Forum on Risks to the Public in Computers and Related Systems
Volume 29: Issue 58
Tuesday 21 June 2016
- A Hacking of More Than $50 Million Dashes Hopes in the World of Virtual Currency
- Technician broke the Internet by thinking Hong Kong was in the USA
- Dagens Nyheter via Debora Weber-Wulff
- Attacking NYC by computer
- NY Magazine via Jeremy Epstein
- One Million IP Addresses Used In Brute-Force Attack On A Bank
- Critical MSDOS program can't get license renewed
- Henry Baker
- Russian bill requires encryption backdoors in all messenger apps
- Daily Dot
- Citing Attack, GoToMyPC Resets All Passwords
- Krebs on Security
- Man Inadvertently Broadcasts His Own Killing on Facebook Live
- Autonomous harmful robot
- Daily Mail via Mark Thorson
- Re: Tesla Model X autonomously crashes into building, owner claims
- Ian Macky
- Re: The Air Force Had a Totally Accidental Computer Disaster
- Steve Lamont
- Info on RISKS (comp.risks)
http://www.nytimes.com/2016/06/18/business/dealbook/hacker-may-have-removed-more-than-50-million-from-experimental-cybercurrency-project.html

The project, known as the Decentralized Autonomous Organization, is raising broader questions about the security and viability of virtual currencies like Ether and Bitcoin.

[Not very DAO-ist. Lao Tze would be shocked! Actually, the hack reportedly resulted from a TOCTTOU problem—nonatomic transactions exploiting a time-of-check-to-time-of-use flaw. This might be considered as a converse of Tom Lehrer's Don't Write Naughty Words on Walls If You Can't Spell: Don't Write Critical Code If You Can't Think. The risks of TOCTTOUs are as old as the hills. PGN]
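To make the nonatomic-transaction point concrete, here is an added example (not code from the RISKS item or from the DAO itself): a toy Python ledger whose withdraw routine checks the balance, hands control to the payee, and only then records the debit, beside the same routine with the debit recorded first. The callback shape, in which payee code runs before the debit and can call withdraw again, is an assumption about the flaw's form; the note above only says TOCTTOU.

```python
# Added example, not code from the RISKS item or from the DAO: a toy ledger
# modelling the nonatomic withdraw pattern the note describes, beside the
# atomic form. The callback shape (payee code runs before the debit) is an
# assumption about the flaw; the note only says TOCTTOU / nonatomic.

class Ledger:
    def __init__(self, balances, atomic):
        self.balances = dict(balances)   # account -> credit
        self.atomic = atomic             # True: record the debit before paying
        self.payouts = 0                 # total credit actually handed out

    def withdraw(self, who, amount, on_pay):
        # Time of check: the balance looks sufficient.
        if self.balances[who] < amount:
            return False
        if self.atomic:
            self.balances[who] -= amount   # state updated before any callout
        self.payouts += amount
        on_pay(self)                       # control passes to the payee's code
        if not self.atomic:
            self.balances[who] -= amount   # time of use: the check is now stale
        return True


def simulate(atomic, depth, credit=10, amount=10):
    """Run one withdraw whose payee re-enters withdraw up to `depth` times.

    Returns (total paid out, final balance) for the constructed account 'a'.
    """
    ledger = Ledger({"a": credit}, atomic)
    calls = {"n": 0}

    def on_pay(l):
        # The payee re-enters withdraw while the first call is still pending,
        # so the nonatomic ledger repeats a check against unchanged state.
        if calls["n"] < depth:
            calls["n"] += 1
            l.withdraw("a", amount, on_pay)

    ledger.withdraw("a", amount, on_pay)
    return ledger.payouts, ledger.balances["a"]


if __name__ == "__main__":
    print("nonatomic:", simulate(atomic=False, depth=3))  # (40, -30)
    print("atomic:   ", simulate(atomic=True, depth=3))   # (10, 0)
```

With a credit of 10, the nonatomic ledger pays out 40 and ends at -30; recording the debit before the callout limits the payout to the 10 that was actually there.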
The Swedish Daily "Dagens Nyheter" reports on June 21 on the reason that many sites (Reddit, Whatsapp, Slack, and others) were hard to reach the day before in Europe.
http://www.dn.se/ekonomi/europa-blev-hongkong-sa-sankte-telia-natet/

It seems that the Swedish operator Telia Carrier is one of the few Tier 1 companies that are responsible for directing European Internet traffic. While a technician was reconfiguring part of the network, they mixed up a few things and sent all traffic to the USA via Hong Kong. The resulting slowdown led people to believe that the transatlantic cable had been damaged. Telia would not comment on the issue.

The Register has a short report from June 20:
http://www.theregister.co.uk/2016/06/20/telia_engineer_blamed_massive_net_outage/

Prof. Dr. Debora Weber-Wulff, HTW Berlin, 10313 Berlin +49-30-5019-2320 email@example.com http://www.f4.htw-berlin.de/people/weberwu/
NY Magazine has a long description of a scenario where basically everything in NYC is (successfully) attacked - vehicles, hospitals, power systems, thermostats, etc. There's nothing in here that we haven't seen before -- and they footnote each of the claims, but it's a well-written if somewhat breathless description of how attackers could put all the bad things together into a fairly catastrophic attack. (Yeah, some of the elements are misleading - for example, the reference to hacked elections isn't actually about hacking voting, but rather spying on elections. But the overall picture is IMHO fairly accurate.)
http://nymag.com/daily/intelligencer/2016/06/the-hack-that-could-take-down-nyc.html
Slashdot via NNSquad
https://it.slashdot.org/story/16/06/19/226250/one-million-ip-addresses-used-in-brute-force-attack-on-a-bank

Cisco says in just one week in February they detected 1,127,818 different IP addresses being used to launch 744,361,093 login attempts on 220,758,340 different email addresses—and that 93% of those attacks were directed at two financial institutions in a massive Account Takeover (ATO) campaign.
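What makes the campaign Cisco describes hard to see is its spread across sources rather than its rate per source. As an added example (not from the Slashdot or Cisco text), here is a small Python detector run over constructed authentication log lines, contrasting the usual per-source-IP failure threshold with a per-account distinct-source rule; the log format, thresholds, and sample addresses are all assumptions.

```python
# Added example, not from the Cisco report: a detector over constructed auth
# log lines showing why a distributed ATO pattern (many sources, few attempts
# each) slips past a per-IP failure threshold but shows up per account.
from collections import defaultdict

# Constructed sample, one line per attempt: "timestamp account source_ip result"
LOG = """\
1 alice@example.test 203.0.113.1 FAIL
2 alice@example.test 203.0.113.2 FAIL
3 alice@example.test 203.0.113.3 FAIL
4 alice@example.test 203.0.113.4 FAIL
5 alice@example.test 203.0.113.5 OK
6 bob@example.test 198.51.100.7 FAIL
7 bob@example.test 198.51.100.7 OK
8 carol@example.test 198.51.100.9 FAIL
9 carol@example.test 198.51.100.9 FAIL
10 carol@example.test 198.51.100.9 FAIL
11 carol@example.test 198.51.100.9 FAIL
"""

def parse(log):
    for line in log.splitlines():
        ts, account, ip, result = line.split()
        yield int(ts), account, ip, result == "OK"

def per_ip_alerts(log, max_fail=3):
    """Classic rule: flag any source IP failing more than max_fail times."""
    fails = defaultdict(int)
    for _, _, ip, ok in parse(log):
        if not ok:
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n > max_fail)

def per_account_alerts(log, min_ips=3):
    """Distributed rule: flag an account that failed from min_ips or more
    distinct sources; value is (distinct sources, success seen afterwards),
    the second field marking a likely completed takeover."""
    sources = defaultdict(set)
    success_after = set()
    for _, account, ip, ok in parse(log):
        if ok and len(sources[account]) >= min_ips:
            success_after.add(account)
        elif not ok:
            sources[account].add(ip)
    return {a: (len(s), a in success_after)
            for a, s in sources.items() if len(s) >= min_ips}
```

On the sample, the per-IP rule only sees carol's single noisy source, while the per-account rule flags alice, whose four distinct sources each tried once before one succeeded.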
What should happen to software that the vendor wants to stop supporting? So long as the vendor is left blameless and without any liability, why not allow continued use through abandonment to the public domain? I'm sure that all of us have tons of stories of software that works just fine w/o requiring any support for years and years. Why "upgrade" to SW that costs 10-50X more, which requires a huge additional investment in new HW, and—most importantly—requires the *retraining* of lots of people? Nowadays, it is possible to run such old MSDOS software through HW or SW emulation, and this enables accessing the software through modern I/O devices. Such software can often access memories 1000X bigger than available when the MSDOS SW was in its prime, thereby enabling many additional years of useful life. There's an additional hope that legislation will eventually allow software copyrights on such old SW *source code* to also join the public domain, so that computer museums, at least, can demonstrate these old systems. Antique automobiles are typically grandfathered out of modern requirements so they can still be driven on public roads. This particular MSDOS SW doesn't even drive on the public Internet—at least so far as I can tell from this article.

http://www.abc.net.au/news/2016-06-18/software-legal-battle-could-put-sa-patients'-safety/7522934
Software legal battle could put South Australian patients' safety at risk, Government outlines in court documents
Angelique Donnellan, ABC Net (AU), 18 Jun 2016

The South Australian Government has warned that patient safety will be at risk if it is forced to stop using a crucial software system in country hospitals. The ABC obtained court documents which reveal the extent of a bitter legal stoush between the Government and the maker of the patient records system. The system, called CHIRON, is used at 64 country health sites in South Australia, including at the Mount Barker Hospital.
In technology terms, the program is ancient and based on the MS-DOS platform. It was installed in SA hospitals in the early 90s. In the Federal Court CHIRON's maker Working Systems demanded the State Government stop using it because the licence expired in March last year. The Government said complying would jeopardise patient safety and there would be a material risk to SA Health's ability to provide an effective health service. According to court documents the Government argued without CHIRON hospital staff would not have access to critical information such as patient allergies to medication and there was potential for new patient data being lost or incorrectly recorded. Working Systems said any risk to patient safety was the Government's fault because it had failed to plan and refused to sign up to updated software in 2003. The company said a licence extension for CHIRON was not possible because it was too old and no longer supported. Court documents show in 2014 the Government assured Working Systems it was seeking a replacement. That system, known as EPAS, has been dogged by delays, controversy and cost blowouts. It is currently only operating at three sites, including Port Augusta. The CHIRON matter is listed for trial in December.
Daily Dot via NNSquad
http://www.dailydot.com/politics/encryption-backdoor-russia-fsb/

Backdoors into encrypted communications may soon be mandatory in Russia. A new bill in the Russian Duma, the country's lower legislative house, proposes to make cryptographic backdoors mandatory in all messaging apps in the country so the Federal Security Service—the successor to the KGB—can obtain special access to all communications within the country.
Krebs via NNSquad
http://krebsonsecurity.com/2016/06/citing-attack-gotomypc-resets-all-passwords/

GoToMyPC, a service that helps people access and control their computers remotely over the Internet, is forcing all users to change their passwords, citing a spike in attacks that target people who re-use passwords across multiple sites.
A 28-year-old man in Chicago who accidentally caught his own fatal shooting on video is the latest example of the *no gatekeeper* world of live streaming. http://www.nytimes.com/2016/06/18/us/man-inadvertently-broadcasts-his-own-killing-on-facebook-live.html
The first of a new class of robots. It's all downhill from here. http://www.dailymail.co.uk/sciencetech/article-3638874
Teslas are instrumented. When there's a crash like this one, it's probably a good idea to wait until the log contents are revealed before repeating the driver's claims; the logs often show the opposite. Unintended acceleration is almost always caused by the driver pushing the wrong pedal, then, thinking they are pushing the brake, when the car takes off, they push yet harder. Happens all too frequently. Cognitive error. Anyway, in this case, here's Tesla's response: "We analyzed the vehicle logs which confirm that this Model X was operating correctly under manual control and was never in Autopilot or cruise control at the time of the incident or in the minutes before. Data shows that the vehicle was traveling at 6 mph when the accelerator pedal was abruptly increased to 100%. Consistent with the driver's actions, the vehicle applied torque and accelerated as instructed. Safety is the top priority at Tesla and we engineer and build our cars with this foremost in mind. We are pleased that the driver is ok and ask our customers to exercise safe behavior when using our vehicles."
http://thehill.com/policy/defense/283605-air-force-recovers-crashed-database
Air Force recovers crashed database, *The Hill*, 15 Jun 2016

The Air Force has recovered a database that holds thousands of inspector general records after it crashed, the service said Wednesday afternoon. "After aggressively leveraging all vendor and department capabilities, the Air Force made a full recovery of the Automated Case Tracking System database, the Air Force inspector general system of record for all records related to IG complaints, investigations and appeals," the Air Force said in a statement. Last week, the Air Force announced that a database known as the Automated Case Tracking System (ACTS) had crashed and that records for more than 100,000 Air Force inspector general cases dating back to 2004 were lost. [...]

[Martyn Thomas noted that this should act as a warning to those who trust irreplaceable data to any cloud service provider. But I'd wager it won't be heeded. PGN]

[PGN via LW: See also BoingBoing:]
http://boingboing.net/2016/06/18/air-force-tried-harder-now-sa.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+boingboing%2FiBag+%28Boing+Boing%29