Ellen Nakashima, Karoun Demirjian and Philip Rucker, *The Washington Post*, 5 Jan 2017, via NNSquad https://www.washingtonpost.com/world/national-security/top-us-cyber-officials-russia-poses-a-major-threat-to-the-countrys-infrastructure-and-networks/2017/01/05/36a60b42-d34c-11e6-9cb0-54ab630851e8_story.html The country's top intelligence official said Thursday that Russia's meddling in the 2016 election consisted of hacking, as well as the spreading of traditional propaganda and "fake news." "That's classical tradecraft that the Russians have long used," said Director of National Intelligence James R. Clapper Jr, testifying before the Senate Armed Services Committee on foreign cyber threats, and especially Russian hacking and interference in the election ... A classified report on Russian intelligence interference in the election has been prepared for President Obama, who is due to receive it Thursday. Clapper said that intelligence officials "plan to brief the congress and release an unclassified version of this report to the public early next week." [The original unclassified FBI-DHS Summary Technical Report on Russian Hacking is here: https://assets.documentcloud.org/documents/3248260/DHS-FBI-analysis-of-Russian-hackers.pdf]
Here's the unclassified backup report. https://www.dni.gov/files/documents/ICA_2017_01.pdf Background to "Assessing Russian Activities and Intentions in Recent US Elections": The Analytic Process and Cyber-Incident Attribution
David E. Sanger, *The New York Times*, 6 Jan 2017 http://www.nytimes.com/2017/01/06/us/politics/russia-hack-report.html Intelligence Report on Russian Hacking http://www.nytimes.com/interactive/2017/01/06/us/politics/document-russia-hacking-report-intelligence-agencies.html
via NNSquad http://thehill.com/policy/cybersecurity/313002-wikileaks-opposed-to-cia-leaking-report-info-to-nbc An NBC report last night touted "An exclusive, inside look" at the report connecting the Russian government to breaches of Democratic National Convention and other servers during election season, sourced to two intelligence community sources. The NBC broadcast included claims that Russia attacked the White House and that Russia had dual motives in the attack: disrupting the campaign and revenge on the Obama administration for delegitimizing Russian President Vladimir Putin throughout his administration.
*USA Today* via NNSquad http://www.usatoday.com/story/tech/news/2017/01/06/wikileaks-threatens-publish-twitter-users-personal-info/96254138/ WikiLeaks is taking heat for saying it wants to publish the private information of hundreds of thousands of verified Twitter users. A Twitter account associated with the group said an online database would include such sensitive details as family relationships and finances.
https://www.dhs.gov/news/2017/01/06/statement-secretary-johnson-designation-election-infrastructure-critical [RISKS goes back to volume 1 number 1 on this topic!]
Buzzfeed via NNSquad https://www.buzzfeed.com/josephbernstein/donald-trumps-twitter-account-is-a-security-disaster-waiting?utm_term=.jbj22Q3K3#.gh944d3v3 The most powerful publication in the world today is Donald Trump's personal Twitter account. In the past six weeks, it has moved markets, conducted shadow foreign policy, and reshaped the focus of media around the world. Just today, it caused Toyota's stock to drop. It is also shockingly insecure. That insecurity was acceptable when @realDonaldTrump concerned itself with Kristen Stewart cheating on Robert Pattinson and how thin people don't drink Diet Coke. And yet Trump's newfound influence -- combined with the unpredictability of his tweets—makes the president-elect's account a particularly tempting target for hackers. That's especially true because there is a large fortune that could be made in a single 140-character message. If someone were able to gain access to Trump's Twitter, they could tweet approvingly or disapprovingly about a company (as Trump has done) and play the stock market accordingly—or cause others to do so. A market-tracking app called Trigger has already set up an alert that responds whenever Trump tweets about publicly traded companies.
http://www.newyorker.com/humor/borowitz-report/intel-chiefs-say-trumps-twitter-account-was-hacked-by-four-year-old?mbid=nl_010617%20Borowitz%20Newsletter%20(1)&CNDID=24465181&spMailingID=10182061&spUserID=MTMzMTgyNDk2NzI1S0&spJobID=1080489435&spReportId=MTA4MDQ4OTQzNQS2 [This is not "Fake News", as it is clearly designated as "humor". PGN]
Andrew E. Kramer, *The New York Times*, 31 Dec 2016 http://www.nytimes.com/2016/12/31/world/europe/russia-hacking-alisa-shevchenko.html The United States' sanctions list includes the company of a minor celebrity hacker who was once recognized by the American government for her work helping companies fight cybercrime.
[Third world, meet first world...] Ellen Barry, *The New York Times*, 3 Jan 2017 Thane, India—Betsy Broder, who tracks international fraud at the Federal Trade Commission, was in her office in Washington last summer when she got a call from two Indian teenagers. Calling from a high-rise building in a suburb of Mumbai, they told her, in tones that were alternately earnest and melodramatic, that they wanted to share the details of a sprawling criminal operation targeting Americans. Ms. Broder, who was no stranger to whistle-blowers, pressed the young men for details. "He said his name was Adam," she said, referring to one of the pair. "I said, 'Your name is not Adam. What does your grandmother call you?' He said, 'Babu.'" Babu was Jayesh Dubey, a skinny 19-year-old with hair gelled into vertical bristles, a little like a chimney brush. He told her that he was working in a seven-story building and that everyone there was engaged in the same activity: impersonating Internal Revenue Service officials and threatening Americans, demanding immediate payment to cover back taxes. http://www.nytimes.com/2017/01/03/world/asia/india-call-centers-fraud-americans.html Gabriel Goldberg, Computers and Publishing, Inc. email@example.com 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
Kevin Carey, *The New York Times*, 29 Dec 2016 http://www.nytimes.com/2016/12/29/upshot/fake-academe-looking-much-like-the-real-thing.html?partner=rss&emc=rss OMICS is also in the less well-known business of what might be called conference fraud, which is what led to the call from John. Both schemes exploit a fundamental weakness of modern higher education: Academics need to publish in order to advance professionally, get better jobs or secure tenure. Even within the halls of respectable academia, the difference between legitimate and fake publications and conferences is far blurrier than scholars would like to admit.
NNSquad https://www.bleepingcomputer.com/news/security/killdisk-ransomware-now-targets-linux-prevents-boot-up-has-faulty-encryption/ According to the ESET researchers, the way the KillDisk ransomware version work on Windows and Linux is completely different, with the biggest issue being that on Linux, KillDisk doesn't save the encryption key anywhere on disk or online. Normally, this would mean that victims would never be able to recover files since the encryption key would be lost immediately after the encryption process ends. The good news is that ESET researchers say they've uncovered a flaw in the Linux variant that permits them to recover the encrypted files. The same weakness does not exist in the version that targets Windows PCs. [Various sources indicate that ransomware took a huge leap in 2016, perhaps quadrupling in frequency, with estimated profits on the order of a billion dollars. For example, see www.fedscoop.com/ransomware-attacks-up-300-percent-in-first-quarter-of-2016 PGN]
[but of course... AWESOME!] Shaun Nichols, *The Register*, 7 Jan 2017 TV anchor says live on-air 'Alexa, order me a dollhouse'—guess what happens next? Story on accidental order begets story on accidental order begets accidental order Jan 7 2017 http://www.theregister.co.uk/2017/01/07/tv_anchor_says_alexa_buy_me_a_dollhouse_and_she_does/ A San Diego TV station sparked complaints this week—after an on-air report about a girl who ordered a dollhouse via her parents' Amazon Echo caused Echoes in viewers' homes to also attempt to order dollhouses. Telly station CW-6 said the blunder happened during a Thursday morning news package about a Texan six-year-old who racked up big charges while talking to an Echo gadget in her home. According to her parents' Amazon account, their daughter said: "Can you play dollhouse with me and get me a dollhouse?" Next thing they knew, a $160 KidKraft Sparkle Mansion dollhouse and four pounds of sugar cookies arrived on their doorstep. During that story's segment, a CW-6 news presenter remarked: "I love the little girl, saying 'Alexa ordered me a dollhouse'." That, apparently, was enough to set off Alexa-powered Echo boxes around San Diego on their own shopping sprees. The California station admitted plenty of viewers complained that the TV broadcast caused their voice-controlled personal assistants to try to place orders for dollhouses on Amazon. We'll take this opportunity to point out that voice-command purchasing is enabled by default on Alexa devices. [...] http://geoff.livejournal.com [Also noted by Gabe Goldberg. PGN] [We have had numerous items on the risks of spurious or malicious voice inputs (such as what might happen if someone in my office were to ask "I wonder what would happen if someone says `rm *'") over the past years (even before an item on risks of voice input to Word in RISKS-19.25 from 20 years ago). 
Here's an interesting website that seems to have had similar interests in collecting incidents and problems: http://www.hiddenvoicecommands.com/ Also, see http://news.bbc.co.uk/2/hi/technology/6320865.stm for a decade-old item. PGN]
Federal regulators have accused D-Link, a manufacturer of popular networking and smart-home products, of leaving its routers and webcam devices vulnerable to hackers. A lawsuit, filed this morning in a U.S. District Court in San Francisco by the Federal Trade Commission, alleges that China-based D-Link and its U.S. partner "failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access." The FTC contends that D-Link chose to not secure these devices against flaws that have been considered critical for nearly a decade. These vulnerabilities, alleges the complaint, are easily preventable but can also be easily taken advantage of if left unfixed. In addition to leaving devices open to hacking, the lawsuit claims that D-Link elected to not secure users' mobile app login credentials, but "instead have stored those credentials in clear, readable text on a user's mobile device." https://consumerist.com/2017/01/05/feds-accuse-d-link-of-failing-to-properly-secure-routers-webcams/ Gabriel Goldberg, Computers and Publishing, Inc. firstname.lastname@example.org 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
Kathryn Haun and Eric J. Topol, *The New York Times*, 2 Jan 2017 http://www.nytimes.com/2017/01/02/opinion/the-health-data-conundrum.html We can't access our records. But hackers can get to them easily.
via NNSquad https://plus.google.com/+LaurenWeinstein/posts/jbxMAemqrRp?sfc=true 2017 will be the year that major search engines and social media firms take serious responsibility for appropriately dealing with fake news and false propaganda leveraging their systems for monetization and political purposes. Otherwise, 2017 will go down in history as the year that these firms effectively began committing suicide by leaving themselves vulnerable to draconian government censorship efforts. Their choice, and ours.
An individual gained access to confidential information (name/address/SSN) on as many as 15,000 recipients of state social services, using a computer in the library of the state psychiatric hospital, while he was a patient there. This information (which did not include information from the hospital's own files) was later posted online. News reports do not indicate the mechanisms of access, but security was tightened on the "public" library computers after the patient was observed accessing non-confidential hospital information. New Hampshire IT officials describe the computer skills used to access the data as "average", and note that it was due to a subtly misconfigured computer. HIPAA Journal story: http://www.hipaajournal.com/patient-posts-phi-new-hampshire-state-psychiatric-hospital-patients-online-8624/ NH1 story: http://www.nh1.com/news/it-officials-data-breach-at-nh-dhhs-required-average-computer-skills-/
[via Dave Farber] Here's a fascinating article about "Information Warfare"—in this case as practiced and analyzed in Serbia, but I think the principles apply more widely. [...] https://labs.rs/en/mapping-and-quantifying-political-information-warfare/ Politics of Hidden Internet Interventionism As framed by the media theorist Manuel Castells, we should not overlook the oldest and most direct form of media politics: propaganda and control. This is: (a) the fabrication and diffusion of messages that distort facts and induce misinformation for the purpose of advancing government interests; and (b) the censorship of any message deemed to undermine these interests, if necessary by criminalizing unhindered communication and prosecuting the messenger. [...]
Security measure to be implemented starting in May. http://www.straitstimes.com/singapore/singapore-public-servants-computers-to-have-no-internet-access-from-may-next-year
Why must everything be "smart"—aka "spying"—aka "hackable" ? What really galls me is the fact that the Public Utilities Commissions (PUC's) can force us all to pay for this crap, so these dimwits at the electric utilities can put another notch in their LinkedIn resume belts (i.e., something else that I have failed at: "cybersecurity"). I'd much rather have the money spent on *rooftop solar* and *distributed battery systems*, which would vastly improve resilience over the existing centralized single-point-of-failure grid system. https://www.theguardian.com/technology/2016/dec/29/smart-electricity-meters-dangerously-insecure-hackers Smart electricity meters can be dangerously insecure, warns expert Hackers can cause fraud, explosions and house fires, and utility companies should do more to protect consumers, conference told Alex Hern in Hamburg, 29 Dec 2016 (modified 30 Dec 2016) Smart electricity meters, of which there are more than 100m installed around the world, are frequently "dangerously insecure", a security expert has said. The lack of security in the smart utilities raises the prospect of a single line of malicious code cutting power to a home or even causing a catastrophic overload leading to exploding meters or house fires, according to Netanel Rubin, co-founder of the security firm Vaultra. "Reclaim your home," Rubin told a conference of hackers and security experts, "or someone else will." If a hacker took control of a smart meter they would be able to know "exactly when and how much electricity you're using", Rubin told the 33rd Chaos Communications Congress in Hamburg. An attacker could also see whether a home had any expensive electronics. "He can do billing fraud, setting your bill to whatever he likes ... The scary thing is if you think about the power they have over your electricity. He will have power over all of your smart devices connected to the electricity. 
This will have more severe consequences: imagine you woke up to find you'd been robbed by a burglar who didn't have to break in. "But even if you don't have smart devices, you are still at risk. An attacker who controls the meter also controls the meter's software, allowing him to cause it to literally explode." Rubin said many of the warnings were not hypothetical. In 2009 Puerto Rican smart meters were hacked en masse, leading to widespread billing fraud, and in 2015 a house fire in Ontario was traced back to a faulty smart meter, although hacking was not implicated in that. The problems at the heart of the insecurity stem from outdated protocols, half-hearted implementations and weak design principles. While the physical security of smart meters is strong—"trust me, I tried" to hack in that way, Rubin said—the wireless protocols many of them use are problematic. To communicate with the utility company, most smart meters use GSM, the 2G mobile standard. That has a fairly well-known weakness whereby an attacker with a fake mobile tower can cause devices to "hand over" to the fake version from the real tower, simply by providing a strong signal. In GSM, devices have to authenticate with towers, but not the other way round, allowing the fake mast to send its own commands to the meter. Worse still, said Rubin, all the meters from one utility used the same hardcoded credentials. "If an attacker gains access to one meter, it gains access to them all. It is the one key to rule them all." Inside the home, too, the communications are rendered insecure by outdated standards and bad implementation. Almost all smart meters use the Zigbee standard to speak to other smart devices in the home. Zigbee, which dates from 2003, is a popular home automation standard, used for controlling everything from lightbulbs to air conditioners. 
But it is so convoluted, due to the vast array of devices supported, that it is almost better to think of it as 15 different standards, each of which vendors can choose to implement as they see fit. "This unique situation is so difficult to implement, vendors actually choose what they want to implement. And when they choose what to support, they more often than not skip security," Rubin said. Other weak security decisions made by vendors include: * Encryption keys derived from short (often just six-character) device names. * Pairing standards with no authentication required, allowing an attacker to simply ask the smart meter to join the network and receive keys in return. * Hardcoded credentials, allowing administrator access with passwords as simple and guessable as the vendor's name. * Code simplified to work on low-power devices skipping important checks, allowing nothing more than a long communication to crash the device. "These security problems are not going to just go away," Rubin said. "On the contrary, we are going to see a sharp increase in hacking attempts. Yet most utilities are not even monitoring their network, let alone the smart meters. Utilities have to understand that with great power comes great responsibility." Smart meters come with benefits, allowing utilities to more efficiently allocate energy production, and enabling micro-generation that can boost the uptake of renewable energy. For those reasons and more, the European Union has a goal of replacing 80% of meters with smart meters by 2020. A spokesperson for the UK government's department of Business, Energy and Industrial Strategy said: "Robust security controls are in place across the end to end smart metering system and all devices must be independently assessed by an expert security organisation, irrespective of their country of origin."
Tristan Harris believes Silicon Valley is addicting us to our phones. He's determined to make it stop. https://www.theatlantic.com/magazine/archive/2016/11/the-binge-breaker/501122/
If you don't have this yet, you need it: https://blog.cloudflare.com/how-and-why-the-leap-second-affected-cloudflare-dns/ [The Cloudflare item was also noted by Chuck Weinstock. Goodness Gracious! Leap-seconds continue to prompt RISKS items. See Alan Wexelblat's note in RISKS-6.7 in Jan 1988, a bunch of items in volume 17, Rob Seaman on abolishing leap-seconds (RISKS-17.71), and many subsequent items. PGN]
Laptops are da bomb! Again. Bob Brown, Network World, 5 Jan 2017 U.S. Consumer Product Safety Commission issued an alert warning of laptop battery packs that can overheat, melt http://www.infoworld.com/article/3154932/laptop-computers/toshiba-expands-recall-of-laptop-battery-packs-due-to-burnfire-risk.html opening text: The U.S. Consumer Product Safety Commission has issued an alert that Toshiba on Wednesday has greatly expanded its recall of laptop computer battery packs due to burn and fire hazards. More specifically, these are Panasonic lithium-ion battery packs that have been found susceptible to overheating in 41 models of the Toshiba Satellite laptop, which runs Windows. The firm has received five reports of the battery pack overheating and melting, including one additional report since the first recall announcement; no injuries have been reported.
NNSquad https://blog.coralproject.net/the-real-name-fallacy/ People often say that online behavior would improve if every comment system forced people to use their real names. It sounds like it should be true - surely nobody would say mean things if they faced consequences for their actions? Yet the balance of experimental evidence over the past thirty years suggests that this is not the case. Not only would removing anonymity fail to consistently improve online community behavior - forcing real names in online communities could also increase discrimination and worsen harassment. We need to change our entire approach to the question. Our concerns about anonymity are overly-simplistic; system design can't solve social problems without actual social change.
Here's a quick update on an item I shared in RISKS-27.72 in Jan 2014 [1]. The risk was about *name collisions* in the Domain Name System (DNS). Name collisions can occur when a domain name assumed to be reserved for internal use within a home or corporate network—a name like "printer.corp" -- becomes available for registration and external use within the global Internet. When such a collision occurs, an internal system, rather than sending traffic to an internal resource as intended, may unknowingly send it instead to a new external resource with the same name. If a malicious user controls that external resource, the malicious user may be able to acquire sensitive data and even inject false responses - all without ever breaching internal network defenses. The risk of name collisions increased dramatically with the launch of ICANN's New Generic Top-Level Domains (gTLD) Program, which has just recently added its 1,000th new top-level domain (TLD) to the global DNS [2]. As Verisign Labs showed in research reports [3] starting in 2013, many of the potential new TLDs overlapped with established internal-use names. This research motivated additional analysis within the New gTLD Program, as well as further research within the Internet community on both the prevalence of the problem and potential solutions (including the workshop I mentioned in my previous post - see IETF RFC 8023 [4] for a summary). On the positive side, there's now much more awareness of the risk within the research community. ICANN now requires that a top-level domain pass through a new risk mitigation process called "controlled interruption" before it can be added to the global DNS. But on the negative side, name collisions are indeed occurring. Researchers at University of Michigan and Verisign Labs showed in an IEEE Security and Privacy paper [5] that an increasing number of externally registered names overlap with internal names employed in the Web Proxy Auto-Discovery (WPAD) protocol.
As reported in this forum last May [6], an adversary could potentially exploit such a collision to launch a Man in the Middle (MiTM) attack. US-CERT issued an alert [7] with advice on how users and network administrators can reduce the risk. It will be interesting to see how all this plays out, especially in terms of mitigations.
[1] http://catless.ncl.ac.uk/Risks/27/72#subj16.1
[2] https://www.icann.org/news/blog/a-grand-milestone-new-gtld-program-reaches-1-000th-delegation
[3] https://www.verisign.com/assets/gtld-ssr-v2.1-final.pdf
[4] https://www.rfc-editor.org/info/rfc8023
[5] https://www.verisign.com/assets/labs/MitM-Attack-by-Name-Collision-Cause-Analysis-and-WPAD-Vulnerability-Assessment-in-the-New-gTLD-Era.pdf
[6] http://catless.ncl.ac.uk/Risks/29/54#subj44.1
[7] https://www.us-cert.gov/ncas/alerts/TA16-144A
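[The following is an added example, not part of the post above and not code from Verisign Labs, ICANN or US-CERT. It shows the mechanics the post describes: how a stub resolver's search list turns a bare name like "wpad" into a fully qualified name under a now-public TLD, how to check an organisation's internal DNS suffixes against a list of delegated gTLDs, and how to spot two tell-tale signs in resolver logs: auto-discovery names (WPAD and similar) being looked up under a new gTLD, and answers of 127.0.53.53, the address ICANN's "controlled interruption" returns for every name in a newly delegated TLD during its first 90 days. The log line format, the internal suffix list and the NEW_GTLDS subset are constructed for the example; a real audit would load the full delegated-TLD list from the IANA root zone database. PGN]

```python
"""Name-collision audit for internal DNS names versus newly delegated gTLDs.

Added example; not code from the RISKS item, Verisign Labs or ICANN.
Assumptions (not from the page): the resolver-log line format below, the
internal suffix list and the NEW_GTLDS subset. 127.0.53.53 is ICANN's real
controlled-interruption address, returned for every name in a newly
delegated TLD during its first 90 days so that leaked lookups fail visibly.
"""
import re
from typing import Dict, Iterable, List, Set

CONTROLLED_INTERRUPTION_IP = "127.0.53.53"

# Constructed subset of TLDs delegated under the New gTLD Program.
NEW_GTLDS: Set[str] = {"dev", "cloud", "site", "global", "zone", "network"}

# Names that clients look up on their own (proxy auto-discovery and friends);
# a leak of these lets an outside registrant pick the proxy for every client.
AUTO_DISCOVERY_LABELS: Set[str] = {"wpad", "isatap", "autodiscover"}

LOG_RE = re.compile(
    r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)\s+answer=(?P<answer>\S+)"
)

# Constructed sample resolver log: four queries from an internal network.
SAMPLE_LOG = """\
2017-01-06T10:21:03Z client=10.0.0.12 qname=wpad.engineering.site. qtype=A answer=127.0.53.53
2017-01-06T10:21:04Z client=10.0.0.12 qname=printer.corp. qtype=A answer=NXDOMAIN
2017-01-06T10:21:09Z client=10.0.0.40 qname=autodiscover.mail.example.com. qtype=A answer=192.0.2.10
2017-01-06T10:22:11Z client=10.0.0.77 qname=git.dev. qtype=A answer=198.51.100.7
"""


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def tld(name: str) -> str:
    return normalize(name).rsplit(".", 1)[-1]


def search_list_candidates(short_name: str, search_list: List[str], ndots: int = 1) -> List[str]:
    """Mimic a stub resolver: a name with fewer than `ndots` dots is tried with
    each search suffix appended, then as given. A one-label suffix such as
    "site" turns the bare "wpad" into "wpad.site", a name the global DNS now answers."""
    name = normalize(short_name)
    if name.count(".") >= ndots:
        return [name]
    return [f"{name}.{normalize(s)}" for s in search_list] + [name]


def colliding_suffixes(internal_suffixes: Iterable[str], new_gtlds: Set[str] = NEW_GTLDS) -> List[str]:
    """Configuration check: internal suffixes whose top label is now a public TLD."""
    return sorted(s for s in map(normalize, internal_suffixes) if tld(s) in new_gtlds)


def parse_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    records = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["qname"] = normalize(rec["qname"])
            records.append(rec)
    return records


def classify(rec: Dict[str, str], internal_suffixes: Iterable[str], new_gtlds: Set[str] = NEW_GTLDS) -> List[str]:
    """Return finding tags for one query record; an empty list means nothing of note."""
    findings: List[str] = []
    qname = rec["qname"]
    if rec["answer"] == CONTROLLED_INTERRUPTION_IP:
        # The registry answered: the internal name now has a public counterpart.
        findings.append("controlled-interruption")
    if tld(qname) in new_gtlds:
        for suffix in map(normalize, internal_suffixes):
            if qname == suffix or qname.endswith("." + suffix):
                findings.append("internal-suffix-under-new-gtld")
                break
        if qname.split(".", 1)[0] in AUTO_DISCOVERY_LABELS:
            findings.append("auto-discovery-leak")
    return findings


def audit(lines: Iterable[str], internal_suffixes: Iterable[str], new_gtlds: Set[str] = NEW_GTLDS) -> Dict[str, List[str]]:
    """Map each flagged query name to its findings; unflagged names are omitted."""
    suffixes = list(internal_suffixes)
    report: Dict[str, List[str]] = {}
    for rec in parse_log(lines):
        tags = classify(rec, suffixes, new_gtlds)
        if tags:
            report[rec["qname"]] = tags
    return report


if __name__ == "__main__":
    internal = ["engineering.site", "dev", "corp"]
    print("suffixes now colliding with public TLDs:", colliding_suffixes(internal))
    print("search-list expansion of 'wpad':", search_list_candidates("wpad", ["engineering.site", "site"]))
    for qname, tags in audit(SAMPLE_LOG.splitlines(), internal).items():
        print(qname, "->", ", ".join(tags))
```

Run against the constructed log, the audit flags "wpad.engineering.site" three ways (controlled-interruption answer, internal suffix under a public TLD, auto-discovery leak) and "git.dev" once, while "printer.corp" is silent only because "corp" is not in the constructed delegated set. The configuration check is the one to run first: a suffix that shows up in `colliding_suffixes` should be renamed under a domain the organisation actually registers, which is the mitigation the US-CERT alert points at.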
It's not just local authorities, it's also tax collectors, according to *The Telegraph* today: http://www.telegraph.co.uk/tax/return/taxman-unleashes-snooper-computer-information-does-have/ Taxman unleashes its 'snooper computer': what information does it have on you? HM Revenue & Customs has spent years and £100m or more on a super-computer designed to identify those who may have paid too little tax. The Connect system crunches data from Airbnb, the rental platform, for instance, or eBay. It can also access Land Registry records to see houses purchased and ensure the correct tax has been paid. From there, further sources enable it to determine if properties are being rented out and whether that income has been declared. It can also determine if someone is likely to be able to afford such properties, or whether they are suspected of having used previously undeclared income or savings. HMRC gains anonymised information on all Visa and Mastercard transactions, enabling it to identify areas of likely underpayments which it can then target further, seeking details of individuals' transactions where necessary. HMRC will also be one of the government bodies to gain access to information under new laws known commonly as the *snoopers' charter*. The legislation means telecom providers store customers' web browsing and email records for at least a year; it can then be accessed by the Government. Rather obvious RISKS of getting in trouble for routine mistakes and mess-ups, plus drawing the wrong inferences from multiple data sources. Looks like us Brits should be prepared to just hand ourselves in...