The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 08

Tuesday 10 January 2017

Contents

Russian Hackers Find Ready Bullhorns in the Media
Max Fischer
France blocks 24,000 cyberattacks amid fears that Russia may try to influence French presidential election
David Chazan
Russia's RT: The Network Implicated in U.S. Election Meddling
Russell Goldman
How to Starve Online Hate
Pagan Kennedy
Disrupting The Business Model of the Fake News Industry
Katherine Haenschen and Paul Ellenbogen
A Chilling PBS Documentary Shows How Mistakes Are Made
Neil Genzlinger
FDA Offers Advice for Hacking Risks With St Jude Cardiac Devices
Arthur Flatau
Vulnerability Disclosure Attitudes and Actions
NTIA
Perhaps a laptop can be too thin?
Henry Baker
Iran's p*rn censorship broke browsers as far away as Hong Kong
The Verge
"Windows security patches crash Active Directory Admin Center"
Woody Leonhard
"More than 10,000 exposed MongoDB databases deleted by ransomware groups"
Lucian Constantin
Re: Cloudflare explains the leap second bug
David E. Ross
Re: "The Real Name Fallacy"
Anon
Re: Russian Hacking
Dick Mills
Re: "TV anchor says live on-air 'Alexa ...',"
Adam Shostack
Jeremy Epstein
Mark Thorson
IoT Home Inspector Challenge
FTC via Alister Wm Macintyre
Info on RISKS (comp.risks)

Russian Hackers Find Ready Bullhorns in the Media (Max Fischer)

Lauren Weinstein <lauren@vortex.com>
Sun, 8 Jan 2017 13:16:17 -0800
Max Fischer, *The New York Times*, 8 Jan 2017
http://www.nytimes.com/2017/01/08/world/europe/russian-hackers-find-ready-bullhorns-in-the-media.html?partner=rss&emc=rss

  But in this case, the source was Russia's military intelligence agency,
  the GRU—operating through shadowy fronts who worked to mask that
  fact—and its agenda was to undermine the American presidential
  election.  By releasing documents that would tarnish Hillary Clinton and
  other American political figures, but whose news value compelled coverage,
  Moscow exploited the very openness that is the basis of a free press.  Its
  tactics have evolved with each such operation, some of which are still
  unfolding.  Thomas Rid, a professor of security studies at King's College
  London who is tracking the Russian influence campaign, said it goes well
  beyond hacking: "It's political engineering, social engineering on a
  strategic level."


France blocks 24,000 cyberattacks amid fears that Russia may try to influence French presidential election (David Chazan)

Monty Solomon <monty@roscom.com>
Sun, 8 Jan 2017 14:52:03 -0500
http://www.telegraph.co.uk/news/2017/01/08/france-blocks-24000-cyber-attacks-amid-fears-russia-may-try/


Russia's RT: The Network Implicated in U.S. Election Meddling (Russell Goldman)

Monty Solomon <monty@roscom.com>
Sun, 8 Jan 2017 15:31:08 -0500
Russell Goldman, *The New York Times*, 8 Jan 2017
http://www.nytimes.com/2017/01/07/world/europe/russias-rt-the-network-implicated-in-us-election-meddling.html

Created by Russia's government to offer “the Russian view on global news,”
RT acted like a Kremlin propaganda operation, an American intelligence
report suggests.


How to Starve Online Hate (Pagan Kennedy)

Monty Solomon <monty@roscom.com>
Sun, 8 Jan 2017 15:45:19 -0500
Many companies don't know that their ads are appearing next to abhorrent
content.  Tell them.
http://www.nytimes.com/2017/01/07/opinion/sunday/how-to-destroy-the-business-model-of-breitbart-and-fake-news.html

  [The same article by Pagan Kennedy is in the hardcopy National Edition of
  *The New York Times* Sunday Review, although with the title in the subject
  line above.  PGN]


Disrupting The Business Model of the Fake News Industry (Katherine Haenschen and Paul Ellenbogen)

Monty Solomon <monty@roscom.com>
Sun, 8 Jan 2017 16:15:03 -0500
https://freedom-to-tinker.com/2016/12/14/disrupting-the-business-model-of-the-fake-news-industry/

In the aftermath of the 2016 election, researchers and media professionals
alike seized on the vast proliferation of so-called *Fake News* on Facebook
as a cause for concern.  An informed citizenry is a necessary condition for
democracy, so it is far from ideal to have millions of people consuming
intentionally misleading information masquerading as hard news.  Now that
Facebook has admitted that it has a problem with Fake News, Mark Zuckerberg
and Co. need to do even more to prevent its spread on the platform.  We
propose one solution: Facebook should block advertising links to Fake News
websites and Fake News pages on the Facebook platform itself.  [...]


