RISKS Digest 30.29

Saturday 13 May 2017

Fiat Chrysler Recalls 1.2 Million Ram Pickups Over Faulty Software

Bill Vlasic and Neal E. Boudette <neumann@csl.sri.com>

Date: Sat, 13 May 2017 08:13:18 PDT

*The New York Times*, 13 May 2017

After one death and two injuries, the recall is intended to fix faulty software that can disable airbags and seatbelt tension devices. Reportedly, "normal restraint-system function may be restored" by turning the ignition off and on again.

Today's Massive Ransomware Attack Was Mostly Preventable -- Here's How To Avoid It

Gizmodo <lauren@vortex.com>

Date: Fri, 12 May 2017 16:27:31 -0700

NNSquad http://gizmodo.com/today-s-massive-ransomware-attack-was-mostly-preventabl-1795179984

Here's what happened: Unknown attackers deployed a virus targeting Microsoft servers running the file sharing protocol Server Message Block (SMB). Only servers that weren't updated after March 14 with the MS17-010 patch were affected; this patch resolved an exploit known as EternalBlue, once a closely guarded secret of the National Security Agency, which was leaked last month by ShadowBrokers, a hacker group that first revealed itself last summer. The ransomware, aptly named WannaCry, did not spread because of people clicking on bad links. The only way to prevent this attack was to have already installed the update.

Dozens of countries hit by huge cyberextortion attack

McClatchy <lauren@vortex.com>

Date: Fri, 12 May 2017 15:10:41 -0700

via NNSquad http://www.mcclatchydc.com/news/politics-government/national-politics/article150231887.html

Dozens of countries were hit with a huge cyberextortion attack Friday that locked up computers and held users' files for ransom at a multitude of hospitals, companies and government agencies. The attack appeared to exploit a vulnerability that was purportedly identified by the U.S. National Security Agency for its own intelligence-gathering purposes and was later leaked to the Internet. Britain's national health service was hit hard, its hospitals forced to close wards and emergency rooms. Spain, Portugal and Russia were also struck. Several cybersecurity firms said they had identified the malicious software behind the attack in upward of 60 countries, with Russia apparently the hardest hit.

[On the UK NHS, danny burstein noted UK hospital system suffering nationwide computer issues (The Guardian):

NHS hospitals across England hit by large-scale cyber-attack

Immediately on discovery of the problem, the trust acted to protect its IT systems by shutting them down; it also meant that the trust's telephone system is not able to accept incoming calls.
https://www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack

See Also http://www.bbc.co.uk/news/health-39899646 PGN]

A British researcher says he found a kill switch for the malware crippling computers worldwide

The Washington Post <lauren@vortex.com>

Date: Sat, 13 May 2017 07:50:05 -0700

via NNSquad https://www.washingtonpost.com/news/worldviews/wp/2017/05/13/a-british-researcher-says-he-found-a-kill-switch-for-the-malware-crippling-computers-worldwide/

By purchasing the domain name and registering a website, the cybersecurity researcher claims that he activated a kill switch. It immediately slowed the spread of the malware and could ultimately stop its current version, cybersecurity experts said Saturday ... About 3 p.m. Eastern time, the specialist with U.S. cybersecurity enterprise Kryptos Logic bought an unusually long and nonsensical domain name ending with "gwea.com." The 22-year-old says he paid $10.69, but his purchase might have saved companies and governmental institutions around the world billions of dollars.

Hackers Use Tool Taken from NSA in Global Attack

Nicole Perlroth and David E. Sanger <neumann@csl.sri.com>

Date: Sat, 13 May 2017 08:20:04 PDT

*The New York Times*, 13 May 2017 (front page)

A digital `perfect storm' hits hospitals, businesses, and a Russian ministry on 12 May 2017. By the end of the day, the attack had spread to more than 74 countries. According to Kaspersky Lab (a Russian cybersecurity company), Russia was the worst-hit, then Ukraine, India, and Taiwan. This seems to have been the largest ransomware attack to date. It was triggered by a simple phishing attack, and is believed to have exploited a vulnerability with a method developed—and leaked from or stolen from—NSA. [PGN-ed]

Indicators Associated With WannaCry Ransomware

US-CERT <lauren@vortex.com>

Date: Sat, 13 May 2017 08:39:09 -0700

via NNSquad https://www.us-cert.gov/ncas/alerts/TA17-132A

According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S. This Alert is the result of efforts between the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) to highlight known cyber threats. DHS and the FBI continue to pursue related information of threats to federal, state, and local government systems and as such, further releases of technical information may be forthcoming.

WARNING: Antivirus sites may be helping to SPREAD the current global malware ransomware WannaCry attack!

Lauren Weinstein <lauren@vortex.com>

Date: Sat, 13 May 2017 09:08:37 -0700

Lauren's Blog https://lauren.vortex.com/2017/05/13/warning-antivirus-sites-may-be-helping-to-spread-the-current-global-malware-ransomware-wannacry-attack

It has been reported that a researcher discovered that spread of the current worldwide ransomware attack can be halted after he registered the domain:

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

and built a sinkhole website that the malware could check. Reportedly the malware does not continue spreading if it can reach this site. HOWEVER, various antivirus websites/services are now reportedly adding that domain to their "bad domain" lists! If sites infected with this malware are unable to reach that domain due to their firewalls incorporating rules from antivirus sites that include a block for that domain, the malware will likely continue spreading across their machines. Your systems MUST be able to access the domain above if this malware blocking trigger is to be effective, according to the current reports that I'm receiving!
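An added example (not part of the original post): a small Python audit that scans a plain-text blocklist for entries that would keep hosts from reaching the kill-switch domain quoted above, and classifies what the local resolver returns for it. The blocklist formats handled, the sample list, and the BLOCKS/REVIEW labels are assumptions made for illustration.

```python
import ipaddress
import re
import socket

# Kill-switch hostname exactly as quoted in the post above.
KILL_SWITCH = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def normalize(name):
    """Lower-case a host and strip scheme, path, port and trailing dot."""
    name = re.sub(r"^[a-z][a-z0-9+.-]*://", "", name.strip().lower())
    return name.split("/", 1)[0].split(":", 1)[0].rstrip(".")


def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_entry(line):
    """Return (domain, covers_subdomains) for one blocklist line, or None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("!"):
        return None                                # blank line or comment
    if line.startswith("||"):                      # adblock style: ||domain^
        return normalize(line[2:].split("^", 1)[0]), True
    fields = line.split()
    if len(fields) >= 2 and is_ip(fields[0]):      # hosts file: IP hostname
        return normalize(fields[1]), False
    if fields[0].startswith("*."):                 # wildcard domain list
        return normalize(fields[0][2:]), True
    return normalize(fields[0]), False             # plain domain or URL


def verdict(domain, covers_subdomains, target=KILL_SWITCH):
    """Classify one entry against the kill-switch host."""
    if domain == target or (covers_subdomains and target.endswith("." + domain)):
        return "BLOCKS"
    if target.endswith("." + domain) and domain.count(".") >= 1:
        # Parent domain listed as an exact match: harmless in a hosts file,
        # but some products treat such entries as suffix matches (assumption).
        return "REVIEW"
    return None


def audit_blocklist(text, target=KILL_SWITCH):
    """Return [(line_number, verdict, raw_line)] for entries needing attention."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_entry(raw)
        if entry is None:
            continue
        result = verdict(*entry, target=target)
        if result:
            findings.append((lineno, result, raw.strip()))
    return findings


def classify_answers(addresses):
    """Interpret the addresses a resolver returned for the kill-switch host."""
    if not addresses:
        return "UNRESOLVABLE"
    ips = [ipaddress.ip_address(a) for a in addresses]
    if all(ip.is_unspecified or ip.is_loopback for ip in ips):
        return "NULL-ROUTED"   # typical of local DNS or hosts-file blocking
    return "RESOLVES"


def resolve(host=KILL_SWITCH):
    """Ask the local resolver for addresses; returns [] on failure."""
    try:
        infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0].split("%")[0] for info in infos})


# Constructed sample blocklist mixing the three formats handled above.
SAMPLE_BLOCKLIST = """\
# constructed sample, not a real vendor feed
0.0.0.0 ads.example.net
0.0.0.0 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
||iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com^
iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
*.example.com
http://WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM/  # URL-style feed entry
"""

if __name__ == "__main__":
    for lineno, result, raw in audit_blocklist(SAMPLE_BLOCKLIST):
        print(f"line {lineno}: {result:6} {raw}")
    print("resolver:", classify_answers(resolve()))
```

Run against the rule files a firewall or DNS filter actually imports, any BLOCKS line is an entry to allow-list, and a NULL-ROUTED or UNRESOLVABLE resolver result on an internal host means the check described in the post cannot succeed from that network.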

Global 'Wana' Ransomware Outbreak Earned Perpetrators $26,000 So Far

Krebs <lauren@vortex.com>

Date: Sat, 13 May 2017 16:11:39 -0700

NNSquad https://krebsonsecurity.com/2017/05/global-wana-ransomware-outbreak-earned-perpetrators-26000-so-far/

As thousands of organizations work to contain and clean up the mess from this week's devastating Wana ransomware attack, the fraudsters responsible for releasing the digital contagion are no doubt counting their earnings and congratulating themselves on a job well done. But according to a review of the Bitcoin addresses hard-coded into Wana, it appears the perpetrators of what's being called the worst ransomware outbreak ever have made little more than USD $26,000 so far from the scam.

The Joy of Tech comic: The Internet of ransomware things!

GeekCulture <lauren@vortex.com>

Date: Sat, 13 May 2017 11:32:42 -0700

via NNSquad

http://www.geekculture.com/joyoftech/joyarchives/2340.html

Vehicle lien recorded in name of cartoon characters

Mark Brader <msb@vex.net>

Date: Thu, 11 May 2017 15:13:01 -0400 (EDT)

Apparently, some time ago someone in the Ontario provincial government's computer systems was running a test simulating the addition of a lien to the information record about someone's vehicle. For the lienholder's name they used fictional characters from the old animated TV show "The Flintstones" -- but for the vehicle they used a real VIN.

Result: the 75-year-old woman who owned the vehicle found herself blocked from selling it until the bogus lien was cleared. Apparently this took 9 months, but the matter only became public this week.

Naturally, the government is saying this was the only such case and it won't happen again, while the opposition takes a different view...

http://www.cbc.ca/news/anykey-1.4109296

Cochrane Report on IHealth EHR: Lessons for engaging users to provide QA feedback

Island Health via Kelly Bert Manning <Kelly.Manning@ncf.ca>

Date: Mon, 8 May 2017 12:02:38 -0400 (EDT)

http://ihealth.islandhealth.ca/2016/11/the-cochrane-report/
http://ihealth.islandhealth.ca/wp-content/uploads/2016/11/Summary-of-Recommendations.pdf
http://ihealth.islandhealth.ca/wp-content/uploads/2016/11/ihealth-review-2017.pdf
http://vancouverisland.ctvnews.ca/video?clipId=1115112

"Issue reporting and resolution

At roll out, when users were highly supportive and enthusiastic, they actively engaged in reporting issues of performance, usability and safety. At the time, reporting was accepted through multiple sources including the Patient Safety Learning System (PSLS), health informaticists, the Help Desk, emails, red dot reports and meetings. Peer mentors and informaticists were actively engaged in addressing issues as they arose.

Unfortunately, follow up with users that had reported a concern was inconsistent. Many users reported an absence of feedback. The reasons for the lack of feedback are not clear but may relate to the volume of issues being reported and Island Health's capacity to address them. As a result, from the users' perspective, many issues remained unexplained and unresolved, undermining confidence in the safety of the system and the effectiveness of the reporting systems. Users stopped reporting because of fatigue and the lack of feedback.

Some individuals who provided reports perceived that those responding to issues were transferring responsibility to the users. Explanations for issues included user error, bad habits, and users failing to remember. Island Health's reactions were described by interviewees as punitive and involved public shaming and bullying (see emotional responses below). It was claimed that there were no gaps in education or training, but rather gaps in remembering and a lack of engagement of staff for voluntary learning."

In a previous job a "Creating Satisfied Customers" course taught that a lack of problem reports indicates a failed system for users to report concerns, get status updates and see that concerns are addressed and resolved in a timely fashion.

Many customers will choose another service provider or product if one is available, and they keep encountering issues.

A minority of users will try to follow the problem reporting process. Most will give up if they find it too much bother to complete and they keep encountering issues.

Most will not bother to continue to report issues if they get no resolution to the initial issue reports.

Very few will persist in requesting follow up status reports, particularly if there is no regular feedback or perceived resolution. They just give up.

Microsoft patches Windows XP to fight 'WannaCrypt' attacks

Engadget via LW <lauren@vortex.com>

Date: Sat, 13 May 2017 08:22:23 -0700

via NNSquad https://www.engadget.com/2017/05/13/Microsoft-WindowsXP-WannaCrypt-NHS-patch/

Microsoft officially ended its support for most Windows XP computers back in 2014, but today it's delivering one more public patch for the 16-year-old OS. As described in a post on its Windows Security blog, it's taking this "highly unusual" step after customers worldwide including England's National Health Service suffered a hit from "WannaCrypt" ransomware. Microsoft patched all of its currently supported systems to fix the flaw back in March, but now there's an update available for unsupported systems too, including Windows XP, Windows 8 and Windows Server 2003, which you can grab here (note: if that link isn't working then there are direct download links available in the Security blog post).

Sure, now that the spread has apparently been largely contained through other means, Microsoft shows up, a day late and a dollar short, as usual.

Malware and The Cloud

Lauren Weinstein <lauren@vortex.com>

Date: Sat, 13 May 2017 13:31:04 -0700

via NNSquad https://plus.google.com/+LaurenWeinstein/posts/cMA7HsuR7UC

I might note that there's a strong argument to be made that many of these systems crippled by the current malware epidemic by all rights should have instead had their data in the cloud, where professionals are able to keep security and privacy parameters up to date. Successful attacks are becoming more common with virtually every OS. And most systems in homes and offices are not adequately backed up—if they're backed up at all. Fundamentally, this tech has become too integral to society and too complex for amateurs to maintain by themselves in the long run.

[On the other hand, RISKS readers understand that the "cloud" is not all that secure, and still entails [I originally wrote entrails] many risks, even though many cloud providers might have better security than small institutions, and a very large one—evidently, most of the U.S. Government! PGN]

"How the Macron campaign slowed cyberattackers"

Fahmida Y. Rashid <genew@telus.net>

Date: Tue, 09 May 2017 10:12:57 -0700

Fahmida Y. Rashid, InfoWorld, 9 May 2017

Did the French president-elect's security team use cyberdeception techniques to fight off phishing attacks? Submitting fake credentials definitely qualifies http://www.infoworld.com/article/3195018/security/how-the-macron-campaign-slowed-cyber-attackers.html

opening text:

In the wake of French president-elect Emmanuel Macron's victory over Marine Le Pen, IT armchair quarterbacks should look at the Macron campaign's security playbook for ideas on how to fight off targeted phishing and other attacks.

Counter intelligence in the French elections - this changes cybersecurity forever.

Gadi Evron <gevron@gmail.com>

Date: Tue, 9 May 2017 21:33:09 +0300

I'm extremely excited about what happened at the French elections. Up until today, when it comes to information operations, I could only look up to Russia. What (supposedly, we don't really know too much yet) happened in France changes all that.

Add supposedly and likely to every sentence:

1. They seeded attack attempts with data that will slow them down. Sending credentials to phishing attempts.
2. They created a few fake documents, which allowed them when the time came to cast doubt on the entire data dump.

I wrote a full analysis based on what is currently known here, I hope you enjoy it: https://hackernoon.com/analyzing-a-counter-intelligence-cyber-operation-how-macron-just-changed-cyber-security-forever-22553abb038b

I am so excited a public case exists that shows thinking of the type I love and live. With cyberdeception they have essentially shown they can increase the economic costs of the attackers to shift the burden of anomaly detection to them. I've bet my career and life on starting Cymmetria to do this, and now—finally, someone else is thinking the same way I do, and more than that, actively working on cyberdeception to control the battle ground and act dynamically.

Interesting side-note: Late last year the various French political parties were summoned to a government brief on phishing attacks. All but one came to the meeting.

Facebook takes to newspapers to teach UK users how to spot "fake news"

Ars Technica <lauren@vortex.com>

Date: Mon, 8 May 2017 08:07:02 -0700

via NNSquad https://arstechnica.com/business/2017/05/facebook-fake-news-newspaper-ad/

Facebook has attempted to lightly rein in the spread of misinformation on the free content ad network by taking out full-page adverts in UK newspapers with "tips for spotting false news" ahead of next month's General Election. The Mark Zuckerberg-run company, which has long-swerved any suggestion that it is the publisher of content that is shared on its site by nearly two billion people worldwide, makes it clear in its press ad that the onus is on its users to police dodgy-looking posts. "Be skeptical of headlines," it warned. Apparently, "catchy headlines in all caps with exclamation marks" could contain false news and users should be wary of clicking on clickbaity, screeching claims.

"HP computer owners: Check for the MicTray Conexant keylogger"

Woody Leonhard via Gene Wirchenko <genew@telus.net>

Date: Thu, 11 May 2017 15:27:19 -0700

Woody Leonhard, InfoWorld, 11 May 2017 The Conexant audio driver logs all keystrokes on certain HP machines and publishes them to a file in the Public folder http://www.infoworld.com/article/3196125/data-security/on-hp-computers-check-for-the-conexant-keylogger-called-mictray.html

selected text:

Swiss security firm modzero AG released a white paper (PDF) that contains details about a keylogger in certain HP audio drivers. The keylogger stores records of all of your keystrokes in a file located in the public folder C:\Users\Public\MicTray.log.

The Security Advisory goes on to list almost 30 HP machines known to use the bad drivers, ... including many current models.

Modzero says it found evidence of the problematic behavior going all the way back to December 2015. It's still there today with driver Version 1.0.0.46.

If the logfile does not exist or the setting is not yet available in Windows registry, all keystrokes are passed to the OutputDebugString API, which enables any process in the current user-context to capture keystrokes without exposing malicious behavior.

I have no idea how the driver passed Microsoft certification, but apparently it has.

Modzero isn't happy with the runaround it's getting from HP. The group says it discovered the keylogger in MicTray 1.0.0.31 back on April 28. Modzero contacted Conexant the same day, and when the keylogger was found in the latest audio drivers, it contacted HP Enterprise on May 1. Then on May 5, modzero got a response from HP Enterprise, which "tried to reach for security folks at HP Inc. to gain attention." Looks like HP Enterprise and HP Inc. aren't talking to each other—I bet they start talking now.

[Also noted by Al Mac;

https://www.modzero.ch/modlog/archives/2017/05/11/en_keylogger_in_hewlett-packard_audio_driver/index.html
https://consumerist.com/2017/05/12/keylogging-spyware-found-on-dozens-of-hp-laptop-models/
https://thenextweb.com/insider/2017/05/11/hp-is-shipping-audio-drivers-with-a-built-in-keylogger/#.tnw_OV69vf8G
HP list of their models affected: https://www.modzero.ch/advisories/MZ-17-01-Conexant-Keylogger.txt

... and Bob Gezelter: https://arstechnica.com/security/2017/05/hp-laptops-covert-log-every-keystroke-researchers-warn/

PGN]

MUST READ "Open MIC" report: Corporate responsibility in an age of alternative facts -- with emphasis on Facebook and Google

Lauren Weinstein <lauren@vortex.com>

Date: Tue, 9 May 2017 10:40:40 -0700

NNSquad http://fakenews.openmic.org/

Among the recommendations discussed in this report:

To avoid government regulation and/or corporate censorship of information, tech companies should carry out impact assessments on their information policies that are transparent, accountable, and provide an avenue for remedy for those affected by corporate actions.

Tech companies should appoint ombudspersons to assess the impact of their content algorithms on the public interest.

Tech companies should report at least annually on the impact their policies and practices are having on fake news, disinformation campaigns and hate speech. Reports should include definitions of these terms; metrics; the role of algorithms; the extent to which staff or third-parties evaluate fabricated content claims; and strategies and policies to appropriately manage the issues without negative impact on free speech.

China Is on Track to Fully Phase Out Cash

Motherboard <lauren@vortex.com>

Date: Fri, 12 May 2017 21:06:29 -0700

via NNSquad https://motherboard.vice.com/en_us/article/china-cashless

Experts believe it won't be long before China, the first country to introduce paper money, becomes the first to go totally cashless.

The better to track you by, my dear.

Sony PlayStation leads to the arrest of 15-member gang

Diomidis Spinellis <dds@aueb.gr>

Date: Tue, 9 May 2017 12:19:48 +0300

A Sony PlayStation helped the police arrest 15 members of a gang that specialized in stealing company safes in Greece last week. According to the police's press release [1], the gang members were involved in 145 cases, including 58 armed robberies, 52 burglaries, and 24 car thefts. In order to evade detectives, the gang used hundreds of cellphones, stolen cars, fake license plates, and diverse hideouts. The "Kathimerini" daily newspaper reports [2] that one of the leads that helped the police to narrow down on the gang's members was a Sony PlayStation. In December 2016 the gang stole from a company 700 euros and a truck with 2179 PlayStation consoles. The police, in cooperation with Sony and the local ISPs, found that one of the stolen consoles was used the next day at the house of one of the gang members.

[1] http://www.astynomia.gr/index.php?option=ozo_content&lang=%27..%27&perform=view&id=71085&Itemid=1883&lang
[2] http://www.kathimerini.gr/908617/article/epikairothta/ellada/lhstes-twn-xrhmatokivwtiwn-to-krhsfygeto-sto-menidi-o-arravwnas-kai-to-klemmeno-playstation

Diomidis Spinellis - https://www.spinellis.gr/

UK Telecomms Service Stopped by Bureaucracy

Chris Drewe <e767pmk@yahoo.co.uk>

Date: Thu, 11 May 2017 21:26:23 +0100

RISKS has featured telecomms services stopped by hack attacks, software faults, infrastructure failures, and so forth, but one UK network has been disabled by officialdom, according to reports in a couple of newspapers. Years ago, pagers were widely used to keep in contact with people on the move, but their use has greatly declined with the popularity of cellphones, and the UK currently only has two service providers, PageOne, owned by Capita, and Vodafone. Vodafone wanted to transfer its 1,000 users to PageOne, but the UK Competition and Markets Authority objected and wanted a full investigation, which Vodafone didn't want to get involved with for such a tiny market, so announced that it will simply close its service...

Crash with Impact

The New York Times <pinknoiz@me.com>

Date: Sat, 13 May 2017 12:36:24 -0700

https://www.nytimes.com/2017/04/22/us/politics/james-comey-election.html

FBI agents in New York seized Mr. Weiner's laptop in early October. The investigation was just one of many in the New York office and was not treated with great urgency, officials said. Further slowing the investigation, the F.B.I. software used to catalog the computer files kept crashing.

NYU Accidentally Exposed Military Code-Breaking Computer Project to Entire Internet

Sam Biddle <geoff@iconia.com>

Date: Thu, 11 May 2017 11:22:31 -1000

Sam Biddle, The Intercept, 11 May 2017 https://theintercept.com/2017/05/11/nyu-accidentally-exposed-military-code-breaking-computer-project-to-entire-internet/

In early December 2016, Adam was doing what he's always doing, somewhere between hobby and profession: looking for things that are on the Internet that shouldn't be. That week, he came across a server inside New York University's famed Institute for Mathematics and Advanced Supercomputing, headed by the brilliant Chudnovsky brothers, David and Gregory. The server appeared to be an Internet-connected backup drive. But instead of being filled with family photos and spreadsheets, this drive held confidential information on an advanced code-breaking machine that had never before been described in public. Dozens of documents spanning hundreds of pages detailed the project, a joint supercomputing initiative administered by NYU, the Department of Defense, and IBM. And they were available for the entire world to download. [...]

Confidential patient data breach at NYC's Bronx Leb Hospital

Data Breaches via danny burstein <dannyb@panix.com>

Date: Wed, 10 May 2017 21:36:36 -0400 (EDT)

Third party vendor, rsync backups...

https://www.databreaches.net/confidential-medical-records-from-bronx-lebanon-hospital-exposed-online-by-vendors-error/

Security Alert from Intel concerning Business-grade Processors with detection tool -- followup

Bob Gezelter <gezelter@rlgsc.com>

Date: Mon, 08 May 2017 09:30:25 -0700

The security vulnerability involving Intel involves more than servers; business laptops are also vulnerable. Advice is to run the Intel tool to determine vulnerability, then get the update from the manufacturer. The Intel article also includes interim mitigation information.

Intel has released detailed notes on checking for the vulnerability. See https://downloadcenter.intel.com/download/26755

An extensive article also appeared in The Register at:

https://arstechnica.com/security/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/

"Supply chain attack on HandBrake video converter app hits Mac users"

Lucian Constantin <genew@telus.net>

Date: Mon, 08 May 2017 11:41:55 -0700

Lucian Constantin, ComputerWorld, 8 May 2017 Mac users who downloaded the app earlier this month may have their computers infected with the Proton Trojan program http://www.computerworld.com/article/3194935/security/supply-chain-attack-on-handbrake-video-converter-app-hits-mac-users.html

selected text:

Hackers compromised a download server for HandBrake, a popular open-source program for converting video files, and used it to distribute a macOS version of the application that contained malware.

The HandBrake development team posted a security warning on the project's website and support forum on Saturday, alerting Mac users who downloaded and installed the program from May 2 to May 6 to check their computers for malware.

This is just the latest in a growing string of attacks over the past few years in which attackers compromised software update or distribution mechanisms.

Last week Microsoft warned of a software supply-chain attack in which a group of hackers compromised the software update infrastructure of an unnamed editing tool and used it to distribute malware to select victims: mainly organizations from the financial and payment processing industries.

This is not the first time Mac users have been targeted through such attacks either. The macOS version of the popular Transmission BitTorrent client distributed from the project's official website was found to contain malware on two separate occasions last year.

The FCC says an attack -- not John Oliver -- hampered its website

The Washington Post <monty@roscom.com>

Date: Mon, 8 May 2017 22:09:58 -0400

The FCC says an attack—not John Oliver—hampered its website. John Oliver renewed a call asking his viewers to support net neutrality rules. https://www.washingtonpost.com/news/the-switch/wp/2017/05/08/the-fcc-says-an-attack-not-john-oliver-hampered-its-website/

U.S. military cyber operation to attack ISIS last year sparked heated debate over alerting allies

The Washington Post <monty@roscom.com>

Date: Tue, 9 May 2017 09:40:03 -0400

The Pentagon wanted to target servers in allied countries, but CIA, State and FBI said those nations had to be notified. https://www.washingtonpost.com/world/national-security/us-military-cyber-operation-to-attack-isis-last-year-sparked-heated-debate-over-alerting-allies/2017/05/08/93a120a2-30d5-11e7-9dec-764dc781686f_story.html

Re: Someone hacked every tornado siren in Dallas. It was loud.

Jim Reisert <jjreisert@alum.mit.edu>

Date: Wed, 10 May 2017 11:24:41 -0600

Denver, CO has upgraded their tornado warning system:

http://www.thedenverchannel.com/news/local-news/tornado-warning-system-in-denver-upgraded-after-dallas-hacking-incident

I love this paragraph:

"The sirens in Denver can be activated from the OEM, Denver 911, or at DIA. The city holds 86 sirens. Each of them received new hardware, making it impossible for anyone to take over the system."

I wonder who will consider this a challenge?

Progress To Date on Deepwater Horizon

Earl Boebert <bitsmasherpress@gmail.com>

Date: Mon, 8 May 2017 14:36:50 -0600

[This is a follow-up to earlier items on the book by Earl Boebert and James Blossom (RISKS-29.80), at my request. PGN]

It's always a tense situation when you release a complex technical analysis like our Deepwater Horizon book, one that I am familiar with from the many National Academies studies I've been on: Is somebody going to appear from nowhere and invalidate one of your main conclusions? The book came out in October and so far the answer is, "not yet, anyway." Reviews have been sparse but good, and our informal working group has been joined by readers, including the person who ran the simulations for the Chemical Safety Board report. As a result of his work, the group thinks we have a plausible theory for what failed down in the well. We'll be writing this up and adding it to the website soon. It suggests an answer to the last outstanding question, but doesn't invalidate any of the conclusions in the book.

Re: The Lost Picture Show

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>

Date: Tue, 9 May 2017 14:05:50 -0500

We have a couple of obsolete drives sitting on the shelf in a server room. At this point

a) I don't know what interface they have (some flavour of scsi I expect) but I'm certain we don't have a computer with that kind of interface card and

b) I am fairly certain the lubricants have solidified and rubber belts, if any, will either crack and turn into black dust, or ooze into a sticky black goo, the moment one tries to use them.

In theory you could retain the hardware indefinitely, but you have to choose that hardware very carefully first.

Re: The Lost Picture Show

Gabe Goldberg <gabe@gabegold.com>

Date: Sat, 13 May 2017 11:29:23 -0400

Hardware deteriorates (bearings, lubrication, plastics, connections, etc.). I wouldn't trust a ten-year-old drive to reliably spin up, let alone one reaching back far further to read irreplaceable/historical archive tapes. Since it'll be hard to acquire spare parts, how many copies of each data generation's hardware would be needed? Then there's needing people experienced in servicing them, plus manuals and schematics. And needing computers capable of connecting to and driving them. And, of course, tapes themselves deteriorate too.

Re: The Lost Picture Show

Brian Inglis <Brian.Inglis@systematicsw.ab.ca>

Date: Wed, 10 May 2017 21:31:38 -0600

> It most certainly does *not* mean that. It might mean that film
> archivists must retain hardware capable of reading the obsolescent
> tapes.

In order to do that, film archivists must have the capability to: archive the tapes in readable condition; maintain hardware and their interfaces, and spares for those; software to use those interfaces; documentation and media for the hardware, software, operation, and maintenance; and retain staff able to use and maintain those; to read the tapes, recover data going bad, and write the contents to new media.

A rather larger set of requirements and risks to manage. The biggest risk is probably retention of tech staff interested in and capable of maintaining obsolescent hardware and software for years.

Organizations may weight the risks and costs differently to choose their most effective approach.

Re: The Lost Picture Show

Jeff Jonas <jeffj@panix.com>

Date: Wed, 10 May 2017 02:31:31 -0400 (EDT)

I'd say it goes both ways.

Libraries are digitizing cylinder recordings to make them available, but they keep the original recordings, particularly as new developments allow for more faithful recreation of the sound. But there's a video of a fellow holding a priceless cylinder recording that shatters. Multiple copies on various media guard against that, particularly if at various locations.

I'm keeping my LPs because I have turntables, but they're useful only to folks with turntables.

But magtape, 8" floppy disks, QIC tapes and other computer media are problematic because few drives are available to read them. Even drives in storage self-destruct as rubber parts either dry up and crack, or turn to chewing-gum. So then the problem becomes preserving the drives to preserve the ability to read archives, vs. copying up to current media readable by just about anyone.

[Overlapping comments from Erling Kristiansen. PGN]

Re: Man gets fined for discovering an engineering flaw

John Levine <johnl@iecc.com>

Date: 9 May 2017 19:38:42 -0000

It's true that they fined him for calling himself an Engineer, and these days, that is ridiculous. It is also clear from the context that they did so out of malice, because they didn't like what he said about red light cameras that generate ticket revenue.

In Oregon, the semi-independent Board of Examiners for Engineering and Land Surveying licenses professional engineers and has for a long time. PEs sign blueprints and similar safety critical documents. Every state has a similar PE licensing system, and it's an important part of what keeps our roads and bridges and oil refineries and other construction projects safe. Some engineering grads do the extra work to get a PE license, some don't, depending on whether they plan a career that involves stuff that PEs have to sign.

For example, my father has two engineering degrees but never got a PE license because he designed and built airplane fuel gauges and other electronic instruments for which the license isn't relevant. He has never called himself a PE because he isn't one. Nonetheless he is a life member of the IEEE (and before that a member of the ISA and IRE.)

In sensible places, which I think includes the other 49 states, they regulate the term Professional Engineer. When I look at the Oregon law, it is ambiguously written, about whether the regulated term is professional engineer or plain engineer, and it was a mistake not to challenge the $500 ticket in the first place. Given the wide usage of the term engineer to refer to people who don't have a license, I expect courts would throw it out on first amendment grounds. Perhaps the IEEE, which welcomes both licensed and unlicensed engineers, would offer an amicus brief.

PS: I agree that calling people "Software Engineers" is an egregious misuse of language. So-called software engineers don't have any of the training that actual engineers do, other than perhaps taking a few of the same courses in school.

I realize the software engineer horse has long left the barn, there is a fairly well agreed definition of what such a person does, and no sensible person confuses us with a licensed PE.

Re: Senseless Government Rules Could Cripple the Robo-Car Revolution

Mike Spencer <mspencer@tallships.ca>

Date: Tue, 9 May 2017 17:51:39 -0300

If vehicles are to have minds of their own, maybe it's time for everyone to re-read Valentino Braitenberg's Vehicles—Experiments in Synthetic Psychology. (MIT Press, 1984).

Re: Bobby Tables and electoral fraud

Dave Horsfall <dave@horsfall.org>

Date: Wed, 10 May 2017 07:14:36 +1000 (EST)

Jeremy Epstein wrote:

> Not disputing that it's a potential threat; just for the record it appears to have been unsuccessful.

No claim was made that it was successful; in fact, upon studying the item again it was clearly intended as a joke (the SQL appears to be preceded by "pwn", which is of course cracker slang for "broke into").

But yes, that was seven years ago, and as Bruce Schneier is always saying, attacks only get better over time...

Re: Bobby Tables and electoral fraud

Kelly Bert Manning <Kelly.Manning@ncf.ca>

Date: Tue, 9 May 2017 18:17:42 -0400 (EDT)

"(Basically it injects a "DROP TABLE" command.)"

And?

In DB2 the running process would have to be authorised for the DROP Table action in that particular named Tablespace.

How common is that? Is Drop Table less Restricted in other Relational DB Management Systems?

I will concede that my experience has been that a number of IMS and CICS developers GRANT EXECUTE on DB2 Plans to PUBLIC, even though they have the option to restrict that GRANT to a particular named CICS or IMS subsystem. Even then, CREATE and DROP tablespace should involve scratch pad or work tablespaces which are intended to be used for transient data, not the same tablespaces used for long term data. The running process should not be using a DB Admin or Developer ID.

I pointed out to Security Admins and Sys Admins that a GRANT to PUBLIC without limiting the scope to a named subsystem meant that programmers with a screw loose or axe to grind could invoke the program from batch, TSO... They told me that I was being too paranoid, so I applied that restriction to my own work and didn't pursue it for the entire server.

My 1st 1979 IMS project involved a contractor who inspired a policy that a tape should never be sent offsite without a Group Data Security Admin signature. Years later I saw him in the middle of a Group Photo when I started a new job and asked "Oh, Does first name last name work here?".

That was met with a sudden silence. I told the story of my interaction with him and was told that the 1st time he had been on the overnight on call support rotation the phone number he had given turned out to be for "Dial a Prayer".

My new manager took to having me vet the names of potential hires. If I didn't recognise the name I could often dig up work related comments such as showing up after office hours when a manager was working alone, with a shotgun, to dispute work assignments.

As I wrote, some folks just have a screw loose, no matter how technically brilliant they may be.
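The authorisation point raised in the message above, as an added example that is not part of the original post: Python's `sqlite3` authorizer callback stands in for the DB2 privilege check (SQLite has no GRANT), so the same injected input is tried against an over-privileged and a restricted application connection. The `voters` table, the function names and the injected string are constructed for illustration.

```python
import sqlite3

# Constructed input in the style of the joke discussed in the thread.
INJECTED = "Robert'); DROP TABLE voters;--"

def app_authorizer(action, arg1, arg2, db_name, source):
    # Stand-in for the DBMS privilege check (an assumption, not DB2 itself):
    # the application ID may read and write rows but may not DROP tables.
    if action == sqlite3.SQLITE_DROP_TABLE:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK

def new_db(restricted):
    # Schema is created before the restriction is applied, as an admin would.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE voters (name TEXT)")
    conn.commit()
    if restricted:
        conn.set_authorizer(app_authorizer)
    return conn

def table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='voters'"
    ).fetchone()
    return row[0] == 1

def register_concatenated(conn, name):
    # Deliberately unsafe: input is spliced into the statement text.
    try:
        conn.executescript(f"INSERT INTO voters (name) VALUES ('{name}');")
        return "executed"
    except sqlite3.Error:
        return "refused"

def register_parameterised(conn, name):
    # Input is bound as data and never becomes SQL text.
    conn.execute("INSERT INTO voters (name) VALUES (?)", (name,))
    conn.commit()
    return "executed"

def run(restricted, safe_query):
    # Returns (outcome of the registration call, whether the table survived).
    conn = new_db(restricted)
    register = register_parameterised if safe_query else register_concatenated
    return register(conn, INJECTED), table_exists(conn)

if __name__ == "__main__":
    for restricted in (False, True):
        for safe_query in (False, True):
            print(restricted, safe_query, run(restricted, safe_query))
```

The restricted connection still accepts the first, legitimate-looking INSERT from the concatenated statement; withholding DROP limits the damage, while binding parameters removes the injection itself.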