RISKS Digest 31.36

Monday 12 August 2019

A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts

WiReD

Date: Thu, 8 Aug 2019 23:36:06 -0400

But Boeing counters that it has both "additional protection mechanisms" in the CIS/MS that would prevent its bugs from being exploited from the ODN, and another hardware device between the semi-sensitive IDN—where the CIS/MS is located—and the highly sensitive CDN. That second barrier, the company argues, allows only data to pass from one part of the network to the other, rather than the executable commands that would be necessary to affect the plane's critical systems.

"Although we do not provide details about our cybersecurity measures and protections for security reasons, Boeing is confident that its airplanes are safe from cyberattack," the company's statement concludes.

Boeing says it also consulted with the Federal Aviation Administration and the Department of Homeland Security about Santamarta's attack. While the DHS didn't respond to a request for comment, an FAA spokesperson wrote in a statement to WIRED that it's "satisfied with the manufacturer's assessment of the issue."

...or not.

This Tesla Mod Turns a Model S Into a Mobile 'Surveillance Station'

WiReD

Date: Sat, 10 Aug 2019 23:24:51 -0400

Automatic license plate reader cameras are controversial enough when law enforcement deploys them, given that they can create a panopticon of transit throughout a city. Now one hacker has found a way to put a sample of that power—for safety, he says, and for surveillance—into the hands of anyone with a Tesla and a few hundred dollars to spare.

"New Windows malware can also brute-force WordPress websites"

Catalin Cimpanu

Date: Wed, 07 Aug 2019 10:53:43 -0700

Catalin Cimpanu for Zero Day, 7 Aug 2019

Avast discovers strange new malware strain that, besides stealing and mining cryptocurrency on infected hosts, also launches brute-force attacks on WordPress sites.

Getting physical: warshipping

Fortune

Date: Sat, 10 Aug 2019 23:46:31 -0400

IBM researchers are hyping a new hacking technique called "warshipping" that involves breaking into corporate networks using a cheap Wi-Fi device sent in the mail. A hacker has turned a Tesla vehicle into a mobile surveillance station capable of storing facial imagery and license plate numbers. Elevator phone phreaking is the latest hacker fad.

...from Fortune magazine newsletter.

These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer

Date: Mon, 12 Aug 2019 17:53:56 -0400

It looks like an Apple lightning cable. It works like an Apple lightning cable. But it will give an attacker a way to remotely tap into your computer.

Inside the Hidden World of Elevator Phone Phreaking

WiReD

Date: Sat, 10 Aug 2019 23:22:02 -0400

Author writes:

The first time I called into an elevator, I picked up my iPhone and dialed the number—labeled on my list as the Crowne Plaza Hotel in Chicago—and immediately heard two beeps, then a recording of a woman's voice, who told me to press one to talk. When I did, I was suddenly in aural space filled with the hum of motors and the muffled twanging of steel cables under tension. "Hello, can anyone hear me?" I asked the void. The void did not respond.

I hung up and tried another number on my list: A Hilton hotel in Grand Rapids, Michigan. After just one ring I heard a series of four tones and was immediately listening to the inside of another elevator. I heard a chime, perhaps a signal that it had reached a floor, followed by the rumble of what might have been a door opening. "Hi, is anyone in here?" I asked. This time I heard a few muffled voices, then a woman answered: "There are people in here, yes."

Popular kids' tablet patched after flaws left personal data vulnerable

Danny Palmer

Date: Wed, 07 Aug 2019 10:31:38 -0700

Danny Palmer, ZDNet, 7 Aug 2019

Researchers also found security holes that gave away personal data and credit card information of children's parents.

selected text:

Security vulnerabilities in a popular children's tablet could have allowed attackers to collect sensitive information about its young users, as well as enabling hackers to steal their parents' names, address and credit card details.

In addition to this, researchers found that the Pet Chat protocol didn't require any authentication between devices, meaning anyone running Pet Chat within 100ft of a user could send messages to the child's device, albeit in the set phrases allowed by Pet Chat, something that could potentially put the child at risk.

