The RISKS Digest
Volume 28 Issue 81

Saturday, 25th July 2015

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Fiat Chrysler Issues Recall Over Hacking
Aaron M. Kessler
The Web-Connected Car Is Cool, Until Hackers Cut Your Brakes
Aaron M. Kessler
Fiat Chrysler "connected car" bug lets hackers take over Jeep remotely
Ars
Re: Jeep hack: The cure can be worse than the disease if the doctor is a quack
USA Today
Re: Hackers Remotely Kill a Jeep on the Highway
Mark Kramer
What's Wrong With the Internet and How We Can Fix It: Lori Emerson's Interview With Internet Pioneer John Day
????
When the Internet's Moderators Are Anything But
Adrian Chen
Facebook blocked from challenging search warrants targeting its users
Lauren Weinstein
HP's ZDI discloses 4 new vulnerabilities in Internet Explorer
Woody Leonhard
Bug exposes OpenSSH servers to brute-force password guessing attacks
Werner U
Google: New research: Comparing how security experts and non-experts stay safe online
GoogleOnline via Lauren Weinstein
What My Landlord Learned About Me From Twitter
Haley Mlotek
"The messy truth about BYOD"
Galen Gruman
Looks like a bad idea: "Self-Destructing Gmail Possible With Free Chrome Extension"
ABC via LW
For .sucks Web domains, currency seems to be paid in reputations
BetaBoston via Bob Frankston
Court: You Have No Right To Privacy When You Butt Dial Someone
Mary Beth Quirk
Cellphone Ordinance Puts Berkeley at Forefront of Radiation Debate
NYT
Bison selfies are a bad idea: Tourist gored in Yellowstone as another photo goes awry
WashPost
Silver Bullet 112: Green and Bellovin on Crypto Back Doors
Gary McGraw
DMCA Takedown Notice for 127.0.0.1
Wikipedia
Verizon's evil exposed yet again: "Is Verizon Planning on Becoming an All-Wireless-Only Company: Who Needs the Wires Anyway?" *HuffPost*
????
Info on RISKS (comp.risks)

Fiat Chrysler Issues Recall Over Hacking (Aaron M. Kessler)

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 25 Jul 2015 8:01:12 PDT
An Article by Aaron M. Kessler in today's issue of *The New York Times*
discusses a consequence of the Jeep Cherokee vulnerabilities—very similar
problems exist in Fiat Chrysler automobiles, resulting in the recall of 1.4
million vehicles.

Car-pay diem.


The Web-Connected Car Is Cool, Until Hackers Cut Your Brakes (Aaron M. Kessler)

Monty Solomon <monty@roscom.com>
Fri, 24 Jul 2015 02:44:31 -0400
A pair of researchers said that they had hacked a Jeep Cherokee through its
Internet-connected system, allowing them to take control of the engine,
brakes and even steering.
http://www.nytimes.com/2015/07/24/business/the-web-connected-car-is-cool-until-hackers-cut-your-brakes.html


Fiat Chrysler "connected car" bug lets hackers take over Jeep remotely

Lauren Weinstein <lauren@vortex.com>
Tue, 21 Jul 2015 13:03:21 -0700
http://arstechnica.com/security/2015/07/fiat-chrysler-connected-car-bug-lets-hackers-take-over-jeep-remotely/

  Uconnect, a "connected car" system sold in a number of vehicles produced
  by Fiat Chrysler for the US market, uses the Sprint cellular network to
  connect to the Internet and allows owners to interact with their vehicle
  over their smartphone--performing tasks like remote engine start,
  obtaining the location of the vehicle via GPS, and activating anti-theft
  features. But vulnerabilities in Uconnect, which Fiat Chrysler has issued
  a patch for, made it possible for an attacker to scan Sprint's cellular
  network for Uconnect-equipped vehicles, obtaining their location and
  vehicle identification information.  Miller and Valasek demonstrated that
  they could then attack the systems within the car via the IP address of
  the vehicle, allowing them to turn the engine of the car off, turn the
  brakes on or off, remotely activate the windshield wipers, and take
  control of the vehicle's information display and entertainment system.
  Miller and Valasek also found that they could take remote control of the
  steering of their test vehicle, the aforementioned Jeep Cherokee--but only
  while it was in reverse.

Thinking about what hackers will do to *autonomous* vehicles.


