The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 07

Tuesday 3 November 2015

Contents

UK: Internet firms to be banned from offering unbreakable encryption under new laws
The Telegraph
Weather radios down; severe weather a possibility
Ben Moore
Of cats and cliffs: the ethical dilemmas of the driverless car
Gabe Goldberg
Fyunch(click)-jacking [1]: The Internet of Ears
Daniel Dern
What We Know About the Computer Formulas Making Decisions in Your Life
Lauren Kirchner via Judy Clark
Chase Fraud *Protection*?
HASM
Risks of banks not practising what they preach
Steve Loughran
RushCard outage
Alister Wm Macintyre
$1 million iPhone Zero-day Bounty
Henry Baker
World's biggest tech companies get failing grade on data-privacy rights ... from me!
Tim Libert
S.Korea pulls plug on government-mandated child surveillance app
USNews via Lauren Weinstein
Wikipedia and Deepak Chopra: Open-Source Character Assassination
HuffPost
ISIS Hackers can target Critical Infrastructure?
IHLS
Arbitration Everywhere, Stacking the Deck of Justice
NYTimes
Re: E-mail encryption is still an oxymoron
Dimitri Maziuk
David E. Ross
Info on RISKS (comp.risks)

UK: Internet firms to be banned from offering unbreakable encryption under new laws (The Telegraph)

Lauren Weinstein <lauren@vortex.com>
Tue, 3 Nov 2015 07:38:42 -0800
*The Telegraph* via NNSquad
http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/11970391/Internet-firms-to-be-banned-from-offering-out-of-reach-communications-under-new-laws.html

  Companies such as Apple, Google and others will no longer be able to offer
  encryption so advanced that even they cannot decipher it when asked to
  under the Investigatory Powers Bill ... It will also require Internet
  companies to retain the web browsing history of their customers for up to
  a year. ... It came as David Cameron, the Prime Minister, pleaded with the
  public and MPs to back his raft of new surveillance measures.

  [This is evidently David Cameron's next attempt, following on after
  previously wanting to ban *all* cryptography.  COMMENTS:
  * John Day noted in Dave Farber's forum: When you outlaw encryption
    without backdoors, only outlaws will have encryption without backdoors.
  * Henry Baker commented: The UK has suspended the laws of algebra and
    logic.  Good luck with that!
  PGN]


Weather radios down; severe weather a possibility

Ben Moore <benmoore@desotonet.com>
Mon, 2 Nov 2015 22:01:22 -0600
No one's weather radio is working in the entire Mid-South. The problem
has been going on for a week.
http://www.wbrc.com/story/30414750/weather-radios-down-severe-weather-expected

MEMPHIS, TN (WMC) "It has saved my life two or three times," Weather radio
user Shirley Son said.  Son has relied on her weather radio for ten years,
but now all she hears is static. No warnings, no weather. [...]


Of cats and cliffs: the ethical dilemmas of the driverless car

Gabe Goldberg <gabe@gabegold.com>
Fri, 30 Oct 2015 17:47:37 -0400
Odd decision table compares saving lives of two cats being equivalent to
saving lives of four dogs, and values a horse even less.
https://theconversation.com/of-cats-and-cliffs-the-ethical-dilemmas-of-the-driverless-car-49778

  [I guess it would be a boonDOGgle CATaloguing the fiNAGled relative merits
  of different species, RACCOONoitering among various POSSUMbilities
  SQUIRRELed away among roadkill alternatives.  However, some of the
  analysis needs to address risks more broadly: not just trading off damage
  to different animal species, but also to passengers, vehicles that might
  have been commanDEERed by a huge buck, and potentially also to the
  environment.  The tradeoffs also become interesting (for example) for a
  driverless safari vehicle that is remotely piloted by a well-sheltered
  guide and electronically locked to keep its passengers from exiting when
  confronted by angry beasts.  You would not want to become RHINOckwurst.

