The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 93

Monday 21 November 2016

Contents

*Fake News* gives new meaning to *No news is good news*?!!
PGN
Programmers are having a huge discussion about the unethical and illegal things they've been asked to do
Business Insider
Nobody has real friends anymore
NYPost via Geoff Goodfellow
8 million GitHub profiles were leaked from GeekedIn's MongoDB - here's how to see yours
Troy Hunt
Zuckerberg dies temporarily due to glitch
The Guardian
Vigilante who aided Steubenville football website hack to plead guilty
Ars Technica
In two weeks, it will be easier for Uncle Sam to search your computer
Ars Technica
IMSI Catcher Report Calls for Transparency, Proportionality, and Minimization Policies
CitizenLab
Chinese company installed secret backdoor on hundreds of thousands of phones
Ars Technica
The Cyber-War on the Tibetan Community - a case study
CyberLab
NSO Group's iPhone Zero Days used against a UAE Human Rights Defender
Bill Marczak and John Scott-Railton
Office Depot insider speaks out about unnecessary computer fixes
JesseJones
Kryptowire discovers mobile phone firmware that transmitted PII
Jim Reisert
Risks to toilets in computing systems
Toby Douglass
Testimony last week for a U.S. House Committee on IoT Security by Kevin Fu and Bruce Schneier
PGN
Hackers Claim Theft of Data from Gorilla Glue
Motherboard
Biggest Spike in Traffic Deaths in 50 Years? Blame Apps
The NYTimes
iPhones Secretly Send Call History to Apple, Security Firm Says
Kim Zetter
Re: iPhone 'Touch Disease'
Brian Clark via Werner U
Info on RISKS (comp.risks)

*Fake News* gives new meaning to *No news is good news*?!!

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 18 Nov 2016 9:58:53 PST
Fake News may be becoming the biggest Real-News story of the century.
It is certainly getting wide coverage.  Here are just a few of the
items that seem RISKS-relevant.

Facebook fake news writer Paul Horner reveals how he tricked Trump
supporters, and possibly influenced election
http://www.hollywoodreporter.com/news/facebook-fake-news-writer-president-donald-trump-win-948218

Facebook fake-news writer: "I think Donald Trump is in the White House
because of me."
https://www.washingtonpost.com/news/the-intersect/wp/2016/11/17/facebook-fake-news-writer-i-think-donald-trump-is-in-the-white-house-because-of-me/

Access to LinkedIn now officially blocked in Russia: new law requires
personal data of Russians must be stored within Russia.
https://consumerist.com/2016/11/17/access-to-linkedin-now-officially-blocked-in-russia/

Viral Fake Election News Outperformed Real News On Facebook In Final Months
Of The US Election; fake election news stories generated more total
engagement on Facebook than top election stories from 19 major news outlets
combined.
https://www.buzzfeed.com/craigsilverman/viral-fake-election-news-outperformed-real-news-on-facebook

Fake News on Facebook? In Foreign Elections, That's Not New
http://www.nytimes.com/2016/11/18/technology/fake-news-on-facebook-in-foreign-elections-thats-not-new.html

Automated Pro-Trump Bots Overwhelmed Pro-Clinton Messages, Researchers Say:
to rant, confuse people on facts, or simply muddy discussions.
http://www.nytimes.com/2016/11/18/technology/automated-pro-trump-bots-overwhelmed-pro-clinton-messages-researchers-say.html

President Obama on fake news problem: "We won't know what to fight for";
it represents a true threat to some of the fundamental U.S. building
blocks of society.
https://techcrunch.com/2016/11/17/president-obama-on-fake-news-problem-we-wont-know-what-to-fight-for/

White supremacist Twitter users are creating fake 'black person' accounts to
stir up online racism
http://www.rawstory.com/2016/11/white-supremacist-twitter-users-are-creating-fake-black-person-accounts-to-stir-up-online-racism/

Facebook's New Plan to Deal With Fake News Is Too Vague and Too Late
http://gizmodo.com/facebooks-new-plan-to-deal-with-fake-news-is-too-vague-1789171552

Mark Zuckerberg Announces Facebook Will Fight Fake News—Next To An Ad
With Fake News
https://news.slashdot.org/story/16/11/19/1834205/mark-zuckerberg-announces-facebook-will-fight-fake-news----next-to-an-ad-with-fake-news

