The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 95

Tuesday 29 November 2016

Contents

Hacker demanded ransom from San Francisco Muni Metro
PGN
Locky ransomware uses decoy image files to ambush Facebook, LinkedIn
Tom Mendelsohn
New Variants of Cerber and Locky ransomware launched simultaneously
Check Point
NTSB on Aviation: Risks of checklists, especially when ignored
PGN
Brooklyn prosecutor caught wiretapping a love interest
The New York Times
Mr. Trump's Lies About the Vote
The New York Times
Inside a Fake News Sausage Factory: 'This Is All About Income'
Lauren Weinstein
Trump's presidential hires and advisors own a hell of a lot of fake news sites
BoingBoing
Fake News and the Internet Shell Game
The New York Times
Do away with the FCC?
The Washington Post via Eric Burger
Forget Net Neutrality, Trump FCC Advisor Wants to Kill the FCC Itself
Motherboard
Did Russian Agents Influence the U.S. Election with Fake News?
Vanity Fair
Re: Russian propaganda effort helped spread 'fake news' during election, experts say
Dick Mills
Why Trump and Fake News are Putting the Pressure on Facebook
Bloomberg
"How Fake and False News Distort Google and Others"
Lauren Weinstein
Macy's Website Suffers Disruptions During Critical Shopping Day
Bloomberg via Gabe Goldberg
Good at Skipping Ads? No, You're Not
The New York Times
Research Says Samsung Galaxy S7 Safest Smartphone, iPhone 7 Worst
Inquisitr
Re: More on election integrity
Mark E. Smith
Info on RISKS (comp.risks)

Hacker demanded ransom from San Francisco Muni Metro

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 29 Nov 2016 11:35:16 PST
The Muni Metro had 900 employee computer workstations hacked with
ransomware, with demands for payment of 100 bitcoins (roughly $73,000) to
unlock those computers.  The Muni Metro management took a strong and very
sensible strategy—refusing to pay, essentially rebuilding the entire
system from backups, and making all rides free in the interim.  Although the
demands warned that personal information would be released if the payment
were not made, DHS advisors suggested that access to PII was unlikely --
given the nature of the attack.

Andrew Storms (VP of New Context in San Francisco) is quoted: "Critical
infrastructure, both large and small, remains a target and is susceptible
to ransomware.  IBM has named transportation as a key cyber-target, given
that the sector is increasingly relying on computer-based control, and yet
security is such that hackers can cause a lot of damage with comparative
ease."

  [Source: Michael Cabanatuan and Marissa Lang, *San Francisco Chronicle*,
  29 Nov 2016, PGN-ed]

  [Other sources:
http://fortune.com/2016/11/28/muni-hack-san-francisco/
http://www.sfexaminer.com/muni-guarantees-customer-data-not-risk-hacker-sends-new-threat/
  ]

  [And who might still be saying "We don't need no steenkin' security!" --
  when what we have already really stinks.  PGN]


Locky ransomware uses decoy image files to ambush Facebook, LinkedIn accounts (Tom Mendelsohn)

Werner U <werneru@gmail.com>
Mon, 28 Nov 2016 22:50:18 +0100
Tom Mendelsohn, Ars Technica, 25 Nov 2016
Low-tech malware snares users via flaws in social networks' code to spread
automatically.
http://arstechnica.com/security/2016/11/locky-ransomware-decoy-image-files-boobytrap-facebook-linkedin/

According to the Israeli security firm Check Point, security flaws in the
two social networks allow a maliciously coded image file to download itself
to a user's computer.  Users who notice the download, and who then access
the file, cause malicious code to install "Locky" ransomware onto their
computers.  Check Point won't go into detail on how the exploit works until
the vulnerability is patched by LinkedIn and Facebook.

Ars has asked for comment from both Facebook and LinkedIn.  See also

http://blog.checkpoint.com/2016/11/24/imagegate-check-point-uncovers-new-method-distributing-malware-images/
http://arstechnica.co.uk/security/2016/04/nuclear-ransomware-exploit-kit-details/
http://arstechnica.co.uk/security/2016/02/locky-crypto-ransomware-rides-in-on-malicious-word-document-macro/
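The article above does not say how the decoy image file is built (Check Point withheld the details pending a fix), so the mechanism cannot be reproduced here. What a practitioner can do on the receiving end is refuse to trust a download on the strength of its name. The following is an added example, not code from Ars Technica, Check Point or the RISKS contributor: it takes a filename and the first bytes of the file and reports the generic masquerade indicators that any "image that installs ransomware" would have to exhibit at some layer, namely a double extension ending in something the OS will execute, content whose header does not match the image format the extension claims, a PE (`MZ`) header, or embedded HTML/script markup. The magic-byte table, the list of executable extensions and all sample inputs are constructed for the example and are assumptions, not taken from the page.

```python
import os

# Header bytes for common raster image formats (constructed table; extend as needed).
IMAGE_MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".bmp": [b"BM"],
}

# Extensions a Windows shell will run or hand to a script host on double-click
# (assumed list for this example, not an exhaustive one).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}


def check_image_download(filename: str, head: bytes) -> list[str]:
    """Return findings for a downloaded file that is presented as an image.

    `head` is the first few hundred bytes of the file; an empty list means
    nothing suspicious was seen at this (shallow) level of inspection.
    """
    findings = []
    name = filename.lower()
    base, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(base)[1]

    # 1. The real (last) extension is executable: the file is not an image at all.
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension {ext!r}")

    # 2. Double extension such as photo.jpg.js: file explorers that hide known
    #    extensions display this as "photo.jpg".
    if inner_ext in IMAGE_MAGIC and ext != inner_ext:
        findings.append(f"double extension {inner_ext + ext!r}")

    # 3. The extension claims an image format but the header bytes disagree.
    if ext in IMAGE_MAGIC and not any(head.startswith(m) for m in IMAGE_MAGIC[ext]):
        findings.append(f"content does not match {ext!r} header")

    # 4. Content-level tells that hold regardless of the name: a PE executable
    #    header, or HTML/script markup (which also catches script-bearing SVG).
    lowered = head.lstrip().lower()
    if lowered.startswith(b"mz"):
        findings.append("PE executable header")
    if b"<script" in lowered or b"<html" in lowered:
        findings.append("HTML/script content")

    return findings


if __name__ == "__main__":
    # Constructed sample downloads: one genuine PNG, one PE renamed to .png,
    # one script with a double extension.
    samples = [
        ("vacation.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
        ("vacation.png", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("vacation.jpg.js", b"var x = 1;"),
    ]
    for fname, head in samples:
        print(fname, "->", check_image_download(fname, head) or "ok")
```

The check is deliberately shallow (a header sniff, not a parser) so it can sit in a download hook or mail gateway; a file that passes it is only "not obviously lying about its type", which is the most such a check can promise.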


New Variants of Cerber and Locky ransomware launched simultaneously (Check Point)

Werner U <werneru@gmail.com>
Mon, 28 Nov 2016 23:07:33 +0100
Check Point Threat Intelligence Team, 24 Nov 2016
Two Thanksgiving presents from the leading ransomware
http://blog.checkpoint.com/2016/11/24/14959/


NTSB on Aviation: Risks of checklists, especially when ignored

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 26 Nov 2016 12:04:41 PST
http://www.ntsb.gov/investigations/AccidentReports/Pages/AAR1503.aspx
http://aviationweek.com/business-aviation/gulfstream-crash-triggers-finding-unsettling-data

  "Despite these positive comments, our investigation revealed an operation
  in which checklists and flight control checks were not accomplished by the
  flight crew, as specified in their training and the aircraft operations
  manual.  In order to successfully complete training, neither of these
  omissions would have been acceptable.  However, considering that each
  crewmember successfully completed recurrent training eight months before
  the crash, they obviously knew and demonstrated they were aware of these
  requirements."

It seems that checklists can be very important when observed, but still
somewhat of a placebo: The routine itself can be routinely treated rather
superficially.  The same thing applies to all safety-related procedures,
security upgrades, network reconfigurations, and more.  In addition,
training simulators may be inconsistent with reality, or at least have
emergency corner cases that might not be covered.


Brooklyn prosecutor caught wiretapping a love interest

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 29 Nov 2016 3:18:53 PST
http://www.nytimes.com/2016/11/28/nyregion/brooklyn-prosecutor-accused-of-using-illegal-wiretap-to-spy-on-love-interest.html


Mr. Trump's Lies About the Vote (The New York Times)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 29 Nov 2016 11:47:25 PST
Excerpts from today's editorial in *The New York Times*, 29 Nov 2016

  On Sunday, President-elect Trump unleashed a barrage of tweets complaining
  about calls for recounts or vote audits in several closely contested
  states, and culminating in this message: "In addition to winning the
  Electoral College in a landslide, I won the popular vote if you deduct the
  millions of people who voted illegally."

  This is a lie, part of Mr. Trump's pattern, stretching back many years, of
  disregard for indisputable facts.  There is no evidence of illegal voting
  on even a small scale anywhere in the country, let alone a systematic
  conspiracy involving "millions". [...]

  In addition to insulting law-abiding voters everywhere, these lies about
  fraud threaten the foundations of American democracy.

The entire editorial is worth reading, including the relative relevance of
the popular vote and the Electoral College.


Inside a Fake News Sausage Factory: 'This Is All About Income'

Lauren Weinstein <lauren@vortex.com>
Fri, 25 Nov 2016 21:46:44 -0800
via NNSquad
http://www.nytimes.com/2016/11/25/world/europe/fake-news-donald-trump-hillary-clinton-georgia.html

  Jobless and with graduation looming, a computer science student at the
  premier university in the nation of Georgia decided early this year that
  money could be made from America's voracious appetite for passionately
  partisan political news. He set up a website, posted gushing stories about
  Hillary Clinton and waited for ad sales to soar.  "I don't know why, but
  it did not work," said the student, Beqa Latsabidze, 22, who was savvy
  enough to change course when he realized what did drive traffic: laudatory
  stories about Donald J. Trump that mixed real—and completely fake—news
  in a stew of anti-Clinton fervor.


Trump's presidential hires and advisors own a hell of a lot of fake news sites (BoingBoing)

Lauren Weinstein <lauren@vortex.com>
Sat, 26 Nov 2016 09:50:19 -0800
via NNSquad
http://boingboing.net/2016/11/26/trumps-presidential-hires-an.html

  Floyd Brown invented the Reagan-era Willie Horton lie, helped create the
  Citizens United group, and now owns Liftable Media, including sites like
  Conservative Tribune (50th most-trafficked site in the USA) and Western
  Journalism (81st), whence came fake news stories like the lie that Obama
  had altered the White House logo to include a white flag of surrender (the
  logo change came from GWB's White House); the lie that Muslims had been
  "ordered" to vote for Hillary; the lie that Obama had encouraged
  millennial non-citizen Latinos to vote without fear of reprisals; the lie
  that Clinton had a Vegas "drug holiday" before the debate; the lie that
  Obama's birth certificate was not accepted by experts as genuine --
  Brown's sites are all included in Facebook's verified news sources.  Brown
  is a Trump advisor, also identified by Trump's spokesperson as "a close
  friend."

    [Don't forget Swift-boating.  We've had lots of opportunities to
    recognize the problem.  PGN]


Fake News and the Internet Shell Game (The New York Times)

Lauren Weinstein <lauren@vortex.com>
Mon, 28 Nov 2016 18:00:47 -0800
via NNSquad
http://www.nytimes.com/2016/11/28/opinion/fake-news-and-the-internet-shell-game.html

  The use of social media to spread political misinformation online is
  partly just a giant shell game.  Propagandists often don't care whether
  everyone, or even most people, really believe the specific things they are
  selling (although it turns out that lots of people always do).  They don't
  have to get you to actually believe the penny is under the wrong
  shell. They just have to get you confused enough so that you don't know
  what is true. That's still deception. And it is this kind of deception
  that dreadful for-profit conspiracy sites like Liberty Writers News have
  been particularly adept at spreading.  Sure, some percentage of people
  actually believed the content of such sites (for instance, that Hillary
  Clinton was behind the death of a federal agent). But a far greater number
  of people came away ever so slightly more doubtful of what is true. They
  didn't believe Hillary Clinton ordered a hit, but they didn't disbelieve
  it either. It simply became part of the background, one more unsettled
  question.


Do away with the FCC?

Eric Burger <eburger@standardstrack.com>
Tue, Nov 22, 2016 at 10:46 PM
(via Dave Farber)
https://www.washingtonpost.com/news/the-switch/wp/2016/11/22/we-dont-need-the-fcc-a-trump-advisers-proposal-to-dissolve-americas-telecom-watchdog/

Brian Fung, *The Washington Post*, 22 Nov 2016
We don't need the FCC: A Trump adviser's proposal to dissolve America's
telecom watchdog

A top adviser to Donald Trump on tech policy matters proposed all but
abolishing the nation's telecom regulator last month, foreshadowing possible
moves by the president-elect to sharply reduce the Federal Communications
Commission's role as a consumer protection watchdog.

In a 21 Oct 2016 blog post, Mark Jamison, who on Monday was named one of two
members of Trump's tech policy transition team, laid out his ideal vision
for the government's role in telecommunications, concluding there is little
need for the agency to exist.
<http://www.techpolicydaily.com/communications/do-we-need-the-fcc/>


Forget Net Neutrality, Trump FCC Advisor Wants to Kill the FCC Itself (Motherboard)

Lauren Weinstein <lauren@vortex.com>
Wed, 23 Nov 2016 13:17:37 -0800
via NNSquad
http://motherboard.vice.com/read/forget-net-neutrality-trump-fcc-advisor-wants-to-kill-the-fcc-itself

  Open Internet advocates reacted with alarm to Jamison's proposal to
  abolish most of the FCC. "Such a proposal is dripping with irony, given
  that the dominant ISPs consistently rank among the most hated companies by
  consumers, ripping off their subscribers in numerous creative ways,"
  Lauren Weinstein, a veteran tech policy expert and net neutrality
  advocate, told Motherboard. "One of the few checks on their abuses has
  been the FCC." "Reducing the FCC's authority in this context would be a
  sure path toward the rich getting richer and subscribers being shafted
  even worse than they are today," Weinstein added. An FCC spokesperson
  declined to comment on Jamison's proposal.


Did Russian Agents Influence the U.S. Election with Fake News? (Vanity Fair)

Lauren Weinstein <lauren@vortex.com>
Sat, 26 Nov 2016 13:10:49 -0800
via NNSquad
http://www.vanityfair.com/news/2016/11/fake-news-russia-donald-trump

  Two new reports suggest that the Russian government tried to destroy
  Hillary Clinton's reputation and tilt the election towards Donald Trump.
  ...

  Facebook and Google have been falling over themselves in the past few
  weeks, trying to figure out how to solve their fake-news problem. Now the
  scope of their challenges [is] coming into view: a new report from two
  groups of independent researchers suggests that the two platforms were
  leveraged by propagandists, funded by the Russian government, to influence
  the outcome of the U.S. presidential election by filling Americans' news
  feeds with false stories intended to sow distrust of democracy.  The
  Foreign Policy Research Institute and PropOrNot, a nonpartisan group of
  researchers, independently provided reports to The Washington Post that
  detailed a sophisticated, multi-pronged disinformation campaign designed
  to propagate two specific messages: first, that Hillary Clinton was
  deathly ill and was secretly plotting to turn America into a plutocracy
  run by "shadowy financiers"; and second, that the world was on the brink
  of a war with Russia. The groups traced 200 of the biggest fake news
  websites to the Russian government, as well as a group of botnets and
  human "trolls", which planted stories and reached at least 15 million
  Americans. (For a sense of scale, more than 135 million people voted in
  2016. Clinton appears likely to win the popular vote by more than two
  million ballots despite decisively losing the electoral college.)


Re: Russian propaganda effort helped spread 'fake news' during election, experts say

Dick Mills <dickandlibbymills@gmail.com>
Mon, 28 Nov 2016 08:44:15 -0500
Alas, truth is so much in the eye of the beholder.

The Washington Post said: "Two teams of independent researchers found that
the Russians exploited American-made technology..."

https://www.washingtonpost.com/business/economy/russian-propaganda-effort-helped-spread-fake-news-during-election-experts-say/2016/11/24/793903b6-8a40-4ca9-b712-716af66098fe_story.html

But *The Intercept* suggests that the Post's source is a group of fake
researchers.

"In casting the group behind this website as *experts*, The Post described
PropOrNot simply as "a nonpartisan collection of researchers with foreign
policy, military and technology backgrounds."  Not one individual at the
organization is named. The executive director is quoted, but only on the
condition of anonymity, which the Post said it was providing the group "to
avoid being targeted by Russia's legions of skilled hackers."

https://theintercept.com/2016/11/26/washington-post-disgracefully-promotes-a-mccarthyite-blacklist-from-a-new-hidden-and-very-shady-group/

Why do we beat ourselves up arguing about truth rather than facts?  Bare
facts need no explanation, no context, no commentary, no characterizations,
are never misleading, and do not constitute propaganda, lessons, or public
education.  A fact by definition is something that can be verified by third
parties, and all third parties can be expected to come to the same
conclusion.

To me, a trusted news source sticks to bare facts and abstains from all
embellishments.  But in my lifetime, I've never seen such a news source.

We can all agree about facts, but never agree on the truth.

Dick Mills, Sailing Vessel Tarwathie


Why Trump and Fake News are Putting the Pressure on Facebook (Bloomberg)

"Dave Farber" <farber@gmail.com>
Sat, 26 Nov 2016 13:45:00 -0500
Bloomberg, 25 Nov 2016

Following criticism that fake news had an impact on the U.S. election,
Facebook has promised to tackle phony articles. Bloomberg's Ramy Inocencio
reports on "Bloomberg Daybreak: Asia."  Fake news is big news these days.
There's an emotional debate over the explosion of information on the
Internet—and on social media sites in particular—that's provably false
or intentionally misleading. As content of dubious authenticity swirls on
platforms like Facebook, Twitter and Google, many in the media worry
consumers may lose trust in stories that are actually true. Maybe most
uncomfortable are the social media companies, Facebook especially. They make
millions in ad revenue by distributing information, but the last thing they
want are the responsibilities that come with being a publisher, like
ensuring stories are accurate.

To read the entire article, go to http://bloom.bg/2fx6BRu



Lauren's Blog: "How Fake and False News Distort Google and Others"

Lauren Weinstein <lauren@vortex.com>
Fri, 25 Nov 2016 14:01:48 -0800
via NNSquad
https://lauren.vortex.com/2016/11/25/how-fake-and-false-news-distort-google-and-others

With all of the current discussions regarding the false and fake news glut
on the Internet—often racist in nature, some purely domestic in origin,
some now believed to be instigated by Putin's Russia—it's obvious that
the status quo for dealing with such materials is increasingly untenable.

But what to do about all this?

As I have previously discussed, my general view is that more information—not
less—is the best solution to these distortions that may have easily
turned the 2016 election on its head.

https://lauren.vortex.com/2016/11/16/crushing-the-internet-liars

Labeling, tagging, and downranking of clearly false or fake posts is an
approach that can help to reduce the tendency for outright lies to be
treated equivalently with truth in social media and search engines.  These
techniques also avoid invoking the actual removal of lying items themselves
and the "censorship" issues that then may come into play (though private
firms quite appropriately are indeed free to determine what materials they
wish to permit and host—the First Amendment only applies to governmental
restraints on speech in the USA).

How effective might such labeling be? Think about the labeling of "fake
news" in the same sort of vein as the health warnings on cigarette packs. We
haven't banned cigarettes. Some people ignore the health warnings, and many
people still smoke in the USA. But the number of people smoking has dropped
dramatically, and studies show that those health warnings have played a
major role in that decrease.

Labeling fake and false news to indicate that status—and there's a vast
array of such materials where no reasonable arguments that they are not
untrue can reasonably exist—could have a dramatic positive
impact. Controversial? Yep. Difficult? Sure. But I believe that this can be
approached gradually, starting with top trending stories and top search
results.

A cure-all? No, just as cigarette health warnings haven't been cure-alls.
But many lives have still been saved. And the same applies to dealing with
fake news and similar lies masquerading as truthful posts.

Naysayers suggest that it's impossible to determine what's true or isn't
true on the Internet, so any attempts to designate anything that's posted as
really true or false must fail. This is nonsense. And while I've previously
noted some examples (Man landing on the moon, Obama born in Hawaii) it's not
hard to find all manner of politically-motivated lies that are also easy to
ferret out as well.

For example, if you currently do a Google search (at least in the USA) for:
    Southern Poverty Law Center
You will likely find an item on the first page of results (even before some
of the SPLC's own links) from online [...] Breitbart—whose [...]
Steve Bannon has now been given a senior role in the upcoming Trump
administration.

The link says:
    FBI Dumps Southern Poverty Law Center as Hate Crimes Resource

Actually, this is a false story, dating back to 2014. It's an item that was
also picked up from Breitbart and republished by an array of other racist
sites who hate the good work of the SPLC fighting both racism and hate
speech.

Now, look elsewhere on that page of Google search results—then on the
next few pages. No mention of the fact that the original story is false,
that even the FBI itself issued a statement noting that they were still
working with the SPLC on an unchanged basis.

Instead of anything to indicate that the original link is promoting a false
story, what you'll mostly find on succeeding pages is more anti-SPLC
right-wing propaganda.

This situation isn't strictly Google's fault. I don't know the innards of
Google's search ranking algorithms, but I think it's a fair bet that "truth"
is not a major signal in and of itself. More likely there's an implicit
assumption—which no longer appears to necessarily hold true—that
truthful items will tend to rise to the top of search results via other
signals that form inputs to the ranking mechanisms.

In this case, we know with absolute certainty that the original story on
page one of those results is a continuing lie, and the FBI has confirmed
this (in fact, anyone can look at the appropriate FBI pages themselves and
categorically confirm this fact as well).

Truth matters. There is no equivalency between truth and lies, or otherwise
false or faked information.

In my view, Google should be dedicated to the promulgation of widely
accepted truths whenever possible. (Ironic side note: The horrible EU "Right
To Be Forgotten"—RTBF—that has been imposed on Google, is itself
specifically dedicated to actually hiding truths!)

As I've suggested, the promotion of truth over lies could be accomplished
both by downranking of clearly false items, and/or by labeling such items as
(for example) "DEEMED FALSE"—perhaps along with a link to a page that
provides specific evidence supporting that label (in the SPLC example under
discussion, the relevant page of the FBI site would be an obvious link
candidate).

None of this is simple. The limitations, dynamics, logistics, and all other
aspects of moving toward promoting truth over lies in social media and
search results will be an enormous ongoing effort—but a critically
crucial one.

The fake news, filter bubbles, echo chambers, and hate speech issues that
are now drowning the Internet are of such a degree that we need to call a
major summit of social media and search firms, experts, and other concerned
parties on a multidisciplinary basis to begin hammering out practical
industry-wide solutions. Associated working groups should be established
forthwith.

If we don't act soon, we will be utterly inundated by the false "realities"
that are being created by evil players in our Internet ecosystems, who have
become adept at leveraging our technology against us—and against truth.

There is definitely no time to waste.


Macy's Website Suffers Disruptions During Critical Shopping Day (Bloomberg)

Gabe Goldberg <gabe@gabegold.com>
Fri, 25 Nov 2016 20:19:12 -0500
Bloomberg, 25 Nov 2016
http://bloom.bg/2gpFtFp

The Macy's Inc. website suffered service disruptions on Black Friday,
dealing a setback to a company trying to persuade shoppers—and
investors—that it can handle e-commerce.

Different sort of DDoS—too many customers!


Good at Skipping Ads? No, You're Not

Monty Solomon <monty@roscom.com>
Sun, 27 Nov 2016 01:39:13 -0500
http://www.nytimes.com/2016/11/25/books/review/black-ops-advertising-mara-einstein.html


Research Says Samsung Galaxy S7 Safest Smartphone, iPhone 7 Worst

Monty Solomon <monty@roscom.com>
Sun, 27 Nov 2016 10:23:40 -0500
http://www.inquisitr.com/3747881/research-says-samsung-galaxy-s7-edge-safest-smartphone-iphone-7-one-of-the-worst/


Re: More on election integrity (PGN, RISKS 29.94)

"Mark E. Smith" <mymark@gmail.com>
Fri, 25 Nov 2016 19:05:52 -0800
In https://www.washingtonpost.com/posteverything/wp/2016/11/23/u-s-elections-are-a-mess-whether-this-one-was-hacked-or-not/

Bruce Schneier wrote:

"The risks are real: Electronic voting machines that don't use a paper
ballot are vulnerable to hacking."

True. But elections using electronic voting machines that do use paper
ballots are also vulnerable to hacking, because the voting machines only
record the votes, they do not count or tally them. That function is
performed by central tabulators, and central tabulators are also computers
that have been proven vulnerable to hacking.

In fact, all computers are vulnerable to hacking. If there were any
hack-proof computers, governments, intelligence agencies, banks, and big
corporations would buy them, and dispense with the services of security
technologists like Bruce Schneier.

  [And as we keep learning, election integrity is a total-system problem,
  from beginning to end, where every step has potential vulnerabilities --
  as I have repeatedly pointed out here.  Even if we had hack-proof
  computers (which would still be susceptible to insider misuse), there are
  many problems that are completely non-computer-related.  PGN]
