The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 62

Tuesday 19 July 2016

Contents

Senatorial celestial GPS silliness
Paul Saffo
More than $3.1 billion lost in bogus 2014 IRS tax refunds
Joe Davidson via Henry Baker
U.S. Efforts To Regulate Encryption Have Been Flawed...
SlashDot via Werner U
Putin goes full Stasi; wants encryption keys for the Internet
Henry Baker
SMOP / Time Edition
Bob Frankston
IRS hacked again—say goodbye to that PIN system!
Lisa Vaas
2-million-person terror database leaked online
SlashDot
Security Issue at Redis Installations
RskBasedSecurity.com via SlashDot
Food chain Wendy's hit by massive hack
Dave Lee
Why Twitter Can't Even Protect Tech CEOs From Getting Hacked
SlashDot
Security researcher uncovers high-risk BIOS vulnerability in Lenovo PCs—yet again!!
The Tech Portal
Google Found Disastrous Symantec and Norton Vulnerabilities That Are 'As Bad As It Gets'
Fortune
You Can Now Browse Through 427 Million Stolen MySpace Passwords
SlashDot
Home computers connected to the Internet aren't private— court ruling
Michael Winser
Netherlands Gets First Nationwide 'Internet of Things'
SlashDot
Another Installment from the Internet-of-Not-Very-Secure-Things: D-Link Escalation Hazard
Bob Gezelter
"ACLU lawsuit challenges U.S. computer hacking law"
Grant Gross
How Sony, Microsoft, and Other Gadget Makers Violate Federal Warranty Law
SlashDot
UK bill introduces 10 year prison sentence for online pirates
TorrentFreak
"Google, Viacom win appeal in lawsuit over children's privacy"
Stephanie Condon
Teen girl who texted friend to commit suicide must stand trial
Ars Technica
"Firmware exploit can defeat new Windows security features on Lenovo ThinkPads" and "Nasty Lenovo UEFI exploit also affects products from other vendors"
Lucian Constantin
"Android's full disk encryption can be brute-forced on devices with Qualcomm chips"
Lucian Constantin
Android Malware Pretends To Be WhatsApp, Uber and Google Play
SlashDot
Interview With An 'NSA Hacker' Published By The Intercept
SlashDot
I just posted a note on the subject of Internet fragmentation
Karl Auerbach
Researchers Sue the Government Over Computer Hacking Law
WiReD
Info on RISKS (comp.risks)

Senatorial celestial GPS silliness

Paul Saffo <paul@saffo.com>
July 19, 2016 at 8:14:16 AM PDT
The first sentence is a real howler. I am a big fan of celnav (I own 5
sextants and know how to use them), but teaching celnav out of fear of GPS
sabotage demonstrates a profound lack of understanding about both GPS and
navigation in general. There are plenty of reasons to know how to use a
sextant, but these land-lubber senators have completely missed the boat.  -p

Joe Uchill - 07/15/16 11:27 AM EDT
Senators back celestial navigation for all Navy personnel


Senators Joni Ernst (R-Iowa) and Gary Peters (D-Mich.) are pushing the Navy
to teach all its sailors the ultimate backup plan in case of navigation
systems sabotage—celestial navigation.

The pair sent a letter to Secretary of the Navy Raymond Mabus, Jr.  asking
why the celestial training was only being taught to some, but not all,
personnel.

"Though celestial and nautical navigation skills are more challenging to
acquire, they are absolutely critical for our sailors," they wrote.  Navy
boats—and most navigation systems worldwide—rely on the Global
Positioning System run by the U.S. Air Force. But GPS operates on low-power
satellite broadcasts that are not difficult to jam.

This academic year, the Naval Academy began teaching celestial navigation
again, the first time since 2006. The centuries-old practice of telling
location by star locations is less susceptible to mechanical malfunction.

"We owe it to our sailors, enlisted and officer, to ensure these skills are
being taught and our sailors are being held to the highest standard before
we send them to the fleet.  It is imperative that this standard is kept
throughout the service."

http://thehill.com/policy/cybersecurity/287901-sens-back-celestial-navigation-for-all-navy-personnel


More than $3.1 billion lost in bogus 2014 IRS tax refunds

Henry Baker <hbaker1@pipeline.com>
Sat, 02 Jul 2016 08:18:29 -0700
FYI—Wow!  The govt could have purchased another half of a non-working
F-35 for that sum!

The govt should by all means weaken encryption so these frauds can be
stopped in their tracks.  ;-)

Another ill-fated "TPP" scheme gone awry.

https://www.washingtonpost.com/news/powerpost/wp/2016/07/01/3-1-billion-lost-to-id-theft-tax-fraudsters-in-2014-at-least/

Joe Davidson, *The Washington Post*, 1 July 2016
$3.1 billion—at least—lost in bogus tax refunds to ID thieves in 2014

Even during this era of cyber-insecurity, here's a chilling figure: 3.1
billion.  That's the number of dollars the Internal Revenue Service (IRS)
paid in bogus tax refunds in 2014 because of identity theft refund fraud,
according to the Government Accountability Office.

