Subject: Risks Digest 29.36

RISKS-LIST: Risks-Forum Digest  Friday 18 March 2016  Volume 29 : Issue 36

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.36.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
China bans wordplay in attempt at pun control (Tania Branigan)
Pentagon skips tests on key component of U.S.-based missile defense system
  (David Willman)
Microsoft servers to bottom of ocean (I-HLS)
U.S. war on Tor encryption (I-HLS)
Brazen Heist of Millions Puts Focus on the Philippines (NYTimes)
Denver Police Caught Misusing Databases Got Light Punishments (NYTimes)
Where Computers Defeat Humans, and Where They Can't (NYTimes)
How Microsoft copied malware techniques to make Get Windows 10 the world's
  PC pest (The Register)
Apple Encryption Engineers, if Ordered to Unlock iPhone, Might Resist (NYTimes)
This is the phone NSA suggested Clinton use: A $4,750 Windows CE PDA
  (Ars Technica)
CRYPTO-GRAM, March 15, 2016 (Bruce Schneier)
Bangladesh Bank Chief Resigns After Cyber Theft of $81 Million (NYTimes)
Re: Hackers steal $81M from Bangladesh (John Levine)
Re: Typo thwarts hackers in $1 billion cyber heist on Bangladesh central
  bank ... (Bob Frankston)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 16 Mar 2016 18:51:59 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: China bans wordplay in attempt at pun control

Chinese is a language that to Westerners seems rife with puns, with many
words pronounced similarly (if you ignore the four tones) that have quite
different meanings and completely different ideograms.
Many native Chinese may presume those different words that are phonetically
confusing to foreigners may not be thought to be puns -- they are just
different words.  However, intentionally contrived puns in spoken Chinese
languages that introduce clever ambiguities and humor apparently have been
deemed threatening to Chinese culture.  (Incidentally, quite intentional puns
are rampant throughout many Shakespeare plays.)  PGN

Tania Branigan, *The Guardian*, 28 Nov 2014  [old item, but still timely]

Officials say casual alteration of idioms risks nothing less than `cultural
and linguistic chaos', despite their common usage.

From online discussions to adverts, Chinese culture is full of puns.  But the
country's print and broadcast watchdog has ruled that there is nothing funny
about them.

It has banned wordplay on the grounds that it breaches the law on standard
spoken and written Chinese, makes promoting cultural heritage harder, and may
mislead the public -- especially children.

The casual alteration of idioms risks nothing less than `cultural and
linguistic chaos', it warns.

Chinese is perfectly suited to puns because it has so many homophones.
Popular sayings and even customs, as well as jokes, rely on wordplay.

But the order from the State Administration for Press, Publication, Radio,
Film and Television says: ``Radio and television authorities at all levels
must tighten up their regulations and crack down on the irregular and
inaccurate use of the Chinese language, especially the misuse of idioms.''
...

http://www.theguardian.com/world/2014/nov/28/china-media-watchdog-bans-wordplay-puns?CMP=share_btn_fb

  [Thanks to Laura S. Tinnel for pun-ting this one to me.  PGN]

------------------------------

Date: Thu, 17 Mar 2016 12:21:09 -0700
From: Henry Baker <hbaker1@pipeline.com>
Subject: Pentagon skips tests on key component of U.S.-based missile defense
  system (David Willman)

* From the government's perspective: If we don't test it, then we don't know
  that it won't work, so we don't have to include the cost of fixing it in
  our current budget.  That way, the cost overruns won't have to be offset
  from other spending.

* From the contractor's perspective: If they don't know it won't work, then
  we get paid.  And when they find out later it won't work, we get paid again
  to fix it.

  [BTW, does anyone else recall that none of the U.S. submarine torpedoes in
  WWII worked until quite late into the war?  I don't believe that it was
  acknowledged at the time -- due to secrecy -- and then after the war no one
  cared because we won.  HB]

David Willman, *LA Times*, 17 Mar 2016
Pentagon skips tests on key component of U.S.-based missile defense system
http://www.latimes.com/nation/la-na-missile-defense-hot-fire-testing-20160317-story.html

Against the advice of its own panel of outside experts, the U.S. Missile
Defense Agency is forgoing tests meant to ensure that a critical component
of the nation's homeland missile defense system will work as intended.

The tests that are being skipped would evaluate the reliability of small
motors designed to help keep rocket interceptors on course as they fly
toward incoming warheads.

