Prev

RISKS Digest 28.47

Monday 26 January 2015

Unwitting trusted travelers and drug smuggling

AP via PGN <neumann@csl.sri.com>

Date: Fri, 23 Jan 2015 13:36:56 PST

This is a really egregious example of exploits of a Time of Check to Time of Use (ToCToU) vulnerability. Hundreds of thousands of drivers with trusted backgrounds have enrolled in the SENTRI program (Secure Electronic Network for Travelers Rapid Inspection), which endows them with a "trusted traveler" status—reducing to about fifteen minutes what are normally 2+ hour crossings at automobile checkpoints from Mexico to the U.S. Initially, trusted travelers were issued windshield decals, although that ceased in 2013. Smugglers have figured out they could track vehicles bearing the decal on both sides of the border, plant magnetic containers with drugs under the cars on the Mexican side, and then recover those containers on the U.S. side. With a little observation of who goes through the trusted traveler lines regularly over time, even the subsequent absence of the decals is not a serious obstacle.

Here the time of check is when the driver's automobile is registered in the SENTRI program, and the time of use any time or times after that.

This exploit has been discovered accidentally, and has resulted in several recent seizures. A complication arises if the trusted traveler is actually the culprit rather than the dupe, combining insider misuse with the ToCToU exploit.

Source: an Associated Press item, Unwitting drivers used to carry drugs, unauthored, which I saw in the *San Francisco Chronicle*, 23 Jan 2015, D8.

UK Commission recommends digital voting by 2020

Peter Bernard Ladkin <ladkin@rvs.uni-bielefeld.de>

Date: Mon, 26 Jan 2015 15:25:05 +0100

A Commission called the Digital Democracy Commission, set up by the Speaker of the UK House of Commons, apparently has recommended on-line voting be implemented for the 2020 UK general election.

They are certainly right that it's somewhat popular, judging by letters columns I read in a couple of UK publications. But it can equally be said that the people who may make such recommendations and, unfortunately, who may make such decisions do not appear to be sufficiently aware of the risks.

People who read RISKS are, though. So, let me pop in another one or two. If you are going to use your smartphone to vote, then what is to prevent Apple or Google or the NSA or GCHQ or all of them from knowing exactly who voted for whom? Suppose they "secured" it and said so publicly, cross their hearts and hope to die, who might want to believe it, given recent history of such public statements? And how would this square with the UK Parliament mandating decryptability for all civil electronic communications in the next Parliament, if the current Prime Minister has his way.

And, for extra points - we can go back way before smartphonery for this -- why might one think that it would not be such a great idea to have any of those four entities - or indeed any large influential organisation, government or private - being able to know who voted whom?

http://www.theguardian.com/politics/2015/jan/26/john-bercow-online-voting-2020-general-election

Peter Bernard Ladkin, University of Bielefeld and Causalis Limited Je suis Charlie www.rvs.uni-bielefeld.de www.causalis.com

People upset that the E-911 folk want to use GLONASS

danny burstein <dannyb@panix.com>

Date: Thu, 22 Jan 2015 19:05:58 -0500 (EST)

"GLONASS was chosen because similar US systems don't cover the required territory, Trey Forgety, National Emergency Number Association's director of government affairs, said.

"Besides that, GLONASS is a lot better than GPS in locating mobile phones when the call is made from inside the building."

http://rt.com/usa/225183-us-russia-glonass-911/

Ok, there are clearly politics involved here, but to rely on a system under the complete control of another nation for such a critical piece of communications infrastructure, raises my eyebrows, too

F-35 software is a buggy mess

Henry Baker <hbaker1@pipeline.com>

Date: Thu, 22 Jan 2015 08:19:21 -0800

This story reminds me of the elaborate hoaxes the Victorians played on the Meiji-period Japanese, by providing the Japanese with shipbuilding plans that were purposely flawed.

Security by obscurity wins!

