RISKS Digest 29.1

Saturday 3 October 2015

NSA's Trojan Horse Scored Gold at Athens Olympics

Henry Baker <>

Date: Wed, 30 Sep 2015 10:13:42 -0700

The NSA—with the secret approval of the Greek govt—installed a malware implant that utilized existing 'lawful intercept' capabilities of the Ericsson system to spy during the Athens Olympics. But since the 'lawful intercept' capabilities of the Ericsson system had never been legally approved or paid for, the logging function of the 'lawful intercept' system was never turned on.

However, post-Olympics, the implants were not only not removed, but upgraded to subsequently spy on the the top officials of the Greek govt. The Ericsson telephone system in Greece became a *roach motel*—the NSA implants checked in, but they never checked out.

We now know why FBI Director Comey loves 'lawful intercept' capabilities of phone systems so much; they supply a substantial attack surface that's easy to subvert!

Incredible irony: in the ancient Greek world, the "Olympic Truce" protected the Games from war-like behavior:

'During the Truce period (lasting up to three months), wars were suspended, armies were prohibited from threatening the Games, legal disputes were stopped, and death penalties were forbidden'

'2004 Athens Summer Games: The Olympic Truce was promoted through Olympic Flame Relay [NSA's "Olympic Frame Relay" !?!] events. The UN supported the IOC in asking the nations of the world to stop all wars for 16 days during the Games.'

Some quotes from this too-long article:

“The world will be watching and so will NSA!''

“The key to the operation was hijacking a particular piece of software, the `lawful intercept' program.''

“Exploiting the weaknesses associated with lawful intercept programs was a common trick for NSA.''

“But without the IMS [logging] program there would be no audit trail.''

'But less than a week later, long after the Olympic Torch had been extinguished, new malware was implanted.'

“They [NSA] said when the Olympics is over, we'll turn [the interception capability] off and take it away. And after the Olympics they turned it off but they didn't take it away and they turned it back on and the Greeks discovered it.''

“They never [remove the malware implants]. Once you have access, you have access. You have the opportunity to put implants in, that's an opportunity.''

“From the very start, according to a former senior Greek official involved in the investigation, there was no doubt within the highest levels of government that the U.S. was behind the bugging.''

Snowden docs pertinent to the Athens Olympic Trojan Horse:

James Bamford, A Death in Athens: Did a Rogue NSA Operation Cause the Death of a Greek Telecom Employee?, 29 Sep 2015

Documents published with James Bamford's item:

Another Successful Olympics Story Exploiting Foreign Lawful Intercept Roundtable Gold Medal Support for Olympic Games NSA Team Selected for Olympics Support SID Trains for Athens Olympics

Xerox "more secure" Supply Chain

Gizmodo via AlMac <>

Date: Tue, 29 Sep 2015 18:49:23 -0500

Some new technology comes out, which we are told is so much more secure than the prior alternatives, as to be fool proof, until history repeats with the new stuff. But we were also told something similar when the older technology first came out.

We are now told that the following are no good:

. Bar codes; . Holograms; . RFID chips.

I do not see what, conceptually, the new Xerox printed memory, is doing which could not be done with RFID chips, other than maybe expense. I wonder how printers to generate such labels, compare in cost to other alternatives. In my former day job, we had a supply chain tracking label system which added $ 0.001 to unit product cost, but some supply chain participants opted out of even that, because lowest possible cost was more important to them than: supply chain tracking; counterfeit and defect avoidance; or inventory accuracy.

Thin flexible memory chips are printed on a product label. This memory is re-writable via wi fi reader in a smart phone, or other hand held device, with or without Internet connection. Encryption theoretically limits access to the many thousands of business enterprises authorized to be in the supply chain, many of which have probably been hacked. We are not told about any back door which NSA may have requested.

In theory, supply chain tracking tech, wants to help businesses keep track of their inventory, maximize quality at minimum cost, back trace defects to responsible parties, and not fall prey to actions of crooks, and other parties, interested in:

. Selling counterfeits (Last year Uncle Sam confiscated $ 1.2 billion in counterfeit goods);

. Manipulating prices (when store checkout uses price inside this tech, some people buy it almost for free);

. Preventing shop lifting (consumer walks out door, with merchandise the check out person has not yet deactivated);

. Finding new hacker pathways;

. Delivering malware;

. Violating privacy.

Each upgrade needs to consider security against all risks, and consider all needs.

Otherwise upgrading, for one purpose, can invite vulnerabilities in other areas.

This may be old news, but I just found out about it.

Newly found TrueCrypt flaw allows full system compromise

PGN <>

Date: Wed, 30 Sep 2015 0:54:04 PDT

IT World is reporting this! Recall that Truecrypt was WITHDRAWN by its developer(s), perhaps a year ago, under circumstances that were never quite clear.

