The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 59

Tuesday 28 June 2016

Contents

Petition for second EU referendum may have been manipulated
Nicola Slawson via Henry Baker
FAA Officials Discuss Standards to Neutralize Cyberattacks
Gabe Goldberg
Healthcare workers prioritize helping people over information security
BoingBoing
Hacker Advertises Slew of Alleged Healthcare Organization Records
Motherboard
Clinton's private e-mail was blocked by spam filters, so State IT turned them off
Sean Gallagher
Woman Wins $10,000 From Microsoft After Unwanted Windows 10 Upgrade
Gizmodo
"Swagger stumbles: Flaw enables remote code execution"
Fahmida Y. Rashid
"Severe flaws in widely used open source library put many projects at risk"
Lucian Constantin
"Over half of world's top domains weak against email spoofing"
Charlie Osborne
"US Customs wants foreign nationals to reveal their social media handles"
Chris Duckett
What are the risks guns could be banned from video games?
Paul Robinson
Vacationing Security Researcher Exposes Austrian ATM Skimmer
SlashDot
Lenovo Warns Users To Upgrade Pre-Installed Tool With Severe Security Holes
SlashDot
Yet another study showing old hard drives should be destroyed
Benoit Goas
Cryptography pioneer Marty Hellman calls for compassion in personal, cyber, and international threats
TechCrunch
Crypto Ransomware Attacks Have Jumped 500% In The Last Year
SlashDot
Why You Should Stop Using Telegram Right Now
SlashDot
More Redacted Redactions
LA Times via Henry Baker
The "Cobra Effect" that is disabling paste on password fields
Troy Hunt
Writing aid for the blind provides a case study for "compassionate engineering" at Carnegie Mellon
TechCrunch
What if we're all forced to be average?
IEEE Spectrum via Bob Frankston
Re: Tesla Model X autonomously crashes into building
Amos Shapir
Info on RISKS (comp.risks)

Petition for second EU referendum may have been manipulated

Henry Baker <hbaker1@pipeline.com>
Sun, 26 Jun 2016 07:04:07 -0700
FYI—This particular type of voting fraud is only one of the most obvious
risks of online voting.

"over 39,000 residents of Vatican City [pop. 800] appeared to have signed
the petition"

http://www.theguardian.com/politics/2016/jun/26/petition-for-second-eu-referendum-may-have-been-manipulated

Petition for second EU referendum may have been manipulated

Data shows people from countries including Iceland and Tunisia backed
petition that should only be signed by Britons and UK residents

Nicola Slawson @nicola_slawson, *The Guardian*, 26 Jun 2016

A petition calling for a second EU referendum which has gained more than 3
million signatures appears to have been manipulated.  The request on
parliament's official petitions website should have been signed only by
British citizens and UK residents.  However, the petition's data shows
signatories from countries around the world, including Iceland, the Cayman
Islands and Tunisia, and in some cases there are more signatures than total
population.  [...]

  [Lots of anecdotal stuff deleted.  PGN]


FAA Officials Discuss Standards to Neutralize Cyberattacks

Gabe Goldberg <gabe@gabegold.com>
Thu, 23 Jun 2016 09:43:03 -0400
WASHINGTON -- Even as U.S. and European regulators jointly pursue ways to fend
off cyberattacks against aviation, they are increasingly focused on devising
standards to ensure that any successful hackers will be detected and
neutralized.

Those twin goals are being widely discussed at an international safety
conference here this week, while new details emerge about proposed
safeguards being developed by a Federal Aviation Administration-created
panel of government and industry officials.
<http://www.wsj.com/articles/panel-reaches-preliminary-agreement-on-airliner-cybersecurity-standards-1465848030>
<http://www.wsj.com/articles/u-s-panel-aims-to-shield-planes-from-cyberattack-1435537440>
http://www.wsj.com/articles/faa-officials-discuss-standards-to-neutralize-cyberattacks-1466081595
or if that doesn't work because of paywall, try this ugly URL:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwjw2av-or7NAhXDbiYKHY5YDL0QFggcMAA&url=http%3A%2F%2Fwww.wsj.com%2Farticles%2Ffaa-officials-discuss-standards-to-neutralize-cyberattacks-1466081595&usg=AFQjCNE7IXDL1EOXGxJ26OUCZ31uM_6oOA&sig2=YeflpvBDLuJrA3FvpQRGWA


Healthcare workers prioritize helping people over information security [disaster ensues]

Lauren Weinstein <lauren@vortex.com>
Tue, 28 Jun 2016 09:33:49 -0700
NNSquad
http://boingboing.net/2016/06/28/healthcare-workers-prioritize.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+boingboing%2FiBag+%28Boing+Boing%29

  These workarounds were driven by clinicians' need to get their jobs done
  and by IT's failure to understand what that entailed. For example, IT's
  imposition of password rotation schedules meant that no one knew what
  their passwords were from moment to moment, forcing them to write them
  down and share them (in some cases, IT might have had this policy set by
  vendors or regulators/insurers). Aggressive timeouts on terminals meant
  that clinicians spent an undue amount of time logging in, making it
  impossible to get their work done.  Other IT-based checks forced
  even-more-dangerous workarounds, like the system that wouldn't let doctors
  save work without ordering potentially lethal blood thinners, which they'd
  have to remember to log back in and cancel, or kill their patients.  A
  thumbprint-based signing system for death certificates only accepted
  thumbprints from one doctor, meaning that his signature was on every death
  certificate, regardless of whose patient the deceased had been.

Let's be 100% clear about this lethal situation. It is 100% the fault of the
IT industry for creating systems that are so abysmally suited to the tasks
at hand that healthcare workers need to behave these ways to get their jobs
done and save lives.


Hacker Advertises Slew of Alleged Healthcare Organization Records

Lauren Weinstein <lauren@vortex.com>
Tue, 28 Jun 2016 11:51:50 -0700
Motherboard via  NNSquad
http://motherboard.vice.com/read/hacker-advertises-slew-of-alleged-healthcare-organization-records

  A hacker is advertising hundreds of thousands of alleged records from
  healthcare organizations on a dark web marketplace, including social
  security and insurance policy numbers.  The data could be used for
  anything from getting lines of credit to opening bank accounts to carrying
  out loan fraud and much more, the hacker selling the data, who goes by the
  handle "thedarkoverlord," told Motherboard.  News site Deep Dot Web first
  reported the news on Saturday. The breaches supposedly come from three
  different healthcare organizations: one in Farmington, Missouri with
  48,000 records; another in Atlanta, Georgia with 397,000 entries, and the
  third in the Central/Midwest US with 210,000 records. Thedarkoverlord has
  decided to not name the organizations, as he has threatened each with a
  ransom demand.


Clinton's private e-mail was blocked by spam filters, so State IT turned them off (Sean Gallagher)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Thu, 23 Jun 2016 10:42:59 -0600
Sean Gallagher, *Ars Technica*, 23 Jun 2016

Documents recently obtained by the conservative advocacy group Judicial
Watch show that in December 2010, then-Secretary of State Hillary Clinton
and her staff were having difficulty communicating with State Department
officials by e-mail because spam filters were blocking their messages. To
fix the problem, State Department IT turned the filters off—potentially
exposing State's employees to phishing attacks and other malicious e-mails.

The mail problems prompted Clinton Chief of Staff Huma Abedin to suggest to
Clinton, "We should talk about putting you on State e-mail or releasing your
e-mail address to the department so you are not going to spam." Clinton
replied, "Let's get [a] separate address or device but I don't want any risk
of the personal [e-mail] being accessible."

http://arstechnica.com/information-technology/2016/06/clintons-private-e-mail-was-blocked-by-spam-filters-so-state-it-turned-them-off/


Woman Wins $10,000 From Microsoft After Unwanted Windows 10 Upgrade (Gizmodo)

Lauren Weinstein <lauren@vortex.com>
Mon, 27 Jun 2016 09:10:38 -0700
Gizmodo via NNSquad
http://gizmodo.com/woman-wins-10-000-from-microsoft-after-unwanted-window-1782666146

  A California woman has won a $10,000 judgment from Microsoft after the
  company dropped its appeal in a case in which she alleged that her work
  computer became slow and unreliable after automatically upgrading itself
  to Windows 10.

Class action suit, anyone?

  [Gene Wirchenko also spotted more:
http://www.seattletimes.com/business/microsoft/microsoft-draws-flak-for-pushing-windows-10-on-pc-users/
http://www.theregister.co.uk/2016/06/27/woman_microsoft_windows_10_upgrades/
  ]


"Swagger stumbles: Flaw enables remote code execution" (Fahmida Y. Rashid)

Gene Wirchenko <genew@telus.net>
Tue, 28 Jun 2016 10:51:47 -0700
Fahmida Y. Rashid, InfoWorld, 27 Jun 2016
Swagger's code generators and parsers forgot the core tenet of
software development, which is never to trust user input
http://www.infoworld.com/article/3088569/security/swagger-stumbles-flaw-enables-remote-code-execution.html

selected text:

Because Swagger's generators and parsers don't verify input when generating
code, a maliciously-crafted Swagger document can result in remote code
execution, Rapid7 said in a blog post disclosing the vulnerability.


"Severe flaws in widely used open source library put many projects at risk" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Fri, 24 Jun 2016 10:26:07 -0700
When was the last time you heard the Open Source saw about number of
eyeballs?

Lucian Constantin, InfoWorld, 22 Jun 2016
Input validation flaws in libarchive could lead to remote code execution
http://www.infoworld.com/article/3087347/security/severe-flaws-in-widely-used-open-source-library-put-many-projects-at-risk.html

selected text:

Libarchive ... provides real-time access to files compressed with a variety
of algorithms, ...

The library is used by file and package managers included in many Linux and
BSD systems, as well as by components and tools in OS X and Chrome OS.

The Cisco Talos researchers found an integer overflow, a buffer overflow,
and a heap overflow in the libarchive code that handles 7-Zip, mtree and rar
files, respectively.


"Over half of world's top domains weak against email spoofing" (Charlie Osborne)

Gene Wirchenko <genew@telus.net>
Fri, 24 Jun 2016 11:06:48 -0700
Charlie Osborne for Zero Day, ZDNet, 23 Jun 2016
Misconfigured email servers could prompt spoof emails being 'sent'
from legitimate services.
http://www.zdnet.com/article/over-half-of-worlds-top-email-services-weak-to-spoofing/

selected text:

By using only a few lines of Python, the firm's researchers found that over
50 percent of top 500 Alexa websites were vulnerable to spoofing—either
through having no authentication configured or by having settings
misconfigured.
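
An added illustration of the kind of check the excerpt describes; it is not the researchers' script. It assumes the "authentication" in question is SPF and DMARC, which the excerpt does not name, and it runs over constructed TXT records instead of live DNS; the `.example` domains and the weakness rules are this example's own.

```python
import re

# Constructed sample data: DNS name -> TXT strings a resolver would return.
# SPF is published at the domain itself, DMARC at "_dmarc.<domain>".
SAMPLE_TXT = {
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    "soft.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.soft.example": ["v=DMARC1; p=none"],
    "open.example": ["v=spf1 +all"],
    "bare.example": ["site-verification=constructed-token"],
    "dup.example": ["v=spf1 -all", "v=spf1 mx -all"],
    "_dmarc.dup.example": ["v=DMARC1; p=quarantine; pct=50"],
}

ALL_RE = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)
ALL_RESULT = {"": "pass-all", "+": "pass-all", "?": "neutral",
              "~": "softfail", "-": "hardfail"}


def spf_finding(records):
    """Classify the SPF posture from a domain's TXT records."""
    spf = [r for r in records if re.match(r"(?i)^v=spf1(\s|$)", r.strip())]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "multiple"          # receivers treat this as a permanent error
    terms = spf[0].split()[1:]
    for term in terms:
        m = ALL_RE.match(term)
        if m:
            return ALL_RESULT[m.group(1)]
    if any(t.lower().startswith("redirect=") for t in terms):
        return "redirect"          # depends on another record; not followed here
    return "no-all"                # no catch-all, so unmatched senders are neutral


def dmarc_finding(records):
    """Return (policy, pct) from the TXT records at _dmarc.<domain>."""
    recs = [r for r in records if re.match(r"(?i)^v=DMARC1\s*(;|$)", r.strip())]
    if len(recs) != 1:
        return ("missing", 100)
    tags = {}
    for part in recs[0].split(";")[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ("invalid", 100)
    pct = tags.get("pct", "100")
    return (policy, int(pct) if pct.isdigit() else 100)


def audit(domain, txt):
    """Report why mail claiming to be from `domain` might not be rejected."""
    spf = spf_finding(txt.get(domain, []))
    policy, pct = dmarc_finding(txt.get("_dmarc." + domain, []))
    issues = []
    if spf == "missing":
        issues.append("no SPF record")
    elif spf == "multiple":
        issues.append("multiple SPF records")
    elif spf in ("pass-all", "neutral", "no-all"):
        issues.append("SPF does not restrict senders (%s)" % spf)
    if policy == "missing":
        issues.append("no DMARC record")
    elif policy == "invalid":
        issues.append("DMARC record has no valid p= tag")
    elif policy == "none":
        issues.append("DMARC p=none only monitors")
    elif pct < 100:
        issues.append("DMARC policy applies to %d%% of mail" % pct)
    return {"domain": domain, "spf": spf, "dmarc": policy, "issues": issues}


def weak_domains(domains, txt):
    """Names of the domains for which audit() found at least one issue."""
    return sorted(d for d in domains if audit(d, txt)["issues"])


if __name__ == "__main__":
    for name in ("strict.example", "soft.example", "open.example",
                 "bare.example", "dup.example"):
        print(audit(name, SAMPLE_TXT))
```

The DMARC lookup here does not fall back to the organizational domain for subdomains, so it is only meaningful for names that publish their own `_dmarc` record.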


"US Customs wants foreign nationals to reveal their social media handles"

Gene Wirchenko <genew@telus.net>
Tue, 28 Jun 2016 11:03:27 -0700
Chris Duckett, ZDNet, 27 Jun 2016
Travelers looking to enter the United States will be asked by US
Customs for their social media IDs under a new proposal.
http://www.zdnet.com/article/us-customs-wants-foreign-nationals-to-reveal-their-social-media-handles/

selected text:

US Customs and the Department of Homeland Security (DHS) want to ask foreign
nationals entering the United States to hand over their social media handles
at a cost of almost $300 million a year.

According to a notice posted on the US federal register, travelers would be
asked to "Please enter information associated with your online presence --
Provider/Platform—Social media identifier".

Responding to the question would be optional.

   And how long would this be optional?


What are the risks guns could be banned from video games?

Paul Robinson <rfc1394@yahoo.com>
Sat, 25 Jun 2016 06:28:02 +0000 (UTC)
Some people have wondered, because of the public shootings that occur every
so often, including the most recent ones in Orlando and Germany, is there a
risk that computer games might be forbidden to show weapons - specifically
guns - or that video games that show guns being used to wound or kill
people, especially in apocalyptic or "collapse of civilization" scenarios,
where players might engage in rampages, including the potential for the
killing of soldiers and police officers, could be banned or prohibited from
distribution?

Short version:

The various governments of the United States—which means: the federal
government and both a state government and a sub agency of a state
government such as a county or city - lack the power to prohibit a maker of
a video game from including guns in a video game, the use of guns in a video
game, the use of guns on a video game to kill people, or the use of video
games to kill soldiers, uniformed police officers, or even a protected class
of people or an identifiable minority or religious group such as blacks,
Jews, Catholics, Muslims, Protestants, gays, whites, American Indians, men,
women, or children.

  [Long version much too long for RISKS. Truncated.  PGN]


Vacationing Security Researcher Exposes Austrian ATM Skimmer (SlashDot, 26 Jun 2016)

Werner <werneru@gmail.com>
Sun, 26 Jun 2016 21:01:19 +0200
(Posted by EditorDavid on Sunday June 26, 2016)
<https://news.slashdot.org/story/16/06/25/1945233/vacationing-security-researcher-exposes-austrian-atm-skimmer>

While vacationing with his family in Vienna, Ben Tedesco (from security
company Carbon Black) discovered an ATM skimmer "in the wild", perfectly
crafted to look like the original card reader.
(<https://www.carbonblack.com/2016/06/24/finding-atm-skimmer-pays-paranoid/>)

New submitter rmurph04 shares Ben's story:

  I went to grab some cash from an ATM. Being security paranoid, I repeated
  my typical habit of checking the card reader with my hand as I have
  hundreds of times. Today's the day when my security awareness paid off!

Ben's blog post includes a video demonstrating the ATM skimmer, as well as
close-ups showing the device had its own control board, strip reader, and
even its own battery.


Lenovo Warns Users To Upgrade Pre-Installed Tool With Severe Security Holes (SlashDot)

Werner <werneru@gmail.com>
Sun, 26 Jun 2016 21:18:33 +0200
<https://tech.slashdot.org/story/16/06/25/1844252/lenovo-warns-users-to-upgrade-pre-installed-tool-with-severe-security-holes>
(Posted by EditorDavid on Saturday June 25, 2016)

Long-time SlashDot reader itwbennett writes:
Lenovo is advising users to upgrade to version 3.3.003 of Lenovo
Solution Center (LSC)
<https://support.lenovo.com/us/en/product_security/len_7814>, which
includes fixes for two high-severity vulnerabilities in the tool
<http://www.csoonline.com/article/3088526/security/lenovo-patches-two-high-severity-flaws-in-pc-support-tool.html>.
[The tool] allows users to check their system's virus and firewall
status, update their Lenovo software, perform backups, check battery
health, get registration and warranty information and run hardware tests.

The CVE-2016-5249 vulnerability allows an attacker who already has
control of a limited account on a PC to execute malicious code via the
privileged LocalSystem account. And the CVE-2016-5248 vulnerability
allows any local user to send a command to LSC.Services.SystemService in
order to kill any other process on the system, privileged or not.


Yet another study showing old hard drives should be destroyed

Benoit Goas <goasben@hawk.iit.edu>
Tue, 28 Jun 2016 22:05:29 +0200
I just read about another study on what can be recovered from old hard drives.
Risks are obvious!
See at
http://www.theregister.co.uk/2016/06/28/ebay_hard_drives_still_contain_sensitive_data_study/


Cryptography pioneer Marty Hellman calls for compassion in personal, cyber, and international threats (TechCrunch)

Lauren Weinstein <lauren@vortex.com>
Mon, 27 Jun 2016 16:52:15 -0700
https://techcrunch.com/2016/06/27/cryptography-pioneer-marty-hellman-on-using-compassion-in-personal-cyber-and-international-threats/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

  Hellman no longer does crypto research, though he retains a position at
  Stanford; instead, he has been advocating for changes in policy that
  acknowledge the new, more interconnected global community.  "I see
  cyberweapons as very similar to nuclear weapons," he said. "Early on we
  had a monopoly on nuclear weapons so we thought they were the greatest
  thing going. But unlike a nuclear weapon, a cyberweapon doesn't destroy
  itself, so like with Stuxnet, our adversaries were able to take it apart
  and figure out how it works. We need to start thinking this through more
  carefully."


Crypto Ransomware Attacks Have Jumped 500% In The Last Year

Werner <werneru@gmail.com>
Sun, 26 Jun 2016 21:25:38 +0200
<https://it.slashdot.org/story/16/06/25/157247/crypto-ransomware-attacks-have-jumped-500-in-the-last-year>
(Posted by EditorDavid on Saturday June 25, 2016)

Kaspersky Lab is reporting that the last year saw a 500% increase in the
number of users who encountered crypto ransomware. Trailrunner7 shares
an article from On The Wire:
Data compiled by Kaspersky researchers from the company's cloud network
shows that from April 2015 to March 2016, the volume of crypto
ransomware encountered by users leapt from 131,111 to 718,536
<https://www.onthewire.io/crypto-ransomware-attacks-jump-nearly-500/>.
That's a massive increase, especially considering the fact that
ransomware is a somewhat mature threat. It didn't just burst onto the
scene a couple of years ago. Kaspersky's researchers said the spike in
crypto ransomware can be attributed to a small group of variants.
"Looking at the malware groups that were active in the period covered by
this report, it appears that a rather short list of suspects is
responsible for most of the trouble caused by crypto-ransomware..."

It's difficult to overstate how much of an effect the emergence of
ransomware has had on consumers, enterprises, and the security industry
itself. The FBI has been warning users about crypto ransomware for some
time now, and has consistently advised victims not to pay any ransoms.
Security researchers have been publishing decryption tools for specific
ransomware variants and law enforcement agencies have had some success
in taking down ransomware gangs.

Enterprise targets now account for 13% of ransomware attacks, with
attackers typically charging tens of thousands of dollars, the article
reports, and "Recent attacks on networks at the University of Calgary
<https://news.slashdot.org/story/16/06/12/082234/ransomware-thieves-cost-canada-university-c20000-in-bitcoin>
and Hollywood Presbyterian Medical Center
<https://yro.slashdot.org/story/16/02/18/0253216/la-hospital-pays-off-ransomware-thieves-to-reclaim-its-network>
have demonstrated the brutal effectiveness of this strategy."


Why You Should Stop Using Telegram Right Now (SlashDot)

Werner <werneru@gmail.com>
Sun, 26 Jun 2016 21:37:10 +0200
<https://yro.slashdot.org/story/16/06/25/155214/why-you-should-stop-using-telegram-right-now>
(Posted by manishs on Saturday June 25, 2016)

Earlier this week, The Intercept evaluated the best instant messaging
clients from the privacy standpoint
<https://it.slashdot.org/story/16/06/22/1934232/battle-of-the-secure-messaging-apps-signal-triumphs-over-whatsapp-allo>.
The list included Facebook's WhatsApp, Google's Allo, and Signal --
three apps that employ end-to-end encryption. One popular name that was
missing from the list was Telegram. A report on Gizmodo sheds further
light on the matter, adding that Telegram is riddled with a wide range
of security issues, and "doesn't live up to its proclamations as a safe
and secure messaging application." Citing many security experts, the
report states
<http://gizmodo.com/why-you-should-stop-using-telegram-right-now-1782557415>:
One major problem Telegram has is that it doesn't encrypt chats by
default, something the FBI has advocated for. "There are many Telegram
users who think they are communicating in an encrypted way, when they're
not because they don't realize that they have to turn on an additional
setting," Christopher Soghoian, Principal Technologist and Senior Policy
Analyst at the American Civil Liberties Union, told Gizmodo. "Telegram
has delivered everything that the government wants. Would I prefer that
they used a method of encryption that followed industry best practices
like WhatsApp and Signal? Certainly. But, if it's not turned on by
default, it doesn't matter."

The other issue that security experts have taken a note of is that
Telegram employs its own encryption, which according to them, "is widely
considered to be a fatal flaw when developing encrypted messaging apps."
The report adds:

"They use the MTproto protocol which is effectively homegrown and I've
seen no proper proofs of its security," Alan Woodward, professor at the
University of Surrey told Gizmodo. Woodward criticized Telegram for
their lack of transparency regarding their home cooked encryption
protocol. "At present we don't know enough to know if it's secure or
insecure. That's the trouble with security by obscurity. It's usual for
cryptographers to reveal the algorithms completely, but here we are in
the dark. Unless you have considerable experience, you shouldn't write
your own crypto. No one really understands why they did that."

The list goes on and on.
<http://gizmodo.com/why-you-should-stop-using-telegram-right-now-1782557415>


More Redacted Redactions

Henry Baker <hbaker1@pipeline.com>
Mon, 27 Jun 2016 16:25:37 -0700
FYI—If you accidentally redact a redaction, you get the original back!

Another example of the Streisand effect.
http://www.latimes.com/politics/la-na-benghazi-democrats-20160627-snap-story.html

"Democrats released but redacted a transcript of Clinton confidant Sidney
Blumenthal answering the committee's questions ... But the redaction marks
are easily erased by anyone able to use a computer's cut-and-paste
function."


The "Cobra Effect" that is disabling paste on password fields

Lauren Weinstein <lauren@vortex.com>
Mon, 27 Jun 2016 21:03:25 -0700
TroyHunt via NNSquad
https://www.troyhunt.com/the-cobra-effect-that-is-disabling/

  Unfortunately, the enterprising locals saw things differently and
  interpreted the "cash for cobras" scheme as a damn good reason to start
  breeding serpents and raking in the dollars.  Having now seen the flaw in
  their original logic, the poms quickly scrapped the scheme meaning no
  more snake bounty.  Naturally the only thing for the locals to do with
  their now worthless cobras was to set them free so that they may seek out
  a nice cosy British settlement somewhere.  This became known as the Cobra
  Effect or in other words, a solution to a problem that actually makes the
  whole thing a lot worse.  Here's a modern day implementation of the Cobra
  Effect as it relates to the ability to paste your password into a login
  field ...

The inability to paste into a password field drives me bats. It makes
security *worse*, not better!


Writing aid for the blind provides a case study for "compassionate engineering" at Carnegie Mellon (TechCrunch)

Lauren Weinstein <lauren@vortex.com>
Mon, 27 Jun 2016 17:27:48 -0700
NNSquad
https://techcrunch.com/2016/06/27/writing-aid-for-the-blind-provides-a-case-study-for-compassionate-engineering-at-carnegie-mellon/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

  New mobile games and robot butlers are all well and good, but there are
  also many applications for the latest technology in poverty-stricken
  school districts and in the service of the disabled.  A Carnegie Mellon
  project that targets both of those things is described by its creators as
  an exercise in what they call "compassionate engineering."


What if we're all forced to be average?

"Bob Frankston" <Bob19-0501@bobf.frankston.com>
22 Jun 2016 16:51:08 -0400
The AI Dashcam App That Wants to Rate Every Driver in the World

http://spectrum.ieee.org/cars-that-think/transportation/sensors/the-ai-dashcam-app-that-wants-to-rate-every-driver-in-the-world/?utm_source=CarsThatThink&utm_medium=Newsletter&utm_campaign=CTT06222016

Imagine if everyone is held to the letter of the law by a world of minders?
Just as with DRM, what happens if we take rules that work socially and remove
human discretion? If meaning comes from context there is a major risk in all
these efforts to enforce the letter of the law. One of the big advantages of
the US has been our ability to reinvent ourselves.


Re: Tesla Model X autonomously crashes into building, owner claims (Macky, RISKS-29.58)

Amos Shapir <amos083@gmail.com>
Fri, 24 Jun 2016 13:44:30 +0300
> Teslas are instrumented. When there's a crash like this one, it's probably
> a good idea to wait until the log contents are revealed before repeating
> the driver's claims; the logs often show the opposite.

But then if a crossed wire or some other bug causes pressure on the brake
to be misinterpreted by the system as pressure on the accelerator, the logs
would also show that the accelerator was pressed!

The question is, are the logs generated by the same system that we want to
debug?
