The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 12

Wednesday 1 February 2017

Contents

Network-enabled ICBMs for the USAF?
John Dallman
Quantum Computers Versus Hackers, Round One
WiReD via Werner U
Hackers Use New Tactic at Austrian Hotel: Locking the Doors
Dan Bilefsky
Hotels and electronics
Benoit Goas
Hackers hit DC CCTV's Jan. 12-15, 2017
Clarence Williams via Henry Baker
Everything I Need to Know about Russia's Internet Interference I Learned Through College Pranks
Sean Havey
"FBI request for Twitter account data may have overstepped legal guidelines"
Dustin Volz
Severe vulnerability in Cisco's WebEx extension for Chrome leaves PCs open to easy attack
PC World
Voter fraud?
PGN
The future of fake news is real-time video manipulation
Nick Bilton
Intentionally or not, big brands help fund fake news
Star Tribune
alt-facts.net site
Arthur T.
Re: "The missile may have veered ... towards the US"
Chris Drewe
Re: United Airlines resumes flights after temporary ground order
Mark
Re: Nim Language Draws From Best of Python, Rust, Go, and Lisp
Wols
John Levine
Data Privacy Day: know the risks of Amazon Alexa and Google Home
Naked Security
Info on RISKS (comp.risks)

Network-enabled ICBMs for the USAF?

"John Dallman" <jgd@cix.co.uk>
Sat, 28 Jan 2017 19:32 +0000 (GMT Standard Time)
"The fact that future nuclear weapons will be far more networked (though not
necessarily to the open Internet) will create better safety and oversight,
and allow for more coordinated operations. But more connectivity also
introduces new potential vulnerabilities and dangers."

https://www.theatlantic.com/amp/article/511904/

The idea that connectivity to the Internet wasn't rejected out of hand seems
to indicate that the Air Force Scientific Advisory Board needs replacing
very firmly.

A blogger at the US Naval Institute certainly thinks so:

<https://blog.usni.org/2017/01/04/there-are-bad-ideas-and-then-there-is-this-bad-idea>

"Some support systems? Sure, but command, control, mission loading, arming,
and launch must be contained in a robust, hardened, isolated & closed
system. Simple, almost primitive, with multiple physical human interfaces
required. To be even thinking of network access to the weapons systems
themselves is the height of irresponsibility; even more irresponsible than a
reliance on GPS or satellite systems as a point of failure between
authorization, launch, and "servicing the target." Ahem."

ICBMs as part of the IoT is, I'm pretty sure, the worst idea I've seen on
the Internet since I started using it in 1992.


Quantum Computers Versus Hackers, Round One (WiReD)

Werner U <werneru@gmail.com>
Tue, 31 Jan 2017 09:36:54 +0100
(WiReD, 27 Jan 2017)

  [Peter, I'm feeling ambivalent about calling attention to this article,
  'popular' in tone, but it does a decent enough job of explaining the
  basics...  and while there is 'business hype' in the name-dropping and
  describing the possibilities, the author also is fair in pointing out the
  difficult and uncertain blessings of the technology...  take a look-see
  and decide if and how you want to use it.]

Quantum Computers Versus Hackers, Round One. Fight!
https://www.wired.com/2017/01/quantum-computers-versus-hackers-round-one-fight/

Lily Hay Newman, *WiReD*, 27 Jan 2017

This week D-Wave, a leader in the nascent field of quantum computing,
unveiled its latest machine, D-Wave 2000Q, as well as its first customer: a
cybersecurity firm called Temporal Defense Systems.  It's the first time
quantum has been used to fight cybercrime, and if it works, it could reshape
how security analysts protect their networks from harm.

[...] D-Wave's customers for earlier models range from Lockheed Martin to
Google to Los Alamos National Laboratory.  Now TDS, a cybersecurity company
that builds hardware and software security products, will be the first
private security business to seek improved results through next-generation
computing. [...]  Quantum computing is far from a proven tool at this point,
and it's just one of a handful of next-generation computing solution being
applied to thorny cybersecurity issues. The more opportunities it has to
transform the world, though, the better the chance that it eventually will.


Hackers Use New Tactic at Austrian Hotel: Locking the Doors (Dan Bilefsky)

geoff goodfellow <geoff@iconia.com>
Mon, 30 Jan 2017 16:40:02 -1000
Dan Bilefsky, *The New York Times*, 30 Jan 2017
https://www.nytimes.com/2017/01/30/world/europe/hotel-austria-bitcoin-ransom.html

The ransom demand arrived one recent morning by email, after about a dozen
guests were locked out of their rooms at the lakeside Alpine hotel in
Austria.  (The hotel was at maximum capacity.)