Re: Jeep hack: The cure can be worse than the disease if the doctor is a quack (USA Today)

Lance Hoffman <lanceh@gwu.edu>
Fri, 24 Jul 2015 14:51:37 -0400
  Let's see if anyone rushes to send out a bunch of USB drives with a
  "security update" to the Chrysler owners before they get them from
  Chrysler?  A great way to plant a time bomb.

Today, the automaker will update the software in the infotainment system
of the cars it is recalling by sending customers a USB drive that can be
used to download new software.

The cars and trucks under the recall are equipped with 8.4-inch
touchscreens on the following models:

   - 2013-2015 MY Dodge Viper specialty vehicles
      - 2013-2015 Ram 1500, 2500 and 3500 pickups
      - 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
      - 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
      - 2014-2015 Dodge Durango SUVs
      - 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
      - 2015 Dodge Challenger sports coupes

"It's important to reiterate that there is no real safety threat to FCA
owners," said Edmunds.com consumer advice editor Ron Montoya. "This week's
hack was an isolated incident that was performed on one specific vehicle
and it was not something that could be replicated on a mass scale."

Customers who own cars subject to the recall will not need to take them to
dealers. They will receive a USB drive in the mail. The USB drive provides
additional security features.

Owners who are not comfortable installing the software themselves can take
their car to a dealer.

Also, customers who want to check if their vehicle is affected by the
recall can visit http://www.driveuconnect.com/software-update/ to see if
their vehicle identification numbers is included in the recall."

Lance J. Hoffman, Director, Cyber Security Policy and Research Institute
http://www.cspri.seas.gwu.edu/ http://www.cs.seas.gwu.edu/people/faculty/99

  [Quack?  Web(foot)ware? Inter(duck)net?  If it looks like an duck and
  walks like a duck, it must need another software fix.  PGN]


Re: Hackers Remotely Kill a Jeep on the Highway (Greenberg, R-28.80)

Mark Kramer <c28f62@theworld.com>
Thu, 23 Jul 2015 22:23:29 -0400
It is nice that Andy Greenberg offered himself as a "crash test dummy" for a
hacker demonstration.

I wonder if the other people sharing his bit of the St. Louis highway where
he was going 70 MPH are as appreciative of his offer.  Loss of forward
visibility at a random time at high speed could have resulted in injury to
others.


What's Wrong With the Internet and How We Can Fix It: Lori Emerson's Interview With Internet Pioneer John Day

Dewayne Hendricks <dewayne@warpspeed.com>
July 25, 2015 at 5:13:57 AM EDT
[Note:  This item comes from friend Paul Pangaro.  DLH][via Dave Farber]

Lori Emerson, 23 Jul 2015
<http://loriemerson.net/2015/07/23/whats-wrong-with-the-internet-and-how-we-can-fix-it-interview-with-internet-pioneer-john-day/>

Below is an interview I conducted with the computer scientist and Internet
pioneer John Day via email over the last six months or so. The interview
came about as a result of a chapter I've been working on for my Other
Networks project, called The Net Has Never Been Neutral.  In this piece, I
try to expand the materialist bent of media archaeology, with its investment
in hardware and software, to networks. Specifically, I'm working through the
importance of understanding the technical specs of the Internet to figure
out how we are unwittingly living out the legacy of the power/knowledge
structures that produced TCP/IP. I also think through how the Internet could
have been and may still be utterly different. In the course of researching
that piece, I ran across fascinating work by Day in which he argues that
“the Internet is an unfinished demo'' and that we have become blind not
only to its flaws but also to how and why it works the way it works. Below
you'll see Day expand specifically on five flaws of the TCP /IP model that
are still entrenched in our contemporary Internet architecture and, even
more fascinating, the ways in which a more sensible structure (like the one
proposed by the French CYCLADES group) to handle network congestion would
have made the issue of net neutrality beside the point. I hope you enjoy and
many, many thanks to John for taking the time to correspond with me.

Emerson: You've written quite vigorously about the flaws of the TCP/IP model
that go all the way back to the 1970s and about how our contemporary
Internet is living out the legacy of those flaws. Particularly, you've
pointed out repeatedly over the years how the problems with TCP were carried
over not from the American ARPANET but from an attempt to create a transport
protocol that was different from the one proposed by the French Cyclades
group. First, could you explain to readers what Cyclades did that TCP should
have done?

