The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 03

Monday 19 December 2016

Contents

Patient data encapsulated inside .exe file
Henry Baker
The EAC was itself hacked!
Elliott Hannon
US feds cyberattack US states
Al Mac
How France's TV5 was almost destroyed by 'Russian hackers'
Herb Lin
Richard OBrien
Evernote to read customer notes
Al Mac
Home routers under attack in ongoing malvertisement blitz
Ars Technica
Millions exposed to malvertising that hid attack code in banner pixels
Ars
Stop using Netgear routers with unpatched security bug, experts warn
Ars
Tech in Cars: What Happens When the Wheels Outlast the Wireless
WSJ
The FCC Just Approved a Landmark New Way For Deaf People to Communicate
Motherboard
Re: Audi Cars Now Talk To Stop Lights In Vegas
Richard Bos
Re: Yahoo Says 1 Billion User Accounts Were Hacked
Arthur Flatau
Re: Interview with Charles Delavan ...
Larry Sheldon
Re: SHAME ON YOU, GOOGLE!
Michael Marking
LW
Craig Burton
LW
CB
LW
Info on RISKS (comp.risks)

Patient data encapsulated inside .exe file

Henry Baker <hbaker1@pipeline.com>
Thu, 15 Dec 2016 14:31:46 -0800
I recently had occasion to transport some patient diagnostic data of a
family member from one doctor to another, so I examined the data on the disk
to see what format it was.

Basically, *all of the data was incorporated into a compressed (Windows)
executable file*.!?!

This strategy of delivering patient data is so wrong on so many levels
that I don't even know where to start.

1. The *only* non-security-researcher way to examine the data is to *execute
   an unknown .exe file*.  Can you say malware?  Can you say OPM hack?  Can
   you say DNC hack?  Can you say ransomware for a doctor's office or an
   entire hospital?  It should not be necessary to view patient data within
   a clean air-gapped virtual machine which must be restarted from scratch
   every time.

2. Security by obscurity is no security at all.  Embedding data within an
   executable file is not secure from anyone with the proper tools.  If by
   any chance you can actually get access to the data, it isn't encrypted at
   all.

3. The idea of embedding patient data into programs that will be obsolete in
   2 years is sheer insanity.  This means that normal bitrot will make these
   data inaccessible decades before the patient no longer needs them.
   Patient data needs to be accessible via open source viewer programs that
   can continue to be updated and used for multiple decades.

4. The (unencrypted) data also included live *video* of the patient, which
   was not disclosed to the patient at the time of the diagnostic procedure.
   I can't even begin to guess how many privacy regulations were broken when
   gathering, storing and distributing these video data.

Bottom line: No wonder hospitals and doctor's offices are so easily hacked
and patient records either disclosed or held for ransomware (or both), with
these insecure-by-design types of products and procedures.


The EAC was itself hacked! (Elliott Hannon)

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 18 Dec 2016 12:09:13 PST
Elliot Hannon, *Slate*, 15 Dec 2016
Agency in Charge of U.S. Election Standards and Best Practices
Reportedly Also Got Hacked

http://www.slate.com/blogs/the_slatest/2016/12/15/agency_in_charge_of_u_s_election_standards_and_best_practices_reportedly.html

The vulnerabilities of the American electoral system don't stop at email
hacks.  As Reuters reports following the 8 Nov election the U.S. Election
Assistance Commission, the very federal agency that is charged with testing
and certifying state voting systems, was itself hacked. The hack was
discovered by a cybersecurity firm that detected someone selling logins to
the Election Assistance Commission on the black market. The Russian-speaking
hacker had more than 100 logins for commission employees and was attempting
to sell them for as little as a few thousands dollars to Middle Eastern
countries.

What is the potential fallout from such a breach? From Reuters:

The election commission certifies voting systems and develops standards for
technical guidelines and best practices for election officials across the
country.  Though much of the commission's work is public, the hacker gained
access to non-public reports on flaws in voting machines. In theory, someone
could have used knowledge of such flaws to attack specific machines, said
Matt Blaze, an electronic voting expert and professor at the University of
Pennsylvania. The researchers were confident that the hacker moved to sell
his access soon after getting it, meaning that he was not inside the system
before election day.