  However, now that we have HORSEless carriages, perhaps it was certainly
  logical that we would get to DRIVERless and PASSENGERless vehicles (e.g.,
  drones and robots).  On the other hand, if we still had PASSENGER PIGEONS,
  we might have conceived of them pecking at the touch-sensitive screen to
  control a car (as was apparently done with missiles in WW II).  However,
  nothing in the foregoing to the contrary notwithstanding, now that we seem
  to believe we can trust untrustworthy computers controlling autonomous
  entities, perhaps we don't need the less reliable members of the animal
  kingdom any more.  End of technosarcasm/rant/whatever it might be.  PGN]


Fyunch(click)-jacking [1]: The Internet of Ears

Daniel Dern <dern@pair.com>
Fri, 30 Oct 2015 16:34:57 -0400 (EDT)
  [Browse on "Fyunch Click" if you are not a Facebookworm and
  don't understand the reference.  PGN]

Earlier this week, my (Android) phone was next to the radio when this NPR
story came on,

"OK Google: Where Do You Store Recordings Of My Commands?"
<http://www.npr.org/sections/alltechconsidered/2015/10/29/451981811/ok-google-where-do-you-store-recordings-of-my-commands>
and when the radio played the first search question, including the "get
phone's attention" keyword, within half a sentence, my phone was chiming in,
like a backup singer.

Startling, to say the least.

I'm sure I'm not the only listener this happened to...

And I think I saw a news item within the past week on how [hackers] are
directly voice commands at other peoples' phones.

Time to see if there's a way to customize the "attention" word for my phone.

[1] From Niven & Pournelle, THE MOTE IN GOD'S EYE, and THE GRIPPING HAND, of
course.

(This was also a minor (non-tech) plot point in Grant Morrison's Justice
League WORLD WAR III, over a decade ago, with the kid who inadvertently got
Johnny Thunderbolt's pen with the Bandeisian Thunderbolt (stuck) in it,
where reciting "Say you love Satan" included the release phrase ("ceie-u")
for said Band.  Thund.) (Great stuff, I heartily recommend Morrison's
Justice League run. All avail in trade book format.)

And, as a member of the list I'd posted to has subsequently noted, there's
the (apocryphal) tale of a speech input demo at a lecture, where someone
from the back of the crowd shouted out

   FORMAT C COLON RETURN

  [Something like that was in RISKS perhaps 20 years ago, and then again in
  RISKS-19.65: NCR phone instruction for Tower Star multiport removal:
  pronouncing "execute rm -r star".  But I've always wondered about how
  ambiguity-resolving punctuation might be treated in voice-actuated
  systems.  Perhaps Victor Borge had the answer to that when he developed
  explicit audibles for punctuation.  PGN]


What We Know About the Computer Formulas Making Decisions in Your Life (Lauren Kirchner via Judy Clark)

Hendricks Dewayne <dewayne@warpspeed.com>
November 2, 2015 at 4:17:26 PM EST
  [Note:  This item comes from friend Judi Clark.  DLH](via Dave Farber)

Lauren Kirchner, ProPublica, 30 Oct 2015
http://www.propublica.org/article/what-we-know-about-the-computer-formulas-making-decisions-in-your-life

We reported yesterday on a study of Uber's dynamic pricing scheme that
investigated Uber's surge pricing patterns in Manhattan and San Francisco
and showed riders how they could potentially avoid higher prices. The
study's authors finally shed some light on Uber's black box, the algorithm
that automatically sets prices but that is inaccessible to both drivers and
riders.

That's just one of a nearly endless number of algorithms we use every
day. The formulas influence far more than your Google search results or
Facebook newsfeed. Sophisticated algorithms are now being used to make
decisions in everything from criminal justice to education.

But when big data uses bad data, discrimination can result. Federal Trade
Commission chairwoman Edith Ramirez recently called for *algorithmic
transparency*, since algorithms can contain "embedded assumptions that lead
to adverse impacts that reinforce inequality."

Here are a few good stories that have contributed to our understanding of
 this relatively new field. [...]


Chase Fraud *Protection*?

HASM <risks@martins.cc>
Fri, 30 Oct 2015 19:01:09 -0700
After hours purchase on the Home Depot website.  Entered my Chase credit
card number at checkout.  Transaction complete.  A couple minutes later I
got two emails.

One from Home Depot, with a card denied message.  Why they didn't wait for
approval before confirming is a mystery.  And then there is no option on the
website to re-enter another card.  After calling in, a new order number was
generated which wasn't tied to my online account with them, resulting in a
zombie transaction on the account.