Day: There were several fundamental properties of networks the CYCLADES crew understood that the Internet group missed:

 * The Nature of Layers,
 * Why the Layers they had were there,
 * A complete naming and addressing model,
 * The fundamental conditions for synchronization,
 * That congestion could occur in networks, and
 * A raft of other missteps most of which follow from the previous 5, but
   some are unique.

First and probably foremost was the concept of layers. Computer Scientists
use layers to structure and organize complex pieces of software. Think of a
layer as a black box that does something, but the internal mechanism is
hidden from the user of the box. One example is a black box that calculates
the 24 hour weather forecast. We put in a bunch of data about temperature,
pressure and wind speed and out pops a 24 hour weather forecast. We don't
have to understand how the blackbox did it. We don't have to interact with
all the different aspects it went through to do that. The black box hides
the complexity so we can concentrate on other complicated problems for which
the output of the black box is input. The operating system of your laptop is
a black box. It does incredibly complex things but you don't see what it is
doing. Similarly, the layers of a network are organized that way. For the
ARPANET group, BBN [erstwhile Bolt, Beranek, and Newman] built the network
and everyone else was responsible for the hosts. To the people responsible
for the hosts, the network of IMPs was a blackbox that delivered
packets. Consequently, for the problems they needed to solve, their concept
of layers focused on the black boxes in the hosts. So the Internet's concept
of layers was focused on the layer in the Hosts where its primary purpose
was modularity. The layers in the ARPANET hosts were the Physical Layer, the
wire; IMP-HOST Protocol; the NCP; and the applications, such as Telnet, and
maybe FTP. For the Internet, they were Ethernet, IP, TCP, Telnet or HTTP,
etc. as application. It is important to remember that the ARPANET was built
to be a production network to lower the cost of doing research on a variety
of scientific and engineering problems.


When the Internet's Moderators Are Anything But

Gabe Goldberg <gabe@gabegold.com>
Thu, 23 Jul 2015 22:36:40 -0400
The title suggests a steward of civility and decency.  However, online,
unpaid moderators can become a force for mayhem.

http://www.nytimes.com/2015/07/26/magazine/when-the-internets-moderators-are-anything-but.html?smprod=nytcore-ipad&smid=nytcore-ipad-share

  [Gabe, Are you suggesting that RISKS is biased?  We're just reporting
  it like it is...  PGN]


Facebook blocked from challenging search warrants targeting its users

Lauren Weinstein <lauren@vortex.com>
Thu, 23 Jul 2015 12:20:58 -0700
  Facebook does not have legal standing to challenge search warrants on
  behalf of its users, a New York appeals court has ruled in what was the
  biggest batch of warrants the social-media site said it ever received at
  one time.


HP's ZDI discloses 4 new vulnerabilities in Internet Explorer (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Fri, 24 Jul 2015 10:04:24 -0700
  [1) Risk number 1 is the vulnerability.
   2) Risk number 2 is Microsoft taking their sweet time dealing with it.
  GW]

Woody Leonhard, InfoWorld, 23 Jul 2015
ZDI went public after extending the disclosure deadline twice with no fix
forthcoming from Microsoft
http://www.infoworld.com/article/2951738/patch-management/hp-s-zdi-discloses-four-new-vulnerabilities-in-internet-explorer.html

HP's Zero Day Initiative (ZDI) doesn't cut much slack with its 120-day
disclosure policy. When ZDI knocks on your door and says you have a security
hole, you get 120 days to fix it or risk full public disclosure. That's what
happened—again. With ZDI and Microsoft—again. Over Internet Explorer
-- again. [...]


Bug exposes OpenSSH servers to brute-force password guessing attacks

Werner U <werneru@gmail.com>
Thu, 23 Jul 2015 22:50:48 +0200
Who is responsible for ensuring security and privacy in the age of the
Internet of Things? As the number of Internet-connected devices explodes,
Gartner estimates that 25 billion devices and objects will be connected to
the Internet by 2020—security and privacy issues are poised to affect
everyone from families with connected refrigerators to grandparents with
healthcare wearables.