The electronic key system at the picturesque Romantik Seehotel Jaegerwirt
had been infiltrated, and the hotel was locked out of its own computer
system, leaving guests stranded in the lobby, causing confusion and panic.

“Good morning!'' the email began, according to the hotel's managing
director, Christoph Brandstaetter. It went on to demand a ransom of two
Bitcoins, or about $1,800, and warned that the cost would double if the
hotel did not comply with the demand by the end of the day, 22 Jan.
Mr. Brandstaetter said the email included details of a Bitcoin wallet, the
account in which to deposit the money—and ended with the words, “Have a
nice day!''

With the 111-year-old hotel brimming with eager skiers, hikers and
vacationers, some having paid about $530 for a suite with a panoramic view
and sauna, Mr. Brandstaetter said he decided to cave in.

Guests had already complained that their electronic room keys were not
working, and receptionists' efforts to create new ones had proved futile.
Bashing down the doors was not an option.

Security experts said the attack on the hotel appeared to be a novel example
of an increasingly malicious and prevalent type of modern-day piracy.

The weapon? A type of software known as ransomware...

  [Jim Reisert AD1C noted another article,
  Hotel ransomed by hackers as guests locked in rooms (Chris Summers)
http://www.dailymail.co.uk/news/article-4163886/Alpine-hotel-brings-locks-cyber-hacking.html
  Benoit Goas noted
    https://www.theregister.co.uk/2017/01/30/austrian_hotel_ransomware_attack/
  ]


Hotels and electronics

Benoit Goas <goasben@hawk.iit.edu>
Tue, 31 Jan 2017 23:01:18 +0100
I recently was in a brand new hotel (around a week old), and their computer
systems crashed the day I checked in, preventing them to know which room got
cleaned or not. The room I was first given indeed wasn't made, but at least
nobody else was in... Not sure if they could know that!  They also had a big
computer screen to display the next bus hours, which at one point later
displayed only a pop-up screen with "your 7 day anti-virus trial version
expired".

Nothing really dangerous (as long as you don't need electronic keys to
exit the rooms), but it can be more reliable to keep older technology!


Hackers hit DC CCTV's Jan. 12-15, 2017

Henry Baker <hbaker1@pipeline.com>
Sat, 28 Jan 2017 16:34:36 -0800
  [I wonder if this hack is related to any of the other recent high-profile
  Internet-wide CCTV hacks.]

Here's a non-sequitur:

"the intrusion was confined to the police CCTV cameras that monitor public
areas"

"the safety of the public or protectees was never jeopardized"

If this conclusion were really true, then a "security theater" camera would
be just as effective as a real camera, and they needn't have bothered fixing
the cameras !

Clarence Williams, *The Washington Post*, 27 Jan 2017
Hackers hit D.C. police closed-circuit camera network, city officials disclose
https://www.washingtonpost.com/local/public-safety/hackers-hit-dc-police-closed-circuit-camera-network-city-officials-disclose/2017/01/27/d285a4a4-e4f5-11e6-ba11-63c4b4fb5a63_story.html

Hackers infected 70 percent of storage devices that record data from
D.C. police surveillance cameras eight days before President Trump's
inauguration, forcing major citywide reinstallation efforts, according to
the police and the city's technology office.

City officials said ransomware left police cameras unable to record between
Jan. 12 and Jan. 15.  The cyberattack affected 123 of 187 network video
recorders in a closed-circuit TV system for public spaces across the city,
the officials said late Friday.

Secret Service spokesman Brian Ebert said the safety of the public or
protectees was never jeopardized.

Archana Vemulapalli, the city's Chief Technology Officer, said the city paid
no ransom and resolved the problem by taking the devices offline, removing
all software and restarting the system at each site.

An investigation into the source of the hack continues, said Vemulapalli,
who said the intrusion was confined to the police CCTV cameras that monitor
public areas and did not extend deeper into D.C. computer networks.  [...]


Everything I Need to Know about Russia's Internet Interference I Learned Through College Pranks

"dfarber" <dfarber@me.com>
Sat, 28 Jan 2017 18:26:57 -0500
http://www.defenseone.com/ideas/2017/01/everything-i-need-know-about-russias-internet-interference-i-learned-through-college-pranks/134953/?oref=d-river

Sean Havey
It's not terribly difficult to inject fake news into conversation.