The IRS has a Taxpayer Protection Program (TPP) that sounds like it should
provide security.  It does, but not enough to prevent IRS from paying $30
million to identity theft fraudsters in 2014, based on the 1.6 million
screened by the program.  That's just one of the ways Uncle Sam fights
identity theft fraud.  About 7,200 of them were bogus.  In total, IRS
processed more than 150 million individual tax returns in 2015.

Overall, the GAO report indicates the IRS does a decent job of detecting and
stopping ID fraud, which is a big business.  Crooks attempted to get $25.6
billion from bogus refunds in 2014.  The IRS beat them most of the time,
stopping or recovering the theft of $22.5 billion, 88 percent of the
attempted pillage.  But in the remaining cases, crooks got the $3.1 billion.
That could be a low-ball estimate, however.  GAO says the IRS might have
been beaten an unknown number of times for an undetermined amount of money
by undetected cheating.

Regarding TPP authentication, IRS likely underestimated how many fraudulent
returns it passed "because the agency did not include potential IDT
(identity theft) returns that closely matched information returns provided
by third parties, such as W-2s" said James R. McTigue, Jr., GAO's director
of strategic issues.

TPP is designed to reduce identity theft fraud by verifying the identities
of suspicious tax filers.  But it has some holes.

"TPP uses single-factor authentication procedures that incorporate one of
the following authentication elements: 'something you know,' 'something you
have,' or 'something you are,'" GAO said.  "TPP's single-factor
authentication procedures are at risk of exploitation because some
fraudsters obtain the PII (personally identifiable information) necessary to
pass the questions asked during authentication."

Criminals can find answers to at least one of those "somethings" by
searching the web or even purchasing information from vendors.

IRS did a risk assessment in 2012 and "determined that improper
authentication through TPP posed low or moderate risks to both the agency
and taxpayers, and therefore required no more than single-factor
authentication."   [Long item pruned for RISKS.  PGN]

The GAO report was requested by four members of Congress, including
Sen. Susan Collins (R-Maine), chairwoman of the Special Committee on Aging.
"While the IRS has developed tools and programs to detect and prevent refund
fraud due to identity theft," she said in a statement, "GAO's report shows
that substantial improvement is still needed."


U.S. Efforts To Regulate Encryption Have Been Flawed... (SlashDot)

Werner <werneru@gmail.com>
Fri, 1 Jul 2016 16:23:10 +0200
(Posted by BeauHD on Thursday June 30, 2016)
<https://it.slashdot.org/story/16/06/30/0522216/us-efforts-to-regulate-encryption-have-been-flawed-government-report-finds>
-- from a report via The Guardian:

U.S. Republican congressional staff said in a report released Wednesday that
previous efforts to regulate privacy technology were flawed and that
lawmakers need to learn more about technology before trying to regulate it.
<https://www.theguardian.com/technology/2016/jun/29/government-encryption-regulation-report-criticism>

The 25-page white paper is entitled Going Dark, Going Forward: A Primer on
the Encryption Debate and it does not provide any solution to the encryption
fight. However, it is notable for its criticism of other lawmakers who have
tried to legislate their way out of the encryption debate. It also sets a
new starting point for Congress as it mulls whether to legislate on
encryption during the Clinton or Trump administration. "Lawmakers need to
develop a far deeper understanding of this complex issue before they attempt
a legislative fix," the committee staff wrote in their report. The committee
calls for more dialogue on the topic and for more interviews with experts,
even though they claim to have already held more than 100 such briefings,
some of which are classified. The report says in the first line that public
interest in encryption has surged once it was revealed that terrorists
behind the Paris and San Bernardino attacks "used encrypted communications
to evade detection."
<https://yro.slashdot.org/story/16/02/17/1347207/congressman-court-order-to-decrypt-iphone-has-far-reaching-implications>

Congressman Ted Lieu is pushing the federal government to treat ransomware
attacks on medical facilities as data breaches and require notifications of
patients.
<https://yro.slashdot.org/story/16/06/30/0340220/congressman-wants-ransomware-attacks-to-trigger-breach-notifications>


Putin goes full Stasi; wants encryption keys for the Internet

Henry Baker <hbaker1@pipeline.com>
Fri, 08 Jul 2016 07:14:17 -0700
FYI—Theresa May, James Comey, Cyrus Vance, et al, can't wait to go full
Stasi, as well.

'Putin-in-the-middle' attacks, anyone?

https://meduza.io/en/news/2016/07/07/putin-gives-federal-security-agents-two-weeks-to-produce-encryption-keys-for-the-internet

Putin gives federal security agents two weeks to produce 'encryption keys'
for the Internet, Meduza, 7 july 2016

After signing controversial anti-terrorist legislation earlier today,

President Putin ordered the Federal Security Service (the FSB, the
post-Soviet successor to the KGB) to produce encryption keys to decrypt all
data on the Internet.  According to the executive order, the FSB has two
weeks to do it.  Responsibility for carrying out Putin's instructions falls
on Alexander Bortnikov, the head of the FSB.

