The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 41

Tuesday 1 August 2017

Contents

Watch: Hackers Demonstrate How to Crack Into Electronic Voting Machines in Minutes
Lulu Friesdat
Security This Week: The Very Best Hacks From Black Hat and DEF CON
WiReD
The Hacking Wars Will Get Worse
Adam Segal
UK home secretary Amber Rudd says 'real people' don't need end-to-end encryption
Business Insider
Putin passes law that will ban VPNs in Russia
TechCrunch
Queensland Police want to listen through your fridge
Brisbane Times via Henry Baker
Amazon suspends sales of Blu phones due to privacy concerns
CNET
These cheap phones come at a price—your privacy
CNET
HBO is hacked, and Game of Thrones episodes may have leaked out
The Washington Post
Senate launches bill to remove immunity for websites hosting illegal content, spurred by Backpage.com
The Washington Post
Illegal and undocumented instructions
Koehntopp
Iranians Use 'Cute Photographer' Profile To Hack Targets In Middle East
Slashdot
Amazon Echo as a spy device—with significant limitations
Android Guys
AI defeats anti-virus
The Register
Killer Car Wash: Hackers Can Trap and Attack Vehicles
Fortune via Gabe Goldberg
Google's new program to track shoppers sparks a federal privacy complaint
The Washington Post
"Google, Personal Information, and Star Trek"
Lauren Weinstein
Apple Removes Apps From China Store That Help Internet Users Evade Censorship
The New York Times
Cars Suck Up Data About You. Where Does It All Go?
The New York Times
Re: Keen Lab hackers ... take control of a Tesla ...
Gary Hinson
Re: Myopic CEO perspective, I think
Gene Wirchenko
Re: NEC Updates like software updates
R. G. Newbury
Re: Mass. maker of Roomba isn't going to sell your data, after all
Monty Solomon
Info on RISKS (comp.risks)

Watch: Hackers Demonstrate How to Crack Into Electronic Voting Machines in Minutes (Lulu Friesdat)

Suzanne Johnson <fuhn@pobox.com>
Mon, Jul 31, 2017 at 1:08 AM
Lulu Friesdat, *AlterNet*, 29 Jul 2017 (via Dave Farber)

Disturbing footage from the DEF CON 25 hacker convention.
http://www.alternet.org/investigations/def-con-25-hackers-get-electronic-voting-machines-and-e-poll-books-minutes

Who says America's electronic voting machinery cannot be hacked?

One of the world's largest and best-known hacker conventions, DEF CON,
debuted an interactive "Voting Machine Hacker Village" this year at its
annual gathering in Las Vegas. In some cases within minutes, and in other
cases within a few hours, of the village doors' opening, hackers in
attendance said they had successfully breached some systems. The security
investigators claimed to have found major vulnerabilities or claimed to have
breached every voting machine and system present.

Members of the DEF CON hacking community said they took complete control of
an e-poll book, a type of election equipment in use in dozens of states
where voters arrive at precincts, sign in and receive their ballots. Other
targets hackers claim had major security flaws include the Sequoia AVC Edge,
currently in use in 13 states and the AccuVote TSX, in use in 19 states.
(Those machine usages are according to Verified Voting, an election
transparency advocacy group.)

  [See also
http://www.telegraph.co.uk/technology/2017/07/31/hackers-take-control-us-voting-machines-less-90-minutes/
  PGN]


Security This Week: The Very Best Hacks From Black Hat and DEF CON (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Mon, 31 Jul 2017 17:12:08 -0400
As they do every year, hackers descended on Las Vegas this week to show off
the many ways they can decimate the Internet's security systems.  Here's a
collection of some of our favorite talks from this week's Black Hat
conference, including some we didn't get the chance to cover in depth.

https://www.wired.com/story/best-black-hat-defcon-talks/


The Hacking Wars Will Get Worse (Adam Segal)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 1 Aug 2017 20:55:24 PDT
Adam Segal, *The New York Times*, 1 Aug 2017 [PGN-ed]

"Reports this month [presumably meaning July] that the United Arab Emirates
orchestrated the hacking of a Qatari news agency, helping to incite a crisis
in the Middle East, are as unsurprising as they are unwelcome.  For years,
countries—in particular Russia—have used cyberattacks and the
dissemination of disinformation to provoke protests, sway elections and
undermine trust in institutions.  It was only a matter of time before
smaller states tried their hand at these tactics."

[But this is not new.  Examples noted:]

  August 2012: India accused Pakistani hackers of trying to provoke
  sectarian violence.

  June 2017: Hackers believed to be tied to the Vietnamese government stole
  and released transcripts of talks between the Philippine and U.S. presidents,
  with the suspected hope of pressuring Duterte and sabotaging Philippine
  relations with China.

"It's only a matter of time before a state's response to a cyberattack
escalates into full-blown military conflict. ...  As a result, we all are
much less secure in cyberspace—and in the real world."

  [Well, cyberspace and its ubiquitous lack of security are unfortunately
  the real world, and have been for a long time—as should be evident to
  RISKS readers.  PGN]


UK home secretary Amber Rudd says 'real people' don't need end-to-end encryption (Business Insider)

Lauren Weinstein <lauren@vortex.com>
Tue, 1 Aug 2017 14:41:08 -0700
via NNSquad
http://www.businessinsider.com/home-secretary-amber-rudd-real-people-dont-need-end-to-end-encryption-terrorists-2017-8?IR=T

  UK home secretary Amber Rudd has called on messaging apps like WhatsApp to
  ditch end-to-end encryption, arguing that it aids terrorists.  Writing in
  The Telegraph on Tuesday, the Conservative minister said that "real
  people" don't need the feature and that tech companies should do more to
  help the authorities deal with security threats.  But activists have
  reacted with concern to her remarks, blasting them as "dangerous and
  misleading."


Putin passes law that will ban VPNs in Russia (TechCrunch)

Lauren Weinstein <lauren@vortex.com>
Sun, 30 Jul 2017 20:28:53 -0700
via NNSquad
https://techcrunch.com/2017/07/30/putin-passes-law-that-will-ban-vpns-in-russia/?ncid=rss

  The new law (link via Google Translate), signed today by President
  Vladimir Putin, goes into effect on 1 Nov 2017 and represents another
  major blow to an open Internet. This weekend, news broke that Apple has
  removed most major VPN apps from the App Store in China to comply with
  regulations passed earlier this year that require VPN apps to be
  explicitly licensed by the Chinese government.

Putin tightens his murderous grip.

ALSO:
To Protect Global Free Speech, Google May Need to Take Some Drastic Actions
https://lauren.vortex.com/2017/07/29/google-free-speech


Queensland Police want to listen through your fridge (Brisbane Times)

Henry Baker <hbaker1@pipeline.com>
Tue, 01 Aug 2017 16:58:45 -0700
"[The bill] would give police the power to turn existing devices into
surveillance devices during a declared emergency, including by remotely
installing software...  This is further exacerbated through [terrorists']
use of encryption and anonymising tools to make their use of the Internet
and social media invisible to intelligence and law enforcement agencies."

  Perhaps buying that "smart" device isn't so smart, after all?  Heck, in
  the U.S., the local police will simply "asset forfeiture" your fridge and
  it becomes theirs for whatever they want to do with it!

Felicity Caldwell, Brisbane Times, 24 Jul 2017
Queensland police say fridges could be turned into listening devices
http://www.brisbanetimes.com.au/queensland/queensland-police-say-fridges-could-be-turned-into-listening-devices-20170724-gxh97o.html

Your fridge could be turned into a covert listening device by Queensland
Police conducting surveillance.  The revelation was made during a
Parliamentary committee hearing on proposed legislation to give police more
powers to combat terrorism.

Police Commissioner Ian Stewart said technology was rapidly changing and
police and security agencies could use devices already in place, and turn
them into listening devices.  "It is not outside the realm that, if you
think about the connected home that we now look at quite regularly where
people have their security systems, their CCTV systems and their
computerised refrigerator all hooked up wirelessly, you could actually turn
someone's fridge into a listening device.  This is the type of challenge that
law enforcement is facing in trying to keep pace with events and premises
where terrorists may be planning, they may be gathering to discuss
deployment in a tactical way and they may be building devices in that place.
All of that is taken into account by these new proposed laws."

The Counter-Terrorism and Other Legislation Amendment bill would give police
more powers during and following attacks.  It would give police the power to
turn existing devices into surveillance devices during a declared emergency,
including by remotely installing software, when the life, health or safety
of a person may be in danger.  It would also allow police the power to
search a person or vehicle without a warrant during a declared terrorist
emergency.

A review of emergency situation declarations for the past 2.5 years did not
identify any incident which would have required the proposed extraordinary
emergency powers.

But Mr Stewart said despite the rarity, the proposed legislation was still
important to help police fight the terror threat.  Mr Stewart said the most
likely scenario for a terrorist attack in Australia would be low-tech
violence by a person or small group involving knives, vehicles, firearms or
improvised explosive devices.  "The threat of a low-tech terrorist
organisation inspired attack is exponentially harder to detect and disrupt.
This is further exacerbated through their use of encryption and anonymising
tools to make their use of the Internet and social media invisible to
intelligence and law enforcement agencies."

Mr Stewart said there was an unprecedented escalation of terrorist-related
activity within Australia since September 2014, with the principal threat
from an extremist interpretation of Islam, while far right-wing violent
extremism also posed a domestic threat.  Since 2012, about 200 Australians
have traveled to Syria and Iraq to join the conflict, and there are about
40 Australians who have returned.  "And some of these returnees remain a
significant security concern," Mr Stewart said.  Mr Stewart said there were
about 210 Australians being investigated.

The bill is being considered by the Legal Affairs and Community Safety
Committee, which is due to report by 11 Aug.


Amazon suspends sales of Blu phones due to privacy concerns

Monty Solomon <monty@roscom.com>
Tue, 1 Aug 2017 00:18:09 -0400
Following a report that some Blu phones use an app that collects your data,
Amazon has made them unavailable on its site.

https://www.cnet.com/news/amazon-suspends-sales-of-blu-phones-due-to-privacy-concerns/


These cheap phones come at a price—your privacy

Monty Solomon <monty@roscom.com>
Tue, 1 Aug 2017 00:20:33 -0400
How much do you value your privacy and security? Researchers at Black Hat
found a series of phones that are secretly sending data to Chinese servers.
https://www.cnet.com/news/these-cheap-phones-are-costing-you-your-privacy/


HBO is hacked, and Game of Thrones episodes may have leaked out

Monty Solomon <monty@roscom.com>
Tue, 1 Aug 2017 04:26:05 -0400
A nightmare scenario develops for HBO
https://www.washingtonpost.com/news/the-switch/wp/2017/07/31/hbo-is-hacked-and-game-of-thrones-episodes-may-have-leaked-out/


Senate launches bill to remove immunity for websites hosting illegal content, spurred by Backpage.com (The Washington Post)

Monty Solomon <monty@roscom.com>
Tue, 1 Aug 2017 21:03:03 -0400
https://www.washingtonpost.com/news/true-crime/wp/2017/08/01/senate-launches-bill-to-remove-immunity-for-websites-hosting-illegal-content-spurred-by-backpage-com/


Illegal and undocumented instructions

Lauren Weinstein <lauren@vortex.com>
Fri, 28 Jul 2017 10:29:15 -0700
via NNSquad
http://blog.koehntopp.info/index.php/2282-illegal-and-undocumented-instructions/

  Sandsifter has uncovered secret processor instructions from every major
  vendor; ubiquitous software bugs in disassemblers, assemblers, and
  emulators; flaws in enterprise hypervisors; and both benign and
  security-critical hardware bugs in x86 chips.  The findings have been
  summarized in a whitepaper (PDF), which also describes how to effectively
  search the instruction space of a CPU that has variable length
  instructions from 1 to 15 bytes in length.  A crafty way of using page
  faults to determine the length of privileged instructions while running
  unprivileged is shown.
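
The length-probing trick the quoted summary alludes to, as an added example
written for this digest entry rather than code from the Koehntopp post or from
the sandsifter project.  It assumes x86-64 Linux (elsewhere it reports
PROBE_UNSUPPORTED), sets the CPU trap flag so that a candidate which executes
is reported by a SIGTRAP before the CPU fetches anything from the unmapped
page, and tells that apart from the SIGSEGV whose fault address is the
unmapped page, which means the decoder wanted more bytes than were mapped.
The four test instructions are constructed here, and the tunnel_next step is
my own reading of how such a length oracle lets a search skip bytes the
decoder never consumes; it is not sandsifter's search code.

```c
/* Added illustration, not the Koehntopp post's or sandsifter's own code:
 * x86-64 Linux instruction-length probing via page faults.  The first k bytes
 * of a candidate end exactly at a page boundary, the next page is unmapped,
 * and they run with the trap flag (TF) set.  SIGSEGV at the next page means
 * the decoder wanted more than k bytes; SIGTRAP (#DB), SIGILL (#UD) or SIGSEGV
 * elsewhere (#GP, e.g. HLT) means it was fully decoded in k bytes.  The
 * smallest k without the boundary fault is the length, executable or not. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum { PROBE_UNSUPPORTED = -1, PROBE_ERROR = -2, MAX_INSN_LEN = 15 };

/* Constructed inputs: test instructions (zero-padded) and a tunnel_next start. */
const uint8_t INSN_NOP[MAX_INSN_LEN]     = { 0x90 };
const uint8_t INSN_XOR_EAX[MAX_INSN_LEN] = { 0x31, 0xc0 };
const uint8_t INSN_MOV_EAX[MAX_INSN_LEN] = { 0xb8, 0x78, 0x56, 0x34, 0x12 };
const uint8_t INSN_HLT[MAX_INSN_LEN]     = { 0xf4 };   /* privileged: #GP */
uint8_t TUNNEL_BUF[MAX_INSN_LEN] = { 0xb8, 0x00, 0x00, 0x00, 0xff }; /* mov eax,0xff000000 */

#if defined(__x86_64__) && defined(__linux__)
static sigjmp_buf probe_env;
static volatile uintptr_t next_page;      /* start of the PROT_NONE page */
static volatile int decoded;              /* 0 only if the fetch hit next_page */

static void probe_handler(int sig, siginfo_t *si, void *uctx)
{
    (void)uctx;
    decoded = !(sig == SIGSEGV && (uintptr_t)si->si_addr == next_page);
    siglongjmp(probe_env, 1);
}

/* Run the first k bytes of insn at the end of page: 1 = decoded within k
   bytes, 0 = fetch crossed into the unmapped page, PROBE_ERROR on failure. */
static int probe_k(uint8_t *page, size_t pg, const uint8_t *insn, size_t k)
{
    /* pushfq ; orq $0x100,(%rsp) ; popfq -- sets TF.  The #DB trap fires after
       the instruction following popfq (the candidate) and outranks the page
       fault that fetching the next instruction from the unmapped page gives. */
    static const uint8_t pre[] = { 0x9c, 0x48, 0x81, 0x0c, 0x24,
                                   0x00, 0x01, 0x00, 0x00, 0x9d };
    uint8_t *start = page + pg - k - sizeof pre;
    if (mprotect(page, pg, PROT_READ | PROT_WRITE) != 0) return PROBE_ERROR;
    memset(page, 0xcc, pg);                   /* int3 filler, never reached */
    memcpy(start, pre, sizeof pre);
    memcpy(start + sizeof pre, insn, k);
    if (mprotect(page, pg, PROT_READ | PROT_EXEC) != 0) return PROBE_ERROR;
    if (sigsetjmp(probe_env, 1) == 0) {
        ((void (*)(void))start)();            /* comes back only via a signal */
        return PROBE_ERROR;
    }
    return decoded;
}

/* Length of the instruction at insn (MAX_INSN_LEN bytes must be readable). */
int probe_insn_len(const uint8_t *insn)
{
    static const int sigs[] = { SIGSEGV, SIGTRAP, SIGILL };
    struct sigaction sa, old[3];
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *region = mmap(NULL, 2 * pg, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return PROBE_ERROR;
    next_page = (uintptr_t)region + pg;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = probe_handler;
    sa.sa_flags = SA_SIGINFO | SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    for (int i = 0; i < 3; i++) sigaction(sigs[i], &sa, &old[i]);
    int len = PROBE_ERROR;
    for (size_t k = 1; k <= MAX_INSN_LEN; k++) {
        int r = probe_k(region, pg, insn, k);
        if (r != 0) { len = (r == 1) ? (int)k : PROBE_ERROR; break; }
    }
    for (int i = 0; i < 3; i++) sigaction(sigs[i], &old[i], NULL);
    munmap(region, 2 * pg);
    return len;
}
#else
int probe_insn_len(const uint8_t *insn) { (void)insn; return PROBE_UNSUPPORTED; }
#endif

/* One step of a length-driven search (my reading of the idea, not sandsifter's
   code): bump only the last byte the decoder consumed, carrying on wrap, so
   bytes the decoder never looked at are never enumerated.  0 = exhausted. */
int tunnel_next(uint8_t *buf, int len)
{
    for (int i = len - 1; i >= 0; i--)
        if (++buf[i] != 0) { memset(buf + i + 1, 0, (size_t)(MAX_INSN_LEN - i - 1)); return 1; }
    return 0;
}

int main(void)
{
    printf("lengths: nop %d xor %d mov %d hlt %d\n", probe_insn_len(INSN_NOP),
           probe_insn_len(INSN_XOR_EAX), probe_insn_len(INSN_MOV_EAX), probe_insn_len(INSN_HLT));
    tunnel_next(TUNNEL_BUF, 5);               /* b8 00 00 00 ff -> b8 00 00 01 00 */
    return 0;
}
```

Build with plain gcc on an x86-64 Linux host; hosts that forbid PROT_EXEC on
anonymous memory, or that do not deliver the single-step SIGTRAP, come back
with PROBE_ERROR rather than a wrong length.  hlt is reported as one byte even
though it can only raise #GP from user mode, which is exactly the property
that lets an unprivileged process measure privileged instructions.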


Iranians Use 'Cute Photographer' Profile To Hack Targets In Middle East (Slashdot)

Lauren Weinstein <lauren@vortex.com>
Mon, 31 Jul 2017 19:18:58 -0700
via NNSquad
https://tech.slashdot.org/story/17/07/31/2026230/iranians-use-cute-photographer-profile-to-hack-targets-in-middle-east

  Hackers working on behalf of the government of Iran are using alluring
  social media profiles featuring a young, English photographer to entice
  and then compromise the systems of high value targets in the oil and gas
  industry, according to a report by Dell Secureworks. In a report released
  on Thursday, Secureworks' Counter Threat Unit (CTU) said that it observed
  an extensive phishing campaign beginning in January and February 2017 that
  used a polished social media profile of a young, English woman using the
  name "Mia Ash" to conduct highly targeted spear-phishing and social
  engineering attacks against employees of Middle Eastern and North African
  firms in industries like telecommunications, government, defense, oil and
  financial services.  The attacks are the work of an advanced persistent
  threat group dubbed COBALT GYPSY or "Oil Rig" that has been linked to
  other sophisticated attacks.


Amazon Echo as a spy device—with significant limitations (Android Guys)

Lauren Weinstein <lauren@vortex.com>
Tue, 1 Aug 2017 08:46:37 -0700
via NNSquad

Only for older units, and physical access is required to alter the firmware.
So as with pretty much all devices, physical access always means that all
bets are off, and always avoid purchases from untrusted third party sources.
The authors also note that the mic mute button still works and cannot be
disabled in software, and point out that overall, ordinary smartphones are
far more easily hacked for similar capabilities (and much more)!

http://www.androidguys.com/2017/08/01/amazon-echo-can-be-turned-into-a-spying-device-security-researchers-reveal/


AI defeats anti-virus (The Register)

Ridgely Evers <rce@evers.org>
August 1, 2017 at 11:36:55 AM EDT
https://www.theregister.co.uk/2017/07/31/ai_defeats_antivirus_software


Killer Car Wash: Hackers Can Trap and Attack Vehicles

Gabe Goldberg <gabe@gabegold.com>
Sun, 30 Jul 2017 21:34:27 -0400
In the cheesy 1980s film Maximum Overdrive, a passing comet causes machines
to rise up and attack the humans who once controlled them.  Well, don't look
now, but something like that came to pass in a car wash in Washington state.

At the car wash, hackers hijacked the Internet-enabled PDQ LaserWash system
in order to slam shut the outside doors, and trap a pick-up inside. The
attackers also proved they were able to take over the mechanical arms inside
the car wash and direct a powerful stream of water at the vehicle's door to
prevent the occupant from exiting.

http://fortune.com/2017/07/27/car-wash-hack/


Google's new program to track shoppers sparks a federal privacy complaint (The Washington Post)

Lauren Weinstein <lauren@vortex.com>
Mon, 31 Jul 2017 07:22:51 -0700
via NNSquad
https://www.washingtonpost.com/news/the-switch/wp/2017/07/30/googles-new-program-to-track-shoppers-sparks-a-federal-privacy-complaint/

  The legal complaint from the Electronic Privacy Information Center, to be
  filed with the FTC on Monday, alleges that Google is newly gaining access
  to a trove of highly sensitive information—the credit and debit card
  purchase records of the majority of U.S. consumers—without revealing
  how they got the information or giving consumers meaningful ways to opt
  out.  Moreover, the group claims that the search giant is relying on a
  secretive technical method to protect the data—a method that should be
  audited by outsiders and is likely vulnerable to hacks or other data
  breaches.

EPIC is right up there with Consumer Watchdog as reliable Google Haters, but
Google does need to tread with great care in this area, and maximum possible
transparency in this realm is strongly encouraged.


Lauren's Blog: "Google, Personal Information, and Star Trek"

Lauren Weinstein <lauren@vortex.com>
Tue, 1 Aug 2017 18:57:42 -0700
https://lauren.vortex.com/2017/08/01/google-personal-information-and-star-trek

Rarely does a day go by when I don't get an email from some outraged soul
who has seen on some wacky site—or perhaps heard on a right-wing radio
program somewhere—the lie that Google sells users' personal information
to advertisers. I got a phone call from one such person very recently—an
individual who hardly would calm down enough for me to explain that they'd
been bamboozled by the Google Haters.

'Cause Google doesn't sell your data. Not to advertisers, not to anyone
else. But the falsehood that they do so is one of the most enduring of
fabrications about Google.

To be sure, Google is partly responsible for the long life of this legend,
because frankly they've never done a really good job of explaining for
non-techies how the Google ad system works, and Google ad relevance is often
so accurate that users naturally assume (again, falsely) that their browsing
habits or other data were handed over to third parties.

Here's what actually happens. Let's say that you work in warp engine design
and testing. So you're frequently using Google to search for stuff like
antimatter injectors and dilithium crystals.

Now you start seeing "top of page" search results ads from some mining
operation on Rigel XII for exactly the raw crystals that you need, and at an
attractive price with free shipping, too! (Yes Trekkies, I realize that in
this early episode they were actually referred to as "lithium" crystals --
go tell it to Spock.)

But you wonder: Did Google provide my search history to those ragtag and
somewhat disreputable bachelor miners—out there on a planet that is so
windy that you clean pots by hanging them out to be sandblasted?

How else could that ad have been targeted to me?

The answer is simple, and you don't need a dose of Venus Drug to understand
it.  (OK, happy now, Trekkies?)

The miners create an ad that is aimed at users who are looking for warp
drive paraphernalia, based on the logical keywords—like dilithium, for
example.

When Google's ad personalization algorithms detect that your search terms
are relevant to that ad, Google displays it to you. The miners back on Rigel
XII don't even know that you exist at this point. They didn't display the ad
to you, Google did.

Now, if you proceed to click on their ad and visit the miners' sale site,
you'll be providing more information to them, much as you would when
visiting other sites around the Web.

But if you don't click on the ad, there's no connection between you and the
advertiser.

And you don't have to simply accept Google's default handling of ad
personalization. Over at:

    https://adssettings.google.com

you can change Google ad personalization settings or even disable ad
personalization entirely.

So the next time that someone tries to fervently sell you the big lie that
Google is selling your personal data, tell them that they're wrong and that
they're a stick in the Mudd.


Apple Removes Apps From China Store That Help Internet Users Evade Censorship (The New York Times)

Monty Solomon <monty@roscom.com>
Sat, 29 Jul 2017 18:43:46 -0400
https://www.nytimes.com/2017/07/29/technology/china-apple-censorhip.html

The world's most valuable company appears to have pulled down the apps amid
China's deepening crackdown on tools that evade Internet controls.


Cars Suck Up Data About You. Where Does It All Go?

Lauren Weinstein <lauren@vortex.com>
Sat, 29 Jul 2017 16:00:19 -0700
via NNSquad
https://www.nytimes.com/2017/07/27/automobiles/wheels/car-data-tracking.html

  Cars have become rolling listening posts. They can track phone calls and
  texts, log queries to websites, record what radio stations you listen to
  —even tell you when you are breaking the law by exceeding the speed
  limit.  Automakers, local governments, retailers, insurers and tech
  companies are eager to leverage this information, especially as cars
  transform from computers on wheels into something more like self-driving
  shuttles. And they want to tap into even more data, including what your
  car's video cameras see as you travel down a street.  Who gets what
  information and for what purposes?

Not the ancient vehicle I drive. But wait until you see what the government
will do with the data from autonomous vehicles, and how the government will
demand the ability to remotely control them, both individually and en masse.


Re: Keen Lab hackers ... take control of a Tesla ... (RISKS-30.40)

"Gary Hinson" <gary@isect.com>
Sat, 29 Jul 2017 18:12:29 +1200
The news relating to "Chinese group hacks a Tesla for the second year in a
row" hints at the opening of a new (?) front in the ongoing global cyberwar:
never mind directly attacking an adversary's government, military or
critical infrastructure, leave aside the election hacking and fake news
malarkey, strike directly at the jugular of its commercial industry.
Undermine it by demonstrating just how pitifully easy it is to hack its
products.  Poke the capitalists where it hurts the most - the brands and
profits.

Oh, but hang on a moment, the West has been doing that to China for years.
I get it now.  The playground fight just popped into focus.

And all of a sudden, the West's consistent and substantial underinvestment
in security engineering over far too many decades seems 'somewhat
shortsighted', not to put too fine a point on it.


Re: Myopic CEO perspective, I think (Goldberg, RISKS-30.40)

Gene Wirchenko <genew@telus.net>
Sun, 30 Jul 2017 10:05:58 -0700
> "Who gives a sh*t?" about better hardware seems good argument against
> buying Ring.  Better hardware might last longer, not rust, be upgradeable,
> have better connectivity, be more reliable.  Even look better.'

Or not last as long, rust, not be upgradeable, have worse connectivity, be
less reliable.  Even look worse.

Or remove needed functionality, add privacy invasion, etc.

If I am looking for a replacement because the old one has died or is not up
to my current or projected needs, yes, I will look at another system.

However, if I have a system that is working well for me, it is fairly
irrelevant that another system is shinier for whatever value of "shiny".

Going from Windows XP to Windows 7 broke part of my development toolkit.  I
was very impressed by this but not in a positive way.

Frankly, I am tired of the myopia of technology companies who insist on new,
new, new at all costs.  I want solutions, not a bunch of prated-about
features.


Re: NEC Updates like software updates

"R. G. Newbury" <newbury@mandamus.org>
Mon, 31 Jul 2017 10:46:43 -0400
Re: Charging Phone Kills 14-Year-Old Girl in Bathtub (Strauss, RISKS-30.40)

> 15.08.020   National Electrical Code adopted.
> The regulations contained in the National Electrical Code, 1956 Edition,
> *as the same are now or may be amended*
> is adopted by reference and is declared
> to be a part of this chapter

Note the phrase "or may be amended".  I am quite sure that the present code,
*including GFI requirements* is legally an amended version of the 1956
Code. At least, the relevant authorities will treat it as such.  Otherwise,
no-one could be charged or prosecuted or sanctioned for a failure to do what
the present code requires.

What goes un-noticed is that the legislature effectively grants to an
un-named, un-accountable body the power to unilaterally *amend the law*.

Don't feel bad, though. The same thing is going on in Canada.


Mass. maker of Roomba isn't going to sell your data, after all (Re: RISKS-30.40)

Monty Solomon <monty@roscom.com>
Sun, 30 Jul 2017 12:05:10 -0400
https://www.boston.com/news/local-news/2017/07/28/mass-maker-of-roomba-isnt-going-to-sell-your-data-after-all