The Election Assistance Commission issued a statement
<https://www.eac.gov/eac_reports_potential_breach_of_web-facing_application/>
Thursday evening on the breach:

  The EAC is currently working with Federal law enforcement agencies to
  investigate the potential breach and its effects. The EAC does not
  administer elections. State and local jurisdictions run elections.  The
  EAC does not collect or store any personal information of voters. The EAC
  does not maintain voter databases.  The EAC does not tabulate or store
  vote totals.

  [Ken Nitz also noted a TechCrunch item on that story.  PGN]
https://techcrunch.com/2016/12/15/the-government-body-that-oversees-the-security-of-voting-systems-was-itself-hacked/


US feds cyberattack US states

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Thu, 15 Dec 2016 20:07:14 -0600
The U.S. state of Georgia traces 10 cyberattacks to U.S. federal agency DHS
(Dept of Homeland Security).

Kentucky & West Virginia experienced similar attacks, confirmation
uncertain.

http://www.politico.com/story/2016/12/georgia-donald-trump-cyberattacks-dhs-232648
http://www.hannity.com/articles/election-493995/breaking-3-state-election-agencies-confirm-15397026/
http://www.wsbtv.com/news/local/more-states-confirm-cyber-attacks-sourced-to-dhs/476227320
http://www.wsbtv.com/news/georgia/georgia-secretary-of-state-says-cyberattacks-linked-back-to-dhs/475707667

[Since DHS was been stonewalling GA requests for clear explanations, maybe
it is time for state of GA to issue a FOIA (Freedom of Information) request
to DHS, and also request an IG (Inspector General) investigation.]

Possible explanations:

* DHS, and other US fed agencies, are authorized to do white-hat penetration
  tests of organizations they are supposedly regulating, but such tests
  should be promptly followed up with notification to the tested sites what
  they did why, and any problems they found.  With large government
  agencies, there can be break downs in communications.

* Some hackers manage to disguise their attacks, so they appear to come from
  some place else (spoofing).

* IGs (Inspectors general) have found vulnerabilities in many government
  systems.  Crooks often exploit one place, then use its connections to
  others, to also penetrate the others.  This could be the beginnings of a
  breach, where DHS has been hacked to support such attacks.

* The dates of the attacks indicate this may be part of the alleged hacking
  of 2016 election.

In related news, a growing number of members, of the US Electoral College
are demanding an intelligence briefing about what the CIA found out about
possible Russian interference in the US 2016 election, before they can do
their job.  If their request is denied, that's maybe enough to cause Donald
Trump to not win the election, and move the decision to US House of
Representatives.

http://www.politico.com/story/2016/12/electoral-college-members-intel-briefing-232554

http://thehill.com/blogs/blog-briefing-room/news/310220-electoral-college-members-demanding-briefing-on-russian
http://thehill.com/homenews/campaign/310316-over-50-dem-electors-sign-letter-calling-for-intelligence-briefing

Alternatively, this could delay the Electoral College deciding 2016
election, originally scheduled for 19 Dec 2016.

http://thehill.com/homenews/campaign/310381-house-dem-wants-electoral-college-vote-delayed-until-after-intelligence


Re: How France's TV5 was almost destroyed by 'Russian hackers'

Herb Lin <herblin@stanford.edu>
Sun, Dec 18, 2016 at 6:57 AM
  [via Dave Farber, who previously noted this URL:]
    http://www.bbc.com/news/technology-37590375

A chilling story indeed.  But I think the key paragraph is this one:

  It was a race against time—more systems were corrupted with every
  passing minute.  Any substantial delay would have led satellite
  distribution channels to cancel their contracts, placing the entire
  company in jeopardy.

In other words, it was customers canceling contracts that was the ultimate
threat to the company.  This particular story thus indicates the value of
destructive cyberattacks in prompting or instigating large-scale reaction
that can amplify by many times the effect of any given attack.

An interesting question arises—did the attackers know in advance that
their attack would place the very economic survival of the company at risk?
Or had they *merely* intended wreak havoc that they expected would have only
short term effects?  Was the existential nature of threat to the company
just fortuitous from their perspective?

