RISKS Forum mailing list archives
Risks Digest 29.78
From: RISKS List Owner <risko () csl sri com>
Date: Thu, 22 Sep 2016 15:06:13 PDT
RISKS-LIST: Risks-Forum Digest Thursday 22 September 2016 Volume 29 : Issue 78 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/29.78> The current issue can also be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: FBI overpaid $999,900 to crack San Bernardino iPhone 5c password (Dan Jacobson) Yahoo! confirms major breach that could be the largest hack ever: at least 500 million people (Business Insider) Microsoft dismisses Exchange vulnerability report (Peter Houppermans) How a few words to Siri unlocked a man's front door and exposed a major security flaw in Apple's HomeKit (Forbes) Police try to arrest robot (Al Macintyre) Chicago woman launches lawsuit against Canadian maker of app-based vibrator (CTVnews via Jim Reisert) The risks of getting your email address wrong (Amrith Kumar) For the Debaters: What Shall We Do About the Tech Careening Our Way? (NYTimes) The Success of the Voter Fraud Myth (NYTimes) Wells Fargo Warned Workers Against Sham Accounts, but 'They Needed a Paycheck' (NYTimes) World Economy at RISK? new TiSA-leaks (Wikileaks via Werner U) Re: Tesla fatal crash in Baarn, The Netherlands (Kurt Seifried, Martin Ward) Re: PC without OS (Dimitri Maziuk, Martin Ward) REVIEW: How to Measure Anything in Cybersecurity Risk, Douglas W. Hubbard and Richard Seiersen (Richard Austin) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Tue, 20 Sep 2016 12:28:43 +0800 From: Dan Jacobson <jidanni () jidanni org> Subject: FBI overpaid $999,900 to crack San Bernardino iPhone 5c password http://www.theregister.co.uk/2016/09/19/fbi_overpaid_999900_to_crack_san_bernardino_iphone_5c_password/ Hacker brews fast NAND mirroring prototype for $100. University of Cambridge senior research associate Sergei Skorobogatov has laid waste to United States Federal Bureau of Intelligence (FBI) assertions about iPhone security by demonstrating password bypassing using a $100 NAND mirroring rig... ------------------------------ Date: Thu, 22 Sep 2016 12:06:02 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Yahoo! confirms major breach that could be the largest hack ever: at least 500 million people (Business Insider) via NNSquad http://www.businessinsider.com/yahoo-hack-by-state-sponsored-actor-biggest-of-all-time-2016-9?op=1 Yahoo revealed a massive data breach of its services on Thursday. Yahoo "has confirmed that a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor," the company posted on its investor relations page. The stolen data include names, email addresses, telephone numbers, birthdays, hashed passwords, and some "unencrypted security questions and answers." Yahoo believes that "at least" 500 million user account credentials were stolen, which would make it the biggest breach of all time, bigger than the MySpace breach of 427 million user accounts. Note the part about "unencrypted security questions and answers." The continued use of security questions is a scourge on security, even for people who (as I generally recommend) provide different fake answers to those questions at different sites, rather than the real answers to those common questions that could subvert their security later. ------------------------------ Date: Mon, 19 Sep 2016 13:31:02 +0200 From: Peter Houppermans <peter () houppermans net> Subject: Microsoft dismisses Exchange vulnerability report It may be worthwhile to provide a bit of depth to the article "Microsoft dismisses Exchange vulnerability report" at to see what the fuss is all about. <http://www.theregister.co.uk/2016/09/19/ms_exchange_alleged_bug/> The issue is that the auto-discovery process prescribed for Microsoft Exchange clients is not just not too fussy about whom it talks to, it also doesn't do quite what you would expect. When you set up a new MS Exchange client to access "mailserver.domain.com <http://mailserver.domian.com/>", it first tries to talk to just "domain.com <http://domain.com/>" and, if presented with an SSL cert that has a trusted root, it is quite happy to supply the password for the user in cleartext as answer to a normal Apache authentication query (hence only needing a few lines of code to exploit it - all the required tools are already built in to any webserver). In other words, you may have secured your internal MS Exchange server, but if the public webserver of that domain is hacked (on account of being typically less secure) you may already be leaking passwords. As a bonus, the client will frequently revisit that URL to pick up configuration changes so your hacked webserver will get plenty opportunity to grab the user's password.. .. which may be the keys to the Kingdom as most organisations use Single Sign On. Uh oh. There seems to be no real mitigation possible other than bolting down the associated webserver as it's simply the way the protocol is set up. ------------------------------ Date: Wed, 21 Sep 2016 