The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 48

Monday 25 April 2016

Contents

Newcastle servers downed by water-main flood early last week
Lindsay Marshall
55-million Philippine voters' personal information exposed
PGN
Personal info of 93.4-million Mexicans exposed on Amazon
Marc Rotenberg
Bucking the Trend on Voting Rights
NYTimes editorial
The E.U.'s Dangerous Data Rules
Daphne Keller and Bruce D. Brown
Night-vision goggles case cause plane crash
WashPost
U.S. carriers mum on 60 Minutes report on vulnerability in SS7
FierceWireless via Geoff Goodfellow
U.S. Cyberwar aims to cripple ISIS operations
David Sanger
FBI admits it paid $1.3m to hack into that iPhone
*The Guardian* via danny burstein
Facebook bug bounty hunter find bug—and exploit in progress
Peter Houppermans
Kindle Unlimited Scam
Ann Christy via Charles B. Weinstock
If Emoji Are the Future of Communication Then We're Screwed
NYMag
Hacker: This is how I broke into Hacking Team
CSOonline via Monty Solomon
The big picture on software backdoors
Mark Thorson
Air Force blames deadly crash on goggles case
CNN via Monty Solomon
The Burr-Feinstein Proposal Is Simply Anti-Security
Electronic Frontier Foundation via David Farber
No Phones for You! Chic Businesses Are Abandoning Landlines
NYT
Windows Users - Apple and Govt say to remove Quicktime from your PC
Chris J Brady
Re: BMW's car-sharing service launches--and almost lands Ars a ticket
Richard Bos
Re: Bank Back Stabbing
Alister Wm Macintyre
Re: Man accidentally deletes his entire company with one line of bad code: *NOT TRUE*
Martin Ward
John Levine
Rick Steeves
Matt Bishop
Info on RISKS (comp.risks)

Newcastle servers downed by water-main flood early last week

Lindsay Marshall <Lindsay.Marshall@newcastle.ac.uk>
Tue, 19 Apr 2016 19:31:28 +0000
  [Please pass the word on to any of your friends and colleagues who would
  normally be reading RISKS via the UK redistribution on catless.ncl.ac.uk,
  courtesy of Lindsay Marshall.  Lindsay noted to me that catless was on a
  very old Newcastle server, and presumably will be rebooted—eventually.
  Lindsay has been our heroic maintainer of the risks.org RISKS repository
  and its redistribution of RISKS issues to the UK for years and years.
  However, this outage is way beyond his responsibility, and is agonizing.
  Meanwhile, you can read RISKS as comp.risks or at risks@ftp.sri.com.  PGN]

[Lindsay responded to my query: "It was a water main.  But our big machine
room has always been deep underground."]


55-million Philippine voters' personal information exposed

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 22 Apr 2016 14:41:54 PDT
The Philippines' Commission on Elections' entire database of of 55-million
Philippine voters was breached, initially on 27 Mar 2016.

Trend Micro reported it on 6 Apr, with subsequent items in *The Register*
and *The Guardian*.  *The New York Times* reported it on 22 Apr.
http://www.nytimes.com/aponline/2016/04/22/world/asia/ap-as-philippines-election-hacking-.html?emc=eta1


Personal info of 93.4-million Mexicans exposed on Amazon

Marc Rotenberg <rotenberg@epic.org>
Fri, 22 Apr 2016 15:06:05 -0400
"This incident clearly erodes the confidence of citizens in a of government
bodies. Some citizens might decide to never provide data again to the
Instituto Nacional Electoral, the next time their ID expires," Guzman adds,
noting that although it's a relief that financial and bank information were
not leaked, "the information could still be used for criminal purposes, since
the location[s] of citizens are available."

   * * *

With this leak, Mexico now joins a list of countries where almost the entire
population has had their personal information leaked or breached, as 93.4
million represents over 72% of Mexico's estimated population.  Belize,
Greece, Israel, Philippines, and Turkey have also experienced leaks of the
majority of their population's personal information. And of course, let's
not forget that Chris Vickery had also discovered 191 million U.S. voters --
data leaking due to a similarly misconfigured database.

http://www.databreaches.net/personal-info-of-93-4-million-mexicans-exposed-on-amazon/


Bucking the Trend on Voting Rights (*The New York Times*)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 25 Apr 2016 12:01:00 PDT
Lead editorial, *The New York Times*, 25 Apr 2016, relating to Virginia
Governor Terry McAuliffe restoring voting rights to more than 200,000 people
who have completed their sentences for felony convictions.  This reverses
Virginia's previous lifetime ban on voting.  [PGN-ed]

  Final paragraph: Congress should amend the Voting Rights Act to restore
  preclearance and apply it to all jurisdictions with a recent history of
  discriminatory voting practices.  And state officials who are not busy
  trying to disenfranchise people should be following Mr McAuliffe's
  example, and working to make it easier for people to vote.


