The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 73

Tuesday 29 August 2016

Contents

World's biggest aircraft crashes on landing
*The Guardian*
Russia's Powerful Weapon to Hurt Rivals: Falsehoods
Neil MacFarquhar
Good thing this wasn't one of those nuclear bomb/EMP detectors...
danny burstein
"U.S. convicts Russian hacker in credit card theft scheme"
Michael Kan
Russian hackers breached a computer used by county elections officials in Arizona, a state official said
WashPost
FL state election officials deny problems even as databases are hacked
PGN
Fundamental flaw in neuroscience research
Kate Murphy
Self-Driving Cars don't care about your moral dilemmas
Alex Hern and *Science* via WU
They really did remove the streets from Google Maps
Dan Jacobson
How to shut down a 911 center? Hit the off button
NBC News
4 decades after a computer in the Bay Area connected to one in Boston, the effect of The Internet on our lives is hard to overstate
Jessica Floum
"Medical device security disclosure ignites an ethics firestorm"
Michael Kan
"New collision attacks against triple-DES, Blowfish break HTTPS sessions"
Fahmida Y. Rashid
DC 911 Outage Caused by Contractor Hitting Emergency Shutoff Button
NBC
Researchers use Excel to mangle gene names into dates
GenomeBiology via Patrick O'Beirne
"Baltimore cops using private company's aerial cameras to conduct secret surveillance"
Computerworld
Microsoft's maps lost Melbourne because it used bad Wikipedia data
Gabriel Goldberg
"Unauthorized, mislabeled Microsoft support tool leaks; could cause more trouble than it cures"
Ed Bott
"Fake resumes, jobs, lead to real guilty plea in H-1B fraud case"
Patrick Thibodeau
Apple patents technique for grabbing iPhone thieves' fingerprints and photo
Adrian Kingsley-Hughes
"The Dirt" about iOS 9.3.5
ZDnet
GozNym Trojan spreads to attack German banks
Charlie Osborne
"Is your Android phone being controlled by a rogue Twitter account? Botnet is first to receive commands via tweets"
ZDnet
Inside Facebook's (Totally Insane, Unintentionally Gigantic, Hyperpartisan) Political-Media Machine
NYTimes
Parking garage makes it easier for stalkers
Jeremy Epstein
Opera resets passwords after sync server hacked
Zack Whittaker
More Airline Outages Seen As Carriers Grapple With Aging Technology
Reuters via SlashDot
Re: Airlines' reservation systems
John Levine
Jeff S. Jonas
Re: Excel garbles microarray experiment data
Joe Loughry
Re: "When Hiding Passwords Is Stupid—or Worse!"
Don Norman
Re: Why you *still* can't trust password strength meters
Barry Gold
Re: Sleep 'resets' brain connections crucial for memory and learning
Jeff S. Jonas
Re: "Smart Power Outlets"
Peter Bernard Ladkin
Al Mac
Info on RISKS (comp.risks)

World's biggest aircraft crashes on landing

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 26 Aug 2016 10:10:21 PDT
The world's largest aircraft—part-plane, part-airship—crashes in
Bedfordshire.  Airlander 10 sustains damage but no one is injured on landing in
fields at Cardington airfield in the UK, ending its second test flight.

<https://www.theguardian.com/uk-news/2016/aug/24/worlds-biggest-aircraft-crashes-bedfordshire-airlander-10>
<https://www.theguardian.com/world/air-transport>
<https://www.theguardian.com/world/video/2016/aug/24/worlds-largest-aircraft-crashes-during-test-flight-airlander-10-cardington-video>


Russia's Powerful Weapon to Hurt Rivals: Falsehoods (Neil MacFarquhar)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 29 Aug 2016 14:14:04 PDT
Neil MacFarquhar, *The New York Times*, 29 Aug 2016
Spreading Disinformation to Sow Doubt, Fear and Discord in Europe and U.S.

  With a vigorous national debate underway on whether Sweden should enter a
  military partnership with NATO, officials in Stockholm suddenly
  encountered an unsettling problem: a flood of distorted and outright false
  information on social media, confusing public perceptions of the issue.
  ... The claims were all false, but the disinformation had begun spilling
  into the traditional news media.

Disinformation has always been a remarkably effective weapon.  However, we
may now be getting to an era of disInformation Science and the Practice of
disInformation Theory.  disEntropy as a disEase?  disMalWare?  There's no
disPutin' disInformation?  PGN


Good thing this wasn't one of those nuclear bomb/EMP detectors...

danny burstein <dannyb@panix.com>
Thu, 25 Aug 2016 16:54:53 -0400 (EDT)
[Russia Today, but for a UK story that's nonpolitical]

  Lawnmower accidentally triggers Northern Lights alert

Stargazers in the UK were left disappointed after a "Red Alert" was
accidentally sent claiming the Northern Lights would be visible, only to
learn a lawnmower had triggered the alert.

After a sensor at Lancaster University recorded a surge in geomagnetic
activity on Tuesday, subscribers to the Aurora Watch UK mailing list
received the auto-generated alert. [...]

[It turned out...] that a university staff member had been using "a sit-on
mower" and, after driving close to the sensor, the mower's electric motor
triggered a spike in activity, resulting in the automatic alert being issued.

https://www.rt.com/viral/357214-lawnmower-northern-lights-alert/


"U.S. convicts Russian hacker in credit card theft scheme" (Michael Kan)

Gene Wirchenko <genew@telus.net>
Fri, 26 Aug 2016 11:58:13 -0700
Michael Kan, PC World, 25 Aug 2016
U.S. authorities accused Roman Seleznev of installing malware on
point-of-sale systems

http://www.pcworld.com/article/3112867/legal/us-convicts-russian-hacker-in-credit-card-theft-scheme.html

selected text:

Jurors in a U.S. federal court have convicted a Russian hacker of stealing
and selling more than 2-million credit-card numbers.

Testimony at his trial revealed that Seleznev's scheme defrauded US$169
million from 3,700 financial institutions, the U.S. Secret Service said in a
statement.

Seleznev was convicted on 38 counts, including wire fraud, intentional
damage to a computer and identity theft. He will be sentenced in December
and could face decades in prison and millions of dollars in fines.

Seleznev has also been charged in separate cases in Nevada and Georgia
involving racketeering and bank fraud.


Russian hackers breached a computer used by county elections officials in Arizona, a state official said

Lauren Weinstein <lauren@vortex.com>
Mon, 29 Aug 2016 17:05:58 -0700
*The Washington Post* via NNSquad
https://www.washingtonpost.com/world/national-security/fbi-is-investigating-foreign-hacks-of-state-election-systems/2016/08/29/6e758ff4-6e00-11e6-8365-b19e428a975e_story.html

  Hackers targeted voter registration systems in Illinois and Arizona, and
  the FBI alerted Arizona officials in June that Russian hackers were behind
  the assault on the election system in that state.  The bureau told Arizona
  officials that the threat was "credible" and severe, ranking as "an 8 on a
  scale of 1 to 10," said Matt Roberts, a spokesman for the secretary of
  state's office.  As a result, Secretary of State Michele Reagan shut down
  the state voter registration system for almost a week.


FL state election officials deny problems even as databases are hacked

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 29 Aug 2016 17:08:16 PDT
Absentee Ballot Fraud - The Huffington Post
http://www.huffingtonpost.com/news/absentee-ballot-fraud/

Congressman Joe Garcia's former chief of staff will head to jail for
orchestrating a fraudulent, online absentee-ballot request scheme during
last year's election.

Ex-aide to Miami Rep. Joe Garcia to head to jail in
http://www.miamiherald.com/news/local/community/miami-dade/article1956526.html


Fundamental flaw in neuroscience research (Kate Murphy)

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 28 Aug 2016 10:54:17 PDT
Kate Murphy's *Do You Believe in God, or Is That a Software Glitch?* (*The
New York Times* Sunday Review, 28 Aug 2016) considers the National Academies
of Science report on their study of faulty analyses of fMRI data.  "The
glitch can cause false positives—suggesting brain activity where there is
none—up to 70 percent of the time."  [This issue has been discussed
previously in RISKS-29.60,63,64.]
http://www.nytimes.com/2016/08/28/opinion/sunday/do-you-believe-in-god-or-is-that-a-software-glitch.html

The article also considers the needs for transparency and reproducibility.
Anders Eklund (Linköping, Sweden, and a co-author of the NAS report) is
quoted: "If we don't have access to the data, we cannot say if studies
are wrong.  Finding errors is how scientific fields evolve.  This is how
science gets done."


Self-Driving Cars don't care about your moral dilemmas

Werner U <werneru@gmail.com>
Sat, 27 Aug 2016 09:50:40 +0200
  [Two articles by Alex Hern in *The Guardian*, 22 Aug 2016, refer to a 24
  June report in *Science*.  Starkly PGN-abridged]

*The social dilemma of autonomous vehicles*
<http://science.sciencemag.org/content/352/6293/1573> (*Science*, Vol.352
Issue 6293, 24 June 2016, pay-walled)

  ABSTRACT—Autonomous vehicles (AVs) should reduce traffic accidents, but
  they will sometimes have to choose between two evils, such as running over
  pedestrians or sacrificing themselves and their passenger to save the
  pedestrians. Defining the algorithms that will help AVs make these moral
  decisions is a formidable challenge. We found that participants in six
  Amazon Mechanical Turk studies approved of utilitarian AVs (that is, AVs
  that sacrifice their passengers for the greater good) and would like
  others to buy them, but they would themselves prefer to ride in AVs that
  protect their passengers at all costs. The study participants disapprove
  of enforcing utilitarian regulations for AVs and would be less willing to
  buy such an AV. Accordingly, regulating for utilitarian algorithms may
  paradoxically increase casualties by postponing the adoption of a safer
  technology.  [...]

Alex Hern, *The Guardian*, 22 Aug 2016
If the age of self-driving cars is upon us, what's keeping them off the
roads?
<https://www.theguardian.com/technology/2016/aug/22/google-x-self-driving-cars>

As Google and Uber trial prototypes, the future of fully driverless cars and
safer roads should come sooner than anyone thought—but they're in no mood
to rush.

Alex Hern, *The Guardian*, 22 Aug 2016
Self-driving cars don't care about your moral dilemmas
<https://www.theguardian.com/technology/2016/aug/22/google-x-self-driving-cars>

Would it be better to hit a granny or swerve to hit a toddler? It seems like
a dilemma, but the designers of self-driving cars say otherwise.
As self-driving cars move from fiction to reality, a philosophical problem
has become the focus of fierce debate among technologists across the world.
But to the people actually making self-driving cars, it's kind of boring.


They really did remove the streets from Google Maps

Dan Jacobson <jidanni@jidanni.org>
Sat, 27 Aug 2016 19:34:14 +0800
Who would have ever guessed Google would remove the streets from its maps?
https://productforums.google.com/forum/#!topic/maps/FdRFH9SLjos

I thought it was my graphics card on the fritz. Yes they really made the
streets so white, you can't see them anymore. It's sort of like no longer
being able to tell a five dollar bill from a ten dollar bill—you would
never expect it to happen. Just makes China seem so much wiser, not allowing
its populace to get over-dependent on Google products.


How to shut down a 911 center? Hit the off button (NBC News)

danny burstein <dannyb@panix.com>
Mon, 29 Aug 2016 15:13:32 -0400 (EDT)
DC 911 Outage Caused by Contractor Hitting Emergency Shutoff Button,
Officials Say

The District's 911 system went down for 90 minutes over the weekend because
a plumbing contractor hit an all-stop emergency shutoff button, officials
said Monday.

http://www.nbcwashington.com/news/local/DC-911-Outage-Caused-by-Contractor-Hitting-Emergency-Shutoff-Button-Officials-Say-391634231.html


4 decades after a computer in the Bay Area connected to one in Boston, the effect of The Internet on our lives is hard to overstate

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 27 Aug 2016 13:21:18 PDT
[Source: Jessica Floum, [lower-case the] *San Francisco Chronicle*, 27 Aug
2016, PGN-ed]

Forty years ago today, SRI's Don Nielson's team drove the van (which
recently was celebrated at the Computer History Museum) to Rossotti's (the
Alpine Inn Beer Garden) in Portola Valley, California, and hooked up a wired
connection from the van to a computer on a picnic table, and then wirelessly
were able to connect to SRI and onto The Internet.  Don wrote in an e-mail,
"It is nice to see the event noted, but the capital-I Internet is so very
much more."  Today we celebrate the fortieth anniversary of the first
wireless connection to The Internet, for better (mostly) and for worse
(spam, ransomware, malware distribution, etc.)

I'm delighted that the *Chronicle* [whose masthead says *San Francisco
Chronicle*, without the definite article—even though it is not the *only*
institution of that name.  We also note that we cannot refer to the SF
Chronicle, because there is also a Science Fiction Chronicle.] quotes Don
Nielson on the "capital-I Internet" and itself resists the slide into
nonuniqueness of other media.

Without The Internet, RISKS would not exist, and even if it did exist, a
rather large number of the computer-related risks cases would not have
existed.  So, kudos for Don Nielson for his role in creating the wireless
Internet era.  PGN


"Medical device security disclosure ignites an ethics firestorm" (Michael Kan)

Gene Wirchenko <genew@telus.net>
Mon, 29 Aug 2016 12:12:29 -0700
Michael Kan, ComputerWorld, 29 Aug 2016
Security firm Medsec tried to use its research findings to drive down
the stock of St. Jude Medical
http://www.computerworld.com/article/3113385/security/medical-device-security-ignites-an-ethics-firestorm.html

opening text:

One security research company is taking a controversial approach to
disclosing vulnerabilities: It's publicizing the flaws as a way to tank a
company's stock.


"New collision attacks against triple-DES, Blowfish break HTTPS sessions" (Fahmida Y. Rashid)

Gene Wirchenko <genew@telus.net>
Fri, 26 Aug 2016 09:29:28 -0700
Fahmida Y. Rashid, InfoWorld, 25 Aug 2016
Legacy ciphers such as triple-DES and Blowfish are vulnerable to Sweet32
attacks, which let attackers decrypt HTTPS sessions even without the
encryption key
http://www.infoworld.com/article/3112324/security/new-collision-attacks-against-triple-des-blowfish-break-https-sessions.html

selected text:

There is now a practical, relatively fast attack on 64-bit block ciphers
that lets attackers recover authentication cookies and other credentials
from HTTPS-protected sessions, a pair of French researchers said. Legacy
ciphers Triple-DES and Blowfish need to go the way of the broken RC4 cipher:
Deprecated and disabled everywhere.

"We show that a network attacker who can monitor a long-lived Triple-DES
HTTPS connection between a web browser and a website can recover secure HTTP
cookies by capturing around 785GB of traffic. In our proof-of-concept demo,
this attack currently takes less than two days, using malicious JavaScript
to generate traffic," said Bhargavan and Leurent. They are expected to
present the full paper in October at the 23rd ACM Conference on Computer and
Communications Security.
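The attack quoted above rests on two facts: the birthday bound for a 64-bit block (after roughly 2^32 blocks a repeated ciphertext block is likely), and a property of CBC, where C_i = E_k(P_i xor C_{i-1}); since E_k is a permutation, C_i == C_j implies P_i xor C_{i-1} = P_j xor C_{j-1}, so one known plaintext block exposes a secret one. The following is an added example, not code from the InfoWorld article or from Bhargavan and Leurent. It uses a seeded 16-bit toy permutation in place of a real cipher (an assumption, chosen so the collision appears after a few thousand blocks rather than tens of gigabytes) and assumes the attacker knows which ciphertext positions hold the secret block and which hold blocks they chose, as the JavaScript-driven request pattern in the paper provides. The birthday arithmetic is computed for the real block sizes.

```python
"""Added example (not from the InfoWorld article or the Sweet32 paper): CBC
ciphertext collisions leaking a secret block, plus the birthday arithmetic that
makes 64-bit block ciphers fragile. BLOCK_BITS = 16 is a toy size so the demo
runs in a moment; the real-world numbers come from birthday_blocks(64)."""
import math
import random

BLOCK_BITS = 16          # toy size; Triple-DES and Blowfish use 64, AES 128
MASK = (1 << BLOCK_BITS) - 1


def birthday_blocks(block_bits, p=0.5):
    """Blocks needed before P[some two ciphertext blocks collide] reaches p."""
    return math.sqrt(2 * 2.0 ** block_bits * math.log(1.0 / (1.0 - p)))


def collision_probability(block_bits, n_blocks):
    """P[at least one collision] among n_blocks random block_bits-bit blocks."""
    return -math.expm1(-(float(n_blocks) ** 2) / (2 * 2.0 ** block_bits))


def make_toy_cipher(seed):
    """A keyed permutation on BLOCK_BITS-bit blocks standing in for E_k (assumption)."""
    table = list(range(1 << BLOCK_BITS))
    random.Random(seed).shuffle(table)
    return lambda x: table[x]


def cbc_encrypt(enc, iv, blocks):
    out, prev = [], iv
    for p in blocks:
        prev = enc(p ^ prev)      # C_i = E_k(P_i xor C_{i-1})
        out.append(prev)
    return out


def recover_secret(iv, ct, secret_positions, known):
    """known maps ciphertext position -> plaintext block the attacker chose.
    A collision C_i == C_j with i secret and j known gives
    P_i = P_j xor C_{i-1} xor C_{j-1}, because E_k is a permutation."""
    prev = lambda i: iv if i == 0 else ct[i - 1]
    known_by_ct = {}
    for j in known:
        known_by_ct.setdefault(ct[j], []).append(j)
    for i in secret_positions:
        for j in known_by_ct.get(ct[i], []):
            return known[j] ^ prev(i) ^ prev(j)
    return None


def demo(n_requests=2048, seed=7):
    """Constructed traffic: each request is one attacker-chosen block followed
    by the same secret block, the way repeated HTTPS requests carry a cookie.
    Expected secret/known collisions: n_requests^2 / 2^BLOCK_BITS, here 64."""
    rng = random.Random(seed)
    enc = make_toy_cipher(seed)
    secret = rng.randrange(1 << BLOCK_BITS)
    iv = rng.randrange(1 << BLOCK_BITS)
    blocks, secret_positions, known = [], [], {}
    for r in range(n_requests):
        known[len(blocks)] = r & MASK
        blocks.append(r & MASK)
        secret_positions.append(len(blocks))
        blocks.append(secret)
    ct = cbc_encrypt(enc, iv, blocks)
    return secret, recover_secret(iv, ct, secret_positions, known)


if __name__ == "__main__":
    secret, found = demo()
    print("secret", hex(secret), "recovered", None if found is None else hex(found))
    n64 = birthday_blocks(64)
    print(f"64-bit blocks: {n64:.3g} blocks, about {n64 * 8 / 1e9:.0f} GB, "
          f"for a 50% chance of some collision")
```

birthday_blocks(64) is about 5e9 blocks, roughly 40 GB of ciphertext, for a 50% chance that any two blocks collide; the paper's 785 GB figure is larger because a useful collision has to pair the cookie block with a known block, not any two blocks. For a 128-bit block cipher the same bound is around 2e19 blocks, which is why the remedy is to disable Triple-DES and Blowfish rather than to tune them.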


DC 911 Outage Caused by Contractor Hitting Emergency Shutoff Button, Officials Say

Gabe Goldberg <gabe@gabegold.com>
Mon, 29 Aug 2016 15:00:59 -0400
The District's 911 system went down for 90 minutes over weekend
<http://www.nbcwashington.com/news/local/Officials-Internal-Power-Failure-Led-to-DC-911-Outage-391533041.html>
because a plumbing contractor hit an all-stop emergency shutoff button,
officials said Monday.

The city's 911 system stopped working Saturday night after 11 p.m. It was
back in service by about 1 a.m., said officials, including Mayor Muriel
Bowser, who tweeted updates during the outage.

The contractor who hit the button at D.C.'s 911 call center was looking for
a plumbing leak that threatened highly sensitive equipment.

D.C. emergency officials plan to add more security and signage to limit
access to the button involved in the outage.

  The risk? Too rare use of signs saying DO NOT PRESS THIS BUTTON. Or,
  perhaps, having plumbing near sensitive equipment.


Researchers use Excel to mangle gene names into dates

"Patrick O'Beirne" <obeirne.p.r@gmail.com>
Mon, 29 Aug 2016 18:01:03 +0100
http://genomebiology.biomedcentral.com/articles/10.1186/s13059-016-1044-7
Gene name errors are widespread in the scientific literature.  Mark
Ziemann, Yotam Eren and Assam El-Osta, *Genome Biology* 2016, 17:177,
DOI: 10.1186/s13059-016-1044-7, published 23 August 2016.

They provide their data sources.  They wrote scripts to trawl through
published papers on genetics which had data files attached, and checked
those files for data errors. They screened 35,175 supplementary Excel files
and confirmed gene name errors in 987 supplementary files from 704 published
articles in 18 journals.  Linear-regression estimates show gene name errors
in supplementary files have increased at an annual rate of 15 % over the
past five years, outpacing the increase in published papers (3.8 % per
year).  "In conclusion, we show that inadvertent gene name conversion
errors persist in the scientific literature, but these should be easy to
avoid if researchers, reviewers, editorial staff and database curators
remain vigilant."

The root problem is that the researchers who uploaded those files *never*
checked them.

There is a paper about the problem from 2004 which also shows the problem
with Gene names being turned into dates. See
https://bmcbioinformatics.biomedcentral.com/articles/10.1186/1471-2105-5-80
So 12 years after the paper was published, geneticists still have not
learned how to solve the problem.

I've published a blog post explaining how to detect and prevent the error.
https://sysmod.wordpress.com/2016/08/28/excel-gene-mutation-and-curation/

Patrick O'Beirne, Systems Modelling Ltd, XLTest Spreadsheet Auditing
http://XLTest.com   mob:+353 86 835 2233 .
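The conversions the paper describes (SEPT2 becoming 2-Sep, MARCH1 becoming 1-Mar, RIKEN identifiers such as 2310009E13 becoming a floating-point number) leave a recognisable fingerprint in the damaged column, which is what a curation check can look for. The following is an added example, not code from the Genome Biology paper or from the XLTest blog post. The regexes and the excel_autoconvert() function are this example's own simplified model of the conversions; Excel's real type guessing is locale-dependent and is not reproduced here. The sample gene column is constructed.

```python
"""Added example: flag gene-symbol cells that Excel's default 'General' format
has silently rewritten. Not from the Genome Biology paper or the XLTest blog;
the regexes and excel_autoconvert() are this example's own simplified model
(assumption) of the conversions the paper reports."""
import datetime
import re

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
MONTH_NUM = {m.upper(): i + 1 for i, m in enumerate(MONTHS)}

# Symbols Excel reads as a day-month date: SEPT2 -> 2-Sep, MARCH1 -> 1-Mar, DEC1 -> 1-Dec
_DATE_LIKE_GENE = re.compile(
    r"^(JAN|FEB|MAR|MARCH|APR|MAY|JUN|JUL|AUG|SEP|SEPT|OCT|NOV|DEC)(\d{1,2})$")
# RIKEN clone identifiers such as 2310009E13 are read as scientific notation
_RIKEN_LIKE = re.compile(r"^\d+E\d+$")

# What a damaged cell looks like once it has been written back out as text
_MANGLED_DATE = re.compile(
    r"^\d{1,2}-(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)$")
_MANGLED_FLOAT = re.compile(r"^\d\.\d+E\+\d+$")


def excel_autoconvert(cell: str) -> str:
    """Toy model (assumption) of the type guessing that damages a gene column."""
    m = _DATE_LIKE_GENE.match(cell.upper())
    if m:
        prefix, day = m.groups()
        if 1 <= int(day) <= 31:
            return f"{int(day)}-{MONTHS[MONTH_NUM[prefix[:3]] - 1]}"
    if _RIKEN_LIKE.match(cell):
        return f"{float(cell):.2E}"   # 2310009E13 parsed as a float -> 2.31E+19
    return cell


def find_mangled(cells):
    """Return [(index, value, kind)] for cells that look like Excel damage.
    Damage is flagged, not repaired: '2-Sep' could have been SEPT2 or SEP2 and
    '2.31E+19' has lost digits, so the original cannot be rebuilt from the cell."""
    hits = []
    for i, v in enumerate(cells):
        if isinstance(v, (datetime.date, datetime.datetime)):
            hits.append((i, v, "date"))   # what a date-formatted .xlsx cell reads back as
            continue
        s = str(v).strip()
        if _MANGLED_DATE.match(s):
            hits.append((i, s, "date"))
        elif _MANGLED_FLOAT.match(s):
            hits.append((i, s, "float"))
    return hits


# Constructed sample column, as it might appear in a supplementary table
SAMPLE_GENES = ["TP53", "SEPT2", "MARCH1", "BRCA1", "2310009E13", "DEC1"]


def demo():
    """Damage the sample column with the toy model, then run the check over it."""
    damaged = [excel_autoconvert(g) for g in SAMPLE_GENES]
    return damaged, find_mangled(damaged)


if __name__ == "__main__":
    damaged, hits = demo()
    print(damaged)
    for idx, value, kind in hits:
        print(f"row {idx}: {value!r} looks like a {kind}, not a gene symbol")
```

The check belongs at upload and review time, run over the gene-symbol column of every supplementary table; anything it flags has already lost information, so the fix is to re-export from the original data with the column typed as text.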


"Baltimore cops using private company's aerial cameras to conduct secret surveillance" (Computerworld)

Gene Wirchenko <genew@telus.net>
Thu, 25 Aug 2016 10:46:55 -0700
Computerworld, 24 Aug 2016
A Cessna equipped with cameras is flying over Baltimore to conduct
unblinking surveillance likened to 'Google Earth with TiVo' capabilities.
http://www.computerworld.com/article/3112006/security/baltimore-cops-using-private-companys-aerial-cameras-to-conduct-secret-surveillance.html


Microsoft's maps lost Melbourne because it used bad Wikipedia data

Gabe Goldberg <gabe@gabegold.com>
Sun, 28 Aug 2016 23:16:05 -0400
Bing Maps relies on Wikipedia? Even a bit? Umm, guys, you do know anyone can
edit it?

We've got a screenshot of the Tweets above in case someone /ahem/ decides to
delete them.  <https://regmedia.co.uk/2016/08/23/wikipedia_tweets.jpg>

Deletion may be an option because our exploration of the Wikipedia page for
Melbourne suggests it had the correct co-ordinates back in February 2012. So
there you have it: Bing Maps sometimes relies on Wikipedia data. That data
can be edited by anyone and is therefore often contentious.

As commenters pointed out in Sunday's story on this mess, Microsoft's motto
was once "Where do you want to go today?"  If your answer was Melbourne,
you probably ended up using Linux.

http://www.theregister.co.uk/2016/08/23/microsoft_lost_a_city_because_it_used_bad_wikipedia_data/

Gabriel Goldberg, Computers and Publishing, Inc.  gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042   (703) 204-0433


"Unauthorized, mislabeled Microsoft support tool leaks; could cause more trouble than it cures" (Ed Bott)

Gene Wirchenko <genew@telus.net>
Thu, 25 Aug 2016 10:32:06 -0700
Ed Bott, ZDnet, 19 Aug 2016
Several mainstream tech sites this week published details of a purported new
Microsoft support tool designed to fix problems with the Windows 10
Anniversary Update. After some digging, I can report that it is no such
thing. My advice: Stay far away from this "Windows Self Healing Tool."
http://www.zdnet.com/article/unauthorized-mislabeled-microsoft-support-tool-leaks-could-cause-more-trouble-than-it-cures/

selected text:

  If you want to be a Windows expert, one of the most important lessons to
  learn is skepticism. Whenever someone claims to have a magic fix-it tool
  or a MakeRocketShipGoFast registry tweak, you should keep it away from any
  system you care about until you can confirm it does what it says it does.

In my experience, those claims rarely turn out to be true.

The trouble is, this tool was built for internal use by support techs trying
to resolve update issues on Surface devices. It was never authorized for
general release, and it does far too much to be unleashed on an unsuspecting
public with no documentation.

One engineer who looked closely at what this utility was doing called it "a
sledgehammer." Another support rep who also examined how it works was
reportedly "frightened by some of the things this is doing."


"Fake resumes, jobs, lead to real guilty plea in H-1B fraud case" (Patrick Thibodeau)

Gene Wirchenko <genew@telus.net>
Fri, 26 Aug 2016 11:53:14 -0700
Patrick Thibodeau, *Computerworld*, 26 Aug 2016
http://www.computerworld.com/article/3113032/h1b/fake-resumes-jobs-lead-to-real-guilty-plea-in-h-1b-fraud-case.html

opening text:

A Virginia couple has pled guilty to H-1B fraud charges in a scheme that
made them millions, the U.S. Department of Justice announced Thursday.


Apple patents technique for grabbing iPhone thieves' fingerprints and photo (Adrian Kingsley-Hughes)

Werner U <werneru@gmail.com>
Sun, 28 Aug 2016 17:48:06 +0200
Adrian Kingsley-Hughes, AppleInsider via ZDnet, Aug 26

http://www.zdnet.com/article/apple-patents-technique-for-grabbing-iphone-thieves-fingerprints-and-photo/

Apple has submitted a patent application for using the iPhone's (or iPad's)
Touch ID module, camera, and other sensors to grab information about whoever
is using the device...

The patent is called "biometric capture for unauthorized user
identification" (spotted by *AppleInsider*
<http://appleinsider.com/articles/16/08/25/future-iphones-might-collect-fingerprints-photos-of-thieves>)
and covers how an iOS device could be turned into a surveillance device
capable of capturing, storing, and even transmitting information on the
person using it following the receipt of a signal to do so, or after a
number of unauthorized use attempts have been made.

That information could be fingerprints, photos, video, and audio, as well
as other undisclosed forensic information (perhaps location information and
whether the device is moving or not).


"The Dirt" about iOS 9.3.5

Werner U <werneru@gmail.com>
Mon, 29 Aug 2016 17:36:15 +0200
(Lookout and Citizen Lab blog posts as reported on ZDnet, Aug 25)
http://www.zdnet.com/article/apple-releases-important-security-update-for-iphone-after-malware-found/

Apple has released a security fix for iPhones and iPads following the
discovery of malware targeting the platform that was found circulating in
the Middle East.

The patches fix three vulnerabilities (dubbed "Trident" by security firm
Lookout)...  <https://blog.lookout.com/blog/2016/08/25/trident-pegasus/>
... which could be used to access the device's location, read contacts,
texts, calls, and emails, as well as turn on the device's microphone.

The company said that the spyware that exploited the vulnerabilities was
developed by an Israel-based company specializing in zero-day exploits.
Citizen Lab explained in a blog post...
https://deibert.citizenlab.org/2016/08/disarming-a-cyber-mercenary-patching-apple-zero-days/
...that it had uncovered an operation by the security services of the United
Arab Emirates to try to get into the iPhone of a renowned human rights
defender, Ahmed Mansoor.  The Canada-based security lab said that the UAE,
which has long been criticized for its poor human rights record...
https://www.hrw.org/world-report/2015/country-chapters/united-arab-emirates
...could turn an affected iPhone into "a sophisticated bugging device",
adding:

"They would have been able to turn on his iPhone's camera and microphone to
record Mansoor and anything nearby, without him being wise about it. They
would have been able to log his emails and calls—even those that are
encrypted end-to-end. And, of course, they would have been able to track his
precise whereabouts," said the blog post.  Lookout said that the flaws
included a memory corruption flaw in WebKit...
<https://blog.lookout.com/blog/2016/08/25/trident-pegasus/> ...which would
let an attacker exploit a device when a user clicks on an affected link.

Two other kernel vulnerabilities would let an attacker jailbreak the device,
and then the attacker can silently install malware to carry out
surveillance.

  [...which raises the 'old question' again: Is there any relief in finding
  out that it was "Our Guys" doing it ?!?  Consider "If the FBI found its
  own iPhone backdoor, should it show Apple?"

http://www.zdnet.com/article/should-the-fbi-tell-apple-how-it-unlocks-seized-iphone/

  Using a zero-day flaw to bypass an iPhone's security is a backdoor by
  another name.]

  [Gene Wirchenko noted Shaun Nichols, *The Register*, 25 Aug 2016,
  Update your iPhones, iPads right now—govt spy tools exploit vulns
  Pegasus snoopware package used against activists and journalists
http://www.theregister.co.uk/2016/08/25/update_your_ios_devices_now_theres_an_apt_in_the_wild/

  See also
IPhone Users Urged to Update Software After Security Flaws Are Found
http://www.nytimes.com/2016/08/26/technology/apple-software-vulnerability-ios-patch.html
  ]


GozNym Trojan spreads to attack German banks (Charlie Osborne)

Werner U <werneru@gmail.com>
Mon, 29 Aug 2016 22:30:37 +0200
Charlie Osborne, IBM X-Force via ZDnet, 24 Aug 2016
<http://www.zdnet.com/article/goznym-trojan-spreads-to-attack-german-banks/>
for Zero Day <http://www.zdnet.com/blog/security/>

GozNym is continuing its rampage across Europe and has sourced a swathe of
fresh banking targets in Germany.

Researchers from IBM X-Force said on Tuesday that the financial malware, a
Trojan discovered in April this year, has recently targeted 13 German banks
and their local subsidiaries.
<https://securityintelligence.com/goznyms-euro-trip-launching-redirection-attacks-in-germany/>
<http://www.zdnet.com/article/goznym-banking-trojan-ramps-up-attacks-targets-europe/>

It appears the operators behind GozNym have been busy during the summer
season, with a sharp hike in attacks across Europe. According to the
researchers, in August alone there has been a 3,550 percent spike in
activity and a 526 percent rise in comparison to the total number of
recorded attacks in April to July this year.  GozNym first hit the spotlight
after starting its journey in the United States. In early April, IBM
revealed the Trojan—a hybrid comprised of the powerful Nymaim Trojan and
Gozi ISFB source code—has been at the heart of the theft of "millions of
dollars" from US banks and credit unions.
<http://www.zdnet.com/article/goznym-the-double-headed-malware-monster-targeting-us-banks/>  [...]

The hybrid malware included an exploit kit dropper, web-injection
capabilities, encryption, anti-VM, and control flow obfuscation, making the
malware persistent, difficult to detect, and also powerful.

IBM researchers say that the malware is now also used in redirection schemes
which send victims to fraudulent, carbon-copy websites of financial
institutions in order to lure them into parting with their online banking
details.

"It is evident that the gang operating the malware has the resources and
savvy to deploy sophisticated cybercrime tactics against banks," the
researchers say. "The project is very active and evolving rapidly, making it
likely to spread to additional countries over time."

The security team ranks GozNym as the eighth most active financial Trojan in
existence, standing up against other malware which has been on the scene far
longer, such as Zeus variants, Zberp, and Tinba. [...]


"Is your Android phone being controlled by a rogue Twitter account? Botnet is first to receive commands via tweets" (ZDnet)

Gene Wirchenko <genew@telus.net>
Thu, 25 Aug 2016 10:40:56 -0700
ESET researchers say by using Twitter to orchestrate infected devices,
Twitoor is the first malicious software of its kind.
http://www.zdnet.com/article/is-your-android-phone-being-controlled-by-a-rogue-twitter-account-botnet-is-first-to-receive/


Inside Facebook's (Totally Insane, Unintentionally Gigantic, Hyperpartisan) Political-Media Machine (NYTimes)

Monty Solomon <monty@roscom.com>
Thu, 25 Aug 2016 10:31:29 -0400
Inside Facebook's (Totally Insane, Unintentionally Gigantic, Hyperpartisan)
Political-Media Machine
http://www.nytimes.com/2016/08/28/magazine/inside-facebooks-totally-insane-unintentionally-gigantic-hyperpartisan-political-media-machine.html

How a strange new class of media outlet has arisen to take over our news feeds.


Parking garage makes it easier for stalkers

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Thu, 25 Aug 2016 17:54:51 -0400
Reston VA (an "edge city" outside Washington DC, near Dulles Airport) has
become increasingly urban.  A few months ago, the company that owns many of
the parking garages announced a plan to start charging to park there, which
led to a large outcry from locals, and many people stating that they'll stop
shopping in that neighborhood rather than pay for parking.

But the more critical part of the new plan is the "feature" being added
along with paid parking: the company is providing a web app where you enter
your license plate number, and it shows a photo of your car, enabling you to
find it quickly if you forget where you park.

As I understand it, these cameras that capture where everyone is parked are
relatively common, but the difference here is that anyone can look up
anyone's license plate, not just their own.  Concerns have been expressed
that this could lead to privacy concerns, and enable stalkers.

I've looked on the web site for the parking company, and it's silent on the
details of how the app prevents such privacy issues.  Avoiding the app
presumably doesn't protect you—you won't be able to find your car, but
others will find it in your place.
(https://www.restontowncenter.com/parking/parking-faq)

According to the article (link below) in the local paper, the system doesn't
just show a photo of the license plate, but of the car, and potentially
people getting in and out of the car.  This is a significantly greater
privacy risk.  Yes, someone could be standing in the parking garage taking
photos, but this automates the risk.

I heard one suggestion that the problem is lack of authentication of the
people making authentication inquiries.  While authenticating who is making
the inquiry might be useful, the bigger problem is that an arbitrary person
should only be able to inquire about his/her own car, not any car.  This
could be done by connecting to the DMV database, allowing verification of
whose car it is—but that would introduce other risks, as well as reducing
the "friendliness" of the feature.

https://www.restonnow.com/2016/08/23/rtcs-parking-cameras-are-security-risk-some-users-say/


Opera resets passwords after sync server hacked (Zack Whittaker)

Werner U <werneru@gmail.com>
Mon, 29 Aug 2016 22:48:25 +0200
Zack Whittaker for Zero Day, 28 Aug 2016
Opera Security via ZDnet, 26 Aug 2016
<http://www.zdnet.com/article/opera-resets-passwords-after-server-hack/>

Opera has confirmed that a hacker breached one of the company's sync
servers, potentially exposing passwords.

The Norway-based Internet browser maker said in a blog post
https://www.opera.com/blogs/security/2016/08/opera-server-breach-incident/
that it "quickly blocked" an attack on its systems earlier this week, but it
admitted that some data was compromised, including "some of our sync users'
passwords and account information", such as login names.

But the company said it doesn't know the full scope of what was compromised.

Opera said that it has reset all the Opera sync account passwords as a
precaution.

At the time of the attack, more than 1.7 million active users last month
used the feature, which allows users to share website passwords across
devices.

The company confirmed that passwords are hashed and salted—an
industry-standard practice to scramble passwords so that they are unusable
—but didn't provide specifics on how, leaving no clear indication if the
passwords can be unscrambled by an attacker.

Opera staffer Tarquin Wilton-Jones, who wrote the blog post, said the
company will "not divulge exactly how authentication passwords on our
systems are prepared for storage", as this would "only help a potential
attacker".

Tarquin Wilton-Jones, Opera, 26 Aug 2016
*Opera server breach incident*
https://www.opera.com/blogs/security/2016/08/opera-server-breach-incident/

  [PGN-pruned]


More Airline Outages Seen As Carriers Grapple With Aging Technology (Reuters via SlashDot)

Werner U <werneru@gmail.com>
Fri, 26 Aug 2016 07:20:00 +0200
<http://www.reuters.com/article/us-delta-air-outages-it-analysis-idUSKCN10N1A3>

*Airlines will likely suffer more disruptions like the one that grounded
about 2,000 Delta flights this week...*

https://it.slashdot.org/story/16/08/08/1251252/delta-air-lines-grounded-around-the-world-after-computer-outage


Re: Airlines' reservation systems (Werner U, RISKS-29.72)

"John Levine" <johnl@iecc.com>
25 Aug 2016 15:47:56 -0000
> Recovering from a crash (i.e., restarting and resynchronizing with the
> rest of the networked aviation world 'out there') must be "a nightmare"
> --WU

Actually, it's not.  In the rare event that it crashes, TPF reboots in a few
seconds.

In the recent Delta fiasco, their TPF-based reservation system, which was
somewhere else, was fine.  The systems that failed and didn't restart were
likely running more "modern" systems.


Re: Airlines' reservation systems (Werner U, RISKS-29.72)

"Jeff S. Jonas" <jeffj@panix.com>
Fri, 26 Aug 2016 02:29:06 -0400 (EDT)
> The airlines' reservation system appears to have evolved
> based on some 1960's technology IBM software marketed since the 70's

Some of the legacy/vintage technology isn't so bad after all.  Before it was
called "cookies", invisible text was on the screen so "send screen" sent an
entire record including the program-generated invisible text to continue the
transaction/session.  I am under the impression that CICS depended on that
trick a lot.

> Recovering from a crash (i.e., restarting and resynchronizing with the
> rest of the networked aviation world 'out there') must be "a nightmare"

Long ago there was "checkpoint/restart":
http://www.computerworld.com/article/2588055/disaster-recovery/checkpoint-and-restart.html
https://en.wikipedia.org/wiki/Application_checkpointing

But that was before network links with context at the other end, shared file
systems and other extremely volatile data.  Integrating the process'
checkpoint/restart to a ZFS snapshot MIGHT help but there's still a lot of
data outside that domain.  'tis a puzzlement!


Re: Excel garbles microarray experiment data (RISKS-24.19)

Joe Loughry <joe.loughry@gmail.com>
Wed, 24 Aug 2016 19:57:57 -0600
A decade after unrecoverable data loss associated with use of Microsoft
Excel on genomic data was first reported in RISKS-24.19, hundreds of
scientific papers in the literature (including the same journal where the
problem was originally reported) were found to suffer from corruption.

http://genomebiology.biomedcentral.com/articles/10.1186/s13059-016-1044-7

Relevant quotes: "To date, there is no way to permanently deactivate
automatic conversion to dates in MS Excel and other spreadsheet software
such as LibreOffice Calc or Apache OpenOffice Calc."

and

"We also recorded several cases where gene name errors were located in the
first few lines of a file—this suggests to us that these files were not
properly reviewed before publication."
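
The pre-publication check that the paper says was missing, as an added
example in Python (editor's code, not from the Genome Biology paper or from
RISKS). The month and scientific-notation patterns approximate the
conversions the paper describes (SEPT2 to 2-Sep, MARCH1 to 1-Mar, RIKEN clone
identifiers such as 2310009E13 to 2.31E+13); they are not a model of Excel's
actual type-inference rules. The `="..."` wrapper in `protect_cell` is a
commonly used workaround and an editor's suggestion, not something the paper
recommends. The sample table is constructed.

```python
"""Flag gene symbols that a spreadsheet will silently turn into dates or numbers.

Editor's added example, not code from the Genome Biology paper or from RISKS.
The patterns approximate the conversions the paper reports (SEPT2 -> 2-Sep,
MARCH1 -> 1-Mar, RIKEN clone IDs such as 2310009E13 -> 2.31E+13); they are
not a model of Excel's actual type-inference rules.
"""
import csv
import io
import re
from typing import Dict, List, Optional

# Month tokens that, glued to a one- or two-digit number, read as a date.
_MONTH = (r"(?:JANUARY|FEBRUARY|MARCH|APRIL|MAY|JUNE|JULY|AUGUST|SEPTEMBER|"
          r"OCTOBER|NOVEMBER|DECEMBER|JAN|FEB|MAR|APR|JUN|JUL|AUG|SEPT|SEP|"
          r"OCT|NOV|DEC)")
_DATE_LIKE = re.compile(
    rf"^(?:{_MONTH}[ /-]?\d{{1,2}}|\d{{1,2}}[ /-]?{_MONTH})$", re.IGNORECASE)
# Digits, an E, digits: parsed as scientific notation and stored as a float.
_NUMBER_LIKE = re.compile(r"^\d+(?:\.\d+)?E[+-]?\d+$", re.IGNORECASE)


def conversion_risk(cell: str) -> Optional[str]:
    """Return 'date', 'number' or None for one cell value."""
    value = cell.strip()
    if _DATE_LIKE.match(value):
        return "date"
    if _NUMBER_LIKE.match(value):
        return "number"
    return None


def scan_supplement(csv_text: str, gene_column: int = 0) -> List[Dict[str, object]]:
    """List every data row whose gene-symbol cell would be altered on import.

    This is the check the paper found missing: run it over a supplementary
    table before it leaves the lab.
    """
    findings: List[Dict[str, object]] = []
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if lineno == 1 or len(row) <= gene_column:
            continue  # header line or malformed short row
        risk = conversion_risk(row[gene_column])
        if risk:
            findings.append({"line": lineno, "symbol": row[gene_column], "risk": risk})
    return findings


def protect_cell(cell: str) -> str:
    """Wrap an at-risk symbol so the spreadsheet keeps it as text.

    ="SEPT2" is a widely used workaround (editor's suggestion, not the paper's):
    the cell becomes a formula whose value is the literal string.  Harmless
    cells are passed through unchanged.
    """
    if conversion_risk(cell):
        return '="' + cell.replace('"', '""') + '"'
    return cell


def protect_supplement(csv_text: str, gene_column: int = 0) -> str:
    """Rewrite a CSV with every at-risk gene-symbol cell protected."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if lineno > 1 and len(row) > gene_column:
            row[gene_column] = protect_cell(row[gene_column])
        writer.writerow(row)
    return out.getvalue()


# Constructed sample table; TP53 is safe, the other four symbols are not.
SAMPLE_SUPPLEMENT = (
    "Gene,log2FC\n"
    "TP53,1.2\n"
    "SEPT2,-0.4\n"
    "MARCH1,0.9\n"
    "2310009E13,0.1\n"
    "DEC1,2.0\n"
)

if __name__ == "__main__":
    for finding in scan_supplement(SAMPLE_SUPPLEMENT):
        print(f"line {finding['line']}: {finding['symbol']} -> {finding['risk']}")
```

Since the paper notes that the conversion cannot be switched off globally in
Excel, LibreOffice Calc or OpenOffice Calc, the scan is the part that matters:
it makes the damage visible before review rather than after publication. The
`protect_cell` wrapper only helps recipients who open the file in a
spreadsheet; downstream tools reading the CSV directly will see the formula
text, so keep an unprotected copy for machine consumption.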


Re: "When Hiding Passwords Is Stupid—or Worse!"

Don Norman <dnorman@ucsd.edu>
Sat, 27 Aug 2016 14:16:07 -0700
Thank you, Lauren, for your wonderful post explaining why hiding passwords
increases frustration and decreases security.

It goes along with my long standing statement: The more secure you make
something, the less secure it is.  (Lock all the doors at night and
hard-working, dedicated employees/students will prop them open with whatever
is available.)

How do I deal with the invisible password? I first select a password and
write it down. Then I carefully paste it into as many fields as needed. If
paste is not allowed, I simply use a simple password in order to avoid
typing errors. Does this enhance security? I leave the answer as an exercise
for the reader.

And don't get me started on passwords with onerous requirements that you are
told about only after you have failed to do it correctly the first time,
before you were allowed to see the rules.

And poorly laid out keyboards on portable, screen devices, so I try hard to
use only lowercase because it is so difficult to switch among the many
layouts (upper case, symbols, digits) that invariably in switching I err,
but because the password is invisible I can't tell. (And if I try to be
alert for the brief flash of the typed item, the need to switch visual
attention between the screen keyboard and the quick flash of the selected
character leads to other errors.)

What about security questions? I recall when I was asked for my favorite
color, but when I typed "red" I was told that it had to be at least four
letters. Or the system that asked for and then wouldn't let me use my
father's middle name because it only had one letter. Fortunately, he spent
most of his life in the pre-computer, pre-high-security era with his single
letter middle name: he would not survive today.

Back to security questions. I have learned to write all the questions and
answers down, else I will never remember my answers. Does case matter? Who
knows.

Or lazy programmers who insist on phone number syntax that either require
certain symbols as delimiters or prohibit them. Same with date formats.
When they are simply avoiding work, because there are lots of example cases
where it is done properly (Microsoft has long been the leader), that allow
almost any phone or date format, as long as it is unambiguous—they can
convert it.

Why do we have such bad security: because lazy and inept programming and
security rules force us to simplify and cheat. And write things down. (Yes,
I use 1Password, which doesn't have a nice free-text field where I can write
down security questions and answers: I have to do workarounds.)

  Poor security practices lead to insecure systems because people try to
  defeat them with insecure workarounds (hence the prevalence of reused
  passwords and answers to security questions).

These problems are well known. Moreover, they have been well known for a
decade or more.

But this is a common risk often discussed in RISKS: incidents repeat
themselves in regular fashion. There appears to be no learning. Now, that
turns out to be good for me and for other professionals in the usability
and security business. There is no end of people who need our help. Even so,
it is demoralizing. Should I write a book about these issues? (Oh, I already
have. Many of them.  But they only seem to be read by people who already
understand these issues. I suspect that is true of the readership of RISKS:
those who need these lessons the most do not read the books, journal
articles, RISKS, and do not attend SOUPS and other relevant
conferences. SOUPS, Symposium on Usable Privacy and Security, is now in its
12th year!)

Don Norman, Prof. and Director, DesignLab, UC San Diego  dnorman@ucsd.edu
designlab.ucsd.edu/  www.jnd.org


Re: Why you *still* can't trust password strength meters

Barry Gold <barrydgold@ca.rr.com>
Thu, 25 Aug 2016 06:51:47 -0700
This is an excellent article, although I would have preferred for Monty to
quote or paraphrase at least part of the article: I don't like having to
click through just to get more than the subject line.

I have one disagreement with the article: locking users out will only
protect against crackers using brute force at the login interface. That is
easy to protect against: after a few bad tries, make the user go through the
password reset protocol (which generally involves being able to receive
email). Or you can insert gradually increasing delays in your response time
based on the number of bad attempts.

But as I understand it, the dictionary attacks are mostly not used at the
login interface. It's comparatively slow—you have to go over the net to
attack it, and most sites _do_ block you after some number of failures.

The dictionary attack is most useful after a cracker has stolen the
encrypted password database. Sure, the encryption is (theoretically) one
way: You can't "decrypt" the password even if you also steal the encryption
key. But you _can_ run a massive brute force attack on the database: try
everything in your dictionary (including common misspellings). Encrypt each
proposed password via the "one way" algorithm, and compare with every entry
in the DB. "Salting" helps slow that down, but the attacker can have nearly
unlimited computing power thanks to botnets (which can, I understand, be
rented by the hour).

So I would propose that website operators not be _too_ aggressive in
applying lockouts. I was recently "locked out" of Firefox Sync for too many
bad tries because I had trouble remembering exactly how I had misspelled my
password (made by sticking multiple words together which have a link that is
meaningful to me, but unlikely to be found by a dictionary attack). Having
to go through the reset protocol on multiple machines was a real pain.
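
The offline attack Barry describes, beside the "hashed and salted" storage
that Opera says it uses for sync passwords (item above), as an added example
in Python. This is the editor's code, not Opera's, Firefox Sync's or any
vendor's implementation; the accounts, passwords and wordlist are constructed,
and PBKDF2-HMAC-SHA256 is used only because it is in the standard library.
It counts KDF evaluations rather than timing them, so the cost difference is
visible regardless of how much compute the attacker rents.

```python
"""Salted, slow password hashing beside the offline dictionary attack it is
meant to blunt.  Editor's added example; not Opera's, Firefox Sync's or any
vendor's implementation.  Accounts and wordlist are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# PBKDF2-HMAC-SHA256 work factor.  Deliberately low so the demo finishes in
# well under a second; real deployments use far more iterations, or a
# memory-hard function such as scrypt or Argon2.
ITERATIONS = 20_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random 16-byte salt per account by default."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute under the stored salt; constant-time compare avoids a timing oracle."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def unsalted_fast_hash(password: str) -> bytes:
    """The weak scheme for contrast: one plain SHA-256, and the same digest for
    everyone who picked the same password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def attack_salted(stolen: Dict[str, Tuple[bytes, bytes]],
                  wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Offline dictionary attack on the salted store.

    Nothing can be precomputed or shared between accounts: every (guess,
    account) pair costs one full KDF evaluation, so work grows with the
    product of wordlist size and number of accounts.
    """
    words = list(wordlist)
    cracked: Dict[str, str] = {}
    work = 0
    for user, (salt, digest) in stolen.items():
        for guess in words:
            work += 1
            if verify_password(guess, salt, digest):
                cracked[user] = guess
                break
    return cracked, work


def attack_unsalted(stolen: Dict[str, bytes],
                    wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Same attack on the unsalted store: hash each guess once, then match the
    whole database against that table.  Work is the wordlist size, however
    many accounts were stolen; this is the 'compare with every entry' step."""
    table: Dict[bytes, str] = {}
    work = 0
    for guess in wordlist:
        work += 1
        table[unsalted_fast_hash(guess)] = guess
    cracked = {user: table[d] for user, d in stolen.items() if d in table}
    return cracked, work


# Constructed demo data.
DEMO_ACCOUNTS = {"alice": "password", "bob": "letmein",
                 "carol": "correct horse battery staple"}
DEMO_WORDLIST = ["123456", "password", "qwerty", "letmein"]


def build_databases():
    """Simulate the two kinds of stolen password database."""
    salted = {u: hash_password(p) for u, p in DEMO_ACCOUNTS.items()}
    unsalted = {u: unsalted_fast_hash(p) for u, p in DEMO_ACCOUNTS.items()}
    return salted, unsalted


if __name__ == "__main__":
    salted_db, unsalted_db = build_databases()
    print("salted:  ", attack_salted(salted_db, DEMO_WORDLIST))
    print("unsalted:", attack_unsalted(unsalted_db, DEMO_WORDLIST))
```

Both attacks recover the two dictionary passwords and neither touches
carol's, which is the point of the strength-meter debate: a salt does not
protect a weak password, it only removes the attacker's ability to amortise
one guess across every account or to use a precomputed table, and the
iteration count is what makes each guess expensive. Rented botnet capacity
scales the attacker's side of that product, not the defender's, which is why
the only lever left to the site is the cost per guess and the only lever left
to the user is staying out of the dictionary.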


Re: Sleep 'resets' brain connections crucial for memory and learning

"Jeff S. Jonas" <jeffj@panix.com>
Fri, 26 Aug 2016 02:55:29 -0400 (EDT)
I'm confused: when should I "sleep on it"
and when should I continue my "flow time"?

Some tasks require a lot of uninterrupted time to focus on one extremely
engaging task, particularly learning.  But sometimes taking a
break/nap/sleep is required to stop spinning one's wheels and let another
solution percolate.

Our profession is not unique for pulling all-nighters but it's sometimes
legitimized, even glorified as the way to get things done.  I hope this is
finally shedding light on what causes burnout.

> [Why is this RISKS-relevant?]

I can think of many reasons, some directly RISKS related

A) Operator fatigue contributes to crashes and other failures.  That's why
pilots and commercial drivers are allegedly limited to number of working
hours.

B) Long ago there were time & motion studies to optimize productivity.  Now,
productivity spyware is often used to pressure employees to work faster
regardless of the task's difficulty or quality of service delivered for that
quick outcome.  Call centers are the main user of that tactic to maximize
calls handled-per-hour, but at the risk of over stressing their employees.

Physical injuries such as Carpal Tunnel and other Repetitive Stress Injuries
can be proven via x-ray or ultrasound.  But what of mental stress and other
intangible injuries?  Perhaps this is a step to giving some insight for
that.


Re: "Smart Power Outlets" (RISKS-29.72)

Peter Bernard Ladkin <ladkin@causalis.com>
Thu, 25 Aug 2016 13:25:26 +0200
AlMac writes "The latest gift of The Internet of Things industry, revealed
last week by security researchers at Bitdefender, is smart electrical
sockets that can be hacked to hand over e-mail credentials, create a botnet,
or (potentially) burn your house down by firing up connected appliances."
<http://motherboard.vice.com/read/smart-electrial-sockets-could-be-the-next-botnet>

Burning your house down by firing up appliances? Electrical safety standards
are not perfect, but they have been around a long time (in Germany, about
120 years). Indeed, for about as long as mice have been gnawing through
insulation on cables.

Advice to those contemplating installation of "smart power outlets" seems
obvious: if you are going to be spending on house electrics and you don't
want to worry about your house burning down, then if your circuitry is more
than a decade old your "smart money" goes first on residual-current devices
and maybe arc-fault circuit breakers ("interrupters" in the US). It won't
cost you much. You'll likely have something left over for your "smart power
outlets".

I have Type A RCDs on everything and was thinking of installing arc-fault
protection. My electrician looked at me as you'd look at a person who puts
on a bicycle helmet to walk down the stairs and said, quite slowly, "I can
certainly do that if you wish".

Some background to all this.

Building circuits have overcurrent protection, short-circuit protection,
more recently residual-current protection of various sensitivities, and, for
the cognoscenti, arc-fault protection. Overcurrent and short-circuit
protection is pretty much regulation in all developed countries;
residual-current protection increasingly so, but countries also differ on
the amount of residual-current detection/protection they require for new
installations, even within Europe. I understand regulations in the US now
require arc-fault protection in some, but not all, housing circuits in new
installations. https://en.wikipedia.org/wiki/Arc-fault_circuit_interrupter
In Germany, an arc-fault protection device is called a "fire protection
(circuit-)breaker" (Brandschutzschalter), emphasizing its perceived role.

Building electrical installations vary notably in age and effectiveness.
It's an interesting question to try to determine the age and adequacy of
building electrics everywhere.

In a survey via questionnaire of electrical home installations in a small
town, Lübbecke, near Bielefeld, Christoph Goeker found that, of the homes
of his respondents, 61% of building electrics were older than 30 years, and
only a quarter younger than 20 years.
https://rvs-bi.de/publications/Theses/Masterthesis_Christoph_Goeker.pdf (in
German)

Some general figures. It is said that 93% of Italian dwellings have
residual-current protection, but only 32% of French (I have no idea how
reliable these figures are.  They occur in the last paragraph of Section 6.1
of
http://www.leonardo-energy.org/sites/leonardo-energy/files/root/Documents/2009/Feeds_lo.pdf
in inverse: the proportion of dwellings which don't have RCDs). Well over
60% of UK buildings have RCDs (Table in Section 6 of
http://www.electricalsafetyfirst.org.uk/news-and-campaigns/policies-and-research/statistics/
broken down by building-ownership category) In Switzerland, apparently the
figure is 100% since a 2010 law (3rd paragraph of
https://de.wikipedia.org/wiki/Fehlerstrom-Schutzschalter#Schweiz , in
German).

Arc-fault detection and protection first came to the fore in aviation, after
TWA 800 was discovered to have been the likely victim in July 1996 of a fire
in fuel vapors in an "empty" tank ignited by residual current in the fuel
quantity measuring system stemming from an arc fault somewhere in a wiring
bundle. Although some people didn't think so. For example,
http://catless.ncl.ac.uk/Risks/21/08#subj9.1
https://rvs-bi.de/publications/Papers/Scarry-refutation.pdf

It was regarded as infeasible to inspect all wiring bundles in all aging
aircraft, and arc-fault detection and protection seemed to be a reasonable
solution. Since then, prices for arc-fault protection have come down
considerably.

Some 15-20 people die in Germany each year due to electrocution, and some
600 in building fires, of which about a third are thought to be caused by
faulty electrics (general figures from Georg Luber of Siemens AG, the German
representative on the IEC Advisory Committee on Safety), so let's say about
200 per annum.  In the US, it seems the figure is 455 p.a.
http://www.nfpa.org/public-education/by-topic/top-causes-of-fire/electrical/electrical-safety-in-the-home

This is about the same number of people who die from the most common types
of food poisoning, salmonella (380 p.a.) and campylobacter (76 p.a.)
https://www.cdc.gov/salmonella/
http://www.cdc.gov/foodsafety/diseases/campylobacter/index.html In the UK,
it seems that the number was only 46 deaths in 2011/12, with only 25 deaths
put down to faults.  See Section 3 of this:
http://www.electricalsafetyfirst.org.uk/news-and-campaigns/policies-and-research/statistics/

(From these figures, the US has ten times the incidence of fire deaths from
electrical faults as the UK, with a little over five times the population.
But it appears Germany has five times the incidence amongst a population
only one-third larger. So, caveat lector—something doesn't quite seem
right to me about these figures as they are—I've lived in and looked at
electrics in all three places.)


Re: "Smart Power Outlets" (RISKS 29.72)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Thu, 25 Aug 2016 19:00:49 -0500
I know that electrical and other safety standards have existed since before
I was born, and that over the years there is continuous improvement.

I also know that enforcement of these standards is non-existent many places
in the world, particularly in small towns, such as those I have resided in
for many decades of my career, from which I am now retired.

A little over 35 years ago, I moved into an apartment, where some of the
lights used an open flame, because the building was ancient, using both
electric and gas.  This open flame for the gas lighting in the living room
was totally legal in the town where I was working.  I was unfamiliar with
best safety practices when using open flames, so I refrained from using
them, and instead got some electric lamps which could be plugged into
electrical sockets, which incidentally did not have any grounding, which was
also legal in that town.  This is a common reality in parts of the USA,
where the voters are generally opposed to government regulations.

Regarding risks of setting a building on fire, by powering up appliances
when no human nose is around to detect the smoke, I have known of instances
of:

. Building contractor work done by someone not qualified for the work they
did, who supplied the property owner with fraudulent credentials;

. A home burning down thanks to defective electrical components, killing all
occupants;

. Me getting close to dead when my bedroom caught on fire, when I was
sleeping there.  No, I was not smoking in bed.  I was in a town whose
building safety standards were non-existent, so every building was a fire
hazard.

In the fraudulent building contractor case, the property owner later found
out and went to the police, but nothing could be done, because that was not
a crime where it happened.

In my personal experience, including proprietary knowledge of electrical
recalls, about which I cannot speak about in public, electrical and other
safety standards are poorly enforced in many areas of USA, including:

. Retail sales of electrical components, some of which may be
counterfeit, or improperly labeled.

. Smalltown America building safety standards can be non-existent.

. Rental property management, where things are replaced only when they break
down, and sometimes not even then.

. Manufacturing supply chain record keeping, not good enough to make defects
traceable.

. Records of where pipelines and utilities are located, so contractors know
where not to dig.

In this USA reality, I think it is criminal negligence to sell a home "smart
power" app which makes it possible for anyone in the world to turn on
electrical appliances when no one is home to detect whether anything is
over-heating, or smoke coming from a wall plug.  In fact I think a great deal
of IoT sales, without any security, constitute criminal negligence, which is
placing many people at needless risk.