The new "anti-terrorist" laws require all "organizers of information
distribution" that add "additional coding" to transmitted electronic
messages to provide the FSB with any information necessary to decrypt those
messages.  It's still unclear what information exactly online resources are
expected to turn over, given that all data on the Internet is encoded, one
way or another, and in many instances encryption keys for encrypted
information simply don't exist.

  [Long item pruned for RISKS.  PGN.  There's LOTS MORE as well:]
https://meduza.io/en/feature/2016/06/27/the-duma-s-new-big-brother-legislation-kills-russia-s-internet-companies-and-hurts-ordinary-web-users-here-s-how


SMOP / Time Edition

"Bob Frankston" <Bob19-0501@bobf.frankston.com>
30 Jun 2016 16:19:44 -0400
The continuing saga of corporations losing control due to relatively
straightforward software problems. It's not a new problem and is likely to
get much worse. In these series some examples of problems with the choice of
how to represent "time".

Now Southwest Can Act Like Other Airlines. Uh-Oh?

http://www.msn.com/en-us/money/companies/now-southwest-can-act-like-other-airlines-uh-oh/ar-AAhM9Qn?li=BBmkt5R

  "Red-eye flights. Southwest negotiated red-eye flying with its pilots in
  June 2012 but hasn't been able to take advantage of these overnight
  flights to the East Coast and Midwest. Technology has been the chief
  culprit,"

This reminds me of comments at a recent conference at about banks losing a
lot of money because they can't charge interest during a daylight saving
change because of the ambiguities in their time representations. The cost is
in the many millions of dollars.
http://sot2016.cfa.harvard.edu/

The leap second is another product of a naive choice of representation. The
minute is not fundamental. The precise calculations can be done using
seconds. So there is no reason to undefined the minute. We can simply rename
time zones every few centuries. The leap second is like Southwest solving
the red-eye problem by landing planes at the nearest airport at midnight
local time and then taking off again as another flight number rather than
having a representation not tied to the name of the day.


IRS hacked again—say goodbye to that PIN system! (Lisa Vaas)

Dewayne Hendricks <dewayne@warpspeed.com>
Tue, Jun 28, 2016 at 1:23 AM
  [Note: This item comes from reader Randall Head.  DLH]

Lisa Vaas, Naked Security, 27 Jun 2016

https://nakedsecurity.sophos.com/2016/06/27/irs-hacked-again-say-goodbye-to-that-pin-system/

In the wake of automated attacks speeding up, the US tax overlords—the
Internal Revenue Service (IRS)—has [sic] likewise sped up plans to
deep-six its repeatedly hacked PIN system.

The IRS on Thursday announced that it's removed its electronic filing PIN
tool (e-File PIN), formerly available on IRS.gov or by toll-free phone call,
following additional questionable activity.

Additional, as in, on top of 800 identity thefts that had already caused the
IRS to suspend the PIN system in March 2016 (though it told taxpayers who
already had an IP PIN at the time to continue to file their tax returns as
they normally would).

The e-File PIN, also known as the Identity Protection (IP) PIN, is a
supposedly special, strong form of two-factor authentication (2FA) meant to
protect taxpayers from ID fraud: a six-digit number that, oddly enough, the
US tax authority only sent to taxpayers who'd already been victimized.

Those PINs were for victimized taxpayers to include on future tax returns as
an extra layer of security, since cybercrooks had already stolen their
taxpayer IDs—i.e., their Social Security Numbers (SSNs).

The idea was that without a valid IP PIN, you couldn't login, even if you
were a crook armed with somebody's SSN.

Great! we said, as did the vast majority of readers. Why can't everybody get
one?

The problem with the PIN retrieval system, presumably, was that it used the
same knowledge-based authentication that led to last year's breach of the
agency's Get Transcript service: a service that allowed taxpayers to
retrieve details of their past tax returns.

Applicants had to answer four questions about themselves to get a number,
along the lines of "On which of the following streets have you lived" or
"What is your total scheduled monthly mortgage payment?"

But scammers can dig out, guess, or buy personal data like that online.
That can enable them to get the PIN, with which they then try to file a
bogus return.

Even before last year's Get Transcript breach, a report by the Government
Accountability Office pointed out the weaknesses in the PIN retrieval
system.

But for whatever reason, the IRS left it in place.

And along with that status quo came an increase, over recent years, in
automated attacks from crooks who've gone out of their way to get access to
innocent users' online tax submission accounts.

In February, we got wind of the thieves having struck again. This time, they
used a list of known SSNs to repeatedly try to access the IRS's Get My
Electronic Filing PIN portal.

At the time, the crooks were after the PINs corresponding to 464,000
previously stolen SSNs and other taxpayer data. The IRS blocked that
automated bot, but not before it had successfully grabbed 100,000
PINs. [...]