A Chilling PBS Documentary Shows How Mistakes Are Made (Neil Genzlinger)

Monty Solomon <monty@roscom.com>
Mon, 9 Jan 2017 23:07:31 -0500
Neil Genzlinger, *The New York Times*, 4 Jan 2015
http://www.nytimes.com/2017/01/04/arts/television/a-chilling-pbs-documentary-shows-how-mistakes-are-made.html

*Command and Control* is an *American Experience* episode on PBS on 10 Jan
[tonight].  It recounts a 1980 maintenance blunder at a missile silo in
Arkansas.


FDA Offers Advice for Hacking Risks With St Jude Cardiac Devices

Arthur Flatau <flataua@acm.org>
Mon, 9 Jan 2017 16:36:10 -0600
The US Food and Drug Administration today issued a Safety Communication: to
reduce the risk of patient harm due to cybersecurity vulnerabilities
associated with St Jude Medical's radio-frequency-enabled implantable
cardiac devices and corresponding Merlin@home Transmitter[1].
<http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm?source=govdelivery&utm_medium=email&utm_source=govdelivery>

After months of reviewing information, the FDA confirmed there are
"vulnerabilities" that if exploited could allow an unauthorized user to
"remotely access a patient's RF-enabled implanted cardiac device by altering
the Merlin@home Transmitter."

The FDA said there has been no reports of patient harm related to the
cybersecurity vulnerabilities but that if hacked, the "transmitter could be
used to modify programming commands to the implanted device, which could
result in rapid battery depletion and/or administration of inappropriate
shocks."

http://www.medscape.com/viewarticle/874193


Vulnerability Disclosure Attitudes and Actions (NTIA)

Monty Solomon <monty@roscom.com>
Sun, 8 Jan 2017 15:21:07 -0500
A Research Report from the NTIA Awareness and Adoption Group
https://www.ntia.doc.gov/files/ntia/publications/2016_ntia_a_a_vulnerability_disclosure_insights_report.pdf


Perhaps a laptop can be too thin?

Henry Baker <hbaker1@pipeline.com>
Sun, 08 Jan 2017 12:02:22 -0800
Perhaps it's time for Apple to bring back the "Titanium" Powerbook?

  [I'll bet Steve Frappier is *really glad* that he wasn't carrying a
  Samsung Galaxy Note 7 in his backpack...  Now if Apple could only make
  bullet-proof software... HB]

MacBook saves man's life during Fort Lauderdale airport shooting
WPLG Miami 7 Jan 2017
http://www.chron.com/news/article/Macbook-saves-man-s-life-Fort-Lauderdale-10842126.php

There were bullets flying at Fort Lauderdale-Hollywood International Airport
when 11 people were shot.  Five of them didn't make it out of the baggage
claim area alive.  And Steve Frappier was lucky.  He credited his Apple
MacBook Pro for saving his life.  The 37-year-old traveler from Atlanta
brought his school-issued lap top, because he was going to an education
conference.  He placed it in his backpack, but didn't think of it when he
felt an impact on his back during the shooting.  Frappier said he saw a man
get shot in the head and heard his wife screaming.

When the bloodshed was over, he said he went to the men's restroom and saw a
bullet hole on the lap top.  He gave it to FBI agents.  And he was in shock
when they found a 9 mm bullet in his backpack.  That was when he realized a
gunman aimed to kill him, but the laptop took the bullet for him.  "If I
didn't have that backpack on, the bullet would have shot me between the
shoulders," Frappier said.