The second one was from Chase. It tells me that the transaction was denied,
lists the transaction and asks "Do you recognize this charge?

Then, if I allowed my email agent to display images, it would have showed me
two buttons with http links for YES and NO, which would have directed me to
the appropriate page on their website.

As I don't generally allow images to be displayed, it showed me the ALT tags
of such images, which were YES and ... YES!  And YES, I did choose YES if
you're wondering.


Risks of banks not practising what they preach

Steve Loughran <steve.loughran@gmail.com>
Sat, 31 Oct 2015 12:57:51 +0000
It was with some irony that I read the entry in RISKS-29.06 of a Merryl
Lynch article warning that "Cybersecurity is one of the top global risks
today."

Irony, because 10 minutes earlier I'd been trying to safely handle an email
asserting to be from Merryl Lynch:

  From: Feedback, Bol <bolfeedback@ml.com>
  Date: 27 October 2015 at 13:40
  To: "steve.loughran@gmail.com" <steve.loughran@gmail.com>

  You have received a secure message from Bank of America Merrill Lynch If
  you have concerns about the validity of this message, please contact the
  sender directly. Messages will expire after 90 days.

  This message can be read from a computer or mobility device as follows:

  *To view this secure message from a computer:*

  1. Click the *securedoc.html* attachment to open (download) the secure
  message. For best results, save the file first and open it from the saved
  location using a Web browser.

  2. *First-time recipients* may need to register after opening the
  *securedoc.html* attachment.

  3. * Existing recipients*, enter current password.

  4. Click the *Open* button. If you are unable to open the message,
  select the *Open Online* link.

*To view this secure message from a mobile device (e.g. smartphone,
tablets):*

  1. Forward this message with the *securedoc.html* attachment to
  mds@bankofamerica.com. You will receive a new email containing a link to
  access the secure message.

  2. *First-time recipients* may need to register after opening the link.
  If you have not previously registered, click the *Open* button to initiate
  registration.

*Additional Information*

- First-time recipients are advised to read the Recipient Guide
<http://securemsg.bankofamerica.com/Secure_Email_Recipient_Guide_en.pdf>
- Review the Help, FAQs and Guides <http://securemsg.bankofamerica.com/>

As I was actually expecting a message, I did actually d/l and view it,
initially in text editor and then in a disposable Linux VM. Needless to say,
it contains a large amount of unreadable Javascript code [omitted by PGN]

This is pretty much exactly the checklist of what you'd expect from
phishing: an email from a bank saying "read this", with the "this" being an
HTML page containing obfuscated javascript and a binary payload.

If Merryl Lynch are *rightly* concerned about security, perhaps they should
look at their own processes for communicating with customers and consider
whether it encourages safe practises from their customers, or simply gets
them to expect banks to given them HTML messages with scripted payloads so
leads them wide open to phishing attacks


RushCard outage

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Sun, 1 Nov 2015 21:43:42 -0600
  (Sources: USA Today, Verge, Week)

If our economy, bank ATMs, and Internet, all crashed tomorrow, for how many
days do you have cash for emergencies, and kitchen reserves, before you are
flat broke, and out of food?  For thousands of Americans, this happened to
them in October.

RushCard failed Oct-12 and took almost 2 weeks to get fixed.  It operates
outside the consumer protections of standard debit and credit cards.  Now US
gov agencies are looking into imposing regulations and oversight over this
formerly underground economy.  The outage was allegedly triggered the
company changing over to a new processing provider.  Did they believe in
testing?  Even after announcements that the problems had been fixed, may
customers report a string of nightmares proving that they are not able to
access their money, and customer service has absurdly long wait times.
Didn't it dawn on them to increase customer service bandwidth after an
outage?

RushCard is for the poorest Americans, who do not have access to traditional
banking services, so many RushCard customers did not have cash for basic
needs.

According to The Week Nov-6 issue:

. 17 million Americans are "unbanked" without any bank accounts.

. 58 million Americans are "under banked" without debit cards or savings
  accounts.

These poorest of the poor rely on  payday-loans, check cashers, pawn shops,
and other services with high service charges, like the RushCard.