2-million-person terror database leaked online (SlashDot)

Werner <werneru@gmail.com>
Fri, 1 Jul 2016 16:40:29 +0200
  Posted by BeauHD, 30 Jun 2016, via The Stack:
<https://developers.slashdot.org/story/16/06/30/0255250/2-million-person-terror-database-leaked-online>

A 2014 version of the World-Check database containing more than 2.2 million
records of people with suspected terrorist, organized crime, and corruption
links has been leaked online.
<https://thestack.com/security/2016/06/29/2-million-person-terror-database-leaked-online/>

The World-Check database is administered by Thomson-Reuters and is used by
4,500 institutions, 49 of the world's 50 largest banks and by over 300
government and intelligence agencies.
<http://financial.thomsonreuters.com/content/dam/openweb/documents/pdf/governance-risk-compliance/fact-sheet/world-check-risk-screening-fact-sheet.pdf>

The unregulated database is intended for use as "an early warning system for
hidden risk" and combines records from hundreds of terror and crime suspects
and watch-lists into a searchable resource. Most of the individuals in the
database are unlikely to know that they are included, even though it may
have a negative impact on their ability to use banking services and operate
a business.

A Reddit user named Chris Vickery says he obtained a copy of the database,
<https://www.reddit.com/r/privacy/comments/4q840n/terrorism_blacklist_i_have_a_copy_should_it_be/>
...saying he won't reveal how until "a later time."
<https://www.rt.com/news/348874-world-check-database-leaked/> To access the
database, customers must pay an annual subscription charge, that can reach
up to $1 million, according to Vice,
<https://news.vice.com/article/vice-news-reveals-the-terrorism-blacklist-secretly-wielding-power-over-the-lives-of-millions>
...with potential subscribers then vetted before approval. Vickery says he
understands that the "original location of the leak is still exposed to the
public Internet" and that "Thomas Reuters is working feverishly to get it
secured." He told The Register...
<http://www.theregister.co.uk/2016/06/29/global_terror_database_worldcheck_leaked_online/?mt=1467196913211>
...that he alerted the company to the leak, but is still considering whether
to publish the information contained in it.


Security Issue at Redis Installations (RskBasedSecurity.com via SlashDot)

Werner <werneru@gmail.com>
Sun, 10 Jul 2016 16:12:30 +0200
[TANSTAFS—a corollary of TANSTAFL
  <There Ain't No Such Thing As a Free Lunch>]

Researchers Find Over 6,000 Compromised Redis Installations
<https://developers.slashdot.org/story/16/07/09/0448257/researchers-find-over-6000-compromised-redis-installations>
(Posted by EditorDavid on Saturday July 09, 2016)

An anonymous SlashDot reader wrote:

Security researchers have discovered over 6,000 compromised
installations of Redis,
<https://www.riskbasedsecurity.com/2016/07/redis-over-6000-installations-compromised/>
....the open source in-memory data structure server, among the tens of
thousands of Redis servers indexed by Shodan. "By default, Redis has no
authentication or security mechanism enabled, and any security
mechanisms must be implemented by the end user."

The researchers also found 106 different Redis versions compromised,
suggesting "there are a lot of Redis installations that are not
upgrading to the most recent versions to fix any known security issues."
5,892 infections were linked to the same email address, with two more
email addresses that were both linked to more than 200. "The key take
away from this research for us has been that insecure default
installations continue to be a significant issue, even in 2016."

EditorDavid commented:

Redis "is designed to be accessed by trusted clients inside trusted
environments," according to its documentation.
<http://redis.io/topics/security>

"This means that usually it is not a good idea to expose the Redis
instance directly to the Internet or, in general, to an environment
where untrusted clients can directly access the Redis TCP port or UNIX
socket... Redis is not optimized for maximum security but for maximum
performance and simplicity."


Food chain Wendy's hit by massive hack (Dave Lee)

Dewayne Hendricks <dewayne@warpspeed.com>
Fri, Jul 8, 2016 at 11:45 AM
  [Note:  This item comes from friend Jen Snow.  DLH]

Dave Lee, Food chain Wendy's hit by massive hack
Popular US food chain Wendy's has been hit by a massive cyber attack, the
company has confirmed.

Jul 8 2016
<http://www.bbc.com/news/technology-36742599>

The company reported suspicious activity earlier this year, but the scale
of the breach is far bigger than first anticipated.

At least 1,025 of its restaurants were targeted - with debit and credit
card information stolen.

The company did not speculate how many people may have been affected,
though it did say all of the locations were in the US.

Malware - malicious software - had been installed on point-of-sale systems
in the affected locations.

The chain said it was confident the threat had been removed, and was now
offering help to customers who may have been affected.

Help includes the offer of one year of "complimentary" fraud protection
services.

Suspicious activity

In a statement outlining the details of the attack, Wendy's said the
malware could have been operational in its restaurants from as early as
Autumn 2015.

Suspicious activity was noticed in February of this year. The company went
public with this discovery in May - saying it believed around 300
restaurants had been affected.

But with the number rising to more than 1,000, this hack ranks among one of
the most significant in US history.

The Wendy's hack bears some similarity to the attack on Target in 2013. In
that breach, around 40 million customers' details were stolen via malware
installed on point-of-sale computers.

Wendy's has blamed a third-party for the intrusion, saying a "service
provider" that had remote access to the till systems was compromised.

The company did not say who that service provider was, nor did it explain
why it had remote access to the tills of 1,025 of the firm's 5,700
restaurants.