Iran's p*rn censorship broke browsers as far away as Hong Kong (The Verge)

Lauren Weinstein <lauren@vortex.com>
Sun, 8 Jan 2017 20:38:12 -0800
The Verge via NNSquad
http://www.theverge.com/2017/1/7/14195118/iran-porn-block-censorship-overflow-bgp-hijack

  Thursday afternoon, something very unusual happened to super - - - - - - -
  -.com.  That site and 255 others—many of them p*rn sites—suddenly
  began dropping off the web. The servers showed no problems, but users from
  Russia to Hong Kong were typing the URLs into their browsers and getting
  blank pages.  Something on the Internet was getting in the way.

Executive summary: Screwed up BGP ... again.


"Windows security patches crash Active Directory Admin Center" (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Mon, 09 Jan 2017 09:50:16 -0800
Woody Leonhard, InfoWorld, 6 Jan 2017
The bad December patches include Windows 7 security-only KB 3205394 and
  Windows 10 cumulative updates KB 3206632, KB 3205386
http://www.infoworld.com/article/3155264/microsoft-windows/december-windows-security-patches-crash-active-directory-admin-center.html

opening text:

It's been three weeks since Microsoft released its December security
patches, and a bad conflict with the Active Directory Admin Center (and, by
some accounts, SCCM) is only now reaching the mainstream.  Those of you
running Active Directory take note.

The good news: Uninstalling the wayward patch solves the problem. The bad
news: Nobody seems to know exactly which patches trigger the crash.


"More than 10,000 exposed MongoDB databases deleted by ransomware groups" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Mon, 09 Jan 2017 09:53:47 -0800
Lucian Constantin, Romania Correspondent, InfoWorld, 6 Jan 2017
Five groups of attackers are competing to delete as many publicly
accessible MongoDB databases as possible
http://www.infoworld.com/article/3155201/security/more-than-10000-exposed-mongodb-databases-deleted-by-ransomware-groups.html

selected text:

Groups of attackers have adopted a new tactic that involves deleting
publicly exposed MongoDB databases and asking for money to restore them. In
a matter of days, the number of affected databases has risen from hundreds
to more than 10,000.

The issue of misconfigured MongoDB installations, allowing anyone on the
Internet to access sensitive data, is not new.  ... puts their number at
more than 99,000.

On Monday, security researcher Victor Gevers from the GDI Foundation
reported that he found almost 200 instances of publicly exposed MongoDB
databases that had been wiped and held to ransom by an attacker or a group
of attackers named Harak1r1.

The bad news is that most of them don't even bother copying the data before
deleting it, so even if the victims decide to pay, there's a high chance
they won't get their information back.

   [See also Fahmida Y. Rashid, MongoDB ransomware attacks sign criminals
   are going after servers, applications:
http://www.infoworld.com/article/3155435/cyber-crime/mongodb-ransomware-attacks-sign-criminals-are-going-after-servers-applications.html
   PGN, also from Gene]


Re: Cloudflare explains the leap second bug (RISKS-30.07)

"David E. Ross" <david@rossde.com>
Sun, 8 Jan 2017 11:48:03 -0800
There is really no excuse for Cloudflare's problem with the recent
leap-second.  In 1969 and for many years afterward, I worked on computer
software that handled leap-seconds correctly.  All we needed was about 2
month's advance notice that a leap-second would occur; today, such notices
are available much more than 2 months in advance.

The key to proper handling of time is that computer systems should
internally maintain atomic time (TAI, from the French term Temps Atomique
International) instead of universal time (UTC, French Temps universel
coordonné).  TAI and UTC share the same definition of a second, and a TAI
clock ticks its seconds at the exact same instant as a UTC clock.

However, a TAI clock does not tick the same second as a UTC clock.  This is
because TAI never has leap-seconds, which means that it has a growing
failure to align with time computed from the sun.  UTC, on the other hand,
requires leap-seconds to keep its time aligned with sun-time.  Thus, today a
UTC clock might show 11:24:00 while a TAI clock will simultaneously show
11:24:27.