Richard Chirgwin, *The Register*, 22 Jan 2015 US military finds F-35 software is a buggy mess Tests jettisoned to protect schedule http://www.theregister.co.uk/2015/01/22/us_military_finds_f35_software_is_a_buggy_mess/

The F-35 Joint Strike Fighter (JSF) remains the problem child of the US military, with some operational tests abandoned in 2014, and buggy software proving a headache.

The US military's Office of the Director, Operational Test & Evaluation (DOT&E) has released its latest annual report, and the F-35 Joint Strike Fighter chapter describes the Department of Defense's efforts in trying to get the project back somewhere close to schedule.

To avoid a cascading series of delays that would have stretched into 2016, the project abandoned an Operational Utility Evaluation (OUE) planned in April 2014 for the Marines' Block 2B configuration of the aircraft.

The reasoning, explained at Aviation Week, was that Lockheed Martin couldn't put together enough units in that configuration to run the Block 2B OUE in time. If it had proceeded, the OUE would have been pushed back until 2016, in turn delaying the software development effort for Block 3F.

Instead, F-35A test aircraft will be used for a `limited assessment', the report states.

The Block 2B tests were also impacted by restrictions imposed after a June 2013 engine failure in an F-35A unit. That impacted software tests, because the restricted flying hours “reduced the number of accessible test points.''

There were also unplanned software releases to fix bugs, in spite of which “discoveries continued to occur in later versions of software.''

To try and get around software-associated delays, the test program is being revised: some test points are being eliminated, reducing the total number of test points remaining for Block 2B from 529 down to 243; and some fixes are being deferred to the Block 3 program.

Mission `data load' software is also causing concern. This software is loaded on a mission-by-mission basis, working in conjunction with the permanent systems, to operate sensors and respond to conditions for a particular battleground (Aviation Week gives identifying hostile radars as an example).

The DOT&E report says “truncating the mission data load development and conducting open-air flight testing early on a limited open-air range for the purpose of releasing a mission data load in mid-2015 would create significant operational risk to fielded units.''

Implementation of Gas Station Remote Inventory Monitoring Systems vulnerable to attack

Ars via Bob Gezelter <gezelter@rlgsc.com>

Date: Mon, 26 Jan 2015 07:25:00 -0700

Ars Technica reports that the remotely accessible inventory reporting systems used by the over 100,000 fuel dealers in North America use weak security schemes for remote access (whether connecting over dial-ups or via the public Internet). In a modern day transposition of Napoleon's "an army travels on its stomach", this could lead to an attack that would disrupt the availability of availability of petroleum products. It is worth noting that a key element in the Allied victory in World War II was the systematic attacks against axis POL (Petroleum, Oil, and Lubricant) facilities and logistic chains. The core of the problem is that, rather than initiating connections from the stations, the devices are polled, either over dial-up lines or via the public Internet. Reportedly, most of the communications are unencrypted, making them subject to eavesdropping, replay, and later, impersonation attacks. This is also an excellent example of what will become a severe problem with Internet of Things, unsecured or weakly secured devices with the ability to disrupt or endanger everyday life. The original article is at: http://arstechnica.com/security/2015/01/internet-attack-could-shut-down-us-gasoline-stations/

Bob Gezelter, http://www.rlgsc.com

California must lead on cybersecurity

Jonathan Mayer and Edward W. Felten via Henry Baker <hbaker1@pipeline.com>

Date: Mon, 26 Jan 2015 08:42:21 -0800

FYI—Very interesting proposal.

Jonathan Mayer and Edward W. Felten, The Sacramento Bee, 24-24 Jan 2015 http://www.sacbee.com/opinion/the-conversation/article7967445.html

No state has more at stake on cybersecurity than California. From Hollywood's intellectual property to the Central Valley's water reserves to Silicon Valley's cloud services, the Golden State is at singular risk. But, as the world's innovation capital, California also has a unique opportunity to advance cybersecurity.

At last week's State of the Union address, President Barack Obama announced a new federal cybersecurity agenda. Except, it wasn't so new. It was a portfolio of unpopular old proposals, dusted off and relabeled. The odds of clearing Congress: low. The odds of materially improving security: even lower.