[snip]

Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>


Why Twitter Can't Even Protect Tech CEOs From Getting Hacked (SlashDot)

Werner <werneru@gmail.com>
Fri, 1 Jul 2016 17:14:12 +0200
  (Posted by manishs on Friday July 01, 2016)
<https://it.slashdot.org/story/16/07/01/140242/why-twitter-cant-even-protect-tech-ceos-from-getting-hacked>

Over the past few weeks, we have seen a number of CEOs—including Google's
Sundar Pichai, and Facebook's Mark Zuckerberg—become victims of Twitter
hacks. One must ask, what's wrong with Twitter that so many people --
including high-profile names—keep getting hacked? BuzzFeed dives deep
into the problem, and says it's how Twitter interacts with third-party apps
that's at fault.
<https://www.buzzfeed.com/josephbernstein/why-twitter-cant-even-protect-tech-ceos-from-hacks>

>From the article:

Over the past several weeks, however, a three-person hacking team called
OurMine has made clear that years after the problem first came to light,
third-party authentication is still a security nightmare for Twitter. By
gaining access to apps with third-party write access, OurMine has been able
to post to the Twitter accounts of tech bigwigs like Facebook CEO Mark
Zuckerberg, Google CEO Sundar Pichai, and Uber CEO Travis Kalanick.  In
other words, whichever write-authorized app connected to your Twitter is
least secure is exactly how secure your Twitter account is. [...] The public
nature of Twitter, whose main point is to share information as quickly and
widely as possible, has made these attacks a much bigger issue for Jack
Dorsey's company than they are for Facebook. And there's very little Twitter
can do to solve the problem that doesn't defeat the incentives for
third-party writing privileges in the first place: Speed and
functionality. Adding layers of security—like an extra login—to access
Twitter through a third-party app defeats the purpose of speedy
cross-platform sharing. And disabling third-party writing would anger
developers and hurt engagement, a cost Twitter probably isn't willing to
bear.


Security researcher uncovers high-risk BIOS vulnerability in Lenovo PCs—yet again!! (The Tech Portal)

Lauren Weinstein <lauren@vortex.com>
Mon, 4 Jul 2016 13:06:34 -0700
http://thetechportal.com/2016/07/05/security-researcher-uncovers-high-risk-bios-vulnerability-lenovo-pcs/

  According to researcher Dmytro Oleksiuk aka Cr4sh, the erroneous code
  exploits the 0day privileges escalation vulnerability in Lenovo's
  BIOS. This bug allows users to exploit the flash write protection,
  disabling of UEFI Secure Boot, Virtual Secure Mode and Credential Guard on
  most Windows Enterprise powered Lenovo PCs. And this is just a small list
  of possible evil things that can be executed using this vulnerability.
  The vulnerability is present in most ThinkPad Series laptops, ranging from
  the newest T450s to the oldest X220s. The faulty firmware drivers seems to
  have been copy-and-pasted by the PC-manufacturer using data supplied by
  Intel. Though it is still uncertain whether the vulnerable code is
  available in the public, but it has already been detected in another HP
  laptop dating back to 2010.


Google Found Disastrous Symantec and Norton Vulnerabilities That Are 'As Bad As It Gets' (Fortune)

Lauren Weinstein <lauren@vortex.com>
Wed, 29 Jun 2016 08:27:40 -0700
http://fortune.com/2016/06/29/symantec-norton-vulnerability/

  Google's "project zero" team, a group of security analysts tasked with
  hunting for computer bugs, discovered a heap of critical vulnerabilities
  in Symantec and Norton security products.  The flaws allow hackers to
  completely compromise people's machines simply by sending them malicious
  self-replicating code through unopened emails or unclicked links.  The
  vulnerabilities affect millions of people who run the company's endpoint
  security and antivirus software, rather ironically to protect their
  devices.  Indeed, the flaws rendered all 17 enterprise products (Symantec
  brand) and eight consumer and small business products (Norton brand) open
  to attack.

    [Gene Wirchenko noted Charlie Osborne for Zero Day, ZDNet, 29 Jun 2016
http://www.zdnet.com/article/symantec-antivirus-product-bugs-as-bad-as-they-get/
    PGN]


You Can Now Browse Through 427 Million Stolen MySpace Passwords (SlashDot)

Werner <werneru@gmail.com>
Fri, 1 Jul 2016 17:18:05 +0200
 (Posted by manishs on Friday July 01, 201)
<https://it.slashdot.org/story/16/07/01/1437254/you-can-now-browse-through-427-millon-stolen-myspace-passwords>

Stan Schroeder, writing for Mashable:

An anonymous hacker managed to obtain an enormous number of user credentials
in June 2013 from fallen social networking giant MySpace—some 427 million
passwords, belonging to approx. 360 million users.
<https://it.slashdot.org/story/16/05/27/1845202/hackers-claim-to-have-427-million-myspace-passwords>

In May 2016, a person started selling that database of passwords on the dark
web.  Now, the entire database is available online for free.
<http://mashable.com/2016/07/01/myspace-password-database/#GxHE3Yw52mqx>

Thomas White, security researcher also known by the moniker "Cthulhu," put
the database up for download as a torrent file on his website, here.  "The
following contains the alleged data breach from MySpace dating back a few
years. As always, I do not provide any guarantees with the file and I leave
it down to you to use responsibly and for a productive purpose," he
wrote. The file is 14.2 GB in size; downloading it might take some time. It
is password-protected, but White made the password available on Twitter and
his site.