Watch a Drone Take Over a Nearby Smart TV

WiReD

Date: Mon, 12 Aug 2019 17:58:31 -0400

For all the focus on locking down laptops and smartphones, the biggest screen in millions of living rooms remains largely unsecured, even after years of warnings. Smart TVs today can fall prey to any number of hacker tricks—including one still-viable radio attack, stylishly demonstrated by a hovering drone.

At the Defcon hacker conference Sunday, independent security researcher Pedro Cabrera showed off, in a series of hacking proof-of-concept attacks, how modern TVs—and particularly smart TVs that use the Internet-connected HbbTV standard implemented in his native Spain, across Europe, and much of the rest of the world—remain vulnerable to hackers. Those techniques can force TVs to show whatever video a hacker chooses, display phishing messages that ask for the viewer's passwords, inject keyloggers that capture the user's remote button presses, and run cryptomining software. All of those attacks stem from the general lack of authentication in TV networks' communications, even as they're increasingly integrated with Internet services that can allow a hacker to interact with them in far more dangerous ways than in a simpler era of one-way broadcasting.

"The lack of security means we can broadcast with our own equipment anything we want, and any smart TV will accept it," Cabrera says. "The transmission hasn't been at all authenticated. So this fake transmission, this channel injection, will be a successful attack."

[Photo caption: At the Defcon hacking conference in Las Vegas, a security researcher showed how easy it is to compromise a smart TV with a DJI quadcopter.]

5G Wireless Networks Are Not Harmful to Health, FCC Says

Fortune

Date: Fri, 9 Aug 2019 15:36:27 -0400

The Feds Try To End the Debate Over 5G Health Concerns (Fortune Data Sheet)

It's the question everyone wants to go away: are 5G wireless networks safe or are they a risk to human health?

On Thursday, the Federal Communications Commission and the Food and Drug Administration tried to put the question to bed once more. The FCC announced it would hold its radio frequency exposure limits for cell phones, cellular towers, and other wireless gear at current levels. The use of some new frequencies as part of the 5G rollout did not change the situation, the agency said. After a review of the scientific record and consultations with health agencies, "we find it appropriate to maintain the existing radio frequency limits, which are among the most stringent in the world for cell phones," Julius Knapp, chief of the FCC's Office of Engineering and Technology, said. That came backed with excerpted comments from Jeffrey Shuren, director of the Food and Drug Administration's Center for Devices and Radiological Health. The "available scientific evidence to date does not support adverse health effects in humans due to exposures at or under the current limit" and "[n]o changes to the current standards are warranted at this time," Shuren explained in a letter cited in part by the FCC.

That's also the same conclusion that the scientific association the Institute of Electrical and Electronics Engineers, or IEEE, came to back in February, when it completed a review of recommended exposure limits and also agreed to maintain them at current levels.

But the announcements are unlikely to end the debate. Worriers can point to a few studies and the decision by the World Health Organization's International Agency for Research on Cancer to classify cellular radio waves as a possible carcinogen back in 2011. And countries like Belgium and Switzerland have delayed 5G networks over health concerns. On the other side, research from the American Cancer Society and the National Institutes of Health, among others, has concluded there are no risks. And so round it goes. The WHO has a vast, new study underway that, perhaps, will offer a more definitive result. For a truly deep dive, check out the page maintained by the National Cancer Institute on cell phones and cancer research.

Phishing attack: Students' personal information stolen in university data breach

Danny Palmer

Date: Wed, 07 Aug 2019 10:26:47 -0700

Danny Palmer, ZDNet, 23 Jul 2019

University says it has fallen victim to "a sophisticated and malicious phishing attack"—and students are being warned to look out for suspicious emails.

Hackers have stolen personal data of prospective and current students at Lancaster University after gaining access to databases that contained personal information—with victims now the targets of additional cyberattacks.

Names, addresses, telephone numbers, and email addresses have been compromised by cyberattackers who gained unauthorised entry to undergraduate students' application records for 2019 and 2020. The university has over 13,000 students, but there's currently no figure on the number of people who have been caught up in the attack.