That's a shame. Events over the past year—most prominently, the breach at Sony Pictures in Culver City—have highlighted the growing importance of cybersecurity. Attacks are more frequent, better organized and increasingly sophisticated. And intruders are driven by a diverse range of motives—greed, malice, national security or even national pride. America's consumers, businesses and government agencies are undeniably under threat.

While the federal government is stalled, however, the states have an opportunity to lead. California could blaze a trail for effective cybersecurity policy.

The Golden State is, in fact, already an innovator on technology security and privacy. In 2002, California passed the nation's first data breach notification law. If a company leaks personal data, it has to fess up and provide warning. Forty-six other states now have similar laws on the books. In 2003, California mandated that online services make commitments about how they handle consumer data. That farsighted policy has contributed to numerous law enforcement actions, both federal and state, where a business has bungled security or privacy.

Demonstrated successes aside, there are other reasons for California to step up. One of the greatest concerns in cybersecurity policy is critical infrastructure, such as power and water. Even brief disruptions in service could have extraordinary economic and human costs. Remember the Northeast blackout of 2003? It may have claimed dozens of lives and cost the economy billions of dollars. And it was caused, in part, by a software bug. California should not tolerate a fraction of that risk from cybersecurity threats.

Utilities are already subject to extensive state legal requirements, and they already answer to a powerful state regulatory commission. Addressing security and privacy would be a sensible application of existing authority.

Critical infrastructure increasingly relies on industrial automation systems. And those systems are often vulnerable—they keep a default password, for instance, or are accessible from the public Internet. These are not subtle or sophisticated errors. Fixing them requires basic due diligence, not rocket science. Requiring the state's critical infrastructure providers to undergo regular security audits would be straightforward and inexpensive—especially relative to the enormous risks.

Areas of sensitive data are also low-hanging cyber fruit. In health care, education and finance, California already imposes security and privacy requirements that go beyond federal law. Those legal mandates, though, are mostly enforced through after-the-fact penalties. Much like critical infrastructure, sectors that rely upon sensitive data would benefit from periodic outside auditing.

California's own agencies are yet another worthwhile focus. Many government systems are outdated, including some that contain sensitive data. According to the California Department of Justice, there were at least 20 leaks from state and local agencies in just the past year. In addition to regular audits, uniform security training and standards would be no-brainer policies.

What's more, California could benefit the private sector through its own improvements. It could improve services on the market by leveraging its massive acquisition outlays, presently over $4.5 billion on information technology projects. The state could also lead by example in deploying security technology. Migrating state and local websites to https, the secure Web protocol, would be a good first step.

There are, to be sure, valid concerns about the Golden State taking action on cybersecurity. For starters, not all of California's agencies have the requisite technical chops for making and enforcing cyberpolicies. In our view, the skills gap is manageable—outside experts are willing and able to lend a hand.

That's no hypothetical. When former Secretary of State Debra Bowen had concerns about electronic voting systems in 2007, she brought in a cadre of computer security researchers. They quickly produced a comprehensive set of reports, demonstrating severe vulnerabilities. Similarly, when Attorney General Kamala Harris made consumer privacy a focus of her administration, her staff turned to experts in the field.

We know these models work because we collaborated on them. To this day, the secretary of state's

Government Health Care Website Quietly Sharing Personal Data

ABC via Monty Solomon <monty@roscom.com>

Date: Wed, 21 Jan 2015 23:17:30 -0500

http://abcnews.go.com/Technology/wireStory/privacy-concerns-governments-health-care-website-28340119

AMA et al., on medical records?

Harry Hochheiser <hshoch@gmail.com>

Date: Fri, 23 Jan 2015 08:51:59 -0500

AMA-Led Coalition tells ONC EHR Certification Must Change http://www.healthdatamanagement.com/news/AMA-Led-Coalition-Tells-ONC-EHR-Certification-Must-Change-49668-1.html

"...The group charges that the MU [Meaningful Use] certification requirements are contributing to EHR system problems with `downstream effects' on patient safety and that MU certification “has become the priority in health IT design at the expense of meeting physician customers' needs, patient safety, and product innovation.'' The coalition also expresses its concern with the “lack of oversight ONC places on authorized testing and certification bodies for ensuring testing procedures and standards are adequate to secure and protect electronic patient information contained in EHRs.'' In addition to patient safety concerns, they say the certification process lacks necessary security measures to protect patient information." [...]

