RISKS Digest 28.64

Saturday 16 May 2015

Amtrak Says It Was Just Months Away From Installing Safety System

NYTimes

Date: Thu, 14 May 2015 21:24:14 -0400

The railroad said technical and regulatory roadblocks had delayed operation of the system, which might have prevented this week's train derailment.

Self-driving cars are getting into accidents in California

LATimes

Date: Tue, 12 May 2015 08:55:59 -0400

Worker fired for disabling GPS app that tracked her 24 hours a day

David Kravets via Jim Reisert

Date: Mon, 11 May 2015 19:02:15 -0600

"This intrusion would be highly offensive to a reasonable person."

David Kravets, Ars Technica, 11 May 2015

Let's just jump to the end of the article, shall we?

"The app had a "clock in/out" feature which did not stop GPS monitoring, that function remained on. This is the problem about which Ms. Arias complained. Management never made mention of mileage. They would tell her co-workers and her of their driving speed, roads taken, and time spent at customer locations. Her manager made it clear that he was using the program to continuously monitor her, during company as well as personal time."

Banned Researcher Commandeered a Plane

Kim Zetter

Date: Fri, 15 May 2015 21:12:42 PDT

(Courtesy of Dan Farmer: Fly the unfriendly skies?)

Kim Zetter, Feds Say That Banned Researcher Commandeered a Plane

A security researcher kicked off a United Airlines flight last month after tweeting about security vulnerabilities in its system had previously taken control of an airplane and caused it to briefly fly sideways, according to an application for a search warrant filed by an FBI agent.

Chris Roberts, a security researcher with One World Labs, told the FBI agent during an interview in February that he had hacked the in-flight entertainment system, or IFE, on an airplane and overwrote code on the plane's Thrust Management Computer while aboard the flight. He was able to issue a climb command and make the plane briefly change course, the document states.

FBI Special Agent Mark Hurley: "He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights. He also stated that he used Vortex software after comprising/exploiting or hacking the airplane's networks. He used the software to monitor traffic from the cockpit system."

Hurley filed the search warrant application last month after Roberts was removed from a United Airlines flight from Chicago to Syracuse, New York, because he published a facetious tweet suggesting he might hack into the plane's network. Upon landing in Syracuse, two FBI agents and two local police officers escorted him from the plane and interrogated him for several hours. They also seized two laptop computers and several hard drives and USB sticks. Although the agents did not have a warrant when they seized the devices, they told Roberts a warrant was pending.

A media outlet in Canada obtained the application for the warrant today and published it online.

The information outlined in the warrant application reveals a far more serious situation than Roberts has previously disclosed.

Roberts had previously told WIRED that he caused a plane to climb during a simulated test on a virtual environment he and a colleague created, but he insisted that he had not interfered with the operation of a plane while in flight.

He told WIRED that he did access in-flight networks about 15 times during various flights but had not done anything beyond explore the networks and observe data traffic crossing them. According to the FBI affidavit, however, he mentioned this to agents as well last February but also added that he had briefly commandeered a plane during one of those flights. He told the FBI that the flights on which he accessed the in-flight networks more than a dozen times occurred between 2011 and 2014, but the affidavit does not indicate exactly which flight he allegedly caused to turn to the side.

He obtained physical access to the networks through the Seat Electronic Box, or SEB. These are installed two to a row, on each side of the aisle under passenger seats, on certain planes. After removing the cover to the SEB by "wiggling and squeezing the box", Roberts told agents he attached a Cat6 ethernet cable, with a modified connector, to the box and to his laptop and then used default IDs and passwords to gain access to the inflight entertainment system. Once on that network, he was able to gain access to other systems on the planes.

Reaction in the security community to the new revelations in the affidavit has been harsh. Although Roberts hasn't been charged yet with any crime, and there are questions about whether his actions really did cause the plane to list or he simply thought they did, a number of security researchers have expressed shock that he attempted to tamper with a plane during a flight.

"I find it really hard to believe but if that is the case he deserves going to jail," wrote Jaime Blasco, director of AlienVault Labs, in a tweet.

Alex Stamos, chief information security officer of Yahoo, wrote in a tweet, "You cannot promote the (true) idea that security research benefits humanity while defending research that endangered hundreds of innocents."

[Wonderful long item truncated for RISKS. PGN]

United launches bug bounty (but in-flight systems off limits)

Jeremy Kirk

Date: Sat, 16 May 2015 10:35:30 PDT

Jeremy Kirk (CSO), 15 May 2015

United Airlines is offering rewards to researchers for finding flaws in its websites but the company is excluding bugs related to in-flight systems, which the U.S. government says may be increasingly targeted by hackers.

The bug bounty program rewards people with miles that can be used for the company's Mileage Plus loyalty program as opposed to cash, which web giants such as Google, Facebook and Yahoo pay.

A Phantom Offer Sends Avon's Shares Surging

NYTimes

Date: Fri, 15 May 2015 08:29:44 -0400

The big drug database in the sky: One firefighter's year-long legal nightmare

Gabe Goldberg

Date: Tue, 12 May 2015 22:17:17 -0400

Together, Miller and Smith form the basis for what is now known as the "third-party doctrine." In its simplest form, the doctrine says that whenever someone hands over a private piece of information to a third party for a specific purpose, the Fourth Amendment doesn't protect her from a warrantless search of this information by authorities since she has already given up her privacy interest in the information by sharing it.

The doctrine "has been problematic throughout the years, and with every passing year the problems get more and more stark," said Nathan Wessler, a staff attorney at the American Civil Liberties Union who is litigating a prescription drug database case in Oregon. Nearly everything we do online reveals information to a third party, from e-mail stored in the cloud to photo sharing to instant messaging to browsing the Web to geolocation.

"It's totally clear that this doctrine has no place today in the digital age," Wessler added. "It's really impossible to participate in modern life, in social life, in work and business, to get medical care and legal advice without using digital technology and leaving behind a trail and digital bread crumbs."

Gabriel Goldberg, 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433

"Rombertik malware destroys computers if detected"

Jeremy Kirk

Date: Thu, 14 May 2015 09:55:51 -0700

Jeremy Kirk, InfoWorld, 5 May 2015

Rombertik is designed to steal any plain text entered into a browser window

A new type of malware resorts to crippling a computer if it is detected during security checks, a particularly catastrophic blow to its victims. [...]

Extremely serious virtual machine bug threatens cloud providers everywhere

Ars Technica

Date: Wed, 13 May 2015 13:48:13 PDT

[This may be the tip of an iceberg in recognizing more broadly the risks inherent in outsourcing to a provider of unknown trustworthiness. PGN]

"Google Confirms Cops Can Wiretap Your Hangouts"

Date: Tue, 12 May 2015 09:12:25 -0700

Cybersecurity company accused of extortion

Henry Baker

Date: Thu, 14 May 2015 11:57:24 -0700

A cybersecurity company has been accused of using FBI/NSA-style "cybersecurity" extortion against clients. Clearly, private companies like LabMD are less willing than the US Congress to abide these extortion attempts. Tell me that cover story again about that "drunken govt employee" who "inadvertently" flew his "private" drone onto the White House lawn...

Apparently, when govt spooks go into private business, they forget to change their modus operandi...

Jose Pagliery, CNNMoney, 7 May 2015

Whistleblower accuses cybersecurity company of extorting clients

A cybersecurity company faked hacks and extorted clients to buy its services, according to an ex-employee. In a federal court this week, Richard Wallace, a former investigator at cybersecurity company Tiversa, said the company routinely engaged in fraud—and mafia-style shakedowns. To scare potential clients, Tiversa would typically make up fake data breaches, Wallace said. Then it pressured firms to pay up. "Hire us or face the music," Wallace said on Tuesday at a federal courtroom in Washington, D.C. CNNMoney obtained a transcript of the hearing.

The results were disastrous for at least one company that stood up to Tiversa and refused to pay. In 2010, Tiversa scammed LabMD, a cancer testing center in Atlanta, Wallace testified. Wallace said he tapped into LabMD's computers and pulled the medical records. The cybersecurity firm then alerted LabMD it had been hacked. Tiversa offered it emergency "incident response" cybersecurity services. After the lab refused the offer, Tiversa threatened to tip off federal regulators about the "data breach." When LabMD still refused, Tiversa let the Federal Trade Commission know about the "hack." [... LONG ITEM truncated for RISKS. PGN]

Former federal employee busted for attempted cyber-attack to sell nuclear secrets

Gabe Goldberg

Date: Thu, 14 May 2015 16:31:44 -0400

A former employee of the U.S. Department of Energy and U.S. Nuclear Regulatory Commission was busted in an FBI sting for allegedly attempting to set off a "spear fishing" cyber-attack to extract nuclear information from the agency for personal gain.

Gabriel Goldberg, 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433

Mobile Spy Software Maker mSpy Hacked, Customer Data Leaked

Krebs via Lauren Weinstein

Date: Thu, 14 May 2015 19:41:51 -0700

mSpy, the makers of a dubious software-as-a-service product that claims to help more than two million people spy on the mobile devices of their kids and partners, appears to have been massively hacked. Last week, a huge trove of data apparently stolen from the company's servers was posted on the Deep Web, exposing countless emails, text messages, payment and location data on an undetermined number of mSpy "users."

Live by the sword, die by the sword.

[Also noted by Henry Baker, who remarked: "Any pot with this much honey will get hacked. Any bets on how long before Bluffdale gets hacked (again)?" PGN]

Team cracks Nvidia GPUs with malware for Windows and OS X

Digital Trends

Date: 15 May 2015 19:39:46 -0400

Penn State severs engineering network after "incredibly serious" intrusion

Ars Technica

Date: Fri, 15 May 2015 14:34:54 -0700

"Penn State's College of Engineering has been disconnected from the Internet so it can recover from two serious computer intrusions that exposed personal information for at least 18,000 people and possibly other sensitive data, officials said Friday. The group responsible for one of the attacks appears to be based in China, a country many security analysts have said actively hacks and trawls the computer networks of western nations for a wide range of technical data. University officials said there's no evidence that the intruders obtained research data, but they didn't rule the possibility out. Officials have known of the breach since November 21, when the FBI reported an attack on the engineering college network by an outside entity."

Anonymous accused of running a botnet using thousands of hacked home routers

Daily Dot

Date: Tue, 12 May 2015 08:27:14 -0700

"Lazy security has allowed various groups of hackers, likely including Anonymous, to hijack hundreds of thousands of home and office Internet routers, according to a new report from cybersecurity firm Incapsula."

Well, "lax" security, anyway.

Witness Accounts in Midtown Hammer Attack Show the Power of False Memory

NYTimes

Date: Fri, 15 May 2015 09:04:11 -0400

Two people who saw a police encounter on Wednesday reported different details; surveillance videotape showed that both of them were wrong.

Trains re: All cars must have tracking devices

David Damerell

Date: Wed, 13 May 2015 18:49:44 +0100

An increasingly common arrangement (in the UK, at least) is that the signal control room can observe the level crossing via CCTV. That, especially with in-cab signaling, might allow the train to start a brake application before the driver or radar could see the stranded vehicle, either not hitting it or buying time.

However - while I'm not disputing that people would do it - the fundamental problem here seems to be: 1) your vehicle stops moving on a level crossing. 2) the level crossing gates close. 3) you stay in the vehicle.

There is not much the railway can do about that.

Re: Computer Scientists Use Twitter to Predict UK General Election Result

Gene Wirchenko

Date: Mon, 11 May 2015 18:52:26 -0700

Congratulations to Mr. Page et al. on a very good result, BUT what about the people who do not use Twitter? Excluding them could skew results. There is a famous precedent: "*The Literary Digest*'s failure to predict the 1936 U.S. presidential election (as covered:

Some quotes from that article:

"The prospective voters were chosen from the subscription list of the magazine, from automobile registration lists, from phone lists, and from club membership lists."

"Based on the poll, The Literary Digest predicted that Landon would win the 1936 presidential election with 57.1% of the popular vote and an electoral college margin of 370 to 161. In fact, Roosevelt won the election with 60.8% of the popular vote (27,751,841 to 16,679,491) and an electoral college landslide of 523 to 8 (the largest ever in a presidential election). Roosevelt won 46 of 48 states, losing only Maine and Vermont.

The *Literary Digest*, using similar techniques, had correctly predicted the outcome of the last four presidential elections. But in this case, the magazine was not just wrong, it was spectacularly wrong. In part because of the subsequent loss of prestige and credibility, the magazine died just two years later.

What went wrong? Clearly the sample was skewed towards wealthier voters--those who could afford magazine subscriptions, cars, phones, and club memberships in the depths of the Great Depression. This sort of bias would not matter if wealthier voters behaved in a similar manner to voters as a whole (as was basically the case in the previous four elections). But in 1936, at a time of great tension between economic classes, this was definitely not the case.

Another problem, not easily understood, is self-selection bias. Were the voters who chose to return the questionnaires different, in terms of how they planned to vote, from the voters who did not respond?"

Note that "The Literary Digest" had been correct for the previous four elections and then stunningly blew it. Might we have a repeat coming up?

Re: Dealing with rogue drones, Copping a 'copter

Dick Mills

Date: Fri, 15 May 2015 17:45:20 -0400

On the *Economist* article about authorities trying to thwart drones: They better be careful, I saw this in recent news.

"The Federal Aviation Administration felt the need to issue a statement Friday asking the general public not to shoot at drones flying overhead as a small Colorado town is considering an ordinance urging townsfolk to shoot down unmanned aerial vehicles. 'Shooting at an unmanned aircraft could result in criminal or civil liability, just as would firing at a manned airplane,' the statement from the FAA read."

Other news comments warn states and law enforcement about the same legal liability risk if they did take action against drones. The legal status of drones needs clarification.

Re: Authentication vs Identification ...

John Levine

Date: 12 May 2015 00:24:32 -0000

That horse left the barn several generations ago, unfortunately.

The problem is the fiction that the SSN is secret, so anyone who presents your SSN must be you. I'd prefer to address it directly by saying, sure, they can demand an SSN all they want, but any transaction validated with an SSN isn't enforceable.

Did they ask for your SSN when you applied for a credit card? Great! You don't have to pay the bill.

Did they use your SSN to request a credit report? They better not make any adverse decisions based on it.

This might be a challenge to enforce, but I think the idea is right. There are other issues, like the lack of a check digit and the dense number space, which make it way too easy to get the number wrong (transpose the last two digits and you'll likely have the valid SSN of someone else born roughly when and where you were), but they're side issues compared to the faux secrecy.
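An added illustration of the check-digit side issue raised above (example code written for this digest entry, not part of the post or of any SSA software): a nine-digit SSN carries no redundancy, so swapping two adjacent digits produces another number that passes every structural test, whereas a Luhn check digit (the scheme used on payment card numbers) rejects adjacent transpositions apart from the 09/90 pair. The structural SSN rules encoded here are the SSA's published ones (area not 000, 666 or 900 through 999; group not 00; serial not 0000); the Luhn-protected ten-digit identifier is a hypothetical format used only to show what a check digit buys, and the sample number is constructed.

```python
import re

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def ssn_is_syntactically_valid(ssn: str) -> bool:
    """Structural SSN check: format plus the SSA's published invalid ranges.

    There is no check digit, so this is all a receiving system can test.
    """
    m = SSN_RE.match(ssn)
    if not m:
        return False
    area, group, serial = m.groups()
    # Zero-padded fixed-width strings compare correctly as numbers here.
    if area in ("000", "666") or area >= "900":
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a digit string (payload without the check digit)."""
    total = 0
    # Walk from the rightmost payload digit; that one is doubled first.
    for idx, ch in enumerate(reversed(payload)):
        d = int(ch)
        if idx % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the Luhn check digit of the preceding digits."""
    return number.isdigit() and len(number) > 1 and \
        luhn_check_digit(number[:-1]) == number[-1]


def adjacent_transpositions(digits: str):
    """Yield every string obtained by swapping one pair of adjacent digits."""
    for i in range(len(digits) - 1):
        if digits[i] != digits[i + 1]:
            yield digits[:i] + digits[i + 1] + digits[i] + digits[i + 2:]


def transposition_survival(digits: str, validator) -> int:
    """Count adjacent-transposition errors that the validator still accepts."""
    return sum(1 for t in adjacent_transpositions(digits) if validator(t))


def demo():
    """Compare a bare SSN with a hypothetical Luhn-protected identifier."""
    ssn = "123456789"                      # constructed sample, not a real SSN
    protected = "12345678" + luhn_check_digit("12345678")  # hypothetical format
    return (
        transposition_survival(ssn, ssn_is_syntactically_valid),
        transposition_survival(protected, luhn_valid),
    )


if __name__ == "__main__":
    bare, checked = demo()
    print(f"bare SSN: {bare} of 8 transposition errors still look valid")
    print(f"with Luhn check digit: {checked} of 8 still look valid")
```

All eight single-transposition errors of the sample SSN pass the structural test, while none of the eight errors in the Luhn-protected number do; a check digit does not make a number secret, but it does stop a mistyped identifier from silently resolving to someone else's record.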