08:49:15 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: How A Few Words To Siri Unlocked A Man's Front Door And Exposed A Major Security Flaw In Apple's HomeKit NNSquad The iPad Pro sitting in the living room was able to hear Mike through the front door and issued the unlock command. Marcus was stunned. The two laughed it off. Marcus then tried to repeat the unlocking trick several more times and was surprised by how easy it was. He didn't even have to yell that loud. http://www.forbes.com/sites/aarontilley/2016/09/21/apple-homekit-siri-security/#753ca1b36e8a ------------------------------ Date: Fri, 16 Sep 2016 22:07:34 -0500 From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com> Subject: Police try to arrest robot Its alleged offenses: * Disruptive at political rally * Run away from home * Jaywalking not at legal place to cross street, then park in middle of road, blocking traffic http://www.mirror.co.uk/news/weird-news/notorious-runaway-robot-escaped-lab- 8846563 ------------------------------ Date: Sun, 18 Sep 2016 17:05:40 -0600 From: Jim Reisert AD1C <jjreisert () alum mit edu> Subject: Chicago woman launches lawsuit against Canadian maker of app-based vibrator The Canadian Press, 14 Sep 2016 http://ottawa.ctvnews.ca/chicago-woman-launches-lawsuit-against-canadian-maker-of-app-based-vibrator-1.3071873 TORONTO -- An American woman has launched a proposed class-action lawsuit against the Canadian-owned maker of a smartphone-enabled vibrator, alleging the company sells products that secretly collect and transmit "highly sensitive" information. The suit alleges that unbeknownst to its customers, Standard Innovation designed the We-Connect app to collect and record intimate and sensitive data on use of the vibrator, including the date and time of each use as well as vibration settings. ------------------------------ Date: Mon, 19 Sep 2016 13:24:17 -0400 From: "Amrith Kumar" <amrith.kumar () gmail com> Subject: The risks of getting your email address wrong These days we receive more and more communications via electronic means. It has been suggested that electronic delivery has a lower chance of misplaced delivery and the associated risks of identity theft. However, as more and more people begin to use email, the exact risks that we had with postal mail appear to be coming to electronic delivery as well. Whether it is the consumer who provides an incorrect email address, or the receiver of the email address making a mistake in writing it down, or the lack of a confirm-your-email mechanism, you end up with the exact same risks as we had before. I've written about my own ongoing saga with this (thankfully, this is not my own identity that is at risk here). Details at https://hypecycles.com/2016/09/18/the-saga-of-the-mixed-up-email-continues/ A number of people (at this point, I can count three distinct people) have mistakenly provided my email address as their own, in registrations for cellphone bills, and life insurance. Some vendors send information to email with no security (encrypted PDF, for example). Others send documents with encryption using trivial passwords (name+MMDD of birthday). To make it easier for you to guess the MMDD, they send birthday wishes as well. The question: Shouldn't there be a universal 'opt-in' mechanism before any automated system accepts an email address to be legitimate? Something based on a shared secret is so trivial to implement, I wonder why it isn't mandatory, or at least best practice. ------------------------------ Date: Wed, 21 Sep 2016 09:41:59 -0400 From: Monty Solomon <monty () roscom com> Subject: For the Debaters: What Shall We Do About the Tech Careening Our Way? http://www.nytimes.com/2016/09/22/technology/for-the-debaters-what-shall-we-do-about-the-tech-careening-our-way.html Autonomous vehicles are symbolic of numerous technology advances, each requiring a close look at benefits and risks, and leadership to navigate them. ------------------------------ Date: September 20, 2016 at 5:07:31 AM EDT From: Dewayne Hendricks <dewayne () warpspeed com> Subject: The Success of the Voter Fraud Myth (NYTimes) The Editorial Board of *The New York Times*, 19 Sep 2016 http://www.nytimes.com/2016/09/20/opinion/the-success-of-the-voter-fraud-myth.html> How does a lie come to be widely taken as the truth? The answer is disturbingly simple: Repeat it over and over again. When faced with facts that contradict the lie, repeat it louder. This, in a nutshell, is the story of claims of voting fraud in America -- and particularly of voter impersonation fraud, the only kind that voter ID laws can possibly prevent. Last week, a Washington Post-ABC News poll found that nearly half of registered American voters believe that voter fraud occurs ``somewhat'' or ``very'' often. That astonishing number includes two-thirds of people who say they're voting for Donald Trump and a little more than one-quarter of Hillary Clinton supporters. Another 26 percent of American voters said that