Risks in uninformed legislation and governance

Jay Ashworth <jra@baylink.com>

Date: Fri, 23 Jan 2015 13:32:04 -0500 (EST)

As technology expands to support and enable more of the things we want to do -- and do more efficiently—in life, it tends to bump head on into law.

And, more and more, those laws are being written by people who not only don't understand the technology they're restricting, they *purposefully* don't understand it. They venerate ignorance.

On the last point first, I'm speaking of the dissolution of the Office Of Technology Assessment [1] in 1995, which made a lot of people very angry and was widely regarded as a bad move. OTA's job was to do this very thing, and to, perhaps, prevent stories like this one [2]:

"Chairman of the Armed Services subcommittee, Rep. Mike Rogers, has sent an angry letter to the Secretary of Defense and Director of National Intelligence (DNI) after learning about the intentions of the US Federal Communications Commission (FCC) [to GLONASS-enable 911 routing].

"Rogers asked the Department of Defense and DNI to detail the extent of GLONASS use and the effect on national security if Russia provides the satellite communications."

"Provides the satellite communications", while admittedly not a quote, is the sort of language I would expect from a legislator who is a) wigging out about The Reds, and b) doesn't understand at all how GPS satellite systems work.

As many RISKS readers probably understand, GPS satellites, whatever they are, merely say "It's this time. It's this time. It's this time" and the receivers calculate their position based on the differences in reception time from various birds; there are no `satellite communications' in the fashion in which that term would be generally understood by the nontechnical public.

Since they don't understand it, though, it's a dandy term to use to whip them up into a frenzy.

A companion example is the White House's upcoming War On Hackers, discussed in a blog posting by Robert Graham at Erratasec [3]. This too, is an excellent example of the RISKS in allowing people to control things they don't understand, and do not appreciate, or worse, care about, the unexpected consequences of.

I often think the best solution is for system admins nationwide to simply take a week off [4], and see how long things last [5]. After all, I didn't -- and I don't think anyone else did—get into this career to worry about whether my government thinks I ought to be a felon for doing the things that are a normal part of my job. Hopefully, a bit more sanity will be applied to that bill before it comes to a vote.

[1] http://en.wikipedia.org/wiki/Office_of_Technology_Assessment [2] http://rt.com/usa/225183-us-russia-glonass-911/ [3] http://blog.erratasec.com/2015/01/obams-war-on-hackers.html [4] Call it a strike if you want [5] I give it until Wednesday afternoon around 3:30

Jay R. Ashworth, Ashworth & Associates http://www.bcp38.info St Petersburg FL USA +1 727 647 1274

Calls for ISPs to filter content could be illegal, EU council documents suggest

Lauren Weinstein <lauren@vortex.com>

Date: Thu, 22 Jan 2015 09:30:40 -0800

IT World via NNSquad http://www.itworld.com/article/2873235/calls-for-isps-to-filter-content-could-be-illegal-eu-council-documents-suggest.html

"Last week justice ministers from across the European Union called on ISPs to conduct voluntary censorship of online content--but documents in preparation for a meeting of telecoms ministers suggest such a move could be illegal."

Autonomous Bot Seized For Illegal Purchases: Who's Liable When A Bot Breaks The Law?