The components, called alternate divert thrusters, are vital to the
high-precision guidance required to intercept and destroy an enemy warhead
traveling at supersonic speed -- a feat likened to hitting one speeding
bullet with another.

The interceptors, deployed in underground silos at Vandenberg Air Force Base
in Santa Barbara County and at Ft. Greely, Alaska, are the backbone of the
Ground-based Midcourse Defense system (GMD) -- the nation's main defense
against a sneak attack by North Korea or Iran.
The interceptors are multi-stage rockets, each with a 5-foot-long *kill
vehicle* at its tip.  The 150-pound kill vehicle is designed to separate from
its rocket in space, fly independently at 4 miles per second and crash into
an enemy warhead, destroying it.

The performance of the divert thrusters, which are supposed to keep the kill
vehicles on course during their final approach to their targets, has been a
source of concern for several years.  In response, the Missile Defense Agency
oversaw development of a new and supposedly better version, the alternate
divert thruster.

An outside panel of experts privately advised the agency to put the alternate
divert thrusters through *hot fire* testing, in which they would be revved up
on the ground to see whether they burned smoothly and delivered adequate
propulsion.  But in order to stay on schedule for a planned expansion of the
GMD system, none of the 40 thrusters that are being installed on 10 new
interceptors will undergo hot-fire testing, government officials told the
Los Angeles Times.

Forgoing the tests ``increases the risk for reliability issues going
undetected,'' according to a newly released report by the U.S. Government
Accountability Office.  The report says that such testing ``verifies proper
performance and workmanship.''  [...]

http://www.gao.gov/assets/680/675263.pdf

------------------------------

Date: Fri, 18 Mar 2016 12:53:40 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Subject: Microsoft servers to bottom of ocean (I-HLS)

Microsoft has found that the bottom of the ocean is a good place for
servers, because water at the bottom of an ocean usually stays at a stable,
relatively cold temperature, eliminating the need for much of the vigorous
cooling traditional data centers require.

What could go wrong with server farms on the bottom of the ocean?  Read
science fiction if the answers are not obvious.
In the novel *Missing Man*, a cyber attack takes out an under-water city by
tampering with the air-conditioning controls.
https://sciencefictionruminations.wordpress.com/2011/10/08/book-review-missing-man-katherine-maclean-1976/

Sea-floor datacenters had better have good off-site (on land) backup, in
case of a leak taking them out of commission, and good insurance if human
technicians are to be sent down there to maintain the hardware.  (How severe
is the risk of the bends, and are there sharks down there?)  How difficult
would it be for a drone submarine to hack their contents?  (We know drug
smugglers use narco-subs to transport drugs from the shores of Colombia to
the inland rivers of North America.)
http://i-hls.com/2016/02/68173/

The team behind the project is also looking to wave power generating
equipment to harvest the hydrokinetic energy of the sea, further reducing
operating costs.  That is another area of risk.  If we muck with ocean
currents, that could undermine their path, and if Europe loses the warmth of
the Gulf Stream, that is tantamount to an act of weather war.
https://en.wikipedia.org/wiki/Gulf_Stream

  [Don't forget that certain sea creatures might be attracted to the
  differential warmth, just as squirrels have knocked out SRI's power on
  multiple occasions -- more recently at the junction between our
  co-generation plant and PG&E.  PGN]

------------------------------

Date: Fri, 18 Mar 2016 12:18:06 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Subject: U.S. war on Tor encryption (I-HLS)

A federal judge confirmed that the Software Engineering Institute (SEI
<http://www.sei.cmu.edu/>) of Carnegie Mellon University (CMU) was
commissioned by the US government to break ultra-secure Tor network
encryption, according to court documents.
<https://assets.documentcloud.org/documents/2719591/Farrell-Weds.pdf> (PDF)

Prior to this confirmation, the FBI was able to deny or cover up some of the
facts, and people who believed the FBI drew erroneous conclusions about what
was going on.  There were also some suspicions when these researchers
canceled a presentation on this topic.  That sometimes happens when there is
a court order to shut up.

This project may have destroyed the CERT <http://www.cert.org/> Coordination
Center's (CERT/CC) reputation, both as an honest broker in protecting
cyber-security and as having the integrity of academic standards that human
beings' privacy and civil rights should never be violated by research or
other means without informed consent, a National Security Letter (NSL), or
proper court approval.  If it was an NSL, recipients may go through their
lawyer to protest it, and SEI-CMU administrators should have realized the
potential damage to their reputations by accepting this mission.