Navy Reverting DDGs Back to Physical Throttles, After Fleet Rejects Touchscreen Controls

USNI News

Date: Mon, 12 Aug 2019 17:51:04 -0400

SAN DIEGO – The Navy will begin reverting destroyers back to a physical throttle and traditional helm control system in the next 18 to 24 months, after the fleet overwhelmingly said they prefer mechanical controls to touchscreen systems in the aftermath of the fatal USS John S. McCain (DDG-56) collision.

The investigation into the collision showed that a touchscreen system that was complex and that sailors had been poorly trained to use contributed to a loss of control of the ship just before it crossed paths with a merchant ship in the Singapore Strait. After the Navy released a Comprehensive Review related to the McCain and the USS Fitzgerald (DDG-62) collisions, Naval Sea Systems Command conducted fleet surveys regarding some of the engineering recommendations, Program Executive Officer for Ships Rear Adm. Bill Galinis said.

Nice work on testing design, getting user input...

...and funny juxtaposition:

This High-Tech Solution to Disaster Response May Be Too Good to Be True

The New York Times

Date: Sat, 10 Aug 2019 09:52:00 -0700

Emergency response simulation, for sale, adopted by several municipalities (and at least one country—Japan) to optimize first responder resource allocation and prioritization. The `One Concern' AI platform relies on residential census data.

As noted in the NY Times piece:

"But when T.J. McDonald, who works for Seattle's office of emergency management, reviewed a simulated earthquake on the company's damage prediction platform, he spotted problems. A popular big-box store was grayed out on the web-based map, meaning there was no analysis of the conditions there, and shoppers and workers who might be in danger would not receive immediate help if rescuers relied on One Concern's results.

"'If that Costco collapses in the middle of the day, there's going to be a lot of people who are hurt,' he said."

The US census collects household income data. This component might be accorded greater algorithmic weight. Similarly, what would happen to disaster response prioritization if crime statistics, such as homicide rate, were integrated? Or if there's an EPA superfund site in the locality?

Algorithmic bias remains a significant risk to public safety and health. Trust that dedicated public servants, like Mr. McDonald, are vigilant and accountable to direct emergency response where and when disaster strikes.

Scam pulse-monitoring app returns to Apple Store

Ben Lovejoy

Date: Wed, 7 Aug 2019 12:05:06 -0400

[Fiendishly clever, or cleverly fiendish:]

Ben Lovejoy, 9to5Mac: Scam heart rate app is back in the App Store, trying to steal $85/year

A scam heart rate app that tried to con iPhone users out of $89/year is now back in the App Store under a new name, some eight months after Apple removed the original version.

The app specifically targets people who own iPhones with Touch ID.

What the app does is ask users to place their finger on the Home button, supposedly to take a heart-beat reading. In reality, the app dims the display brightness to its minimum to hide the content—which is actually Apple's dialogue requesting authorization for a recurring in-app purchase. If users place a registered Touch ID finger on the Home button, that completes the purchase.

Apple removed the app in November of last year following our report, but Brazil's Mac Magazine reports that it has now returned. ...

Now the app presents itself as `Pulse Heartbeat' and its developer is registered as BIZNES-PLAUVANNYA, PP.

The in-app purchase is now for 340 Brazilian reals, which is equivalent to around US$85. As before, the app is targeting Portuguese speakers. ...

The reality [no pun intended?] is that the app review process is a manual one, and prone to human error. Scammers will usually submit an innocuous app and then update it with rogue code after approval. Although Apple reviews updates too, there is a general belief that this review is less thorough than for a new app.

The report does show that even in a curated app store, there are still risks. ...

He Tried Hiding From Silicon Valley in a Pile of Privacy Gadgets

Bloomberg

Date: Sat, 10 Aug 2019 00:44:45 -0400

Avoiding digital snoops takes more than throwing money at the problem, but that part can be really fun.

GDPR's unintended consequences

The Register

Date: Fri, 9 Aug 2019 13:33:14 -0400

GDPR, the EU's General Data Protection Regulation, is supposed to protect personal data and user privacy for EU citizens. But it has made life much easier for identity thieves. The law obligates companies to provide a copy of any personal data they have, but doesn't require companies to verify the identity of those requesting the info.