Mike Masnick via robert schaefer <rps@haystack.mit.edu>

Date: Fri, 23 Jan 2015 11:34:21 -0500

Mike Masnick, 23 Jan 2015

"If you program a bot to autonomously buy things online, and some of those things turn out to be illegal, who's liable? We may be about to have the first such test case in Switzerland, after an autonomous buying bot was "seized" by law enforcement."

https://www.techdirt.com/articles/20150118/06453429734/autonomous-bot-seized-illegal-purchases-whos-liable-when-bot-breaks-law.shtml

It was only a matter of time for this kind of thing to happen with anonymous purchasing. The legal authorities can simply wait to see who picks up the goods for physical items, but what about illegal purchases of virtual items?

robert schaefer, Atmospheric Sciences Group, MIT Haystack Observatory, Westford, MA 01886 781-981-5767 http://www.haystack.mit.edu

Mozilla tweaks `referer headers' in bid to limit website privacy grabs

Ars via Monty Solomon <monty@roscom.com>

Date: Wed, 21 Jan 2015 23:18:26 -0500

http://arstechnica.com/tech-policy/2015/01/mozilla-tweaks-referer-headers-in-bid-to-limit-website-privacy-grabs/

2014: The year of living cable TV-free

chron.com via Monty Solomon <monty@roscom.com>

Date: Fri, 23 Jan 2015 21:54:29 -0500

http://blog.chron.com/techblog/2015/01/2014-the-year-of-living-cable-tv-free/

Google discloses three severe vulnerabilities in Apple OS X

Monty Solomon <monty@roscom.com>

Date: Sat, 24 Jan 2015 10:26:02 -0500

http://www.cnet.com/news/google-team-finds-three-severe-vulnerabilities-in-apple-os-x/

Cuba demonstrates the future of the Internet

Henry Baker <hbaker1@pipeline.com>

Date: Mon, 26 Jan 2015 10:35:58 -0800

FYI—This is the future of the Internet, brought to you by NSA/GCHQ/Great-Firewall-of-China/etc. Who knew that Cuba was such a leader in high technology?

[The current DNS & CA system is hopelessly broken, so without an immediate

(<24 months) improvement, we can kiss the whole Internet goodbye.]

http://uk.businessinsider.com/cuban-youth-built-a-secret-internet-network-2015-1

Cuban Youth Built A Secret Internet Network Michael Weissenstein, Associated Press, 26 Jan 2015

Cut off from the Internet, young Cubans have quietly linked thousands of computers into a hidden network that stretches miles across Havana, letting them chat with friends, play games and download hit movies in a mini-replica of the online world that most can't access.

Home Internet connections are banned for all but a handful of Cubans, and the government charges nearly a quarter of a month's salary for an hour online in government-run hotels and Internet centers. As a result, most people on the island live offline, complaining about their lack of access to information and contact with friends and family abroad.

A small minority have covertly engineered a partial solution by pooling funds to create a private network of more than 9,000 computers with small, inexpensive but powerful hidden WiFi antennas and Ethernet cables strung over streets and rooftops spanning the entire city. Disconnected from the real Internet, the network is limited, local and built with equipment commercially available around the world, with no help from any outside government, organizers say.

Hundreds are online at any moment pretending to be orcs or U.S. soldiers in multiplayer online games such as "World of Warcraft" or "Call of Duty." They trade jokes and photos in chat rooms and organize real-world events like house parties or trips to the beach.

"We really need Internet because there's so much information online, but at least this satisfies you a little bit because you feel like, 'I'm connected with a bunch of people, talking to them, sharing files," said Rafael Antonio Broche Moreno, a 22-year-old electrical engineer who helped build the network known as SNet, short for `streetnet'.

[LONG MIDDLE SECTION DELETED FOR RISKS. PGN]

Broche Moreno estimated it costs about $200 to equip a group of computers with the antennas and cables needed to become a new node, meaning the cost of networking all the computers in SNet could be as little as $200,000. Similar but smaller networks exist in other Cuban cities and provinces.

"It's proof that it can be done," said Alien Garcia, a 30-year-old systems engineer who publishes a magazine on information technology that's distributed by email and storage devices. "If I as a private citizen can put up a network with far less income than a government, a country should be able to do it, too, no?"

The Internet isn't the only one with a DNS/Certificate problem...

Henry Baker <hbaker1@pipeline.com>

Date: Mon, 26 Jan 2015 07:04:37 -0800

FYI—I wonder how many spam advertising phone calls make it through into the NSA and/or White House? It must be significantly greater than zero.

