RISKS Forum mailing list archives

Risks Digest 30.32


From: RISKS List Owner <risko () csl sri com>
Date: Sat, 10 Jun 2017 20:39:23 PDT

RISKS-LIST: Risks-Forum Digest  Saturday 10 June 2017  Volume 30 : Issue 32

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.32>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
How Russian Propaganda Spread from a Parody Website to Fox News
  (Neil MacFarquhar and Andrew Rossback)
Securing our election systems? (Slate)
Stolen Roambee property reports itself to owner (Mark Brader)
Voice synthesis (Mark Brader)
Internet cameras have hard-coded password that can't be changed
  (Ars Technica)
UK police arrest man via automatic face-recognition tech
  (Ars Technica)
Cyberattack on Britain's National Health Service -- A Wake-up Call
  for Modern Medicine (Monty Solmon)
Ponzi Scheme Meets Ransomware for a Doubly Malicious Attack
  (NYTimes)
Sneaky hackers use Intel management tools to bypass Windows firewall
  (Ars Technica)
Self-driving cars (Multiple items from Monty)
Re: Robot Copilot Lands 737 (Andrew Duane)
Re: Software is forever... Re: WannaCry (Paul Edwards)
Re: What Happens When Your Car Gets Hacked? (Dimitri Maziuk,
  Lothar Kimmeringer)
Re: Untold story of QF72: What happens when 'psycho' automation
  leaves pilots powerless? (John Levine, William Brodie-Tyrrell)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 10 Jun 2017 16:22:19 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: How Russian Propaganda Spread from a Parody Website to Fox News
  (Neil MacFarquhar and Andrew Rossback)

I've been meaning to submit this for the past few days, and finally
found a few spare moments:

How Russian Propaganda Spread from a Parody Website to Fox News
Neil MacFarquhar and Andrew Rossback
*The New York Times*, 8 June 2017

Here's the time sequence described in the article:

* Parody website (Made-up Russian attack on a U.S. shop)
* Facebook (Parody article shared)
* Russian TV (Invented a quote from a U.S. Air Force general)
* The Sun (Reported on the Russian TV story)
* FoxNews.com (Article reprinted with only hints of skepticism)

------------------------------

Date: Thu, 8 Jun 2017 12:18:46 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Securing our election systems? (Slate)

"Despite the alarms raised by these revelations in recent days, there has
been little discussion of solutions.  But the way forward is relatively
clear.  Protecting our elections against foreign attackers ultimately
requires the will to squarely address known vulnerabilities -- a will that
has been lacking in Washington."

http://www.slate.com/articles/technology/future_tense/2017/06/congress_needs_to_act_now_to_secure_our_election_systems.html

------------------------------

Date: Fri,  9 Jun 2017 05:09:40 -0400 (EDT)
From: msb () vex net (Mark Brader)
Subject: Stolen Roambee property reports itself to owner

At the Roambee factory in Santa Clara, California, one or more thieves (the
kind who are dumb enough to leave their own blood and other evidence behind
them) stole a box of 100 of what they thought were cellphone chargers.

Actually they were Roambee Bees, which are GPS-based trackers that broadcast
their location.  (Their intended use is that a company shipping goods puts
one in each shipment and can always know where it is.)  And they can't be
turned off.

It wasn't long before police recovered the stolen goods and made an arrest,
and meanwhile the Roambee company got some free advertising...

http://www.mercurynews.com/2017/06/06/sjm-roambee-0607/
http://www.sfgate.com/bayarea/article/any-11204181.php

------------------------------

Date: Fri,  9 Jun 2017 05:24:14 -0400 (EDT)
From: msb () vex net (Mark Brader)
Subject: Voice synthesis

It says here:

  http://www.tdbank.com/bank/tdvoiceprint.html
  http://www.td.com/ca/products-services/investing/td-direct-investing/trading-platforms/voice-print-system-enroll.jsp

that customers of the Toronto-Dominion Bank can arrange to have the bank's
computer identify them, in part, by recognizing their voice on the phone.
(I therefore presume that other banks are now doing this also.)

It says here:

    http://www.cbc.ca/news/any-1.4084423

that a new Canadian company called Lyrebird has produced software which
(they say), given a 1-minute high-quality recording of anyone's voice, can
produce a highly accurate simulation of that person saying anything the user
chooses.  And given a 5-minute recording, the quality would be extremely
hard to tell from the real thing.

And someone thought that this was a GOOD idea?

  [I presume Mark is referring to the Toronto-Dominion Bank phone voice
  scheme rather than the Lyrebird scheme.  The latter is obviously a good
  idea, because it clearly points to the stupidity of the former.  PGN]

------------------------------

Date: Fri, 9 Jun 2017 13:08:28 -0700
From: Monty Solomon <monty () roscom com>
Subject: Internet cameras have hard-coded password that can't be changed
  (Ars Technica)

https://arstechnica.com/security/2017/06/internet-cameras-expose-private-video-feeds-and-remote-controls/

------------------------------

Date: Fri, 9 Jun 2017 13:07:00 -0700
From: Monty Solomon <monty () roscom com>
Subject: UK police arrest man via automatic face-recognition tech
  (Ars Technica)

https://arstechnica.com/tech-policy/2017/06/police-automatic-face-recognition/

------------------------------

Date: Fri, 9 Jun 2017 13:08:53 -0700
From: Monty Solomon <monty () roscom com>
Subject: Task force tells Congress health IT security is in critical condition

https://arstechnica.com/security/2017/06/task-force-tells-congress-health-it-security-is-in-critical-condition/

------------------------------

Date: Fri, 9 Jun 2017 13:19:53 -0700
From: Monty Solomon <monty () roscom com>
Subject: Cyberattack on Britain's National Health Service -- A Wake-up Call
  for Modern Medicine

http://www.nejm.org/doi/full/10.1056/NEJMp1706754

------------------------------

Date: Fri, 9 Jun 2017 13:16:07 -0700
From: Monty Solomon <monty () roscom com>
Subject: Ponzi Scheme Meets Ransomware for a Doubly Malicious Attack

https://www.nytimes.com/2017/06/06/technology/hackers-ransomware-bitcoin-ponzi-wannacry.html

As more of our lives go online, online attackers are finding increasingly
creative ways to wreak havoc using ransomware, and now, pyramid schemes.

------------------------------

Date: Fri, 9 Jun 2017 13:09:57 -0700
From: Monty Solomon <monty () roscom com>
Subject: Sneaky hackers use Intel management tools to bypass Windows firewall
  (Ars Technica)

https://arstechnica.com/security/2017/06/sneaky-hackers-use-intel-management-tools-to-bypass-windows-firewall/

------------------------------

Date: Fri, 9 Jun 2017 13:16:41 -0700
From: Monty Solomon <monty () roscom com>
Subject: Self-driving cars

  [PGN has merged multiple items into one message:]

https://www.nytimes.com/2017/06/07/technology/google-self-driving-cars-handoff-problem.html
Robot Cars Can't Count on Us in an Emergency
Scientists call it the *handoff* problem. How do you keep humans focused
enough to take control of a self-driving car in an emergency?
  [This is an old argument that Don Norman has addressed.  Partial automation
  is risky.  On the other hand, if total automation allows overrides, it is
  really only partial automation, and risky!  PGN]

https://www.nytimes.com/2017/06/07/technology/autonomous-car-technology-challenges.html
A Guide to Challenges Facing Self-Driving Car Technologists
The underlying technology of autonomous vehicles has made dramatic strides
in recent years. But there are still plenty of issues to be worked out.

https://www.nytimes.com/2017/06/07/technology/why-car-companies-are-hiring-computer-security-experts.html
Why Car Companies Are Hiring Computer Security Experts: Researchers have
proved a car can be remotely hacked. Now imagine if that car was being
driven entirely by a computer.

https://www.nytimes.com/2017/06/07/technology/electronic-setups-of-driverless-cars-vulnerable-to-hackers.html
Electronic Setups of Driverless Cars Vulnerable to Hackers:
As cars become more like computers, cybercriminals will have more ways to
get into their important systems.

------------------------------

Date: Fri, 9 Jun 2017 08:58:36 -0400
From: Andrew Duane <e91.waggin () gmail com>
Subject: Re: Robot Copilot Lands 737 (RISKS-30.30)

... and also Re: Untold story of QF72: What happens when 'psycho' automation
  leaves pilots powerless?  (RISKS-30.30)

To paraphrase an old joke:

In the future, the cockpit of an airplane will have a computer, a pilot,
and a dog.
It's the computer's job to fly the plane.
It's the pilot's job to watch over the computer.
It's the dog's job to bite the pilot if he tries to touch the controls.

  [Indeed, an old joke, but we have lots of young readers, so it might
  be okay to run it every 20 years:
  In November 1997, RISKS-19.47 had this line from Robert Dorsett:
    "With autopilots, who needs a dog to keep an eye on the pilot?"
  (This was in a delightful item of a plane that took off without its pilot
  after he got out to crank the propeller.)

  Incidentally, in its early days, NASA insisted that computers had to be
  buried under layers of equipment so that it would be very difficult for
  astronauts to fiddle with the hardware.  There was one later case where an
  in-space repair actually had to be made.  However, software is easy to
  remediate without physical access.  PGN]

------------------------------

Date: Fri, 9 Jun 2017 20:35:52 +1000
From: Paul Edwards <paule () cathicolla com>
Subject: Re: Software is forever... Re: WannaCry (Keating, RISKS 30.31)

... How bad would the state need to be before this last option starts
looking good?

Far, far worse than it does now, frankly. One issue that is often overlooked
in this debate is that of application affinity.

I work in financial services; it's scary how many applications will not work
on anything more modern than Windows XP, or rely on appallingly out-of-date
and deprecated versions of Java. A friend of mine works in healthcare in IT;
she faces a similar problem with certain applications that are used to
monitor patient well-being in ICU.

Forcibly turning off non-supported OSes, frameworks or languages that the
given applications require? What could possibly go wrong?

------------------------------

Date: Thu, 8 Jun 2017 16:29:37 -0500
From: Dimitri Maziuk <dmaziuk () bmrb wisc edu>
Subject: Re: What Happens When Your Car Gets Hacked? (Ross, RISKS-30.31)

As synchronicity would have it, RedHat has recently fixed a security problem
in Remote Procedure Calls detailed in CVE-2017-8779:

".. a memory leak can occur when parsing specially crafted XDR messages. An
attacker sending thousands of messages to rpcbind could cause its memory
usage to grow without bound, eventually causing it to be terminated"

The "fix" is causing rpcbind to crash 4 seconds after starting.

By now probably the largest user of RPC is file sharing via Network File
System (NFS) and the result of the "fix" is network shares disappearing.  If I
remember my NFS correctly, this would not affect already connected shares,
so the problem may possibly go unnoticed for quite some time.

We downgraded our rpcbind and are waiting for the fix of the fix. In the
meantime other patches are not getting installed so as to not accidentally
reinstall the bad one.

Funny enough, the "older unpatched" RHEL 5 systems are not very vulnerable
to this particular problem because they're EOL and not receiving any fixes
anymore. Including bad ones. The vulnerability itself requires a skilled
attacker inside your security perimeter sending "thousands of specially
crafted messages" to eventually accomplish the exact thing that RedHat did
in 4 seconds with a single patch.
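
A post-patch check for the failure mode Dimitri describes, added here as an
example that is not part of his post or of Red Hat's tooling: it probes
rpcbind repeatedly right after a restart, so a daemon that dies a few seconds
in is caught even while existing NFS mounts keep working.  It assumes
rpcinfo(8) from the rpcbind package; fake_probe and the timings are
constructed for the self-test only.

```shell
#!/bin/sh
# probe_survives SECONDS PROBE...
# Runs PROBE once per PROBE_INTERVAL (default 1s) for SECONDS checks and
# succeeds only if every run succeeds; reports the check at which it failed.
PROBE_INTERVAL=${PROBE_INTERVAL:-1}

probe_survives() {
    _secs=$1; shift
    _i=0
    while [ "$_i" -lt "$_secs" ]; do
        if ! "$@" >/dev/null 2>&1; then
            echo "probe '$*' failed at check $_i"
            return 1
        fi
        _i=$((_i + 1))
        sleep "$PROBE_INTERVAL"
    done
    echo "probe '$*' healthy for $_secs checks"
    return 0
}

# check_rpcbind [SECONDS]: run right after 'systemctl restart rpcbind'.
# 'rpcinfo -p' exits non-zero when it cannot contact the portmapper, which is
# what a crashed rpcbind looks like even though already-mounted NFS shares
# continue to work and hide the problem.
check_rpcbind() {
    probe_survives "${1:-10}" rpcinfo -p localhost
}

# Constructed stand-in for the self-test (hypothetical, not a real daemon):
# a probe that succeeds for the first N calls and then fails, mimicking an
# rpcbind that dies shortly after start.
FAKE_CALLS=0
fake_probe() {
    FAKE_CALLS=$((FAKE_CALLS + 1))
    [ "$FAKE_CALLS" -le "$1" ]
}

# Usage on a freshly patched host:  systemctl restart rpcbind && check_rpcbind 10
```

Run it from a monitoring job rather than once by hand: the post's point is
that the breakage stays invisible until the next new mount.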

------------------------------

Date: Fri, 9 Jun 2017 21:51:07 +0200
From: Lothar Kimmeringer <lothar () kimmeringer de>
Subject: Re: What Happens When Your Car Gets Hacked? (Ross, RISKS-30.30)

knowledgeable Windows 7 users block automatic patches [...]
They wait a week or more to see what others experience with
new patches before accepting them.

The patch for the bug in SMB was marked as "critical, wormable".  Whoever
calls him/herself "knowledgeable" and waits with installing that kind of
patch, should be called by others in a completely different way.

Waiting to install a patch that fixes a typo in a context menu is one thing,
but ignoring a patch fixing a wormable bug is something completely
different. That's an announced shot into your own foot or - taking real
consequences into account - potentially killing people in the UK because
they couldn't be treated after the hospitals' computers got affected.

------------------------------

Date: 8 Jun 2017 23:01:26 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: Untold story of QF72: What happens when 'psycho' automation
  leaves pilots powerless? (Manning, RISKS-30.31)

 ... sometimes with disastrous results.

But sometimes without.  In this article, William Langewiesche credits the
successful ditching of US 1549 as much to the Airbus flight automation as to
the skill of the pilot.

http://www.vanityfair.com/culture/2009/06/us_airways200906

The question is whether the pilot or the software is more likely to go nuts.
The answer is not obvious to me, particularly in cases like the Air France
flight off Brazil where the instruments went nuts in a way that would have
been harmless if the crew ignored them, but instead the crew did exactly the
wrong thing and lost the plane.

------------------------------

Date: Fri, 9 Jun 2017 08:56:31 +0930
From: William Brodie-Tyrrell <william () brodie-tyrrell org>
Subject: Re: Untold story of QF72: What happens when 'psycho' automation
  leaves pilots powerless? (Manning, RISKS-30.31)

Does Prof. Leveson also refuse to go near roads?

This is a wonderful illustration of people who should know better still
optimising away the tiniest risks that seem controllable while ignoring
other greater but less-newsworthy risks.  I can well believe that the Boeing
philosophy is safer, but I'd take the deaths per passenger-mile in an Airbus
over just about any other form of transport including a taxi to the airport.

In light of terrorism vs car crashes, Airbus vs heart attacks, sharks vs
falling out of bed, one could almost make a generalisation that "if
everyone is frightened of it, it's probably not a threat to you".  Same
thing seems to apply in infosec: all the panic over 0-days, APT, etc vs
people not bothering to apply vendors' patches and reusing the same
password on 50 different websites.

------------------------------

Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.32
************************