In this interview, U.S. Federal Communications Commission CIO David Bray
says control should be put in the hands of individual consumers. Speaking in
a personal capacity, Bray shares his learnings from a recent educational
trip to Taiwan and Australia he took as part of an Eisenhower Fellowship: "A
common idea Bray discussed with leaders during his Eisenhower Fellowship was
that the interface for selecting privacy preferences should move away from
individual Internet platforms and be put into the hands of individual
consumers." Bray says it could be done through an open source agent that
uses APIs to broker their privacy preferences on different platforms.
<http://www.gartner.com/technology/research/internet-of-things/>
<https://enterprisersproject.com/article/2015/7/empower-consumers-control-their-privacy-internet-everything>

itwbennett writes:
OpenSSH servers with keyboard-interactive authentication enabled, which is
the default setting on many systems, including FreeBSD ones, can be tricked
to allow many authentication retries over a single connection, according to
a security researcher who uses the online alias Kingcope, who disclosed the
issue on his blog last week. According to a discussion on Reddit, setting
PasswordAuthentication to 'no' in the OpenSSH configuration and using
public-key authentication does not prevent this attack, because
keyboard-interactive authentication is a different subsystem that also
relies on passwords.
<http://it.slashdot.org/story/15/07/22/1715244/bug-exposes-openssh-servers-to-brute-force-password-guessing-attacks>


Google: New research: Comparing how security experts and non-experts stay safe online

Lauren Weinstein <lauren@vortex.com>
Thu, 23 Jul 2015 12:27:52 -0700
http://googleonlinesecurity.blogspot.com/2015/07/new-research-comparing-how-security.html

  This paper outlines the results of two surveys--one with 231 security
  experts, and another with 294 web-users who aren't security experts--in
  which we asked both groups what they do to stay safe online. We wanted to
  compare and contrast responses from the two groups, and better understand
  differences and why they may exist.

I agree with all of the points made in this article, with the notable
exception of #5—password managers. One of the most common "mass"
failure points reported to me is use of password managers. I do not use
them, and I strongly recommend that others not use them either.

  [What is interesting to me is that there is ZERO overlap between the
  "experts" and the "non-experts".  And yes, password managers are just
  kicking the ball back to the goalie.  PGN]


What My Landlord Learned About Me From Twitter (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Thu, 23 Jul 2015 22:36:08 -0400
Haley Mlotek, *The New York Times magazine, 20 Jul 2015)
Apartment hunting in the age of social media.

http://www.nytimes.com/2015/07/20/magazine/what-my-landlord-learned-about-me-from-twitter.html?smprod=nytcore-ipad&smid=nytcore-ipad-share


"The messy truth about BYOD" (Galen Gruman)

Gene Wirchenko <genew@telus.net>
Fri, 24 Jul 2015 10:10:17 -0700
  "There are lies, damned lies, statistics, ..."

Galen Gruman, InfoWorld, 24 Jul 2015
It's jeopardizing your business! It's already a passing fad! It's the
standard in business today! Why the claims don't add up.
http://www.infoworld.com/article/2951555/byod/the-messy-truth-about-byod.html


Looks like a bad idea: "Self-Destructing Gmail Possible With Free Chrome Extension"

Lauren Weinstein <lauren@vortex.com>
Fri, 24 Jul 2015 14:03:59 -0700
Looks like a bad idea
http://abcnews.go.com/Technology/destructing-gmail-free-chrome-extension/story?id=32667353

  A new Chrome extension called Dmail brings its self-destructing super
  powers to a user's Gmail inbox, allowing users to take control of the
  messages they send even long after they've been fired off to the recipient
  ... Messages sent to a friend who has Dmail appear in their inbox as
  normal. The extension still works if a friend doesn't have the service.
  They'll instead be given a Dmail link in the email which will take them to
  the secure message.

The potential for confusion or abuse with this extension strikes me as being
quite high. Because of the manner in which it may confuse Gmail users who
are recipients of messages through "Dmail" who have not chosen to install
the Dmail extension, it seems possible that this extension violates the
Gmail and/or Chrome Terms of Service.


For .sucks Web domains, currency seems to be paid in reputations (BetaBoston)

"Bob Frankston" <bob19-0501@bobf.frankston.com>
23 Jul 2015 22:45:31 -0400
http://www.betaboston.com/news/2015/07/23/sleazy-internet-domain-sucks-up-the-bucks/

Do I need to point out again that what really sucks is the idea that you
can't own your identity and that the web is held together by links that are
designed to unravel for no reason other than the artificial scarcity of
identifiers? Of course ICANN benefits by this refilling its coffers by
harvesting our misery. That sucks.