Home computers connected to the Internet aren't private—court ruling

Michael Winser <michaelw.net@gmail.com>
July 1, 2016 at 2:32:49 PM EDT
  [Via Dave Farber]

  [The usual pattern of using horrible defendants to create horrible
  precedents.  Not only does this ruling continue to chip away at personal
  privacy, it seems to also establish a precedent that computer security
  will always be ineffectual.  Michael Winser]

http://www.eweek.com/security/home-computers-connected-to-the-internet-arent-private-court-rules.html

A federal judge for the Eastern District of Virginia has ruled that the user
of any computer that connects to the Internet should not have an expectation
of privacy because computer security is ineffectual at stopping hackers.
The June 23 ruling came in one of the many cases resulting from the FBI's
infiltration of PlayPen, a hidden service on the Tor network that acted as a
hub for child exploitation, and the subsequent prosecution of hundreds of
individuals. To identify suspects, the FBI took control of PlayPen for two
weeks and used, what it calls, a "network investigative technique," or NIT's
program that runs on a visitor's computer and identifies their Internet
address.

Continues... http://www.eweek.com/security/home-computers-connected-to-the-internet-arent-private-court-rules.html>


Netherlands Gets First Nationwide 'Internet of Things' (SlashDot)

Werner <werneru@gmail.com>
Fri, 1 Jul 2016 16:01:16 +0200
  [Interesting Times...]

(Posted by BeauHD on Thursday June 30, 2016)
<https://tech.slashdot.org/story/16/06/30/208253/netherlands-gets-first-nationwide-internet-of-things>

The Netherlands has become the first country in the world to implement a
nationwide long-range (LoRa) network for the Internet of Things, says Dutch
telecoms group KPN on Thursday. "As from today the KPN LoRa network is
available throughout The Netherlands," KPN said in a statement. Phys.Org
reports: "The rollout of a low data rate (LoRa) mobile communications
network is critical to connect objects as many may not be able to link up
with home or work Wi-Fi networks to gain Internet access. The LoRa network
is complementary to KPN's networks for the 2G, 3G and 4G phones. KPN has
already reached deals to connect some 1.5 million objects, a number which
should steadily grow now that the LoRa network is available across the
country. Tests are being carried out at the Schiphol airport in Amsterdam --
one of Europe's busiest air hubs—for baggage handling. Meanwhile in the
Utrecht rail station an experiment is under way to allow LoRa to monitor
rail switches."


Another Installment from the Internet-of-Not-Very-Secure-Things: D-Link Escalation Hazard

"Bob Gezelter" <gezelter@rlgsc.com>
Fri, 08 Jul 2016 06:12:29 -0700
Internet enabled devices provide unprecedented ease-of-access. That access
is double edged. It makes remote management easier and more convenient; but
the existence of connectivity also provides malevolent actors new avenues
for attack.

* From the Senrio blog article:

"In today's age of constant connectivity the allure of remotely checking on
your home and loved ones is appealing and manufacturers of Wifi Cameras
promise a 'second set of eyes around the home or office.'  However, you may
not be the only one peeping in. The dangers of unsecured webcams and baby
monitors have been reported in 2014 with cautionary tales warning consumers
to change their default passwords. So that's the end of the story, right?
Adding a password will protect me from creepy strangers looking into my
home. Not so fast. Researchers at Senrio discovered a vulnerability in a
popular Wifi camera that lets attackers overwrite the administrator
password."

It is worth noting that more than twenty years ago, in the "Computer
Security Handbook, Third Edition" (1995, Wiley), I observed that firms
should place critical assets within walled compartments with access
controlled by firewalls, separating them from both the general
organizational intranet and the public Internet. What holds true for money
transfer, trading, and industrial control systems also holds true for baby
cams, refrigerators, and HVAC systems.

The ZDnet article can be found at:
http://www.zdnet.com/article/security-flaw-in-120-d-link-wi-fi-iot-products-can-be-exploited-with-one-click/

The underlying blog post is at:
http://blog.senr.io/blog/home-secure-home


"ACLU lawsuit challenges U.S. computer hacking law" (Grant Gross)

Gene Wirchenko <genew@telus.net>
Thu, 30 Jun 2016 11:21:46 -0700
Grant Gross, ComputerWorld, 29 Jun 2016
The Computer Fraud and Abuse Act limits online discrimination research, the
group says
http://www.computerworld.com/article/3089478/security/aclu-lawsuit-challenges-us-computer-hacking-law.html
selected text:

The American Civil Liberties Union on Wednesday filed a lawsuit challenging
a 30-year-old hacking-crimes law, saying the law inhibits research about
online discrimination.