Perhaps the acronym "MITM" has a new interpretation?

Alan Cowell, *The New York Times*, 26 Jan 2015 Prank Caller Pulls Wool Over British Surveillance Agency's Eyes [PRUNE] http://www.nytimes.com/2015/01/27/world/europe/gchq-britain-prank-caller.html

LONDON—At a time when Western leaders are clamoring for greater powers to conduct covert surveillance, a prankster in Britain has turned the table on the watchers, securing a private cellphone number for a top intelligence chief and apparently making a separate phone call to the prime minister in his name, British officials acknowledged on Monday.

The unidentified caller then phoned a tabloid newspaper on Sunday to boast. He told the tabloid, *The Sun*, that he had been high on alcohol and drugs when he persuaded GCHQ, the British electronic surveillance agency, to give him a cellphone number for its director, Robert Hannigan.

Later, an unidentified caller widely believed to be the same person pretended to be Mr. Hannigan in a separate call to Prime Minister David Cameron.

“I've just made complete monkeys out of GCHQ; I've got the mobile number of the director.'', the unidentified caller told the newspaper—GCHQ collaborates NSA, and also works with Britain's domestic and overseas intelligence services.] [LONG ITEM PRUNED for RISKS. PGN]

Re: 4th-Party Collection: NSA's Wink Wink Nod Nod to the 4th Amendment

Dick Mills <dickandlibbymills@gmail.com>

Date: Thu, 22 Jan 2015 14:45:51 -0500

NSA makes a big deal about their "minimization procedures" which restrict access to data collected under 215 and 702.

They should be asked if the same minimization procedures apply to info gathered by 4th-parties. I suspect that the answer is no because they never give an unequivocal answer such as "minimization procedures apply in all circumstances to all data regardless of source."

Ditto for 215 and 702 data that is shared to allies. A NSA employee denied access to the data because he does not qualify under the minimization rules, might simply ask a friend at GCHQ if he could access their copy of the same data.

Re: Today's Apps Are Turning Us Into Sociopaths?

Peter Houppermans <peter@houppermans.net>

Date: Thu, 22 Jan 2015 09:20:00 +0100

Hmm, one misguided app idea spun out into full article about an apparent trend ("apps like") that heralds the end of society as we know it.

I hope Internet archives still hold the article detailing which doom befell us with the release of Angry Birds. An enquiring mind wants to know..

Re: Schneider Electric SCADA Gateway contains hardcoded credentials

Henry Baker <hbaker1@pipeline.com>

Date: Wed, 21 Jan 2015 17:43:06 -0800

News Flash: Contrary to popular belief, there aren't turtles all the way down. There have to be credentials built-in at some point, and the only question is who controls these credentials. When you get an iPhone from Apple, Apple controls those credentials; when you get a Windows computer from HP, HP & Microsoft control those credentials. You as a schlub end-loser don't get to control almost _any_ of the credentials of the computer objects that you supposedly "own".

Ideally, there should be some sort of _ceremony_ when you become the owner of a computerized object, during which control of the credentials passes from the vendor/distributor/previous owner to you--much like the ceremony that transfers legal title of your new home to you along with the keys to the premises.

Some computerized objects allow whomever has physical access to the object to gain credentialed control—e.g., a home router with a reset/reboot button together with a USB stick containing a new operating system.

You can easily tell which computerized objects you "own" by asking the question: can I reflash its operating system with contents of my choosing (including new credentials)? If you can't, then that computerized object is already "pwned" by someone else.

Re: Schneider Electric SCADA Gateway contains hardcoded credentials

Bob Gezelter <gezelter@rlgsc.com>

Date: Thu, 22 Jan 2015 08:48:13 -0700

Henry, Indeed, to use your words, "there aren't turtles all the way down". The problem is not the existence of a documented, predefined default configuration (which in any case, should not allow arbitrary use). Rather the problem is products shipping with built-in security gaps. Predefined well-known default configuration settings (user