The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 19

Tuesday 21 March 2017

Contents

Britain's surveillance agency slaps down claim it was involved in Trump 'wiretap'
The WashPo
Justice Department charges Russian spies and criminal hackers in Yahoo intrusion
The WashPo
Inside the Russian hack of Yahoo: How they did it
CSO Online
Facebook just made it harder for you to share fake news
The Telegraph
A Small Table Maker Takes On Alibaba's Flood of Fakes
The NYTimes
"How to Counterfeit Quantum Money"
CORDIS News
Two Dead After T-Mobile 'Ghost Calls' Flood 911 Center in Texas
Gizmodo
"Security breach fears over 26 million NHS patients"
Laura Donnelly
Install this FREE android application and go to jail
tk
Court Orders ISP To Hand Over Identities Behind 5,300 IP Addresses To Copyright Trolls
torrentfreak/slashdot
Man in Trouble Due to Police IP Address Error
*Metro* via Chris Drewe
USAF had their own dataloss going on, recently...
ZDNet
Govt. Cybersecurity Contractor Hit in W-2 Phishing Scam
Krebs
Expert: Apple may have deployed unauthorized patch by mistake
CSO Online
Re: Avast Cybercapture of personal files
Barry Gold
Re: A warning from Bill Gates, Elon Musk, and Stephen Hawking
Notatla
Arthur Flatau
Re: self-checkout at grocery stores
David Lamkin
Re: automation, restaurants, and industrial robots
Kelly Bert Manning
CRISPR assassinations
Gene Spafford
Re: Science
Wendy M. Grossman
Info on RISKS (comp.risks)

Britain's surveillance agency slaps down claim it was involved in Trump 'wiretap'

Lauren Weinstein <lauren@vortex.com>
Fri, 17 Mar 2017 08:11:05 -0700
NNSquad
https://www.washingtonpost.com/news/worldviews/wp/2017/03/17/britains-gchq-breaks-its-silence-to-slap-down-claim-it-was-involved-in-trump-wiretap/

  The Daily Telegraph, a right-leaning British newspaper, said on Friday
  that intelligence sources told the paper that Spicer and Lt. Gen. H.R.
  McMaster, Trump's national security adviser, have apologized for the
  claims.  "The apology came direct from them," a source told the paper.
  There was no immediate comment from the Trump administration.  Meanwhile,
  a spokesman for Theresa May, the British prime minister, did not confirm
  that an apology had been made. But he did say that the White House had
  given assurances—to the British ambassador in Washington and the prime
  minister's national security adviser—that the allegations that GCHQ had
  spied on Trump won't be repeated.  Analysts said that GCHQ's unusual
  reaction was an attempt to distance itself from the raging debate in the
  U.S.  "They really don't want to get drawn into the toxic contest going on
  between the administration and the intelligence agencies in the U.S.,"
  said Ewan Lawson, a senior research fellow at the Royal United Services
  Institute. "They want to put some pretty clear space between them."  He
  noted that the agency's quick, robust statement was unusual, but to stay
  silent "would give space to conspiracy theorists."


Justice Department charges Russian spies and criminal hackers in Yahoo intrusion

Lauren Weinstein <lauren@vortex.com>
Wed, 15 Mar 2017 09:44:14 -0700
https://www.washingtonpost.com/world/national-security/justice-department-charging-russian-spies-and-criminal-hackers-for-yahoo-intrusion/2017/03/15/64b98e32-0911-11e7-93dc-00f9bdd74ed1_story.html

  The Justice Department announced Wednesday the indictments of two Russian
  spies and two criminal hackers in connection with the heist of 500 million
  Yahoo user accounts in 2014, marking the first U.S.  criminal cyber
  charges ever against Russian government officials.  The indictments target
  two members of the Russian intelligence agency FSB, and two hackers hired
  by the Russians.  The charges include hacking, wire fraud, trade secret
  theft and economic espionage, according to officials.  The indictments are
  part of the largest hacking case brought by the United States.


Inside the Russian hack of Yahoo: How they did it

Monty Solomon <monty@roscom.com>
Sun, 19 Mar 2017 12:29:39 -0400
http://www.csoonline.com/article/3180762/data-breach/inside-the-russian-hack-of-yahoo-how-they-did-it.html


Facebook just made it harder for you to share fake news

Lauren Weinstein <lauren@vortex.com>
Tue, 21 Mar 2017 12:14:55 -0700
NNSquad
http://www.telegraph.co.uk/technology/2017/03/20/facebook-just-made-harder-share-fake-news/

  Some Facebook users in the United States have reported seeing a pop-up
  window appear when an article is disputed by third-party fact checkers.


A Small Table Maker Takes On Alibaba's Flood of Fakes

Monty Solomon <monty@roscom.com>
Sun, 19 Mar 2017 21:20:05 -0400
http://www.nytimes.com/2017/03/18/business/alibaba-fake-merchandise-e-commerce.html

With his computer and simple software, Greg Hankerson hunts for counterfeits
and seeks other small businesses willing to fight a Chinese e-commerce
giant.


"How to Counterfeit Quantum Money"

"ACM TechNews" <technews-editor@acm.org>
Fri, 17 Mar 2017 12:13:55 -0400 (EDT)
CORDIS News (16 Mar 2017) via ACM TechNews, 17 Mar 2017

Researchers in Poland and the Czech Republic have theoretically shown that
ultrasecure currency designed using quantum mechanics can be forged by
exploiting a serious security flaw.  The quantum money was minted
photonically, with a series of photons transmitted to a bank using their
polarizations to encode information.  Criminals intercepting the photons
would find accurate counterfeiting impossible because duplicating quantum
data is imperfect.  However, because individual photons can be missed or
distorted in transmission, banks accept partial quantum bills, which gives
crooks an opening to make imperfect forgeries that are still similar enough
for banks to verify them.  Using an optimal cloner, the researchers
demonstrated a bank would accept forged quantum currency if the standard for
accuracy was not sufficiently high.  They say an effective standard for
acceptance would require the received photons' polarizations to be more than
approximately 84-percent identical to the original.
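  [Added worked example, not from the CORDIS item or the underlying paper:
  a binomial model of the bank's acceptance test.  It assumes each received
  photon independently matches the original with some probability, that
  the bank accepts a bill when at least a threshold fraction of received
  photons match, and that a forger using the optimal universal 1-to-2
  qubit cloner achieves per-photon fidelity 5/6 (the standard figure for
  that cloner, consistent with the "approximately 84 percent" above).  The
  photon counts, thresholds and function names are the example's own.]

```python
import math
from typing import List


def binomial_pmf(n: int, p: float) -> List[float]:
    """P(K = k) for k = 0..n, computed in log space so that n in the
    thousands does not underflow p**k to zero."""
    if p <= 0.0:
        return [1.0] + [0.0] * n
    if p >= 1.0:
        return [0.0] * n + [1.0]
    lp, lq = math.log(p), math.log1p(-p)
    lg_n = math.lgamma(n + 1)
    pmf = []
    for k in range(n + 1):
        log_pmf = (lg_n - math.lgamma(k + 1) - math.lgamma(n - k + 1)
                   + k * lp + (n - k) * lq)
        pmf.append(math.exp(log_pmf))
    return pmf


def accept_probability(n: int, p_match: float, threshold: float) -> float:
    """Probability the bank accepts an n-photon bill when each photon
    matches independently with probability p_match and the bank demands
    at least a fraction `threshold` of matches (partial bills accepted)."""
    need = math.ceil(threshold * n - 1e-9)
    pmf = binomial_pmf(n, p_match)
    return min(1.0, sum(pmf[need:]))


def safe_threshold(n: int, forger_fidelity: float,
                   max_forgery_accept: float) -> float:
    """Smallest acceptance fraction k/n such that a forger whose copies
    match with probability forger_fidelity is accepted with probability at
    most max_forgery_accept.  Walks the upper tail of the forger's binomial
    once, so it is O(n)."""
    pmf = binomial_pmf(n, forger_fidelity)
    tail = 0.0
    for k in range(n, -1, -1):
        tail += pmf[k]
        if tail > max_forgery_accept:
            return (k + 1) / n
    return 0.0


CLONER_FIDELITY = 5.0 / 6.0   # assumption: optimal universal 1->2 qubit cloner
CHANNEL_MATCH = 0.95          # constructed: genuine photons surviving intact


if __name__ == "__main__":
    for n in (100, 1000, 10000):
        for t in (0.80, 0.85, 0.90):
            forged = accept_probability(n, CLONER_FIDELITY, t)
            genuine = accept_probability(n, CHANNEL_MATCH, t)
            print(f"n={n:6d} threshold={t:.2f} "
                  f"P(accept forged)={forged:.3e} P(accept genuine)={genuine:.3f}")
        print(f"n={n:6d} threshold needed to hold forgery acceptance "
              f"below 1e-6: {safe_threshold(n, CLONER_FIDELITY, 1e-6):.3f}")
```

  The point the table makes: with the threshold below the cloner's
  fidelity (0.80 here) the forged bill passes almost always, while a
  threshold above it drives forgery acceptance toward zero as the bill
  gets longer, which is why the required standard sits just above the
  cloner fidelity rather than at 100 percent (which would reject genuine
  bills that lost photons in transit).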


Two Dead After T-Mobile 'Ghost Calls' Flood 911 Center in Texas

Lauren Weinstein <lauren@vortex.com>
Thu, 16 Mar 2017 09:50:09 -0700
NNSquad
http://gizmodo.com/two-dead-after-t-mobile-ghost-calls-flood-911-center-in-1793332222

  T-Mobile is just the latest mobile carrier to deal with problematic 911
  calls, but this time, the problems are bad.  Like so bad, people are
  dying. This month, numerous "ghost calls" from T-Mobile numbers flooded
  911 call centers in Texas and have been linked to two deaths.  And
  although the calls originated from T-Mobile devices, people using all
  carriers were unable to reach 911 dispatchers during the incidents.
  Scarier still, nobody knows what's causing them.

  [Also noted by Mark Brader, who asks Why Only One City?:
    T-Mobile bug blamed for deaths of 911 callers in Dallas
http://www.washingtonpost.com/news/morning-mix/wp/2017/03/16/t-mobile-ghost-calls-clog-dallas-911-families-blame-backlog-for-deaths/
  ]


"Security breach fears over 26 million NHS patients"

Chris Drewe <e767pmk@yahoo.co.uk>
Sun, 19 Mar 2017 22:40:09 +0000
Laura Donnelly, Health Editor, *The Telegraph*, 17 Mar 2017
 <http://www.telegraph.co.uk/authors/laura-donnelly/>,
http://www.telegraph.co.uk/news/2017/03/17/security-breach-fears-26-million-nhs-patients/

The medical records of 26 million patients are embroiled in a major security
breach amid warnings that the IT system used by thousands of GPs is not
secure.

The investigation centres on one of the most popular computer systems used
by GPs.

Unbeknown to doctors, switching on "enhanced data sharing"—so records
could be seen by the local hospital—meant they can also be accessed by
hundreds of thousands of workers across the country.

It means receptionists, clerical staff, healthcare assistants and medics
working in pharmacies, hospitals, GP surgeries, care homes and prisons can
look up sensitive information about individuals - even if there is no
medical reason to do so.

Patients would not have been told their records were available in this way,
and information could be accessed for malicious reasons, or fall into
criminal hands, privacy experts warned.


Install this FREE android application and go to jail

tk <tkalama1@gmail.com>
Thu, 16 Mar 2017 09:18:25 +0300
In Turkey, the intelligence community is searching and arresting anyone that
has downloaded a free android application called "Bylock".

Hundreds of people who have used this program were arrested after the
ruling party AKP declared that it was the means of communication of the
members of the Gulen sect. Gulen was once a partner of the AKP regime, but
they have since had a falling out with Erdogan, presumably over the
control of loot, er, funds of Turkey.

The latest development was the arrest of 25 people who were found to have
used this program (in Turkish):

http://www.cumhuriyet.com.tr/haber/turkiye/699620/25_ilde__ByLock__operasyonu__52_tutuklama.html


Court Orders ISP To Hand Over Identities Behind 5,300 IP Addresses To Copyright Trolls (torrentfreak/slashdot)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Thu, 16 Mar 2017 19:40:27 -0500
Sweden's new Patent and Market Court, that was formed last year to handle
specialist copyright complaints, handed down a ruling on Friday. It grants
Njord and its partners the right to force ISP Telia to hand over the
personal details of subscribers behind thousands of IP addresses, despite
the ISP's objections. [...]

claims that each unlawfully downloaded and shared a range of movie titles
including CELL, IT, London Has Fallen, Mechanic: Resurrection, Criminal and
September of Shiraz. [...]

https://yro.slashdot.org/story/17/03/15/209256/court-orders-isp-to-hand-identities-behind-5300-ip-addresses-to-copyright-trolls


Man in Trouble Due to Police IP Address Error

Chris Drewe <e767pmk@yahoo.co.uk>
Sat, 18 Mar 2017 17:49:39 +0000
There was a small item in the 'Metro' giveaway newspaper for March 14th
(can't find it on-line but http://metro.co.uk/) about a guy from Sheffield,
England, who was arrested and bailed under strict conditions by the police
in July 2011 suspected of illegally downloading images of child abuse.  It
turned out that the police's request to the ISP had erroneously had an extra
digit added to the IP address, so he was mistakenly put under investigation.
After a long legal battle he won a significant sum in compensation, though
the suspicion remains forever.

Now that much criminal evidence is increasingly based on computer records --
not just web surfing and e-mail traffic details but also utility bills,
telephone usage, and such like—one wonders how this sort of RISK can be
handled.  On one hand, there's the chance of genuine errors causing innocent
people to be caught up as shown above, while on the other hand it may be
easier to fabricate 'evidence' to maliciously get people into trouble.  How
easy is it to challenge this sort of thing in court?  After all, most
Internet users probably wouldn't know what their IP address is, or even what
an IP address is.
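[Added example, not part of Chris Drewe's note: the slip he describes is
one extra digit in an address, and the example first shows why the ISP
cannot catch that from the string alone (most single-digit insertions
into a dotted quad are themselves valid addresses belonging to someone
else), then a check value a requesting authority could attach so that
a copying error, or a fabricated request, fails verification at the ISP.
The address, timestamp, key and the token format are constructed for the
example; nothing here describes the actual police or ISP procedure.]

```python
import hashlib
import hmac
import ipaddress
from typing import List


def is_valid_ipv4(text: str) -> bool:
    """True if text parses as a dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return True


def single_digit_insertions(ip: str) -> List[str]:
    """Distinct addresses obtained by inserting one extra digit anywhere in
    ip that still parse as valid IPv4.  Each one points at some other
    subscriber, and nothing in the string itself reveals the error."""
    variants = set()
    for pos in range(len(ip) + 1):
        for digit in "0123456789":
            candidate = ip[:pos] + digit + ip[pos:]
            if candidate != ip and is_valid_ipv4(candidate):
                variants.add(str(ipaddress.IPv4Address(candidate)))
    variants.discard(ip)
    return sorted(variants)


def make_request_token(ip: str, observed_utc: str, key: bytes) -> str:
    """Bind the address to the observation time and append a six-hex-digit
    HMAC-SHA256 check value (hypothetical format: ip|time|check).  With a
    key held by the requesting authority it detects both transcription
    errors and fabricated requests; with an empty key it degrades to a
    plain checksum that still catches copying slips."""
    canonical = f"{ipaddress.IPv4Address(ip)}|{observed_utc}"
    check = hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()[:6]
    return f"{canonical}|{check}"


def verify_request_token(token: str, key: bytes) -> bool:
    """Recompute the check value; any altered digit in the address or the
    time, or a token made without the key, fails."""
    parts = token.split("|")
    if len(parts) != 3 or not is_valid_ipv4(parts[0]):
        return False
    expected = make_request_token(parts[0], parts[1], key).rsplit("|", 1)[1]
    return hmac.compare_digest(expected, parts[2])


if __name__ == "__main__":
    original = "10.20.30.4"   # constructed address, not the one in the case
    variants = single_digit_insertions(original)
    print(f"{len(variants)} valid addresses one inserted digit away, e.g. "
          f"{variants[:4]}")
    key = b"requesting-authority-key"   # constructed
    token = make_request_token(original, "2011-07-01T09:15:00Z", key)
    print(token, verify_request_token(token, key))
    slipped = token.replace(original + "|", original + "1|", 1)
    print(slipped, verify_request_token(slipped, key))
```

The check value is only as good as the process around it: it has to be
computed where the address is first observed and carried, unmodified, to
the point where the ISP resolves it, so a re-typing step in between is
exactly what it catches.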


USAF had their own dataloss going on, recently... (ZDNet)

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 17 Mar 2017 12:13:55 PDT
ZDNet
http://www.zdnet.com/article/leaked-us-military-files-exposed/

NEW YORK—An unsecured backup drive has exposed thousands of US Air Force
documents, including highly sensitive personnel files on senior and
high-ranking officers.

Security researchers found that the gigabytes of files were accessible to
anyone because the Internet-connected backup drive was not password
protected.

The files, reviewed by ZDNet, contained a range of personal information,
such as names and addresses, ranks, and Social Security numbers of more than
4,000 officers. Another file lists the security clearance levels of hundreds
of other officers, some of whom possess "top secret" clearance, and access
to sensitive compartmented information and codeword-level clearance.

Phone numbers and contact information of staff and their spouses, as well as
other sensitive and private personal information, were found in several
other spreadsheets.


Govt. Cybersecurity Contractor Hit in W-2 Phishing Scam

Monty Solomon <monty@roscom.com>
Sun, 19 Mar 2017 11:42:01 -0400
https://krebsonsecurity.com/2017/03/govt-cybersecurity-contractor-hit-in-w-2-phishing-scam/

  On Thursday, March 16, the CEO of Defense Point Security, LLC—a
  Virginia company that bills itself as "the choice provider of cyber
  security services to the federal government"—told all employees that
  their W-2 tax data was handed directly to fraudsters after someone inside
  the company got caught in a phisher's net.

Also,

  More than 120,000 affected by W-2 Phishing scams this tax season
http://www.csoonline.com/article/3180684/security/more-than-120-000-affected-by-w-2-phishing-scams-this-tax-season.html


Expert: Apple may have deployed unauthorized patch by mistake

Monty Solomon <monty@roscom.com>
Sun, 19 Mar 2017 11:28:14 -0400
http://www.csoonline.com/article/3181488/data-center/expert-apple-may-have-deployed-unauthorized-patch-by-mistake.html


Re: Avast Cybercapture of personal files (Goas, RISKS-30.18)

Barry Gold <barrydgold@ca.rr.com>
Wed, 15 Mar 2017 16:40:01 -0700
Benoit Goas wrote:
> I just downloaded a set of (obviously personal) medical images from an
> imaging lab, which allows downloads only as executable zip file (their
> website runs only with silverlight, but that's not the main issue).

Goas's message highlights another problem: encapsulating images in
executable files.

I ran into this recently. I was rear-ended and sought treatment for the
resulting whiplash injury. I started with an orthopedist, who took x-rays
and found no skeletal problems. He prescribed chiropractic and/or physical
therapy, and gave me my images on a CD (or DVD).

I brought the DVD to a chiropractor's office, and they viewed the images --
by running an EXECUTABLE file on the CD/DVD.

Apparently there is no standardized format (or formats) for medical images,
so instead of just sending an image it is "normal" to send the image in an
executable that will display it—assuming that the recipient is running an
OS that can run that executable.

What happens if the recipient has a Mac instead of a PC/Windows? Or a Linux
system? Or some more esoteric OS?

But worse yet, the recipient is running an .exe file from an outside source.
Suppose my orthopedist's office has been infected by malware?  Then the
chiropractor's computer is now _also_ infected with that malware. Any
professional I see about this problem will want to see those images, and
will promptly be infected with the malware.

What a mess!
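[Added example, not part of Barry Gold's note: the check a recipient's IT
staff would want before anyone double-clicks on a disc from an outside
practice is an inventory of what on it is actually executable, judged by
file contents rather than by the extension the sender chose.  The
classifier below uses published magic numbers (MZ/PE, ELF, Mach-O, PNG,
JPEG, and the "DICM" marker at offset 128).  The sample disc it builds in
a temporary directory is constructed for the example, including a PE
executable stored under a .JPG name.]

```python
import os
import struct
import tempfile
from typing import Dict, List

# Minimal constructed PE image: DOS stub with the e_lfanew field (offset 0x3C)
# pointing at a "PE\0\0" signature at offset 0x40.  Enough for type detection.
_FAKE_PE = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 60
_FAKE_DICOM = b"\0" * 128 + b"DICM" + b"\x08\x00\x05\x00CS\x0a\x00ISO_IR 100"
_FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\0" * 16

# Constructed contents of the disc: relative path -> bytes.
SAMPLE_DISC: Dict[str, bytes] = {
    "README.TXT": b"Double-click VIEWER.EXE to see your images.\r\n",
    "VIEWER.EXE": _FAKE_PE,
    "IMAGES/SCAN001.DCM": _FAKE_DICOM,
    "IMAGES/THUMB.PNG": _FAKE_PNG,
    "IMAGES/PREVIEW.JPG": _FAKE_PE,   # executable hiding behind an image name
}


def classify(data: bytes) -> str:
    """Name the file type from its leading bytes, ignoring the filename."""
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            pe_off = struct.unpack_from("<I", data, 0x3C)[0]
            if data[pe_off:pe_off + 4] == b"PE\0\0":
                return "windows-pe-executable"
        return "dos-executable"
    if data[:4] == b"\x7fELF":
        return "elf-executable"
    if data[:4] in (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"):
        return "mach-o-executable"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png-image"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg-image"
    if data[128:132] == b"DICM":
        return "dicom-image"
    return "unknown"


def inventory(root: str) -> Dict[str, str]:
    """Walk a mounted disc and map each file (relative, '/'-separated) to
    its detected type, reading only the first 512 bytes of each."""
    found: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(512)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            found[rel] = classify(head)
    return found


def executables(found: Dict[str, str]) -> List[str]:
    """Paths whose contents are executable, whatever their extension."""
    return sorted(p for p, kind in found.items() if kind.endswith("-executable"))


def build_sample_disc(root: str) -> None:
    """Write the constructed sample files under root."""
    for rel, data in SAMPLE_DISC.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo() -> Dict[str, str]:
    """Build the sample disc in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_disc(root)
        return inventory(root)


if __name__ == "__main__":
    kinds = demo()
    for rel in sorted(kinds):
        print(f"{kinds[rel]:24s} {rel}")
    print("executable content:", executables(kinds))
```

On a real disc the executable list is what goes to the person deciding
whether to run anything; the image files themselves can be opened with a
viewer the recipient already trusts, without executing the sender's
program.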


Re: A warning from Bill Gates, Elon Musk, and Stephen Hawking (Flatau, R-30-18)

<lists@notatla.org.uk>
Thu, 16 Mar 2017 09:55:28 +0000
Assuming someone ahead of you has bought chicken during the shift of the
current cashier, that might not be the only reason to use self-checkout.

Food standards officials discovered that 40 per cent of packets of chicken
in a range of supermarkets, convenience stores and butchers were covered
with bacteria on the outside.

Of 20 packets of chicken studied, eight had food poisoning bacteria on their
wrapping ...

Shoppers are now being warned to wash their hands after handling chicken
cartons to combat the risk of catching the campylobacter ...

http://www.microbeworld.org/component/jlibrary/?view=article&id=5827


Re: A warning from Bill Gates, Elon Musk, and Stephen Hawking (Notatla, RISKS-30.19)

Arthur Flatau <flataua@acm.org>
Fri, 17 Mar 2017 09:55:42 -0500
No doubt this has little to do with computers.  This might actually be
another reason to use a human staffed checkout lane.  I have seen cashiers
in the store I most often buy groceries from clean the conveyor belt with
(what I assume is) some anti-bacterial spray.  I don't recall seeing that in
self-checkout lane.  Of course, bacteria from chicken are of little concern
at the home improvement stores.


Re: self-checkout at grocery stores (RISKS-30.18)

David Lamkin <drl@metanate.com>
Fri, 17 Mar 2017 08:10:10 +0000
If the store trusts its customers, as in the UK store Waitrose (admittedly a
well heeled lot given its margins), self checkout can be much more
convenient. They provide a scanner you use as you pick & 'checkout' becomes
payment only:

<https://www.waitrose.com/home/about_waitrose/quick_check.html>

Interestingly the availability of this excellent feature doesn't stop the
queues at the staffed or self service checkouts!

Metanate Limited. Station Court, Great Shelford, Cambridge CB22 5NE, UK
www.metanate.com (Consultancy) www.schemus.com (Data synchronisation)


Re: automation, restaurants, and industrial robots

Kelly Bert Manning <Kelly.Manning@ncf.ca>
Fri, 17 Mar 2017 21:50:37 -0400 (EDT)
The 2017 March 15 RISKS items about automation, fast-food service, and
dangerous industrial robots brought back a memory of "Intent to Deceive" by
Larry Niven. Note the title.

It is always interesting to hear from Dr. Leveson. My father started working
life in his early teens as an early 1940s whistle punk at a coastal BC
logging camp. Her high pressure steam analogy of the state of software
safety had a personal resonance for me. Steam punk has taken on a different
meaning these days.

https://books.google.ca/books?id=IBDAL13yLAUC&pg=PA34&dq=whistle+punk&hl=en&sa=X&ved=0ahUKEwistfKC9N7SAhVUVWMKHcj6AzcQ6AEIHDAA#v=onepage&q=whistle%20punk&f=false

http://www.obooksbooks.com/2015/3984_2.html#

  "And then I remember that he went into a fully automated kitchen, through
  a door that wasn't built for humans.  That kitchen machinery could handle
  full-sized sides of beef. Dreamer obviously wasn't a robot. What would the
  kitchen machinery take him for?"

Science Fiction writer Frederik Pohl also anticipated a number of potential
future risks when he was working as an advertising executive during the day
while writing science fiction during his spare time. With the move to
displays in cars and Internet connections we might have to be wary of
situations where advertisements could distract drivers in cars, although not
yet with our aircars.

https://books.google.ca/books?id=JCVbAAAAMAAJ&focus=searchwithinvolume&q=safety+cranks

  "They listened to the safety cranks and stopped us from projecting our
  messages on aircar windows--but we bounced back. ... soon we'll be testing
  a system that projects direct on the retina"

Science Fiction has a long history of portraying "Mad Men in Space".

http://www.sf-encyclopedia.com/entry/advertising

If you think this is far fetched consider why ad blockers are so popular,
and recall that at least one Internet home firewall maker decided to
interrupt browser sessions periodically by redirecting browsers to one of
their corporate web sites. Why worry about your network equipment being
hacked with corporations behaving like that?

Pohl's novel divides the population into two classes, executives and
everybody else. Other science fiction stories view automation as leading to
divisions such as taxpayers and citizens.

As Analog Magazine told us in 1990, Future Shock is the sense of
bewilderment felt by those who were not paying attention. (volume 110, page
67)


CRISPR assassinations (RISKS-30.17)

Gene Spafford <spaf@purdue.edu>
Wed, 15 Mar 2017 15:29:40 -0400
In 1982, Frank Herbert wrote The White Plague, a novel about how a person
creates a genetically-engineered disease that targets only women.  He
intends it to only affect Ireland, but of course it gets out and sweeps the
world.  The novel describes some of the consequences.  Although not as
compelling as Dune, Herbert manages to conjure up a believable set of
consequences of a species threatened with extinction.

I remember reading it and thinking it was implausible (at the time), but
that the difficulty in targeting a particular subset of the population is
likely to be a problem.  Given some of the genetic diversity and
distribution we don't fully understand, and the ability of many pathogens to
undergo change, any targeted microbe might well end up killing far more than
the attacker intends.

Bugs in the bug could well spell our doom.


Re: Science (Muller, RISKS-30.18)

"Wendy M. Grossman" <wendyg@pelicancrossing.net>
Thu, 16 Mar 2017 16:30:12 +0000
> What is really worrisome is that academics do not question these rules and
> apparently prefer a false sense of objectivity.

Time to revive the Underground Grammarian, who wrote a wonderful article
about the passive voice back in the 1980s.