Here's why Twitter turned down a Donald Trump advertising campaign
http://www.recode.net/2016/11/19/13685832/twitter-rejects-donald-trump-ad-campaign

A real-names domain-registration policy would discourage political lying
http://cis471.blogspot.com/2016/11/a-real-names-domain-registration-policy.html

How Fake News Goes Viral
http://www.nytimes.com/2016/11/20/business/media/how-fake-news-spreads.html?partner=rss&emc=rss

NYTimes Editorial: Facebook and the Digital Virus Called Fake News
http://www.nytimes.com/2016/11/20/opinion/sunday/facebook-and-the-digital-virus-called-fake-news.html

Call it a 'crazy idea,' Facebook, but you need an executive editor
https://www.washingtonpost.com/lifestyle/style/call-it-what-you-want-facebook-but-you-need-an-executive-editor/2016/11/20/67aa5320-aaa6-11e6-a31b-4b6397e625d0_story.html

For the 'new yellow journalists,' opportunity comes in clicks and bucks
https://www.washingtonpost.com/national/for-the-new-yellow-journalists-opportunity-comes-in-clicks-and-bucks/2016/11/20/d58d036c-adbf-11e6-8b45-f8e493f06fcd_story.html

Misinformation in China
Watching the Election from The Post-Truth Future
https://medium.com/@xuhulk/watching-the-election-from-the-post-truth-future-97a0d66bdcfe#.hsjwf0wbk


Programmers are having a huge discussion about the unethical and illegal things they've been asked to do

Lauren Weinstein <lauren@vortex.com>
Sun, 20 Nov 2016 21:49:01 -0800
NNSquad
http://www.businessinsider.com/programmers-confess-unethical-illegal-tasks-asked-of-them-2016-11

  "We are killing people," Martin says. "We did not get into this business
  to kill people. And this is only getting worse."  He pointed out that
  "there are hints" that developers will increasingly face some real heat in
  the years to come. He cited Volkswagen America's CEO, Michael Horn, who at
  first blamed software engineers for the company's emissions cheating
  scandal during a Congressional hearing, claiming the coders had acted on
  their own "for whatever reason." Horn later resigned after US prosecutors
  accused the company of making this decision at the highest levels and then
  trying to cover it up.  But Martin pointed out, "The weird thing is, it
  was software developers who wrote that code. It was us. Some programmers
  wrote cheating code.  Do you think they knew? I think they probably knew."


Nobody has real friends anymore

<Geoff.Goodfellow@iconia.com>
Sat, 19 Nov 2016 08:48:47 -1000
http://nypost.com/2016/11/17/social-media-is-making-you-a-bad-friend/


8 million GitHub profiles were leaked from GeekedIn's MongoDB - here's how to see yours

Monty Solomon <monty@roscom.com>
Thu, 17 Nov 2016 19:52:57 -0500
https://www.troyhunt.com/8-million-github-profiles-were-leaked-from-geekedins-mongodb-heres-how-to-see-yours/


Zuckerberg dies temporarily due to glitch

Dan Jacobson <jidanni@jidanni.org>
Thu, 17 Nov 2016 08:12:48 +0800
https://www.theguardian.com/technology/2016/nov/11/facebook-profile-glitch-deaths-mark-zuckerberg
By the way, here are his
https://www.facebook.com/4/groups , and here are some more,
https://www.facebook.com/search/4/groups (view on desktop computer).


Vigilante who aided Steubenville football website hack to plead guilty

Monty Solomon <monty@roscom.com>
Thu, 17 Nov 2016 20:01:32 -0500
http://arstechnica.com/tech-policy/2016/11/kyanonymous-to-plead-guilty-to-2-of-4-federal-counts-in-hacking-case/


In two weeks, it will be easier for Uncle Sam to search your computer

Monty Solomon <monty@roscom.com>
Thu, 17 Nov 2016 19:58:15 -0500
http://arstechnica.com/tech-policy/2016/11/judges-getting-new-powers-to-expand-electronic-surveillance-state/


IMSI Catcher Report Calls for Transparency, Proportionality, and Minimization Policies (CitizenLab)

Werner U <werneru@gmail.com>
Sat, 19 Nov 2016 01:13:00 +0100
https://citizenlab.org/2016/09/imsi-catcher-report-calls-transparency-proportionality-minimization-policies/

Christopher Parsons, 13 Sep 2016
<https://citizenlab.org/category/author/christopher-parsons/>
Tamir Israel <https://cippic.ca/about-us#staff>

The Citizen Lab and CIPPIC are releasing a report, *Gone Opaque? An Analysis
of Hypothetical IMSI Catcher Overuse in Canada*, which examines the use of
devices that are commonly referred to as cell site simulators, IMSI
Catchers, Digital Analyzers, or Mobile Device Identifiers, and under brand
names such as Stingray, DRTBOX, and Hailstorm.  IMSI Catchers are a class
of surveillance devices used by Canadian state agencies. They enable state
agencies to intercept communications from mobile devices and are principally
used to identify otherwise anonymous individuals associated with a mobile
device and track them.

