The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 29

Saturday 13 May 2017

Contents

Fiat Chrysler Recalls 1.2 Million Ram Pickups Over Faulty Software
Bill Vlasic and Neal E. Boudette
Today's Massive Ransomware Attack Was Mostly Preventable—Here's How To Avoid It
Gizmodo
Dozens of countries hit by huge cyberextortion attack
McClatchy
A British researcher says he found a kill switch for the malware crippling computers worldwide
The Washington Post
Hackers Use Tool Taken from NSA in Global Attack
Nicole Perlroth and David E. Sanger
Indicators Associated With WannaCry Ransomware
US-CERT
WARNING: Antivirus sites may be helping to SPREAD the current global malware ransomware WannaCry attack!
Lauren Weinstein
Global 'Wana' Ransomware Outbreak Earned Perpetrators $26,000 So Far
Krebs
The Joy of Tech comic: The Internet of ransomware things!
GeekCulture
Vehicle lien recorded in name of cartoon characters
Mark Brader
Cochrane Report on IHealth EHR: Lessons for engaging users to provide QA feedback
Island Health via Kelly Bert Manning
Microsoft patches Windows XP to fight 'WannaCrypt' attacks
Engadget via LW
Malware and The Cloud
Lauren Weinstein
"How the Macron campaign slowed cyberattackers"
Fahmida Y. Rashid
Counter intelligence in the French elections - this changes cybersecurity forever.
Gadi Evron
Facebook takes to newspapers to teach UK users how to spot "fake news"
Ars Technica
"HP computer owners: Check for the MicTray Conexant keylogger"
Woody Leonhard via Gene Wirchenko
MUST READ "Open MIC" report: Corporate responsibility in an age of alternative facts—with emphasis on Facebook and Google
Lauren Weinstein
China Is on Track to Fully Phase Out Cash
Motherboard
Sony PlayStation leads to the arrest of 15-member gang
Diomidis Spinellis
UK Telecomms Service Stopped by Bureaucracy
Chris Drewe
Crash with Impact
The New York Times
NYU Accidentally Exposed Military Code-Breaking Computer Project to Entire Internet
Sam Biddle
Confidential patient data breach at NYC's Bronx Leb Hospital
Data Breaches via danny burstein
Security Alert from Intel concerning Business-grade Processors with detection tool— followup
Bob Gezelter
"Supply chain attack on HandBrake video converter app hits Mac users"
Lucian Constantin
The FCC says an attack—not John Oliver—hampered its website
The Washington Post
U.S. military cyber operation to attack ISIS last year sparked heated debate over alerting allies
The Washington Post
Re: Someone hacked every tornado siren in Dallas. It was loud.
Jim Reisert
Progress To Date on Deepwater Horizon
Earl Boebert
Re: The Lost Picture Show
Dimitri Maziuk
Gabe Goldberg
Brian Inglis
Jeff Jonas
Re: Man gets fined for discovering an engineering flaw
John Levine
Re: Senseless Government Rules Could Cripple the Robo-Car Revolution
Mike Spencer
Re: Bobby Tables and electoral fraud
Dave Horsfall
Kelly Bert Manning
Info on RISKS (comp.risks)

Fiat Chrysler Recalls 1.2 Million Ram Pickups Over Faulty Software (Bill Vlasic and Neal E. Boudette)

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 13 May 2017 08:13:18 PDT
*The New York Times*, 13 May 2017

After one death and two injuries, the recall is intended to fix faulty
software that can disable airbags and seatbelt tension devices.
Reportedly, "normal restraint-system function may be restored" by
turning the ignition off and on again.


Today's Massive Ransomware Attack Was Mostly Preventable—Here's How To Avoid It (Gizmodo)

Lauren Weinstein <lauren@vortex.com>
Fri, 12 May 2017 16:27:31 -0700
NNSquad
http://gizmodo.com/today-s-massive-ransomware-attack-was-mostly-preventabl-1795179984

  Here's what happened: Unknown attackers deployed a virus targeting
  Microsoft servers running the file sharing protocol Server Message Block
  (SMB). Only servers that weren't updated after March 14 with the MS17-010
  patch were affected; this patch resolved an exploit known as EternalBlue,
  once a closely guarded secret of the National Security Agency, which was
  leaked last month by ShadowBrokers, a hacker group that first revealed
  itself last summer.  The ransomware, aptly named WannaCry, did not spread
  because of people clicking on bad links. The only way to prevent this
  attack was to have already installed the update.


Dozens of countries hit by huge cyberextortion attack (McClatchy)

Lauren Weinstein <lauren@vortex.com>
Fri, 12 May 2017 15:10:41 -0700
via NNSquad
http://www.mcclatchydc.com/news/politics-government/national-politics/article150231887.html

  Dozens of countries were hit with a huge cyberextortion attack Friday that
  locked up computers and held users' files for ransom at a multitude of
  hospitals, companies and government agencies.  The attack appeared to
  exploit a vulnerability that was purportedly identified by the U.S.
  National Security Agency for its own intelligence-gathering purposes and
  was later leaked to the Internet.  Britain's national health service was
  hit hard, its hospitals forced to close wards and emergency rooms. Spain,
  Portugal and Russia were also struck.  Several cybersecurity firms said
  they had identified the malicious software behind the attack in upward of
  60 countries, with Russia apparently the hardest hit.

    [On the UK NHS, danny burstein noted
    UK hospital system suffering nationwide computer issues
    (The Guardian):

      NHS hospitals across England hit by large-scale cyber-attack
      Immediately on discovery of the problem, the trust acted to protect
      its IT systems by shutting them down; it also meant that the trust's
      telephone system is not able to accept incoming calls.
https://www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack

  See Also
    http://www.bbc.co.uk/news/health-39899646
  PGN]


A British researcher says he found a kill switch for the malware crippling computers worldwide (The Washington Post)

Lauren Weinstein <lauren@vortex.com>
Sat, 13 May 2017 07:50:05 -0700
via NNSquad
https://www.washingtonpost.com/news/worldviews/wp/2017/05/13/a-british-researcher-says-he-found-a-kill-switch-for-the-malware-crippling-computers-worldwide/

  By purchasing the domain name and registering a website, the cybersecurity
  researcher claims that he activated a kill switch. It immediately slowed
  the spread of the malware and could ultimately stop its current version,
  cybersecurity experts said Saturday ... About 3 p.m. Eastern time, the
  specialist with U.S. cybersecurity enterprise Kryptos Logic bought an
  unusually long and nonsensical domain name ending with "gwea.com." The
  22-year-old says he paid $10.69, but his purchase might have saved
  companies and governmental institutions around the world billions of
  dollars.


Hackers Use Tool Taken from NSA in Global Attack (Nicole Perlroth and David E. Sanger)

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 13 May 2017 08:20:04 PDT
*The New York Times*, 13 May 2017 (front page)

A digital `perfect storm' hits hospitals, businesses, and a Russian ministry
on 12 May 2017.  By the end of the day, the attack had spread to more than
74 countries.  According to Kaspersky Lab (a Russian cybersecurity company),
Russia was the worst-hit, then Ukraine, India, and Taiwan.  This seems to
have been the largest ransomware attack to date.  It was triggered by a
simple phishing attack, and is believed to have exploited a vulnerability
with a method developed—and leaked from or stolen from—NSA.  [PGN-ed]


Indicators Associated With WannaCry Ransomware (US-CERT)

Lauren Weinstein <lauren@vortex.com>
Sat, 13 May 2017 08:39:09 -0700
via NNSquad
https://www.us-cert.gov/ncas/alerts/TA17-132A

  According to numerous open-source reports, a widespread ransomware
  campaign is affecting various organizations with reports of tens of
  thousands of infections in as many as 74 countries, including the United
  States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The
  software can run in as many as 27 different languages.  The latest version
  of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor,
  was discovered the morning of May 12, 2017, by an independent security
  researcher and has spread rapidly over several hours, with initial reports
  beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting
  indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.  This
  Alert is the result of efforts between the Department of Homeland Security
  (DHS) National Cybersecurity and Communications Integration Center (NCCIC)
  and the Federal Bureau of Investigation (FBI) to highlight known cyber
  threats. DHS and the FBI continue to pursue related information of threats
  to federal, state, and local government systems and as such, further
  releases of technical information may be forthcoming.


WARNING: Antivirus sites may be helping to SPREAD the current global malware ransomware WannaCry attack!

Lauren Weinstein <lauren@vortex.com>
Sat, 13 May 2017 09:08:37 -0700
Lauren's Blog
https://lauren.vortex.com/2017/05/13/warning-antivirus-sites-may-be-helping-to-spread-the-current-global-malware-ransomware-wannacry-attack

It has been reported that a researcher discovered that spread of the current
worldwide ransomware attack can be halted after he registered the domain:

  http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

and built a sinkhole website that the malware could check. Reportedly
the malware does not continue spreading if it can reach this site.
HOWEVER, various antivirus websites/services are now reportedly adding
that domain to their "bad domain" lists! If sites infected with this
malware are unable to reach that domain due to their firewalls
incorporating rules from antivirus sites that include a block for that
domain, the malware will likely continue spreading across their
machines. Your systems MUST be able to access the domain above if this
malware blocking trigger is to be effective, according to the current
reports that I'm receiving!
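
  [An added example, not part of Lauren's post or of the reports it cites:
  a small Python check that asks the same question the malware reportedly
  asks, namely whether this host can resolve the sinkhole domain above and
  complete a direct HTTP request to it. The resolver and fetch functions
  are injectable (an assumption of this example, so the logic can be run
  offline with fakes); the domain is the one named in the post. The
  "halts"/"spreads" verdict labels are this example's own.]

```python
import http.client
import socket
from typing import Callable

# The sinkhole domain named in the post above. Reportedly the malware stops
# spreading if it can reach it, so a block on this name works against you.
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def direct_http_get(ip: str, host: str, timeout: float) -> int:
    """Plain HTTP GET straight to the resolved IP; returns the status code.

    Connecting to the IP, with the name only in the Host header, keeps this
    a direct TCP/HTTP check of the endpoint's own path: no proxy settings
    are consulted, so a proxy that can reach the site does not mask a host
    that cannot.
    """
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        return conn.getresponse().status
    finally:
        conn.close()


def check_kill_switch(domain: str = KILL_SWITCH_DOMAIN,
                      resolve: Callable[[str], str] = socket.gethostbyname,
                      fetch: Callable[[str, str, float], int] = direct_http_get,
                      timeout: float = 5.0) -> dict:
    """Report whether this host can resolve and fetch the kill-switch domain.

    Returns a dict with dns/http booleans, the resolved ip, the HTTP status,
    any error text, and a verdict: "halts" when the domain is reachable (the
    malware's own check would succeed) or "spreads" when DNS or the
    connection fails, which is what a block-list entry produces. The resolve
    and fetch callables exist only so the logic can be exercised offline
    with fakes (an assumption of this example, not malware behaviour).
    """
    result = {"domain": domain, "dns": False, "http": False,
              "ip": None, "status": None, "error": None, "verdict": "spreads"}
    try:
        result["ip"] = resolve(domain)
        result["dns"] = True
    except OSError as exc:            # socket.gaierror is an OSError
        result["error"] = f"dns: {exc}"
        return result
    try:
        # Any HTTP answer at all means the connection went through; the
        # reports describe reachability, not a particular page or status.
        result["status"] = fetch(result["ip"], domain, timeout)
        result["http"] = True
        result["verdict"] = "halts"
    except (OSError, http.client.HTTPException) as exc:
        result["error"] = f"http: {exc}"
    return result


if __name__ == "__main__":
    r = check_kill_switch()
    print(f"{r['domain']}: dns={r['dns']} ip={r['ip']} http={r['http']} "
          f"status={r['status']} -> malware {r['verdict']}"
          + (f" ({r['error']})" if r["error"] else ""))
```

  Run it from the hosts or network segments in question, not from an
  administrator's workstation that sits behind different rules. The second
  step matters: a resolver that answers a blocked name with 0.0.0.0 passes
  the DNS test and fails the connection, which is exactly the outcome the
  post warns about. The verdict describes the reported behaviour of the
  current version only; a variant with a different domain, or none, would
  not be stopped by reaching this one.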


Global 'Wana' Ransomware Outbreak Earned Perpetrators $26,000 So Far

Lauren Weinstein <lauren@vortex.com>
Sat, 13 May 2017 16:11:39 -0700
NNSquad
https://krebsonsecurity.com/2017/05/global-wana-ransomware-outbreak-earned-perpetrators-26000-so-far/

  As thousands of organizations work to contain and clean up the mess from
  this week's devastating Wana ransomware attack, the fraudsters responsible
  for releasing the digital contagion are no doubt counting their earnings
  and congratulating themselves on a job well done. But according to a
  review of the Bitcoin addresses hard-coded into Wana, it appears the
  perpetrators of what's being called the worst ransomware outbreak ever
  have made little more than USD $26,000 so far from the scam.


The Joy of Tech comic: The Internet of ransomware things!

Lauren Weinstein <lauren@vortex.com>
Sat, 13 May 2017 11:32:42 -0700
via NNSquad

http://www.geekculture.com/joyoftech/joyarchives/2340.html


Vehicle lien recorded in name of cartoon characters

Mark Brader
Thu, 11 May 2017 15:13:01 -0400 (EDT)
Apparently, some time ago someone in the Ontario provincial government's
computer systems was running a test simulating the addition of a lien to the
information record about someone's vehicle.  For the lienholder's name they
used fictional characters from the old animated TV show "The Flintstones" --
but for the vehicle they used a real VIN.

Result: the 75-year-old woman who owned the vehicle found herself
blocked from selling it until the bogus lien was cleared.  Apparently
this took 9 months, but the matter only became public this week.

Naturally, the government is saying this was the only such case and
it won't happen again, while the opposition takes a different view...

   http://www.cbc.ca/news/anykey-1.4109296


Cochrane Report on IHealth EHR: Lessons for engaging users to provide QA feedback (Island Health)

Kelly Bert Manning <Kelly.Manning@ncf.ca>
Mon, 8 May 2017 12:02:38 -0400 (EDT)
http://ihealth.islandhealth.ca/2016/11/the-cochrane-report/
http://ihealth.islandhealth.ca/wp-content/uploads/2016/11/Summary-of-Recommendations.pdf
http://ihealth.islandhealth.ca/wp-content/uploads/2016/11/ihealth-review-2017.pdf
http://vancouverisland.ctvnews.ca/video?clipId=1115112

 "Issue reporting and resolution

  At roll out, when users were highly supportive and enthusiastic, they
  actively engaged in reporting issues of performance, usability and
  safety. At the time, reporting was accepted through multiple sources
  including the Patient Safety Learning System (PSLS), health
  informaticists, the Help Desk, emails, red dot reports and meetings. Peer
  mentors and informaticists were actively engaged in addressing issues as
  they arose.

  Unfortunately, follow up with users that had reported a concern was
  inconsistent. Many users reported an absence of feedback. The reasons for
  the lack of feedback are not clear but may relate to the volume of issues
  being reported and Island Health's capacity to address them. As a result,
  from the users' perspective, many issues remained unexplained and
  unresolved, undermining confidence in the safety of the system and the
  effectiveness of the reporting systems. Users stopped reporting because of
  fatigue and the lack of feedback.

  Some individuals who provided reports perceived that those responding to
  issues were transferring responsibility to the users. Explanations for
  issues included user error, bad habits, and users failing to remember.
  Island Health's reactions were described by interviewees as punitive and
  involved public shaming and bullying (see emotional responses below). It
  was claimed that there were no gaps in education or training, but rather
  gaps in remembering and a lack of engagement of staff for voluntary
  learning.

In a previous job a "Creating Satisfied Customers" course taught that a lack
of problem reports indicates a failed system for users to report concerns,
get status updates and see that concerns are addressed and resolved in a
timely fashion.

Many customers will choose another service provider or product if one is
available, and they keep encountering issues.

A minority of users will try to follow the problem reporting process. Most
will give up if they find it too much bother to complete and they keep
encountering issues.

Most will not bother to continue to report issues if they get no resolution
to the initial issue reports.

Very few will persist in requesting follow up status reports, particularly
if there is no regular feed back or perceived resolution. They just give up.


Microsoft patches Windows XP to fight 'WannaCrypt' attacks (Engadget)

Lauren Weinstein <lauren@vortex.com>
Sat, 13 May 2017 08:22:23 -0700
via NNSquad
https://www.engadget.com/2017/05/13/Microsoft-WindowsXP-WannaCrypt-NHS-patch/

  Microsoft officially ended its support for most Windows XP computers back
  in 2014, but today it's delivering one more public patch for the
  16-year-old OS. As described in a post on its Windows Security blog, it's
  taking this "highly unusual" step after customers worldwide including
  England's National Health Service suffered a hit from "WannaCrypt"
  ransomware.  Microsoft patched all of its currently supported systems to
  fix the flaw back in March, but now there's an update available for
  unsupported systems too, including Windows XP, Windows 8 and Windows
  Server 2003, which you can grab here (note: if that link isn't working
  then there are direct download links available in the Security blog post).

Sure, now that the spread has apparently been largely contained through
other means, Microsoft shows up, a day late and a dollar short, as usual.


Malware and The Cloud

Lauren Weinstein <lauren@vortex.com>
Sat, 13 May 2017 13:31:04 -0700
via NNSquad
https://plus.google.com/+LaurenWeinstein/posts/cMA7HsuR7UC

I might note that there's a strong argument to be made that many of these
systems crippled by the current malware epidemic by all rights should have
instead had their data in the cloud, where professionals are able to keep
security and privacy parameters up to date.  Successful attacks are becoming
more common with virtually every OS.  And most systems in homes and offices
are not adequately backed up—if they're backed up at all. Fundamentally,
this tech has become too integral to society and too complex for amateurs to
maintain by themselves in the long run.

  [On the other hand, RISKS readers understand the "cloud" is not all
  that secure, and still entails [I originally wrote entrails] many risks,
  even though many cloud providers might have better security than small
  institutions, and a very large one—evidently, most of the
  U.S. Government!  PGN]


"How the Macron campaign slowed cyberattackers" (Fahmida Y. Rashid)

Gene Wirchenko <genew@telus.net>
Tue, 09 May 2017 10:12:57 -0700
Fahmida Y. Rashid, InfoWorld, 9 May 2017

Did the French president-elect's security team use cyberdeception techniques
to fight off phishing attacks? Submitting fake credentials definitely
qualifies
http://www.infoworld.com/article/3195018/security/how-the-macron-campaign-slowed-cyber-attackers.html

opening text:

In the wake of French president-elect Emmanuel Macron's victory over Marine
Le Pen, IT armchair quarterbacks should look at the Macron campaign's
security playbook for ideas on how to fight off targeted phishing and other
attacks.


Counter intelligence in the French elections - this changes cybersecurity forever.

Gadi Evron <gevron@gmail.com>
Tue, 9 May 2017 21:33:09 +0300
I'm extremely excited about what happened at the French elections.  Up until
today, when it comes to information operations, I could only look up to
Russia.  What (supposedly, we don't really know too much yet) in France
changes all that.

Add supposedly and likely to every sentence:
1. They seeded attack attempts with data that will slow them down.
   Sending credentials to phishing attempts.
2. They created a few fake documents, which allowed them when the time
   came to cast doubt on the entire data dump.

I wrote a full analysis based on what is currently known here, I hope you
enjoy it:
https://hackernoon.com/analyzing-a-counter-intelligence-cyber-operation-how-macron-just-changed-cyber-security-forever-22553abb038b

I am so excited a public case exists that shows thinking of the type I love
and live.  With cyberdeception they have essentially shown they can increase
the economic costs of the attackers to shift the burden of anomaly detection
to them.  I've bet my career and life on starting Cymmetria to do this, and
now—finally, someone else is thinking the same way I do, and more than
that, actively working on cyberdeception to control the battle ground and
act dynamically.

Interesting side-note:
Late last year the various French political parties were summoned to a
government brief on phishing attacks. All but one came to the meeting.


Facebook takes to newspapers to teach UK users how to spot "fake news" (Ars Technica)

Lauren Weinstein <lauren@vortex.com>
Mon, 8 May 2017 08:07:02 -0700
via NNSquad
https://arstechnica.com/business/2017/05/facebook-fake-news-newspaper-ad/

  Facebook has attempted to lightly rein in the spread of misinformation on
  the free content ad network by taking out full-page adverts in UK
  newspapers with "tips for spotting false news" ahead of next month's
  General Election.  The Mark Zuckerberg-run company, which has long-swerved
  any suggestion that it is the publisher of content that is shared on its
  site by nearly two billion people worldwide, makes it clear in its press
  ad that the onus is on its users to police dodgy-looking posts.  "Be
  skeptical of headlines," it warned.  Apparently, "catchy headlines in all
  caps with exclamation marks" could contain false news and users should be
  wary of clicking on clickbaity, screeching claims.


"HP computer owners: Check for the MicTray Conexant keylogger"

Gene Wirchenko <genew@telus.net>
Thu, 11 May 2017 15:27:19 -0700
Woody Leonhard, InfoWorld, 11 May 2017
The Conexant audio driver logs all keystrokes on certain HP machines and
publishes them to a file in the Public folder
http://www.infoworld.com/article/3196125/data-security/on-hp-computers-check-for-the-conexant-keylogger-called-mictray.html

selected text:

Swiss security firm modzero AG released a white paper (PDF) that contains
details about a keylogger in certain HP audio drivers. The keylogger stores
records of all of your keystrokes in a file located in the public folder
C:\Users\Public\MicTray.log.

The Security Advisory goes on to list almost 30 HP machines known to use the
bad drivers, ... including many current models.

Modzero says it found evidence of the problematic behavior going all the way
back to December 2015.  It's still there today with driver Version 1.0.0.46.

If the logfile does not exist or the setting is not yet available in Windows
registry, all keystrokes are passed to the OutputDebugString API, which
enables any process in the current user-context to capture keystrokes
without exposing malicious behavior.

I have no idea how the driver passed Microsoft certification, but apparently
it has.

Modzero isn't happy with the runaround it's getting from HP. The group says
it discovered the keylogger in MicTray 1.0.0.31 back on April 28.  Modzero
contacted Conexant the same day, and when the keylogger was found in the
latest audio drivers, it contacted HP Enterprise on May 1.  Then on May 5,
modzero got a response from HP Enterprise, which "tried to reach for
security folks at HP Inc. to gain attention."  Looks like HP Enterprise and
HP Inc. aren't talking to each other—I bet they start talking now.

  [Also noted by Al Mac;

https://www.modzero.ch/modlog/archives/2017/05/11/en_keylogger_in_hewlett-packard_audio_driver/index.html
https://consumerist.com/2017/05/12/keylogging-spyware-found-on-dozens-of-hp-laptop-models/
https://thenextweb.com/insider/2017/05/11/hp-is-shipping-audio-drivers-with-a-built-in-keylogger/#.tnw_OV69vf8G
HP list of their models affected:
https://www.modzero.ch/advisories/MZ-17-01-Conexant-Keylogger.txt

  ... and Bob Gezelter:
https://arstechnica.com/security/2017/05/hp-laptops-covert-log-every-keystroke-researchers-warn/

  PGN]


MUST READ "Open MIC" report: Corporate responsibility in an age of alternative facts—with emphasis on Facebook and Google

Lauren Weinstein <lauren@vortex.com>
Tue, 9 May 2017 10:40:40 -0700
NNSquad
http://fakenews.openmic.org/

  Among the recommendations discussed in this report:

  To avoid government regulation and/or corporate censorship of information,
  tech companies should carry out impact assessments on their information
  policies that are transparent, accountable, and provide an avenue for
  remedy for those affected by corporate actions.

  Tech companies should appoint ombudspersons to assess the impact of their
  content algorithms on the public interest.

  Tech companies should report at least annually on the impact their
  policies and practices are having on fake news, disinformation campaigns
  and hate speech. Reports should include definitions of these terms;
  metrics; the role of algorithms; the extent to which staff or
  third-parties evaluate fabricated content claims; and strategies and
  policies to appropriately manage the issues without negative impact on
  free speech.


China Is on Track to Fully Phase Out Cash (Motherboard)

Lauren Weinstein <lauren@vortex.com>
Fri, 12 May 2017 21:06:29 -0700
via NNSquad
https://motherboard.vice.com/en_us/article/china-cashless

  Experts believe it won't be long before China, the first country to
  introduce paper money, becomes the first to go totally cashless.

The better to track you by, my dear.


Sony PlayStation leads to the arrest of 15-member gang

Diomidis Spinellis <dds@aueb.gr>
Tue, 9 May 2017 12:19:48 +0300
A Sony PlayStation helped the police arrest 15 members of a gang that
specialized in stealing company safes in Greece last week.  According to the
police's press release [1], the gang members were involved in 145 cases,
including 58 armed robberies, 52 burglaries, and 24 car thefts.  In order to
evade detectives, the gang used hundreds of cellphones, stolen cars, fake
license plates, and diverse hideouts.  The "Kathimerini" daily newspaper
reports [2] that one of the leads that helped the police to narrow down on
the gang's members was a Sony PlayStation.  In December 2016 the gang stole
from a company 700 euros and a truck with 2179 PlayStation consoles.  The
police, in cooperation with Sony and the local ISPs, found that one of the
stolen consoles was used the next day at the house of one of the gang
members.

[1]
http://www.astynomia.gr/index.php?option=ozo_content&lang=%27..%27&perform=view&id=71085&Itemid=1883&lang
[2]
http://www.kathimerini.gr/908617/article/epikairothta/ellada/lhstes-twn-xrhmatokivwtiwn-to-krhsfygeto-sto-menidi-o-arravwnas-kai-to-klemmeno-playstation

Diomidis Spinellis - https://www.spinellis.gr/


UK Telecomms Service Stopped by Bureaucracy

Chris Drewe <e767pmk@yahoo.co.uk>
Thu, 11 May 2017 21:26:23 +0100
RISKS has featured telecomms services stopped by hack attacks, software
faults, infrastructure failures, and so forth, but one UK network has been
disabled by officialdom, according to reports in a couple of newspapers.
Years ago, pagers were widely used to keep in contact with people on the
move, but their use has greatly declined with the popularity of cellphones,
and the UK currently only has two service providers, PageOne, owned by
Capita, and Vodafone.  Vodafone wanted to transfer its 1,000 users to
PageOne, but the UK Competition and Markets Authority objected and wanted a
full investigation, which Vodafone didn't want to get involved with for such
a tiny market, so announced that it will simply close its service...


Crash with Impact

Bob Gonsalves <pinknoiz@me.com>
Sat, 13 May 2017 12:36:24 -0700
https://www.nytimes.com/2017/04/22/us/politics/james-comey-election.html

FBI agents in New York seized Mr. Weiner's laptop in early October. The
investigation was just one of many in the New York office and was not
treated with great urgency, officials said. Further slowing the
investigation, the F.B.I. software used to catalog the computer files kept
crashing.


NYU Accidentally Exposed Military Code-Breaking Computer Project to Entire Internet (Sam Biddle)

geoff goodfellow <geoff@iconia.com>
Thu, 11 May 2017 11:22:31 -1000
Sam Biddle, The Intercept, 11 May 2017
https://theintercept.com/2017/05/11/nyu-accidentally-exposed-military-code-breaking-computer-project-to-entire-internet/

In early December 2016, Adam was doing what he's always doing, somewhere
between hobby and profession: looking for things that are on the Internet
that shouldn't be. That week, he came across a server inside New York
University's famed Institute for Mathematics and Advanced Supercomputing,
headed by the brilliant Chudnovsky brothers, David and Gregory. The server
appeared to be an Internet-connected backup drive. But instead of being
filled with family photos and spreadsheets, this drive held confidential
information on an advanced code-breaking machine that had never before been
described in public. Dozens of documents spanning hundreds of pages detailed
the project, a joint supercomputing initiative administered by NYU, the
Department of Defense, and IBM. And they were available for the entire world
to download. [...]


Confidential patient data breach at NYC's Bronx Leb Hospital

danny burstein <dannyb@panix.com>
Wed, 10 May 2017 21:36:36 -0400 (EDT)
Third party vendor, rsync backups...

https://www.databreaches.net/confidential-medical-records-from-bronx-lebanon-hospital-exposed-online-by-vendors-error/


Security Alert from Intel concerning Business-grade Processors with detection tool— followup (downloadcenter)

"Bob Gezelter" <gezelter@rlgsc.com>
Mon, 08 May 2017 09:30:25 -0700
The security vulnerability involving Intel involves more than servers,
business laptops are also vulnerable.  Advice is to run the Intel tool to
determine vulnerability, then get the update from the manufacturer. The
Intel article also includes interim mitigation information.

Intel has released detailed notes on checking for the vulnerability. See
https://downloadcenter.intel.com/download/26755

An extensive article also appeared in The Register at:

https://arstechnica.com/security/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/


"Supply chain attack on HandBrake video converter app hits Mac users" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Mon, 08 May 2017 11:41:55 -0700
Lucian Constantin, ComputerWorld, 8 May 2017
Mac users who downloaded the app earlier this month may have their
computers infected with the Proton Trojan program
http://www.computerworld.com/article/3194935/security/supply-chain-attack-on-handbrake-video-converter-app-hits-mac-users.html

selected text:

Hackers compromised a download server for HandBrake, a popular open-source
program for converting video files, and used it to distribute a macOS
version of the application that contained malware.

The HandBrake development team posted a security warning on the project's
website and support forum on Saturday, alerting Mac users who downloaded and
installed the program from May 2 to May 6 to check their computers for
malware.

This is just the latest in a growing string of attacks over the past few
years in which attackers compromised software update or distribution
mechanisms.

Last week Microsoft warned of a software supply-chain attack in which a
group of hackers compromised the software update infrastructure of an
unnamed editing tool and used it to distribute malware to select victims:
mainly organizations from the financial and payment processing industries.

This is not the first time Mac users have been targeted through such attacks
either. The macOS version of the popular Transmission BitTorrent client
distributed from the project's official website was found to contain malware
on two separate occasions last year.
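
  [An added example, not HandBrake's own tooling and not from the article:
  the check a user in this position wants, hashing the downloaded artifact
  and comparing it in constant time against a SHA-256 manifest obtained
  from somewhere other than the mirror that served the file. The manifest
  format assumed is the common sha256sum output (digest, two spaces, file
  name); the file names and manifest lines used in it are constructed.]

```python
import hashlib
import hmac
import os
from typing import Dict, Union

HEX_SHA256_LEN = 64


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines ("<hex>  <name>" or "<hex> *<name>").

    Blank lines and '#' comments are skipped; anything else that is not a
    64-hex-digit digest followed by a name is rejected rather than ignored,
    because a silently dropped line is a missing check.
    """
    digests: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != HEX_SHA256_LEN:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts
        try:
            bytes.fromhex(digest)
        except ValueError:
            raise ValueError(f"digest is not hex: {line!r}") from None
        digests[name.lstrip("*")] = digest.lower()
    return digests


def sha256_of(source: Union[bytes, str, "os.PathLike[str]"],
              chunk: int = 1 << 20) -> str:
    """SHA-256 hex digest of in-memory bytes or of a file read in chunks."""
    h = hashlib.sha256()
    if isinstance(source, (bytes, bytearray)):
        h.update(source)
    else:
        with open(source, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
    return h.hexdigest()


def verify_artifact(source, name: str, manifest_text: str) -> bool:
    """True iff the artifact's SHA-256 matches the manifest entry for name.

    Raises KeyError when the manifest has no entry, since "not listed" must
    never be read as "verified". The comparison is constant-time; it costs
    nothing here and is the habit worth keeping.
    """
    expected = parse_sha256sums(manifest_text).get(name)
    if expected is None:
        raise KeyError(f"no manifest entry for {name!r}")
    return hmac.compare_digest(sha256_of(source), expected)


if __name__ == "__main__":
    import sys
    # usage: verify.py <downloaded-file> <SHA256SUMS obtained via another channel>
    path, manifest_path = sys.argv[1], sys.argv[2]
    with open(manifest_path, encoding="utf-8") as f:
        ok = verify_artifact(path, os.path.basename(path), f.read())
    print("OK" if ok else "MISMATCH: do not install")
    sys.exit(0 if ok else 1)
```

  The manifest must not come from the same server as the file: a mirror
  that has been replaced can serve matching hashes just as easily as a
  replaced installer. Take it from the project's own release page, a
  second mirror, or a checksum file signed with the maintainers' key, and
  check that signature with a key you obtained earlier rather than one
  offered next to the download.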


The FCC says an attack—not John Oliver—hampered its website

Monty Solomon <monty@roscom.com>
Mon, 8 May 2017 22:09:58 -0400
The FCC says an attack—not John Oliver—hampered its website.  John
Oliver renewed a call asking his viewers to support net neutrality rules.
https://www.washingtonpost.com/news/the-switch/wp/2017/05/08/the-fcc-says-an-attack-not-john-oliver-hampered-its-website/


U.S. military cyber operation to attack ISIS last year sparked heated debate over alerting allies

Monty Solomon <monty@roscom.com>
Tue, 9 May 2017 09:40:03 -0400
The Pentagon wanted to target servers in allied countries, but CIA, State
and FBI said those nations had to be notified.
https://www.washingtonpost.com/world/national-security/us-military-cyber-operation-to-attack-isis-last-year-sparked-heated-debate-over-alerting-allies/2017/05/08/93a120a2-30d5-11e7-9dec-764dc781686f_story.html


Re: Someone hacked every tornado siren in Dallas. It was loud.

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Wed, 10 May 2017 11:24:41 -0600
Denver, CO has upgraded their tornado warning system:

http://www.thedenverchannel.com/news/local-news/tornado-warning-system-in-denver-upgraded-after-dallas-hacking-incident

I love this paragraph:

  "The sirens in Denver can be activated from the OEM, Denver 911, or at
  DIA. The city holds 86 sirens. Each of them received new hardware, making
  it impossible for anyone to take over the system."

I wonder who will consider this a challenge?


Re: Progress To Date

Earl Boebert <bitsmasherpress@gmail.com>
Mon, 8 May 2017 14:36:50 -0600
  [This is a follow-up to earlier items on the book by Earl Boebert and
  James Blossom (RISKS-29.80), at my request.  PGN]

It's always a tense situation when you release a complex technical analysis
like our Deepwater Horizon book, one that I am familiar with from the many
National Academies studies I've been on: Is somebody going to appear from
nowhere and invalidate one of your main conclusions? The book came out in
October and so far the answer is, "not yet, anyway."  Reviews have been
sparse but good, and our informal working group has been joined by readers,
including the person who ran the simulations for the Chemical Safety Board
report. As a result of his work, the group thinks we have a plausible theory
for what failed down in the well. We'll be writing this up and adding it to
the website soon.  It suggests an answer to the last outstanding question,
but doesn't invalidate any of the conclusions in the book.


Re: The Lost Picture Show (DeMattia, RISKS-30.28)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Tue, 9 May 2017 14:05:50 -0500
We have a couple of obsolete drives sitting on the shelf in a server
room. At this point

a) I don't know what interface they have (some flavour of scsi I expect) but
   I'm certain we don't have a computer with that kind of interface card and

b) I am fairly certain the lubricants have solidified and rubber belts, if
   any, will either crack and turn into black dust, or ooze into a sticky
   black goo, the moment one tries to use them.

In theory you could retain the hardware indefinitely, but you have to choose
that hardware very carefully first.


Re: The Lost Picture Show: Hollywood Archivists Can't Outpace Obsolescence (IEEE Spectrum)

Gabe Goldberg <gabe@gabegold.com>
Sat, 13 May 2017 11:29:23 -0400
Hardware deteriorates (bearings, lubrication, plastics, connections, etc.).
I wouldn't trust a ten-year old drive to reliably spin up, let alone one
reaching back far further to read irreplaceable/historical archive
tapes. Since it'll be hard to acquire spare parts, how many copies of each
data generation's hardware would be needed? Then there's needing people
experienced in servicing them, plus manuals and schematics. And needing
computers capable of connecting to and driving them. And, of course, tapes
themselves deteriorate too.


Re: The Lost Picture Show: Hollywood Archivists Can't Outpace Obsolescence (DeMattia, RISKS-30.28)

Brian Inglis <Brian.Inglis@systematicsw.ab.ca>
Wed, 10 May 2017 21:31:38 -0600
> It most certainly does *not* mean that. It might mean that film
> archivists must retain hardware capable of reading the obsolescent
> tapes.

In order to do that, film archivists must have the capability to: archive
the tapes in readable condition; maintain hardware and their interfaces, and
spares for those; software to use those interfaces; documentation and media
for the hardware, software, operation, and maintenance; and retain staff
able to use and maintain those; to read the tapes, recover data going bad,
and write the contents to new media.

A rather larger set of requirements and risks to manage.  The biggest risk
is probably retention of tech staff interested in and capable of maintaining
obsolescent hardware and software for years.

Organizations may weight the risks and costs differently to choose their
most effective approach.


Re: The Lost Picture Show: Hollywood Archivists Can't Outpace Obsolescence (IEEE Spectrum)

Jeff Jonas <jeffj@panix.com>
Wed, 10 May 2017 02:31:31 -0400 (EDT)
I'd say it goes both ways.

Libraries are digitizing cylinder recordings to make them available, but
they keep the original recordings, particularly as new developments allow
for more faithful recreation of the sound.  But there's a video of a fellow
holding a priceless cylinder recording that shatters. Multiple copies on
various media guard against that, particularly if at various locations.

I'm keeping my LPs because I have turntables, but they're useful only to
folks with turntables.

But magtape, 8" floppy disks, QIC tapes and other computer media are
problematic because few drives are available to read them.  Even drives in
storage self-destruct as rubber parts either dry up and crack, or turn to
chewing-gum.  So then the problem becomes preserving the drives to preserve
the ability to read archives, vs. copying up to current media readable by
just about anyone.

  [Overlapping comments from Erling Kristiansen.  PGN]


Re: Man gets fined for discovering an engineering flaw (RISKS-30.26)

"John Levine" <johnl@iecc.com>
9 May 2017 19:38:42 -0000
It's true that they fined him for calling himself an Engineer, and
these days, that is ridiculous.  It is also clear from the context
that they did so out of malice, because they didn't like what he said
about red light cameras that generate ticket revenue.

In Oregon, the semi-independent Board of Examiners for Engineering and
Land Surveying licenses professional engineers and has for a long
time.  PEs sign blueprints and similar safety critical documents.
Every state has a similar PE licensing system, and it's an important
part of what keeps our roads and bridges and oil refineries and other
construction projects safe.  Some engineering grads do the extra work
to get a PE license, some don't, depending on whether they plan a
career that involves stuff that PEs have to sign.

For example, my father has two engineering degrees but never got a PE
license because he designed and built airplane fuel gauges and other
electronic instruments for which the license isn't relevant.  He has
never called himself a PE because he isn't one.  Nonetheless he is a
life member of the IEEE (and before that a member of the ISA and IRE).

In sensible places, which I think includes the other 49 states, they
regulate the term Professional Engineer.  When I look at the Oregon
law, it is ambiguously written, about whether the regulated term is
professional engineer or plain engineer, and it was a mistake not to
challenge the $500 ticket in the first place.  Given the wide usage of
the term engineer to refer to people who don't have a license, I
expect courts would throw it out on first amendment grounds.  Perhaps
the IEEE, which welcomes both licensed and unlicensed engineers, would
offer an amicus brief.

PS: I agree that calling people "Software Engineers" is an egregious
misuse of language.  So-called software engineers don't have any of
the training that actual engineers do, other than perhaps taking a few
of the same courses in school.

I realize the software engineer horse has long left the barn; there
is a fairly well agreed definition of what such a person does, and
no sensible person confuses us with a licensed PE.


Re: Senseless Government Rules Could Cripple the Robo-Car Revolution (Youngman, RISKS-30.28)

Mike Spencer
Tue, 9 May 2017 17:51:39 -0300
If vehicles are to have minds of their own, maybe it's time for everyone to
re-read Valentino Braitenberg's Vehicles—Experiments in Synthetic
Psychology.  (MIT Press, 1984).


Re: Bobby Tables and electoral fraud

Dave Horsfall <dave@horsfall.org>
Wed, 10 May 2017 07:14:36 +1000 (EST)
Jeremy Epstein wrote:

> Not disputing that it's a potential threat; just for the record it
> appears to have been unsuccessful.

No claim was made that it was successful; in fact, upon studying the item
again it was clearly intended as a joke (the SQL appears to be preceded by
"pwn", which is of course cracker slang for "broke into").

But yes, that was seven years ago, and as Bruce Schneier is always saying,
attacks only get better over time...


Re: Bobby Tables ... SQL injection

Kelly Bert Manning <Kelly.Manning@ncf.ca>
Tue, 9 May 2017 18:17:42 -0400 (EDT)
"(Basically it injects a "DROP TABLE" command.)"

And?

In DB2 the running process would have to be authorised for the DROP Table
action in that particular named Tablespace.

How common is that? Is Drop Table less Restricted in other Relational DB
Management Systems?

I will concede that my experience has been that a number of IMS and CICS
developers GRANT EXECUTE on DB2 Plans to PUBLIC, even though they have the
option to restrict that GRANT to a particular named CICS or IMS
subsystem. Even then, CREATE and DROP tablespace should involve scratch pad
or work tablespaces which are intended to be used for transient data, not
the same tablespaces used for long term data. The running process should not
be using a DB Admin or Developer ID.

I pointed out to Security Admins and Sys Admins that a GRANT to PUBLIC
without limiting the scope to a named subsystem meant that programmers with
a screw loose or axe to grind could invoke the program from batch,
TSO... They told me that I was being too paranoid, so I applied that
restriction to my own work and didn't pursue it for the entire server.

My 1st 1979 IMS project involved a contractor who inspired a policy that a
tape should never be sent offsite without a Group Data Security Admin
signature. Years later I saw him in the middle of a Group Photo when I
started a new job and asked "Oh, Does first name last name work here?".

That was met with a sudden silence. I told the story of my interaction with
him and was told that the 1st time he had been on the overnight on call
support rotation the phone number he had given turned out to be for "Dial a
Prayer".

My new manager took to having me vet the names of potential hires. If I
didn't recognise the name I could often dig up work related comments such as
showing up after office hours when a manager was working alone, with a
shotgun, to dispute work assignments.

As I wrote, some folks just have a screw loose, no matter how technically
brilliant they may be.
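An added example, not from either Bobby Tables contributor, showing both points in Python's sqlite3: the spliced-string insert next to a parameterised one, and an authorizer callback standing in for the DB2-style restriction of DROP TABLE to a privileged ID. The Students table, the Bobby Tables payload and the deny_ddl callback are constructed for this example.

```python
import sqlite3

# Constructed payload: the classic "Bobby Tables" input (sample value, not from the digest).
BOBBY = "Robert'); DROP TABLE Students;--"

def fresh_db():
    # Hypothetical school database: one table, one existing row.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO Students (name) VALUES ('Alice')")
    return conn

def table_exists(conn):
    q = "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'Students'"
    return conn.execute(q).fetchone() is not None

def insert_vulnerable(conn, name):
    # Input spliced into SQL text and run as a script: appended statements run too.
    conn.executescript(f"INSERT INTO Students (name) VALUES ('{name}');")

def insert_safe(conn, name):
    # Parameter binding: the value never becomes part of the SQL text.
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))

def deny_ddl(action, arg1, arg2, db_name, trigger):
    # Authorizer: rows may be read and written, but tables never dropped or
    # altered; the SQLite analogue of not GRANTing DROP to the application's ID.
    if action in (sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_ALTER_TABLE):
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK

def run_scenarios():
    results = {}
    db = fresh_db()
    insert_vulnerable(db, BOBBY)
    results["vulnerable_keeps_table"] = table_exists(db)  # False: table dropped

    db = fresh_db()
    insert_safe(db, BOBBY)
    results["safe_keeps_table"] = table_exists(db)        # True
    results["safe_stored"] = db.execute("SELECT name FROM Students WHERE id = 2").fetchone()[0]

    db = fresh_db()
    db.set_authorizer(deny_ddl)  # least privilege as a second, independent layer
    try:
        insert_vulnerable(db, BOBBY)
        results["ddl_denied"] = False
    except sqlite3.DatabaseError:  # "not authorized": the DROP is refused
        results["ddl_denied"] = True
    results["lockdown_keeps_table"] = table_exists(db)    # True
    return results
```

The third scenario still lets the unwanted INSERT of 'Robert' through, which is why the privilege restriction is a backstop and parameter binding the actual fix.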