The E.U.'s Dangerous Data Rules (Keller/Brown)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 25 Apr 2016 12:01:00 PDT
Daphne Keller and Bruce D. Brown
The E.U.'s Dangerous Data Rules
Op-Ed, *The New York Times*, 25 Apr 2016

Can Europe protect privacy without creating *splinternets*?

Important op-ed.  Here's the final paragraph:

Privacy is a real issue, and shouldn't be ignored in the Internet age.  But
applying those national laws to the Internet needs to be handled with more
nuance and concern.  These developments should not be driven only by privacy
regulators.  State departments, trade and justice ministries and telecom
regulators in France and other European countries should be demanding a
place at the table.  So should free-expression advocates.  One day,
international agreements may sort this all out.  But we shouldn't Balkanize
the Internet in the meantime.  Once we've erected barriers online, we might
not be able to tear them down.


Night-vision goggles case cause plane crash (WashPost)

Lauren Weinstein <lauren@vortex.com>
Tue, 19 Apr 2016 09:44:39 -0700
https://www.washingtonpost.com/news/checkpoint/wp/2016/04/19/night-vision-goggle-case-cause-of-plane-crash-that-killed-14-air-force-says/


U.S. carriers mum on 60 Minutes report on vulnerability in SS7

the keyboard of geoff goodfellow <geoff@iconia.com>
Tue, 19 Apr 2016 09:12:53 -1000
A follow-up article on yesterday's article:
http://www.fiercewireless.com/story/us-carriers-mum-60-minutes-report-vulnerability-ss7/2016-04-19


U.S. Cyberwar aims to cripple ISIS operations (David Sanger)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 25 Apr 2016 12:01:00 PDT
David Sanger, *The New York Times* front page, 25 Apr 2016
A New Line of Attack: Using Secret Weapons to Infiltrate Computer Networks


FBI admits it paid $1.3m to hack into that iPhone (*The Guardian*)

danny burstein <dannyb@panix.com>
Thu, 21 Apr 2016 17:55:01 -0400 (EDT)
*The Guardian*

FBI admits it paid $1.3m to hack into San Bernardino shooter's iPhone

The FBI paid about $1.3m for software to hack into the iPhone of San
Bernardino gunman Syed Farook, director James Comey told a London audience
on Thursday.

The staggering price illustrates the growth of the so-called "exploit
market" for digital spy tools and cyber weapons as governments increasingly
use hacker tricks for law enforcement and war.  Prices for such software are
rarely disclosed, although anything in the seven-figure range is extremely
expensive.

https://www.theguardian.com/technology/2016/apr/21/fbi-apple-iphone-hack-san-bernardino-price-paid

  [Yes, the alleged cost is staggering, However, perhaps the FBI is
  including all sorts of secondary costs, or having paid multiple sources
  for multiple exploits, or simply not understanding that the vulnerability
  that they actually exploited was well known in various communities, and
  could have have been acquired for free from certain sources!  PGN]


Facebook bug bounty hunter find bug—and exploit in progress

Peter Houppermans <peter@houppermans.net>
Fri, 22 Apr 2016 12:53:25 +0200
In short, a bug bounty hunter (someone looking to find bugs to take
advantage of a reward program) was examining Facebook and eventually found a
way in, only to discover that someone was already in the specific system.
Facebook proclaimed this to be residue left by another bounty hunter (making
the later one a hunter-gatherer?), a statement I have some problems with as
I personally would clear out malware as fast I'd discover it.

The story is summarised here, including a link to the rather interesting
writeup of the technical details:

http://www.theregister.co.uk/2016/04/22/i_hacked_facebook_and_found_someone_had_beaten_me_to_it/


Kindle Unlimited Scam

"Charles B. Weinstock" <weinstock@conjelco.com>
Tue, 19 Apr 2016 11:34:26 -0400
According to Ann Christy, scammers are gaming the Amazon Kindle Unlimited
system by publishing fake books with many pages, and tricking people into
downloading them because:

1. They are free to download during the first five days of publication, and

2. They use click farms to force the books to the top of the Kindle
   Unlimited bestseller list.

http://www.annchristy.com/ku-scammers-on-amazon-what-you-need-to-know/

The books themselves encourage the reader to go to the last page of the book
to be entered into a contest or some such. This causes Amazon to believe
that the entire book was read and results in a maximum payout to the
scammer. (Authors earn royalties on Kindle Unlimited books based on the
number of pages read—apparently as measured by the last page read.)
Since the Kindle Unlimited royalty pool is fixed across all books this means
that authors of legitimate books are getting less than they should because
the scammers are taking thousands of dollars out of the pool.