Though these devices are not new, the ubiquity of contemporary mobile
devices, coupled with the decreasing costs of IMSI Catchers themselves, has
led to an increase in the frequency and scope of these devices' use. Their
intrusive nature, combined with surreptitious and uncontrolled uses,
poses an insidious threat to privacy.

This report investigates the surveillance capabilities of IMSI Catchers,
efforts by states to prevent information relating to IMSI Catchers from
entering the public record, and the legal and policy frameworks that govern
the use of these devices. The report principally focuses on Canadian
agencies but, to do so, draws comparative examples from other jurisdictions.
The report concludes with a series of recommended transparency and control
mechanisms that are designed to properly contain the use of the devices and
temper their more intrusive features.

The report is structured across four sections:

 - Section One provides an overview of the technical capabilities of IMSI
   Catchers.
 - Section Two focuses on civil society and journalists' efforts to
   render transparent how IMSI Catchers are used.
 - Section Three examines the regulation of IMSI Catchers and avenues
   towards lawful regulation of their use.
 - Section Four sets out best practices that should be incorporated into
   a framework governing IMSI Catcher use.

https://citizenlab.org/wp-content/uploads/2016/09/20160818-Report-Gone_Opaque.pdf
https://citizenlab.org/wp-content/uploads/2016/09/Rapport-Aller_Opaque-Somm_Exec-FR.pdf


Chinese company installed secret backdoor on hundreds of thousands of phones

Monty Solomon <monty@roscom.com>
Thu, 17 Nov 2016 20:51:50 -0500
http://arstechnica.com/security/2016/11/chinese-company-installed-secret-backdoor-on-hundreds-of-thousands-of-phones/


The Cyber-War on the Tibetan Community - a case study (CyberLab)

Werner U <werneru@gmail.com>
Sat, 19 Nov 2016 15:19:15 +0100
(CyberLab, 17 Nov 2016)

[Remember when the Chinese began to 'show up' offline and online looking for
education and cooperation in security matters?!?  I considered them
'up-to-no-good' then... and do still today.  It's now nearly 20 years since I
found the computers of Tibetan refugees infected with malware that made
calls to Asian service numbers, which AT&T insisted on billing them for ($$$
hundreds monthly), rather than reversing the scam-charges as they should and
could have...]

It's Parliamentary: KeyBoy and the targeting of the Tibetan Community
17 Nov 2016

<https://citizenlab.org/tag/china/>,
<https://citizenlab.org/tag/malware/>,
<https://citizenlab.org/tag/targeted-threats/>,
<https://citizenlab.org/tag/tibet/>
Adam Hulcoop, Etienne Maynier, John Scott-Railton, Masashi
Crete-Nishihata, Matt Brooks
Reports & Briefings <https://citizenlab.org/category/research-news/reports-briefings/>,
News <https://citizenlab.org/category/research-news/>

Key Findings

 - In this report we track a malware operation targeting members of the
   Tibetan Parliament over August and October 2016.
 - The operation uses known and patched exploits to deliver a custom
   backdoor known as KeyBoy.
 - We analyze multiple versions of KeyBoy revealing a development cycle
   focused on avoiding basic antivirus detection.
 - This operation is another example of a threat actor using *just
   enough* technical sophistication to exploit a target.


NSO Group's iPhone Zero Days used against a UAE Human Rights Defender (Bill Marczak and John Scott-Railton)

Werner U <werneru@gmail.com>
Fri, 18 Nov 2016 19:33:07 +0100
Bill Marczak and John Scott-Railton (Senior Researchers at The Citizen Lab
University of Toronto, with the assistance of the research team at Lookout
Security.)
https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/

This report describes how a government targeted an internationally
recognized human rights defender, Ahmed Mansoor, with the Trident, a chain
of zero-day exploits designed to infect his iPhone with sophisticated
commercial spyware.

