The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 17

Tuesday 15 December 2015

Contents

Former National Security Officials Urge Government to Embrace Rise of Encryption
Ellen Nakashima
What the government should've learned about backdoors from the Clipper Chip
Sean Gallagher
"Final cyber security bill paves way for the surveillance state"
Caroline Craig
Lightbulb DRM: Philips Locks Purchasers Out Of Third-Party Bulbs With Firmware Update
TechDirt
Personalized news hits home
Quealy and Sanger-Katz via Charles C Mann
European Space Agency records leaked for amusement, attackers say
CSO
FAA Wants Your Credit Card Number when you register your drones
Lauren Weinstein
Thai Man May Go to Prison [for 37 years] for Insulting King's Dog on social media
NYTimes
13 million MacKeeper users exposed after MongoDB door was left open
Ars Technica
Bangladesh extends social media ban, blocking Twitter and Skype
Lauren Weinstein
Hackers actively exploit critical vulnerability in sites running Joomla
Ars Technica
Small, community banks using machine learning to reduce fraud
NetworkWorld
Lie-detecting Software uses Machine Learning to Achieve 75 Percent Accuracy
Scientific Computing
British government admits selling Internet addresses to Saudi Arabia and says it can't stop ISIS extremists using them
Lauren Weinstein
Your iPhone Is Ruining Your Posture—and Your Mood
David Damerell
Google links back to itself
Peter Houppermans
A looming anniversary, and an offer
Gene Spafford
Re: America's secret cyberarsenal
Henry Baker
Info on RISKS (comp.risks)

Former National Security Officials Urge Government to Embrace Rise of Encryption (Ellen Nakashima)

Peter G Neumann <neumann@csl.sri.com>
Tue, 15 Dec 2015 10:59:57 -0800
Ellen Nakashima, *The Washington Post*, 14 Dec 2015
https://www.washingtonpost.com/world/national-security/former-national-security-officials-urge-government-to-embrace-rise-of-encryption/2015/12/15/3164eae6-a27d-11e5-9c4e-be37f66848bb_story.html

  [This is a remarkable article, suggesting (among other things) that law
  enforcement needs to adapt to the use of encryption rather than expect
  exceptional systemic access to decrypted and unencrypted information.
  Mike McConnell notes that strong encryption is a greater strategic need.
  Michael Chertoff notes that deliberately compromising security to make it
  easier for law enforcement would run the risk of simply sending bad guys
  elsewhere.  Michael Hayden notes that backdoors and built-in keys would
  drive the market away.  Joel Brenner notes that the likelihood others will
  gain access is quite high.  All four of these men have held very high
  positions in the U.S. Government.  PGN-ed]


What the government should've learned about backdoors from the Clipper Chip (Sean Gallagher)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 15 Dec 2015 12:16:13 PST
Sean Gallagher, Ars Technica, 15 Dec 2015
http://arstechnica.com/information-technology/2015/12/what-the-government-shouldve-learned-about-backdoors-from-the-clipper-chip/

This article revisits arguments Whit Diffie made at a Congressional hearing
22 years ago, relating to the key-escrow approach of the Clipper Chip—all
of which seem relevant today, more or less as originally stated:

* The backdoor would put providers in an awkward position with other
  governments and international customers, weakening its value.
* Those who want to hide their conversations from the government for
  nefarious reasons can get around the backdoor easily.
* The only people who would be easy to surveil would be people who didn't
  care about government surveillance in the first place.
* There was no guarantee someone else might not exploit the backdoor for
  their own purposes.


"Final cyber security bill paves way for the surveillance state" (Caroline Craig)

Gene Wirchenko <genew@telus.net>
Tue, 15 Dec 2015 09:32:53 -0800
Caroline Craig, InfoWorld, 11 Dec 2015
Closed-door negotiations in Congress threaten to strip privacy
provisions from final version of the merged cyber security bill
http://www.infoworld.com/article/3013728/government/final-cyber-security-bill-paves-way-for-the-surveillance-state.html


Lightbulb DRM: Philips Locks Purchasers Out Of Third-Party Bulbs With Firmware Update (TechDirt via NNSquad)

Lauren Weinstein <lauren@vortex.com>
Mon, 14 Dec 2015 15:58:37 -0800
https://www.techdirt.com/articles/20151214/07452133070/lightbulb-drm-philips-locks-purchasers-out-third-party-bulbs-with-firmware-update.shtml

  Literally. Philips has just slapped fans like us in the face and kicked
  interoperability out the door. Without any communication they delivered a
  new firmware to the system that disables adding products that they don't
  approve of. Basically they are banning other Zigbee Light Link products
  despite the fact that they are a Connected Lighting Alliance member whose
  mission is to promote interoperability.  As it seems (and unless this is
  just a huge mistake on Philips' side), they have without a warning turned
  their open product into a walled garden. They have also destroyed the
  value of the solutions that the customers have set up based on Philips'
  promises.


Personalized news hits home (Quealy and Sanger-Katz)

Charles C Mann <ccmann@comcast.net>
Tue, 15 Dec 2015 14:11:29 +0000 (UTC)
Kevin Quealy and Margo Sanger-Katz, *The New York Times* interactive, 15 Dec
2015, The Experts Were Wrong About the Best Places for Better and Cheaper
Health Care

http://www.nytimes.com/interactive/2015/12/15/upshot/the-best-places-for-better-cheaper-health-care-arent-what-experts-thought.html

While reading this interesting NYTimes article about health care costs, I
was surprised to have the article reach out and grab me by the collar.
Embedded in the article—flowed into the text, not separate in any way—
was a sentence or two and a little graphic that told me about health care
costs in Springfield, MA, where it guessed I was reading from (I live about
half an hour away, so not a bad guess).  I have attached a screen capture
and would be curious if the whole enterprise worked as well in other
geographic areas.  [Omitted for RISKS.  PGN]

This is the first time I can remember encountering anything like this in a
news story—reaching out to tap the reader on the shoulder in the middle of
the article, as opposed to letting the reader click on something. To me, it
was at once useful and creepy. On the one hand, I was curious about the
results for my local area. On the other, I was creeped out by being reminded
of the giant eyeball on the other end that is watching me.  [...]

  [My own browsing of this *interactive* article focuses on San Mateo
  County, California, which is where SRI is located.  I think *The Times*
  interactive folks have done quite a spectacular job, as the entire article
  includes statistics related to *my* location.  Moreover, from the graphic,
  it appears that the article is prepared to be instantiated specifically to
  at least 280 different locations (rough count).  At this rate, it won't be
  long until interactive *Times* articles are personalized down to each
  county, or each city, or even each household...  PGN]


European Space Agency records leaked for amusement, attackers say

Lauren Weinstein <lauren@vortex.com>
Mon, 14 Dec 2015 08:30:15 -0800
http://www.csoonline.com/article/3014507/security/european-space-agency-records-leaked-for-amusement-attackers-say.html

  Along with database schemas and server stats, a second post by Anonymous
  also included 8,107 names, email addresses, and passwords. A third post
  exposed contact details for various ESA supporters and researchers.  The
  leaked data highlights a troubling problem with regard to passwords used
  on the compromised domains. Of the 8,107 passwords exposed, 39 percent
  (3,191) of them were just three characters long (e.g. 'esa', '469', '136',
  etc.).  The second largest set of passwords - 1,314 (16%) - were eight
  characters long, and based on their construction would have been easily
  cracked by most rule sets and dictionaries. Passwords such as trustno1,
  rainbow6, password, 12345678, and those based on the person's name or
  email address would be the first to fall.
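The excerpt above sorts exposed passwords by length and by how easily a rule set would recover them. The following audit script is an added example, not part of the digest or the CSO article: it runs the same kind of triage (length histogram, blocklist of well-known passwords, passwords derived from the account's own e-mail address, word-plus-digits patterns) over a constructed list of records. The record list and the blocklist are constructed for illustration and contain no real leaked data.

```python
import re
from collections import Counter

# Constructed sample records (e-mail, password); not real data.
SAMPLE = [
    ("alice@example.org", "esa"),
    ("bob@example.org", "469"),
    ("carol@example.org", "trustno1"),
    ("dave@example.org", "rainbow6"),
    ("erin@example.org", "12345678"),
    ("frank@example.org", "frank2015"),
    ("grace@example.org", "Tq7#vR!mLz29"),
]

# Small constructed blocklist; a real audit would load a large wordlist.
COMMON = {"password", "12345678", "trustno1", "rainbow6", "qwerty"}

# Lower-case word followed by one to four digits: the pattern most rule
# sets try first (dictionary word + appended number).
WORD_DIGITS = re.compile(r"[a-z]+\d{1,4}")


def length_histogram(records):
    """Count how many passwords have each length."""
    return Counter(len(password) for _, password in records)


def share(hist, length, total):
    """Fraction of passwords that have exactly the given length."""
    return hist.get(length, 0) / total


def derived_from_identity(email, password):
    """True if the local part of the e-mail address appears in the password."""
    local = email.split("@", 1)[0].lower()
    return local in password.lower()


def classify(email, password):
    """Assign one password to the weakest category it falls into."""
    lowered = password.lower()
    if len(password) <= 3:
        return "too short"
    if lowered in COMMON:
        return "common password"
    if derived_from_identity(email, password):
        return "derived from identity"
    if WORD_DIGITS.fullmatch(lowered):
        return "word+digits pattern"
    return "ok"


def audit(records):
    """Histogram of weakness categories across a list of records."""
    return Counter(classify(email, password) for email, password in records)


if __name__ == "__main__":
    hist = length_histogram(SAMPLE)
    for length in sorted(hist):
        print(f"length {length:2d}: {hist[length]} ({share(hist, length, len(SAMPLE)):.0%})")
    for category, count in audit(SAMPLE).most_common():
        print(f"{category}: {count}")
```

Running it on the constructed sample reproduces the shape of the finding in the article: the short and common passwords dominate, and only one record survives every check. The classifier is deliberately ordered weakest-first, so a three-character password is reported as too short even if it also happens to be on the blocklist.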


FAA Wants Your Credit Card Number when you register your drones

Lauren Weinstein <lauren@vortex.com>
Mon, 14 Dec 2015 10:29:04 -0800
Privacy Nightmare: Own a Drone? FAA Wants Your Credit Card Number
http://lauren.vortex.com/archive/001138.html

Oh goodie. The FAA has announced its ultra-rushed plan for a drone registry
-- they desperately wanted to get this on the books before Christmas. It's
worse than even the most vocal critics had anticipated:

https://www.faa.gov/uas/registration/faqs/

Over the next 60 days, the FAA is requiring that anyone who flies drones
outside (other than very small toy drones) must register on a web site (in
theory paper-based filing is possible, but the FAA obviously anticipates
most registrations to be over the web).

The FAA is also demanding your credit card number before you fly. In
fact, they demand $5 via credit card every three years. Forever. [...]

No need to worry though, right? All that required personal information --
name, physical/mailing address, credit card data, email address, etc. will
be in the warm embrace of a "third party contractor" who no doubt will take
really good care of it to meet the abysmal security and privacy practices of
the federal government.

The black hat hackers are already salivating over this one. Home
addresses! Credit cards! "Hey comrade, do they ship Porsches to Moscow?"


Thai Man May Go to Prison [for 37 years] for Insulting King's Dog on social media

Lauren Weinstein <lauren@vortex.com>
Mon, 14 Dec 2015 18:21:00 -0800
http://www.nytimes.com/2015/12/15/world/asia/thailand-lese-majeste-tongdaeng.html?emc=eta1

  In a case brought in a Thai military court, the worker, Thanakorn
  Siripaiboon, was charged with making a "sarcastic" Internet post related
  to the king's pet. He also faces separate charges of sedition and
  insulting the king.  Mr. Thanakorn could face a total of 37 years in
  prison for his social media posts, highlighting what has become a feverish
  campaign to protect the monarchy and rebuff critics of the country's
  military rulers.


13 million MacKeeper users exposed after MongoDB door was left open

Monty Solomon <monty@roscom.com>
Tue, 15 Dec 2015 09:43:53 -0500
http://arstechnica.com/security/2015/12/13-million-mackeeper-users-exposed-after-mongodb-door-was-left-open/


Bangladesh extends social media ban, blocking Twitter and Skype

Lauren Weinstein <privacy@vortex.com>
Mon, 14 Dec 2015 14:32:22 -0800
https://thestack.com/security/2015/12/14/bangladesh-extends-social-media-ban-blocking-twitter-and-skype/

  A month after temporarily blocking social media sites including Facebook
  and WhatsApp, the Bangladeshi government has now taken steps to take down
  Microsoft's online chat software Skype and social networking service
  Twitter.  Citing 'threats to national security', the government ordered
  the blocking of the six leading social media apps in Bangladesh -
  Facebook, Messenger, Line, WhatsApp, Viber and Tango. The decision came
  after a supreme court ruling which sentenced two opposition leaders,
  Salauddin Quader Chowdhury and Ali Ahsan Muhajid, to death, having found
  them guilty of crimes committed in the 1971 war of independence from
  Pakistan.


Hackers actively exploit critical vulnerability in sites running Joomla

Monty Solomon <monty@roscom.com>
Tue, 15 Dec 2015 09:37:22 -0500
Attackers are actively exploiting a critical remote command-execution
vulnerability that has plagued the Joomla content management system for
almost eight years, security researchers said.

http://arstechnica.com/security/2015/12/hackers-actively-exploit-critical-vulnerability-in-sites-running-joomla/


Small, community banks using machine learning to reduce fraud

Monty Solomon <monty@roscom.com>
Tue, 15 Dec 2015 09:22:45 -0500
http://www.networkworld.com/article/2991925/security/small-community-banks-using-machine-learning-to-reduce-fraud.html


Lie-detecting Software uses Machine Learning to Achieve 75 Percent Accuracy

Monty Solomon <monty@roscom.com>
Tue, 15 Dec 2015 09:25:52 -0500
http://app.scientificcomputing.com/news/2015/12/lie-detecting-software-uses-machine-learning-achieve-75-percent-accuracy

  [Wow!  75 percent!  That means in 25 percent of the cases, everyone is
  likely to be falsely accused of something?  PGN]


British government admits selling Internet addresses to Saudi Arabia and says it can't stop ISIS extremists using them

Lauren Weinstein <privacy@vortex.com>
Tue, 15 Dec 2015 11:00:41 -0800
"The government owns millions of unused IP addresses which we are selling to
get a good return for hardworking taxpayers.  We have sold a number of these
addresses to telecoms companies both in the UK and internationally to allow
their customers to connect to the Internet.  We think carefully about which
companies we sell addresses to, but how their customers use this Internet
connection is beyond our control."

The government did not reveal how much money was made from selling the IP
addresses to the pair of Saudi firms, because it regards this information as
commercially sensitive.

The Saudi deal was first revealed after hackers claimed that a number of
Islamic State supporters' social media accounts are being run from Internet
addresses which could be linked to the Department of Work and Pensions.

http://www.mirror.co.uk/news/technology-science/technology/british-government-admits-selling-internet-7017287


Your iPhone Is Ruining Your Posture—and Your Mood (RISKS-29.16)

David Damerell <damerell@chiark.greenend.org.uk>
Tue, 15 Dec 2015 14:04:47 +0000
  The Dreaded iHunch? ... very effectively dealt with here:

http://steamtraen.blogspot.co.uk/2015/12/a-cute-story-to-be-told-and-self-help.html

starting with the observation that this is a tiny study from 2013, which has
not yet been peer-reviewed and yet is felt good enough for *The New York
Times*.

The risks of sensationalist newspaper articles based on dubious science will
be familiar to us, I'm sure - but having the sensationalist article written
by one of the authors of the dubious science is certainly more efficient
than the usual approach.


Google links back to itself

Peter Houppermans <peter@houppermans.net>
Tue, 15 Dec 2015 09:24:37 +0100
Ah, why oh why would Google offer links that would point back to itself?

> A side note, Google appears to be (in some instances) not providing users
> direct links to articles - Google instead provides links to Google with
> search terms.  Have others noticed this? And if so, can anyone speculate as
> to why?

You may want to look up what a chap by the name Gordon Welchman did during
WW II.  What you're looking at is meta-data collection: tracking
relationships.  Google is tracking whom you are sharing the link with so
they can establish a link between you and the originator.  From such casual
events metrics and profiles are spun, and it's not just Google who does this
-- I find especially LinkedIn rather aggressive in this too.

I always strip links back to the actual resource before I forward them to
others as I find it uncivil to subject someone to unwanted (and mostly
undetected) tracking, and links I receive from third parties get the same
treatment before I use them.

To quote the late Spike Milligan, there is a lot of it about!
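The post above describes stripping tracking redirects back to the resource they point at before forwarding a link. The script below is an added example, not part of the digest or of any contributor's post: it unwraps a link that passes through a known redirector (the `/url?q=` form on www.google.com is real; the second entry, `tracker.example.net`, is a constructed stand-in for any other wrapper) and then removes common tracking parameters (`utm_*`, `fbclid`, `gclid`) from the destination. The wrapper table and the sample links are constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs, parse_qsl, urlencode, urlunparse

# (host, path) -> name of the query parameter that carries the real target.
# The google.com entry is the well-known /url?q= redirector; the second entry
# is a constructed example of an arbitrary tracking wrapper.
REDIRECT_WRAPPERS = {
    ("www.google.com", "/url"): "q",
    ("tracker.example.net", "/r"): "url",
}

# Query parameters that only serve campaign or click attribution.
TRACKING_PREFIXES = ("utm_",)
TRACKING_KEYS = {"fbclid", "gclid"}


def unwrap(url, max_hops=5):
    """Follow known redirect wrappers until the URL is no longer a wrapper.

    max_hops bounds the loop so a wrapper that points back at itself
    (or a chain of them) cannot spin forever.
    """
    for _ in range(max_hops):
        parts = urlparse(url)
        key = REDIRECT_WRAPPERS.get((parts.netloc, parts.path))
        if key is None:
            break
        target = parse_qs(parts.query).get(key)
        if not target:
            break
        url = target[0]  # parse_qs has already percent-decoded the value
    return url


def strip_tracking(url):
    """Drop attribution-only query parameters, keeping everything else in order."""
    parts = urlparse(url)
    kept = [
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if not k.startswith(TRACKING_PREFIXES) and k not in TRACKING_KEYS
    ]
    return urlunparse(parts._replace(query=urlencode(kept)))


def clean(url):
    """Unwrap redirectors, then remove tracking parameters from the result."""
    return strip_tracking(unwrap(url))


if __name__ == "__main__":
    # Constructed sample: a Google-style redirect around an article URL that
    # itself carries a campaign parameter.
    wrapped = ("https://www.google.com/url?q=https%3A%2F%2Fexample.org%2Fstory"
               "%3Fid%3D7%26utm_source%3Dmail&sa=D")
    print(clean(wrapped))
```

Unknown redirectors are left alone on purpose: guessing which parameter holds the target from an unrecognised host would risk rewriting a legitimate link into something else, so the table is the only source of truth and is extended as wrappers are identified.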


A looming anniversary, and an offer

Gene Spafford <spaf@purdue.edu>
Tue, 15 Dec 2015 11:05:16 -0500
Next year is the 25th anniversary of the publication of Practical Unix
Security.  The book has attracted quite a readership over the years.

As a celebration of the anniversary, and as a way of helping raise some
funds for two worthwhile non-profit organizations (EPIC and the ISSA
Foundation), we are making a special offer to get a copy of the book signed
by the authors.

We encourage people to participate --
if nothing else, to provide some support to two worthwhile organizations
supporting security & privacy work
(Details: http://ceri.as/puis).


Re: America's secret cyberarsenal (RISKS-29.16)

Henry Baker <hbaker1@pipeline.com>
Mon, 14 Dec 2015 17:33:28 -0800
The most important link was omitted from my post:
http://www.politico.com/agenda/story/2015/12/defense-department-cyber-offense-strategy-000331