"James Pavur, a PhD student at Oxford University who usually specialises in satellite hacking, explained how he was able to game the GDPR system to get all kinds of useful information on his fiancée [with her permission], including credit card and social security numbers, passwords, and even her mother's maiden name. [...] Over the space of two months Pavur sent out 150 GDPR requests in his fiancée's name, asking for all and any data on her. In all, 72 per cent of companies replied back, and 83 companies said that they had information on her. ... Of the responses, 24 per cent simply accepted an email address and phone number as proof of identity and sent over any files they had on his fiancée."

"A threat-intelligence company sent over a list of her email addresses and passwords which had already been compromised in attacks. Several of these still worked on some accounts."

Source: The Register

Black Hat: GDPR privacy law exploited to reveal personal data

BBC News

Date: Thu, 8 Aug 2019 17:51:23 -0400

About one in four companies revealed personal information to a woman's partner, who had made a bogus demand for the data by citing an EU privacy law.

The security expert contacted dozens of UK and US-based firms to test how they would handle a "right of access" request made in someone else's name.

In each case, he asked for all the data that they held on his fiancee.

In one case, the response included the results of a criminal activity check.

Other replies included credit card information, travel details, account logins and passwords, and the target's full US social security number.

University of Oxford-based researcher James Pavur has presented his findings at the Black Hat conference in Las Vegas.

It is the first known test of its kind to exploit the EU's General Data Protection Regulation (GDPR), which came into force in May 2018.

"Generally if it was an extremely large company—especially tech ones—they tended to do really well," he told the BBC.

"Small companies tended to ignore me."

[Also noted by others. PGN]

Password policy recommendations: Here's what you need to know.

HPE

Date: Tue, 6 Aug 2019 19:42:26 -0400

Complexity, uniqueness, and periodic change have long been the top best practices for passwords, but new recommendations have led to changes around password policies.

Re: Russian hackers are infiltrating companies via the office printer

Kelly Bert Manning

Date: Thu, 8 Aug 2019 13:06:33 -0400

Russia may be a new player, but I first became concerned about printer hacking when I read the manuals for the shiny new IP connected Lexmark printers that replaced PC connected and IBM SNA printers back in the 1990s. I contacted IT security to note that the printers came from the factory with a standard remote admin login ID and password, suggesting that it might be wise to change those.

The response was Move Along, Nothing to Worry About Here, even from BC Ministry of Health IT security.

Fast forward a couple of years and all Lexmark printers in the Ministry have to be disconnected, shut down and purged of a Lexmark Virus.

Things like that happened often enough that new staff were advised to always stay on my right side, although my view was that sometimes I found it a challenge to be influential and persuasive, in addition to being correct. White Hat Social Engineering, persuading and influencing people to make the correct choice, can be as important as having the best analysis, solution or mitigation.

Climate change: how the jet stream is changing your weather

FT

Date: Tue, 6 Aug 2019 14:25:36 -1000

*Northern Atlantic current is shifting course—with implications for crops and sea levels*

At the summit of the Greenland ice cap the temperature rarely rises above zero degrees centigrade—the elevation is 3,200m and the ice below is more than a mile thick.

But last Friday, as the sun beat down, a small weather station laden with sensors captured something highly unusual: the temperature crept past zero and up to 3.6C—the highest since records began three decades ago. As temperatures rose across the massive ice sheet, which blankets an area five times the size of Germany, around 60 per cent of the surface started to melt, one of the largest ever recorded.

Scientists know of only three prior occasions in the past 800 years when there has been melting at the very top of the ice cap, which is kept chilled by the large volume of ice beneath. But this seems to be getting more frequent—it is now the second time this decade it has happened.

"The last time we saw melting at the summit, in 2012, we thought it was the extreme of the extremes, and wouldn't happen again so quickly," says Konrad Steffen, a professor of climate and cryosphere at ETH Zurich, who operates a network of 18 monitoring stations across the ice sheet. "But now we are facing more of these extremes."

Prof Steffen's data shows that between July 30 and August 2 a heatwave in Greenland produced several record highs across the ice sheet, including at East Grip, the second highest monitoring station. "If you start melting at the top of the ice sheet, we are going to lose [the] Greenland ice sheet long-term," he adds.