How Sony, Microsoft, and Other Gadget Makers Violate Federal Warranty Law (SlashDot)

Werner <werneru@gmail.com>
Wed, 29 Jun 2016 20:49:16 +0200
(Posted by manishs on Tuesday June 28, 2016)
<https://hardware.slashdot.org/story/16/06/28/1559232/how-sony-microsoft-and-other-gadget-makers-violate-federal-warranty-law>

Reader citadrianne shares a Motherboard article:

There are big "no trespassing" signs affixed to most of our electronics.  If
you own a gaming console, laptop, or computer, it's likely you've seen one
of these warnings in the form of a sticker placed over a screw or a seam:
"Warranty void if removed." In addition, big manufacturers such as Sony,
Microsoft, and Apple explicitly note or imply in their official agreements
that their year-long manufacturer warranties—which entitle you to a
replacement or repair if your device is defective—are void if consumers
attempt to repair their gadgets or take them to a third party repair
professional. What almost no one knows is that these stickers and clauses
are illegal under a federal law passed in 1975 called the Magnuson-Moss
Warranty Act
<http://motherboard.vice.com/read/warranty-void-if-removed-stickers-are-illegal>

To be clear, federal law says you can open your electronics without voiding
the warranty, regardless of what the language of that warranty says.
<http://motherboard.vice.com/read/warranty-void-if-removed-stickers-are-illegal>


UK bill introduces 10 year prison sentence for online pirates

Lauren Weinstein <lauren@vortex.com>
Wed, 6 Jul 2016 09:43:38 -0700
NNSquad
https://torrentfreak.com/uk-bill-introduces-10-year-prison-sentence-for-online-pirates-160706/

  The UK Government's Digital Economy Bill, which is set to revamp current
  copyright legislation, has been introduced in Parliament. One of the most
  controversial changes is the increased maximum sentences for online
  copyright infringement.  Despite public protest, the bill increased the
  maximum prison term five-fold, from two to ten years.

Oscar Pistorius just received a sentence of about half that for murdering
his girlfriend.


"Google, Viacom win appeal in lawsuit over children's privacy" (Stephanie Condon)

Gene Wirchenko <genew@telus.net>
Wed, 29 Jun 2016 09:10:13 -0700
Stephanie Condon, ZDNet, Between the Lines, Jun 27 2016
In a setback for consumers seeking more privacy online, an appeals
court largely sided with Google and Viacom over their use of cookies
on a children's website.
http://www.zdnet.com/article/google-viacom-win-appeal-in-lawsuit-over-childrens-privacy/


Teen girl who texted friend to commit suicide must stand trial (Ars)

Lauren Weinstein <lauren@vortex.com>
Fri, 1 Jul 2016 14:15:20 -0700
via NNSquad
http://arstechnica.com/tech-policy/2016/07/teen-girl-who-texted-friend-to-commit-suicide-must-stand-trial/

  Massachusetts' top court ruled Friday that a teenager may stand trial on
  involuntary manslaughter charges in connection to text messages she sent
  urging her friend to commit suicide.  In a unanimous ruling, the Supreme
  Judicial Court said a local grand jury had enough probable cause to indict
  Michelle Carter in connection to the 2014 suicide of Carter Roy III, who
  was found dead about 50 miles south of Boston in a Fairhaven parking
  lot. Carter was 17 at the time of Roy's suicide, and she is accused of
  sending Roy several texts, including one saying "get back in" the day the
  18-year-old teen took his own life via carbon monoxide fumes inside his
  truck.

Very sad case, but clearly prosecutor overreach by a DA trying to make
a name for themselves.

  [Beware of giving advice—especially on social media and even e-mail.
  PGN]


"Firmware exploit can defeat new Windows security features on Lenovo ThinkPads" and "Nasty Lenovo UEFI exploit also affects products

Gene Wirchenko <genew@telus.net>
Tue, 05 Jul 2016 12:33:11 -0700
Lucian Constantin, PC World, 1 Jul 2016
Firmware exploit can defeat new Windows security features on Lenovo ThinkPads
The exploit targets a zero-day discovered in the UEFI firmware of ThinkPads
http://www.pcworld.com/article/3091104/firmware-exploit-can-defeat-new-windows-security-features-on-lenovo-thinkpads.html

opening text:

A newly released exploit can disable the write protection of critical
firmware areas in Lenovo ThinkPads and possibly laptops from other vendors
as well.

  and

Lucian Constantin, PC World, Jul 5 2016
Nasty Lenovo UEFI exploit also affects products from other vendors
The same critical vulnerability was found in the firmware of an HP
laptop and several Gigabyte motherboards.
http://www.pcworld.com/article/3091766/security/lenovo-thinkpwn-uefi-exploit-also-affects-products-from-other-vendors.html

opening text:

A critical vulnerability that was recently found in the low-level firmware
of Lenovo ThinkPad systems also reportedly exists in products from other
vendors, including HP and Gigabyte Technology.