If the first (they knew in advance), it seems like an exercise in predicting
second order effects—this time, second order effects that are
psychological, legal, and economic in nature, rather than technical.  That's
a significant expansion of the space that planners of an attack must account
for—and defenders too.

Senior Research Scholar, Center for International Security and Cooperation
Research Fellow, Hoover Institution, Stanford University


How France's TV5 was almost destroyed by 'Russian hackers' (Re: Lin, RISKS-30.03)

Richard OBrien <Richard.OBrien@paymentpathways.com>
Sun, Dec 18, 2016 at 1:06 PM
Herb Lin's comments spotlight a force multiplier effect when psychological,
legal and economic boundaries are crossed.

However, we should remain vigilant of *any* use of cyberweaponry.  If DDOS
attack sources can be taken as a proxy indicator for bad guy geography, may
I suggest there's nothing unique about attacks from Russia.
http://www.digitalattackmap.com/#anim=1&color=1&country=ALL&list=2&time=17153&view=map

Building Walls is a failed doctrine, not worth revisiting.  Building
Verified Trust infrastructure is a better doctrine.  To paraphrase Thomas
Friedman's recent book *Thank You for Being Late*, "Verified Trust is the
best performance enhancing drug on the market.  Mere Trust is an
anachronism.  It means Lack of Knowledge.  The world needs frameworks for
new rules to [e]nsure access to Verified Trust.

https://www.kirkusreviews.com/book-reviews/thomas-l-friedman/thank-you-for-being-late/


Evernote to read customer notes

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Thu, 15 Dec 2016 20:25:06 -0600
If you are an Evernote customer, with notes you want to keep confidential,
perhaps you better learn how to encrypt them, using an encryption system
other than one supplied by Evernote.

Some notes may be related to development of something needing intellectual
property protection & you not want Evernote employees to get it protected
before you, or open a competitor effort.

Quite possibly many similar services have spied on their customers, and not
yet revealed that fact.

Evernote updates its privacy to let its employees read the notes of Evernote
customers.  They cannot opt out of this.

https://help.evernote.com/hc/en-us/articles/235660588
http://www.pcworld.com/article/3150479/security/bye-privacy-evernote-will-let-its-employees-read-your-notes.html
http://www.gsmarena.com/evernote_updates_its_privacy_policy_to_allow_employees_to_read_your_notes_and_you_cant_opt_out_of_th-blog-22185.php
http://www.forbes.com/sites/thomasbrewster/2016/12/14/worst-privacy-policy-evernote/#33bb8351977c


Home routers under attack in ongoing malvertisement blitz (Ars Technica)

Monty Solomon <monty@roscom.com>
Sun, 18 Dec 2016 01:02:00 -0500
http://arstechnica.com/security/2016/12/home-routers-under-attack-in-ongoing-malvertisement-blitz/


Millions exposed to malvertising that hid attack code in banner pixels (Ars Technica)

Monty Solomon <monty@roscom.com>
Sun, 18 Dec 2016 01:06:22 -0500
http://arstechnica.com/security/2016/12/millions-exposed-to-malvertising-that-hid-attack-code-in-banner-pixels/


Stop using Netgear routers with unpatched security bug, experts warn (Ars Tecnica)

Monty Solomon <monty@roscom.com>
Sun, 18 Dec 2016 01:08:13 -0500
http://arstechnica.com/security/2016/12/unpatched-bug-allows-hackers-to-seize-control-of-netgear-routers/


Tech in Cars: What Happens When the Wheels Outlast the Wireless (WSJ)

Monty Solomon <monty@roscom.com>
Sun, 18 Dec 2016 15:10:42 -0500
http://www.wsj.com/amp/articles/tech-in-cars-what-happens-when-the-wheels-outlast-the-wireless-1481976000

  [Wheel just have to learn to use sneakernets, or else sneakers!  PGN]


The FCC Just Approved a Landmark New Way For Deaf People to Communicate (Motherboard)

Lauren Weinstein <lauren@vortex.com>
Sun, 18 Dec 2016 09:52:03 -0800
via NNSquad
http://motherboard.vice.com/read/the-fcc-just-approved-a-landmark-new-way-for-deaf-people-to-communicate

