RISKS Forum mailing list archives

Risks Digest 28.70


From: RISKS List Owner <risko () csl sri com>
Date: Tue, 16 Jun 2015 15:44:31 PDT

RISKS-LIST: Risks-Forum Digest  Tuesday 16 June 2015  Volume 28 : Issue 70

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.70.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Armenia loses Internet access (PGN)
Encryption "would not have helped" at OPM, says DHS official (Ars)
Report: Russia, China Crack Snowden Docs (Daily Beast via LW)
LastPass hacked -- here's what to do now (ComputerWorld via LW)
Sex, lies and debt potentially exposed by OPM data hack -- and more
  (Arshad Mohammed and Joseph Menn plus Conor Friedersdorf via Henry Baker)
St. Louis Cardinals Investigated by FBI for Hacking Astros
  (Michael S. Schmidt via Gabe Goldberg)
"Be paranoid: 10 terrifying extreme hacks" (Roger A. Grimes)
Re: Chris Roberts and Avionics Security (Rogier Wolff)
Re: Corvette battery cable (Dimitri Maziuk)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 15 Jun 2015 19:01:20 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Armenia loses Internet access

  [Thanks to Paul Saffo.  PGN]

A 75-year-old woman digging for scrap metal cut into a fiber cable and cut
off Internet access for all of Armenia!

http://www.theguardian.com/world/2011/apr/06/georgian-woman-cuts-web-access

  [Perhaps she will get Armenial Servertude?]

------------------------------

Date: Tue, 16 Jun 2015 12:59:18 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Encryption "would not have helped" at OPM, says DHS official (Ars)

Ars Technica via NNSquad
http://arstechnica.com/security/2015/06/encryption-would-not-have-helped-at-opm-says-dhs-official/

  But even if the systems had been encrypted, it would have likely not
  mattered. Department of Homeland Security Assistant Secretary for
  Cybersecurity Dr. Andy Ozment testified that encryption would "not have
  helped in this case" because the attackers had gained valid user
  credentials to the systems that they attacked--likely through social
  engineering. And because of the lack of multifactor authentication on
  these systems, the attackers would have been able to use those credentials
  at will to access systems from within and potentially even from outside
  the network.

NO 2-FACTOR CREDENTIALS. Pretty much criminal negligence at this point.
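To make the point concrete: with only a password on the account, a phished
or otherwise stolen credential is sufficient on its own; with a second factor
the same stolen password is rejected unless the live one-time code is also
presented. The following is an added example and not code from the digest or
from OPM/DHS. It implements RFC 4226 HOTP and RFC 6238 TOTP with the standard
library, and the user record, salt and password are constructed sample data
(the TOTP seed is the RFC 6238 test-vector seed, so the codes can be checked
against the RFC).

```python
import hashlib
import hmac
import struct

# --- Constructed sample data: one enrolled user (made up, not real data) ----
# The password is stored as a salted PBKDF2 hash; the TOTP seed is the shared
# secret an authenticator app would hold for this user.
SALT = b"constructed-salt"
USERS = {
    "jdoe": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 50_000),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector seed
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10**digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current 30-second step and `window` steps either side, to
    tolerate clock skew between server and authenticator."""
    counter = unix_time // 30
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def password_ok(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)
    return hmac.compare_digest(candidate, user["pw_hash"])


def login_password_only(username: str, password: str) -> bool:
    """The single-factor setup described in the article: a stolen password
    is all it takes."""
    return password_ok(username, password)


def login_with_mfa(username: str, password: str, code: str, unix_time: int) -> bool:
    """Password plus a time-based one-time code: the stolen password alone
    no longer suffices, and a code from an earlier step expires."""
    if not password_ok(username, password):
        return False
    return verify_totp(USERS[username]["totp_secret"], code, unix_time)


if __name__ == "__main__":
    now = 1111111109  # fixed clock so the run is reproducible
    stolen_pw = "correct horse"
    seed = USERS["jdoe"]["totp_secret"]
    print("password-only login, stolen password:", login_password_only("jdoe", stolen_pw))
    print("MFA login, stolen password, no code:  ", login_with_mfa("jdoe", stolen_pw, "", now))
    print("MFA login, stolen password, live code:", login_with_mfa("jdoe", stolen_pw, totp(seed, now), now))
```

The skew window is the one knob worth thinking about: each extra step on
either side widens the set of codes accepted at a given moment, so keep it
small, and in a real deployment also refuse to accept the same code twice.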

------------------------------

Date: Sat, 13 Jun 2015 21:38:48 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Report: Russia, China Crack Snowden Docs

The Daily Beast via NNSquad
http://www.thedailybeast.com/cheats/2015/06/13/russia-china-got-snowden-files.html

  Russia and China have allegedly decrypted the top-secret cache of files
  stolen by whistleblower Edward Snowden, according to a report from The
  Sunday Times, to be published tomorrow. The info has compelled British
  intelligence agency MI6 to withdraw some of its agents from active
  operations and other Western intelligence agencies are now actively
  involved in rescue operations.

 - - -

If this report is true, it seems safe to assume that Snowden has likely lost
any chance he ever had of asylum or any other "minimum incarceration" return
to the West.

------------------------------

Date: Mon, 15 Jun 2015 15:53:06 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: LastPass hacked -- here's what to do now

ComputerWorld via NNSquad
http://www.computerworld.com/article/2936144/cloud-computing/lastpass-hacked-itbwcw.html?shr=t

  LastPass, the cloud-based password manager, has been hacked. If you use
  LastPass, it's probably time for a precautionary master-password
  change. It might also be a good idea to check out the other options for
  securing your account.

I don't use cloud-based password services. Now you know why.

------------------------------

Date: Mon, 15 Jun 2015 15:59:26 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Sex, lies and debt potentially exposed by OPM data hack

FYI -- I'm very sorry about this OPM data breach, because some members of my
family may also be victims, but perhaps some of these very same government
officials may now "get religion" re privacy issues.

Either keep such information secure -- using strong non-backdoorable
encryption -- or don't keep it at all.  These 2 articles talk about the
risks & costs of *keeping* such information.

By Arshad Mohammed and Joseph Menn
Sex, lies and debt potentially exposed by U.S. data hack
https://ca.news.yahoo.com/sex-lies-debt-potentially-exposed-u-data-hack-054657057.html

WASHINGTON (Reuters) -- When a retired 51-year-old military man disclosed in
a U.S. security clearance application that he had a 20-year affair with his
former college roommate's wife, it was supposed to remain a secret between
him and the government.

The disclosure last week that hackers had penetrated a database containing
such intimate and possibly damaging facts about millions of government and
private employees has shaken Washington.

The hacking of the White House Office of Personnel Management (OPM) could
provide a treasure trove for foreign spies.

The military man's affair, divulged when he got a job with a defense
contractor and applied to upgrade his clearance, is just one example of the
extensive potential for disruption, embarrassment and even blackmail arising
from the hacking.

The man had kept the affair secret from his wife for two decades before
disclosing it on the government's innocuously named Standard Form 86 (SF
86), filled out by millions of Americans seeking security clearances.

His case is described in a judge's ruling, published on the Pentagon
website, that he should keep his security clearance because he told the
government about the affair. His name is not given in the administrative
judge's decision.

The disclosure that OPM's data had been hacked sent shivers down the spines
of current and former U.S. government officials as they realized their
secrets about sex, drugs and money could be in the hands of a foreign
government.

The data that may be compromised by the incident, which was first reported
by the Associated Press, included the detailed personal information on the
SF 86 "QUESTIONNAIRE FOR NATIONAL SECURITY POSITIONS," according to
U.S. officials.

U.S. SUSPECTS LINK TO CHINA

As with another cyberattack on OPM disclosed earlier this month,
U.S. officials suspect it was linked to China, though they have less
confidence about the origins of the second attack than about the first.

China denies any involvement in hacking U.S. databases.

While the Central Intelligence Agency does its own clearance investigations,
agencies such as the State Department, Defense Department and National
Security Agency, which eavesdrops on the world, all use OPM's services to
some degree.

It was not immediately clear how many Americans' information may have been
compromised, nor precisely how many fill out form SF 86.  As of Oct. 1,
there were 4.51 million people cleared or eligible to receive national
security information, according to a report by the Office of the Director of
National Intelligence.

Intelligence veterans said the breach may prove disastrous because China
could use it to find relatives of U.S. officials abroad as well as evidence
of love affairs or drug use which could be used to blackmail or influence
U.S. officials.

An even worse scenario would be the mass unmasking of covert operatives in
the field, they said.

"The potential loss here is truly staggering and, by the way, these records
are a legitimate foreign intelligence target," said retired Gen. Michael
Hayden, a former CIA and NSA director.  "This isn't shame on China. This is
shame on us."

The SF 86 form, which is 127-pages long, is extraordinarily comprehensive
and intrusive.

Among other things, applicants must list where they have lived; contacts
with foreign citizens and travel abroad; the names and personal details of
relatives; illegal drug use and mental health counseling except in limited
circumstances.

A review of appeals of security denials published on the web shows the
variety of information now in possession of the hackers, including financial
troubles, infidelities, psychiatric diagnoses, substance abuse, health
issues and arrests.

"It's kind of scary that somebody could know that much about us," said a
former senior U.S. diplomat, pointing out the ability to use such data to
impersonate an American official online, obtain passwords and plunder bank
accounts.

SOME AGENCIES LESS VULNERABLE

A U.S. official familiar with security procedures, but who declined to be
identified, said some agencies do not use OPM for clearances, meaning their
employees' data was at first glance less likely to have been compromised.

However, the former senior diplomat said someone with access to a complete
set of SF 86 forms and to the names of officials at U.S. embassies, which
are usually public, could compare the two and make educated guesses about
who might be a spy.

"Negative information is an indicator just as much as a positive
information," said the former diplomat.

The case of the 51-year-old former military man who told the government, but
not his wife, about his 20-year affair came to light when he filed an appeal
because his effort to upgrade his security clearance ran into trouble.

According to a May 13 decision by an administrative judge who heard his
case, the man revealed the affair in the "Additional Comments" section of SF
86 in January 2012, ended the affair in 2013, and told his wife about it in
2014.

"DOD (Department of Defense) is aware of the affair because Applicant
disclosed it on his SF 86; the affair is over; and the key people in
Applicant's life are aware of it," the judge wrote, according to a Defense
Office of Hearings and Appeals document posted online.

His access to classified information was approved.

(Reporting by Arshad Mohammed in Washington and Joseph Menn in San
Francisco; Additional reporting by Mark Hosenball; Editing by David Storey,
Sue Horton and Alan Crosby)

  - - - -

Conor Friedersdorf, *The Atlantic*, Jun 2015
Adjusting to a World Where No Data Is Secure
If government and corporations cannot safeguard their digital files, then
they should regularly purge sensitive information.
http://www.theatlantic.com/politics/archive/2015/06/what-if-no-data-held-by-government-or-corporations-is-secure/395810/

Imagine a piece of information that would be useful to store digitally if it
could be kept secure, but that would do more harm than good if it ever fell
into the wrong hands.  With Friday's news that ``hackers have breached a
database containing a wealth of sensitive information from federal
employees' security background checks,'' just that sort of fraught
information has arguably been exposed to hackers.

One of the documents that they got, the Questionnaire for National Security
Positions, asked federal workers and contractors seeking security clearances
``to disclose everything from mental illnesses, financial interests, and
bankruptcy issues to any brush with the law, major and minor drug and
alcohol use as well as a robust listing of an applicant's family members,
associates, or former roommates,'' my colleague Adam Chandler explains.
``At the bottom of each page, a potential employee must submit his or her
social security number.  Given the length, that means if you're filling out
this document, you will write your SSN over 115 times.''

That trove of information was useful to the national security bureaucracy in
its efforts to stop espionage, monitor potential blackmail, and otherwise
police its employees.

Yet it now seems like the U.S. would have been better off reviewing
information about cleared employees on intake and then destroying it, rather
than retaining the records.  ``These forms contain decades of personal
information about people with clearances,'' Joel Brenner, a former
high-ranking intelligence official told the Washington Post, ``which makes
them easier to recruit for espionage on behalf of a foreign country.''

In hindsight, retaining the documents betrayed a degree of hubris: National
security officials had excessive confidence in their ability to keep these
secrets from falling into the hands of malicious actors, so they risked
storing them indefinitely.

What else falls in this `better to destroy than to have stolen' category?

After Chelsea Manning, Edward Snowden, and numerous successful hacks of
various federal databases, perhaps the government should perform an audit
and a purge on the theory that it won't ever be competent enough to reliably
safeguard information.

Isn't there good reason to surmise that is true?

Perhaps the privacy activists who want to pass data retention laws forcing
private corporations to purge the data that they hold at periodic intervals
also have a point.  Would it be a national security threat if the Google
search histories and iPhone location data of all members of Congress,
U.S. military personnel, and American CEOs fell into the hands of Vladimir
Putin or China's government?  If so, perhaps it makes more sense to prohibit
retaining such information for longer than two years, even though the
precision of Internet ads might suffer as a result.

National security officials and Google leaders have institutional and
psychological incentives to assert and believe that if they're just careful
enough going forward, they can safeguard the information that they hold.
And we have an incentive to believe them.  Wouldn't it be great if our
government and corporations that make cool products for us could exploit the
benefits of unlimited data retention without any costs?

But I no longer believe that they can.  If you disagree, what sort of leak
or hack or data breach would it take to persuade you otherwise?  I expect
you'll see it sooner, rather than later.

------------------------------

Date: Tue, 16 Jun 2015 17:53:24 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: St. Louis Cardinals Investigated by FBI for Hacking Astros
  (Michael S. Schmidt)

Michael S. Schmidt, *The New York Times*, 16 Jun 2015

The FBI and Justice Department prosecutors are investigating front-office
officials for the St. Louis Cardinals, one of the most successful teams in
baseball over the past two decades, for hacking into the internal networks
of a rival team to steal closely guarded information about player personnel.

Investigators have uncovered evidence that Cardinals officials broke into a
network of the Houston Astros that housed special databases the team had
built, according to law enforcement officials. Internal discussions about
trades, proprietary statistics and scouting reports were compromised, the
officials said.

The officials did not say which employees were the focus of the
investigation or whether the team's highest-ranking officials were aware of
the hacking or authorized it. The investigation is being led by the FBI's
Houston field office and has progressed to the point that subpoenas have
been served on the Cardinals and Major League Baseball for electronic
correspondence.

The attack represents the first known case of corporate espionage in which a
professional sports team has hacked the network of another team.  Illegal
intrusions into companies' networks have become commonplace, but it is
generally conducted by hackers operating in foreign countries, like Russia
and China, who steal large tranches of data or trade secrets for military
equipment and electronics.

Major League Baseball has been aware of and has fully cooperated with the
federal investigation into the illegal breach of the Astros' baseball
operations database, a spokesman for baseball's commissioner, Rob Manfred,
said in a written statement.

http://www.nytimes.com/2015/06/17/sports/baseball/st-louis-cardinals-hack-astros-fbi.html

  [Also noted by Jim Reisert.  PGN]

------------------------------

Date: Tue, 16 Jun 2015 12:14:36 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Be paranoid: 10 terrifying extreme hacks" (Roger A. Grimes)

Roger A. Grimes, InfoWorld, 15 Jun 2015
Nothing is safe, thanks to the select few hacks that push the limits
of what we thought possible
http://www.infoworld.com/article/2933868/hacking/10-extreme-hacks-to-be-truly-paranoid-about.html

------------------------------

Date: Tue, 16 Jun 2015 09:54:09 +0200
From: Rogier Wolff <wolff () bitwizard nl>
Subject: Re: Chris Roberts and Avionics Security (Schneier, RISKS-28.69)

  The real issue is that the avionics and the entertainment system are
  on the same network. That's an even stupider thing to do. Also last
  month, I wrote about the risks of hacking airplanes, and said that I
  wasn't all that worried about it. Now I'm more worried.

Are they?

With Boeing saying that "it is impossible" (at least at first), I suspect
that they have taken measures to prevent exactly what Roberts claims to have
accomplished.

Let's take a step back.

Think of a Boeing aviation electronics engineer. Turns out that
ethernet-connectivity on the plane is becoming more and more common. So
instead of having a separate wire running from each of the sensors in the
tail to the cockpit, there now is an ethernet link carrying information from
many different sensors along the plane.  Before you know it, also the
engines have ethernet connectivity and can be commanded over their ethernet
connection.

So, one day he's sitting in his office and a guy from the cabin-electronics
group walks in and says: "We have a plan for a new in-cabin-entertainment
system. We need ethernet connectivity and hear you already have an ethernet
link running along the plane, can we use that?"

Multiple choice time (*): He answers: A) Sure! B) Sure, as long as you
promise not to use more than 50% of the bandwidth, C) WTF are you thinking?

I have enough confidence in Boeing that they got this one right.

A few months later, the cabin-electronics guy walks into the aviation
electronics office again, and asks: "We get questions from the passengers if
they can get technical information about the flight on their infotainment
screen. Stuff like airspeed and altitude. We'd be no trouble at all, we can
gather this information from your flight-computer ourselves."  MC time
again... He suggests: A) Let's buy a hub: cheap, light, no hassle, great! B)
We need to buy a switch, otherwise traffic from the autopilot to the engines
will leak onto the entertainment network. C) We need a firewall.

I still have enough confidence in Boeing that they got this right.  But from
the claims from the FBI and Chris, I strongly suspect that from this point
on some mistakes were made. Somehow the "firewall" function got integrated
into a computer "already there" or the firewall was expanded to have
multiple functions, allowing someone to e.g., gain access by finding a
vulnerability in a web script, and then continue to hack on "the other
side".

My opinion is that if you continue to threaten to throw guys like Chris in
jail, the next time you'll find out about these bugs/design problems is when
a plane is crashed by a teenager who accidentally deletes the engine
calibration data or something like that.

But "allowing" hacking on live planes is troublesome too. Difficult issue.

(*) In many multiple choice tests, the correct answer is often the
longest. In case you haven't noticed: not here.

R.E.Wolff () BitWizard nl ** http://www.BitWizard.nl/ ** +31-15-2600998
Delftechpark 26 2628 XH  Delft, The Netherlands. KVK: 27239233
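The two multiple-choice questions above (hub, switch, or firewall between the
avionics link and the cabin network) can be checked against a small model.
What follows is an added example, not code from the digest, from Boeing or
from the poster. The hosts, traffic classes and allow-list are constructed
for illustration; "ife" stands for a hypothetical in-flight entertainment
head-end. The model asks two things of each option: can a cabin host observe
flight-control traffic, and can a cabin host address the engine controller
at all.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    kind: str  # constructed traffic classes: "engine-cmd", "telemetry-req", "telemetry"


# Constructed topology: three avionics hosts and one cabin host on the shared link.
AVIONICS = {"autopilot", "engine", "flight-computer"}
CABIN = {"ife"}
HOSTS = AVIONICS | CABIN

# Constructed traffic mix: one legitimate cabin request, one legitimate reply,
# one flight-control command, and one frame a misbehaving cabin host might send.
TRAFFIC = [
    Frame("autopilot", "engine", "engine-cmd"),
    Frame("ife", "flight-computer", "telemetry-req"),
    Frame("flight-computer", "ife", "telemetry"),
    Frame("ife", "engine", "engine-cmd"),
]


class Hub:
    """Option A: a repeater. Every frame reaches every other attached host."""

    def __init__(self, hosts):
        self.hosts = set(hosts)

    def deliver(self, frame):
        return self.hosts - {frame.src}


class Switch:
    """Option B: unicast frames go only to the destination host. This stops
    passive observation but does nothing about addressed traffic. The
    forwarding table is assumed already learned; an unknown destination is
    still flooded, as a real switch would."""

    def __init__(self, hosts):
        self.hosts = set(hosts)
        self.table = set(hosts)

    def deliver(self, frame):
        if frame.dst in self.table:
            return {frame.dst}
        return self.hosts - {frame.src}


class Firewall(Switch):
    """Option C: a switch plus a policy enforced on every frame that crosses
    the avionics/cabin boundary. Only the explicitly allowed (src, dst, kind)
    triples pass; everything else crossing the boundary is dropped."""

    ALLOW = {
        ("ife", "flight-computer", "telemetry-req"),
        ("flight-computer", "ife", "telemetry"),
    }

    def deliver(self, frame):
        crosses = (frame.src in CABIN) != (frame.dst in CABIN)
        if crosses and (frame.src, frame.dst, frame.kind) not in self.ALLOW:
            return set()
        return super().deliver(frame)


def violations(device) -> list:
    """Policy check: flight-control commands must never be seen by, nor
    originate from, a cabin host. Returns a description of each breach."""
    found = []
    for frame in TRAFFIC:
        receivers = device.deliver(frame)
        if frame.kind != "engine-cmd":
            continue
        seen_by_cabin = receivers & CABIN
        if seen_by_cabin:
            found.append(f"{frame.src}->{frame.dst} command observed by cabin host(s) {sorted(seen_by_cabin)}")
        if frame.src in CABIN and receivers:
            found.append(f"cabin host {frame.src} was able to command {frame.dst}")
    return found


if __name__ == "__main__":
    for option in (Hub, Switch, Firewall):
        print(option.__name__, violations(option(HOSTS)) or "no policy violations")
```

The switch result is the instructive one: it fixes the leakage that answer B
worries about, yet still lets the cabin host send whatever it likes to the
engine controller, which is why the boundary needs a policy and not just
separate collision domains. The model says nothing about what happens when
that policy function is later folded into a box that also serves other
roles; that is the part the poster suspects went wrong.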

------------------------------

Date: Tue, 16 Jun 2015 11:55:17 -0500
From: Dimitri Maziuk <dmaziuk () bmrb wisc edu>
Subject: Re: Corvette battery cable (RISKS-28.68,69)

  [I don't remember this when I saw the original article.  I only thought of
  it now.]

Some twenty or so years ago in Australia I heard a story about "back when
electric windows were new". Apparently somebody's fuse blew killing both the
air-conditioner and (closed tight of course) electric windows.  In the 40+C
heat in the middle of nowhere. So the poor guy drove 300 km to the first gas
station where the owner/mechanic told them "this is an electrical problem,
I'm not a licensed electrician, the nearest vehicle electrician is 400 km
that way".

(That's 105+ degrees and 190 & 250 miles resp. in the "standard" units.)

The more things change...

Dimitri Maziuk, BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.70
************************