Google's Cute Cars And The Ugly End Of Driving

Lauren Weinstein <>

Date: Thu, 1 Oct 2015 08:53:57 -0700

The main thing you should know about autonomous vehicles is that they are utterly inevitable.

Leaving aside technical, financial, and cultural issues for the moment, the question I'd really like to see us thinking about now—before we really need the full answers—is how we're going to prevent mass government abuse of these vehicles.

The amount of video and other data these vehicles will be collecting will be immense. You can bet governments will want it, both in individual cases and en masse. Governments will want to know where every car is or was, every moment. They will make license plate scanners totally obsolete.

They will want remote control capabilities. Whether or not vehicles can be started. Whether they will keep running or automatically pull over to the side of the road to await a police vehicle (or drive into the nearest police station, with the windows and doors locked?) if they believe a suspect is inside. Whether or not you can drive if you haven't been paying your bills or are having a legal dispute. They will want the ability to block all vehicles from areas where they don't want to be observed, and shoo all vehicles already there out of the area. This means individual and en masse remote control. Pretty powerful stuff.

And remote control is likely to come irrespective of law enforcement, because it's the most practical way to deal with situations beyond the scope the car's AI (unusual weather or road conditions, accident and construction sites with authorities giving voice instructions to drivers, etc.), assuming a human driver capable of taking over in such situations is not present.

Remote control capabilities for authorities are also likely to be mandated at some point due to LEO concerns (already being widely discussed) of unoccupied vehicles (the "vehicle on demand" scenario) being used in criminal or terrorist plots.

Most of these issues have already been covered quite convincingly by prescient science fiction for many decades.

Autonomous vehicle proponents would do well to consider how they're going to respond to government demands along these lines. 'Cause you can be sure that there are teams already in governments around the world brainstorming about their side of this equation.

Nerves rattled by highly suspicious Windows Update

Ars <>

Date: Wed, 30 Sep 2015 12:03:01 -0700

People around the world are receiving a highly suspicious software bulletin through the official Windows Update, raising concerns that Microsoft's automatic patching mechanism may be broken or, worse, has been compromised to attack end users. This Web search, which queries the random-appearing string included in the payload, suggests that it's being delivered to people in multiple regions. The same unexplained and almost certainly unauthorized patch is being reported in a variety of online posts, including this one hosted by Microsoft. The updates appear to be coming directly from servers that are cryptographically certified to be part of Microsoft's Windows Update system.

Not clear what's going on here yet.

France pushes for global surveillance

EFF <>

Date: Thu, 1 Oct 2015 21:13:31 -0700

France's Government Aims to Give Itself--and the NSA--Carte Blanche to Spy on the World [EFF via NNSquad]

By legalizing France's own plans to spy on the rest of the world, France would take a step to establishing the NSA model as an acceptable global norm. Passing the law would undermine France's already weak surveillance protections for its own citizens, including lawyers, journalists and judges. And it would make challenging the NSA's practices far more difficult for France and other states.

You'll recall France is also pushing for its "Right To Be Forgotten" censorship to apply globally.

Michael Chertoff on encryption, etc.

HuffPost <>

Date: Sat, 3 Oct 2015 08:04:46 -0700

If you can't lock your door, you can't maintain the privacy of your home. If you can't encrypt your phone, you can't keep your personal data private, either. As tech companies and law enforcement agencies clash over encryption, security and privacy, a former Bush administration official is coming down forcefully on the side of technology that supports civil liberties rather than erodes them. Michael Chertoff, who served under President George W. Bush as the nation's second Secretary of Homeland Security, suggested to The Huffington Post that using encryption to keep your data or messages personal is like having a quiet, private conversation between friends.

Chertoff is an interesting character. Given his actions in the Bush administration, one would not necessarily have predicted his current stance on these issues.

Experian hack exposes 15 million people's personal information

The Guardian and Ars Technica <>

Date: Thu, 1 Oct 2015 17:54:18 -0400

*The Guardian*, 1 Oct 2015>

[Also, Dan Goodin, Ars Technica, 1 Oct 2015: PGN]

Gigabytes of user data from hack of Patreon donations site dumped online

Dan Goodin <>

Date: Fri, 2 Oct 2015 02:11:49 -0400

Dan Goodin, Ars Technica, 1 Oct 2015 The inclusion of source code and databases suggest breach was extensive.

A billion Android phones are vulnerable to new Stagefright bugs

Dan Goodin <>

Date: Fri, 2 Oct 2015 02:17:46 -0400

Dan Goodin, Ars Technica, 1 Oct 2015 Stagefright 2.0 comes as Android users were still recovering from Stagefright 1.

