The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 11

Saturday 28 January 2017

Contents

"The missile may have veered ... towards the United States"
AFP via danny burstein
Clip from Schlosser's Command and Control
Ken Knowlton
Russians Charged With Treason Worked in Office Linked to Election Hacking
The NYTimes
United Airlines resumes flights after temporary ground order
CNN via Monty Solomon
Galaxy Note 7 investigation concludes, pair of issues will cost Samsung $5 billion
geoff goodfellow
Galaxy Note 7 Fires Caused by Battery and Design Flaws, Samsung Says
The NYTimes
Verizon remotely disables remaining Galaxy Note 7 phones
Kelly Bert Manning
"HP recalls over 100,000 more laptop batteries for fire hazard"
Agam Shah
"Cisco scrambling to fix a remote code execution problem in Webex"
Tim Greene
TOR servers misused for spam
Gerrit Muller
"OpenSSL issues new patches as Heartbleed still lurks"
Fahmida Y. Rashid
White House kills their comment phone line, but a new one appears
Lauren Weinstein
Facebook is changing its Trending section to fight the spread of fake news
Lauren Weinstein
Massive networks of fake accounts found on Twitter
BBC
U.S. Park Service tweets were result of old Twitter passwords
Martyn Williams
Fake news costing advertisers reputation, ad dollars
enterpriseinnovation
Report fake news at alt-facts.net
alt-facts
Finding credibility clues on Twitter
Science Daily
The real reason why Trump using an old Android phone should freak you out
BGR
Donald Trump is using a private gmail account to secure the most powerful Twitter account in the world
Sam Biddle
Republican voter fraud?
PGN
Cellphone dependency
Neil Youngman
Re: CIA unveils new rules for collecting information on Americans
Mark F
Re: Nim Language Draws From Best of Python, Rust, Go, and Lisp
Amos Shapir
Re: Leap-seconds
John Levine
Re: Japan testing USB phone charging in public buses
Andrew Duane
Info on RISKS (comp.risks)

"The missile may have veered ... towards the United States"

danny burstein <dannyb@panix.com>
Sun, 22 Jan 2017 19:49:07 -0500 (EST)
[AFP via Yahoo!]

UK govt accused of covering up failed Trident nuclear missile test

London (AFP) - The British government was accused on Sunday of covering up a
failed test of its nuclear weapons deterrent last year, just weeks before
lawmakers voted to renew the system.  [...]

*The Sunday Times* newspaper, citing a senior naval source, claimed that the
Trident II D5 missile failed after being launched from a British submarine
off the coast of Florida in June.

The cause of the failure is top secret but the source suggested the missile
may have veered off in the wrong direction towards the United States.

https://www.yahoo.com/news/uk-govt-accused-covering-failed-trident-nuclear-missile-113729062.html

  [Nothing in the story about what stopped the missile from reaching the US
  or, for that matter, how far it flew.]


Clip from Schlosser's Command and Control

Ken Knowlton <kcknowlton@aol.com>
Wed, 25 Jan 2017 21:43:23 -0500
Excerpt from Eric Schlosser's "Command and Control," Penguin, 2013, P.475

All of these military computer networks are far more technologically
advanced than the gold telephone that used to connect General LeMay to the
White House. But sometimes they experience a glitch. In October 2010 a
computer failure at F. E. Warren Air Force Base knocked fifty Minuteman III
missiles offline. For almost an hour, launch crews could not communicate
with their missiles. One third of the Minuteman IIIs at the base had been
rendered inoperable. The Air Force denied that the system had been hacked
and later found the cause of the problem: a circuit card was improperly
installed in one of the computers during routine maintenance.  But the
hacking of America's nuclear command-and-control system remains a serious
threat. In January 2013, a report by the Defense Science Board warned that
the system's vulnerability to a large-scale cyber attack had never been
fully assessed. Testifying before Congress, the head of the U.S. Strategic
Command, General C. Robert Kehler, expressed confidence that no "significant
vulnerability" existed. Nevertheless, he said that an "end-to-end
comprehensive review" still needed to be done, that "we don't know what we
don't know," and that the age of the command-and-control system might
inadvertently offer some protection against the latest hacking
techniques. Asked whether Russia and China had the ability to prevent a
cyberattack from launching one of their nuclear missiles, Kehler replied,
"Senator, I don't know."


Russians Charged With Treason Worked in Office Linked to Election Hacking (The NYTimes)

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 28 Jan 2017 7:22:01 PST
Scott Shane, David E. Sanger and Andrew E. Kramer,
  *The New York Times*, 27 Jan 2017
http://www.nytimes.com/2017/01/27/world/europe/russia-hacking-us-election.html?smprod=nytcore-iphone&smid=nytcore-iphone-share

Two Russian intelligence officers who worked on cyberoperations and a
Russian computer security expert have been arrested and charged with treason
for providing information to the United States, according to multiple
Russian news reports.

As in most espionage cases, the details made public so far are incomplete,
and some rumors in Moscow suggest that those arrested may be scapegoats in
an internal power struggle over the hacking. Russian media reports link the
charges to the disclosure of the Russian role in attacking state election
boards, including the scanning of voter rolls in Arizona and Illinois, and
do not mention the parallel attacks on the D.N.C. and the email of John
Podesta, Mrs. Clinton's campaign chairman.

But one current and one former United States official, speaking about the
classified recruitments on condition of anonymity, confirmed that human
sources in Russia did play a crucial role in proving who was responsible for
the hacking.  [...]


United Airlines resumes flights after temporary ground order

Monty Solomon <monty@roscom.com>
Mon, 23 Jan 2017 04:07:48 -0500
http://www.cnn.com/2017/01/22/travel/united-grounds-domestic-flights-because-of-it-issue/index.html

  [An outage of 3-plus hours was attributed to "IT problems".]


Galaxy Note 7 investigation concludes, pair of issues will cost Samsung $5 billion

the keyboard of geoff goodfellow <geoff@iconia.com>
Mon, 23 Jan 2017 10:26:57 -1000
Samsung has concluded its investigation involving the 2016 Galaxy Note 7
fires, and has determined that two different flaws resulted in the
conflagrations in the failing devices, with one creeping in after a
too-quick investigation:

http://appleinsider.com/articles/17/01/22/galaxy-note-7-investigation-concludes-pair-of-issues-will-cost-samsung-5-billion


Galaxy Note 7 Fires Caused by Battery and Design Flaws, Samsung Says

Monty Solomon <monty@roscom.com>
Mon, 23 Jan 2017 10:08:48 -0500
https://www.nytimes.com/2017/01/22/business/samsung-galaxy-note-7-battery-fires-report.html

See also
http://arstechnica.com/gadgets/2017/01/galaxy-note-7-investigation-blames-small-battery-cases-poor-welding/


Verizon remotely disables remaining Galaxy Note 7 phones

Kelly Bert Manning <Kelly.Manning@ncf.ca>
Thu, 26 Jan 2017 13:17:16 -0500 (EST)
How much true value is there in an expensive product that becomes useless
when the original battery needs replacement or is found to be unsafe to use?

Normally having a battery is a good thing even if you run on utility power
most of the time. I've used employer-supplied laptops with dialup VPN
connections to carry on work during power outages. I also bought a
personal-use XP laptop with a dead battery, but it still runs with Tails OS,
connected to a wall plug, when I travel or have to use a wireless or
untrustworthy wired connection during local conferences.

The Phoebus Cartel might be considered a historical anomaly, but for the auto
industry planned obsolescence was a high-priority corporate goal long before
Apple began persuading people to purchase and discard electronic gimcracks
every year or two. Now we see firmware becoming an integral part of
expensive consumer purchases for big-ticket Internet-connected things such
as cars, clothes washers and refrigerators. The VW emissions firmware
scandal shows that we should not trust corporations.

The right of consumers and consumer protective organizations to analyze
firmware and to block unwanted updates should be given legal protection, not
restricted. If it isn't we will never know whether our car or clothes washer
stopped working because it was worn out, or because the maker told it to
stop working.


"HP recalls over 100,000 more laptop batteries for fire hazard" (Agam Shah)

Gene Wirchenko <genew@telus.net>
Thu, 26 Jan 2017 09:07:39 -0800
Agam Shah, InfoWorld, 24 Jan 2017
The move expands a recall that was first announced last year
http://www.infoworld.com/article/3161135/computers/hp-recalls-over-100000-more-laptop-batteries-for-fire-hazard.html

opening text:

HP is expanding its recall of laptop batteries with overheating issues that
can cause computer damage and even fire.

The company is recalling an additional 101,000 batteries in some laptops
sold between March 2013 through October 2016. This is an expansion of the
recall initiated in June 2016, which involved HP recalling 41,000 batteries.

The batteries are in laptop brands including HP, Compaq, ProBook, Envy,
Compaq Presario, and Pavilion laptops. Battery packs sold separately are
also affected.


"Cisco scrambling to fix a remote code execution problem in Webex" (Tim Greene)

Gene Wirchenko <genew@telus.net>
Thu, 26 Jan 2017 09:11:44 -0800
Tim Greene, Network World, 25 Jan 2017
http://www.infoworld.com/article/3161515/security/cisco-scrambling-to-fix-a-remote-code-execution-problem-in-webex.html

There's no workaround and no final patch for a critical bug that can
open up users' computers to remote code execution attacks

opening text:

Cisco's Webex Browser Extension contains a critical bug that can open up
customers' entire computers to remote code execution attacks if the browsers
visit websites containing specially crafted malicious code.

The company says it is in the process of correcting the problem, and has
apparently made a few initial steps toward a permanent fix. It says there is
no workaround available.


TOR servers misused for spam

Gerrit Muller <gerrit.muller@gmail.com>
Tue, 24 Jan 2017 16:31:30 +0100
I am running a simple website with a number of CGI-based forms for client
input or feedback. Over the years, I have been blocking spammers using
.htaccess, denying access to IP addresses that spam.  For about a month now,
the amount of spam via this website has increased by an order of magnitude,
if not more.

A significant increase in spam messages comes from Ukraine, Kazakhstan,
Russia, and other (former) Soviet or East European countries.

However, I also see an increase from sites where you wouldn't expect such bad
behavior, such as Microsoft and MIT. The response of the abuse departments
is that they cannot block them, since these are TOR-based servers. The
answer from MIT is copied below:

  ----start response---
  Hello.

  Thank you for the report.

  The IP address in question is a Tor exit node.
  https://www.torproject.org/overview.html

  There is little we can do to trace this matter further. As can be seen
  from the overview page, the Tor network is designed to make tracing of
  users impossible. The Tor network is run by some 5000 volunteers who use
  the free software provided by the Tor Project to run Tor routers.  Client
  connections are routed through multiple relays, and are multiplexed
  together on the connections between relays. The system does not record
  logs of client connections or previous hops.

  The Tor project does provide an automated DNSRBL for you to query to flag
  requests from Tor nodes as requiring special treatment:
  https://www.torproject.org/tordnsel/

  Regards,
  Security Operations, Massachusetts Institute of Technology
  IS&T | Operations & Infrastructure | Security Operations, security@mit.edu
  http://ist.mit.edu/secure
  ---end response---

The risk is that TOR servers, with their good intent of helping to protect
anonymity, will pollute regular Internet traffic.

Gerrit Muller, professor systems engineering, USN-NISE, Kongsberg, Norway
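The MIT response above points at the practical alternative to blocking exit addresses in .htaccess: query the Tor Project's DNS-based exit list (TorDNSEL) and give such requests special treatment. The following is an added example, not code from the original post, from MIT or from the Tor Project. It builds the DNSBL-style query name for a client address, asks a resolver, and returns a form-handling policy. The zone name dnsel.torproject.org and the 127.0.0.2 "listed" answer are assumptions about the current TorDNSEL service and must be checked against its documentation; the fake_resolver and the 192.0.2.0/24 addresses are constructed so the script runs offline.

```python
"""Flag (rather than block) CGI form submissions that arrive via Tor exits.

Added example for this RISKS item; not code from the original post, from
MIT or from the Tor Project.  The only Tor-specific fact it relies on is the
one in the quoted response: the Tor Project publishes a DNS-queryable list
of exit nodes.  The zone name and the 'listed' answer below are assumptions
and must be verified against the TorDNSEL documentation before use.
"""
import ipaddress
import socket
from typing import Callable, Optional

TORDNSEL_ZONE = "dnsel.torproject.org"   # assumed zone name; verify before use
LISTED_ANSWER = "127.0.0.2"              # assumed 'is a Tor exit' answer

Resolver = Callable[[str], Optional[str]]


def tordnsel_query_name(client_ip: str, zone: str = TORDNSEL_ZONE) -> str:
    """Build the DNSBL-style query name: IPv4 octets reversed, zone appended."""
    ip = ipaddress.IPv4Address(client_ip)  # raises AddressValueError on garbage
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolver(name: str) -> Optional[str]:
    """Resolve via the OS resolver; NXDOMAIN (not listed) is reported as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_tor_exit(client_ip: str, resolve: Resolver = system_resolver) -> bool:
    """True only when the list answers with the 'listed' address."""
    try:
        name = tordnsel_query_name(client_ip)
    except ipaddress.AddressValueError:
        return False   # unparsable input is never treated as listed
    return resolve(name) == LISTED_ANSWER


def form_policy(client_ip: str, resolve: Resolver = system_resolver) -> str:
    """Decide how a CGI form submission from client_ip is handled.

    An exit node is shared by many legitimate users, so a listed address gets
    'challenge' (CAPTCHA or a moderation queue), not an outright block.
    """
    return "challenge" if is_tor_exit(client_ip, resolve) else "accept"


def fake_resolver(name: str) -> Optional[str]:
    """Constructed stand-in resolver so the module runs offline.

    It pretends that 192.0.2.10 (documentation range, not a real exit node)
    is listed and that everything else is not.
    """
    listed = {tordnsel_query_name("192.0.2.10")}
    return LISTED_ANSWER if name in listed else None


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "not-an-ip"):
        print(ip, "->", form_policy(ip, fake_resolver))
```

Replace fake_resolver with system_resolver to query the real list; note that a DNSBL answer is a hint for policy, not proof of abuse, which is why the example escalates to a challenge instead of a deny.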


"OpenSSL issues new patches as Heartbleed still lurks" (Fahmida Y. Rashid)

Gene Wirchenko <genew@telus.net>
Fri, 27 Jan 2017 15:39:19 -0800
Fahmida Y. Rashid, InfoWorld, 27 Jan 2017
OpenSSL issues new patches as Heartbleed still lurks
The latest OpenSSL update may only address moderate-severity
vulnerabilities, but admins shouldn't get lax about staying current
with the patches
http://www.infoworld.com/article/3162426/security/openssl-issues-new-patches-as-heartbleed-still-lurks.html

selected text:

The OpenSSL Project has addressed some moderate-severity security flaws, and
administrators should be particularly diligent about applying the patches
since there are still 200,000 systems vulnerable to the Heartbleed flaw.

A disproportionate number of systems on this list were servers hosted on
Amazon Web Services. That may have more to do with the fact that it's easy
for anyone to spin up new AWS instances, than with an actual issue in
AWS. With IT security out of the loop, there's no one enforcing security
controls on what types of software to install when setting up the server,
which means there's nothing stopping the server owner from adding the
vulnerable version of OpenSSL to the stack. Some of the virtual servers may
be abandoned and forgotten, and since they were created outside of the IT
process, no one knows to look for them to check the OpenSSL version.

"If there are servers that are vulnerable, then it's because people aren't
aware they have them," said Mike Pittenger, vice president of strategy for
Black Duck Software.


White House kills their comment phone line, but a new one appears

Lauren Weinstein <lauren@vortex.com>
Fri, 27 Jan 2017 17:10:14 -0800
via NNSquad
It appears that the new administration has killed the traditional White
House public phone number for citizen comments at (202) 456-1111—now it
just tells you to hang up and use Facebook instead. But a new comment line
has appeared at a New York City number, which seems somehow appropriate:
(347) 781-4664.


Facebook is changing its Trending section to fight the spread of fake news

Lauren Weinstein <lauren@vortex.com>
Wed, 25 Jan 2017 13:00:51 -0800
  [Note: The term "fake news" (originally used to refer what is now
  sometimes called "alternative news") has also been pre-empted, and used
  to misrepresent "real news" by those to whom it is unpleasant.  PGN]

NNSquad

Facebook is changing its Trending section to fight the spread of fake news
https://www.recode.net/2017/1/25/14376734/facebook-trending-topics-update-fake-news

  Facebook is updating Trending, the section of the service that highlights
  popular topics being discussed on Facebook, to better prevent fake news
  stories from appearing there.  As part of the update, Facebook says it's
  going to stop pulling in trending topics that surface based off a single
  news report. Instead, it'll feature topics that have been covered by a
  number of media outlets, an attempt to avoid one-off fake news stories
  that get lots of people talking but haven't been vetted by other media
  organizations.  "We think it'll help [minimize] cases where maybe one
  specific story goes viral even if there might not be something real going
  on in the world about that story," said Will Cathcart, a VP of product
  management at Facebook.

Facebook continues to be in the lead fighting fake news, while Google lags
behind.


Massive networks of fake accounts found on Twitter (BBC)

Lauren Weinstein <lauren@vortex.com>
Fri, 27 Jan 2017 08:28:35 -0800
Via NNSquad
http://www.bbc.com/news/technology-38724082

  The largest network ties together more than 350,000 accounts and further
  work suggests others may be even bigger.  UK researchers accidentally
  uncovered the lurking networks while probing Twitter to see how people use
  it.  Some of the accounts have been used to fake follower numbers, send
  spam and boost interest in trending topics.


U.S. Park Service tweets were result of old Twitter passwords (Martyn Williams)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Wed, 25 Jan 2017 16:13:32 -0700
Martyn Williams, PC World, 25 Jan 2017
http://www.pcworld.com/article/3161718/government/us-park-service-tweets-were-result-of-old-twitter-passwords.html

Two instances of tweets from U.S. National Park Service accounts that became
political hot potatoes in the last few days were the result of bad password
management, according to officials.

"An unauthorized user had an old password in the San Francisco office and
went in and started retweeting things that were in violation of their
policy," [Sean Spicer] said of Saturday's incident.


Fake news costing advertisers reputation, ad dollars

Lauren Weinstein <lauren@vortex.com>
Fri, 27 Jan 2017 17:30:27 -0800
via NNSquad
Fake news costing advertisers reputation, ad dollars
http://www.enterpriseinnovation.net/article/fake-news-costing-advertisers-reputation-ad-dollars-2009959187

  Fake news is news today. Since the US presidential election began last
  year, fake news has taken center stage.  However, a new report from Forrester
  titled "Fake News: More Proof That Advertisers Must Choose Quality Over
  Quantity" noted that the real targets are advertisers and their purse
  strings—not the readers.  It is also creating a massive headache as ads
  are running into danger of being placed alongside news that can hurt brand
  reputations and even derail well-thought-out ad campaigns.


Report fake news at alt-facts.net

Lauren Weinstein <lauren@vortex.com>
Sun, 22 Jan 2017 16:22:12 -0800
NNSquad
In honor of the new "alternative facts" White House, you can now
report fake news at:
  https://alt-facts.net


Finding credibility clues on Twitter

Lauren Weinstein <lauren@vortex.com>
Fri, 27 Jan 2017 12:14:29 -0800
NNSquad
https://www.sciencedaily.com/releases/2017/01/170127131306.htm

  By scanning 66 million tweets linked to nearly 1,400 real-world events,
  researchers have built a language model that identifies words and phrases
  that lead to strong or weak perceived levels of credibility on
  Twitter. Their findings suggest that the words of millions of people on
  social media have considerable information about an event's credibility --
  even when an event is still ongoing.


The real reason why Trump using an old Android phone should freak you out (BGR)

"Bob Frankston" <Bob19-0501@bobf.frankston.com>
26 Jan 2017 22:23:29 -0500
http://bgr.com/2017/01/26/donald-trumps-android-phone-security/


Donald Trump is using a private gmail account to secure the most powerful Twitter account in the world (Sam Biddle)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 26 Jan 2017 13:43:29 PST
January 26 2017, 12:54 p.m.
https://goo.gl/MYseKG

Trump's account is an obviously juicy target for such an attack,
representing what BuzzFeed's Joe Bernstein described as "a national
security disaster waiting to happen."  An unauthorized declaration of, say,
imminent hostilities or economic sanctions coming from the president's
official account could destabilize the entire world.  [The rest is fairly
scary.  PGN]


Voter fraud?

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 26 Jan 2017 16:44:12 PST
Steve Doocy (Fox News Co-host of Fox & Friends) apparently voted twice in
the Republican primaries.

https://twitter.com/tbonier/status/824702199678787584


Cellphone dependency

Neil Youngman <neil.youngman@googlemail.com>
Mon, 23 Jan 2017 13:41:57 +0000
The first article in RISKS-30.09 was about a Tesla driver being stranded
because he was out of cellphone coverage.  It was immediately followed by
Nissan's "solution" for situations that are too complex for self-driving
cars, which relies on their being able to contact a call centre.

We seem to be at risk of making our cars cellphone dependent.

Regular readers of RISKS will be aware of the limitations of cell phone
technology, not just in terms of coverage, but also in their vulnerability
to overloading and power loss particularly in crisis scenarios.


Re: CIA unveils new rules for collecting information on Americans (RISKS-30.10)

Mark F <mark49607@gmail.com>
Mon, 23 Jan 2017 08:19:53 -0500
I think this link should be included:

  "Central Intelligence Agency Intelligence Activities: Procedures Approved
  by the Attorney General Pursuant to Executive Order 12333"
  https://www.cia.gov/about-cia/privacy-and-civil-liberties/CIA-AG-Guidelines-Signed.pdf


Re: Nim Language Draws From Best of Python, Rust, Go, and Lisp (RISKS-30.10)

Amos Shapir <amos083@gmail.com>
Mon, 23 Jan 2017 11:45:50 +0200
While ease of development may be in the eye of the developer, I certainly
wouldn't commend for readability a language in which a blank in the wrong
place might completely change the meaning of a routine!


Re: Leap-seconds (Frankston, RISKS-30.09)

"John Levine" <johnl@iecc.com>
23 Jan 2017 02:17:58 -0000
> It's so weird to me that people **** all over leap seconds, but are fine
> with leap years and arbitrary timezone changes.

They're not at all the same.  Leap years are perfectly regular and
predictable, and timezones only affect the presentation of time, not the
calculations.

The problem with leap seconds is that they do affect the calculations, and
they're irregular and unpredictable.
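The distinction in the reply above, as an added illustration that is not part of either post: a leap year follows from a fixed rule, while a leap second exists only because it was announced, so any elapsed-time computation that spans one needs a table and otherwise comes out short. The leap-second list below is a constructed excerpt holding only the three most recent insertions (2012-06-30, 2015-06-30, 2016-12-31); a real implementation must load the full current table from IERS or tz data.

```python
"""Leap years are a rule; leap seconds are a table.

Added illustration for the leap-second thread; not code from the original
posts.  The leap-year test is the Gregorian rule.  LEAP_SECOND_DAYS is a
constructed excerpt (the last three insertions only); real code must load
the complete, current table from IERS or tz data.
"""
from datetime import date, datetime, timezone

EPOCH = datetime(2012, 1, 1, tzinfo=timezone.utc)

# Constructed excerpt: UTC dates whose final minute had a 61st second.
# No rule generates this list; it grows only by announcement.
LEAP_SECOND_DAYS = (date(2012, 6, 30), date(2015, 6, 30), date(2016, 12, 31))


def is_leap_year(year: int) -> bool:
    """Regular and predictable for any year, past or future."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def _posix_count(y, mo, d, h, mi, s) -> int:
    """POSIX-style seconds since EPOCH: every day has exactly 86400 seconds.

    The instant 23:59:60 cannot be represented, so it is folded onto the
    next 00:00:00 exactly as POSIX arithmetic would do.
    """
    t = datetime(y, mo, d, h, mi, min(s, 59), tzinfo=timezone.utc)
    return int((t - EPOCH).total_seconds()) + (1 if s == 60 else 0)


def utc_to_seconds(y, mo, d, h, mi, s) -> int:
    """True seconds since EPOCH, counting 23:59:60 where it existed.

    s == 60 is accepted only in the last minute of a listed leap-second day.
    """
    day = date(y, mo, d)
    if s == 60 and not (h == 23 and mi == 59 and day in LEAP_SECOND_DAYS):
        raise ValueError("no leap second at that instant")
    # One extra second for every leap second inserted before this day ends.
    inserted = sum(1 for ls in LEAP_SECOND_DAYS if ls < day)
    return _posix_count(y, mo, d, h, mi, s) + inserted


def true_elapsed(start, end) -> int:
    """Elapsed seconds between two (y, mo, d, h, mi, s) UTC tuples, table-aware."""
    return utc_to_seconds(*end) - utc_to_seconds(*start)


def posix_elapsed(start, end) -> int:
    """The same interval as naive POSIX arithmetic sees it (no leap seconds)."""
    return _posix_count(*end) - _posix_count(*start)


if __name__ == "__main__":
    span = ((2016, 12, 31, 23, 59, 59), (2017, 1, 1, 0, 0, 0))
    print("leap year 2016:", is_leap_year(2016), " 1900:", is_leap_year(1900))
    print("POSIX says", posix_elapsed(*span), "s; true elapsed", true_elapsed(*span), "s")
```

The one-second discrepancy in the last line is exactly the point of the reply: timezones only change how an instant is printed, but a leap second changes how many seconds separate two UTC timestamps, and no formula can tell you where the next one falls.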


Re: Japan testing USB phone charging in public buses (Baker, RISKS-30.10)

Andrew Duane <e91.waggin@gmail.com>
Mon, 23 Jan 2017 09:09:36 -0500
> What could possibly go wrong?  It is well known that the NSA—as well as
> other nation-state actors—place malicious USB chargers in public places
> that can infect computers and phones that are attached.

As someone who travels a lot for business, sometimes to relatively unknown
places for me, this is exactly why I carry such a "condom". It's simply a
couple of clearly marked USB cables that don't have any data lines in them.
They are power-only. Now I don't have to care what USB port I plug in to,
whether it's a public charging station or a friendly stranger's laptop.

OK, the problem of a high-voltage USB killer isn't solved by this, but
that's not my threat model (yet).
http://www.theregister.co.uk/2015/10/14/sneaky_220v_usb_fries_laptops/