  As a result of the FCC's action, the nation's wireless carriers and device
  manufacturers will be required to support RTT functionality, which allows
  real-time text messaging--without the need to hit "send"--in which the
  recipient can instantly see letters, characters and words as they are
  being typed.  "We now have the opportunity--as we design our new
  communications system that is based on internet-protocol--to finally make
  our nation's communications systems accessible to everyone," FCC Chairman
  Wheeler said at the agency's monthly meeting last Thursday.  This
  innovation will facilitate more natural, conversation-friendly
  communication for deaf and hard of hearing people--without the need for
  separate, specialized hardware.  It will also allow 911 operators to
  receive incomplete messages during an emergency, potentially saving
  lives. RTT technology is expected to be interoperable across wireless
  networks and devices, creating the potential for unprecedented ease of
  communication between deaf and hearing people.


Re: Audi Cars Now Talk To Stop Lights In Vegas (Goldberg, RISKS-30.01)

Richard Bos
Thu, 15 Dec 2016 20:31:50 GMT
This is a bad idea even when the system is not cracked or otherwise
technically insecure. What happens if an emergency vehicle comes up from
behind? What happens if a rogue driver (intentionally or because of, oh I
dunno, a stroke) drives straight at the stalled vehicle?

Of course, there are already drivers who turn off their engines at traffic
lights. IMAO that's a bad idea already, but at least those drivers
_actively_ do so, and are therefore aware that they did. Now imagine that a
driver tries to get out of the way of an incoming vehicle, and finds that
his car has turned itself off without his active intervention... which of us
would _not_ panic and do the wrong thing? I know I probably would!

Of course, Elon Musk c.s. will say, the solution is to fit all emergency
vehicles with an automatic get-your-car-out-of-the-way WiFi signal. What
could go wrong? Well, even ignoring _other_ reasons to want to move
promptly, how would we guarantee that all emergency vehicles in all
countries in which these cars are sold use the same system? And how do we
guarantee that the signal is not interrupted? It's pretty damn hard to
interrupt a siren, but a WiFi signal?

I have no problem with "giving drivers the information they need". When it
comes to "bypassing the driver"... bad idea even in a crackerless world.


Re: Yahoo Says 1 Billion User Accounts Were Hacked (RISKS-30.02)

Arthur Flatau <flataua@acm.org>
Fri, 16 Dec 2016 11:46:15 -0600
I have seen or heard news reports that suggest an *additional* billion
accounts were hacked (although not The NY Times article referenced).  No
doubt many if not most of the 500 million accounts hacked in the second
(chronologically) hack were included in the 1 billion accounts hacked in the
first incident—though presumably by different people.


Re: Interview with Charles Delavan ... (RISKS-30.02)

Larry Sheldon <lfsheldon@gmail.com>
Thu, 15 Dec 2016 21:02:27 -0600
See the fifth item in the "Interview with Charles Delavan on Podesta's
e-mail" (Slate, on an IT Authority in a high-placed organization approving
the opening of a phish that did become somewhat phamous.

I have simplified my instructions to the occasional person that respects my
experience and expertise in the matter of malicious email.

  "If you feel the need to stop and think about opening something of the
  need to ask somebody if they think you should open|react to|respond to it,
  the answer is "No.  Delete it (via a "spam" reporting facility if
  available).  If your account is in fact in trouble, do nothing can not
  make it worse.  The next time you access the account in the normal routine
  of things you will be notified of the problem and probably referred to a
  telephone number for assistance."


Re: SHAME ON YOU, GOOGLE! (LW R 30 01, Burton R 30 02) RISKS-30.02)

Michael Marking <marking@tatanka.com>
Fri, 16 Dec 2016 08:10:39 +0000
I agree with Burton, and like his insights.  However, I don't think
Weinstein's idea of assessing the credibility of linked pages is a
reasonable option for Google.

Google is a running popularity contest, not a research tool. Pages which are
popular will more likely be satisfying to others looking for them.  The
model they use in their business is much more successful than the previous,
manually curated page ranking system used by their predecessors.

