
RISKS Digest 29.79

Saturday, 24 September 2016

We Have to Start Thinking About Cybersecurity in Space

ACM TechNews <technews-editor@acm.org>

Fri, 23 Sep 2016 12:18:18 -0400 (EDT)

Zeljka Zorz, Help Net Security, 22 Sep 2016, via ACM TechNews, 23 Sep 2016

UK-based researchers are studying the cybersecurity of space-related technologies. "An insecure environment in space will hinder economic development and increase risks to societies, particularly in crucial sectors such as communications, transport, energy, financial transactions, agriculture, food and other resources management, environmental and weather monitoring, and defense," according to Chatham House researchers David Livingstone and Patricia Lewis. They say space-related cybersecurity gaps and weaknesses need to be addressed as a matter of urgency. Cybersecurity in space includes satellites, rockets, space-based systems and vehicles, space stations and ground stations, as well as the associated networks and data centers, all of which the researchers warn could be targeted by hackers. "Possible cyberthreats against space-based systems include state-to-state and military actions; well-resourced organized criminal elements seeking financial gain; terrorist groups wishing to promote their causes, even up to the catastrophic level of cascading satellite collisions; and individual hackers who want to fanfare their skills," according to the researchers. The researchers suggest an international multi-stakeholder space security organization would provide the best opportunity for developing a sectoral response to match the range of threats. However, such an effort should avoid basing policies on technology alone. "An effective regime requires a comprehensive technological response that is integrated into a wider circle of knowledge, understanding, and collaboration," according to the researchers. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-113b5x2fda9x073885&

"5 Tech Trends That Have Turing Award Winners Worried"

ACM TechNews <technews-editor@acm.org>

Fri, 23 Sep 2016 12:18:18 -0400 (EDT)

IDG News Service (09/23/16) Katherine Noyes

A panel of ACM A.M. Turing Award winners convened on Thursday at the Heidelberg Laureate Forum in Germany to discuss technology trends they find troubling. Massachusetts Institute of Technology professor Barbara Liskov cited technology encouraging people to selectively filter out news and opinions differing from their own as a worrisome trend. Another concern of Liskov's is how the Internet has empowered malevolent hackers and other malefactors to target children. Meanwhile, Carnegie Mellon University's Raj Reddy discussed criminals' ability to attack freedom technologically, noting terrorists and other evildoers "can communicate with impunity with encryption today." Google chief Internet evangelist and former ACM president Vint Cerf said bug-ridden software could undermine control of devices comprising the Internet of Things. "It's ordinary devices that have a lot of software in them that don't work the way we expect them to" that constitute a major threat, he warned. Cerf also worries about the obsolescence of the software needed to access online content, and a partial solution may be to employ virtual machines in the cloud to mimic outdated hardware. However, Cerf said other issues are in need of resolution, including ownership of intellectual property and business models to support long-term preservation. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-113b5x2fda6x073885&

Tesla tones down Autopilot

Peter G. Neumann <neumann@csl.sri.com>

Fri, 23 Sep 2016 12:13:01 PDT

Tesla says its latest software update will disable automatic steering if drivers don't keep their hands on the wheel. They are enhancing the radar system so Autopilot will work better in bright sun and bad weather. If drivers ignore three warnings to place their hands on the wheel, automatic steering will be disabled and won't resume until the car is parked. As in earlier versions, the car will slow to a stop if the warnings are ignored.

[PGN-excerpted from the *San Francisco Chronicle*, 23 Sep 2016, front page of the Business Report]

[I suspect that strategy won't work very well on an Automated Highway. Fortunately, we still have a way to go to work things out. I should note that I've written two articles in the past months that might need some updating in light of recent developments noted in RISKS and elsewhere:

PGN, Automated Car Woes—Whoa There! ACM Ubiquity, July 2016: <http://ubiquity.acm.org/article.cfm?id=2974062>

PGN, Risks of Automation: A Cautionary Total-System Perspective of Our Cyberfuture, CACM Inside Risks article, October 2016: <http://www.csl.sri.com/neumann/cacm239.pdf>

One of the risks of writing journal articles is that they should be able to have successive updates, which of course never happens. One of the benefits of RISKS is that we are continually reflecting on the ever-changing nature of computer-related technologies. The topic of self-driving cars and automated highways is certainly likely to be one such area where things will be changing! (That's just one of the reasons I never tried to write a successor to my 1995 book, *Computer-Related Risks*—although most of what I wrote then still seems timely today.) PGN]

Krebs on Security hit by a huge DDoS attack

Peter G. Neumann <neumann@csl.sri.com>

Fri, 23 Sep 2016 09:18:17 PDT

Brian Krebs's security blog was booted off the Akamai network after DDoS attack proves pricey. "There's no rancor or bitterness, however, since Akamai hosted the security expert's blog pro bono."

The attack, 665 Gbps in size, was detected by Akamai and DDoS protection outfit Prolexic, owned by Akamai, as "almost twice the size" of attacks they have had to fend off in the past, according to Krebs.

On Twitter, the security expert said in a series of tweets that despite the unknown attackers "throwing it all" at Krebs on Security, including SYN Floods, GET Floods, ACK Floods, POST Floods, and GRE Protocol Floods, the attack, one of—if not—the largest DDoS ever recorded, failed.

http://www.zdnet.com/article/krebs-on-security-booted-off-akamai-network-after-ddos-attack-proves-pricey/

[This episode seems to have a nasty slippery slope. If nothing else, it demonstrates how devastating massive denial-of-service attacks can be. Also, Akamai's booting Krebs suggests a camel's foot under the hood that may result in shooting themselves in the nose and throwing the boobie hatch out with the dirty laundry. Nip a flood in the bud in the mud with a thud? PGN]

"Seagate NAS hack should scare us all"

Gene Wirchenko <genew@telus.net>

Fri, 23 Sep 2016 11:34:21 -0700

Roger A. Grimes, InfoWorld, 20 Sep 2016
An under-the-radar news story proves that computers are far from the only devices prey to attack
http://www.infoworld.com/article/3121338/security/seagate-nas-hack-should-scare-us-all.html

opening text:

No fewer than 70 percent of Internet-connected Seagate NAS hard drives have been compromised by a single malware program. That's a pretty startling figure. Security vendor Sophos says the bitcoin-mining malware Miner-C is the culprit.

[At peak, seek to tweak the weak link. This reeks of leaks that peek as well. PGN]

Australian Police warn of malware-laden USB sticks in letterboxes

Werner U <werneru@gmail.com>

Fri, 23 Sep 2016 02:03:28 +0200

[ twist: an old trick at a new place.... still works ]

Simon Sharwood, *The Register*, 21 Sep 2016
Victoria Police warn of malware-laden USB sticks in letterboxes
<http://www.theregister.co.uk/2016/09/21/letterbox_usb_police_warning/>

It's called 'junk mail' for a reason people: take the pizza vouchers and ignore the rest!

Police in the Australian State of Victoria have warned citizens not to trust unmarked USB sticks that appear in their letterboxes.

The warning, issued today, says: “The USB drives are believed to be extremely harmful and members of the public are urged to avoid plugging them into their computers or other devices. Upon inserting the USB drives into their computers victims have experienced fraudulent media streaming service offers, as well as other serious issues.” <https://www.vicpolicenews.com.au/news/harmful-usb-drives-found-in-letterboxes>

Only the suburb of Pakenham in Victoria's capital Melbourne has experienced the dodgy stick drop, but Victoria Police nonetheless saw fit to issue a state-wide alert.

*The Register* is utterly unsurprised that some people plugged in the drives, as we've previously reported that half of people who find a USB stick in a carpark will plug it in, and on a USBs-left-in-car-parks phishing scam. And who could forget the attempt at industrial espionage that saw USB sticks left in the parking lot of Dutch chemical giant DSM.
<http://www.theregister.co.uk/2016/04/11/half_plug_in_found_drives/>
<http://www.theregister.co.uk/2007/04/25/usb_malware/>
<http://www.theregister.co.uk/2012/07/11/infected_usb_spyware/>

The latter two attacks were targeted. Pakenham, however, is an unremarkable outer suburb. Perhaps the perps behind this USB drop had a particular target in mind. Or perhaps USB sticks are now so cheap, and the profits to be had from cracking even home computers so large, that scattering a few dozen sticks is a crime that pays?

Russian intelligence services seem responsible for hacking German political groups

The CyberWire <editor@thecyberwire.com>

Thu, 22 Sep 2016 12:26:28 -0400 (EDT)

The CyberWire 9.22.16 http://ui.constantcontact.com/sa/fwtf.jsp?llr=46gbevkab&m=1110957923263&ea=editor%40thecyberwire.com&a=1125925470626

China teen killing sparks Internet *addiction* boot camp debate

Lauren Weinstein <lauren@vortex.com>

Fri, 23 Sep 2016 17:02:01 -0700

BBC via NNSquad http://www.bbc.com/news/world-asia-china-37451134

“A murder case in China, in which a teenager reportedly tied up and killed her mother after being sent to an [I]nternet addiction treatment centre, has sparked shock across the country. The teenager, from the northern province of Heilongjiang, had "tied the victim up in a chair until she died" on 16 September, local police say, without giving further details about the death. The 16-year-old, identified in media reports by a ps[eu]donym, Chen Xin, has handed herself in to the police. Local media say Chen Xin had been sent to an academy in Shandong, more than 1,000 km (600 miles) from her home, that specialised in "treating addictions and rebellious youths" - and which had a particular reputation for treating [I]nternet addictions.”

Banks want to make the Internet less secure for everybody

Thomas Koenig <tkoenig@netcologne.de>

Sat, 24 Sep 2016 08:38:44 +0200

In an E-Mail to the TLS mailing list at ietf.org, a representative of the "Financial Services Roundtable" asked to keep the RSA key exchange in the upcoming TLS 1.3 standard. Why on earth would they do that? One would suppose that banks, above everybody else, would need a secure Internet, in the interest of protecting their clients and themselves.

Well, maybe that's not quite the case:

# Like many enterprises, financial institutions depend upon the ability to
# decrypt TLS traffic to implement data loss protection, intrusion detection
# and prevention, malware detection, packet capture and analysis, and DDoS
# mitigation. Unlike some other businesses, financial institutions also
# rely upon TLS traffic decryption to implement fraud monitoring and
# surveillance of supervised employees.

So, to keep snooping internally, they want to make external snooping easier?

Fortunately, the response was rather short: "No".

Full E-Mail can be found at https://www.ietf.org/mail-archive/web/tls/current/msg21275.html
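To make concrete what the request is about, here is an added toy model (not code from the IETF thread, the TLS 1.3 draft, or the original message): with static RSA key exchange, anyone holding the server's private key (the bank's monitoring appliance, or whoever else obtains that key) can recover the session key from captured traffic, while with the ephemeral Diffie-Hellman exchange that TLS 1.3 mandates the same key only verifies a signature. The RSA primes, exponent and DH group are constructed toy values, and the code uses unpadded textbook arithmetic over a simplified transcript.

```python
"""Toy model of static RSA key exchange versus ephemeral DH, to show what a
passive observer holding the server's long-term private key can recover.
Constructed example; textbook arithmetic with tiny parameters, no padding."""
import hashlib
import secrets

# Constructed toy parameters (assumption: readable, far too small for real use).
RSA_P, RSA_Q, RSA_E = 1000003, 1000033, 65537
DH_P, DH_G = 2**127 - 1, 5  # Mersenne prime as a toy DH modulus


def rsa_keypair():
    n = RSA_P * RSA_Q
    d = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))
    return (n, RSA_E), (n, d)


def derive_key(shared_secret: int) -> bytes:
    """Stand-in for the TLS key schedule: hash the shared secret."""
    return hashlib.sha256(str(shared_secret).encode()).digest()


def handshake_static_rsa(server_pub):
    """Client picks the premaster secret and sends it RSA-encrypted.
    Returns the session key and what a wire tap sees."""
    n, e = server_pub
    premaster = secrets.randbelow(n)
    wire = {"encrypted_premaster": pow(premaster, e, n)}
    return derive_key(premaster), wire


def handshake_dhe(server_priv):
    """Both sides pick ephemeral exponents; the server's long-term RSA key
    only signs its share. Returns the session key and what a wire tap sees."""
    n, d = server_priv
    x, y = secrets.randbelow(DH_P - 2) + 1, secrets.randbelow(DH_P - 2) + 1
    server_share, client_share = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)
    digest = int.from_bytes(hashlib.sha256(str(server_share).encode()).digest(), "big") % n
    wire = {"server_share": server_share, "client_share": client_share,
            "signature": pow(digest, d, n)}
    server_key = derive_key(pow(client_share, x, DH_P))
    client_key = derive_key(pow(server_share, y, DH_P))
    assert server_key == client_key  # both sides agree on g^(xy)
    return server_key, wire


def tap_static_rsa(wire, server_priv):
    """Observer with the server's private key: decrypts the premaster secret
    and so obtains the session key, live or from a recorded capture."""
    n, d = server_priv
    return derive_key(pow(wire["encrypted_premaster"], d, n))


def tap_dhe(wire, server_priv):
    """Same observer, same key: can only check the signature. Recovering
    g^(xy) from the two shares needs an ephemeral exponent nobody sent."""
    n, _d = server_priv
    digest = int.from_bytes(hashlib.sha256(str(wire["server_share"]).encode()).digest(), "big") % n
    signature_ok = pow(wire["signature"], RSA_E, n) == digest
    return signature_ok, None  # None: no session key obtainable


def demo():
    pub, priv = rsa_keypair()
    k_rsa, w_rsa = handshake_static_rsa(pub)
    _k_dhe, w_dhe = handshake_dhe(priv)
    return tap_static_rsa(w_rsa, priv) == k_rsa, tap_dhe(w_dhe, priv)
```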

Rogue Algorithms -- and the Dark Side of Big Data

David Farber <farber@gmail.com>

Fri, 23 Sep 2016 13:36:45 -0400

http://knowledge.wharton.upenn.edu/article/rogue-algorithms-dark-side-big-data/?utm_source=kw_newsletter&utm_medium=email&utm_campaign=2016-09-22

WikiLeaks uploads 300+ pieces of malware among email dumps


Sun, 25 Sep 2016 00:14:37 +0200

[Sources: Gizmodo, 15 Aug 2016 and *The Register*, 19 Aug 2016] [This is an old item that somehow did not make it earlier. PGN]

Michael Nunez, *WikiLeaks Published Dozens of Malware Links in Email Dump*, Gizmodo, 15 Aug 2016
<https://github.com/bontchev/wlscrape/blob/master/malware.md>

Bontchev published his research on his GitHub page, which shows just how extensive the threats inside the WikiLeaks AKP email dump were. This is just the latest example of unethical leaking to come from the whistleblowing organization. In July, the site was criticized for “putting women in danger by publishing sensitive information of every female voter in 79 of 81 Turkish provinces. Now, there is yet another reason to refer to the AKP email dump as dangerous and poorly executed.”
<https://github.com/bontchev/wlscrape/blob/master/malware.md>
<http://gizmodo.com/what-happened-to-wikileaks-1784455507#_ga=1.232804830.1573483110.1468589968>
<http://www.huffingtonpost.com/zeynep-tufekci/wikileaks-erdogan-emails_b_11158792.html>

*WikiLeaks uploads 300+ pieces of malware among email dumps*

<http://www.theregister.co.uk/Author/2823>

WikiLeaks is hosting 324 confirmed instances of malware among its caches of dumped emails, a top Bulgarian anti-malware veteran says. Random checks of reported malware hashes find the trojans are flagged as malware by Virus Total's static analysis checks. Much of the malware appears to be attachments emailed by black hats in a bid to compromise the various parties affected in the WikiLeaks dumps.

Dr Vesselin Bontchev says the instances of malware are only those confirmed and found in an initial search effort. Dr Bontchev, an antivirus researcher of nearly 30 years and founder of the National Laboratory of Computer Virology in Bulgaria, said there were "no doubts" that the malware hosted on WikiLeaks was indeed malware. "The list is by no means exhaustive; I am just starting with the analysis," Bontchev says. "But what is listed below is definitely malware; no doubts about it." <https://github.com/bontchev/wlscrape/blob/master/malware.md>

The document dumpster uploads attachments for the emails it releases but offers no warning about the security implications of downloading macro-enabled documents, executables, and other potentially malicious files.

A feasibly simple antivirus check would have cleared a lot if not all of the attachment malware given the huge 80 to 100 percent hit rate Virus Total returned when testing files selected randomly from Dr Bontchev's list.

Re: Police try to arrest robot

Martin Ward <martin@gkc.org.uk>

Fri, 23 Sep 2016 10:40:58 +0100

This one didn't pass my "smell test". The Mirror has been known to publish faked news reports in the past (google Harambe McHarambeface)

Given that the previous "escapes" of the robot have been debunked: http://bgr.com/2016/06/17/robot-run-fake-promobot-escape/ this one seems unlikely to be genuine.

Dr Martin Ward, STRL Principal Lecturer & Reader in Software Engineering
martin@gkc.org.uk
http://www.cse.dmu.ac.uk/~mward/

[Then there's the old story about the person who was moving a disk unit from one part of a building at NSA to another section in which there was a downward-sloping passage across a security barrier that was protected by a guard trained to shoot anyone who crossed without appropriate credentials. According to the legend, apocryphal or otherwise, the heavy disk unit got away from its mover, and the guard shot it. PGN]

Re: The risks of getting your email address wrong

John Levine <johnl@iecc.com>

23 Sep 2016 02:40:30 -0000

Ha, ha. If you knew my name and guessed what my Gmail address is, you would guess right. But my name is quite common, and a lot of other people with names similar to mine wrongly think that my address is their address. A very persistent John Levine is a doctor about whom I know quite a lot, including at which hospitals he bids for shifts. I've also gotten

The normal approach for verifying an e-mail address is to send a message to it with a "click here if that was you who signed up" and (too often missing) "click there if it wasn't you". But a lot of marketers apparently think that's too hard, and why would someone give us the wrong address? I've heard truly bizarro stories of a person who was getting someone else's bank statements, and when he called the bank to tell them, they wouldn't talk to him since, of course, he wasn't the person whose statements they were sending to him.

Re: Microsoft dismisses Exchange vulnerability report

Bill Stewart <billstewart@pobox.com>

Fri, 23 Sep 2016 09:44:34 -0700

One partial mitigation to the vulnerability is to maintain separate webservers for your domain.com inside and outside your corporate firewall, so that if employees' Exchange clients do try to reach http(s)://domain.com/ before checking mailserver.domain.com, they'll get your inside one, which is presumably less vulnerable than your outside one. This also requires split DNS servers or similar firewall settings.

Re: PC without OS

Martin Ward <martin@gkc.org.uk>

Fri, 23 Sep 2016 15:35:28 +0100

On 17/09/16 19:58, Dimitri Maziuk wrote:
>> So, consumers are unable to buy a PC from a major manufacturer
>> without paying the "Microsoft Tax": whether they want to or not.
>
> No, the monopoly OS supplier can pay PC makers to include a copy of
> Windows with every PC they are selling *for $500*. Nobody's stopping
> them from selling barebones PCs *for $1000*.

Things that are perfectly reasonable for a company to do when there is ample competition become exploitation when the company has a monopoly. For example, EpiPens which cost $1 to make are sold for $608 because they can save lives and there is no competition.

Goldman Sachs made billions from speculating in food prices, while 200 million people starved, by creating a partial monopoly:

http://www.independent.co.uk/voices/commentators/johann-hari/johann-hari-how-goldman-gambled-on-starvation-2016088.html
https://www.theguardian.com/global-development/2011/jan/23/food-speculation-banks-hunger-poverty

Because they are a monopoly, Microsoft can sell Windows at a greatly inflated price and then offer big discounts to major PC suppliers: provided they buy a copy of Windows for every PC they sell, and follow Microsoft's every whim. They wield enormous power over suppliers (and governments).

When the first "netbooks" came out, they were not powerful enough to run Windows. Microsoft grudgingly allowed suppliers to sell them with Linux installed. Many people began to realise that Linux on a cheap netbook could do everything they needed: with a cheaper laptop and a longer battery life. Microsoft soon put a stop to that!

Re: PC without OS

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>

Fri, 23 Sep 2016 09:58:42 -0500

> Things that are perfectly reasonable for a company to do when there
> is ample competition become exploitation when the company has
> a monopoly.

They're not sued for being a monopoly. There are anti-trust laws for that.

The ruling is that a business entity is not required to disclose the details of a deal it made with another business entity to anyone who bothers to ask. Obviously, you can't rule otherwise and have free market capitalism at the same time.

There should be a special name for unstated middle that is also blatantly untrue.

[PS for PGN: my apologies for getting you dragged into this: my original comment was about "Internet journalism" where the catchy headline "Consumers have no right to buy a PC without an OS, European court rules" and has no relation to the actual court ruling being reported on. It has nothing to do with Evil Capitalism bashing. Sorry about feeding that. DM]

[DM, thanks! Your initial message seemed worthy for RISKS, and I try not to blow the relevance whistle too often on successive messages, but I do try to excise ensuing discourse when it wanders too far afield. PGN]