At the very beginning of 1 January 2017, while a TAI clock kept ticking
60-second minutes, a UTC clock ticked a 61-second minute.  This is how it
looked, allowing for the fact that, before then, the two were already 26
seconds misaligned:

UTC                     TAI
31 Dec 16 23:59:58      1 Jan 17 00:00:24
31 Dec 16 23:59:59      1 Jan 17 00:00:25
31 Dec 16 23:59:60      1 Jan 17 00:00:26  <= the leap-second
 1 Jan 16 00:00:00	1 Jan 17 00:00:27
 1 Jan 17 00:00:01	1 Jan 17 00:00:28

For user interfaces, a simple routine in the software on which I worked
converted internal TAI to external UTC for displays and reports and
converted external UTC to internal TAI for user input.  A more complex
software routine handled the fact that the earth's rotation exhibits annual
and semi-annual fluctuations and thus the earth's current rotational
position and velocity.  All this was necessary because the software was used
to operate earth-orbiting space satellites.  Accurate time is needed to
determine what spot on the rotating earth was directly beneath a satellite
while giving the human users data in terms of "wall clock" time (UTC).

Cloudflare is not alone in having software developed by individuals who have
little knowledge about the dynamics of time.  The problem of careless
(ignorant?) programmers is even promoting plans to eliminate leap-seconds,
which would mean a gradual (but generally unnoticeable in a human lifetime)
shift in the times of sunrise, sunset, and tides.


Re: "The Real Name Fallacy"

<>
Mon, Jan 9, 2017 at 3:52 AM
The only thing the requirement for real names in social networks produces is
an enormous chilling effect on the writing by exactly the category of people
we would all want to read and learn from: smart, aware of the realities of
life, having opinions of their own, and desiring to talk about things which
actually matter rather than engage in verbal mutual grooming.

Smart - because smart people are interested in big and often controversial
issues. Meaningless chatter about celebrity antics and greatness of Burning
Man is for dullards.

Only a person totally oblivious to how corporate business works uses his
real name to discuss anything remotely politically sensitive on-line. The
rest of us understands very well that the first thing an HR dept does upon
receiving a qualified resume is on-line search to see any dirt (in the eyes
of the HR drone) which may justify tossing the resume into trash can.  In
many cases this "vetting" could be totally illegal, but the law is also
totally unenforceable here. Besides "I was rejected because lady in HR
disliked my joke about cats" isn't going to impress the judge. Same goes for
the people searching dirt on their opponents in corporate political games,
etc. No one who has any awareness of the reality would want to conflate
personal with professional.

Now, the mindless parrots merely regurgitating approved blabber from the
mainstream press are probably reasonably safe. They also are absolutely
boring. Thank you, I can read WaPo myself. The only interesting speech is by
those who have to say something new or different and have mind of their own.

Finally... nobody cares about pictures of cats, vacation photos, or stories
about how great the last party was. It's content-free, it is nothing more
than mutual grooming. I like yours, you like mine. Nothing wrong with that,
but, please, I have a mind which needs something more complicated than
simian camaraderie.

The obvious and observable result is terrifying dullness of social networks
- and willing and widespread disrespect of the "real names only" policies by
virtually everyone whose words I may be interested in reading (and who
haven't yet secured an unassailable position of a tenured professor or a
housewife).

And, yes, I'm one of those who got banned by Facebook for not using my real
name. I consider it beneath myself to use Photoshop to bypass the
idiotically easy identity check FB requires, so I'm not coming back to that
platform, ever.


Re: Russian Hacking

Dick Mills <dickandlibbymills@gmail.com>
Mon, 9 Jan 2017 10:41:29 -0500
In RISKS-30.06, PGN said:
  "Nevertheless, nation-state hacking into other nations' systems is
  reprehensible."

That would carry a lot more moral authority if it was preceded by a pledge
by the US government to forswear hacking other nation's systems.  But we
openly talk about US Cybercommand whose mission is to do exactly that.

As discussed in RISKS-30.04, *The Washington Post)* told of the USA's long
history of interfering in other nation's elections or promoting regime
change.  But in today's bizarre political debate, hacking another nation's
systems may be deemed more reprehensible than assassination or bombing their
capitol city.


Re: "TV anchor says live on-air 'Alexa ...'," (RISKS-30.07)

Adam Shostack <adam@shostack.org>
Mon, 9 Jan 2017 11:43:23 -0500
PGN notes that there's a history of these attacks documented in RISKS.
There was also a talk at Blackhat this summer which summarized, modeled, and
presented security guidance and privacy guidance for voice driven products.
It will be interesting to see how well they did at predicting the problems
which emerge.

http://www.ewf-usa.com/page/voiceprivacy
https://www.blackhat.com/us-16/briefings.html#building-trust-and-enabling-innovation-for-voice-enabled-iot


Re: "TV anchor says live on-air 'Alexa ...'," (RISKS-30.07)

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Sun, 8 Jan 2017 18:49:21 -0500
This really shouldn't be much of a surprise.  When voice commands were just
beginning, there was the (likely apocryphal) story that during an early
demo, someone yelled from the back of the room "format c:", at which point
the system did as instructed.

