A plane crash, killing almost an entire Brazilian football team, has been explained. The plane operators violated some standards. They neglected to have a refueling stop, and the plane plain ran out of fuel. There's been some finger pointing about that. An airport official said she warned the plane crew that they needed to fuel up before leaving, but the crew assured her they had enough. The government is blaming her for not doing what she said she did, so she has fled across a border seeking asylum. https://en.wikipedia.org/wiki/LaMia_Flight_2933 https://www.youtube.com/watch?v=h9oPQSanKUo http://www.mirror.co.uk/news/world-news/chapecoense-plane-crashed-due-lack-9362053
PwC has issued a denial that there is anything wrong with their software. How do we know there's any truth in their denial? I suppose it is inconceivable to an audit firm that anyone ought to audit them. Normally when flaws are found in a corporate software package, clients report the problem to tech support, and the situation gets fixed, and the fix can be tested. Here a company is not providing normal industry standard support. They want people to take their word for it that their software is fine, even when evidence has been revealed to them that there is a problem. This is reminiscent of the Volkswagen cover-up that their cars could be stolen via hacking the auto door locks. Did they ever fix that?

Iain Thomson, *The Register*, 9 Dec 2016
Fatal flaw found in PricewaterhouseCoopers SAP security software
Instead of fixing the issue, PwC lawyered up
http://www.theregister.co.uk/2016/12/09/fatal_flaw_in_pricewaterhousecoopers_sap_software/
http://opensources.info/pricewaterhousecoopers-software-flaw-can-allow-hackers-to-manipulate-accounting-result-claims-report/
http://www.ibtimes.co.uk/flaw-pricewaterhousecoopers-software-can-allow-hackers-manipulate-accounting-results-report-1595830

A security tool built for SAP systems by PricewaterhouseCoopers has turned out to have worrying security holes of its own. German security research firm ESNC has been analyzing the Automated Controls Evaluator (ACE), which extracts relevant security and configuration data from an SAP system, analyzes it, and generates exception reports for review. But there appears to be a high-risk hole in the software. "This security vulnerability may allow an attacker to manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions," ESNC said in an advisory.
http://seclists.org/fulldisclosure/2016/Dec/33 https://www.esnc.de/ "This activity may result in fraud, theft or manipulation of sensitive data including PII such as customer master data and HR payroll information, unauthorized payment transactions and transfer of money."

Comments to the Register article ask:
* How can the PWC software be so badly written as to allow this to happen? Does it have anything to do with the company being run by non-tech people?
* How can PWC be so clueless about fixing flawed software that they'd rather lawyer up than fix it? ESNC gave them 90 days after discovery and notification before going public.
* The next time anyone finds a PWC vulnerability, they won't do them the courtesy of notification and reasonable time to fix; they'll just go public to warn other PWC customers.
* Search for "PWC scandal" to find lots of times this company has been in big trouble already.
* There was a question about lawyer hacker vulnerability, from someone who must be unaware that there has already been massive hacking of major law firms, to facilitate such things as crooked insider trading, and telling the world about the Panama Papers.

Here's info about SAP: https://en.wikipedia.org/wiki/SAP_SE For a company to be exposed to this vulnerability, they'd have to be running on SAP with PwC's ACE. Here's a directory of industries served by PWC: http://www.pwc.com/us/en/industry.html
Another installment from the "When will they ever learn" files: Netgear R7000 and R6400 routers have been found to contain an "arbitrary command injection" vulnerability. CERT Vulnerability Note VU#582384, entitled "Multiple Netgear routers are vulnerable to arbitrary command injection", describes the details of the vulnerability, for which an exploit example is available. As reported by the CERT notice, there is presently no corrected firmware available for the devices. CERT recommends that the use of affected devices be discontinued until such time as a fix is available. The CERT Notice can be found at: https://www.kb.cert.org/vuls/id/582384 Bob Gezelter, http://www.rlgsc.com
Nathaniel Popper, The New York Times, 7 Dec 2016 Companies are vying to create automated financial assistants that employ artificial intelligence; one was directly inspired by science fiction. http://www.nytimes.com/2016/12/07/business/dealbook/automated-assistants-will-soon-make-a-bid-for-your-finances.html
Cecilia Kang, The New York Times, 13 Dec 2016 Under the rules, cars would be able to use wireless technology to detect if another vehicle was moving too fast in their direction and headed for a collision. http://www.nytimes.com/2016/12/13/technology/cars-talking-to-one-another-they-could-under-proposed-safety-rules.html
AP item via The Boston Globe, 9 Dec 2016 https://www.boston.com/news/local-news/2016/12/09/aclu-sues-rhode-island-over-computer-benefits-system-delays
John Markoff, *The New York Times*, 11 Dec 2016 A Massachusetts start-up is part of a new wave of efforts in the United States, Europe, and Asia to improve battery technologies as consumers demand more from phones and cars. http://www.nytimes.com/2016/12/11/technology/designing-a-safer-battery-for-smartphones-that-wont-catch-fire.html
via NNSquad http://www.npr.org/2016/12/14/505547295/fake-news-expert-on-how-false-stories-spread-and-why-people-believe-them?utm_medium=RSS&utm_campaign=news Craig Silverman of BuzzFeed News has spent years studying media inaccuracy. He explains how false stories during the presidential campaign were spread on Facebook and monetized by Google AdSense.
Google Won't Alter the Holocaust-Denying Results For 'Did the Holocaust Happen' https://plus.google.com/+LaurenWeinstein/posts/WcQYp9A7YJs?sfc=true http://gizmodo.com/google-wont-alter-the-holocaust-denying-results-for-di-1790025043 SHAME ON YOU, GOOGLE! - While I agree with your decision to not remove the lying hate speech link in question, you should clearly label it as being false, a lie, or at least as having no credibility. Call it "CredRank" Zero if you wish, but the fact is that most users of Google implicitly trust you so much that they assume you wouldn't rank vile, lying crap at the top of your search results. You know and I know that those top results don't mean that they are "correct"—and they don't mean that you endorse them. But it is widely believed that what Google puts at the top can be trusted. Once upon a time, you dealt with the search term "Jew" by including a note about related hate speech. The time has come for Google to lead the way against hate speech and fake news. Here's how I hope you will do so: "Action Items: What Google, Facebook, and Others Should Be Doing RIGHT NOW About Fake News": See also: https://www.theguardian.com/commentisfree/2016/dec/11/google-frames-shapes-and-distorts-how-we-see-world https://lauren.vortex.com/2016/12/06/action-items-what-google-facebook-and-others-should-be-doing-right-now-about-fake-news
Officials fear cyber-meddling by Moscow in upcoming elections in France, the Netherlands and Germany. http://www.politico.eu/article/europe-russia-hacking-elections/

Politico's cybersecurity newsletter today + an alternative intelligence view re direct Russian involvement

COMMISSIONS, SELECT COMMITTEES AND MORE - There are now no fewer than five different proposals for how Congress might push an investigation into alleged Russian election meddling and related cybersecurity issues. Sens. Ben Cardin, Dianne Feinstein and Patrick Leahy on Monday proposed an independent commission, with a different name but similar makeup to one proposed in the House by Reps. Eric Swalwell and Elijah Cummings. Sen. Cory Gardner on Monday again called for the creation of a Permanent Select Committee on Cybersecurity, inspired in part by the campaign hacks. Senate Armed Services Chairman John McCain over the weekend suggested a select committee that would exist only temporarily to investigate election hacking. <http://go.politicoemail.com/?qs=d883538c4ff44c757157576daf15c07e7cebeb350829b9daf76541e83acbadf3> <http://go.politicoemail.com/?qs=d883538c4ff44c752de20738b20c61f9510ec56d15e297be05b621c5b9dc2b3b> <http://go.politicoemail.com/?qs=d883538c4ff44c751dd7073f06fd6b0e4196144b3624873cfd672901867c50dc>

Some of those proposals might yet become reality, but what looks most likely in the near term is the idea endorsed by Senate Majority Leader Mitch McConnell, where the Senate Intelligence Committee would lead an investigation into potential foreign influence in the election and Senate Armed Services delving into the more general threat of cyberattacks. <http://go.politicoemail.com/?qs=d883538c4ff44c753afdab49117411747a0ed6040025628e14a527055dbcf7f3> In the House, the most likely result is no special investigation at all. [...]
http://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html Hundreds of similar phishing emails were being sent to American political targets, including an identical email sent on March 19 to Mr. Podesta, chairman of the Clinton campaign. Given how many emails Mr. Podesta received through this personal email account, several aides also had access to it, and one of them noticed the warning email, sending it to a computer technician to make sure it was legitimate before anyone clicked on the "change password" button. "This is a legitimate email," Charles Delavan, a Clinton campaign aide, replied to another of Mr. Podesta's aides, who had noticed the alert. "John needs to change his password immediately." With another click, a decade of emails that Mr. Podesta maintained in his Gmail account (a total of about 60,000) were unlocked for the Russian hackers. Mr. Delavan, in an interview, said that his bad advice was a result of a typo: He knew this was a phishing attack, as the campaign was getting dozens of them. He said he had meant to type that it was an "illegitimate" email, an error that he said has plagued him ever since.
Pardon me for maybe missing something, but is Russia's (possibly) hacking the election really the key problem? The issue is not that Russia has (possibly) hacked the election, the issue is that it is deemed perfectly possible it could. I may be kicking in an open door here, but if a vital democratic mechanism is so mistrusted that any statement of it being hacked is deemed credible (and from the reports I've seen of some voting systems there's indeed reason to believe it possible), isn't that a big hint that things need fixing rather urgently? Writing accusingly about an increase of burglaries in your neighbourhood might sell more newspapers but personally, I would rather make sure my locks are up to scratch. [Many locks are vulnerable, and they should be scratched! PGN]
Eric Lipton, David E. Sanger and Scott Shane, *The New York Times*, 13 Dec 2016 http://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html An investigation by *The New York Times* reveals missed signals, slow responses and a continuing underestimation of the seriousness of a campaign to disrupt the 2016 presidential election.
In Germany, there is an Internet campaign to bring down political blogs considered to be "right-wing"; its hashtag is #KeinGeldfuerRechts (no money for the right wing). The campaign contacts companies whose advertising is displayed on these websites, and asks them to consider if they really want their names to be displayed on these websites. Some of the blogs that have seen advertising revenues drop dramatically due to this campaign are "Die Achse des Guten" (the Axis of Good, https://www.achgut.com/) and "Tichys Einblick" (Tichy's insight, http://www.tichyseinblick.de/). The campaign is headed by an advertising executive, Gerald Hensel, who works for Scholz & Partners. The company is currently suffering something of a sh..storm for failing to distance itself sufficiently from their executive. In the meantime, the website calling for the advertising boycott, http://davaidavai.com, has been switched to password-only access. The risks? Trying to shut up your political opposition by targeting their advertising funds may work (which is not a pleasant thought), or it may backfire.
Steve Bittenbender, Government Security News, 13 Dec 2016 On the same day Lockheed Martin delivered two F-35s to Israel, President-elect Donald Trump took the country's largest government contractor to task for its handling of the fighter jet program's finances. "The F-35 program and cost is out of control. Billions of dollars can and will be saved on military (and other) purchases after January 20th," Trump posted on Twitter Monday morning. [...] http://gsnmagazine.com/article/47572/trumps_f_35_tweet_sends_lockheed_martin_stock_tail
(Previous item in RISKS-29.63: Ashley Madison Admits It Lured Customers With 70,000 Fake 'Fembots' PGN) Federal Trade Commission https://www.ftc.gov/news-events/press-releases/2016/12/operators-ashleymadisoncom-settle-ftc-state-charges-resulting The operators of the Toronto-based AshleyMadison.com dating site have agreed to settle Federal Trade Commission and state charges that they deceived consumers and failed to protect 36 million users' account and profile information in relation to a massive July 2015 data breach of their network. The site has members from over 46 countries. The settlement requires the defendants to implement a comprehensive data-security program, including third-party assessments. In addition, the operators will pay a total of $1.6 million to settle FTC and state actions. "This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide," said FTC Chairwoman Edith Ramirez. "The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better-protect its users' personal information from criminal hackers going forward." In addition to the provisions prohibiting the alleged misrepresentations and requiring a comprehensive security program, the proposed federal court order imposes an $8.75 million judgment which will be partially suspended upon payment of $828,500 to the Commission. If the defendants are later found to have misrepresented their financial condition, the full amount will immediately become due. An additional $828,500 will be paid to the 13 states and the District of Columbia.
I have a couple of thoughts on why it might not be fixed yet. I've never done software for aircraft, just for medical devices (so my software has never been able to kill more than one person at a time):

1) I don't know what the lead time on a software release for an aircraft is. I'm betting their review and testing rules are pretty tight and take quite a while. Even if they've got the bug fixed, it may take quite some time to see the fix in the field.

2) We don't know what, exactly, is going on, but assuming it's the signed value as described, it seems likely that it could take quite a while to be sure you've got all the instances where those time values are mis-used. Depending on how use of that value is structured (for instance, the routine that returns time might be returning a signed value), fixing it might end up touching large portions of the system, thereby triggering massive amounts of code review.

3) Even if they fix it, are they sure enough of the fix? I'm sure it's tempting for Boeing to say 'well, we'll roll out the fix, but keep the reboot rule so that if we missed anything we don't get blamed'.

4) Even if there's a fix, the airlines may not have rolled it out. I've no idea what an airline does for software patching a plane, but I'm betting it's a more complex endeavor than just getting the files from Boeing and taking them out to the plane.

So there are a lot of reasons why a fix might not be in the field yet.
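The "signed value" hypothesis in the item above, illustrated as an added example that is not from the original post and is not Boeing's code. The scenario is constructed: a free-running 32-bit tick counter at an assumed 100 ticks per second, handed out by a hypothetical legacy accessor (`legacy_ticks`) as a signed `int32_t`. It shows why an elapsed-time or timeout computation written against the signed reading silently stops working once the counter crosses 2^31, why the same arithmetic on the unsigned counter is correct across wraparound, and how to compute the uptime at which a signed reading first goes negative, which is the figure a reviewer wants when auditing every place such a value is used.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed scenario (not Boeing's code or figures): a free-running
 * 32-bit hardware tick counter that increments TICKS_PER_SECOND times a
 * second. A legacy accessor hands the same bits out as a signed int32_t. */
#define TICKS_PER_SECOND 100u          /* assumed 10 ms tick */

/* Hypothetical legacy accessor: same bits, signed type. Past 0x7FFFFFFF the
 * reading turns negative (modular conversion on two's-complement targets). */
static int32_t legacy_ticks(uint32_t hw_counter) { return (int32_t)hw_counter; }

/* Naive elapsed time on the signed reading. Done in 64 bits so the wrong
 * answer is reproducible instead of undefined behaviour: once the counter
 * wraps, "now" reads smaller than "start" and the result is negative. */
static int64_t elapsed_signed(int32_t start, int32_t now) {
    return (int64_t)now - (int64_t)start;
}

/* Wrap-safe elapsed time: unsigned subtraction is modular, so it is correct
 * for any interval shorter than 2^32 ticks, whether or not the counter wrapped. */
static uint32_t elapsed_unsigned(uint32_t start, uint32_t now) {
    return now - start;
}

/* The same timeout check written against each accessor. */
static bool timeout_expired_signed(int32_t start, int32_t now, int64_t limit) {
    return elapsed_signed(start, now) >= limit;   /* never true after wrap */
}
static bool timeout_expired_unsigned(uint32_t start, uint32_t now, uint32_t limit) {
    return elapsed_unsigned(start, now) >= limit;
}

/* Days of continuous uptime before a signed reading of the counter goes
 * negative, for a given tick rate: the audit figure for code like this. */
static uint32_t signed_overflow_horizon_days(uint32_t ticks_per_second) {
    return (uint32_t)INT32_MAX / ticks_per_second / 86400u;
}

int main(void) {
    /* A 5-second timeout armed 1 second before the sign bit flips. */
    uint32_t start = 0x7FFFFFFFu - 100u;
    uint32_t now   = start + 5u * TICKS_PER_SECOND;   /* 5 s later, past 2^31 */
    int64_t  limit = 5 * TICKS_PER_SECOND;

    printf("signed elapsed   = %lld ticks, expired=%d\n",
           (long long)elapsed_signed(legacy_ticks(start), legacy_ticks(now)),
           timeout_expired_signed(legacy_ticks(start), legacy_ticks(now), limit));
    printf("unsigned elapsed = %u ticks, expired=%d\n",
           elapsed_unsigned(start, now),
           timeout_expired_unsigned(start, now, (uint32_t)limit));
    printf("signed reading goes negative after %u days at %u ticks/s\n",
           signed_overflow_horizon_days(TICKS_PER_SECOND), TICKS_PER_SECOND);
    return 0;
}
```

The point of keeping the naive version is that it compiles, passes every short-duration test, and only fails after the counter has run long enough to flip the sign bit, which is exactly why point 2 above expects a sweep of every consumer of the value rather than a one-line patch. The horizon function turns the counter width and tick rate into a concrete uptime, so a reviewer can check whether the operational reboot interval actually sits below it.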
Ronald Rivest has suggested an interesting analogy between law-enforcement agencies controlling cryptographic techniques and similar controls being imposed on ball bearings. I think this analogy is actually much closer than intended: The specific examples given in the item make ball-bearing controls sound completely nonsensical. However, high-grade ball bearings and related manufacturing equipment *are* in fact quite tightly controlled, and with some good reasons. The US Department of Commerce list of export controls on ball bearings and related technologies runs to some ten pages: https://www.bis.doc.gov/index.php/forms-documents/doc_view/734-ccl2 Similar restrictions are imposed by all countries participating in the Wassenaar agreement: http://www.wassenaar.org/wp-content/uploads/2015/08/WA-LIST-15-1-2015-List-of-DU-Goods-and-Technologies-and-Munitions-List.pdf Violating these rules can land you in some serious trouble.
Thanks to Serguei Patchkovskii for the information regarding the controls on the export of ball bearings. I was unaware of the existence of these controls. The controls on ball bearings have to do with their tolerances primarily. The cryptographic analogue would probably be a control on key-size. Since ball bearings are to be part of a manufactured product, while cryptographic schemes are there to defeat an adversarial attack, the restriction of commercial users to 'weak' crypto isn't really a good idea.