RushCard is now offering "fee free" from Nov-1 to Feb-29, to compensate
customers inconvenienced by the 10+ day outage.  Also a fund is being setup
to compensate customers who had extra expenses to cope financially during
the outage.

http://www.theverge.com/2015/10/30/9646864/rushcard-outage-russell-simmons-compensate-card-holders-losses

http://www.usatoday.com/story/money/columnist/tompor/2015/11/01/rushcards-glitch-puts-prepaid-cards-spotlight/74888816/

Examples of nightmares for RushCard customers, which continued AFTER
RushCard claimed the problem had been fixed.
http://thinkprogress.org/economy/2015/10/30/3717811/rushcard-announcement/

US Consumer Financial Protection Bureau (CFPB) statement about the RushCard
situation:
http://www.consumerfinance.gov/newsroom/statement-by-cfpb-director-richard-cordray-on-rushcard-prepaid-card-incident/


$1 million iPhone Zero-day Bounty

Henry Baker <hbaker1@pipeline.com>
Mon, 02 Nov 2015 14:59:24 -0800
FYI—Zerodium is the quicker sticker upper:

At $1 million, Zerodium is 2x more exorbitant, so it can handle any iMess
that comes its way.

At least these bug bounties are finally getting near a market-clearing
price; companies will finally now be able to "afford" to build high-quality
software code.  Funny thing—these same companies couldn't "afford" to
build quality code when the bounties cost only $10,000.

These zero-day bounties are all fun-and-games today, but this whole bounty
market will end in big tears, when software developers learn that they can
"build in" bugs that they (or their friends) can later sell to reap the
bounties.

http://thehill.com/policy/cybersecurity/258883-1m-bounty-paid-for-iphone-hack

Katie Bo Williams, The Hill, 2 Not 2015
Hackers get $1M bounty for breaking into iPhone

A security firm that hunts for undiscovered software bugs is paying out $1
million to a hacking group for breaking into Apple's mobile operating
system.  The company, Zerodium, compiles what are known as zero days, or
security flaws that are unknown to the software manufacturer.
It announced in September that it would pay $1 million for jailbreaking
Apple's newly-released iOS 9.  The reward is the largest such bounty ever
offered.

"Our iOS #0day bounty has expired, and we have one winning team who made a
remote browser-based iOS 9.1/9.2b #jailbreak (untethered).  Congrats!"
Zerodium tweeted on Monday.

According to the terms of the bounty, the iPhone exploit must "be achievable
remotely, reliably, silently, and without requiring any user interaction
except visiting a web page" or reading a text message.

Bug bounties are becoming increasingly popular as companies struggle to
keep up with an onslaught of cyber intrusions.  In May, United Airlines
began offering free miles to people who uncover security flaws in its
websites and digital infrastructure.

Zerodium's offer required hackers not to disclose the vulnerability to
Apple, so that its customers can use the hack in secret.  Critics say that
Zerodium's tactics could lead to zero-day flaws falling into the hands of
governments with poor human rights records that would use the information as
a surveillance tool. [...]


World's biggest tech companies get failing grade on data-privacy rights...from me!

Tim Libert <tim@timlibert.me>
November 3, 2015 at 4:22:37 AM EST
  [From Jonathan M. Smith via Dave Farber]

After a lifetime of saying tech companies suck, I've now helped make it
official exactly how much they suck by spending three years assisting in
designing and implementing a complex scoring system on human rights, free
expression, and privacy.  Today those rankings have been released.  You can
see the front-page The Guardian story here:
http://www.theguardian.com/technology/2015/nov/03/data-protection-failure-google-facebook-ranking-digital-rights
- or visit our site for more detail and interactive data:
https://rankingdigitalrights.org/2015/11/03/index-now-online/


