The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 35

Wednesday 28 June 2017

Contents

HMS Queen Elizabeth is 'running outdated Windows XP', raising cyberattack fears
The Telegraph
32TB of Windows 10 internal builds, core source-code leak online
The Register
AES-256 keys sniffed in seconds using E200 of kit a few inches away
The Register
Google's Elite Hacker SWAT Team vs. Everyone
Fortune
Easiest Path to Riches on the Web? An Initial Coin Offering
NYTimes
FCC investigating unlawful transactions after contractor takes ownership of 40-plus towers
WirelessEstimator
Europe has been working to expose Russian meddling for years
The Washington Post
Trump's Lies
NYTimes
Complex Petya-Like Ransomware Outbreak Worse than WannaCry
ThreatPost
Skylake, Kaby Lake chips have a crash bug with hyperthreading enabled
Ars Technica
Transition problem for mailservice cutover
Steven Barryte
Re: Y2K problem causes earthquake aftershock 92 years later
Amos Shapir
Info on RISKS (comp.risks)

HMS Queen Elizabeth is 'running outdated Windows XP', raising cyberattack fears

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 27 Jun 2017 20:02:26 PDT
Danny Boyle and Ben Farmer, *The Telegraph*, 27 June 2017
http://www.telegraph.co.uk/news/2017/06/27/hms-queen-elizabeth-running-outdated-windows-xp-software-raising/

Fears have been raised that Britain's largest ever warship could be
vulnerable to cyber attacks after it emerged it appears to be running the
outdated Microsoft Windows XP.

As HMS Queen Elizabeth left its dockyard for the first time to begin sea
trials, it was revealed the £3.5billion aircraft carrier is apparently using
the same software that left the NHS exposed.  Screens inside a control room
on the ship, which is the largest vessel ever built for the Royal Navy,
reportedly displayed Microsoft Windows XP - copyright 1985 to 2001.

But Michael Fallon, the Defence Secretary, insisted the ship's systems were
safe because security around the computer software on the aircraft carrier
is "properly protected".  He told BBC Radio 4's Today programme: "It's not
the system itself, of course, that's vulnerable, it's the security that
surrounds it.  "I want to reassure you about Queen Elizabeth, the security
around its computer system is properly protected and we don't have any
vulnerability on that particular score."

The operating system was that which left the NHS and other organisations
around the world vulnerable to a major WannaCry ransomware attack last
month. It affected 300,000 computers in 150 countries.  Windows XP is no
longer supported by Microsoft, meaning it does not receive updates to
protect users from new types of cyber hacks.

A computer expert warned that Windows XP could leave HMS Queen Elizabeth
vulnerable to cyber attack.  "If XP is for operational use, it is extremely
risky," Alan Woodward, professor of computing at the University of Surrey
told The Times.  "Why would you put an obsolete system in a new vessel that
has a lifetime of decades?"

A defence source told the newspaper that some of the on-board hardware and
software "would have been good in 2004" when the carrier was designed, "but
now seems rather antiquated".  However, he added that HMS Queen Elizabeth is
due to be given a computer refit within a decade.  And senior officers said
they will have cyber specialists on board to defend the carrier from such
attacks.  [...]


32TB of Windows 10 internal builds, core source-code leak online

Lauren Weinstein <lauren@vortex.com>
Fri, 23 Jun 2017 16:50:42 -0700
via NNSquad
http://www.theregister.co.uk/2017/06/23/windows_10_leak/

  A massive trove of Microsoft's internal Windows operating system builds
  and chunks of its core source code have leaked online.  The data - some
  32TB of official and non-public installation images and software
  blueprints that compress down to 8TB - were uploaded to betaarchive.com,
  the latest load of files provided just earlier this week. It is believed
  confidential data in this dump was exfiltrated from Microsoft's in-house
  systems around March this year.  The leaked code is Microsoft's Shared
  Source Kit: according to people who have seen its contents, it includes
  the source to the base Windows 10 hardware drivers plus Redmond's PnP
  code, its USB and Wi-Fi stacks, its storage drivers, and ARM-specific
  OneCore kernel code.  Anyone who has this information can scour it for
  security vulnerabilities, which could be exploited to hack Windows systems
  worldwide. The code runs at the heart of the operating system, at some of
  its most trusted levels.