One February, as a snowstorm headed for the Carolinas, a Raleigh television
station debuted a Web form meant to allow local schools and businesses to
send cancellations and snow delays straight to the live TV feed.  Someone
posted the URL to an unofficial university message board, and within
minutes, mayhem erupted in the margins of the nightly news:
<http://www.thewolfweb.com/message_topic.aspx?topic=180137&page=2>
<https://www.youtube.com/watch?v=WcO3pyge-8w>

But while our antics caused little damage aside from a few embarrassed faces
in the newsroom, not everyone uses fake news for lulz. As recent events
show, sinister actors use the same tricks to spread misinformation and
deception—with potentially disastrous consequences.


"FBI request for Twitter account data may have overstepped legal guidelines" (Dustin Volz)

Gene Wirchenko <genew@telus.net>
Mon, 30 Jan 2017 09:25:39 -0800
Dustin Volz, Reuters, 27 Jan 2017
http://www.businessinsider.com/r-fbi-request-for-twitter-account-data-may-have-overstepped-legal-guidelines-2017-1

selected text:

WASHINGTON, Jan 27 (Reuters) - The FBI appeared to go beyond the scope of
existing legal guidance in seeking certain kinds of Internet records from
Twitter as recently as last year, legal experts said, citing two warrantless
surveillance orders the social media company published on Friday.

Twitter said its disclosures were the first time the company had been
allowed to publicly reveal the secretive orders, which were delivered with
gag orders when they were issued in 2015 and 2016.

In doing so, the orders bolster the belief among privacy advocates that the
FBI has routinely used NSLs to seek Internet records beyond the limitations
set down in a 2008 Justice Department legal memo, which concluded such
orders should be constrained to phone billing records.

The FBI did not immediately respond to a request for comment. An FBI
inspector general report from 2014 indicated that it disagreed with the
memo's guidance.


Severe vulnerability in Cisco's WebEx extension for Chrome leaves PCs open to easy attack

Monty Solomon <monty@roscom.com>
Sat, 28 Jan 2017 11:28:07 -0500
http://www.pcworld.com/article/3160836/software/severe-vulnerability-in-ciscos-webex-extension-for-chrome-leaves-pcs-open-to-easy-attack.html


Voter fraud?

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 28 Jan 2017 16:32:30 PST
Several highly visible Republicans (including Tiffany Trump, Steve Bannon,
Steven Mnuchin) are registered in more than one state.  That's not illegal,
although Bannon apparently never lived in the house in Florida at which he
was registered.  That's illegal.  (R 30 12)

http://www.usnews.com/news/national-news/articles/2017-01-25/tiffany-trump-steve-bannon-steve-mnuchin-registered-to-vote-in-multiple-states

  [Additional names seem to be cropping up as well.]


The future of fake news is real-time video manipulation (Nick Bilton)

Lauren Weinstein <lauren@vortex.com>
Tue, 31 Jan 2017 21:15:12 -0800
Nick Bilton, BoingBoing via NNSquad
http://boingboing.net/2017/01/31/the-future-of-fake-news-is-rea.html

  Nick Bilton reports on the next round of fake news tools that allow users
  to manipulate audio and video to change what's being said, a sort of
  real-time Photoshop for moving images and audio. Want to make it look like
  a celebrity used a taboo word, or misquote a politician?  No problem.


Intentionally or not, big brands help fund fake news

Lauren Weinstein <lauren@vortex.com>
Sat, 28 Jan 2017 08:53:12 -0800
AP via NNSquad
http://m.startribune.com/intentionally-or-not-big-brands-help-fund-fake-news/412040223/?section=nation

  Wittingly or not, major global corporations are helping fund sites that
  traffic in fake news by advertising on them.  Take, for instance, a story
  that falsely claimed former President Barack Obama had banned Christmas
  cards to overseas military personnel. Despite debunking by The Associated
  Press and other fact-checking outlets, that article lives on at "Fox News
  The FB Page," which has no connection to the news channel although its
  bears a replica of its logo.  And until recently, the story was often
  flanked by ads from big brands such as the insurer Geico, the
  business-news outlet Financial Times, and the beauty-products maker
  Revlon.  This situation isn't remotely an isolated case, although major
  companies generally say they have no intention of bankrolling purveyors of
  fake news with their ad dollars.  Because many of their ads are placed on
  websites by computer algorithms, it's not always easy for these companies
  to steer them away from sites they find objectionable.


alt-facts.net site (RISKS-30.11)

"Arthur T." <Risks201701.10.atsjbt@xoxy.net>
Sat, 28 Jan 2017 14:13:16 -0500
That, in turn, links to a Google Groups Form, which requires active
scripting and cookies. Given that Risks readers know the Risks of active
scripting (and the privacy implications of anything hosted by Google), I'm
surprised he thought it worthwhile to announce this here. Or is it just a
test to see how many of us will browse unsafely just to submit a fake news
site?