I still don't understand why we put up with the idea of making failure the
default for something so fundamental and vital as our ability to communicate
and maintain relationships. It's not the only problem but is one of the more
egregious. ICANN.Sucks is a valid use of this TLD.

As to the purveyors of the .SUCKs domain they are doing exactly what ICANN
is supposed to do - monetizing people's identity and reputation.

Apologies to the creators of ICANN who had the best intentions—sometimes
noble ideas do not work out and we need to put them to rest and move on.


Court: You Have No Right To Privacy When You Butt Dial Someone Mary Beth Quirk, Consumer Media LLC

Gabe Goldberg <gabe@gabegold.com>
Fri, 24 Jul 2015 17:31:13 -0400
Today in issues we never thought a court would weigh in on: if you
accidentally pocket dial someone, pulling the move we all know as “butt
dialing,” don't expect anything you say during the call you don't know
you're making to stay private.

The U.S. Court of Appeals for the Sixth Circuit in Kentucky ruled yesterday
that a person who butt dials another party during a conversation doesn't
have a reasonable expectation of privacy.

This, because everyone knows about such accidental calls and there are a lot
of ways to prevent such a thing from happening. That means anyone who
happens to be listening in on the call that came in on their phone isn't
violating privacy laws by recording that conversation, the three-judge panel
determined.

http://consumerist.com/2015/07/22/court-you-have-no-right-to-privacy-when-you-butt-dial-someone/

But(t)—I didn't mean to dial!

Gabriel Goldberg, Computers and Publishing, Inc.       gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433


Cellphone Ordinance Puts Berkeley at Forefront of Radiation Debate

Monty Solomon <monty@roscom.com>
Fri, 24 Jul 2015 02:09:00 -0400
A city measure requiring retailers to warn cellphone customers about
radiation exposure is on hold pending a lawsuit from the wireless industry.
http://www.nytimes.com/2015/07/22/us/cellphone-ordinance-puts-berkeley-at-forefront-of-radiation-debate.html


Bison selfies are a bad idea: Tourist gored in Yellowstone as another photo goes awry

Monty Solomon <monty@roscom.com>
Thu, 23 Jul 2015 09:39:26 -0400
http://www.washingtonpost.com/news/morning-mix/wp/2015/07/23/bison-selfies-are-a-bad-idea-tourist-gored-in-yellowstone-as-another-photo-goes-awry/

  [Let's let bi-sons be bi-sons!  PGN]


Silver Bullet 112: Green and Bellovin on Crypto Back Doors

Gary McGraw <gem@cigital.com>
Thu, 23 Jul 2015 15:57:45 +0000
For the latest episode of Silver Bullet, we spoke to two of the fifteen
co-authors of the Keys Under Doormats paper describing the technical peril
of implementing crypto back doors as FBI Director Comey has suggested.
Steve Bellovin comes at the problem with years of experience and direct
involvement in the first crypto wars.  Matthew Green comes to the problem
with a solid understanding of applied cryptography in real world systems.
Have a listen:

http://bit.ly/SB-crypto-wars


DMCA Takedown Notice for 127.0.0.1

Henry Baker <hbaker1@pipeline.com>
Thu, 23 Jul 2015 07:10:06 -0700
FYI—Shoot oneself in the foot; see 127.0.0.1.
https://en.wikipedia.org/wiki/Localhost

Allegedly Infringing URLs: http://127.0.0.1:4001/#/fr/
https://i.imgur.com/V4ZAXEa.png
https://www.chillingeffects.org/notices/10969223


Verizon's evil exposed yet again: "Is Verizon Planning on Becoming an All-Wireless-Only Company: Who Needs the Wires Anyway?"

Lauren Weinstein <lauren@vortex.com>
Fri, 24 Jul 2015 10:00:39 -0700
HuffPost via NNSquad
http://www.huffingtonpost.com/bruce-kushnick/is-verizon-planning-on-be_b_7866124.html

  Of course almost everyone reading this has a cell phone. But, you may have
  been misled if you believe that the wires don't matter or that wireless
  services alone are the future.

Please report problems with the web pages to the maintainer

x
Top