
RISKS Digest 28.31

Friday 24 October 2014

Audi Recalls 850,000 Cars Over Airbag Software Flaw

NYT via Monty Solomon <monty@roscom.com>

Date: Fri, 24 Oct 2014 06:30:53 -0400

The recall of the 2013-15 A4 model includes about 102,000 cars in the United States, and the company said it had no reports of related accidents.

http://www.nytimes.com/2014/10/24/business/audi-recalls-850000-cars-over-airbag-software-flaw.html

Feds examining medical devices for fatal cybersecurity flaws

David Kravets via Monty Solomon <monty@roscom.com>

Date: Fri, 24 Oct 2014 01:16:26 -0400

David Kravets, Ars Technica, 23 Oct 2014, They could be controlled remotely, overdose patients, or thwart heart implants.

http://arstechnica.com/tech-policy/2014/10/feds-examining-medical-devices-for-fatal-cybersecurity-flaws/

NOAA is having major weather satellite data feed issues

danny burstein <dannyb@panix.com>

Date: Wed, 22 Oct 2014 22:41:42 -0400 (EDT)

(I can't find a copy of their actual news release, so using this press story)

"Since Tuesday night, NESDIS, NOAA's satellite and information service, has been experiencing network issues, and has not received a full feed of satellite data for input, a critical component for the numerical models used to forecast the weather"

http://www.accuweather.com/en/weather-news/noaa-network-issue-may-impact/36161909

It took a *year* for them to fix the NOAA/AHR radio transmitter in NYC, and that only happened after a WSJ article...

Belkin routers around the globe unable to connect to the Internet

Myce <lauren@vortex.com>

Date: Tue, 7 Oct 2014 13:40:29 -0700

Myce via NNSquad http://www.myce.com/news/belkin-router-users-worldwide-unable-to-connect-to-the-internet-73019/

As a workaround, Belkin is suggesting that users change their routers' DNS settings to use Google DNS on 8.8.8.8 and 8.8.4.4:

https://statuspage-production.s3.amazonaws.com/static/belkin.html (interesting URL)

India probes identity card for monkey god Hanuman

BBC via Prashanth Mundkur <prashanth.mundkur@gmail.com>

Date: Thu, 23 Oct 2014 01:26:19 -0700

BBC, 12 September 2014 http://www.bbc.com/news/world-asia-india-29175870

Authorities in India are investigating how Hanuman, the monkey god, has been issued a biometric identity card. [...] It emerged when a postman attempted to deliver the card, but could not find a Hanuman at the address.

Machine Tasked with Getting Rid of Spam Could End Humanity

Elon Musk <mkrukg@gmail.com>

Date: Fri, 10 Oct 2014 13:21:55 -0600

http://www.vanityfair.com/online/daily/2014/10/elon-musk-artificial-intelligence-fear

The Exascale Revolution

Tiffany Trader <technews@hq.acm.org>

Date: Fri, 24 Oct 2014 12:11:58 -0400 (EDT)

Tiffany Trader, The Exascale Revolution, HPC Wire, 23 Oct 2014 (via ACM TechNews, Friday, October 24, 2014)

Experts are coming to a consensus that the shift from the petascale to the exascale supercomputing eras is going to be more challenging than many previously anticipated. At the recent Argonne National Laboratory Training Program in Extreme Scale Computing, Pete Beckman, director of Argonne's Exascale Technology and Computing Institute, highlighted some of the possible problems. One major concern is power and the costs associated with it. Although supercomputers have been getting more energy-efficient, Beckman uses the example of the most recent generations of IBM supercomputers to demonstrate a 5x trajectory of energy efficiency gains that would still have an exascale system requiring 64 megawatts of power, which could cost tens of millions of dollars a year. These cost concerns are prompting many countries to pursue exascale computing on an international scale, forming multinational partnerships to share the massive costs. The U.S. and Japan recently entered such an agreement, and Europe is looking to join them. However, China is proceeding on its own, largely on the strength of its own native technology. Beckman also addressed challenges relating to memory and resilience and the need to update software to be able to make use of exascale resources. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-cd87x2bdf9x068385&

Dangers of an IT monoculture

Robert L Wears <wears@ufl.edu>

Date: Fri, 24 Oct 2014 11:32:55 -0400

A recent paper in a medical journal raises concerns about the emergence of an IT 'monoculture' in healthcare. But, the paper misses IMHO the most significant risk of a monoculture—that it increases the magnitude of the inevitable failures. In agriculture and ecosystems, monocultures lead to the more rapid spread of pests and diseases, and are more vulnerable to catastrophic collapse, particularly when conditions change. In a heterogeneous population of EHRs, the occasional failure of any given system due to hidden bugs, vulnerabilities, hacking, or unexpected interactions with the conditions of use would create major problems for individual institutions or work systems (e.g., see RISKS-23.19, 23.81, 24.68, 25.45, 25.51, 26.25, 28.3) but its impact would be limited. However, if a large proportion of systems all contain the same vulnerability ... what could possibly go wrong? The original paper is available at: http://jamia.bmj.com/content/early/2014/10/23/amiajnl-2014-003023.abstract

Robert L Wears, University of Florida wears@ufl.edu 1-904-244-4405 (ass't) Imperial College London r.wears@imperial.ac.uk +44 (0)791 015 2219

IoT as a Hazard: Smart Meters prove vulnerable

Bob Gezelter <gezelter@rlgsc.com>

Date: Fri, 17 Oct 2014 09:46:10 -0700

It should not be surprising. While the Internet of Things (IoT) has great promise, widely-deployed, connected devices are an attractive target for all kinds of mischief. SecurityAffairs reports that Javier Vazquez Vidal and Alberto Garcia Illera explored smart power meters used in Spain. They found that they could be hacked, and exploited in a number of ways (e.g., transferring usage, reporting false data). The lack of integrity in such devices also raises the possibility that large numbers of compromised devices could be used to present a false picture to utility operators, compromising the operation of the utility's production and transmission facilities. A profoundly disturbing picture. Meters and other devices also represent a potential privacy hazard to the individual. The full article can be found at: http://securityaffairs.co/wordpress/29353/security/smart-meters-hacking.html

Bob Gezelter, http://www.rlgsc.com

Hackers' Attack Cracked 10 Financial Firms in Major Assault

NYT <monty@roscom.com>

Date: Sun, 5 Oct 2014 00:36:07 -0400

Matthew Goldstein, Nicole Perlroth and David E. Sanger, *The New York Times*, 3 Oct 2014

The huge cyberattack on JPMorgan Chase that touched more than 83 million households and businesses was one of the most serious computer intrusions into an American corporation. But it could have been much worse.

Questions over who the hackers are and the approach of their attack concern government and industry officials. Also troubling is that about nine other financial institutions - a number that has not been previously reported - were also infiltrated by the same group of overseas hackers, according to people briefed on the matter. The hackers are thought to be operating from Russia and appear to have at least loose connections with officials of the Russian government, the people briefed on the matter said. ... http://dealbook.nytimes.com/2014/10/03/hackers-attack-cracked-10-banks-in-major-assault/

Jessica Silver-Greenberg, Matthew Goldstein, Nicole Perlroth, NYT, 2 Oct 2014
JPMorgan Chase Hacking Affects 76 Million Households
Hackers' Attack Cracked 10 Financial Firms in Major Assault
http://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/

Ways to Protect Yourself After the JPMorgan Hacking
Tara Siegel Bernard, *The New York Times*, 3 Oct 2014
http://www.nytimes.com/2014/10/04/your-money/jpmorgan-chase-hack-ways-to-protect-yourself.html

Cyberattack on JPMorgan Raises Alarms at White House and on Wall Street

NYT <monty@roscom.com>

Date: Wed, 8 Oct 2014 19:55:48 -0400

Other financial institutions -- Citigroup, E*Trade Financial and HSBC -- found that one of the same web addresses used to penetrate JPMorgan had tried to get into their systems.

http://dealbook.nytimes.com/2014/10/08/cyberattack-on-jpmorgan-raises-alarms-at-white-house-and-on-wall-street/

The Unpatchable Malware That Infects USBs Is Now on the Loose

Andy Greenberg <monty@roscom.com>

Date: Sat, 4 Oct 2014 23:35:31 -0400

Andy Greenberg, *WiReD*, 2 Oct 2014

It's been just two months since researcher Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas, showing that it's possible to corrupt any USB device with insidious, undetectable malware. Given the severity of that security problem -- and the lack of any easy patch -- Nohl has held back on releasing the code he used to pull off the attack. But at least two of Nohl's fellow researchers aren't waiting any longer.

In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they've reverse engineered the same USB firmware as Nohl's SR Labs, reproducing some of Nohl's BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable. ...

http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/

ComputerCOP: dubious "Internet Safety Software" given to US families

Ars <lauren@vortex.com>

Date: Wed, 1 Oct 2014 08:32:48 -0700

Ars via NNSquad http://arstechnica.com/tech-policy/2014/10/computercop-the-dubious-internet-safety-software-given-to-families-nationwide/

Police chiefs, sheriffs, and district attorneys have handed out hundreds of thousands of copies of the disc to parents for free at schools, libraries, and community events, usually as a part of an "Internet Safety" outreach initiative. (You can see the long list of ComputerCOP outlets here.) The packaging typically features the agency's official seal and the chief's portrait, with a signed message warning of the "dark and dangerous off-ramps" of the Internet. As official as it looks, ComputerCOP is actually just spyware, generally bought in bulk from a New York company that appears to do nothing but market this software to local government agencies using shady information. The way ComputerCOP works is neither safe nor secure. It isn't particularly effective either, except for generating positive PR for the law enforcement agencies distributing it. As security software goes, we observed a product with a keystroke-capturing function, also called a "keylogger," that could place a family's personal information at extreme risk by transmitting those keystroke logs over the Internet to third-party servers without encryption. That means many versions of ComputerCOP leave children (and their parents, guests, friends, and anyone using the affected computer) exposed to the same predators, identity thieves, and bullies that police claim the software protects against. Furthermore, by providing a free keylogging program -- software that operates without even the most basic security safeguards -- law enforcement agencies are passing around what amounts to a spying tool that could easily be abused by people who want to snoop on spouses, roommates, or co-workers.

iOS 8.1 plugs security hole that made it easy to install emulators

Kyle Orland <monty@roscom.com>

Date: Thu, 9 Oct 2014 00:21:14 -0400

Kyle Orland, Ars Technica, 8 Oct 2014
"Date trick" workaround allowed for unapproved apps without jailbreaking.
http://arstechnica.com/gaming/2014/10/ios-8-1-plugs-security-hole-that-made-it-easy-to-install-emulators/

"Cisco, Oracle find dozens of their products affected by Shellshock"

Lucian Constantin <genew@telus.net>

Date: Thu, 02 Oct 2014 15:33:58 -0700

Lucian Constantin, Infoworld, 30 Sep 2014
Cisco, Oracle find dozens of their products affected by Shellshock
Cisco has identified 71 products vulnerable to Shellshock and Oracle 51, but the number is likely to increase
http://www.infoworld.com/article/2689356/security/cisco-oracle-find-dozens-of-their-products-affected-by-shellshock.html

"Mayhem malware spreads through Linux servers via Shellshock exploits"

Lucian Constantin <genew@telus.net>

Date: Tue, 14 Oct 2014 11:53:44 -0700

Lucian Constantin, Infoworld, 10 Oct 2014
The botnet targets Web servers that haven't been patched for recent vulnerabilities found in the Bash Linux shell
http://www.infoworld.com/article/2824494/security/mayhem-malware-spreads-through-linux-servers-via-shellshock-exploits.html

Bug in Bash shell creates big security hole on anything with *nix in it

Brett Mahar <brett@coiloptic.org>

Date: Wed, 1 Oct 2014 13:37:03 +1000

Not on OpenBSD: bash is not the shell, unless manually installed and configured to be. Also, all network-facing services are installed in chroot by default, so even if bash was made the default shell it would be inaccessible.

Samsung printer sniffers

David Lesher <wb8foz@panix.com>

Date: Oct 3, 2014 6:10 PM

I was planning on spec'ing a quantity of Samsung printers for a client. We bought a sample. The Mac driver installed OK, but the Windows one had a very disturbing message during installation: Samsung was going to sniff the printer's output, to {of course} better serve the customer. [I paraphrase slightly....]

Needless to say, I was far from pleased. I tried to disallow same during the installation, but got no confirmation that it happened.

{I can guess Samsung does not sell many printers to either Ft. Meade or Langley.}

I've tried to reach someone at Samsung's printer division but got nowhere; Support does not see it as their potato, and Sales's voicemail said they will call me Back Real Soon Now.

Twitter Sues U.S. Government Over Data Disclosure Rules

Monty Solomon <monty@roscom.com>

Date: Tue, 7 Oct 2014 18:12:58 -0400

The social media giant wants to loosen restrictions on what it is allowed to tell users about government information requests.

http://bits.blogs.nytimes.com/2014/10/07/twitter-sues-u-s-government-over-data-disclosure-rules/

Dozens of European ATMs rooted, allowing criminals to easily cash out

Robert Lemos <monty@roscom.com>

Date: Wed, 8 Oct 2014 09:00:58 -0400

Robert Lemos, Ars Technica, 7 Oct 2014
Criminals with physical access to ATMs install malware to control flow of money.

Criminals are installing fairly sophisticated malicious programs on banks' ATMs, allowing them to control access to the machines and easily steal cash, security firms Kaspersky and Interpol said in a joint statement released on Tuesday. ...

http://arstechnica.com/security/2014/10/dozens-of-european-atms-rooted-allowing-criminals-to-easily-cash-out/

Using new Corvette's valet-recording tech could be a felony in some states

Megan Geuss <monty@roscom.com>

Date: Wed, 8 Oct 2014 09:08:15 -0400

Megan Geuss, Ars Technica, 26 Sep 2014
GM is sending updated software to make Valet Mode less legally questionable.

http://arstechnica.com/tech-policy/2014/09/new-corvettes-valet-recording-tech-could-be-a-felony-in-12-states/

"The Dark Market for Personal Data"

Frank Pasquale <rotenberg@epic.org>

Date: Thu, 16 Oct 2014 21:00:43 -0400

Frank Pasquale, *The New York Times* op-ed, 16 Oct 2014 http://www.nytimes.com/2014/10/17/opinion/the-dark-market-for-personal-data.html

The reputation business is exploding. Having eroded privacy for decades, shady, poorly regulated data miners, brokers and resellers have now taken creepy classification to a whole new level. They have created lists of victims of sexual assault, and lists of people with sexually transmitted diseases. Lists of people who have Alzheimer's, dementia and AIDS. Lists of the impotent and the depressed.

There are lists of impulse buyers. Lists of suckers: gullible consumers who have shown that they are susceptible to vulnerability-based marketing. And lists of those deemed commercially undesirable because they live in or near trailer parks or nursing homes. Not to mention lists of people who have been accused of wrongdoing, even if they were not charged or convicted.

Typically sold at a few cents per name, the lists don't have to be particularly reliable to attract eager buyers—mostly marketers, but also, increasingly, financial institutions vetting customers to guard against fraud, and employers screening potential hires.

There are three problems with these lists. First, they are often inaccurate. For example, as The Washington Post reported, an Arkansas woman found her credit history and job prospects wrecked after she was mistakenly listed as a methamphetamine dealer. It took her years to clear her name and find a job.

Second, even when the information is accurate, many of the lists have no business being in the hands of retailers, bosses or banks. Having a medical condition, or having been a victim of a crime, is simply not relevant to most employment or credit decisions.

Third, people aren't told they are on these lists, so they have no opportunity to correct bad information. The Arkansas woman found out about the inaccurate report only when she was denied a job. She was one of the rare ones. [...]

Frank Pasquale, a professor of law at the University of Maryland, is the author of the forthcoming book, *The Black Box Society: The Secret Algorithms That Control Money and Information*.

"Patent trolls have one fewer legal loophole to hide behind"

Simon Phipps via Gene Wirchenko <genew@telus.net>

Date: Fri, 17 Oct 2014 14:33:51 -0700

It is nice to see the patent trolls having risks.

Simon Phipps, InfoWorld, 16 Oct 2014
With one subtle stroke, the Judicial Conference of the United States retires an old rule—and denies patent trolls a major weapon
http://www.infoworld.com/article/2834542/patents/rule-change-hits-trolls.html

The "he said, she said" of how the FBI found Silk Road's servers

Ars <monty@roscom.com>

Date: Fri, 3 Oct 2014 16:43:38 -0400

http://arstechnica.com/tech-policy/2014/10/the-he-said-she-said-of-how-the-fbi-found-silk-roads-servers/

New York City orders Bluetooth beacons in pay phones to come down

Ars <monty@roscom.com>

Date: Tue, 7 Oct 2014 10:28:58 -0400

http://arstechnica.com/tech-policy/2014/10/new-york-city-orders-bluetooth-beacons-in-pay-phones-to-come-down/

Seeing where the last taxi passenger went

Jeremy Epstein <jeremy.j.epstein@gmail.com>

Date: Sun, 12 Oct 2014 08:31:45 -0400

On a recent ride from Washington Dulles airport (IAD) to my home in the Virginia suburbs, the cab had an Android tablet mounted to the back of the front-seat passenger seat, running an app that allowed you to see the weather, driver information, etc. But the most interesting thing was that it allowed you to enter your destination in Google Maps, which is useful for drivers who may not know the area and/or whose English isn't the best.

A tool like this could be particularly useful if it allowed input in multiple languages—i.e., allow a Japanese visitor to enter their destination in Japanese; similarly if such a thing were in a taxi in Japan, it would be useful to allow an English-speaking visitor to enter their destination in English. [Perhaps such things already exist; I haven't seen one.]

However, the part that gave me slight pause was that in the destination field, I could see the most recent half dozen destinations that cab had gone, and there was no (obvious) way to clear destinations if I entered mine.

At one level, this isn't a big deal—if the cab had been on the street, then the most recent destination was presumably near where I got it. On the other hand, if the driver was being dispatched, the recent destinations might be places where the driver had recently picked up passengers, and hence likely empty homes.

One could also hypothesize interesting things one might learn—if one sees a politician getting out of a cab, one might be interested in where he/she was coming from - i.e., from a lobbyist's office or a secret lover's hideaway.

But all this depends on getting just the right timing - finding the right person coming out of the cab, and getting in before another passenger.

Overall, I think the risk is low, but it might be surprising to taxi customers that a future customer can find out where they went.

JPMorgan Discovers Further Cyber Security Issues

Monty Solomon <monty@roscom.com>

Date: Thu, 2 Oct 2014 17:07:10 -0400

The nation's largest bank recently found that hackers had gained entry to some of its servers, say several people with knowledge of the investigation.

http://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/

7 million Dropbox username/password pairs apparently leaked

Ars <lauren@vortex.com>

Date: Mon, 13 Oct 2014 21:20:31 -0700

Ars via NNSquad

http://arstechnica.com/security/2014/10/7-million-dropbox-usernamepassword-pairs-apparently-leaked/

"Popular online locker service Dropbox appears to have been hacked. A series of posts have been made to Pastebin purporting to contain login credentials for hundreds of Dropbox accounts, with the poster claiming that altogether 6,937,081 account credentials have been compromised. Reddit users who have tested some of the leaked credentials have confirmed that at least some of them work. Dropbox seems to have bulk reset all the accounts listed in the Pastebin postings, though thus far other accounts do not appear to have had their passwords reset. The hackers claim that they will release more username/password pairs if they receive donations to their bitcoin address."

It's like damned "Groundhog Day" ...

LATER Update: Dropbox is saying that this is not a hack per se, but rather a cross-site shared password attack—which of course can still cause a lot of problems if you share your passwords between services and don't have 2-factor authentication enabled. [NNSquad]

Russia's Sandworm Hack Spying on Foreign Governments for Years

WiReD <lauren@vortex.com>

Date: Mon, 13 Oct 2014 21:27:35 -0700

Wired via NNSquad http://www.wired.com/2014/10/russian-sandworm-hack-isight/

"A cyberespionage campaign believed to be based in Russia has been targeting government leaders and institutions for nearly five years, according to researchers with iSight Partners who have examined code used in the attacks. The campaign, dubbed "Sandworm" is believed to have been running since 2009, and used a wide-reaching zero-day exploit uncovered by the researchers that affects nearly every version of the Windows operating system released since Windows Vista."

[Also noted by Bob Gezelter] http://www.isightpartners.com/2014/10/cve-2014-4114/

- Bob Gezelter, http://www.rlgsc.com

Google report on EU "right to be forgotten" requests

Lauren Weinstein <lauren@vortex.com>

Date: Fri, 10 Oct 2014 11:46:52 -0700

Google via NNSquad http://www.google.com/transparencyreport/removals/europeprivacy/

European privacy requests for search removals. // Total URLs that Google has evaluated for removal: 497,695 URLs // Total requests Google has received: 144,954 requests // 41.8% removal approval rate.

This POODLE bites: exploiting the SSL 3.0 fallback

Google <lauren@vortex.com>

Date: Tue, 14 Oct 2014 17:58:06 -0700

Google via NNSquad http://www.wired.com/2014/10/poodle-explained/

Re: Firedrive and Cloudflare

Jay Grizzard <elfchief@lupine.org>

Date: Fri, 24 Oct 2014 08:11:07 -0700

The recent firedrive.com outage has triggered several messages to RISKS that have pointed a finger at Cloudflare as a culpable party, because the IP address for firedrive.com matches IP addresses also owned by Cloudflare. While the latter is true (firedrive.com is in Cloudflare's IP space), this does not actually imply Cloudflare involvement, complacency, or responsibility.

Cloudflare is a Content Distribution Network (CDN). Basically, this means that they host no data at all—they sell distribution services, much the same way a phone company does (though a better analogue might be an answering service). Companies (like Firedrive) pay Cloudflare to proxy incoming traffic for them, and cache the parts of that data that can be cached, as a way to offload traffic from their own servers, and make their websites more responsive to their users.

Blaming Cloudflare, in this case, is like blaming an answering service because your doctor's office isn't picking up their phone. No matter how much you beg, the answering service can't help you with that funny looking mole you just discovered—all they can do is pass on your requests, and hope that your doctor responds.

Cloudflare is just an intermediary here.

The real risk (beyond the mis-attribution of problems) is the continued belief that "the cloud" is some kind of magic sauce that relieves you of responsibility for the safety of your data (i.e. keeping backups). Any given cloud provider is a place you can store data, but cloud providers can fail, just like physical media can. Storing your important data on a single cloud provider is akin to storing your important data on a single hard drive. You /probably/ won't have a failure that causes you to lose data, but cloud providers (like hard drives) are fallible, and I seriously doubt that this will be the last major failure of a cloud storage company.

Re: Firedrive has gone down taking millions of files with it

Henry Baker <hbaker1@pipeline.com>

Date: Fri, 24 Oct 2014 06:12:31 -0700

Two words: "Erasure Code":

http://en.wikipedia.org/wiki/Erasure_code

"In information theory, an erasure code is a forward error correction (FEC) code for the binary erasure channel, which transforms a message of k symbols into a longer message (code word) with n symbols such that the original message can be recovered from a subset of the n symbols"

Aka RAIC—Redundant Array of Independent Clouds
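The k-of-n property quoted above, worked through as a toy RAIC in added example code (not from Henry Baker's post, Wikipedia, or any real product): each block of a file becomes the values of a polynomial over GF(257), one value per "cloud", and any k surviving clouds suffice to rebuild it. The prime-field construction and the function names are this example's own assumptions; production systems use Reed-Solomon over GF(2^8).

```python
"""Toy k-of-n erasure code over GF(257): a file is spread over n providers
and any k of them are enough to recover it (a "Redundant Array of
Independent Clouds"). Demonstration code only, not a production library."""

P = 257  # prime large enough that every byte value 0..255 is a field element


def _lagrange_at(points, x):
    """Evaluate the unique polynomial of degree < len(points) that passes
    through `points` [(x_i, y_i), ...] at position x, working mod P."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P  # Fermat inverse
    return total


def encode(data: bytes, k: int, n: int):
    """Split `data` into n fragments, one per cloud. For every k-byte block the
    bytes sit at x=0..k-1 on a degree<k polynomial; fragment i stores that
    polynomial's value at x=i. Fragments 0..k-1 are the data itself
    (systematic code), fragments k..n-1 are parity."""
    assert 1 <= k <= n < P
    padded = data + bytes(-len(data) % k)  # zero-pad to whole blocks
    fragments = [[] for _ in range(n)]
    for start in range(0, len(padded), k):
        block = padded[start:start + k]
        points = list(enumerate(block))  # (x=0..k-1, y=byte value)
        for i in range(n):
            fragments[i].append(block[i] if i < k else _lagrange_at(points, i))
    return fragments  # each fragment is a list of ints in 0..256


def decode(available: dict, k: int, length: int) -> bytes:
    """Rebuild the original bytes from any k fragments. `available` maps
    cloud index -> fragment; `length` is the original size (strips padding)."""
    if len(available) < k:
        raise ValueError("need %d fragments, only %d survived" % (k, len(available)))
    chosen = sorted(available.items())[:k]  # any k distinct clouds will do
    nblocks = len(chosen[0][1])
    out = bytearray()
    for b in range(nblocks):
        points = [(i, frag[b]) for i, frag in chosen]
        out.extend(_lagrange_at(points, x) for x in range(k))  # data at x=0..k-1
    return bytes(out[:length])


def simulate_cloud_loss(data: bytes, k: int, n: int, failed: set) -> bytes:
    """Spread `data` over n clouds, lose the providers in `failed`, rebuild."""
    fragments = encode(data, k, n)
    survivors = {i: f for i, f in enumerate(fragments) if i not in failed}
    return decode(survivors, k, len(data))


if __name__ == "__main__":
    msg = b"backups belong on more than one provider"  # constructed sample
    print(simulate_cloud_loss(msg, 3, 5, {0, 4}))  # two of five clouds gone
```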