross-site scripting flaw in Wix templates that a worm
could have used to infect all Wix-hosted sites, but couldn't find a way to
report the vulnerability
http://www.infoworld.com/article/3137956/security/xss-flaw-on-wix-leaves-the-door-open-to-worms.html

[selected text:]

  "Austin claimed he repeatedly tried to contact Wix to get the
  vulnerability fixed, but despite creating a support ticket and directly
  emailing support@wix.com, never received a response. When he emailed
  security@wix.com with details of the flaw, he received an automated reply
  stating that security@wix.com "may not exist, or you may not have
  permission to post messages to the group." Austin decided to publicly
  disclose the flaw because it could be exploited by a worm.

  "The debate between private and public disclosure is never-ending, and it
  usually boils down to the organization's responsiveness. It appears Wix
  quietly closed the vulnerability after Austin's public disclosure since
  the proof of concept no longer works, which indicates Wix could have
  responded and fixed the issue swiftly and avoided Austin going public in
  the first place."

I have had the issue of not being able to report a problem in other areas.
Google Maps was one.  It was confusing NE (Northeast) and SE (Southeast)
streets in Salmon Arm, British Columbia, Canada.  I could not find a way to
report the problem.  Then, there are full voice mailboxes and the like.


Blockchain is Eating Wall Street (Alex Tapscott)

Don Tapscott and Alex Tapscott <info@tapscott.com>
November 2, 2016 at 10:43:57 AM EDT
Alex Tapscott at TEDxSanFrancisco (via Dave Farber)

TED recently asked Alex Tapscott to deliver the first TED talk about how
blockchain is transforming the global financial system. Alex is co-author
(with father Don) of the Globe and Mail #1 bestselling book Blockchain
Revolution: How the Technology Behind Bitcoin is Changing Money, Business,
and the World.

In the talk, which was given live to a full house at TEDx San Francisco,
Alex argues that blockchain gives us another kick at the can to reinvent
financial services for a new era of trust and legitimacy. Titled Blockchain
is Eating Wall Street, Alex calls on the industry's leaders to step up and
join the blockchain revolution.


Re: denied jackpot—this number seems familiar! (RISKS-29.89)

Walter Hunt <walter.hunt@ca.rr.com>
Thu, 03 Nov 2016 11:11:16 -0700
http://ktla.com/2016/11/01/new-york-woman-denied-43-million-jackpot-by-casino-is-offered-steak-dinner-2-25-instead/

  Jackpot that the casino says is a malfunction: $42,949,672
  Magic number stuck in my head: 0xffffffff == 4294967295

I'm going to go out on a limb and say it probably is a malfunction.
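The arithmetic behind Walter's hunch, as an added example (not part of the RISKS post or the news story): if a slot machine keeps its credit or payout register as an unsigned 32-bit count of cents, the ceiling 0xffffffff = 4294967295 cents displays as exactly $42,949,672 once the cents are dropped. The block below shows that conversion, a check an auditor could apply to a suspicious displayed payout (does any cent value behind the whole-dollar figure equal UINT32_MAX?), what a 32-bit counter does when pushed past its ceiling, and a saturating add capped at a configured maximum payout as the defensive alternative. The function names, the cent-counter assumption and the configured cap are the example's own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Whole dollars that a display shows for a given number of cents.
   4294967295 / 100 == 42949672, the figure from the news story. */
uint64_t dollars_shown_for_cents(uint64_t cents)
{
    return cents / 100;
}

/* A whole-dollar display hides the cents, so the true value lies somewhere in
   [d*100, d*100+99]. Return true when that interval contains UINT32_MAX,
   i.e. the display is consistent with a saturated 32-bit cent counter. */
bool consistent_with_uint32_max(uint64_t whole_dollars)
{
    uint64_t lo = whole_dollars * 100;
    return lo <= UINT32_MAX && UINT32_MAX <= lo + 99;
}

/* What an unsigned 32-bit counter does past its ceiling: it wraps to zero.
   Unsigned overflow is well-defined in C, which is exactly why it goes
   unnoticed until a display shows a nonsensical number. */
uint32_t add_wrapping(uint32_t a, uint32_t b)
{
    return a + b;
}

/* Defensive alternative: clamp at a configured ceiling (assumed here to be
   the machine's maximum legitimate payout) instead of wrapping or letting
   the register run to UINT32_MAX. */
uint32_t add_saturating(uint32_t a, uint32_t b, uint32_t cap)
{
    if (a > cap) return cap;
    if (b > cap - a) return cap;   /* a + b would exceed cap */
    return a + b;
}

int main(void)
{
    /* Constructed inputs: the posted jackpot and a nearby, unrelated amount. */
    uint64_t posted = 42949672ULL;
    uint64_t other  = 42949673ULL;
    uint32_t max_payout_cents = 250000000u;   /* assumed $2.5M cap */

    printf("UINT32_MAX cents displays as $%llu\n",
           (unsigned long long)dollars_shown_for_cents(UINT32_MAX));
    printf("$%llu consistent with saturated counter: %s\n",
           (unsigned long long)posted,
           consistent_with_uint32_max(posted) ? "yes" : "no");
    printf("$%llu consistent with saturated counter: %s\n",
           (unsigned long long)other,
           consistent_with_uint32_max(other) ? "yes" : "no");
    printf("UINT32_MAX + 1 wraps to %u\n", add_wrapping(UINT32_MAX, 1u));
    printf("saturating add stops at %u cents\n",
           add_saturating(UINT32_MAX - 5u, 10u, max_payout_cents));
    return 0;
}
```

The check is deliberately a range test rather than an equality test: the display already threw away the two low digits, so any of a hundred cent values could sit behind the printed dollars, and only one of them is the 32-bit ceiling.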


Trolley challenge in Indiana (TV news)

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Fri, 4 Nov 2016 12:28:05 -0500
There has been much discussion of self-driving car software ethics vs.
human real-life ethics, with questions whether there have been any real life
events that resemble the trolley choices.

Near where I reside, a car was going too fast for local conditions, came
around a curve and found 35 students crossing the road, in the path of the
car, so the driver deliberately crashed into the school bus, to avoid
hitting the kids.

http://www.14news.com/story/33628281/evansville-school-bus-unloading-students-hit-by-car


Hack-a-day stingray

Eli the Bearded <*@eli.users.panix.com>
Fri, 4 Nov 2016 20:06:27 -0400 (EDT)
This art project shows just how easy it is to build your own Stingray.
(Hat tip to November 2nd hackaday.com)

https://julianoliver.com/output/stealth-cell-tower

  Stealth Cell Tower is an antagonistic GSM base station in the form of an
  innocuous office printer. It brings the covert design practice of
  disguising cellular infrastructure as other things - like trees and
  lamp-posts - indoors, while mimicking technology used by police and
  intelligence agencies to surveil mobile phone users.

And to think, previously I only worried about Internet-connectedness of
printers...


Squirrels and voting

Mark Thorson <eee@sonic.net>
Fri, 4 Nov 2016 19:51:46 -0700
Two among the most popular topics in RISKS are squirrels and voting, and now
we have both here:

Following a squirrel incident, polling station had to resort to paper.
  http://www.cnn.com/2016/11/03/politics/squirrel-voting-outage/index.html

  [A squirrel is "a kind of arboreal rodent having a long bushy tail".
  It might be coincidental that we had "bushy" candidates.  PGN]


Re: German voting system, for comparison (Koenig, RISKS-29.89)

Sheldon <sheldon10101@gmail.com>
Fri, 4 Nov 2016 15:36:06 -0400
The United States can't simply go to a paper ballot, counted by hand.

The problem is actually counting ballots when you may have many offices and
even ballot initiatives on a single ballot.

In Canada, the same simple plain paper ballot as in Germany is used in
provincial and federal elections when you are voting for only one
office. They are counted by hand. It works fine. I've counted them.

For local elections, I once counted by hand a ballot with more than 5
offices on one ballot. They were a nightmare to count by hand. That's why
for local elections where I live, a large plain paper ballot is used, but
the ballot is counted using an OCR scanner. That's how some ballots are
counted in the US. Almost everyone marks the ballot by hand; however, there
are machines for those with disabilities who want to mark their ballots
themselves: the machine takes the voter's input in many different ways and
outputs the same paper ballot everyone else uses, marked so it can be counted
by the OCR scanner.


Re: Undetectable election hacking? (Macintyre, RISKS-29.89)

David Brodbeck <david.m.brodbeck@gmail.com>
Mon, 31 Oct 2016 18:21:09 -0700
> "I suspect cyber security is poorer on similar machines in convenience
> stores & gas pumps, than bank ATMs.  Who maintains those machines & do
> they need any relevant qualifications to be hired?"

I was handed the keys to one based on nothing but being "the computer guy,"
so I'd say no, no qualifications whatsoever.  Mind you, I wasn't expected to
do any configuration—mostly I was expected to extract $20 bills that had
gotten wadded up in the feed mechanism—but I did have physical access to
everything except the interior of the safe.


Re: Undetectable election hacking? (RISKS-29.89)

Rob Slade <rmslade@shaw.ca>
Mon, 31 Oct 2016 18:22:44 -0700
> As for accuracy, I have occasionally got an extra bill, like I asked for
> three (3 @ $ 20), but actually got 4.

Interesting.  Have you, or any of the other people, ever asked for 4 and got 3
instead?

Being a professional paranoiac, I generally count my bills when I go to the
ATM.  I say "generally," because, having never found an error in at least 30
years, my paranoia is weakening.

I also say "when I go to the ATM" because we are using less and less cash as
time goes by.  Banks are making their money off us in other ways than
exchanging cash.

So I suspect that a) Canadian banks may use more robust machines than
American banks (per our very weak anecdotal study, here) and b) all banks
are less concerned about giving away extra cash out of ATMs given the small
volume of cash business they conduct.

Cost/benefit, and all that.


Re: Undetectable election hacking?

Jim Hickstein <jxh@jxh.com>
Mon, 31 Oct 2016 23:19:30 -0500
I wonder how many of those people don't even know it happened.  It never
happened to me—as far as I know.  I always take my daily limit, some 15
bills, but a vague sense of threat stops me from standing there counting my
money in public (with a nod to Kenny Rogers), even inside a branch of my
bank.  I suppose I could have been shortchanged, too.

The people supplying the ATMs probably know all too well how much is lost,
if not to whom.  Anyone got stats?


Re: Undetectable election hacking (threedaygoaty, RISKS-29.89)

Paul Edwards <paule@cathicolla.com>
Sat, 5 Nov 2016 12:58:01 +1100
> The AEC does not automatically enroll voters but the states do.  At least
> VIC and NSW that I know of.

Thanks for that — I didn't know that.

At this stage the offspring are all politically engaged and can't wait to
vote, so they won't be too fussed by the automatic enrollment.

Checked with a mate of mine who works for the VEC, and he confirmed that the
staff member at the ballot box is within their rights to not allow a vote to
be submitted if that staff member concludes that no effort has been made to
complete the ballot. He was quite vague on exactly what happened after that
(does the voter have to get a fresh ballot? Do they get unmarked as having
voted, etc.) although to be fair he's an IT dude at the VEC and not front of
house.  So, a person wishing to avoid a fine would still have to go to the
booth, get their name marked off, fiddle around in a cubicle and then drop
the ballot box in the receptacle.


Re: Mirai and Anna Senpai

Derek J Decker <derek@decker.net>
Tue, 1 Nov 2016 11:42:24 -0400
I have seen several other people try to gain insight into the character of
the Mirai perpetrator based on the choice of handle—but none have gone
much farther than this, and perhaps miss the point entirely.

Anna-senpai is a character in manga and anime series "Shimoneta to Iu Gainen
ga Sonzai Shinai Taikutsu na Sekai", usually abbreviated as "Shimoneta". The
usual English translation of this title is "A Boring World Where the Concept
of 'Dirty Jokes' Does Not Exist"

I could attempt to describe what sort of person the character of Anna is in
this franchise, but this 48-second youtube clip does a much better job than
my poor powers of description:

  <https://www.youtube.com/watch?v=cz4U2TvXkqw>

Sometimes, in the world of computer security, or anywhere else, instead of
speculating about something we're not familiar with, it's helpful to ask a
person with expertise in that field.  Or maybe ask Google.

  [Derek, Thanks for your "expertise", senpai!  RISKS has always relied on
  knowledgeable readers to help.  That's why I have continued to run it for
  thirty years.  I have never pretended to be an oracle.  PGN]