If Emoji Are the Future of Communication Then We're Screwed

Monty Solomon <monty@roscom.com>
Mon, 18 Apr 2016 22:13:46 -0400
http://nymag.com/following/2016/04/people-often-disagree-about-what-emoji-mean.html

Investigating the Potential for Miscommunication Using Emoji
http://grouplens.org/blog/investigating-the-potential-for-miscommunication-using-emoji/

*Blissfully happy* or *ready to fight*: Varying Interpretations of Emoji
http://grouplens.org/site-content/uploads/Emoji_Interpretation.pdf


Hacker: This is how I broke into Hacking Team

Monty Solomon <monty@roscom.com>
Mon, 18 Apr 2016 21:40:59 -0400
http://www.csoonline.com/article/3057980/security/hacker-this-is-how-i-broke-into-hacking-team.html

http://pastebin.com/raw/0SNSvyjJ


The big picture on software backdoors

Mark Thorson <eee@sonic.net>
Mon, 18 Apr 2016 22:48:09 -0700
Consider this.

http://smbc-comics.com/comics/1460904126-20160417.png


Air Force blames deadly crash on goggles case

Monty Solomon <monty@roscom.com>
Wed, 20 Apr 2016 01:00:31 -0400
http://www.cnn.com/2016/04/19/politics/us-air-force-plane-crash-afghanistan/index.html


[IP] The Burr-Feinstein Proposal Is Simply Anti-Security | Electronic Frontier Foundation

"David Farber" <dfarber@me.com>
Thu, 21 Apr 2016 15:10:34 -0400
https://www.eff.org/deeplinks/2016/04/burr-feinstein-proposal-simply-anti-security


No Phones for You! Chic Businesses Are Abandoning Landlines (NYT)

Monty Solomon <monty@roscom.com>
Wed, 20 Apr 2016 22:05:20 -0400
Many phone numbers these days merely lead to automated voice mail with
directions to a website. And some businesses have abandoned phones
altogether.
http://www.nytimes.com/2016/04/21/fashion/phones-businesses-landline.html


Windows Users - Apple and Govt say to remove Quicktime from your PC

Chris J Brady <chrisjbrady@yahoo.com>
Thu, 21 Apr 2016 00:25:25 +0000 (UTC)
The company releasing the info is Trend Micro/DV Labs as part of their "Zero
Day Initiative".

http://blog.trendmicro.com/urgent-call-action-uninstall-quicktime-windows-today/http://zerodayinitiative.com/about/

but the actual flaw was discovered by Steven Seeley of Source Incite
-- according to the credit line in the reports:
  http://zerodayinitiative.com/advisories/ZDI-16-241/
  http://zerodayinitiative.com/advisories/ZDI-16-242/

The Department of Homeland Security’s U.S. Computer Emergency Readiness Team
(US-CERT) is a clearing house for computer security information, and is
simply passing along the information from the Zero Day Initiative advisories
  https://www.us-cert.gov/ncas/alerts/TA16-105A

And for completeness, here is the link to the Wall Street Journal article:
  http://www.wsj.com/articles/windows-users-its-time-to-dump-apples-quicktime-1461007437


Re: BMW's car-sharing service launches--and almost lands Ars a ticket (Ars, RISKS-29.47)

Richard Bos
Tue, 19 Apr 2016 16:47:33 GMT
Erm... no. Reading the article, it's clear that it wasn't the service that
led to the traffic violation, it was *the journalist blindly following the
satnav* that did it.  It would've resulted in a (almost) ticket, regardless
of whether this happened in a shared Beamer or the author's private Ford.

There is a RISKS lesson here, certainly, but it's an old one and it has
nothing to do with ReachNow specifically: when you turn on your satnav, do
not turn off your brain.


Re: Bank Back Stabbing (RISKS-29.47)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Mon, 25 Apr 2016 14:43:10 -0500
  [Fin: Uh...and just whose rating would that be? I can hand out stars, too,
  and will be more than happy to if you send me the names of the
  institutions. - Fin]

fin@nym.hush.com asked a question about what rating system I was using for
the due diligence, in my "Bank Back stabbing" post, for which I plan
additional future installments, after I have cooled down enough from my
anger with recent incidents, to describe with clarity and conciseness, to
best of my ability.