AES-256 keys sniffed in seconds using E200 of kit a few inches away

Lauren Weinstein <lauren@vortex.com>
Sat, 24 Jun 2017 09:59:31 -0700
NNSquad
https://www.theregister.co.uk/2017/06/23/aes_256_cracked_50_seconds_200_kit/

  Sideband attacks that monitor a computer's electromagnetic output to
  snaffle passwords are nothing new.  They usually require direct access to
  the target system and a lot of expensive machinery - but no longer.
  Researchers at Fox-IT have managed to wirelessly extract secret AES-256
  encryption keys from a distance of one metre (3.3 feet) - using EUR200
  (~US$224) worth of parts obtained from a standard electronics store - just
  by measuring electromagnetic radiation. At that distance sniffing the keys
  over the air took five minutes, but if an attacker got within 30
  centimetres (11.8 inches) of a device, the extraction time is cut down to
  just 50 seconds.


Google's Elite Hacker SWAT Team vs. Everyone

Gabe Goldberg <gabe@gabegold.com>
Sun, 25 Jun 2017 13:44:12 -0400
Brash. Controversial. A guard against rising digital threats around the
globe. Google's Project Zero is securing the Internet on its own terms.  Is
that a problem?

http://fortune.com/2017/06/23/google-project-zero-hacker-swat-team/


Easiest Path to Riches on the Web? An Initial Coin Offering (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Sun, 25 Jun 2017 13:59:30 -0400
Programmers are selling digital currencies redeemable for services that do
not exist.  Where some see a financing revolution, others see trouble.
https://www.nytimes.com/2017/06/23/business/dealbook/coin-digital-currency.html

  Invent currency, sell it. Beats counterfeiting a real one...


FCC investigating unlawful transactions after contractor takes ownership of 40-plus towers (WirelessEstimator)

Gabe Goldberg <gabe@gabegold.com>
Sun, 25 Jun 2017 13:39:37 -0400
A Wisconsin wireless contractor discovered a flaw in the FCC’s Antenna
Structure Registration (ASR) database, and changed the ownership of more
than 40 towers from multiple carriers and tower owners into his company's
name during the past five months without the rightful owners being notified
by the agency, according to FCC documents and sources knowledgeable of the
illegal transfers.

Sprint, AT&T and key tower companies were targeted in the wide-ranging
thefts.

The unlawful assignments also created a dangerous condition for aircraft
since an FCC investigator was relying upon statements from the new owner,
William M. Nix, 39, President of Aura Holdings of Wisconsin, Inc.  (Aura),
that he would repair obstruction lighting on a 1,100-foot tower, but he had
no intentions of ordering the equipment to complete the repairs by July 1
because he neither owned the structure nor could fund the repairs that would
cost over $21,000. [...]

It is unknown why Nix changed the ownership of the structures or what
benefits would be derived by being able to identify that Aura owned a
$12-plus million group of towers.

Although the ASR database identifies the owner of the tower, it is not legal
proof of ownership but allows for a chain of correspondence to ensure
compliance with all FCC requirements that also incorporate other federal
regulations.

FCC allows instantaneous ownership

Changing ASR ownership is an easy process by applying online for an FCC
Registration Number (FRN) which is instantly granted whether the factual or
inaccurate information is provided. Then, once logged in, an FRN holder can
submit a form stating that they are the new owner of any or multiple
structures in the database.

As soon as it is submitted, the change is immediately reflected in the ASR.