"Android's full disk encryption can be brute-forced on devices with Qualcomm chips" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Tue, 05 Jul 2016 12:26:33 -0700
Lucian Constantin, 5 Jul 2016
Android smartphone makers can help law enforcement break full-disk
encryption on Qualcomm-based devices.
http://www.pcworld.com/article/3091091/security/android-full-disk-encryption-can-be-brute-forced-on-qualcomm-based-devices.html


Android Malware Pretends To Be WhatsApp, Uber and Google Play (SlashDot)

Werner <werneru@gmail.com>
Wed, 29 Jun 2016 21:49:07 +0200
(Posted by manishs on Wednesday June 29, 2016)
<https://it.slashdot.org/story/16/06/29/1519257/android-malware-pretends-to-be-whatsapp-uber-and-google-play>

itwbennett writes:

Security vendor FireEye said on Tuesday that malware that can spoof the
user interfaces of Uber, WhatsApp and Google Play...
<http://www.csoonline.com/article/3089498/data-breach/this-malware-pretends-to-be-whatsapp-uber-and-google-play.html>
...has been spreading through a phishing campaign over SMS. Once
downloaded, the malware, which has struck Android users in Denmark,
Italy and Germany, will create fake user interfaces on the phone as an
'overlay 's top of real apps. These interfaces ask for credit card
information and then send the entered data to the hacker.


Interview With An 'NSA Hacker' Published By The Intercept (SlashDot)

Werner <werneru@gmail.com>
Mon, 4 Jul 2016 22:11:21 +0200
<https://yro.slashdot.org/story/16/07/03/224256/interview-with-an-nsa-hacker-published-by-the-intercept>
(Posted by EditorDavid on Sunday July 03, 2016)

The Intercept published a 4,000 word article based on a journalist's
three-hour interview with an "NSA hacker"
<https://theintercept.com/2016/06/28/he-was-a-hacker-for-the-nsa-and-he-was-willing-to-talk-i-was-willing-to-listen/>
...who recently left the agency for a career in cybersecurity.  Offering a
portrait of life within the U.S. intelligence agency, "Lamb" says he worked
on "ridiculously cool projects that I'll never forget...  Technically
challenging things are just inherently interesting to me."

He's the author of some of the memos leaked by Edward Snowden about how the
NSA tries to identify Tor users or break into sys-admin accounts.  ("One of
his memos outlined the ways the NSA reroutes (or "shapes") the Internet
traffic of entire countries,
<https://www.documentcloud.org/documents/2919677-Network-Shaping-101.html>
and another memo was titled "I Hunt Sysadmins.")
<https://theintercept.com/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/>
"If you tell me, 'This can't be done,' I'm going to try and find a way to do
it."

EditorDavid comments: It's interesting that he ended one memo with "Current
mood: devious" and wrote in another that Tor "generally makes for sad
analysts". But in his interview, he warns that "There is no real safe,
sacred ground on the Internet. Whatever you do on the Internet is an attack
surface of some sort and is just something that you live with."


I just posted a note on the subject of Internet fragmentation

Karl Auerbach <karl@cavebear.com>
July 4, 2016 at 4:41:31 PM EDT
http://www.cavebear.com/cavebear-blog/internet_quo_vadis/

I perceive a rather different future than most.  Rather than seeing a future
in which there is a global Internet, I perceive a future in which we will
have a network of internets.  I use the phrase "islands and bridges" to
describe that future.

Because users of today use "Apps" they care little about the end-to-end
principle as applied to IP packets.  Thus the door has been opened to an
increasingly intense use of walled gardens that are connected to "the
dangerous outside" by portals tuned to allow only traffic from certain Apps.
It is not a big step for those walled gardens (such as China or Facebook) to
harden the walls and intensify the portals so that they become essentially
private Internets.

Each of these Internets could, if it chooses, have its own entire IPv4/6
address space, its own DNS, its own everything.  These rather explicit
islands would be connected by equally explicit, and highly controlled,
bridges created using application-level-gateway, also sometimes called
"proxy" techniques.

The forces that are pushing us in these directions are strong: security
fears, nationalism, culturalism, national security interests in channeling
traffic so that it may be observed, commercial interests in channeled
traffic so that it may be regulated and subject to fees, etc.


Researchers Sue the Government Over Computer Hacking Law

Lauren Weinstein <lauren@vortex.com>
Wed, 29 Jun 2016 08:25:21 -0700
*WiReD* via NNSquad
https://www.wired.com/2016/06/researchers-sue-government-computer-hacking-law/

  But four academic researchers who specialize in uncovering algorithmic
  discrimination say that a decades-old federal anti-hacking statute is
  preventing them from doing work to detect such discrimination. They say a
  provision of the Computer Fraud and Abuse Act could be used to criminally
  prosecute them for research that involves scraping publicly available data
  from these sites or creating anonymous user accounts on them, if the
  sites's terms of service prohibit this activity.  The researchers, along
  with First Look Media Works, which publishes The Intercept, filed a
  lawsuit today against the Justice Department, asserting that opening fake
  profiles to pose as job and housing seekers constitutes speech and
  expressive activity that is protected under the First Amendment. They
  further argue that because sites can change their terms of service at any
  time without informing visitors, this can suddenly turn any speech or
  activity on the site into a criminal act--a violation, they say, of the
  Fifth Amendment right to due process, which requires proper notice to the
  public of what constitutes criminal behavior.

Please report problems with the web pages to the maintainer

Top