S.Korea pulls plug on government-mandated child surveillance app

Lauren Weinstein <lauren@vortex.com>
Sun, 1 Nov 2015 19:21:40 -0800
  Moon Hyun-seok, a senior official at the Korea Communications Commission,
  told The Associated Press that "Smart Sheriff" has been removed from the
  Play store, Google's software marketplace, and that existing users are
  being asked to switch to other programs.  The government plans to shut
  down the service to existing users "as soon as possible," he said.  Smart
  Sheriff's maker, an association of South Korean mobile operators called
  MOIBA, declined comment.  Smart Sheriff's disappearance is a blow to South
  Korea's contentious effort to keep closer tabs on the online lives of its
  youngest citizens. Less than a year ago, the government and schools sent
  letters to students and parents to encourage them to download Smart
  Sheriff.  A law passed in April requires all new smartphones sold to those
  18 and under to be equipped with software which parents can use to snoop
  on their kids' social media activity. Smart Sheriff, the most popular of
  more than a dozen state-approved apps, was meant to keep children safe
  from pornography, bullying and other threats, but experts say its abysmal
  security left the door wide open to hackers and put the personal
  information of some 380,000 users at risk.
http://www.usnews.com/news/business/articles/2015/11/01/apnewsbreak-south-korea-pulls-plug-on-child-monitoring-app


Wikipedia and Deepak Chopra: Open-Source Character Assassination

Lauren Weinstein <lauren@vortex.com>
Mon, 2 Nov 2015 18:15:01 -0800
http://www.huffingtonpost.com/ryan-castle/wikipedia-deepak-chopra-o_b_8449394.html

Worth reading this entire article.

  The body of editors who are dominating Deepak Chopra's biography page are
  a dozen or so skeptics* who are so extreme in their views that they resort
  to online activism, many of whom consider the concept of spirituality or a
  mind-body connection to be a threat to human intelligence. They consider
  Deepak Chopra to be the embodiment of these concepts and so treat his
  biography as an opportunity to explain how foolish and dangerous his
  beliefs are. These editors are no more empowered than any other volunteer
  editor, but their ideological zeal and willingness to viciously attack any
  opposing editor has driven off most impartial editors. After all,
  Wikipedia is 100% volunteer, so why would someone voluntarily spend their
  time being called a moron and facing endless opposition to every neutral
  edit? There is no one to report to, as a collaborative platform Wikipedia
  has no formal management structure, even when collaboration turns into mob
  mentality.


ISIS Hackers can target Critical Infrastructure? (IHLS)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Sat, 31 Oct 2015 13:03:30 -0500
Different professionals disagree whether ISIS is or is not how serious a
cyber threat to our critical infrastructure.

Connecting everything to the Internet, without solid security, when we
usually have serious enemies in the world, is asking for trouble.  There
have been worrisome incidents with cyber and physical attacks on our power
grid, and other critical infrastructure, where the industries have been
resistant to spending money to beef up their security.

The FBI says that highly capable hacking software is available for purchase
on the black market and could be used to hack networks associated with
energy companies, fuel refineries, or water-pumping stations.

http://www.securityweek.com/isis-cyber-ops-empty-threat-or-reality
http://i-hls.com/2015/10/can-isis-attack-our-infrastructure/
http://i-hls.com/2015/10/is-now-a-cyber-watershed-for-isis/
http://gwtoday.gwu.edu/isis-cyber-security-threat
http://thehill.com/policy/cybersecurity/242280-isis-preps-for-cyber-war


Arbitration Everywhere, Stacking the Deck of Justice

Monty Solomon <monty@roscom.com>
Sat, 31 Oct 2015 23:53:43 -0400
With a clause in complex contracts that few people read, corporations have
insulated themselves from lawsuits and locked Americans into a system where
arbitrators overwhelmingly favor business.
http://www.nytimes.com/2015/11/01/business/dealbook/arbitration-everywhere-stacking-the-deck-of-justice.html


Re: E-mail encryption is still an oxymoron (Baker, RISKS-29.06)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Fri, 30 Oct 2015 15:56:28 -0500
It's probably worth noting that if you want to protect your e-mail, you need
to encrypt end-to-end and hope that nobody has a backdoor to the encryption
you used. "Top mail providers" using various DMARCs and STARTTLSes at some
of the hops is, by definition, "not it".


Re: E-mail encryption is still an oxymoron (RISKS-29.06)

"David E. Ross" <david@rossde.com>
Fri, 30 Oct 2015 14:00:01 -0700
It must be noted that, when Thunderbird sends an E-mail message after it has
been composed, it alters the message's line-lengths.  This invalidates any
OpenPGP encryption or digital signature applied during composition.  An
encrypted message cannot then be decrypted, and a digital signature cannot
be verified.

Please report problems with the web pages to the maintainer

Top