The RISKS Digest
Volume 30 Issue 32

Saturday, 10th June 2017

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

How Russian Propaganda Spread from a Parody Website to Fox News
Neil MacFarquhar and Andrew Rossback
Securing our election systems?
Slate
Stolen Roambee property reports itself to owner
Mark Brader
Voice synthesis
Mark Brader
Internet cameras have hard-coded password that can't be changed
Ars Technica
UK police arrest man via automatic face-recognition tech
Ars Technica
Task force tells Congress health IT security is in critical condition
Monty Solomon
Cyberattack on Britain's National Health Service—A Wake-up Call for Modern Medicine
Monty Solomon
Ponzi Scheme Meets Ransomware for a Doubly Malicious Attack
NYTimes
Sneaky hackers use Intel management tools to bypass Windows firewall
Ars Technica
Self-driving cars
Multiple items from Monty
Re: Robot Copilot Lands 737
Andrew Duane
Re: Software is forever... Re: WannaCry
Paul Edwards
Re: What Happens When Your Car Gets Hacked?
Dimitri Maziuk
Lothar Kimmeringer
Re: Untold story of QF72: What happens when 'psycho' automation leaves pilots powerless?
John Levine
William Brodie-Tyrrell
Info on RISKS (comp.risks)

How Russian Propaganda Spread from a Parody Website to Fox News (Neil MacFarquhar and Andrew Rossback)

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 10 Jun 2017 16:22:19 PDT
I've been meaning to submit this for the past few days, and finally
found a few spare moments:

How Russian Propaganda Spread from a Parody Website to Fox News
Neil MacFarquhar and Andrew Rossback
*The New York Times*, 8 June 2017

Here's the time sequence described in the article:

* Parody website (Made-up Russian attack on a U.S. shop)
* Facebook (Parody article shared)
* Russian TV (Invented a quote from a U.S. Air Force general)
* The Sun (Reported on the Russian TV story)
* FoxNews.com (Article reprinted with only hints of skepticism)


Securing our election systems? (Slate)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 8 Jun 2017 12:18:46 PDT
"Despite the alarms raised by these revelations in recent days, there has
been little discussion of solutions.  But the way forward is relatively
clear.  Protecting our elections against foreign attackers ultimately
requires the will to squarely address known vulnerabilities—a will that
has been lacking in Washington."

http://www.slate.com/articles/technology/future_tense/2017/06/congress_needs_to_act_now_to_secure_our_election_systems.html


Stolen Roambee property reports itself to owner

Mark Brader
Fri, 9 Jun 2017 05:09:40 -0400 (EDT)
At the Roambee factory in Santa Clara, California, one or more thieves (the
kind who are dumb enough to leave their own blood and other evidence behind
them) stole a box of 100 of what they thought were cellphone chargers.

Actually they were Roambee Bees, which are GPS-based trackers that broadcast
their location.  (Their intended use is that a company shipping goods puts
one in each shipment and can always know where it is.)  And they can't be
turned off.

It wasn't long before police recovered the stolen goods and made an arrest,
and meanwhile the Roambee company got some free advertising...

http://www.mercurynews.com/2017/06/06/sjm-roambee-0607/
http://www.sfgate.com/bayarea/article/any-11204181.php


Voice synthesis

Mark Brader
Fri, 9 Jun 2017 05:24:14 -0400 (EDT)
It says here:

  http://www.tdbank.com/bank/tdvoiceprint.html
  http://www.td.com/ca/products-services/investing/td-direct-investing/trading-platforms/voice-print-system-enroll.jsp

that customers of the Toronto-Dominion Bank can arrange to have the bank's
computer identify them, in part, by recognizing their voice on the phone.
(I therefore presume that other banks are now doing this also.)

It says here:

    http://www.cbc.ca/news/any-1.4084423

that a new Canadian company called Lyrebird has produced software which
(they say), given a 1-minute high-quality recording of anyone's voice, can
produce a highly accurate simulation of that person saying anything the user
chooses.  And given a 5-minute recording, the quality would be extremely
hard to tell from the real thing.

And someone thought that this was a GOOD idea?

  [I presume Mark is referring to the Toronto-Dominion Bank phone voice
  scheme rather than the Lyrebird scheme.  The latter is obviously a good
  idea, because it clearly points to the stupidity of the former.  PGN]


Internet cameras have hard-coded password that can't be changed (Ars Technica)

Monty Solomon <monty@roscom.com>
Fri, 9 Jun 2017 13:08:28 -0700
https://arstechnica.com/security/2017/06/internet-cameras-expose-private-video-feeds-and-remote-controls/


UK police arrest man via automatic face-recognition tech (Ars Technica)

Monty Solomon <monty@roscom.com>
Fri, 9 Jun 2017 13:07:00 -0700
https://arstechnica.com/tech-policy/2017/06/police-automatic-face-recognition/


Task force tells Congress health IT security is in critical condition

Monty Solomon <monty@roscom.com>
Fri, 9 Jun 2017 13:08:53 -0700
https://arstechnica.com/security/2017/06/task-force-tells-congress-health-it-security-is-in-critical-condition/


Cyberattack on Britain's National Health Service—A Wake-up Call for Modern Medicine

Monty Solomon <monty@roscom.com>
Fri, 9 Jun 2017 13:19:53 -0700
http://www.nejm.org/doi/full/10.1056/NEJMp1706754


Ponzi Scheme Meets Ransomware for a Doubly Malicious Attack

Monty Solomon <monty@roscom.com>
Fri, 9 Jun 2017 13:16:07 -0700
https://www.nytimes.com/2017/06/06/technology/hackers-ransomware-bitcoin-ponzi-wannacry.html

As more of our lives go online, online attackers are finding increasingly
creative ways to wreak havoc using ransomware, and now, pyramid schemes.


Sneaky hackers use Intel management tools to bypass Windows firewall (Ars Technica)

Monty Solomon <monty@roscom.com>
Fri, 9 Jun 2017 13:09:57 -0700
https://arstechnica.com/security/2017/06/sneaky-hackers-use-intel-management-tools-to-bypass-windows-firewall/


Self-driving cars

Monty Solomon <monty@roscom.com>
Fri, 9 Jun 2017 13:16:41 -0700
  [PGN has merged multiple items into one message:]

https://www.nytimes.com/2017/06/07/technology/google-self-driving-cars-handoff-problem.html
Robot Cars Can't Count on Us in an Emergency
Scientists call it the *handoff* problem. How do you keep humans focused
enough to take control of a self-driving car in an emergency?
  [This is an old argument that Don Norman has addressed.  Partial automation
  is risky.  On the other hand, if total automation allows overrides, it is
  really only partial automation, and risky!  PGN]

https://www.nytimes.com/2017/06/07/technology/autonomous-car-technology-challenges.html
A Guide to Challenges Facing Self-Driving Car Technologists
The underlying technology of autonomous vehicles has made dramatic strides
in recent years. But there are still plenty of issues to be worked out.

https://www.nytimes.com/2017/06/07/technology/why-car-companies-are-hiring-computer-security-experts.html
Why Car Companies Are Hiring Computer Security Experts: Researchers have
proved a car can be remotely hacked. Now imagine if that car was being
driven entirely by a computer.

https://www.nytimes.com/2017/06/07/technology/electronic-setups-of-driverless-cars-vulnerable-to-hackers.html
Electronic Setups of Driverless Cars Vulnerable to Hackers:
As cars become more like computers, cybercriminals will have more ways to
get into their important systems.


Re: Robot Copilot Lands 737 (RISKS-30.30)

Andrew Duane <e91.waggin@gmail.com>
Fri, 9 Jun 2017 08:58:36 -0400
... and also Re: Untold story of QF72: What happens when 'psycho' automation
leaves pilots powerless?  (RISKS-30.30)

To paraphrase an old joke:

In the future, the cockpit of an airplane will have a computer, a pilot,
and a dog.
It's the computer's job to fly the plane.
It's the pilot's job to watch over the computer.
It's the dog's job to bite the pilot if he tries to touch the controls.

  [Indeed, an old joke, but we have lots of young readers, so it might
  be okay to run it every 20 years:
  In November 1997, RISKS-19.47 had this line from Robert Dorsett:
    "With autopilots, who needs a dog to keep an eye on the pilot?"
  (This was in a delightful item of a plane that took off without its pilot
  after he got out to crank the propeller.)

  Incidentally, in its early days, NASA insisted that computers had to be
  buried under layers of equipment so that it would be very difficult for
  astronauts to fiddle with the hardware.  There was one later case where an
  in-space repair actually had to be made.  However, software is easy to
  remediate without physical access.  PGN]


Re: Software is forever... Re: WannaCry (Keating, RISKS 30.31)

Paul Edwards <paule@cathicolla.com>
Fri, 9 Jun 2017 20:35:52 +1000
> ... How bad would the state need to be before this last option starts
> looking good?

Far, far worse than it does now, frankly. One issue that is often overlooked
in this debate is that of application affinity.

I work in financial services; it's scary how many applications will not work
on anything more modern than Windows XP, or rely on appallingly out-of-date
and deprecated versions of Java. A friend of mine works in healthcare in IT;
she faces a similar problem with certain applications that are used to
monitor patient well-being in ICU.

Forcibly turning off non-supported OSes, frameworks or languages that the
given applications require? What could possibly go wrong?


Re: What Happens When Your Car Gets Hacked? (Ross, RISKS-30.31)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Thu, 8 Jun 2017 16:29:37 -0500
As synchronicity would have it, RedHat has recently fixed a security problem
in Remote Procedure Calls detailed in CVE-2017-8779:

".. a memory leak can occur when parsing specially crafted XDR messages. An
attacker sending thousands of messages to rpcbind could cause its memory
usage to grow without bound, eventually causing it to be terminated"

The "fix" is causing rpcbind to crash 4 seconds after starting.

By now probably the largest user of RPC is file sharing via Network File
System (NFS) and the result of the "fix" is network shares disappearing.  If
I remember my NFS correctly, this would not affect already connected shares,
so the problem may possibly go unnoticed for quite some time.

We downgraded our rpcbind and are waiting for the fix of the fix. In the
meantime other patches are not getting installed so as to not accidentally
reinstall the bad one.

Funny enough, the "older unpatched" RHEL 5 systems are not very vulnerable
to this particular problem because they're EOL and not receiving any fixes
anymore. Including bad ones. The vulnerability itself requires a skilled
attacker inside your security perimeter sending "thousands of specially
crafted messages" to eventually accomplish the exact thing that RedHat did
in 4 seconds with a single patch.
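
The failure mode above is easy to miss because existing NFS mounts keep working after rpcbind dies. The following post-patch health check is an added example, not something from the RISKS post or from Red Hat: it waits longer than the crash window described, confirms rpcbind still answers, and checks that the NFS services are still registered. The service names ("nfs", "mountd"), the grace period, and the use of `pgrep` and `rpcinfo -p` are assumptions about a typical Linux NFS server.

```shell
#!/bin/sh
# Added example (not from the RISKS post): defender-side health check for
# rpcbind after a patch. The post describes a patched rpcbind that dies a few
# seconds after start while already-mounted NFS shares keep working, so the
# failure can go unnoticed. Service names and grace period are assumptions.

GRACE_SECONDS=${GRACE_SECONDS:-10}   # longer than the ~4 s window in the post

# Read `rpcinfo -p` output from stdin and report whether every required
# program is registered. Returns 0 when all are present, 1 otherwise.
check_registrations() {
    required="$1"          # space-separated list, e.g. "nfs mountd"
    missing=""
    table=$(cat)           # read stdin once so it can be scanned per program
    for prog in $required; do
        # `rpcinfo -p` columns: program vers proto port service
        if ! printf '%s\n' "$table" | awk -v p="$prog" '$5 == p { found=1 } END { exit !found }'; then
            missing="$missing $prog"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing RPC registrations:$missing" >&2
        return 1
    fi
    return 0
}

# Liveness probe: after the grace period, is rpcbind still running and
# still answering? (Needs a real host; not exercised offline.)
rpcbind_alive() {
    sleep "$GRACE_SECONDS"
    pgrep -x rpcbind >/dev/null || { echo "rpcbind is not running" >&2; return 1; }
    rpcinfo -p >/dev/null 2>&1 || { echo "rpcbind does not answer" >&2; return 1; }
    return 0
}

# Run the full check only when explicitly asked, so sourcing the file is safe.
if [ "${1:-}" = "--run" ]; then
    rpcbind_alive && rpcinfo -p | check_registrations "nfs mountd" && echo "rpcbind healthy"
fi
```

Run it from cron or a monitoring agent shortly after rpcbind (re)starts; a non-zero exit is the signal that the "fix" has taken the NFS server down even though current clients have not noticed yet.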


Re: What Happens When Your Car Gets Hacked? (Ross, RISKS-30.30)

Lothar Kimmeringer <lothar@kimmeringer.de>
Fri, 9 Jun 2017 21:51:07 +0200
> knowledgeable Windows 7 users block automatic patches [...]
> They wait a week or more to see what others experience with
> new patches before accepting them.

The patch for the bug in SMB was marked as "critical, wormable".  Whoever
calls him/herself "knowledgeable" and waits with installing that kind of
patch, should be called by others in a completely different way.

Waiting to install a patch that fixes a typo in a context-menu is one thing
but ignoring a patch fixing a wormable bug is something completely
different. That's an announced shot into your own foot or - taking real
consequences into account - potentially killing people in the UK because
they couldn't be treated after the hospitals' computers got affected.


Re: Untold story of QF72: What happens when 'psycho' automation leaves pilots powerless? (Manning, RISKS-30.31)

"John Levine" <johnl@iecc.com>
8 Jun 2017 23:01:26 -0000
>  ... sometimes with disastrous results.

But sometimes without.  In this article, William Langewiesche credits the
successful ditching of US 1549 as much to the Airbus flight automation as to
the skill of the pilot.

http://www.vanityfair.com/culture/2009/06/us_airways200906

The question is whether the pilot or the software is more likely to go nuts.
The answer is not obvious to me, particularly in cases like the Air France
flight off Brazil where the instruments went nuts in a way that would have
been harmless if the crew ignored them, but instead the crew did exactly the
wrong thing and lost the plane.


Re: Untold story of QF72: What happens when 'psycho' automation leaves pilots powerless? (Manning, RISKS-30.31)

William Brodie-Tyrrell <william@brodie-tyrrell.org>
Fri, 9 Jun 2017 08:56:31 +0930
Does Prof. Leveson also refuse to go near roads?

This is a wonderful illustration of people who should know better still
optimising away the tiniest risks that seem controllable while ignoring
other greater but less-newsworthy risks.  I can well believe that the Boeing
philosophy is safer, but I'd take the deaths per passenger-mile in an Airbus
over just about any other form of transport including a taxi to the airport.

In light of terrorism vs car crashes, Airbus vs heart attacks, sharks vs
falling out of bed, one could almost make a generalisation that "if
everyone is frightened of it, it's probably not a threat to you".  Same
thing seems to apply in infosec: all the panic over 0-days, APT, etc vs
people not bothering to apply vendors' patches and reusing the same
password on 50 different websites.