The US has spent $1.73 billion on this?  DoD organized the project, while the
FBI got the advantage from it, leading to some people speculating that the
FBI had conducted this hacking operation.  Perhaps SEI-CMU has decided to
exit the CERT/CC service, and go into different fields of specialty.

US defendants have a right to face their accusers, which includes how the
evidence was obtained, so when the government's evidence was obtained by new
technologies they want to keep secret, they have a choice:

* Use only evidence obtained by means they do not want to keep secret;
* Use the formerly secret evidence gathering, knowing that the trial will
  reveal it;
* Do not prosecute those people;
* Seek a secret trial.

As statements come out in court as to how the IP addresses of the defendants
were uncovered, Tor thinks a vulnerability has been identified that they can
patch, to prevent that from ever happening again.
http://i-hls.com/2016/03/carnegie-mellon-tor-attack-confirmed/
http://thehackernews.com/2016/02/tor-hack.html
https://www.schneier.com/blog/archives/2015/11/did_carnegie-me.html
https://www.deepdotweb.com/2016/02/28/court-documents-confirm-cmu-paid-by-government-in-tor-attacks/
http://www.wired.com/2016/02/fbis-tor-hack-shows-risk-subpoenas-security-researchers/
https://blog.torproject.org/blog/statement-tor-project-re-courts-february-23-order-us-v-farrell
https://blog.torproject.org/blog/recent-black-hat-2014-talk-cancellation

------------------------------

Date: Thu, 17 Mar 2016 03:18:34 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Brazen Heist of Millions Puts Focus on the Philippines

The country's lightly regulated casinos and tough bank secrecy laws had
prompted warnings from the United States and money-laundering experts before
the theft.
http://www.nytimes.com/2016/03/17/business/dealbook/brazen-heist-of-millions-puts-focus-on-the-philippines.html

------------------------------

Date: Thu, 17 Mar 2016 09:22:01 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Denver Police Caught Misusing Databases Got Light Punishments

The mining of criminal justice databases for personal use has raised
questions on privacy abuse in cases across the country.
http://www.nytimes.com/2016/03/18/us/denver-police-criminal-databases-personal-use.html

------------------------------

Date: Thu, 17 Mar 2016 09:26:51 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Where Computers Defeat Humans, and Where They Can't

http://www.nytimes.com/2016/03/16/opinion/where-computers-defeat-humans-and-where-they-cant.html
Why it matters that Google's program defeated the world's best [human] Go
player.

------------------------------

Date: Fri, 18 Mar 2016 11:53:58 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: How Microsoft copied malware techniques to make Get Windows 10 the
  world's PC pest

Windows users who decline to use it find it is repeatedly reintroduced.

The language of the counter-malware industry is more appropriate than the
language of enterprise IT for GWX.  GWX subverts a channel intended for one
purpose (security hotfixes) for another (advertising); it changes its *attack
vectors*; it uses *polymorphic* techniques; and it consistently overrides
users' actions and permissions.
http://www.theregister.co.uk/2016/03/17/microsoft_windows_10_upgrade_gwx_vs_humanity/

------------------------------

Date: Thu, 17 Mar 2016 14:12:41 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Apple Encryption Engineers, if Ordered to Unlock iPhone, Might Resist
  (NYTimes)

If the F.B.I. wins its court fight to force Apple's help in unlocking an
iPhone, the agency may run into yet another roadblock: Apple's engineers.

Apple employees are already discussing what they will do if ordered to help
law enforcement authorities.  Some say they may balk at the work, while
others may even quit their high-paying jobs rather than undermine the
security of the software they have already created, according to more than a
half-dozen current and former Apple employees.

Among those interviewed were Apple engineers who are involved in the
development of mobile products and security, as well as former security
engineers and executives.
http://www.nytimes.com/2016/03/18/technology/apple-encryption-engineers-if-ordered-to-unlock-iphone-might-resist.html?partner=rss&emc=rss

  [Monty Solomon noted: The potential resistance adds a wrinkle to a very
  public fight over access to an iPhone used by one of the San Bernardino
  attackers.
  PGN]

------------------------------

Date: Thu, 17 Mar 2016 13:58:10 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: This is the phone NSA suggested Clinton use: A $4,750 Windows CE PDA

This is the phone NSA suggested Clinton use: A $4,750 Windows CE PDA
http://arstechnica.com/information-technology/2016/03/this-is-the-phone-nsa-suggested-clinton-use-a-4750-windows-ce-pda/

When former Secretary of State Hillary Clinton was pushing to get a waiver
allowing her to use a BlackBerry like President Barack Obama back in 2009,
the National Security Agency had a very short list of devices approved for
classified communications.  It was two devices built for the Secure Mobile
Environment Portable Electronic Device (SME PED) program.  In fact, those
devices were the only thing anyone in government without an explicit
security waiver (like the one the president got, along with his souped-up
BlackBerry 8830) could use until as recently as last year to get mobile
access to top secret encrypted calls and secure e-mail.

