The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 49

Friday 29 April 2016

Contents

SWIFT system software compromised in order to hide the Bangladeshi Bank fraud
Peter Ladkin
What you need to know about election apps and your personal data
Cynthia Chen
Kuwait to impose genetic testing on all visitors and residents
Thomas Koenig
Trust in the Cloud Could Be Pinned to Online Scoring System
David Ellis
Latest Headlines on DATABREACHES.NET
Werner U.
DARPA Is Looking for the Perfect Encryption App; It's Willing to Pay
Lorenzo Franceschi-Bicchierai
Behind Mitsubishi's Faked Data, Fierce Competition
NYTimes
VW Presentation in '06 Showed How to Foil Emissions Tests
NYTimes
Social Media, Where Sports Fans Congregate and Misogyny Runs Amok
NYTimes
Malware reporting mailbox rejects emails containing malware
Martin Ward
Obama to make 'Nanny guns' push
Sarah Wheaton
Re: FBI admits it paid $1.3m to hack into that iPhone
Henry Baker
BeautifulPeople Dating Website records for sale
Chris Vickery
Re: If Emoji Are the Future of Communication Then We're Screwed
Martin Ward
Europe's Billion-Euro Bet on Quantum Computing
Anthony Cuthbertson
Workshop on Software Measures and Metrics to Reduce Security Vulnerabilities
Paul Black
Deepwater Horizon: A Systems Analysis of the Macondo Disaster
Earl Boebert and James M. Blossom
Update on the catless.ncl.ac.uk outage
PGN
Info on RISKS (comp.risks)

SWIFT system software compromised in order to hide the Bangladeshi Bank fraud

Peter Bernard Ladkin <ladkin@rvs.uni-bielefeld.de>
Tue, 26 Apr 2016 07:06:24 +0200
SWIFT is the international clearing house for bank transactions, and is a
cooperative with 3,000 members.  One of its members, the state bank of
Bangladesh, Bangladesh Bank, recently lost $81m due to fraudulent
transactions using SWIFT systems.

SWIFT has said that some of its software was compromised on Bangladesh Bank
computers in order to cover up the $81m loss, which has led to the
resignation of the Bank's governor.

It seems that authorised access was used to perform the illegitimate
transactions, of which the logs (and thus the visible audit trail) were then
hidden somehow by malware.

https://www.theguardian.com/technology/2016/apr/26/international-bank-transfer-system-hacked-swift-group-admits

BAE systems has some information on malware involved in covering up the
fraudulent transactions, but the incident is not yet fully understood. BAE
apparently doesn't know how the fraudulent transactions were created and
processed. SWIFT says the fraudulent transactions were initiated through
authorised access to its systems.

Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld,
33594 Bielefeld, Germany

  [Different source (Reuters 26 Apr 2016 and DATABREACHES)
<http://www.databreaches.net/swift-warns-customers-of-multiple-cyber-fraud-cases-issues-software-security-update/>
  noted by Werner U.  PGN]
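The point of the post above is that the fraudulent transfers went through with authorised access, and what the malware attacked was the audit trail. As an added illustration, not taken from the post and not a description of SWIFT's own software, the following Python shows one defensive pattern: a hash-chained audit log whose head hash is copied to a separate system at write time, so that a deleted entry, a truncated log, or an in-place edit to a record is caught at verification. The records, hashing scheme and function names are constructed for the example.

```python
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # previous-hash value for the first entry


def entry_digest(prev_hash: str, record: Dict) -> str:
    # Each entry commits to the previous entry's hash and to its own record.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def append_entry(log: List[Dict], record: Dict) -> Dict:
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev_hash,
             "hash": entry_digest(prev_hash, record)}
    log.append(entry)
    return entry


def verify_chain(log: List[Dict], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry.

    expected_head is the last hash as copied off-host when it was written; with
    it, a log that was merely cut short (consistent but missing its tail) is also
    reported, using index len(log).
    """
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev_hash or \
                entry["hash"] != entry_digest(prev_hash, entry["record"]):
            return i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(log)
    return None


# Constructed sample records standing in for a payment system's audit events.
SAMPLE_RECORDS = [
    {"seq": 1, "op": "login", "user": "ops1"},
    {"seq": 2, "op": "transfer", "amount": 100, "ref": "TX-0001"},
    {"seq": 3, "op": "transfer", "amount": 250, "ref": "TX-0002"},
    {"seq": 4, "op": "logout", "user": "ops1"},
]


def build_sample_log() -> List[Dict]:
    log: List[Dict] = []
    for rec in SAMPLE_RECORDS:
        append_entry(log, rec)
    return log


def demo():
    """Return verification results for an intact log and three tampered copies."""
    log = build_sample_log()
    head = log[-1]["hash"]  # the copy kept on a separate system

    intact = verify_chain(log, head)

    # Hiding one transfer by deleting its entry breaks the link at the next entry.
    deleted = verify_chain([e for e in log if e["record"].get("ref") != "TX-0002"], head)

    # Dropping the tail leaves a consistent chain; only the off-host head exposes it.
    truncated = verify_chain(log[:2], head)

    # Editing a record in place no longer matches the stored hash.
    edited = [dict(e, record=dict(e["record"])) for e in log]
    edited[1]["record"]["amount"] = 1
    altered = verify_chain(edited, head)

    return intact, deleted, truncated, altered


if __name__ == "__main__":
    print(demo())  # (None, 2, 2, 1)
```

The off-host copy of the head hash is what makes truncation visible; without it, an attacker who can rewrite the log on the same machine can simply drop the last entries and leave a chain that verifies. Shipping entries to a separate log collector as they are written serves the same purpose at finer granularity.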


What you need to know about election apps and your personal data (Symantec)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Tue, 26 Apr 2016 08:14:35 -0600
Cynthia Chen, Symantec Employee, 25 Apr 2016
Presidential primary apps can gather a lot of information and may expose
sensitive data.

The number of apps related to the presidential primaries has grown
considerably. These apps are more popular than ever, thanks mostly to Donald
Trump, according to our data. However, we want to remind users that
presidential primary apps can gather a lot of information and may expose
sensitive data. Most primary apps are unofficial and not affiliated with a
campaign, but even official apps have some data exposure, as we found by
looking at two primary candidate apps using the Norton Mobile Security with
Norton Mobile Insight app.

http://www.symantec.com/connect/blogs/what-you-need-know-about-election-apps-and-your-personal-data


Kuwait to impose genetic testing on all visitors and residents

Thomas Koenig <tkoenig@netcologne.de>
Tue, 26 Apr 2016 00:17:12 +0200
Wow.

I guess that with the huge amount of oil revenues these days, they don't
need a tourist trade, nor do they care if business people go there.

http://news.kuwaittimes.net/website/kuwait-to-enforce-dna-testing-law-on-citizens-expats-visitors-tests-wont-be-used-to-determine-genealogy-affect-freedoms/


Trust in the Cloud Could Be Pinned to Online Scoring System (David Ellis)

"ACM TechNews" <technews-editor@acm.org>
Wed, 27 Apr 2016 12:06:45 -0400 (EDT)
David Ellis, University of Adelaide, 22 Apr 2016

University of Adelaide researchers have developed an online tool to help
build users' trust in the cloud.  "Trust management is a top obstacle in
cloud computing, and it's a challenging area of research," says University
of Adelaide professor Michael Sheng.  He attributes this lack of faith in
the cloud to minimal transparency, and the difficulty in knowing whether
cloud-based applications are malicious or genuine.  Sheng has been
developing Cloud Armor, which aims to show which cloud sites, applications,
or providers are more trustworthy than others.  "The basic concept behind
this is like the website Rotten Tomatoes, which is widely used by people to
review and rank films," Sheng says.  Cloud Armor relies on a "credibility
model," a crawler engine that scans all of the comments made on the Internet
about any aspect of the cloud, and the model determines what feedback is
credible and what is not.  "We've tested this with and without our
credibility model--without the model, some cloud applications receive a
maximum score of 100; but with the model, that score might only get to 50 or
60," Sheng says.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-efc1x2e214x065498&


Latest Headlines on DATABREACHES.NET

Werner U <werneru@gmail.com>
Thu, 28 Apr 2016 16:46:07 +0200
I had not been aware of that site before following the link to an article
there in the last RISKS-digest (regarding the Mexican voters list)...

Just scanning over the list of the latest articles there (besides the
followup regarding the Mexican issue) might touch on topics of interest to
you or other RISKS-readers...

Latest Posts

- Another Greenshades client discloses breach of employee info
   <http://www.databreaches.net/another-greenshades-client-discloses-breach-of-employee-info/>
- Amazon denies Movimiento Cuidadano’s claim that they were hacked
   <http://www.databreaches.net/amazon-denies-movimiento-cuidadanos-claim-that-they-were-hacked/>
- American Samoa Domain Registry Was Exposing Client Data Since the mid-1990s
   <http://www.databreaches.net/american-samoa-domain-registry-was-exposing-client-data-since-the-mid-1990s/>
- Breach Response Portal Added by Massachusetts Regulator
  <http://www.databreaches.net/breach-response-portal-added-by-massachusetts-regulator/>
- Movimiento Ciudadano admits it was their copy of the Mexican voter
   list on AWS, tries to deflect blame to researcher
   <http://www.databreaches.net/movimiento-ciudadano-admits-responsibility-for-mexican-voter-data-leak-on-amazon/>
- Banks Sue Wendy’s Over Five-Month-Long Data Hack
  <http://www.databreaches.net/banks-sue-wendys-over-five-month-long-data-hack/>
- Vail Valley Medical Center notifies 3,118 patients whose PHI was stolen by
  departing employee
   <http://www.databreaches.net/vail-valley-medical-center-notifies-3118-patients-whose-phi-was-stolen-by-departing-employee/>
- Rhode Island Attorney General Pushing For A State-Level CFAA That Will
  Turn Researchers, Whistleblowers Into Criminals
  <http://www.databreaches.net/rhode-island-attorney-general-pushing-for-a-state-level-cfaa-that-will-turn-researchers-whistleblowers-into-criminals/>
- PH: BIR probes employees for leaking sensitive data
  <http://www.databreaches.net/ph-bir-probes-employees-for-leaking-sensitive-data/>
- Norway Starts Requiring Data Breach Notification
  <http://www.databreaches.net/norway-starts-requiring-data-breach-notification/>


DARPA Is Looking for the Perfect Encryption App; It's Willing to Pay

"ACM TechNews" <technews-editor@acm.org>
Wed, 27 Apr 2016 12:06:45 -0400 (EDT)
Lorenzo Franceschi-Bicchierai, *Motherboard*, 22 Apr 2016

The Pentagon's blue-sky research program is looking for someone to create
the ultimate hacker-proof messaging app.  The "secure messaging and
transaction platform" would use the standard encryption and security
features of current messaging apps such as Signal, but also would use a
decentralized Blockchain-like backbone structure that would be more
resilient to surveillance and cyberattacks.  The goal of the U.S. Defense
Advanced Research Projects Agency (DARPA) is "a secure messaging system that
can provide repudiation or deniability, perfect forward and backward
secrecy, time to live/self delete for messages, one-time eyes-only messages,
a decentralized infrastructure to be resilient to cyberattacks, and ease of
use for individuals in less than ideal situations," according to a recent
notice for proposals.  DARPA wants "a public wall anyone can monitor or post
messages on, but only correct people can decrypt," says Frederic Jacobs, an
independent security researcher.  He notes one problem with this approach is
the structure would have higher latency and be harder to deploy at scale.
DARPA's effort also suggests the rise of encryption apps is inevitable.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-efc1x2e210x065498&

  [DARPA and DoD and most other government agencies *need* strong
  encryption.  Law Enforcement does not.  It's not just a Lexican Standoff.
  PGN]


Behind Mitsubishi's Faked Data, Fierce Competition

Monty Solomon <monty@roscom.com>
Thu, 28 Apr 2016 14:12:11 -0400
The latest automaker scandal has focused attention on the company's
struggles in the brutally competitive Japanese microcar market.
http://www.nytimes.com/2016/04/22/business/mitsubishi-cheating-fuel-economy-investigation.html


VW Presentation in '06 Showed How to Foil Emissions Tests (NYTimes)

Monty Solomon <monty@roscom.com>
Thu, 28 Apr 2016 14:12:05 -0400
The proposal, discovered as part of the investigations into Volkswagen,
provides a direct link to the genesis of the diesel deception.
http://www.nytimes.com/2016/04/27/business/international/vw-presentation-in-06-showed-how-to-foil-emissions-tests.html


Social Media, Where Sports Fans Congregate and Misogyny Runs Amok

Monty Solomon <monty@roscom.com>
Fri, 29 Apr 2016 08:28:05 -0400
Two sports journalists decided to publicly address the vile messages they
receive on social media, comments like "please kill yourself I will provide
the bleach."
http://www.nytimes.com/2016/04/29/sports/more-than-mean-women-journalists-julie-dicaro-sarah-spain.html


Malware reporting mailbox rejects emails containing malware

Martin Ward <martin@gkc.org.uk>
Fri, 29 Apr 2016 09:11:42 +0100
The City of London Police have an email address for members
of the public to report phishing attempts and other malware:

https://reportlite.actionfraud.police.uk/Survey.mvc/Tab/1/11

The address is NFIBPhishing@city-of-london.pnn.police.uk.

Unfortunately, if you try to report malware to the malware
reporting mailbox, by forwarding the malware as requested,
the mailbox will reject your malware report:
because it contains malware!

 > A message that you sent could not be delivered to one or more of its
 > recipients. This is a permanent error. The following address(es) failed:
 >
 >   NFIBPhishing@city-of-london.pnn.police.uk
 >     delivery canceled
...
 > X-ACL-Warn: X-Virus Scan: Sophos AV 9
 > X-ACL-Warn: X-Virus Status: infected by malware (Mal/DrodZp-A)
 > X-ACL-Warn: X-Virus Note: Certain attachments are not checked for viruses

Dr Martin Ward STRL Principal Lecturer & Reader in Software Engineering
martin@gkc.org.uk  http://www.cse.dmu.ac.uk/~mward/


Obama to make 'Nanny guns' push (Sarah Wheaton)

Henry Baker <hbaker1@pipeline.com>
Thu, 28 Apr 2016 21:15:20 -0700
Sarah Wheaton, Politico <swheaton@politico.com>

  [About the only things more insane than 'smart' guns are 4,000-pound
  4-wheel autonomous drone missiles careening through our neighborhood
  streets at 60 mph...  HB]

The govt isn't interested in 'smart' guns, so much as 'back-doored' guns
that can be silenced using a big red button controlled by a bureaucrat...

A truly 'smart' gun would have to solve the 'Trolley Problem' in real time,
using the full power of IBM's Watson/Jeopardy technology, but also having
the legal wisdom of the U.S. Supreme Court in order to withstand the "Monday
Morning Quarterbacks".

https://en.wikipedia.org/wiki/Trolley_problem
http://www.politico.com/story/2016/04/obama-smart-gun-technology-222574


Re: FBI admits it paid $1.3m to hack into that iPhone (*The Guardian*)

Henry Baker <hbaker1@pipeline.com>
Mon, 25 Apr 2016 13:58:51 -0700
"Yes, the alleged cost [of the San Bernardino iPhone hack] is staggering"

For the FBI to advertise that it paid $1.3 million for a single hack is part
of its cynical effort to secure increased funding for next year:

https://www.fbi.gov/news/testimony/fbi-budget-request-for-fiscal-year-2017

"$38.3 million for operational technology investments related to the Going
Dark initiative"

"$85.1 million to enhance cyber investigative capabilities"

"$27 million to leverage Intelligence Community Information Technology
Enterprise components and services within the FBI"

"$8.2 million to enhance surveillance capabilities"

"Overall, the FY 2017 request represents an *increase* of $703.6 million
over the FY 2016 enacted levels, including an additional $229.1 million for
salaries and expenses and $474.5 million for construction."

'nuf said.

  [Note: The $1.3M figure was an estimate derived from a rather indirect
  statement from James Comey, and should be considered an imprecise
  estimate.  PGN]


BeautifulPeople Dating Website records for sale (Chris Vickery)

Werner U <werneru@gmail.com>
Thu, 28 Apr 2016 18:24:00 +0200
Chris Vickery, Blog MacKeeper

Chris Vickery reports on the MacKeeper blog (dated April 27) of another
unsecured MongoDB site he discovered and reported in 2015 to their owners
(like the Verizon case) which, however, has since become available for
purchase on DarkNet...

(...with a potential for tragic personal consequences not unlike the Ashley
Madison incident)

Dating Website Leaks 1.2 million profiles
<https://mackeeper.com/blog/post/218-dating-website-leaks-12-million-profiles>
Now their data is being sold online in 2016

MacKeeper Security Researcher Chris Vickery discovered the unsecured
database in late 2015 and contacted BeautifulPeople.com to secure the user
data. The bad part of this story is that the data was downloaded by cyber
criminals sometime between this gap of when the database was unsecured, when
it was discovered by Vickery, and when beautifulpeople were notified to
secure the database. Now those criminals are selling the data of 1.2 million
users online.  [...]

*Attention - Portions of this article may be used for publication if
properly referenced and credit is given to MacKeeper Security Researcher:
Chris Vickery.*  [Indeed.  We have done so.  PGN]


Re: If Emoji Are the Future of Communication Then We're Screwed

Martin Ward <martin@gkc.org.uk>
Tue, 26 Apr 2016 10:42:19 +0100
There are (at least) two causes for the huge potential for miscommunication
using emoji:

(1) There are a huge number of different emoji: Unicode lists over 300 faces
  and gestures, from U+1F600 (GRINNING FACE) to U+1F574 (MAN IN BUSINESS
  SUIT LEVITATING), and over 1600 emoji in total.

(2) Copyright laws mean that every company has to, or believes that they
  have to, produce their own designs for each emoji character which are
  significantly *different* from everyone else's: in order to avoid
  copyright claims.  Also, each company wants to have their own "style" of
  emoji: even the country flags are.

Also some devices interpret the same code as a very different symbol: the
"yellow heart" on iOS (which I assume is U+1F49B YELLOW HEART) is
interpreted on Android as a red "hairy heart" (or perhaps "heart with black
spikes": this does not appear on the Unicode list).

The image received could be very different to the one sent:
http://www.engadget.com/2014/04/30/you-may-be-accidentally-sending-friends-a-hairy-heart-emoji/

Dr Martin Ward STRL Principal Lecturer & Reader in Software Engineering
martin@gkc.org.uk  http://www.cse.dmu.ac.uk/~mward/


Europe's Billion-Euro Bet on Quantum Computing (Anthony Cuthbertson)

"ACM TechNews" <technews-editor@acm.org>
Wed, 27 Apr 2016 12:06:45 -0400 (EDT)
Anthony Cuthbertson, *Newsweek*, 28 Apr 2016

The European Commission's (EC) just-announced Quantum Flagship project will
invest $1.13 billion over the next 10 years to place Europe "at the
forefront of the second quantum revolution" via quantum technology
development, according to an EC spokesperson.  The project seeks to
encompass not only quantum computers, but also quantum secure communication,
quantum sensing, and quantum simulation.  Scheduled to launch in 2018, the
Quantum Flagship is a response to the Quantum Manifesto urging substantial
quantum technology investment, which was endorsed by several thousand
individuals from industry, academia, and government institutions.  According
to the manifesto, quantum technologies will give birth to a "knowledge-based
industrial ecosystem," which will generate long-term economic, scientific,
and societal benefits.  ETH Zurich professor Matthias Troyer thinks Quantum
Flagship recognizes quantum technologies are ready to make the transition
from research labs to commercial and industrial applications "that within
the next decade will be able to perform tasks that classical devices are
incapable of."  Cambridge Quantum Computing CEO Ilyas Khan agrees with this
assessment.  "It has become increasingly clear that it is now only a matter
of a relatively short time before quantum technologies become of practical
importance at the strategic level for governments and large corporations,"
Khan says.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-efc1x2e20ax065498&


Workshop on Software Measures and Metrics to Reduce Security Vulnerabilities

"Black, Paul E. (Fed)" <paul.black@nist.gov>
Tue, 26 Apr 2016 15:42:44 +0000
We invite you to submit a position statement to a workshop on Software
Measures and Metrics to Reduce Security Vulnerabilities.
https://samate.nist.gov/SwMM-RSV2016.html

when: Tuesday, 12 July 2016, 9 am to 4:30 pm
where: NIST, Gaithersburg, MD, USA

The U.S. Federal Cybersecurity Research and Development Strategic Plan seeks
to fundamentally alter the dynamics of security, reversing adversaries'
asymmetrical advantages. Achieving this reversal is the mid-term goal of the
plan, which calls for "sustainably secure systems development and
operation." Part of the mid-term (3-7 years) goal is "the design and
implementation of software, firmware, and hardware that are highly resistant
to malicious cyber activities ..." and reduce the number of vulnerabilities
in software by orders of magnitude.  Measures of software play an important
role.

Industry requires evidence to tell how vulnerable a piece of software is,
what techniques are most effective in developing software with far fewer
vulnerabilities, determine the best places to deploy countermeasures, or
take any of a number of other actions. This evidence comes from measuring,
in the broadest sense, or assessing properties of software. With useful
metrics, it is straightforward to determine which software development
technologies or methodologies lead to sustainably secure systems.

The goal of this workshop is to gather ideas on how the U.S. Federal
Government can best use taxpayer money to identify, improve, package,
deliver, or boost the use of software measures and metrics to significantly
reduce vulnerabilities.  We call for position statements from one to three
paragraphs long.  Position statements may be on any subject like the
following:
  * existing measures of software that can make a difference in three to
    seven years,
  * means of validating software measures or confirming their efficacy
    (meta-measurements),
  * properties in software that can be measured,
  * standards (in both étalon and norme senses) needed for software
    measurement,
  * cost vs. benefit of software measurements,
  * surmountable barriers to adoption of measures and metrics,
  * areas or conditions of applicability (or non-applicability) of measures,
  * software measurement procedures (esp. automated ones), or
  * sources of variability or uncertainty in software metrics or measures.

The output of this workshop and other efforts is a plan for how best the
U.S. Federal Government can employ taxpayer money to significantly curtail
software vulnerabilities in the mid-term.

The workshop will be at the U.S. National Institute of Standards and
Technology (NIST) in Gaithersburg, Maryland.  This workshop is open to all.
There is no cost to attend the workshop, but prior registration is required
to enter NIST grounds. No walk-in (on-site) registration is available.

A "position" may include articulations of a problem, an issue to discuss, as
well as a solution or opinion.  The program committee will review the
position statements, and invite some to make a presentation.  Position
statements will be published if agreed to by both the author and the program
committee.  Send statements to Elizabeth Fong efong@nist.gov by 22 May 2016.

Important Dates
  May  22      deadline to submit statements
  June  8      invitations to present sent
  TBA          deadline to register
  July 12      workshop

For more information, go to the web site or contact Elizabeth Fong
<efong@nist.gov>, Paul E. Black <paul.black@nist.gov>, or Thomas D. Hurt
<thomas.d.hurt.civ@mail.mil>


Deepwater Horizon: A Systems Analysis of the Macondo Disaster (Earl Boebert and James M. Blossom)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 27 Apr 2016 8:15:49 -0900
One of the most relevant RISKS-related books I have ever read has been
written by Earl Boebert and James M. Blossom.  It provides a DEEP analysis
of everything that went wrong, and should be instructive for all RISKS
readers.  Amazon is now accepting pre-orders for this book, although it will
not be released until 6 Sep 2016.  I'll write more about the book as the
time approaches.  (Incidentally, I was not fooled by my search engine
offering to correct "Boebert" to "Bieber"—Justin-time spelling
correction?)


Update on the catless.ncl.ac.uk outage

RISKS List Owner <risko@csl.sri.com>
Wed, 27 Apr 2016 10:21:00 PDT
Lindsay Marshall (who for many years has managed the RISKS repository at
Newcastle: catless.ncl.ac.uk) notes that the CATLESS RISKS repository will
eventually be rebuilt after the serious water-main break that took down
*all* of their servers.  (CATLESS apparently has low priority in the crunch
to rebuild everything else.)  However, we have agreed that there is no
longer any reason to ship only one copy of each issue across the pond to
Lindsay's CATLESS redistribution service, and so we plan to move *everyone*
there onto the regular SRI distribution.  However, we cannot do that until
CATLESS is reconstituted. PGN