The immediate trigger for the heatwave was a shift in atmospheric currents high above the earth's surface: the North Atlantic Jet Stream, a fast current of wind that blows from west to east, had formed a buckle that was trapping warm air over Greenland. The same pattern had caused a record-setting heatwave in Europe a few days earlier, before shifting over to sit on top of the Greenland ice sheet.

It's not just Greenland's weather that is governed by the jet stream. Across Europe and North America, it controls extreme weather conditions of all kinds, from winter cold snaps, to heatwaves, to storms...

Re: AI Predictive Policing

George Jansen

Date: Tue, 6 Aug 2019 18:36:29 -0400

When this started making the news, I found myself thinking of entry 66 in Notebook F of Lichtenberg's *The Waste Books*:

"If physiognomy becomes what Lavater expects it to become, children will be hanged before they have perpetrated the deeds that deserve the gallows; a new kind of confirmation will thus be performed every year. A physiognomical *auto-da-fe*."

(There are slighting references to Lavater elsewhere in *The Waste Books*, which NYRB has brought back into print:

Re: Hawley/SMART Act

Rob Slade

Date: Tue, 6 Aug 2019 15:44:21 -0700

Saints preserve us from "well-intentioned" politicians. This time around it's Josh Hawley, who wants to save us from social media addiction. I don't know anything about him. Wikipedia seems to indicate that he's a nice guy (except for that bit about not wanting people to have health care). OK, I'm with him so far. But the way he wants to do it is to make a simple fix. (Saints preserve us from "simple" solutions to complex problems.) He wants to limit how much "feed" you can get from a social media site on one go. Also limit your time on any given site to half an hour a day. (Ah, gee, Dad!)

Right. I think I see the problem here. You see, Hawley is a lawyer. Lawyers have to go to law school, so they are fairly smart. And they help people with problems, so they like to fix problems. All good so far. The problem is that lawyers get used to thinking they are smarter than other people (which is generally true), and that they can fix pretty much any problem (which is not true). In particular, they tend to start thinking they can start fixing problems they don't know anything about, especially when they pupate out of the larval (lawyer) stage and into full-grown politicians.

See, having a limit on how much socmed you can get in one go probably won't solve anything. And it's going to be a nuisance for many. Yesterday I had a meeting downtown. So, since I use Twitter for news, I went to my favorite bus stop, fired up Twitter, scrolled down as far as I could go, hopped on the 210 when it came, and noted which stories I wanted to read (later) all the way to the meeting. Which usually takes an hour. It would have been annoying to be limited to enough to cover just a few blocks. Not very effective use of my time.

(Nor, when I come to think of it, very possible. I mean, I was only "on" Twitter for the few minutes it took to load the feed. Is he going to make Twitter, and all other apps, cut off after being on screen for 30 minutes? How's that going to work for people with perceptual disabilities, who need more time to read things?)

And the sweet young thing beside me, following all of her friends and their latest "haul" videos, is not going to be limited by having to refresh the screen every few entries. She's doing that anyway. It just means that she's going to be refreshing the screen at some point when she should be watching for that car coming through the intersection where she's crossing the street. Plus, after she gets finished with Instagram, she'll be onto WhatsApp, and then Facebook, and then ... well, you get the picture.

Sorry, Josh. You haven't solved anything.

Re: Hawley/SMART Act

Dimitri Maziuk

Date: Tue, 6 Aug 2019 16:24:21 -0500

> ... infinite scroll would be illegal, as would autoplay videos.

Great! I will once again be able to see how much content there is on a page by just looking at the scroll bar. And it won't distract my eyes and waste bandwidth on the junk I never wanted to see in the first place.

Re: Apple's Siri overhears your drug deals and sexual activity

Amos Shapir

Date: Wed, 7 Aug 2019 18:00:03 +0300

In other words, never discuss SIRIous matters (or a TV SERIes, etc, etc..) when Siri is present.

Re: Siemens contractor pleads guilty to planting logic bomb in company, spreadsheets

Martin Ward

Date: Fri, 9 Aug 2019 12:03:57 +0100

Two quotes from the ZDNet article:

> But while Tinley's files worked for years, they started malfunctioning
> around 2014. Every time the scripts would crash, Siemens would call
> Tinley, who'd fix the files for a fee.