Although Grace said that owners are notified if a change is made in the
system, two tower owners whose structures' ownership was changed by Nix
informed Wireless Estimator they were never informed with an email or
through regular mail, or they would have immediately acted.

http://wirelessestimator.com/articles/2017/fcc-investigating-unlawful-transactions-after-contractor-takes-ownership-of-40-plus-towers/

Ability to change online ownership listings without notifying rightful
owners.  What could go wrong?


Europe has been working to expose Russian meddling for years (The Washington Post)

Monty Solomon <monty@roscom.com>
Mon, 26 Jun 2017 08:28:09 -0400
Official and unofficial groups use a variety of tactics to counter fake news promulgated by Moscow.

https://www.washingtonpost.com/world/europe/europe-has-been-working-to-expose-russian-meddling-for-years/2017/06/25/e42dcece-4a09-11e7-9669-250d0b15f83b_story.html


Trump's Lies (NYTimes)

Lauren Weinstein <lauren@vortex.com>
Fri, 23 Jun 2017 12:57:37 -0700
https://www.nytimes.com/interactive/2017/06/23/opinion/trumps-lies.html

  "Many Americans have become accustomed to President Trump's lies. But as
  regular as they have become, the country should not allow itself to become
  numb to them.  So we have catalogued nearly every outright lie he has told
  publicly since taking the oath of office."


Complex Petya-Like Ransomware Outbreak Worse than WannaCry (ThreatPost)

Monty Solomon <monty@roscom.com>
Wed, 28 Jun 2017 09:05:02 -0400
https://threatpost.com/complex-petya-like-ransomware-outbreak-worse-than-wannacry/126561/


Skylake, Kaby Lake chips have a crash bug with hyperthreading enabled (Ars Technica)

Monty Solomon <monty@roscom.com>
Wed, 28 Jun 2017 09:34:14 -0400
https://arstechnica.com/information-technology/2017/06/skylake-kaby-lake-chips-have-a-crash-bug-with-hyperthreading-enabled/


Transition problem for mailservice cutover

Steven Barryte <sebarryte@cox.net>
Mon, 26 Jun 2017 02:14:50 -0700
Between 4/24/2017 & 5/10/2017 Cox.com transitioned my email account to their
upgraded email server. Since my account was transitioned to the new server
both humans & automated subscription mailing systems occasionally receive a
"550 5.1.1 <sebarryte@cox.net <mailto:sebarryte@cox.net>> invalid recipient"
response when sending email to me. Humans can resend the email & it is
delivered. However, some (& possibly all) automated senders delete my email
address from their distribution list when this happens. These have included:
my local newspaper (twice), a local radio station, Smithsonian, nextdoor.com
& possibly a few other yet to be identified automated senders that only send
me email "as needed", but not very often.

If the automated subscription mailing systems where to implement a
3-strikes-and-you're-out policy rather than deleting an email address for a
single delivery failure, it would be less likely to delete valid
subscribers.


Re: Y2K problem causes earthquake aftershock 92 years later (RISKS-30.34)

Amos Shapir <amos083@gmail.com>
Sun, 25 Jun 2017 17:22:32 +0300
I do not think that the bug could have been caused by the UNIX epoch time --
which, as the LA Times article itself says, starts in 1970. I doubt any
system which keeps historical times would use this epoch in its stored data.

Even if it did, a possible bug would either interpret the negative epoch
time for 1925 as a positive number, then it would end up on a date 44.5
years after the epoch instead of 44.5 years before—that is, in 2014; or
else, the negative number might be interpreted as an unsigned number (to
avoid the upcoming 2K38 bug) and so end up 2^32 or 136 years later—in
2061.

More likely it's just a data entry error, e.g. 6/29/25 interpreted as 2025.
The real bug is that the alert system did not check its input's sanity, and
blared out the warnings anyway.

In any case, I'm keeping that mail, in case there will be an earthquake on
6/29/2025....

Please report problems with the web pages to the maintainer

Top