Whether or not this is true (and I heard it at least a couple decades ago),
it's unfortunate that the Alexa designers didn't consider the known risks...

[In the process of trying to figure out when I heard about disk formatting
first, I ran across a Dilbert cartoon from 1994 demonstrating this risk:
http://dilbert.com/strip/1994-04-24]


Re: "TV anchor says live on-air 'Alexa ...'," (RISKS-30.07)

Mark Thorson <eee@sonic.net>
Sun, 8 Jan 2017 17:56:47 -0800
  [Alexa, subscribe me to the Risks Digest!]

This presents opportunities for calling talk radio stations and giving Alexa
commands.


IoT Home Inspector Challenge (FTC)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Mon, 9 Jan 2017 09:48:46 -0600
If you can come up with a tool that keeps zombie botnets from taking over
your connected hairbrush, refrigerator, or nanny cam, the US Federal Trade
Commission (FTC) wants to pay you $25,000.00, assuming you are the first to
contact the FTC with a best solution in the FTC "IoT Home Inspector
Challenge."  There are also awards of $3,000.00 each for honorable mention
winners.

The winning tool needs to be able to resolve the problems of "smart" and
"IoT" devices that have out-of-date or inadequate security.

Submissions will be accepted, starting in March 2017, with final deadline
May 22.  Winners shall be announced around 2017 July 27.
https://www.ftc.gov/iot-home-inspector-challenge
https://www.ftc.gov/news-events/blogs/business-blog/2017/01/25000-prize-winner-internet-things-home-inspector-challenge
https://www.consumer.ftc.gov/blog/announcing-internet-things-home-inspector-challenge

Rules, such as who owns the solution.
https://www.ftc.gov/news-events/contests/iot-rules

and FAQ https://www.ftc.gov/iot/faqs
How to participate in the contest: https://www.ftc.gov/node/1010513

I have not read the complete contents of all the above links, just their
summary statements and abstracts. I suggest people, interested in
participating in the contest, ought to do so.

Not mentioned in the challenge requirements, but important to me:

* Provide to our home, car, work place, etc. services similar to that of a
  Firewall, where we have the option of telling which "smart" or "IoT"
  services may operate in which modes, like OFF, require a Yes/No from
  operator, which actions to perform, do 100% spying on us, accept as valid
  commands, anything we hear on radio, TV, other background noise.

* Identify "smart" and "IoT" connected gadgets in the home, or affecting the
  home, such as neighbor wifi, smart utility company meters, which have the
  capability of messing with electronics in the home, and/or have capability
  of harming the home.

* Identify any purchased items whose internal "RFID" was not turned off,
  when we purchased it.

* Provide aids to backing up current config, then obtaining latest security
patches, if any are available.

* Scan all these "smart" and IoT home connections, identify which of them
  have what viruses, remove them.  Have option to setup an automated
  schedule of scans, like we have on most computers.

* Offer a log of hack attempts into your home's connected devices, and a way
  to share that log with security organizations, similar to DShield of
  Firewall logs, and KNUJON for spam e-mail.

* Offer a log, on incidents of smart devices sending info from our home,
  which we can sort to see which devices are most prolific in doing so.

* Plug & Play alert the moment another "smart" or "IoT" or other similar
  technology device is introduced into the household.

* Develop a hand held device to carry around to locate the spies which have
  Internet connections.

For  connected devices in which it is impossible to fix their cyber
security, offer information links, which collectively provide:

* Brand names of competitor products, which provide similar services,
  with vastly superior cyber security;

* How to disconnect the "smart" or "IoT" hardware, making it impossible for
  that device to be a continuing threat.

* Legal site opinion on whether it is against the law in your nation, city,
  province, etc. to disconnect this threat, what the penalties can be if you
  do so, and are caught.

* While we may own devices for specific purposes, but illegal for us to use
  them for other purposes, who can we sue, when those devices act against
  our best interests?

Please report problems with the web pages to the maintainer

Top