*Updated (Sept 1, 2016)*: Today Apple released security updates
<https://support.apple.com/en-us/HT201222> for Desktop Safari and Mac OS X.
These updates patch the Trident vulnerabilities that were identified in this
report for desktop users.  The Trident vulnerabilities used by NSO could
have been weaponized against users of non-iOS devices, including OS X.


Office Depot insider speaks out about unnecessary computer fixes (JesseJones)

Lauren Weinstein <lauren@vortex.com>
Wed, 16 Nov 2016 15:36:13 -0800
via NNSquad
  Office Depot is selling fixes for computer problems that don't exist and
  pushing customers to purchase costly repairs, a KIRO 7 investigation
  found.  Now, after watching Jesse's investigation, the company is pledging
  to take appropriate action.
http://jessejones.com/story/office-depot-insider-speaks-out/


Kryptowire discovers mobile phone firmware that transmitted PII

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Wed, 16 Nov 2016 17:54:48 -0700
15 Nov 2016
Kryptowire discovers mobile phone firmware that transmitted personally
identifiable information (PII) without user consent or disclosure
http://www.kryptowire.com/adups_security_analysis.html

  Kryptowire has identified several models of Android mobile devices that
  contained firmware that collected sensitive personal data about their
  users and transmitted this sensitive data to third-party servers without
  disclosure or the users' consent. These devices were available through
  major US-based online retailers (Amazon, BestBuy, for example) and
  included popular smartphones such as the BLU R1 HD. These devices actively
  transmitted user and device information including the full-body of text
  messages, contact lists, call history with full telephone numbers, unique
  device identifiers including the International Mobile Subscriber Identity
  (IMSI) and the International Mobile Equipment Identity (IMEI). The
  firmware could target specific users and text messages matching remotely
  defined keywords. The firmware also collected and transmitted information
  about the use of applications installed on the monitored device, bypassed
  the Android permission model, executed remote commands with escalated
  (system) privileges, and was able to remotely reprogram the devices.

  The firmware that shipped with the mobile devices and subsequent updates
  allowed for the remote installation of applications without the users'
  consent and, in some versions of the software, the transmission of
  fine-grained device location information. The core of the monitoring
  activities took place using a commercial Firmware Over The Air (FOTA)
  update software system that was shipped with the Android devices we tested
  and was managed by a company named Shanghai Adups Technology Co. Ltd.


Risks to toilets in computing systems

Toby Douglass <toby_public@winterflaw.net>
Thu, 17 Nov 2016 19:44:02 +0100
Thin supply chains are efficient but potentially fragile, as they in their
efficiency lack redundancy or immediately available spare capacity.

In Berlin, there is found a chain of large, low-cost gyms by the name of
McFit.  This gym chain owns a subsidiary brand, High5, composed of smaller,
more highly branded gyms.  The gyms are largely automatic, with minimal
staff counts - typically one staff member, two at busy times, with perhaps
two hundred people in the gym.  Access to the gym, the lockers and even the
vending machines is by key-card.

McFit offers a minimum membership of one year.  High5 offers a monthly
subscription, and with an option to be able to attend McFit gyms.  As such,
it is not uncommon for people to join High5 and then attend only a McFit
gym.

This leads to the question of the integration of the computer systems at
these two chains, such that the High5 card can function at the McFit gyms.

For the last three weeks, the High5 cards have not functioned in McFit gyms,
either to access the gym, or to open and close lockers.  The High5 web-site
itself no longer allows users to log into their accounts; clicking on the
"login" button leads - without explanation, and so confusingly - to the
"join now" page.  In theory it is possible to log in *at* the High5 gyms,
but it turns out that if the account in question lacks a photo, attempting
to log in silently disables the account, and so it is then no longer possible
to log in even at the gym.  (I have been looking to do so to change the IBAN
used to pay for my account.)

When a High5 member now attends a McFit gym, they must wait for assistance,
which typically takes five to ten minutes.  The gym has a small supply of
unallocated McFit access cards to allow for locker use in such cases.  It
has become increasingly common for High5 members to take such a card but not
return it, and then on their next visit, simply to edge past the access
turnstile (there is room to do so), so that they need not suffer the onerous
wait for assistance.  As such, the supply of locker cards is running low.

Where the demands upon staff time have now significantly risen, routine
maintenance - emptying bins, cleaning the toilets, etc - has suffered.
During peak times, the bins begin to overflow and the toilets and urinals,
not the least fragrant even in the best of times, stink.