fraud ``rarely'' occurs, but even that characterization is off the mark. Just 1 percent of respondents gave the answer that comes closest to reflecting reality: ``Never.'' As study after study has shown, there is virtually no voter fraud anywhere in the country. The most comprehensive investigation to date found that out of one billion votes cast in all American elections between 2000 and 2014, there were 31 possible cases of impersonation fraud. Other violations -- like absentee ballot fraud, multiple voting and registration fraud -- are also exceedingly rare. So why do so many people continue to believe this falsehood? Credit for this mass deception goes to Republican lawmakers, who have for years pushed a fake story about voter fraud, and thus the necessity of voter ID laws, in an effort to reduce voting among specific groups of Democratic-leaning voters. Those groups -- mainly minorities, the poor and students -- are less likely to have the required forms of identification. Behind closed doors, some Republicans freely admit that stoking false fears of electoral fraud is part of their political strategy. In a recently disclosed email from 2011, a Republican lobbyist in Wisconsin wrote to colleagues about a very close election for a seat on the State Supreme Court. ``Do we need to start messaging 'widespread reports of election fraud' so we are positively set up for the recount regardless of the final number?'' he wrote. ``I obviously think we should.'' Sometimes they acknowledge it publicly. In 2012, a former Florida Republican Party chairman, Jim Greer, told *The Palm Beach Post* that voter ID laws and cutbacks in early voting are ``done for one reason and one reason only'' -- to suppress Democratic turnout. Consultants, Mr. Greer said, ``never came in to see me and tell me we had a fraud issue. It's all a marketing ploy.'' The ploy works. During the 2012 election, voter ID laws in Kansas and Tennessee reduced turnout by about 2 percent, or about 122,000 votes, according to a 2014 analysis by the Government Accountability Office. Turnout fell the most among young people, African-Americans and newly registered voters. Another study analyzing elections from 2006 through 2014 found that voting by eligible minority citizens decreased significantly in states with voter ID laws and ``that the racial turnout gap doubles or triples in states'' with those laws. There are plenty of shortcomings in the American voting system, but most are a result of outdated machines, insufficient resources or human error -- not intentional fraud. All of these are made only worse by shutting down polling places or eliminating early voting hours, measures frequently supported by Republican legislators. ------------------------------ Date: Mon, 19 Sep 2016 22:16:25 -0400 From: Monty Solomon <monty () roscom com> Subject: Wells Fargo Warned Workers Against Sham Accounts, but 'They Needed a Paycheck' (NYTimes, re: RISKS-29.76) http://www.nytimes.com/2016/09/17/business/dealbook/wells-fargo-warned-workers-against-fake-accounts-but-they-needed-a-paycheck.html Former employees say that their managers warned them not to bend the rules, but they felt pressured by the bank's aggressive sales culture to create fake accounts anyway. ------------------------------ Date: Sat, 17 Sep 2016 04:07:22 +0200 From: Werner U <werneru () gmail com> Subject: World Economy at RISK? new TiSA-leaks (Wikileaks via Twitter, 15 Sep 2016) [The claim is TiSA nations account for "...over 2/3rds of global GDP".] New negotiating docs & analysis for 52-country mega 'trade' deal #*TiSA* <https://twitter.com/wikileaks/status/776391090576457728> Today, Thursday, 15 September 2016, 11:00am CEST, on the eve of new negotiations, WikiLeaks releases new secret documents from the controversial Trade in Services Agreement (TiSA) currently being negotiated by the US, EU and 22 other countries that account for over 2/3rds of global GDP. ... <https://wikileaks.org/tisa/> "According to World Bank figures <http://data.worldbank.org/indicator/BG.GSR.NFSV.GD.ZS> services comprise around 75% of the EU economy, 80% of the US economy and the majority of economies of most countries. The global economy is shifting towards a service-oriented economy. Cross-border trade in services for around 13% of the global GDP in 2015; for the EU twice that figure (around 24% of its total GDP). But it is not just these numbers alone that prove that the TiSA negotiations deserve a much higher attention in the public discussion than they currently have. "Successful opposition mounted to TPP and TTIP by a broad spectrum of actors -- from movements, to farmers, to elites -- means the neo-liberal lobby now places its hopes in TiSA as the vehicle for rewriting global rules and for securing a charter of corporate rights behind closed doors. The TiSA core text is not the main site of dissent, because it is designed to re-insert back into the WTO. It does reveal two major points of disagreement (most-favored nation