Since it's a popularity contest, not a judgment, they can claim that they're
only providing information from others, not making value determinations
themselves. (I ignore, for now, the ways in which an algorithm such as
theirs can introduce or amplify bias.)

Google could have difficulty ranking based on some definition of "truth":
they might risk legal liability toward those who considered themselves
unfairly judged. Their approach, claiming that they make no judgments and
have no biases, and keeping the algorithm secret to protect themselves from
attacks, is a logical one which minimizes their own risk. As soon as they
were to claim to measure the "truth" level of a site, or even to offer an
"unbiased" list of the common arguments on the "top ten" or "most
controversial" topics, they'd open themselves up to attack.

I see the risk here, given all of the debate, that Congress might enact laws
to create some kind of system similar to that of credit rating agencies,
which would nullify the common law bases for liability for slander and
libel. If a credit rating agency gets your credit report wrong, you have to
go through some procedure to get it changed. But they aren't liable for
damages occasioned by the negligence. Under common law, even repeating a
libelous or slanderous statement is, by itself, libelous or slanderous, so
there is an incentive to be careful to avoid repeating erroneous data. Under
common law, if they make mistakes or are negligent, they would have to pay
for the damage, but the statutory law and administrative regulations give
them a safe harbour. They have only a small incentive to avoid errors: as
long as their reports are "mostly" accurate, they don't lose
business. (Compare with the national crime database, replete with errors,
and with no incentive to correct them.  I've met two people who each spent
some time in jail due solely to errors in that database.)

Suppose that Congress were to create a national agency to "rate" web sites
based on their supposed accuracy. In its typical fashion, it would create an
elaborate, unfair, and arduous appeal process to contest a bad rating, but
it would also create a safe harbour for those who faithfully followed the
ratings. By the time an erroneous, bad rating was corrected, it usually
would be too late to do any good, and with the safe harbour there would be
no incentive to get it right in the first place.

The foregoing presupposes that there is, anyway, an acceptable, scientific,
unbiased method to determine the truthfulness of a site's content.

As for the Holocaust deniers, well, I've known too many guys with numbers
tatooed on their forearms for me to accept that line.  On the other hand, I
see no safe way to create our own incorruptible Reichsministerium für
Volksaufklärung und Propaganda. It would end up hiding the atrocities
committed against the Palestinians and the genocide against the indigenous
peoples and others. Should we not also warn against those who deny the
Native American Holocaust, or the estimated hundreds of millions who died as
a direct result of colonialism and the slave trade, or those deaths caused
by neocolonialism, or those killed by environmental toxins and destruction?
Each of these tolls is more than six million, do they also not deserve a
place in the warning system? What about deaths due to climate change? These
all have their deniers. Where should this end?  Who will decide? No
institution or institutionalized mechanism is beyond error or even beyond
malice. It would be like the lie which says that we have a "government of
laws". Yes, we have laws, but men and women decide which ones to enforce,
and against whom.

The only "fair" approach I can envision is one that allows each search
customer to choose a rating mechanism, or none at all. (In truth, the
searchers are the product, delivered to advertisers, they are not the
customers, but let's not quibble.) For example, if I were to belong to the
Church of the Living Yogurt Culture, and were to trust their view of things,
then I should be able to enable some Church-provided script which would show
a Yogurt Score alongside each result. A little coordination and a few
browser plugins should do it. A different customer doing the same search but
belonging to the Pterodactyl Temple would get his own institution's rating,
instead. With a selectable rating system, the various competing offerings
would have to earn the trust of potential users, and accuracy and truth
might become valuable coins. Their success might be highly dependent upon
their reputations, so there'd be a big risk to lying even a little.