(As an aside, as far as I am aware, there has been no communication from
High5 or McFit to their customers regarding these matters; the web-site is
silent in these matters and there has been no email.)

When conducting failure analysis, the correct approach is to follow the
chain of failure as far as possible, to find the *earliest* point at which
corrective action could have been taken.

With this in mind, I must first note that all of this would have been
avoided had McFit offered the same pricing plans as High5; people would have
joined McFit directly.

Beyond this, I must look past the computing problems so described, and
observe that although I live in central Berlin, this McFit is the only fully
equipped (weights, machines, cardio machines, etc) gym within 20 minutes
walking distance of home.

I would as you can imagine by now have changed gym - if I could; however, I
find if I must take the metro to get to the gym, my attendance falls off
dramatically.

These computer problems, from my point of view, would be solved by the
presence of alternative gyms - safety in variety of supply, as Churchill
remarked upon the switch by the Royal Navy from coal to oil.

Given the large population here, I must think that there are unusual factors
which are strongly discouraging the supply of gymnasiums.  I would be
interested to have some understanding of those factors, as fixing them would
in effect fix these problems further down the chain of failure.

My gut feeling is that this may be related to Risks to the Public from
Government and Related Systems.


Testimony last week for a U.S. House Committee on IoT Security

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 17 Nov 2016 11:32:45 PST
* Kevin Fu, Infrastructure Disruption: Internet of Things Security,
  Testimony before the U.S. House of Representatives Committee on Energy and
  Commerce, Subcommittee on Communications and Technology and Subcommittee
  on Commerce, Manufacturing, and Trade, November 16, 2016.
https://energycommerce.house.gov/hearings-and-votes/hearings/understanding-role-connected-devices-recent-cyber-attacks

* Bruce Schneier, Testimony before the U.S. House of Representatives
  Committee on Energy and Commerce, Subcommittee on Communications and
  Technology and Subcommittee on Commerce, Manufacturing, and Trade,
  November 16, 2016.
https://energycommerce.house.gov/hearings-and-votes/hearings/understanding-role-connected-devices-recent-cyber-attacks


Hackers Claim Theft of Data from Gorilla Glue (Motherboard)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Thu, 17 Nov 2016 13:16:21 -0700
https://motherboard.vice.com/read/hackers-claim-theft-of-data-from-gorilla-glue
Motherboard, 17 Nov 2016

Hackers say they have stolen a wealth of company and personal information
from US adhesive, glue, and tape company Gorilla Glue. The hackers have
previously tried to extort medical organizations by demanding a sizable
ransom payment in exchange for not releasing hacked data publicly.

“We have everything they ever created,” someone from the hacking group
The Dark Overlord told Motherboard in an online chat.

The hackers claim to have over 500GB of research and development materials,
including intellectual property and product designs, and access to Dropbox
and personal email accounts related to the family-run Gorilla Glue.


Biggest Spike in Traffic Deaths in 50 Years? Blame Apps

Monty Solomon <monty@roscom.com>
Wed, 16 Nov 2016 21:47:42 -0500
Highway deaths have surged in the last two years, and experts put much of
the blame on in-car use of smartphones and dashboard apps.
http://www.nytimes.com/2016/11/16/business/tech-distractions-blamed-for-rise-in-traffic-fatalities.html


iPhones Secretly Send Call History to Apple, Security Firm Says (Kim Zetter)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 17 Nov 2016 12:49:50 PST
https://theintercept.com/2016/11/17/iphones-secretly-send-call-history-to-apple-security-firm-says/


Re: iPhone 'Touch Disease' (RISKS-29.92)

Werner U <werneru@gmail.com>
Fri, 18 Nov 2016 16:21:56 +0100
Apple denies responsibility (Bryan Clark in The Next Web)

Bryan Clark, The Next Web, 18 Nov 2016
Apple finally acknowledges iPhone 'Touch Disease' problem ...by denying
responsibility

http://thenextweb.com/apple/2016/11/18/apple-finally-acknowledges-iphone-touch-disease-problem-by-denying-responsibility/

Also: TechCrunch, 17 Nov 2016
Apple addresses Touch Disease with reduced cost repair for iPhone 6 Plus
https://techcrunch.com/2016/11/17/apple-addresses-touch-disease-with-reduced-cost-repair-for-iphone-6-plus/
