The RISKS Digest
Volume 29 Issue 43

Friday, 1st April 2016

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Keeping technology real—in the movies
Avi Rubin
New variant of ransomware spreading, please do not share
Kevin Fu

Keeping technology real (in the movies)

Avi Rubin <>
Fri, 1 Apr 2016 00:33:23 -0400
  [Special to RISKS, included with permission]

Ever notice how some shows are more realistic than others in their portrayal
of technology.  Consider the popular TV series *24*, an entertaining but
laughably implausible program, where, satellite imagery captures absolutely
everything that happens anywhere in real time, and where the government can
easily decrypt any cipher. On the other hand, shows like The Good Wife and
Mr. Robot clearly utilized expert consultants to achieve more genuine
descriptions of technology. I think movies, such as the recent.  *The
Martian* and my old favorite, *Sneakers*, which employ expert consultants,
have a more legitimate feel, even for lay audiences, and the final product
is better when the use of technology and science is realistic.

Three days ago, I was approached by movie producers Brian Grazer and Ron
Howard of Imagine Entertainment with an offer that will be hard to
refuse. They are working on a film project about a team of hackers that
manages to subvert the primaries of both parties in a US Presidential
election. I've been asked to consult with the screenwriters so that their
portrayal of the hackers and their activities passes the *sniff test* as
they call it. In other words, they don't want techies to cringe when they
see the movie.

Without spoiling the plot (which would result in huge sanctions due to the
strongly worded NDA I had to sign), the story is quite fascinating. The
hackers are able to systematically infiltrate the underlying tallying
mechanism used in every state, despite the wide variety of systems. Even the
caucuses are not safe. On the Republican side, the system is rigged so that
a bigoted, childish, and boastful billionaire demagogue runs away with the
election. The hackers are so skilled that they manage to also rig exit polls
so that nobody even questions whether the results are legitimate. On the
Democratic side, the hackers are more careful, and keep their candidate in
second place, and orchestrate a surge midway through the primary
season. They manage to keep an unlikely, over-the-hill, radically liberal,
self-declared socialist in the hunt, by carefully manipulating the primaries
and caucuses such that his rise seems gradual.

According to the script, alongside the hackers is a well-orchestrated
hijacking of the media, whose coverage feigns outrage at the success of the
two surprising candidates, while at the same time providing just enough
cover to the story so that the public believes it. Word is that Larry David
is being considered for the role of the Democratic candidate, but the studio
is struggling to find someone to play the Republican. Perhaps the character
is just not credible enough. Rumor has it that Charlie Sheen is angling for
the job, but Imagine Entertainment feels he is too likeable.

The producers have not shared the ending with me yet, and I'm dying to see
how it turns out, but I have to say, that making this scenario believable is
the biggest challenge I have ever faced.  For some reason they insist on
paying me in small denominations of unmarked bitcoin, deposited to an
untraceable Cuban account. The coins are only valid on April 1 in odd
numbered years.

Avi Rubin, JOHNS HOPKINS UNIVERSITY, Professor, Computer Science
Technical Director, Information Security Institute 410-516-8177

New variant of ransomware spreading, do not share

Kevin Fu <>
Fri, 1 Apr 2016 00:34:16 -0400
  [Special to RISKS, included with permission]

I have an important alert about a new variant of ransomware. If you were not
one of the lucky few to receive FBI's call for help in battling ransomware,
now you can be in the know. Please keep this alert confidential. As you
know, malware has been invading hospitals across the world, causing
disruptions to operations. California.  Kentucky. West Virginia. The
Baltimore-Washington Region. Australia.  Germany. The ransomware variants
are multiplying with gibberish names like CryptoLocker, Locky, and
CryptoWall. The latest, Samas, is unique in that its infection vector does
not use phishing to trick a user into clicking on a link that installs the
malware. Rather, Samas directly attacks servers running JBoss. This is where
things get really scary.

I've been working closely with authorities, and because I trust you, I need
to warm you about a new variant.  Stefan Savage of UCSD explains to me that
there are three key reasons why ransomware has become so profitable.  First,
the Wassenaar Agreement no longer requires that ransomware use
export-controlled cryptography.  Thus, hackers now have advanced
cryptography that is virtually unbreakable without the help of Bruce
Schneier.  Second, ransomware relies on anonymous payments (Bitcoin).
Third, the ransomware operators provide excellent customer service so that
victims always hear from their friends that paying the ransom results in the
data being successfully decrypted.

Alas, these three pillars of ransomware are crumbling.  First, the Obama
Administration softened its stance the Wassenaar Agreement. Second,
organized crime is smart and recognizes that the recent collapse of various
Bitcoin exchanges means an unstable virtual currency that threatens their
business model.  Third, crowdsourced customer support is likely to become
significantly more expensive with Bernie Sanders demanding a federal minimum
online wage being raised to 0.036 Bitcoins.

It's this perfect storm of instability that has quietly led to the newest
variant of ransomware dubbed, "Handsomware."  The old ransomware used
Bitcoin to keep payments anonymous.  The new Handsomware variant uses Flooz
instead of Bitcoin.  Flooz is an alternate currency popularized by celebrity
spokesperson Whoopi Goldberg.  In ads for consumer use of Flooz currency,
Whoopi urges parents, "It's just like money.  Give 'em Flooz!"

Unlike Bitcoin, Flooz does not rely on exchanges that cause wide and
frequent fluctuations in value.  Philip Kaplan, a noted expert on Flooz,
colorfully wrote on his MySpace page, "Holy crap, Flooz is the shit."  He
further wrote of Flooz that, "Investors have pumped $51.5 million into three
rounds."  This virtually ensures the success of Flooz as an alternate
currency.  There's no stopping it.

While Whoopi has been advertising Flooz for more everyday things like
graduation gifts, she had no idea that organized crime would flock to Flooz
like GOP candidates to third party runs.

The Handsomware variant also changes the encryption scheme.  Instead of
using slow number-theoretic algorithms like RSA, it uses something known as
the One Direction fandomized encryption technique pioneered by Goldwasser
and Micali.  Unlike trapdoor-based public key encryption systems, the One
Direction encryption system ignores all text files and binaries.  Instead,
it focuses on what you really care about: images.  Handsomware uses One
Direction to replace plaintext images such screenshots of your best Candy
Crush scores or radiological images with photos of 1D boy-band singer Liam
Payne with the Handsomware binary embedded steganographically the images
using the Recursion Theorem.  This scheme is devious, because teenage girls
across the country immediately open the encrypted images and share them with
their friends---further spreading Handsomware to Snapchat and other critical
infrastructure that fuels the American economy.

The Handsomware writers were also able replace the costly customer support
that was limited by minimum Bitcoin wage laws. Instead, they use the silent
majority of disgruntled workers who feel no one has listened to them.
Malware writers sense an opportunity, and have made grandiose promises.  An
anonymous post on one Handsomware site proclaims, "Make Ransomware Great
Again!"  Another post says, "Build a Firewall!"

Yes, that's right.  A new piece of malware has invaded our countryland.  It
calls itself handsome, it brags of its massive currency, and it encrypts
your drive to think carefully.  Nothing can Trump this new malware.
Although this message is confidential, you have my permission to forward
this message to your most trusting friends.

April Fools!

Kevin Fu, Associate Professor, EECS Department, The University of Michigan	Twitter @DrKevinFu

Please report problems with the web pages to the maintainer