treatment and domestic regulation) which are important because the US and EU are facing off on issues that are critical. The major disagreements that are likely to prove most problematic are occurring off stage in the annexes. "The published documents are from June and July 2016, document the state of negotiations before and after the previous TiSA round. By comparing the TiSA Core Text and the corresponding Annexes with previous releases of the same documents from WikiLeaks, the public can gain insight into how governments and negotiators shift positions on certain aspects of the text over time. This is also reflected in the three analysis documents that express the expert opinions on selected chapters and annexes of TiSA. "This release comes just days before the next TiSA negotiation round begins on September, 19th 2016 in Geneva. The publication of additional TiSA documents is planned for the near future. ------------------------------ Date: Fri, 16 Sep 2016 16:25:41 -0600 From: Kurt Seifried <kurt () seifried org> Subject: Re: Tesla fatal crash in Baarn, The Netherlands (Kristiansen, R-29.77) I'm going to assume that the majority of Tesla drivers are carrying a cell phone, most likely a smart phone. So the privacy ship has sailed, hit an iceberg and sunk already. Your carrier knows where you are for sure, and many of your apps are also snitching on your location. Just wait until a self driving car service uses biometric identification to helpfully bill you for car use in case you forgot/lost your cell or want to ride share/split the cost. Humans suck at paying attention when they are trying. When they're not even trying... According to the numbers I can find: "1 out of every four car accidents in the United States is caused by texting and driving." That's even more terrible then I would have guessed. ------------------------------ Date: Sat, 17 Sep 2016 16:13:17 +0100 From: Martin Ward <martin () gkc org uk> Subject: Re: Tesla fatal crash in Baarn, The Netherlands (Kristiansen, R-29.77) Few, if any, cars are designed to withstand a head-on collision with a tree at 95 mph. The Tesla battery has much stronger protection than the fuel tank of a petrol or diesel vehicle: which of course, contains a highly inflammable liquid. Elon Musk claimed, in 2013, that a fire was five times more likely in a gasoline car than in a Tesla car. This was before the .25 inch aluminium shield around the battery was upgraded to a three-layer titanium shield. In the UK alone there were nearly 20,000 accidental road vehicle fires in 2003, about 40 per billion km, with 79 fatalities: http://webarchive.nationalarchives.gov.uk/20120919132719/http://www.communities.gov.uk/pub/894/FireStatisticsUnitedKingdom2003PDF1724Kb_id1124894.pdf The telemetry communicated to Tesla is only vehicle diagnostics: https://www.youtube.com/watch?v=cRHH7NmoVPk (See from 9:00 to 10:55) Other data is stored locally on the car. When you are involved in a head-on collision with a tree at 95 mph you have forfeited your privacy where this would prevent the investigators from finding out exactly what happened. ------------------------------ Date: Sat, 17 Sep 2016 13:58:54 -0500 From: Dimitri Maziuk <dmaziuk () bmrb wisc edu> Subject: Re: PC without OS (Ward, RISKS-29.78) No, the monopoly OS supplier can pay PC makers to include a copy of Windows with every PC they are selling *for $500*. Nobody's stopping them from selling barebones PCs *for $1000*. If you read the article, "the CJEU ruled that it's legal to bundle PCs with software without indicating their prices separately" while refusal to offer "no OS" option is up to the local courts to rule on. Aside from the guy getting a Windows discount on his laptop *and* asking for Windows MSRP back (plus a few grand in damages), Apple is bundling iOS with iPhone while AT&T is bundling their product'n'service with hugely discounted Samsung handsets. You seriously expect a court to rule all that illegal in the entire EU? ------------------------------ Date: Sat, 17 Sep 2016 15:29:23 +0100 From: Martin Ward <martin () gkc org uk> Subject: Re: PC without OS (Sayer, RISKS-29.76) The missing middle term of the syllogism (which was omitted because it is widely acknowledged and understood) is that without a legal obligation to offer a machine without an OS, the monopoly OS supplier (Microsoft) can force PC makers to include a copy of Windows with *every* PC that they sell: effectively eliminating competition from the So, consumers are unable to buy a PC from a major manufacturer without paying the "Microsoft Tax": whether they want to or not. ------------------------------ Date: Tue, 20 Sep 2016 00:33:58 -0600 From: "Cipher Editor" <cipher-editor () ieee-security org> Subhect: REVIEW: How to Measure Anything in Cybersecurity Risk, Douglas W. Hubbard and Richard Seiersen (Richard Austin) Excerpted from the Electronic CIPHER, Issue 134, 19 Sep 2016 Newsletter of the IEEE Computer Society's TC on Security and Privacy Electronic