  [Intriguingly, Lindsay Marshall's newcastle site that houses the official
  searchable RISKS archive barfed on this item, blocking it perhaps because
  the website was brand new.  PGN]


Re: "The missile may have veered ... towards the US" (RISKS-30.05)

Chris Drewe <e767pmk@yahoo.co.uk>
Sun, 29 Jan 2017 19:26:12 +0000
1. This story rumbled on over several days last week.  As I understand it,
   the missile was unarmed and officially the test was to check the
   submarine's launch capability rather than the missile itself.  The main
   news interest was who knew what and when, fueled by conflicting reports
   from UK and US commentators and governments, UK Prime Minister Theresa
   May evasively not answering questions about it in a TV interview, "we
   don't comment on security matters", etc.  Presumably 'UK Unintentionally
   Launches Missile Attack On US' makes a better headline than 'Problem
   Found During Routine Test Firing'...  :o)

http://www.telegraph.co.uk/news/2017/01/23/theresa-may-briefed-trident-missile-test-allegedly-misfired2/

2. Maybe I'm missing something, but I find the recent posts in
   RISKS on "fake news", "alternative news", "real news", and so
   forth rather ridiculous—can news reports be definitively
   graded as 'true' or not!??!

The Royal Society has this on their web site, which seems right to me:

> The Royal Society's motto 'Nullius in verba' is taken to mean 'take
> nobody's word for it'.

https://royalsociety.org/about-us/

Tediously long article at
http://www.telegraph.co.uk/news/2017/01/23/theresa-may-briefed-trident-missile-test-allegedly-misfired2/


Re: United Airlines resumes flights after temporary ground order (RISKS-30.11)

Mark <gumpfs@gmail.com>
Sun, 29 Jan 2017 10:15:26 -0800
The link to ACARS went down, resulting in an inability for the company to
send weight and balance information or communicate with aircraft via
datalink.  I don't know what specific part of the system failed.


Re: Nim Language Draws From Best of Python, Rust, Go, and Lisp (Shapir, RISKS-30.11)

Wols Lists <antlists@youngman.org.uk>
Sat, 28 Jan 2017 17:01:26 +0000
> While ease of development may be in the eye of the developer, I certainly
> wouldn't commend for readability a language in which a blank in the wrong
> place might completely change the meaning of a routine!

This is an old chestnut. How many people remember PL/1? That was intended to
be the ultimate programming language, iirc, and I found it a nice language,
but it had a similar reputation.

A misplaced parenthesis ran a serious risk of still leaving you with a valid
program, but one that did something completely different from what you
intended. Caused by the massive overloading of the meaning of said
character.


Re: Nim Language Draws From Best of Python, Rust, Go, and Lisp (RISKS-30.10,11)

"John Levine" <johnl@iecc.com>
28 Jan 2017 20:25:00 -0000
I spent decades programming in languages like C and perl that marked
grouping with { braces } and now mostly use python which uses indentation.
While it took a little while to get used to it, now I find the python way
works at least as well.  Compilers remember the open levels of indentation
so they can diagnose spacing typos where you return to an indentation level
that was never opened, something C and perl can't do since all braces look
the same.

It also avoids a whole category of hard to find bugs in C programs where the
indentation suggests one thing but the braces say something else.

I think the moral here is that just because something is unfamiliar doesn't
mean it's worse.  I'm reminded of a famous article Don Norman wrote in 1981
about how awful the UNIX shell language (which at that time was the user
interface) was. One of the UNIX guys pointed out that commands he complained
weren't "natural" were because they weren't like the PDP-10 he was used to.


Data Privacy Day: know the risks of Amazon Alexa and Google Home (Naked Security)

Monty Solomon <monty@roscom.com>
Sat, 28 Jan 2017 11:25:36 -0500
https://nakedsecurity.sophos.com/2017/01/27/data-privacy-day-know-the-risks-of-amazon-alexa-and-google-home/

Please report problems with the web pages to the maintainer