The cigarette people wouldn't admit that their product might cause harm, but
eventually they were compelled to put a warning on their packages, telling
of the risks of smoking. Studies have shown that the warning has been
significantly effective in reducing smoking. Maybe we could try for a
warning message with search engines. My modest proposal:

  WARNING: Search results are based in part on the popularity of pages and
  do not necessarily reflect the truth or falsehood of the contents of those
  pages. Furthermore, the position of pages is subject to manipulation by
  various techniques known to be employed by domestic and foreign
  governments, corporations, special interest groups, individuals, and
  businesses offering what is known as "search engine optimization (SEO)"
  services. We ourselves may employ algorithms, confidential to us, and for
  our own reasons, which might affect the position of pages in the search
  results. Neither we nor any of them are under any obligation whatsoever to
  tell you the truth. These search results are provided for entertainment
  purposes only, 'as is' without warranty of any kind, expressed or implied,
  including, but not limited to, the IMPLIED WARRANTIES OF MERCHANTABILITY
  AND FITNESS FOR A PARTICULAR PURPOSE. You may have other rights under the
  law in specific jurisdictions, and are advised to consult an attorney, but
  be advised that attorneys, too, have been known to prevaricate. Moreover,
  the law requires us to act in the best interests of our shareholders, and
  sometimes it is in their best interests for us to hide the truth.

    [Additional warning about selling personal information and tracking data
    is probably too much off-topic, so I'll omit it.]

As for any kind of Ministry of Truth to rate the veracity or accuracy of web
sites, whether that Ministry be commercial or governmental or non-profit, I
believe it's fair to say that such an idea ought obviously to be viewed as a
non-starter, except in some backward countries such as... oh, never mind.


Re: SHAME ON YOU, GOOGLE! (Marking, RISKS-30.02)

Lauren Weinstein <lauren@vortex.com>
Fri, 16 Dec 2016 08:00:09 -0800
The biggest risk—as you note—is that governments will move into this
space, which strongly suggests that proactive actions by these firms to more
appropriately deal with these issues—as I have suggested *and as Facebook
has just announced it is deploying*—are the best approaches to avoid
heavy-handed Ministries of Truth.  But I again assert that the status quo is
not tenable.  Fake news sites are leveraging Google's lack of ANY labeling
along the lines I've suggested—and AdSense—to turn lies into lucrative
income streams doing enormous damage.  Eventually the pushback will reach a
level where dangerous kneejerk reactions by government are inevitable,
unless policies are improved proactively now.


Re: SHAME ON YOU, GOOGLE! (Weinstein, RISKS-30.03)

Craig Burton <craig.alexander.burton@gmail.com>
Sat, 17 Dec 2016 21:23:12 +1100
Lauren, I suspect you mean Google policies are needed and hopefully not
public policies, which are likely to be a poor fit.  I agree in this case,
particularly with fake news in AdSense. I'm concerned the line between
superfluous goods made to seem like we need them and deceptive content made
to look like news worth consuming is a fine line for google policy.

The holocaust denier page was a web page.  If it had AdSense (I admit I
refused to visit it) then an ad may well get many views and clicks.  But I'm
sure it breaks laws in several countries to profit from hate let alone make
it searchable in the first place.

The solution is vigilance, but I can see only a kind of manual reporting
list like sorbs [Spam and Open Relay Blocking System], with its concomitant
mistaken or malicious blocks.  The proper policies would be great, but they
would need to be enforced.


Re: SHAME ON YOU, GOOGLE! (Burton, RISKS-30.03)

Lauren Weinstein <lauren@vortex.com>
Sat, 17 Dec 2016 07:56:44 -0800
Government actions in this sphere are the worst case outcomes.  Proactive
actions by the firms involved *may* help to forestall at least some of these
and perhaps the worst of them.


Re: SHAME ON YOU, GOOGLE! (Weinstein, RISKS-30.03)

Craig Burton <craig.alexander.burton@gmail.com>
Sun, 18 Dec 2016 21:41:18 +1100
https://www.theguardian.com/technology/2016/dec/17/holocaust-deniers-google-search-top-spot


Re: SHAME ON YOU, GOOGLE! (Burton, R-30.03)

Lauren Weinstein <lauren@vortex.com>
Sun, 18 Dec 2016 07:56:57 -0800
That [Guardian] article is confusing ads (which are always marked as such on
Google Search results pages) with organic results (which are not influenced
by ads).  So his creating an ad insert says nothing at all about the organic
results, which are what are actually at issue here.

  [OK.  I'm going to try to blow the whistle on this thread, even though it
  is still computer-related.  Diminishing returns?  PGN]

Please report problems with the web pages to the maintainer

Top