Issue 134 September 19, 2016 Hilarie Orman, Editor Sven Dietrich, Assoc. Editor cipher-editor@ ieee-security.org cipher-assoc-editor @ ieee-security.org Book Review By Richard Austin September 15, 2016 Douglas W. Hubbard and Richard Seiersen How to Measure Anything in Cybersecurity Risk Wiley 2016. ISBN 978-1-119-08529-4 Table of Contents: http://www.wiley.com/WileyCDA/WileyTitle/productCd-1119085292.html This is a very useful follow-up to Hubbard's previous book "How to Measure Anything: Finding the Value of Intangibles in Business" applied to cybersecurity risk. Though this book can be read standalone, many details are referenced to the previous one, and it would be good to have a copy at hand for reference. The book addresses the very important question: Is it really possible to do anything beyond rating scales when assessing cybersecurity risk? We're all familiar with variations of high-medium-low and the sometimes arcane rituals of how to "multiply" a medium rate of occurrence by a low impact. We've also likely felt vaguely uncomfortable about doing math on ratings but haven't really had an alternative. The authors are quick to assure us that there is a better way that will allow us to defensibly produce quantitative risk assessments using the data and knowledge we have (but may not realize we have). Their techniques relies on simulation - they call it "Monte Carlo" which would have put my long-ago professor in a computer simulation course into hysterics: "Monte Carlo is a method for integrating messy functions not a catchy byword for applying simulation to problems". A quick Google shows that "Monte Carlo" enjoys wide usage in the sense used by the authors but I still have the emotional scars from that course and won't use the term that way. To do a good simulation, you need reasonable data and the authors spend a good portion of the book showing that we know a lot more than we think we do. One of their core techniques is "calibration" which basically means that when an expert says that something has a probability of .2 to .4 they really mean it. While that sounds suspiciously obvious, the authors quote substantial research to show that experts, in the beginning, really don't believe their estimates (in the sense of being willing to wager on the outcome) but can be taught to produce good estimates. The tool they use for their simulation studies is the spreadsheet (examples available on the book's website), but rather than creating another spreadsheet oracle, they clearly explain how the spreadsheet calculations work so that the astute reader will be able to understand and defend their conclusions. There are a couple of pimples on this otherwise excellent presentation. First is that too much is made of the great frequentist versus subjectivist divide in the field of statistics. Outside of academia, I find that the professional statisticians I know (a biased sample if ever there was one) are frequentists when they can be and subjectivists the rest of the time. As one of the more waggish opined: "Whatever makes the math easier". If you must classify yourself, my advice is to follow the authors and be unabashedly subjectivist (or Bayesian). The second is the some of the presentation is frankly polemical and boils down to "If you don't agree with us then you don't understand statistics at all". The authors are experts in their field (otherwise we wouldn't be reading their book) and the research results of applying their techniques speak for themselves, so the polemics could have been left out with no loss to the presentation. Some readers may suffer from a phobia when it comes to statistics and probability (usually traceable to a bad experience in their first statistics class). The authors have successfully taught their methods to audiences from many backgrounds and the book is heavily tutorial in nature. When you finish working your way through it, you will be able to stare probability distributions, confidence intervals and other scary accoutrements of quantitative risk assessment in the eye without flinching. This is an awesome book on a critical topic. The decisions we made in securing our information assets, the infrastructures that support them and the services that depend on them are too critical for us to depend on mumbo jumbo when making decisions about risk. The authors make a forceful case that there is a better way that depends on comprehensible techniques with a substantial body of research in many fields behind them. I fervently hope that you will studiously read this book and apply its techniques in your own work. We and our profession will be all the better for it. ------------------------------ Date: Wed, 17 Aug 2016 11:11:11 -0800 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) <http://the.wiretapped.net/security/info/textfiles/risks-digest/> *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 29.78 ************************
Current thread:
- Risks Digest 29.78 RISKS List Owner (Sep 22)