The RISKS Digest
Volume 29 Issue 78

Thursday, 22nd September 2016

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

FBI overpaid $999,900 to crack San Bernardino iPhone 5c password
Dan Jacobson
Yahoo! confirms major breach that could be the largest hack ever: at least 500 million people
Business Insider
Microsoft dismisses Exchange vulnerability report
Peter Houppermans
How a few words to Siri unlocked a man's front door and exposed a major security flaw in Apple's HomeKit
Forbes
Police try to arrest robot
Al Macintyre
Chicago woman launches lawsuit against Canadian maker of app-based vibrator
CTVnews via Jim Reisert
The risks of getting your email address wrong
Amrith Kumar
For the Debaters: What Shall We Do About the Tech Careening Our Way?
NYTimes
The Success of the Voter Fraud Myth
NYTimes
Wells Fargo Warned Workers Against Sham Accounts, but 'They Needed a Paycheck'
NYTimes
World Economy at RISK? new TiSA-leaks
Wikileaks via Werner U
Re: Tesla fatal crash in Baarn, The Netherlands
Kurt Seifried
Martin Ward
Re: PC without OS
Dimitri Maziuk
Martin Ward
REVIEW: How to Measure Anything in Cybersecurity Risk, Douglas W. Hubbard and Richard Seiersen
Richard Austin
Info on RISKS (comp.risks)

FBI overpaid $999,900 to crack San Bernardino iPhone 5c password

Dan Jacobson <jidanni@jidanni.org>
Tue, 20 Sep 2016 12:28:43 +0800
http://www.theregister.co.uk/2016/09/19/fbi_overpaid_999900_to_crack_san_bernardino_iphone_5c_password/
Hacker brews fast NAND mirroring prototype for $100.
University of Cambridge senior research associate Sergei Skorobogatov
has laid waste to United States Federal Bureau of Intelligence (FBI)
assertions about iPhone security by demonstrating password bypassing
using a $100 NAND mirroring rig...


Yahoo! confirms major breach that could be the largest hack ever: at least 500 million people (Business Insider)

Lauren Weinstein <lauren@vortex.com>
Thu, 22 Sep 2016 12:06:02 -0700
via NNSquad
http://www.businessinsider.com/yahoo-hack-by-state-sponsored-actor-biggest-of-all-time-2016-9?op=1

  Yahoo revealed a massive data breach of its services on Thursday.  Yahoo
  "has confirmed that a copy of certain user account information was stolen
  from the company's network in late 2014 by what it believes is a
  state-sponsored actor," the company posted on its investor relations page.
  The stolen data include names, email addresses, telephone numbers,
  birthdays, hashed passwords, and some "unencrypted security questions and
  answers."  Yahoo believes that "at least" 500 million user account
  credentials were stolen, which would make it the biggest breach of all
  time, bigger than the MySpace breach of 427 million user accounts.

Note the part about "unencrypted security questions and answers." The
continued use of security questions is a scourge on security, even for
people who (as I generally recommend) provide different fake answers to
those questions at different sites, rather than the real answers to those
common questions that could subvert their security later.


Microsoft dismisses Exchange vulnerability report

Peter Houppermans <peter@houppermans.net>
Mon, 19 Sep 2016 13:31:02 +0200
It may be worthwhile to provide a bit of depth to the article "Microsoft
dismisses Exchange vulnerability report" at
<http://www.theregister.co.uk/2016/09/19/ms_exchange_alleged_bug/> to see
what the fuss is all about.

The issue is that the auto-discovery process prescribed for Microsoft
Exchange clients is not just not too fussy about whom it talks to, it also
doesn't do quite what you would expect.  When you set up a new MS Exchange
client to access "mailserver.domain.com", it first tries to talk to just
"domain.com" and, if presented with an SSL cert that has a trusted root, it
is quite happy to supply the password for the user in cleartext as answer to
a normal Apache authentication query (hence only needing a few lines of code
to exploit it - all the required tools are already built into any
webserver).

In other words, you may have secured your internal MS Exchange server, but
if the public webserver of that domain is hacked (on account of being
typically less secure) you may already be leaking passwords.  As a bonus,
the client will frequently revisit that URL to pick up configuration changes
so your hacked webserver will get plenty of opportunity to grab the user's
password..

.. which may be the keys to the Kingdom as most organisations use Single
Sign On.  Uh oh.

There seems to be no real mitigation possible other than bolting down the
associated webserver as it's simply the way the protocol is set up.
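A way to audit your own domain for the exposure described in this post, as an added example that is not part of the original message or of any Microsoft tooling. It assumes the Outlook lookup order (root-domain HTTPS host first, then the autodiscover subdomain) and treats an HTTP authentication challenge from the plain web host as the signal that a client would submit credentials to it.

```python
"""Exchange Autodiscover exposure audit (added example, not from the post).

Assumption: Outlook first POSTs to https://<domain>/autodiscover/autodiscover.xml,
i.e. the ordinary web host of the mail domain, before autodiscover.<domain>.
A trusted-TLS web host that answers that POST with a 401 challenge will be
handed the mailbox password by the client.
"""
from __future__ import annotations

import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass


def candidate_urls(domain: str) -> list[str]:
    """Autodiscover URLs a client tries for `domain`, in the assumed order."""
    d = domain.lower().strip(".")
    return [
        f"https://{d}/autodiscover/autodiscover.xml",
        f"https://autodiscover.{d}/autodiscover/autodiscover.xml",
    ]


@dataclass
class Verdict:
    url: str
    status: int | None
    exposed: bool
    reason: str


def classify(url: str, status: int | None, headers: dict[str, str]) -> Verdict:
    """Decide from status/headers whether a client would hand over credentials."""
    www_auth = headers.get("www-authenticate", "").lower()
    ctype = headers.get("content-type", "").lower()
    if status == 401 and www_auth:
        scheme = www_auth.split()[0]
        return Verdict(url, status, True, f"auth challenge ({scheme}) from web host")
    if status == 200 and "xml" in ctype:
        # The web host is answering as the Autodiscover service itself, so its
        # XML decides which servers the client is configured to talk to.
        return Verdict(url, status, True, "web host serves Autodiscover XML")
    if status in (301, 302, 307, 308):
        loc = headers.get("location", "<missing Location>")
        return Verdict(url, status, False, f"redirects to {loc}; audit that host too")
    return Verdict(url, status, False, "no credential prompt observed")


def probe(url: str, timeout: float = 5.0) -> Verdict:
    """Send an Autodiscover-style POST over verified TLS and classify the reply."""
    req = urllib.request.Request(url, data=b"<Autodiscover/>", method="POST",
                                 headers={"Content-Type": "text/xml"})
    ctx = ssl.create_default_context()  # trusted-root check, as the client does
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify(url, resp.status, {k.lower(): v for k, v in resp.headers.items()})
    except urllib.error.HTTPError as err:  # 401/404/... still carry headers
        return classify(url, err.code, {k.lower(): v for k, v in err.headers.items()})
    except (urllib.error.URLError, OSError) as err:
        return Verdict(url, None, False, f"unreachable: {err}")


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder
    for u in candidate_urls(domain):
        v = probe(u)
        print(("EXPOSED " if v.exposed else "ok      ") + f"{u}: {v.reason}")
```

Run it against a domain you administer; an EXPOSED verdict on the first URL means the web host, not the mail server, is fielding the client's first credentialed request.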


How A Few Words To Siri Unlocked A Man's Front Door And Exposed A Major Security Flaw In Apple's HomeKit

Lauren Weinstein <lauren@vortex.com>
Wed, 21 Sep 2016 08:49:15 -0700
NNSquad

  The iPad Pro sitting in the living room was able to hear Mike through the
  front door and issued the unlock command. Marcus was stunned. The two
  laughed it off. Marcus then tried to repeat the unlocking trick several
  more times and was surprised by how easy it was. He didn't even have to
  yell that loud.

http://www.forbes.com/sites/aarontilley/2016/09/21/apple-homekit-siri-security/#753ca1b36e8a


Police try to arrest robot

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Fri, 16 Sep 2016 22:07:34 -0500
Its alleged offenses:

* Disruptive at political rally

* Run away from home

* Jaywalking not at legal place to cross street, then park in middle of
  road, blocking traffic

http://www.mirror.co.uk/news/weird-news/notorious-runaway-robot-escaped-lab-8846563


Chicago woman launches lawsuit against Canadian maker of app-based vibrator

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Sun, 18 Sep 2016 17:05:40 -0600
The Canadian Press, 14 Sep 2016

http://ottawa.ctvnews.ca/chicago-woman-launches-lawsuit-against-canadian-maker-of-app-based-vibrator-1.3071873

  TORONTO—An American woman has launched a proposed class-action lawsuit
  against the Canadian-owned maker of a smartphone-enabled vibrator,
  alleging the company sells products that secretly collect and transmit
  "highly sensitive" information.

  The suit alleges that unbeknownst to its customers, Standard Innovation
  designed the We-Connect app to collect and record intimate and sensitive
  data on use of the vibrator, including the date and time of each use as
  well as vibration settings.


The risks of getting your email address wrong

"Amrith Kumar" <amrith.kumar@gmail.com>
Mon, 19 Sep 2016 13:24:17 -0400
These days we receive more and more communications via electronic means. It
has been suggested that electronic delivery has a lower chance of misplaced
delivery and the associated risks of identity theft.

However, as more and more people begin to use email, the exact risks that we
had with postal mail appear to be coming to electronic delivery as well.

Whether it is the consumer who provides an incorrect email address, or the
receiver of the email address making a mistake in writing it down, or the
lack of a confirm-your-email mechanism, you end up with the exact same risks
as we had before.

I've written about my own ongoing saga with this (thankfully, this is not my
own identity that is at risk here).

Details at
https://hypecycles.com/2016/09/18/the-saga-of-the-mixed-up-email-continues/

A number of people (at this point, I can count three distinct people) have
mistakenly provided my email address as their own, in registrations for
cellphone bills, and life insurance.

Some vendors send information to email with no security (encrypted PDF, for
example). Others send documents with encryption using trivial passwords
(name+MMDD of birthday). To make it easier for you to guess the MMDD, they
send birthday wishes as well.

The question:

Shouldn't there be a universal 'opt-in' mechanism before any automated
system accepts an email address to be legitimate? Something based on a
shared secret is so trivial to implement, I wonder why it isn't mandatory,
or at least best practice.
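One way to implement the shared-secret opt-in the post asks for, as an added example that is not part of the original message: the service mails a signed, time-limited token to the address, and only a confirmation that returns the token marks the address as legitimate for automated delivery. The secret key, token lifetime and in-memory "verified" set are assumptions for the example.

```python
"""Double opt-in e-mail confirmation (added example, not from the post).

Assumes a server-side HMAC key held only by the service. The token binds the
normalised address to an expiry, so nothing needs to be stored until the
recipient proves control of the mailbox by returning it.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)   # in production: loaded from a secret store
TOKEN_TTL = 24 * 3600                   # seconds the confirmation link stays valid
VERIFIED: set[str] = set()              # addresses that completed opt-in


def _normalise(email: str) -> str:
    return email.strip().lower()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(email: str, now: float | None = None, key: bytes = SECRET_KEY) -> str:
    """Token to embed in the confirmation link sent to `email`."""
    exp = int((time.time() if now is None else now) + TOKEN_TTL)
    payload = json.dumps({"email": _normalise(email), "exp": exp},
                         separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, email: str, now: float | None = None,
                 key: bytes = SECRET_KEY) -> bool:
    """True only if the signature is valid, unexpired and bound to `email`."""
    try:
        p_enc, s_enc = token.split(".", 1)
        payload, sig = _unb64(p_enc), _unb64(s_enc)
    except (ValueError, TypeError):
        return False
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return False
    data = json.loads(payload)
    if data["exp"] < (time.time() if now is None else now):
        return False
    return data["email"] == _normalise(email)


def confirm(token: str, email: str, now: float | None = None) -> bool:
    """Called when the recipient follows the link; records the address if valid."""
    if not verify_token(token, email, now):
        return False
    VERIFIED.add(_normalise(email))
    return True


def may_send_documents(email: str) -> bool:
    """Gate for any automated mailing of statements, bills or policies."""
    return _normalise(email) in VERIFIED
```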


For the Debaters: What Shall We Do About the Tech Careening Our Way?

Monty Solomon <monty@roscom.com>
Wed, 21 Sep 2016 09:41:59 -0400
http://www.nytimes.com/2016/09/22/technology/for-the-debaters-what-shall-we-do-about-the-tech-careening-our-way.html

Autonomous vehicles are symbolic of numerous technology advances, each
requiring a close look at benefits and risks, and leadership to navigate
them.


The Success of the Voter Fraud Myth (NYTimes)

Dewayne Hendricks <dewayne@warpspeed.com>
September 20, 2016 at 5:07:31 AM EDT
The Editorial Board of *The New York Times*, 19 Sep 2016
http://www.nytimes.com/2016/09/20/opinion/the-success-of-the-voter-fraud-myth.html

How does a lie come to be widely taken as the truth?

The answer is disturbingly simple: Repeat it over and over again. When faced
with facts that contradict the lie, repeat it louder.

This, in a nutshell, is the story of claims of voting fraud in America --
and particularly of voter impersonation fraud, the only kind that voter ID
laws can possibly prevent.

Last week, a Washington Post-ABC News poll found that nearly half of
registered American voters believe that voter fraud occurs "somewhat" or
"very" often. That astonishing number includes two-thirds of people who
say they're voting for Donald Trump and a little more than one-quarter of
Hillary Clinton supporters. Another 26 percent of American voters said that
fraud "rarely" occurs, but even that characterization is off the
mark. Just 1 percent of respondents gave the answer that comes closest to
reflecting reality: "Never."

As study after study has shown, there is virtually no voter fraud anywhere
in the country. The most comprehensive investigation to date found that out
of one billion votes cast in all American elections between 2000 and 2014,
there were 31 possible cases of impersonation fraud. Other violations --
like absentee ballot fraud, multiple voting and registration fraud—are
also exceedingly rare. So why do so many people continue to believe this
falsehood?

Credit for this mass deception goes to Republican lawmakers, who have for
years pushed a fake story about voter fraud, and thus the necessity of voter
ID laws, in an effort to reduce voting among specific groups of
Democratic-leaning voters. Those groups—mainly minorities, the poor and
students—are less likely to have the required forms of identification.

Behind closed doors, some Republicans freely admit that stoking false fears
of electoral fraud is part of their political strategy. In a recently
disclosed email from 2011, a Republican lobbyist in Wisconsin wrote to
colleagues about a very close election for a seat on the State Supreme
Court.  "Do we need to start messaging 'widespread reports of election
fraud' so we are positively set up for the recount regardless of the final
number?" he wrote. "I obviously think we should."

Sometimes they acknowledge it publicly. In 2012, a former Florida Republican
Party chairman, Jim Greer, told *The Palm Beach Post* that voter ID laws and
cutbacks in early voting are "done for one reason and one reason only" --
to suppress Democratic turnout. Consultants, Mr. Greer said, "never came in
to see me and tell me we had a fraud issue. It's all a marketing ploy."

The ploy works. During the 2012 election, voter ID laws in Kansas and
Tennessee reduced turnout by about 2 percent, or about 122,000 votes,
according to a 2014 analysis by the Government Accountability
Office. Turnout fell the most among young people, African-Americans and
newly registered voters. Another study analyzing elections from 2006 through
2014 found that voting by eligible minority citizens decreased significantly
in states with voter ID laws and "that the racial turnout gap doubles or
triples in states" with those laws.

There are plenty of shortcomings in the American voting system, but most are
a result of outdated machines, insufficient resources or human error—not
intentional fraud. All of these are made only worse by shutting down polling
places or eliminating early voting hours, measures frequently supported by
Republican legislators.


Wells Fargo Warned Workers Against Sham Accounts, but 'They Needed a Paycheck' (NYTimes, re: RISKS-29.76)

Monty Solomon <monty@roscom.com>
Mon, 19 Sep 2016 22:16:25 -0400
http://www.nytimes.com/2016/09/17/business/dealbook/wells-fargo-warned-workers-against-fake-accounts-but-they-needed-a-paycheck.html

Former employees say that their managers warned them not to bend the rules,
but they felt pressured by the bank's aggressive sales culture to create
fake accounts anyway.


World Economy at RISK? new TiSA-leaks

Werner U <werneru@gmail.com>
Sat, 17 Sep 2016 04:07:22 +0200
(Wikileaks via Twitter, 15 Sep 2016)

  [The claim is TiSA nations account for "...over 2/3rds of global GDP".]

New negotiating docs & analysis for 52-country mega 'trade' deal #*TiSA*
<https://twitter.com/wikileaks/status/776391090576457728>

Today, Thursday, 15 September 2016, 11:00am CEST, on the eve of new
negotiations, WikiLeaks releases new secret documents from the controversial
Trade in Services Agreement (TiSA) currently being negotiated by the US, EU
and 22 other countries that account for over 2/3rds of global GDP. ...
<https://wikileaks.org/tisa/>

"According to World Bank figures
<http://data.worldbank.org/indicator/BG.GSR.NFSV.GD.ZS> services comprise
around 75% of the EU economy, 80% of the US economy and the majority of
economies of most countries. The global economy is shifting towards a
service-oriented economy. Cross-border trade in services accounted for
around 13% of the global GDP in 2015; for the EU twice that figure (around
24% of its
total GDP). But it is not just these numbers alone that prove that the TiSA
negotiations deserve a much higher attention in the public discussion than
they currently have.

"Successful opposition mounted to TPP and TTIP by a broad spectrum of
actors—from movements, to farmers, to elites—means the neo-liberal
lobby now places its hopes in TiSA as the vehicle for rewriting global
rules and for securing a charter of corporate rights behind closed doors.
The TiSA core text is not the main site of dissent, because it is designed
to re-insert back into the WTO. It does reveal two major points of
disagreement (most-favored nation treatment and domestic regulation) which
are important because the US and EU are facing off on issues that are
critical. The major disagreements that are likely to prove most problematic
are occurring off stage in the annexes.

"The published documents are from June and July 2016, and document the state
of negotiations before and after the previous TiSA round. By comparing the
TiSA Core Text and the corresponding Annexes with previous releases of the
same documents from WikiLeaks, the public can gain insight into how
governments and negotiators shift positions on certain aspects of the text
over time. This is also reflected in the three analysis documents that
express the expert opinions on selected chapters and annexes of TiSA.

"This release comes just days before the next TiSA negotiation round begins
on September 19th, 2016 in Geneva. The publication of additional TiSA
documents is planned for the near future."


Re: Tesla fatal crash in Baarn, The Netherlands (Kristiansen, R-29.77)

Kurt Seifried <kurt@seifried.org>
Fri, 16 Sep 2016 16:25:41 -0600
I'm going to assume that the majority of Tesla drivers are carrying a cell
phone, most likely a smart phone. So the privacy ship has sailed, hit an
iceberg and sunk already. Your carrier knows where you are for sure, and
many of your apps are also snitching on your location. Just wait until a
self driving car service uses biometric identification to helpfully bill you
for car use in case you forgot/lost your cell or want to ride share/split
the cost.

Humans suck at paying attention when they are trying. When they're not even
trying...  According to the numbers I can find: "1 out of every four car
accidents in the United States is caused by texting and driving."  That's
even more terrible than I would have guessed.


Re: Tesla fatal crash in Baarn, The Netherlands (Kristiansen, R-29.77)

Martin Ward <martin@gkc.org.uk>
Sat, 17 Sep 2016 16:13:17 +0100
Few, if any, cars are designed to withstand a head-on collision with a tree
at 95 mph. The Tesla battery has much stronger protection than the fuel tank
of a petrol or diesel vehicle, which, of course, contains a highly
inflammable liquid. Elon Musk claimed, in 2013, that a fire was five times
more likely in a gasoline car than in a Tesla car. This was before the
0.25-inch aluminium shield around the battery was upgraded to a three-layer
titanium shield.

In the UK alone there were nearly 20,000 accidental road vehicle fires in
2003, about 40 per billion km, with 79 fatalities:

http://webarchive.nationalarchives.gov.uk/20120919132719/http://www.communities.gov.uk/pub/894/FireStatisticsUnitedKingdom2003PDF1724Kb_id1124894.pdf

The telemetry communicated to Tesla is only vehicle diagnostics:
https://www.youtube.com/watch?v=cRHH7NmoVPk
(See from 9:00 to 10:55)

Other data is stored locally on the car. When you are involved in a head-on
collision with a tree at 95 mph you have forfeited your privacy where this
would prevent the investigators from finding out exactly what happened.


Re: PC without OS (Ward, RISKS-29.78)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Sat, 17 Sep 2016 13:58:54 -0500
No, the monopoly OS supplier can pay PC makers to include a copy of Windows
with every PC they are selling *for $500*. Nobody's stopping them from
selling barebones PCs *for $1000*.

If you read the article, "the CJEU ruled that it's legal to bundle PCs with
software without indicating their prices separately" while refusal to offer
"no OS" option is up to the local courts to rule on.

Aside from the guy getting a Windows discount on his laptop *and* asking for
Windows MSRP back (plus a few grand in damages), Apple is bundling iOS with
iPhone while AT&T is bundling their product'n'service with hugely discounted
Samsung handsets. You seriously expect a court to rule all that illegal in
the entire EU?


Re: PC without OS (Sayer, RISKS-29.76)

Martin Ward <martin@gkc.org.uk>
Sat, 17 Sep 2016 15:29:23 +0100
The missing middle term of the syllogism (which was omitted because it is
widely acknowledged and understood) is that without a legal obligation to
offer a machine without an OS, the monopoly OS supplier (Microsoft) can
force PC makers to include a copy of Windows with *every* PC that they sell:
effectively eliminating competition from the

So, consumers are unable to buy a PC from a major manufacturer
without paying the "Microsoft Tax": whether they want to or not.


REVIEW: How to Measure Anything in Cybersecurity Risk, Douglas W. Hubbard and Richard Seiersen

"Cipher Editor" <cipher-editor@ieee-security.org>
Tue, 20 Sep 2016 00:33:58 -0600
  Excerpted from the Electronic CIPHER, Issue 134, 19 Sep 2016
  Newsletter of the IEEE Computer Society's TC on Security and Privacy
  Hilarie Orman, Editor; Sven Dietrich, Assoc. Editor
  cipher-editor@ieee-security.org, cipher-assoc-editor@ieee-security.org

Book Review by Richard Austin, September 15, 2016

Douglas W. Hubbard and Richard Seiersen
How to Measure Anything in Cybersecurity Risk
Wiley 2016.
ISBN 978-1-119-08529-4
Table of Contents:
http://www.wiley.com/WileyCDA/WileyTitle/productCd-1119085292.html

This is a very useful follow-up to Hubbard's previous book "How to Measure
Anything: Finding the Value of Intangibles in Business" applied to
cybersecurity risk.  Though this book can be read standalone, many details
are referenced to the previous one, and it would be good to have a copy at
hand for reference.  The book addresses the very important question: Is it
really possible to do anything beyond rating scales when assessing
cybersecurity risk?  We're all familiar with variations of high-medium-low
and the sometimes arcane rituals of how to "multiply" a medium rate of
occurrence by a low impact.  We've also likely felt vaguely uncomfortable
about doing math on ratings but haven't really had an alternative.

The authors are quick to assure us that there is a better way that will
allow us to defensibly produce quantitative risk assessments using the data
and knowledge we have (but may not realize we have).

Their technique relies on simulation - they call it "Monte Carlo" which
would have put my long-ago professor in a computer simulation course into
hysterics: "Monte Carlo is a method for integrating messy functions not a
catchy byword for applying simulation to problems".  A quick Google shows
that "Monte Carlo" enjoys wide usage in the sense used by the authors but I
still have the emotional scars from that course and won't use the term that
way.

To do a good simulation, you need reasonable data and the authors spend a
good portion of the book showing that we know a lot more than we think we
do.  One of their core techniques is "calibration" which basically means
that when an expert says that something has a probability of .2 to .4 they
really mean it.  While that sounds suspiciously obvious, the authors quote
substantial research to show that experts, in the beginning, really don't
believe their estimates (in the sense of being willing to wager on the
outcome) but can be taught to produce good estimates.

The tool they use for their simulation studies is the spreadsheet (examples
available on the book's website), but rather than creating another
spreadsheet oracle, they clearly explain how the spreadsheet calculations
work so that the astute reader will be able to understand and defend their
conclusions.

There are a couple of pimples on this otherwise excellent presentation.
First is that too much is made of the great frequentist versus subjectivist
divide in the field of statistics.  Outside of academia, I find that the
professional statisticians I know (a biased sample if ever there was one)
are frequentists when they can be and subjectivists the rest of the time.
As one of the more waggish opined: "Whatever makes the math easier".  If you
must classify yourself, my advice is to follow the authors and be
unabashedly subjectivist (or Bayesian).  The second is that some of the
presentation is frankly polemical and boils down to "If you don't agree with
us then you don't understand statistics at all".  The authors are experts in
their field (otherwise we wouldn't be reading their book) and the research
results of applying their techniques speak for themselves, so the polemics
could have been left out with no loss to the presentation.

Some readers may suffer from a phobia when it comes to statistics and
probability (usually traceable to a bad experience in their first statistics
class).  The authors have successfully taught their methods to audiences
from many backgrounds and the book is heavily tutorial in nature.  When you
finish working your way through it, you will be able to stare probability
distributions, confidence intervals and other scary accoutrements of
quantitative risk assessment in the eye without flinching.

This is an awesome book on a critical topic.  The decisions we make in
securing our information assets, the infrastructures that support them and
the services that depend on them are too critical for us to depend on mumbo
jumbo when making decisions about risk.  The authors make a forceful case
that there is a better way that depends on comprehensible techniques with a
substantial body of research in many fields behind them.  I fervently hope
that you will studiously read this book and apply its techniques in your own
work.  We and our profession will be all the better for it.
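The kind of simulation the review describes, carried out in plain Python rather than a spreadsheet, as an added example that is neither the book's nor the reviewer's code. It takes, for each risk, a calibrated per-year probability of occurrence and a 90% confidence interval for the loss if it occurs, and assumes the loss within that interval is lognormally distributed (my modelling choice for the example, not something the review states); the risk register values are constructed.

```python
"""Monte Carlo annual-loss simulation from calibrated estimates (added example).

Each risk is (p, lo, hi): calibrated probability the event happens in a year,
and a 90% confidence interval [lo, hi] for the loss when it does. Assumption:
the loss is lognormal, so the interval fixes the distribution's parameters.
Only the standard library is used.
"""
from __future__ import annotations

import math
import random
import statistics

Z90 = 1.6449   # z-score bounding a two-sided 90% interval

# Constructed risk register: (p per year, 90% CI low, 90% CI high) in dollars.
RISKS = [
    (0.30, 50_000, 1_000_000),     # e.g. credential phishing leading to fraud
    (0.05, 500_000, 20_000_000),   # e.g. large customer-data breach
    (0.50, 5_000, 100_000),        # e.g. commodity malware cleanup
]


def lognormal_params(lo: float, hi: float) -> tuple[float, float]:
    """Convert a 90% CI on loss into lognormal (mu, sigma) of the underlying normal."""
    if not 0 < lo < hi:
        raise ValueError("need 0 < lo < hi")
    mu = (math.log(lo) + math.log(hi)) / 2
    sigma = (math.log(hi) - math.log(lo)) / (2 * Z90)
    return mu, sigma


def simulate_year(risks, rng: random.Random) -> float:
    """One trial: each risk fires with its probability and draws a loss."""
    total = 0.0
    for p, lo, hi in risks:
        if rng.random() < p:
            mu, sigma = lognormal_params(lo, hi)
            total += rng.lognormvariate(mu, sigma)
    return total


def simulate(risks, trials: int = 10_000, seed: int = 1) -> list[float]:
    """Sorted annual-loss outcomes over `trials` simulated years (seeded for repeatability)."""
    rng = random.Random(seed)
    return sorted(simulate_year(risks, rng) for _ in range(trials))


def exceedance(losses: list[float], threshold: float) -> float:
    """Probability that annual loss is at least `threshold` (one point on a loss-exceedance curve)."""
    return sum(1 for x in losses if x >= threshold) / len(losses)


def summary(losses: list[float]) -> dict[str, float]:
    n = len(losses)
    return {
        "mean": statistics.fmean(losses),
        "median": losses[n // 2],
        "p90": losses[int(0.90 * n)],
        "p99": losses[int(0.99 * n)],
    }


if __name__ == "__main__":
    outcomes = simulate(RISKS)
    for k, v in summary(outcomes).items():
        print(f"{k:>6}: ${v:,.0f}")
    for t in (100_000, 1_000_000, 10_000_000):
        print(f"P(loss >= ${t:,}) = {exceedance(outcomes, t):.3f}")
```

The p90/p99 figures and the exceedance probabilities are what you would compare against a risk tolerance, instead of multiplying a "medium" by a "low".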