Drop-dead simple exploit completely bypasses Macs malware Gatekeeper

Dan Goodin <>

Date: Fri, 2 Oct 2015 02:26:58 -0400

Dan Goodin, Ars Technica, 30 Sep 2015 A key limitation makes it trivial for attackers to skirt Gatekeeper protections.

UN proposes massive Internet censorship

WashPo <>

Date: Fri, 2 Oct 2015 15:37:25 -0700

The United Nations has a radical, dangerous vision for the future of the Web

At one point toward the end of the paper, the U.N. panel concludes that "political and governmental bodies need to use their licensing prerogative" to better protect human and women's rights, only granting licenses to "those Telecoms and search engines" that "supervise content and its dissemination." In other words, the United Nations believes that online platforms should be (a) generally responsible for the actions of their users and (b) specifically responsible for making sure those people aren't harassers. Regardless of whether you think those are worthwhile ends, the implications are huge: It's an attempt to transform the Web from a libertarian free-for-all to some kind of enforced social commons.

There's no way the UN vision could be implemented without mass global censorship.

Open Office on Ubuntu

SMB via PGN <>

Date: Tue, 29 Sep 2015 17:52:36 PDT

[Noted by Steve Bellovin, in the context of testing for VW misuse:]

By chance, just drifted through my Twitter feed. To summarize: Open Office couldn't print on Tuesdays on some versions of Ubuntu because of a problem with the 'file' command.

Testing is so accurate...

Re: EPA v VW cheatware, AI & "machine learning"

Paul Fenimore <>

Date: Wed, 30 Sep 2015 06:24:40 -0600

I fail to see why there is no clear path forward after discovering VW engineered their vehicles to specifically defeat emissions regulations. Specifically defeating regulations, whether by selecting an adaptive algorithm or some other means, is an unlawful act. The path forward is called criminal and civil sanctions for the perpetrators; hiding the human actions behind a "learning" algorithm is a mis-direction. The car design process from year to year is under the close supervision of the manufacturer: there is no rogue software element here.

This *human* responsibility is acutely important in the VW case: Vehicle emission regulations are life-safety regulations that address the major cause of mortality that arises from treating the open air as a sewer. In the USA, for example, air pollution results in vast numbers of premature deaths. <>

The real question is whether homicide charges are relevant when there is comparative uncertainty about the death of specific individuals as opposed to certainty that in aggregate large numbers of people have been killed by VW's deliberate violation of the law.

Re: VW Scandal

Pete Kaiser <>

Date: Tue, 29 Sep 2015 19:34:23 +0200

In the 1980s I worked as a developer for a software company whose sole product was a big-ticket package sold largely to the US federal government, where the purchasing process included certain standard benchmarks. The complex inner workings of the package included self-checking, plausibility checks, recovery mechanisms, and so forth, and in normal operation those deep inner features couldn't be turned off.

But secretly buried deep in the package by the original developer—the company's sole owner—was code that detected when it was running one of these standard benchmarks, and turned off all the integrity-checking and safety features, giving the performance a boost. I was stunned to find this, and foolishly brought it up to the owner, not with good results for me.

Adblock sells out -- refuses to identify the buyer

NextWeb <>

Date: Fri, 2 Oct 2015 13:58:19 -0700

The Next Web, 2 Oct 2015 [via NNSquad] Adblock extension with 40 million users sells to mystery buyer, refuses to name new owner

What's strange is that the company won't disclose who it's been sold to, why it was sold, or how much it was sold for. For the extension's claimed 40 million users this raises an interesting question: Can the extension continue to be trusted if the new proprietor is entirely anonymous? TNW contacted Adblock's remaining staff to ask if they'd disclose the buyer but the company refused, saying that the purchaser had specifically asked not to be named. The only thing the team would tell us is that the tool's creator Michael Gundlach will no longer have any relationship with the company—that probably means he's cashed out.

As you'll recall, this is the extension that requires most firms to pay extortion to bypass the extension's blocking.

The ad-block-alypse has arrived: a mobile carrier has for the first time begun blocking *all* ads on its customers' phones

Monty Solomon <>

Date: Thu, 1 Oct 2015 08:54:25 -0400

Re: Ad-blocking

John Levine <>

Date: 29 Sep 2015 20:24:36 -0000

I think the answer is really "because they can", or perhaps "because they think they can".

People have ignored ads as long as there's been ads, and advertisers have always hated it. But until the Internet, they couldn't tell who was looking at the ads and who wasn't. Now the users are making it clear just how not interested in the ads they are, which is very bad for marketers' fragile egos.

If I ever write an ad blocker, it's going to be the moral equivalent of going to the kitchen when the TV shows an ad, while leaving the TV on. It'll still fetch all the web ads in the background, but it won't display them. This will give the users what they want, while protecting the aforementioned fragile egos.