It seems that if you work for Siemens, the poorer the quality of the work you produce, the more you will get paid. Just don't try to get too clever and use automation to emulate poor quality work: or at least, if you do, don't hand over the administrative password. You don't want your customer to gain control over the software which runs *their* business!

If you are wondering why there is so much poor quality software out there: an ecosystem which gives higher rewards for poorer quality might possibly be a contributor!

At least this particular contractor didn't try to use plausibly deniable bug injection: cf. the "Underhanded C Contest".

Researchers wrest control of one of world's most secure industrial controllers

The Times of Israel

Date: Thu, 8 Aug 2019 23:31:31 -0400

“Siemens is aware of the research from Technion, Haifa and Tel-Aviv University to be presented at BlackHat USA 2019,” Siemens said in an emailed statement to The Times of Israel.

In response, the firm recommended that users of the SIMATIC S7-1200/S7-1500 controllers enable the `access protection' feature to prohibit unauthorized modifications of the devices. Siemens also recommended following and implementing the defense-in-depth approach for plant operations, and configuring the environment according to its operational guidelines for Industrial Security.

Good response, "prohibit unauthorized modifications of the devices".

Writing about writing

Rob Slade

Date: Thu, 8 Aug 2019 14:44:49 -0700

I came across a post on the ISC2 blog. It's an article by Chris Veltsos (*Dr.* Chris Veltsos, if you please, or, to his friends, Dr. Infosec) on "Writing Cybersecurity Articles--Getting Through the Tough Times." As the title somewhat implies, it's about how to get through writer's block when writing about infosec. through-the-tough-times.html

I'm really not sure how to take this.

First off, if you work in infosec, you pretty much automatically have the best inspiration in the world. There is always something new happening in infosec. There is always something new happening that is applicable to infosec. Techies, in various fields, are always arguing about which field in high tech is the fastest moving. I figure infosec has a lock on it: whatever is happening, in whatever tech field, has security implications.

As a bit of background, I've published four books. (Or six, depending on how you count them.) Over the years I've written monthly columns for at least three periodicals. For twenty years I had a project doing book reviews in technical literature. (Always at least weekly: often daily.) I've abandoned a number of blogs. Since I got into infosec I have *never* run out of things to write about. I don't have the *time* to write about everything I want to. (I desperately want voice recognition to get good enough to take dictation.)

I don't understand "writer's block." I don't understand dry spells. (Fatigue, I could understand ...)

So, then, to the specifics of what Chris has to say about it.

He says you need motivation. (And aqueducts, apparently.) Oh, come on. You work in infosec. You are saving people's privacy, money, jobs. Your colleagues, your friends, your family. How is that not enough motivation? (Yeah, sure, the stupid things your colleagues, friends, and family do is sometimes depressing. So, take some time to yell at them via your writing ...)

He says you need to think about why you are writing. Sorry, isn't that the same thing as your motivation? (Oh, unless you are just writing for self-promotion. Yeah, I could see how that could get pretty dry at times ...)

He says you need to think about your writing "environment." Yeah, I hear about that all the time. Saw a movie last night that had a writer who couldn't write without everything just so in the "environment." Again, while I understand that having the building collapsing around you could be a distraction, I don't understand this "environment" business. I've written at home, on planes, in airports, on trains, at work between demands, on the bus, in coffee shops and restaurants, in hotels, and while waiting to be called to testify in court. You're writing about infosec. It needs to be done.

He says you should think about pen and paper, if a computer doesn't do it for you. OK, if necessary. I mostly use a computer, or laptop, or something with a keyboard. I've used tablets and smartphones. (I *hate* soft keyboards.) I've used pen (or even pencil) and paper. (My handwriting is terrible. Always has been.) (But I've always wanted to try out those pens that save what you've written ...) I've used whiteboards, blackboards, chalk, or a piece of burnt stick on a rock. Whatever works.

His last three suggestions are, basically, give it a rest and come back to it. OK. I've often got multiple bits on the go, so I might leave one for a time and concentrate on others.

But I'm writing about infosec. There's too much to leave it for long ...