Despite $18 million in development contracts for each of the vendors
selected to build the competing SME PED phones (or perhaps because of it),
the resulting devices were far from user-friendly.  The phones -- General
Dynamics' Sectéra Edge and L3 Communications' Guardian -- were not
technically *smart phones*, but instead were handheld personal digital
assistants with phone capability, derived from late 1990s and early 2000s
technology that had been hardened for security purposes -- specifically,
Windows CE technology.

------------------------------

Date: Tue, 15 Mar 2016 02:03:58 -0500
From: Bruce Schneier <schneier@schneier.com>
Subject: CRYPTO-GRAM, March 15, 2016 (Bruce Schneier)

  [I often excerpt from Bruce's Crypto-Gram.  This issue is so full of
  goodies that I'm just listing the Table of Contents.  PGN]

In this issue:
  Data Is a Toxic Asset
  The FBI vs. Apple: Decrypting an iPhone
  Lots of News and Essays about the FBI vs. Apple
  The Importance of Strong Encryption to Security
  News
  Security Implications of Cash
  WikiLeaks Publishes NSA Target List
  Schneier News
  Resilient Systems News: IBM to Buy Resilient Systems
  Cheating at Professional Bridge
  Simultaneous Discovery of Vulnerabilities

Bruce Schneier, CTO, Resilient Systems, Inc.  https://www.schneier.com

Crypto-Gram is a personal newsletter.  Opinions expressed are not
necessarily those of Resilient Systems, Inc.  Copyright (c) 2016 by Bruce
Schneier.  For back issues, or to subscribe, visit
<https://www.schneier.com/crypto-gram.html>.

------------------------------

Date: Thu, 17 Mar 2016 09:33:39 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Bangladesh Bank Chief Resigns After Cyber Theft of $81 Million
  (NYTimes)

http://www.nytimes.com/2016/03/16/world/asia/bangladesh-bank-chief-resigns-after-cyber-theft-of-81-million.html

------------------------------

Date: 16 Mar 2016 23:14:31 -0000
From: "John Levine" <johnl@iecc.com>
Subject: Re: Hackers steal $81M from Bangladesh (RISKS-29.35)
  [was: Typo thwarts hackers in $1 billion cyber heist]

*Thwarts* is rather an overstatement, since the crooks stole $101M -- of
which only $20M has been retrieved, and $81M is a lot of money for a country
as poor as Bangladesh.  The $81M went to banks in the Philippines -- $50M to
accounts belonging to casinos, and $30M in cash to a man in Manila.  It's a
political issue there, as well.  ($30M in $100 bills weighs over 600 pounds,
so it's not like the guy walked out of the bank with a briefcase.)

Bangladesh's well-regarded finance minister has resigned, and several of his
subordinates were fired (and probably more) for trying to cover up the theft
and not telling him about it.

According to the *Financial Times*, they were SWIFT transfer requests that
were fully authenticated at the New York end.  The FT says that the current
assumption is that Bangladeshi computers were compromised by malware, and a
lot of people would like to know the details.
Another question is why the thefts, which happened a month ago, have just
become public now.
https://next.ft.com/content/4275601e-be2d-3529-a5f0-702e635e02ca

  [Clearly, no one should be allowed to have meaningfully secure computers
  and strong crypto -- not even the U.S. Government!  That would solve
  problems such as this one, even if it is not yet April Fools' Day.  PGN]

------------------------------

Date: 17 Mar 2016 22:45:45 -0400
From: "Bob Frankston" <Bob2@bob.ma>
Subject: Re: Typo thwarts hackers in $1 billion cyber heist on Bangladesh
  central bank ... (RISKS-29.35)

The interesting question is what does ``The spokesman said the payment
instructions were 'fully authenticated' using standard methods.'' mean given
the amounts involved?

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request@csl.sri.com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
 depending on which action is to be taken.  Subscription and
 unsubscription requests require that you reply to a confirmation message
 sent to the subscribing mail address.  Instructions are included in the
 confirmation message.  Each issue of RISKS that you receive contains
 information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but not
 all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 29.36
************************