RISKS Digest 28.92

Wednesday 26 August 2015

Air Traffic Ctlr directs pilot to.. nonexistent runway

danny burstein <dannyb@panix.com>

Date: Tue, 25 Aug 2015 07:42:12 -0400 (EDT)

Folk in the NYC area, especially commuters from Long Island, may remember a plane that crash landed on Long Island Railroad tracks earlier this month.

[NTSB]

[Private plane having engine trouble.. ATC giving him directions...]

The controller then provided information on "Bethpage strip" and informed the pilot that the airport was closed; however, there was a runway there. ....

An examination of the area of the former Bethpage Airport revealed that industrial buildings occupied the former runway surface area. The accident site was located about 0.25 nm northwest of the *former* runway's approach end.

rest: http://www.ntsb.gov/_layouts/ntsb.aviation/brief.aspx?ev_id=150816X95657&key=1

FTC can sue for non-encryption?

Ars Technica via HB <hbaker1@pipeline.com>

Date: Tue, 25 Aug 2015 09:21:22 -0700

FYI—I guess this means that encryption is now mandatory?

"Wyndham allowed its partner hotels to store credit card information in plain text"

'The FTC argued that "taken together, [Wyndham] unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft."'

"the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information."

http://arstechnica.com/tech-policy/2015/08/ftc-can-sue-companies-with-poor-information-security-appeals-court-says/

FTC can sue companies with poor information security, appeals court says

Court says Wyndham hotels practices could be considered `unfair' and `deceptive'.

Megan Geuss - Aug 24, 2015 9:47 pm UTC

On Monday, a federal appeals court ruled that the Federal Trade Commission (FTC) has the power to take action (PDF) against companies that employ poor IT security practices. The ruling, from the United States Court of Appeals for the Third Circuit, came as part of a lawsuit between the FTC and Wyndham Worldwide Corporation, which manages a collection of hotels throughout the US.

http://cdn.arstechnica.net/wp-content/uploads/2015/08/Wyndham-opinion-1.pdf

In 2008 and 2009, Wyndham suffered three different breaches of its network, ultimately losing payment card information for more than 619,000 customers and causing $10.6 million in loss due to fraud. The FTC sued Wyndham in 2012 for failing to protect its customers from hackers, and Wyndham countered by saying that it was a victim of the hack itself and should not be penalized by the FTC for the breach.

Should Cops Be Allowed to Take Control of Self-Driving Cars?

Slate via LW <lauren@vortex.com>

Date: Wed, 26 Aug 2015 08:05:06 -0700

http://www.slate.com/blogs/future_tense/2015/08/24/rand_report_self_driving_cars_could_give_police_new_powers.html

What's less clear is where to draw the line. If a police officer can command a self-driving car to pull over for his own safety and that of others on the road, can he do the same if he suspects the passenger of a crime? And what if the passenger doesn't want the car to stop--can she override the command, or does the police officer have ultimate control?

I've been saying for ages that governments will demand access to sensor data and the ability to control these vehicles, both individually and en masse. They'll be able to effectively close down a city, lock your doors and drive you direct to the police station, and more. Don't believe it? It's inevitable if autonomous cars go mainstream.

Car information security is a complete wreck

Cory Doctorow via HB <hbaker1@pipeline.com>

Date: Mon, 24 Aug 2015 08:16:07 -0700

FYI—Obviously, the head-in-the-sand (or some other orifice) approach isn't working...

"There is a sociopathic economic rationality to silencing researchers who come forward with bugs."

"GM... says that your car is a copyrighted work and that researching its bugs is a felony form of piracy."

"Volkswagen sued security researchers ... over disclosure of major bugs in VW's keyless entry system."

Cory Doctorow, BoingBoing, 23 Aug 2015
Car information security is a complete wreck—here's why
https://boingboing.net/2015/08/23/car-information-security-is-a.html

Your Car Network == CAN of Worms

Sean Gallagher via HB <hbaker1@pipeline.com>

Date: Mon, 24 Aug 2015 09:03:06 -0700

FYI—It's time for Dan to host a "Top Geer" TV show...

Those '50's cars in Cuba are looking more attractive all the time!

"Not all of the vehicles that might be vulnerable ... can be patched easily."

"car companies have even sued researchers to shut them up"

"the network effect of a vulnerable remote connection to a vehicle increases the odds that something can be hacked"

"start sending CAN bus signals to your engine controller and theoretically make your engine explode"

"the [OBD II] port allows devices to jack directly into the CAN bus"

"CAN is a multi-master bus, and thus any device with a CAN transceiver is able to send messages as well as receive"

"transmit access to the CAN bus is frequently sufficient to obtain arbitrary control over all key vehicular systems (including throttle and brakes)"

"updates can't fix ... problems that may be in systems that can't be remote updated, or updated at all."

"Automakers essentially hope that by deterring security researchers from investigating their systems, they can keep potential vulnerabilities hidden."

Sean Gallagher, Ars Technica, 23 Aug 2015
Highway to hack: Why we're just at the beginning of the auto-hacking era
http://arstechnica.com/security/2015/08/highway-to-hack-why-were-just-at-the-beginning-of-the-auto-hacking-era/

A slew of recently revealed exploits show gaps in carmakers' security fit and finish.

Sean Gallagher's long, comprehensive article on the state of automotive infosec is a must-read for people struggling to make sense of the summer's season of showstopper exploits for car automation, culminating in a share-price-shredding 1.4M unit recall from Chrysler, whose cars could be steered and braked by attackers over the Internet.

All complex systems have bugs. Even well-audited systems have bugs lurking in them (cough openssl cough). Mission-critical systems whose failings can be weaponized by attackers to wreak incredible mischief are deeply, widely studied, meaning that the bugs in the stuff you depend on are likely being discovered by people who want to hurt you, right now, and turned into weapons that can be used against you. Yes, you, personally, Ms/Mr Nothing To Hide, because you might be the target of opportunity that the attacker's broad scan of IP addresses hit on first, and the software your attacker wrote is interested in pwning everything, regardless of who owns it.

The only defense is to have those bugs discovered by people who want to help you, and who then report them to manufacturers. But manufacturers often view bugs that aren't publicly understood as unimportant, because it costs something to patch those bugs, and nothing to ignore them, even if those bugs are exploited by bad guys, because the bad guys are going to do everything they can to keep the exploit secret so they can milk it for as long as possible, meaning that even if your car is crashed (or bank account is drained) by someone exploiting a bug that the manufacturer has been informed about, you may never know about it. There is a sociopathic economic rationality to silencing researchers who come forward with bugs.

In the computer world, the manufacturers have largely figured out that threatening researchers just makes their claims more widely known (the big exceptions are Oracle and Cisco, but everyone knows they're shitty companies run by assholes).

The car industry is nearly entirely run by Oracle-grade assholes. GM, for example, says that your car is a copyrighted work and that researching its bugs is a felony form of piracy. Chrysler was repeatedly informed about its showstopper, 1.4M-car-recalling bug, and did nothing about it until it was front-page news. Volkswagen sued security researchers and technical organizations over disclosure of major bugs in VW's keyless entry system. Ford claims that its cars are designed with security in mind, so we don't have to worry our pretty little heads about them (because openssl was not designed with security in mind?).

None of this stops bad guys from learning about the bugs in these systems -- it just stops you, the poor sucker behind the wheel, making payments on a remote-controllable deathmobile, from learning about them.

Tesla, at least, has a bug-bounty program and a commitment to transparency. But the bugs that researchers found are pretty heinous and difficult to comprehensively mitigate.

Gallagher's article explains in eye-watering detail the dumb technological decisions the car-makers made that got us into this mess, but more importantly (and less prominently), the culture of the car-makers that has allowed this situation to come to pass. Even if the technological boondoggles can be fixed, we're still in a lot of trouble unless we can sort out their culture. [...]

Twitter's Right to Be Forgotten Move

Paul Alan Levy via Dave Farber <plevy@citizen.org>

Date: August 24, 2015 at 2:43:56 PM EDT

Twitter's recent decision to cut off API access to a site that memorializes tweets from politicians, and that refused to bar access to such tweets after a political figure decides to hide a given tweet, presents an unusual twist on the right to be forgotten. Twitter's position is apparently that it is protecting its users' right to have their own inconvenient past statements *forgotten*.

http://venturebeat.com/2015/08/24/twitter-shutters-service-that-saved-politicians-deleted-tweets/

Paul Alan Levy, Public Citizen Litigation Group, 1600 20th Street, NW, Washington, D.C. 20009, (202) 588-7725, http://www.citizen.org/Page.aspx?pid=96

Henry Baker <hbaker1@pipeline.com>

Date: Mon, 24 Aug 2015 07:56:43 -0700

FYI—If you believe in representative democracy and the First Amendment, the right for politicians' words to be forgotten is the ultimate poison pill.

It remains to be seen why Twitter would shut down a service that preserves politicians' embarrassing tweets, but if the reason was to ingratiate Twitter with said politicians, then Twitter should lose all of its Fourth Estate privileges.

It's time to incorporate tweets into a Bitcoin-style blockchain so that it will be impossible to delete them.

https://en.wikipedia.org/wiki/Fourth_Estate

- - - -

Open State Foundation promotes digital transparency by unlocking open data and stimulates the development of innovative and creative applications. http://www.openstate.eu/2015/08/twitter-cuts-off-diplotwoops-and-politwoops-in-all-remaining-30-countries/

Danziger Bridge prosecutors' misconduct, anonymous comments unmasked; convictions overturned

Henry Baker <hbaker1@pipeline.com>

Date: Tue, 25 Aug 2015 12:18:25 -0700

This case troubles me for many reasons. The police officers were wrong. The prosecutors were wrong. Yet *no one* will remain in jail.

I'm sure that this case will be used as an excuse to eliminate anonymous postings on the Internet, but this would be the equivalent to removing everyone's right to drive due to the bad behavior of a few drivers.

Furthermore, the apparently voluminous nature of the anonymous postings from prosecutors makes one wonder about the volume of leaks to reporters from "knowledgeable sources"—i.e., prosecutors—in many/most other cases. There seems to be a systematic perversion of the right to a fair trial by unethical prosecutors.

From the Appeals Court ruling:

http://www.ca5.uscourts.gov/opinions/pub/13/13-31078-CR0.pdf

'That three supervisory-level prosecutors committed misconduct in connection with the Danziger Bridge prosecution is beyond dispute. Perricone's comments spanned the entire prosecution and went directly to the guilt of the defendants, the collective guilt of NOPD, and the relative competence and integrity of defense counsel versus the USAO. Dobinski's comments stirred the pot by encouraging commenters who were plainly familiar with the trial proceedings, one of whom was Perricone, to keep doing a `public service' with their biased reports. Mann's comments, posted during post-trial sentencing proceedings, displayed partiality toward the prosecution and denigrated the district court and defense counsel in another Danziger Bridge case.'

'The government acknowledges significant, repeated misconduct by Perricone and Jan Mann and, to a lesser extent, Dobinski. [...]

Recursive UnJournalism; RTBF Story is Forgotten

Mike Masnick via HB <hbaker1@pipeline.com>

Date: Tue, 25 Aug 2015 12:43:09 -0700

FYI—"Should auld acquaintance be forgot, and never brought to mind?"

Remember the hacker's dictionary entry: "Recursion. See recursion." The Right-To-Be-Forgotten (RTBF) is now being abused to take down stories about RTBF itself.

Remember the old joke about how to stop a robot: yell "Control-C". Well, the new joke about RTBF is to yell "Control-Z" (undo on Windoze).

One of the comments on this TechDirt story: "Recursive Journalism: TechDirt should prepare a recursive strategy for these cases. Nest the prior story inside a new one with an iterative counter. Repeat until it's turtles all the way down."

https://www.techdirt.com/articles/20150824/13495432050/google-disappears-techdirt-article-about-right-to-be-forgotten-due-to-right-to-be-forgotten-request.shtml

Google Disappears TechDirt Article About Right To Be Forgotten Due To Right To Be Forgotten Request

Mike Masnick, TechDirt, 25 Aug 2015

Well, well. Just a few days ago, we wrote about the fact that Google was being asked to "forget" articles about the right to be forgotten, under new right to be forgotten requests... and suddenly we've been notified that a Techdirt article about the right to be forgotten has been similarly stuffed down the memory hole*. The article in question is our story from last fall about *The NY Times* writing about the right to be forgotten requests that resulted in *NY Times* articles disappearing from some searches. The *NYT* detailed what each story was about and it wasn't too difficult to figure out who was likely trying to make sure the articles were no longer linked to their names.

It would appear that one of those individuals similarly has sent in this request—but that's completely bogus, as we'll explain in a moment. First up, the notice:

Due to a request under data protection law in Europe, we are no longer able to show one or more pages from your site in our search results in response to some search queries for names or other personal identifiers. Only results on European versions of Google are affected. No action is required from you. [...] [Very long message truncated for RISKS. PGN]

Virtualization doubles the cost of security breach

Maria Korolov <genew@telus.net>

Date: Tue, 25 Aug 2015 14:06:38 -0700

Maria Korolov, InfoWorld (CSO), 24 Aug 2015
When a security incident involves virtual machines, the recovery costs double compared to that of a traditional environment.
http://www.infoworld.com/article/2975001/security/virtualization-doubles-the-cost-of-security-breach.html

DEFCON23: Mass /Virtual/ Murder

Chris Rock via HB <hbaker1@pipeline.com>

Date: Tue, 25 Aug 2015 18:58:37 -0700

FYI—For example, using the hacked OPM database and the techniques in this DEFCON talk, one could (virtually) "kill" all 22 million people in the OPM database—or at any rate, get an official death certificate issued for each and every one of them. The appropriate web sites even have an "upload bulk death registration" button for your convenience.

Slides:

https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/Speaker%20&%20Workshop%20Materials/Chris%20Rock/DEFCON-23-Chris-Rock-I-Will-Kill-You-How-to-Get-Away-with-Mu.pdf

Book:

http://www.amazon.com/Baby-Harvest-terrorist-criminal-laundering/dp/1515014576/

Video:

https://www.youtube.com/watch?v

ATT hotspots injecting ads by tampering with HTTP

Jonathan Mayer <hbaker1@pipeline.com>

Date: Tue, 25 Aug 2015 17:22:33 -0700

FYI—Yet another reason to convert *everything* to HTTPS...

http://webpolicy.org/2015/08/25/att-hotspots-now-with-advertising-injection/

Jonathan Mayer (CS+Lawyer, Stanford), Web Policy, August 25, 2015

While traveling through Dulles Airport last week, I noticed an Internet oddity. The nearby AT&T hotspot was fairly fast—that was a pleasant surprise.

But the web had sprouted ads. Lots of them, in places they didn't belong. [...]

Win10 stops piracy & privacy, so why should I care?

Henry Baker <hbaker1@pipeline.com>

Date: Mon, 24 Aug 2015 12:39:02 -0700

FYI—"*misunderstanding* around Microsoft's Services Agreement" ?? Perhaps Microsoft is *misunderestimating* the negative response to all of Win10's snooping. HB [Multiple sources follow, somewhat PGN-ed]

The ordinary man-in-the-street would consider Win10's banishment from pirate sites to be a good thing, but the problem is that *any technology powerful enough to stop piracy is also powerful enough to destroy free speech and democracy*.

Microsoft Wants to Block Pirated Content? Pirate Sites Ban Windows 10 Instead
http://news.softpedia.com/news/microsoft-wants-to-block-pirated-content-pirate-sites-ban-windows-10-instead-489827.shtml

iTS torrent tracker admins ban Windows 10 users, BB and FSC administrators thinking of doing the same

The misunderstanding [?] around Microsoft's Services Agreement is starting to trickle into the ordinary life of regular Internet users, with scared torrent tracker admins banning or thinking of banning Windows 10 users from their sites.

We aren't talking about The Pirate Bay, Kickass Torrents, RARBG, or ExtraTorrent here, but the small scene trackers—which are so private that it takes 30 minutes of googling just to find what the site acronym stands for, what their URL is, and what the correct sign-up procedure is.

These trackers, along with the release scene, are where most pirated materials first get posted and spread online, and where privacy, security, and anonymity are very crucial factors, helping protect the identity of the people spreading the pirated material online.

If you've been away from your computer this past week, you've probably missed all the talk about Microsoft's new Windows 10 update procedures which, coupled with the company's Services Agreement could allow it to block pirated material and unauthorized hardware.

http://news.softpedia.com/news/microsoft-explains-why-it-might-block-pirated-games-on-your-windows-10-pc-489780.shtml

While the waters are still murky around this issue, with Microsoft staying silent around the topic, and with not a single complaint from one Windows 10 user screaming that he had his downloaded torrents wiped from his hard drive, some pirate tracker admins are already taking some steps to protect themselves, just in case.

iTS admins block users with Windows 10 from their tracker

The first ones to hit the alarm button were the iTS admins, which have started redirecting all Windows 10 users accessing their site to a YouTube video called: Windows 10 is a Tool to Spy on Everything You Do.

https://www.youtube.com/watch?v=DY_FWpr8BX8

Additionally, a statement was sent out to users, which you can also read below:

https://www.reddit.com/r/trackers/comments/3hhtgy/its_bans_users_using_windows_10/

"Hey there shadows! Many of you might have heard or read about the terrible privacy policy of windows 10 recently. Unfortunately Microsoft decided to revoke any kind of data protection and submit whatever they can gather to not only themselves but also others. One of those is one of the largest anti-piracy company called MarkMonitor.

"Amongst other things windows 10 sends the contents of your local disks directly to one of their servers. Obviously this goes way too far and is a serious threat to sites like ours which is why we had to take measures. Since last Thursday Windows 10 is officially banned from iTS. Members using it get redirected to a video that explains the dangers quite in detail hoping to enlighten as many people as possible."

"Perhaps at some point special versions of Windows 10 will surface that would successfully wipe all those outrageous privacy violations but until then Windows 10 is not welcome here in the interest of this site and all iTS members." [...]

https://torrentfreak.com/torrent-trackers-ban-windows-10-over-privacy-concerns-150822/

"As we all know, Microsoft recently released Windows 10. You as a member should know, that we as a site are thinking about banning the OS from FSC," said one of the FSC staff.

Likewise, in a message to their users, a BB admin said something similar, "We have also found [Windows 10] will be gathering information on users' P2P use to be shared with anti piracy group."

The anti-piracy group the pirate site admins are referring to is MarkMonitor, a US company that specializes in online corporate identity protection, one that is known to have worked with the MPAA in protecting its copyrighted materials, but one that has also worked with Microsoft in the past, to protect Windows users from online identity theft and scam campaigns.

The reaction of everyone involved is very similar to the Y2K debacle, and judging that Microsoft has worked with MarkMonitor in previous versions of Windows should tell you that the pirate site admins are overreacting a bit.

We certainly don't believe Microsoft is going to commit reputational suicide by messing with user files, be they pirated or not. Let's not forget Windows 10 is an operating system, not our parents, and there's always Linux or Mac around the corner.

Crypto is hard ...

Rogier Wolff <wolff@bitwizard.nl>

Date: Wed, 26 Aug 2015 10:41:16 +0200

In response to: Re: Intel to customers: We listen to you... All The Time! (Maziuk)

Henry Baker pointed us towards: https://www.springer.com/cda/content/document/cda_downloaddocument/9781893115729-c1.pdf

which says:

> One such variant is 3DES, which will increase the effective key
> length to 112 bits or 168 bits, depending on how it's implemented.

strongly implying that the "work factor" explained a few lines up would be 2^168 for the 168 bit key length.

Wouldn't it be nice to know something about cryptography before writing about it? No matter how many keybits (112/168) you throw at 3-DES, I understand that there is a "meet in the middle" attack that always restricts the amount of work to break it to about 2^112.

So 3-DES with more than 112 key bits only serves to instill a false sense of security in those who don't know the details.

Moore's law implies we can break 10 more bits every 2 decades. If you want to keep a secret for a century (or don't want to be forced to change your encryption system (*)), you need a "margin" of at least 5*10 = 50 bits. Assuming 60 bits is broken today in 2015, 3DES will expire in 2115, even if you use 168 bits.

(*) Of course the /system/ can be broken in that period. But if you design a margin of say only 20 bits, you can be SURE that you have to change the encryption scheme in a few decades.

R.E.Wolff@BitWizard.nl http://www.BitWizard.nl/ +31-15-2600998 Delftechpark 26 2628 XH Delft, The Netherlands. KVK: 27239233
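The meet-in-the-middle argument in the post above, as an added worked example that is not from Wolff's message or from the linked Springer chapter. The cipher below is a constructed 16-bit toy with 8-bit keys (not DES; it has no security value and is sized so the entire key space can be searched in seconds). What it demonstrates is generic: two layers of an n-bit-key cipher fall to known plaintext with about 2 * 2^n cipher calls and a table, not 2^(2n), which is why stacking key bits does not buy the security the key length suggests. The block also counts cipher invocations for both the naive search and the meet-in-the-middle, handles the false candidates that a short block produces, and computes the asymptotic meet-in-the-middle work for any number of layers (3 x 56 bits gives the 2^112 figure from the post). Key values, plaintexts and cipher constants are all constructed for the example.

```python
from functools import lru_cache
import math

MASK16 = 0xFFFF
KEY_BITS = 8                  # toy key size (constructed for the example)
KEYSPACE = 1 << KEY_BITS
ROUNDS = 4
MUL = 0x6F35                  # odd, hence invertible modulo 2^16
MUL_INV = pow(MUL, -1, 1 << 16)
CIPHER_CALLS = [0]            # counts single-cipher invocations (the "work")


def _rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK16


def _rotr16(x, n):
    return ((x >> n) | (x << (16 - n))) & MASK16


@lru_cache(maxsize=None)
def _subkeys(key):
    # Low byte of subkey 0 is (key * 0x37) mod 256, a bijection on 8-bit
    # keys, so distinct keys always get distinct round-key schedules.
    return tuple(((key * 0x9E37 + r * 0x1357) ^ (key << 8)) & MASK16
                 for r in range(ROUNDS))


def toy_encrypt(block, key):
    """One cipher layer: xor subkey, rotate, multiply, add; ROUNDS times."""
    CIPHER_CALLS[0] += 1
    x = block & MASK16
    for k in _subkeys(key):
        x ^= k
        x = _rotl16(x, 3)
        x = (x * MUL) & MASK16
        x = (x + 0x1234) & MASK16
    return x


def toy_decrypt(block, key):
    """Exact inverse of toy_encrypt: rounds and steps undone in reverse."""
    CIPHER_CALLS[0] += 1
    x = block & MASK16
    for k in reversed(_subkeys(key)):
        x = (x - 0x1234) & MASK16
        x = (x * MUL_INV) & MASK16
        x = _rotr16(x, 3)
        x ^= k
    return x


def double_encrypt(block, k1, k2):
    """The doubled construction E_k2(E_k1(m)), nominally a 16-bit key."""
    return toy_encrypt(toy_encrypt(block, k1), k2)


def known_pairs(k1, k2, plaintexts=(0x1234, 0xBEEF, 0xCAFE, 0x0F0F)):
    """Constructed known-plaintext material the analyst works from."""
    return [(p, double_encrypt(p, k1, k2)) for p in plaintexts]


def meet_in_the_middle(pairs):
    """Recover (k1, k2) with about 2 * KEYSPACE cipher calls plus a table.

    Encrypt p0 under every k1 (table), decrypt c0 under every k2, and match
    in the middle. Because the block is only 16 bits, the first pair leaves
    a few false candidates; the remaining pairs weed them out.
    """
    start = CIPHER_CALLS[0]
    p0, c0 = pairs[0]
    forward = {}
    for k1 in range(KEYSPACE):
        forward.setdefault(toy_encrypt(p0, k1), []).append(k1)
    candidates = [(k1, k2) for k2 in range(KEYSPACE)
                  for k1 in forward.get(toy_decrypt(c0, k2), ())]
    survivors = [kp for kp in candidates
                 if all(double_encrypt(p, *kp) == c for p, c in pairs[1:])]
    return survivors, CIPHER_CALLS[0] - start


def brute_force(pairs):
    """The naive KEYSPACE^2 search, for comparison of the work counter."""
    start = CIPHER_CALLS[0]
    survivors = [(k1, k2) for k1 in range(KEYSPACE) for k2 in range(KEYSPACE)
                 if all(double_encrypt(p, k1, k2) == c for p, c in pairs)]
    return survivors, CIPHER_CALLS[0] - start


def mitm_work_bits(key_bits, layers):
    """log2 of meet-in-the-middle work for `layers` independent keys.

    The layers split into two halves; work is 2^(bits*ceil) + 2^(bits*floor).
    Three 56-bit keys give about 2^112, two give about 2^57.
    """
    big, small = math.ceil(layers / 2), layers // 2
    return round(math.log2((1 << (key_bits * big)) + (1 << (key_bits * small))))


if __name__ == "__main__":
    pairs = known_pairs(0x3A, 0xC5)              # constructed secret keys
    keys, work = meet_in_the_middle(pairs)
    print("meet-in-the-middle:", keys, "cipher calls:", work)
    keys, work = brute_force(pairs)
    print("brute force:       ", keys, "cipher calls:", work)
    print("3 x 56-bit keys, MITM work: 2^%d" % mitm_work_bits(56, 3))
```

The table costs memory proportional to the key space, which is the real-world trade: for 3DES with three independent 56-bit keys the two halves are 2^112 and 2^56, so the 168-bit key buys 112 bits of work, exactly as the post says.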

Re: Failing light rail safety system

David Alexander <davidalexander440@btinternet.com>

Date: Sat, 22 Aug 2015 17:41:25 +0000 (UTC)

I noted Geof Kuenning's post about low level hardware controllers to prevent an 'all green' event on traffic lights with a failsafe mode.

In a previous job we did some vulnerability research in a lab on a system made by a European manufacturer that controlled traffic lights. By using ladder logic analysis we worked out which memory locations to alter in order to set all the lights to green or red. It worked. Either they don't have that kind of fail-safe controller or we defeated even that.

Regards, David Alexander, England

Re: gmail policy on BCCs, related to Mass. pot dispensary

Steve Peterson <steve@stevepeterson.com>

Date: Fri, 21 Aug 2015 17:24:49 -0500

About a year ago I switched to a paid outgoing SMTP service (US$45/year) with better spam prevention logic. Worth every cent.

Re: Ad Blockers and the Nuisance at the Heart of the Modern Web

David Alexander <davidalexander440@btinternet.com>

Date: Sat, 22 Aug 2015 17:49:20 +0000 (UTC)

In the post by Monty Solomon on the developments by PageFair, they seem to have forgotten the basics of human nature. I have been using AdBlock and Ghostery for years and love the freedom they give me from intrusive adverts that annoy me and from <expletive deleted> that I don't want cluttering up my web pages and trying to track my activity. I appreciate that some North American readers may find the concept of privacy a bit 'quaint' but in Europe we guard it as closely and value it as fiercely as many Americans do the right to bear arms.

If PageFair think that I am going to be receptive to advertising that finds a way round the blocking features I use then they have another think coming. I am going to be actively hostile towards the companies supplying the technology and those using it to advertise. They run the risk of alienating their potential customers and losing market share, not gaining it.

If I have to choose between receiving adverts and there being a lot less web content available, I'll take less web content every time.

Re: ATM security risk: nonfinalization

Alister Wm Macintyre <macwheel99@wowway.com>

Date: Sun, 23 Aug 2015 11:22:48 -0500

[Jeremy Epstein said, My bank's ATMs have this same "feature", but clicking "yes" just avoids reswiping the card. You still have to re-enter the PIN.]

I have used the YES to do more transactions, without having to do the PIN# again. It has been a while since I last tried that, maybe they changed it since.

[John Levine said, My bank does that, but demands that I re-enter my PIN if I pick YES for another transaction. Perhaps they're not quite as dumb as they seem.]

I have occasionally used the YES NO screen at the end of one of my transactions, to do another one. I did not have to enter my PIN # for the later transaction.

Usually the customer in front of me is in another personal auto. The last time, it was a vehicle of a major company. If that was not his personal account, there might be a lot in there. My bank limits what can be withdrawn via ATM in a day, to a few hundred $, or at least they used to.

Re: ATM security risk: nonfinalization

Geoff Kuenning <geoff@cs.hmc.edu>

Date: Sat, 22 Aug 2015 06:27:16 -0700

So: hang back and use binoculars. Pull on a ski mask and walk or drive up (having covered the license plate). Grab money.

That sounds pretty foolproof to me. However, you'd better do it soon because customers will start catching on.

(And my own (big) banks have had the multi-transaction capability for decades. So I'd have to suspect the RISK is small since there are relatively few latecomers to the technology.)

Geoff Kuenning geoff@cs.hmc.edu http://www.cs.hmc.edu/~geoff/