In the USA, banks are regulated by the FDIC government organization, which
awards stars for a variety of adherence to best practices and level of risk
of default, such as having enough money to sustain obligations, diversity of
investments across different industry sectors . what we laymen call SAFE and
SECURE, from both a financial perspective and a cyber perspective.  One star
means it has one foot in the grave.  Five stars is the best.

Via Internet search, we can find sites which list banks in our area, and
what their FDIC ratings are, and other info.  It is not as well organized
for other kinds of financial institutions, some of which have better
insurance funds than the FDIC.

There are also both government, and better-business-bureau type resources
which tell us what kinds of complaints other consumers have had against
institutions, and how they were resolved.  I don't care if there are a lot
of complaints.  I care that they are resolved swiftly, politely, and with
justice.

Then after finding high star, or equivalent, institutions, which apparently
behave in a civilized way, my next due diligence interests include rate
competitiveness, and ease of access to their services.

Alister Wm Macintyre (Al Mac)  https://www.linkedin.com/in/almacintyre
Panama Papers group:  https://www.linkedin.com/groups/8508998


Re: Man accidentally deletes his entire company with one line of bad code: *NOT TRUE* (RISKS-29.47)

Martin Ward <martin@gkc.org.uk>
Tue, 19 Apr 2016 08:56:12 +0100
As you probably know by now, this story is now claimed to be a hoax by the
original forum poster. The Independent has this update:

"Since this story was posted, Mr Marsala has claimed that his original post
was a hoax and written as a marketing stunt, but that it had happened to a
client of his in 2006. Contacted by The Independent, Mr Marsala said that
the post was guerilla [*] marketing for another, unnamed, company."

ServerFault has deleted the original question.

The real RISK is that these days, anyone can post anything to just about any
popular forum and have it taken up and printed by the major news networks
without any checking or verification. As if to illustrate this point, one of
the sidebars to this story is a link to the story "Women considered to write
better code than men as long as they don't reveal their gender, study
suggests"
http://www.independent.co.uk/life-style/gadgets-and-tech/news/women-better-code-men-github-study-a6870836.html

This story reports on a paper "authored by a group of six students from
California Polytechnic State University and North Carolina State University,
[which] has been published online, *but is not yet peer-reviewed.*" (my
emphasis).

So: some students wrote a paper, put it on a web site, and it gets picked up
by major news networks: before it has even been peer-reviewed.

"A lie can travel halfway around the world before the truth can get its
boots on" (Incorrectly attributed to Mark Twain: but the truth is still
trying to catch up with the incorrect attribution!)

Dr Martin Ward STRL Principal Lecturer & Reader in Software Engineering
martin@gkc.org.uk  http://www.cse.dmu.ac.uk/~mward/

  [* "300-pound guerilla my dreams?"  (in British currency) PGN]


Re: Man accidentally deletes his entire company with one line of bad code: *NOT TRUE* (RISKS-29.47)

"John Levine" <johnl@iecc.com>
18 Apr 2016 23:56:08 -0000
The reason it sounded too good to be true is that it was.  It's a hoax.

http://www.repubblica.it/tecnologia/2016/04/15/news/cancella_l_azienda_per_sbaglio_la_disavventura_tecnologica_di_marco_marsala-137693154/

http://www.nydailynews.com/news/national/man-deleted-entire-company-hoax-article-1.2604511


Re: Man accidentally deletes his entire company with one line of bad code: *NOT TRUE* (RISKS-29.47)

Rick Steeves <risks@corwyn.net>
Mon, 18 Apr 2016 20:13:53 -0400
And news that even RISKS users can fall for a hoax:

http://www.pcworld.com/article/3057235/data-center-cloud/that-man-who-deleted-his-entire-company-with-a-line-of-code-it-was-a-hoax.html

(really, someone who claims the original error, and then follows it up with
then claiming that he got the if / of command reversed when attempting a
recovery was a good clue).


Re: Man accidentally deletes his entire company with one line of bad code: *NOT TRUE* (RISKS-29.47)

Matt Bishop <mabishop@ucdavis.edu>
Tue, 19 Apr 2016 21:01:08 -0700
According to Snopes, this is a hoax: see
  http://www.snopes.com/man-deletes-company-code/

  ... From that: "Marsala admitted to making up the scenario in order to
  promote his small company, which (naturally) provides outsourced server
  management services."

Not sure that's how I'd go about promoting a server management company ...

Please report problems with the web pages to the maintainer

Top