The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 27

Friday 5 May 2017

Contents

Bobby Tables and electoral fraud
Dave Horsfall
Using AI-Enhanced Malware, Researchers Disrupt Algorithms Used in Antimalware
Michael Kassner
Artificial Intelligence Prevails at Predicting Supreme Court Decisions
Matthew Hutson
Critical Level Firmware-level Security Vulnerability in Intel server chips
Bob Gezelter
"Cybercrime group abuses Windows app compatibility feature"
Lucian Constantin
Facebook and Google Were Victims of $100M Payment Scam
Fortune
Russian hackers use OAuth, fake Google apps to phish users
PC World
The Lost Picture Show: Hollywood Archivists Can't Outpace Obsolescence
IEEE Spectrum
FBI allays some critics with first use of new mass-hacking warrant
Ars Technica
Fitbit Disputes Woman's Claim That Her Flex 2 Tracker Exploded on Its Own
Fortune
The default sharing of you—a data privacy nightmare
Ageinplacetech
Senseless Government Rules Could Cripple the Robo-Car Revolution
Gabe Goldberg
Re: Autonomous vehicle...
Martin Ward
Re: Homographic URLs
John Levine
Re: Antivirus provider Webroot is causing trouble for customers
Amos Shapir
Re: Man gets fined for discovering a flaw
Amos Shapir
Re: For 18 years, she thought someone was stealing her identity.
Martin Ward
Amos Shapir
Re: Two-factor authentication
John Levine
"Lessons from a flight gone wrong"
Bart Perkins
Info on RISKS (comp.risks)

Bobby Tables and electoral fraud

Dave Horsfall <dave@horsfall.org>
Tue, 2 May 2017 12:10:50 +1000 (EST)
The RISKS of online voting are well-known, and need not be covered again;
well, not for a while anyway.  However, there could be a new threat, should
SQL be involved in the counting process.  As usual, it involves
SQL-injection, or the "Bobby Tables attack" (named after the famous XKCD
comic).  Although doubtless meant as a joke, the following URL should make
hairs stand up upon one's neck:

http://alicebobandmallory.com/articles/2010/09/23/did-little-bobby-tables-migrate-to-sweden

(Basically it injects a "DROP TABLE" command.)

There seem to be many such examples; another one is if you want to clear
your driving record of speeding tickets:

http://hackaday.com/2014/04/04/sql-injection-fools-speed-traps-and-clears-your-record/

(That one drops the entire database.)

It's all a joke right now, of course, but how long will it be before it
becomes for real?
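The two linked stories turn on the same defect the XKCD strip lampoons: untrusted text is spliced into a SQL string, so a quote and a semicolon let the attacker append a statement of their own. The following is an added example, not code from the post or from either linked article, using Python's standard sqlite3 module and a constructed vote-tally table; the hostile input string is constructed in the style of the strip. It runs the same input through a vulnerable path (string formatting plus executescript(), which runs every statement it is handed) and a hardened path (a bound parameter), and reports what each leaves behind.

```python
import sqlite3

# Constructed input in the style of the XKCD strip the post refers to: the
# quote closes the string literal, the parenthesis closes VALUES(...), the
# semicolon ends the INSERT, and "--" comments out whatever follows.
INJECTION = "Robert'); DROP TABLE votes; --"


def fresh_db():
    """In-memory tally table with two constructed candidates."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE votes (candidate TEXT NOT NULL)")
    conn.executemany("INSERT INTO votes (candidate) VALUES (?)",
                     [("Alice",), ("Bob",)])
    conn.commit()
    return conn


def record_vote_unsafe(conn, candidate):
    """Vulnerable form: the caller's text is spliced into the SQL, and
    executescript() runs every statement it finds in the string."""
    conn.executescript(
        f"INSERT INTO votes (candidate) VALUES ('{candidate}');")


def record_vote_safe(conn, candidate):
    """Hardened form: a bound parameter is always data, never SQL, and
    execute() only ever runs the single statement written by the author."""
    conn.execute("INSERT INTO votes (candidate) VALUES (?)", (candidate,))
    conn.commit()


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,)).fetchone()
    return row is not None


def candidates(conn):
    return [r[0] for r in conn.execute(
        "SELECT candidate FROM votes ORDER BY rowid")]


def demo():
    """Feed the same hostile input to both code paths.

    Returns (does the table survive the unsafe path?, rows after the safe path).
    """
    unsafe = fresh_db()
    record_vote_unsafe(unsafe, INJECTION)
    safe = fresh_db()
    record_vote_safe(safe, INJECTION)
    return table_exists(unsafe, "votes"), candidates(safe)


if __name__ == "__main__":
    survived, rows = demo()
    print("unsafe path: votes table still exists?", survived)
    print("safe path: stored rows:", rows)
```

On the unsafe path the table is gone; on the safe path the hostile string is simply stored as a (very odd) candidate name, which is the behaviour a vote-counting system should exhibit.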


Using AI-Enhanced Malware, Researchers Disrupt Algorithms Used in Antimalware (Michael Kassner)

"ACM TechNews" <technews-editor@acm.org>
Fri, 5 May 2017 12:18:36 -0400 (EDT)
Michael Kassner, TechRepublic, 4 May 2017, via ACM TechNews, 5 May 2017

Researchers at Peking University in China have found machine learning-based
malware-detection algorithms cannot be used in real-world applications if
they are easily bypassed by some adversarial techniques.  The Chinese team
reached this conclusion based on previous Google research demonstrating a
technique to bypass malware-detection algorithms using altered information
that maximized malware classification errors; this made it impossible for
the detection algorithm to spot malware.  The Peking University researchers
built on the Google study by proposing the use of a generative neural
network, called MalGAN, and altering the original samples to make input and
output adversarial examples.  The team trained a MalGAN generator to create
adversarial examples that were capable of deceiving malware detectors.
"Experimental results show that the generated adversarial examples are able
to effectively bypass the malware detector," note Peking University
researchers Weiwei Hu and Ying Tan.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-13797x211ba5x072646&


Artificial Intelligence Prevails at Predicting Supreme Court Decisions (Matthew Hutson)

"ACM TechNews" <technews-editor@acm.org>
Fri, 5 May 2017 12:18:36 -0400 (EDT)
Matthew Hutson, *Science*, 2 May 2017, via ACM TechNews, 5 May 2017

A new study led by the Illinois Institute of Technology suggests artificial
intelligence can outperform legal scholars in the prediction of U.S. Supreme
Court rulings.  The researchers built a general prediction algorithm based
on the Supreme Court Database, drawing on 16 elements of each justice's
vote, supplemented with other variables.  For every year from 1816 to 2015,
the team built a machine-learning "random forest" statistical model that
reviewed all prior years and uncovered associations between case elements
and decision outcomes.  The model then examined the features of each case
for that year to anticipate rulings, and was fed data about the rulings so
it could update its approach and move on to the next year.  The algorithm
correctly forecast 70.2 percent of the high court's decisions and 71.9
percent of the justices' votes, while an earlier study found even
knowledgeable legal scholars are only about 66 percent right in comparison.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-13797x211badx072646&

  [Whether this is statistically significant may be less important than
  whether the justices would trust the results.  If they did, then they
  might start using this AI analysis to resolve difficult cases where they
  were deadlocked 4-4-1!  PGN]


Critical Level Firmware-level Security Vulnerability in Intel server chips

"Bob Gezelter" <gezelter@rlgsc.com>
Tue, 02 May 2017 04:02:49 -0700
CVE-2017-5689, reports vulnerabilities in the implementation of remote
management features on Intel chips

Intel has reported a set of vulnerabilities in the remote management of its
business-grade processors (consumer-grade processors are reported not to be
affected). The vulnerabilities permit non-authorized access to Intel's
Active Management Technology, Intel Standard Manageability, or Intel Small
Business Technology.

The Intel chips contain a separate management processor with access to the
integrated Ethernet. Intel's advisory notes that AMT and ISM are exploitable
from the network; all three are vulnerable locally. The Register's article
notes that the remote management processor uses "network port 16992"
(unclear whether TCP or UDP; from context, probably TCP). Since this is a
feature of the management firmware, it is below all OS and VM-level
firewalls.

* From The Register:

  "In March 2017 a security researcher identified and reported to Intel a
  critical firmware vulnerability in business PCs and devices that utilize
  Intel Active Management Technology (AMT), Intel Standard Manageability
  (ISM), or Intel Small Business Technology (SBT)," an Intel spokesperson
  told The Register.

Intel is providing a signed firmware update by way of manufacturers.  The
Intel bulletin also includes interim mitigations.

The Intel warning is at:

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

An extensive article also appeared in The Register at:

http://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/

- Bob Gezelter, http://www.rlgsc.com


"Cybercrime group abuses Windows app compatibility feature" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Thu, 04 May 2017 17:35:45 -0700
Lucian Constantin, Computerworld, 4 May 2017
The FIN7/Carbanak gang deploys fake application compatibility patches
to inject malicious code into other processes
http://www.computerworld.com/article/3194587/security/cybercrime-group-abuses-windows-app-compatibility-feature.html

selected text:

When Microsoft made it possible for enterprises to quickly resolve
incompatibilities between their applications and new Windows versions, it
didn't intend to help malware authors as well. Yet, this feature is now
abused by cybercriminals for stealthy and persistent malware infections.

Security researchers from FireEye have recently seen the shim technique used
by a group of financially motivated cybercriminals known in the security
industry as FIN7 or Carbanak. Since 2015, this group has stolen between $500
million and $1 billion from hundreds of financial organizations worldwide.


Facebook and Google Were Victims of $100M Payment Scam (Fortune)

Monty Solomon <monty@roscom.com>
Wed, 3 May 2017 21:00:17 -0400
http://fortune.com/2017/04/27/facebook-google-rimasauskas/


Russian hackers use OAuth, fake Google apps to phish users

Monty Solomon <monty@roscom.com>
Wed, 3 May 2017 21:02:37 -0400
http://www.pcworld.com/article/3192484/security/russian-hackers-use-oauth-fake-google-apps-to-phish-users.html


The Lost Picture Show: Hollywood Archivists Can't Outpace Obsolescence (IEEE Spectrum)

Gabe Goldberg <gabe@gabegold.com>
Thu, 4 May 2017 17:10:46 -0400

Studios invested heavily in magnetic-tape storage for film archiving but now
struggle to keep up with the technology

Digital technology has also radically altered the way that movies are
preserved for posterity, but here the effect has been far less salutary.
These days, the major studios and film archives largely rely on a magnetic
tape storage technology known as LTO, or linear tape-open to preserve motion
pictures. When the format first emerged in the late 1990s, it seemed like a
great solution. The first generation of cartridges held an impressive 100
gigabytes of uncompressed data; the latest, LTO-7, can hold 6 terabytes
uncompressed and 15 TB compressed. Housed properly, the tapes can have a
shelf life of 30 to 50 years. While LTO is not as long-lived as polyester
film stock, which can last for a century or more in a cold, dry environment,
it's still pretty good.

The problem with LTO is obsolescence. Since the beginning, the technology
has been on a Moore's Law-like march that has resulted in a doubling in tape
storage densities every 18 to 24 months.  As each new generation of LTO
comes to market, an older generation of LTO becomes obsolete. LTO
manufacturers guarantee at most two generations of backward compatibility.
What that means for film archivists with perhaps tens of thousands of LTO
tapes on hand is that every few years they must invest millions of dollars
in the latest format of tapes and drives and then migrate all the data on
their older tapes—or risk losing access to the information altogether.

http://spectrum.ieee.org/computing/it/the-lost-picture-show-hollywood-archivists-cant-outpace-obsolescence
<http://www.baseline-data.com/Resources/Blog/ID/25/The-History-of-LTO>
<https://www.theregister.co.uk/2015/09/16/lto_has_15tb_gen_7_tape_format/>
<http://www.enterprisestorageforum.com/continuity/features/article.php/3933731/Tape-Migration-Its-Not-Your-Grandfathers-Tape-Migration-Anymore.htm>


FBI allays some critics with first use of new mass-hacking warrant (Ars Technica)

Monty Solomon <monty@roscom.com>
Sun, 30 Apr 2017 17:18:35 -0400
https://arstechnica.com/tech-policy/2017/04/fbi-allays-some-critics-with-first-use-of-new-mass-hacking-warrant/


Fitbit Disputes Woman's Claim That Her Flex 2 Tracker Exploded on Its Own (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Mon, 1 May 2017 19:10:51 -0400
http://fortune.com/2017/04/29/dina-mitchell-fitbit-flex-explosion/

The risk? Explosive trendy IoT devices?  Or old-fashioned scams?  Fortune
reports.  You decide.


The default sharing of you—a data privacy nightmare

Gabe Goldberg <gabe@gabegold.com>
Thu, 4 May 2017 17:04:00 -0400
*You go, business pro, and so goes your privacy.

*[Rant on] You loved your phone but one day a useful part of it breaks—a
sad day all around—amazingly right at the end of the 2-year contract with
a carrier
<http://www.city-data.com/forum/cell-phones-smartphones/1899178-need-phone-finish-out-2-year.html>.
We'll just call that a coincidence. Today that time period is referred to as
a payment plan [and one has the option of paying for the phone in full.] But
that is not the topic for today—nor is the topic about the default on
Chrome that can no longer be switched off which automatically plays
<https://www.nytimes.com/2017/03/20/technology/personaltech/stopping-video-autoplay-on-google-chrome.html?_r=0>
videos. Advertisers must and will find you. No, today's rant is about that
other torment, shall we say, the Tyranny of the Default
<https://pagefair.com/blog/2015/the-tyranny-of-the-default/>—which made
an unwelcome appearance, in every sense of the word, on my new phone. That
bit of psychology is what is built in to new versions of software—it is
both condescending and malevolent at the same time.

*How many apps are there in the out-of-box experience? *Well, we're talking
about the operating system of the device and every single application that
is installed on it.  And the list of applications is a default set --
shipping with the product.  Sometimes, as with Chrome, one might want to
reset to the defaults.
<http://www.thewindowsclub.com/reset-chrome-settings> For smartphone users
who use the average of 27
<http://www.businessinsider.com/average-number-of-apps-vs-time-spent-2016-5>
(yup, that's 27!!) apps, a new phone could present a bit of a challenge.
Easy—make the unneeded shortcuts disappear. More work—uninstall the
unwanted. More work, select (from some source) the wanted apps.  Maybe you
started out with 35 out of the iPhone box
<https://www.apple.com/iphone-7/specs/>, or maybe 50 pre-installed apps for
the new Galaxy S8 <https://support.t-mobile.com/docs/DOC-34273>.

*The problem: the defaults are all about sharing YOU. *Whether it is
Facebook <https://support.t-mobile.com/docs/DOC-34273> privacy rules and
disastrous live sharing
<https://www.nytimes.com/2017/04/17/technology/facebook-live-murder-broadcast.html>,
consider Google Hangouts
<http://www.androidcentral.com/what-you-need-know-about-new-google-hangouts-and-google-voice>
-- a charming multi-device app
<https://gsuiteupdates.googleblog.com/2017/02/google-hangouts-temporary-issues-with-firefox.html>,
right? But if you have a brand new Galaxy S8, the default for Hangouts is to
enable permissions to access the phone's Camera, Contacts, Location,
Microphone, Phone, SMS and Storage, each of which must individually have App
Permissions set to Off—because the defaults are set to On
<http://www.androidcentral.com/run-permissions-why-change-android-60-may-make-you-repeat-yourself>.
So let's say this phone sells between 25 million or more
<http://www.androidauthority.com/galaxy-s8-pre-orders-us-766770/>.  Let's
say that 42% of those buyers are 65+.
<http://www.pewinternet.org/fact-sheet/mobile/> Conservative guess is that
10 million seniors globally will buy this new phone. Examining the
permissions, setting the defaults to Off in individual apps
<http://www.androidcentral.com/run-permissions-why-change-android-60-may-make-you-repeat-yourself>,
like Hangouts -- only the determined (or crazy) will bother, no matter what
age—as okayed by Congress for ISPs in March
<http://www.pcworld.com/article/3185880/privacy/us-house-votes-to-undo-broadband-privacy-rules.html>.
But that vote was a meaningless discussion about closing the barn door after
powerful marketer inhabitants (like Google and Facebook) have long
departed. [Rant off]

https://www.ageinplacetech.com/blog/default-sharing-you-data-privacy-nightmare


Senseless Government Rules Could Cripple the Robo-Car Revolution

Gabe Goldberg <gabe@gabegold.com>
Tue, 2 May 2017 11:53:20 -0400
Few technological advancements bring to mind the American spirit of
innovation like Henry Ford and his Model T. In the wake of his
transportation innovation, the horse and buggy became an anachronism as the
mass-produced automobile reshaped our cities, led to the emergence (for
better or worse) of the suburbs, and revolutionized how we move goods and
people.

Now, there's little doubt that autonomous vehicles are the next frontier of
transportation. These vehicles are projected to make our roads safer,
potentially reducing fatalities by orders of magnitude. Along the way,
however, there are a number of roadblocks to surmount: infrastructure
issues, restrictive state licensing policies, driver education,
cybersecurity and privacy vulnerabilities, and more. For innovators,
regulators, and policymakers, solving these problems will involve a long
to-do list, but a pointless regulatory scuffle over technology standards
should not be on it.

So why is the federal agency responsible for our road safety looking to
introduce a totally avoidable roadblock to automotive innovation by
mandating a severely flawed technological standard for vehicle
communications?

Here's the debate: Autonomous vehicles of the future will need to
communicate with each other and the infrastructure around them, signaling to
avoid collisions and informing other cars about traffic and road
conditions. Cars will need to sense pedestrians and wildlife, and generally
become better drivers than we are. There are two leading contenders for how
this communication will happen: Dedicated Short Range Communications (DSRC)
and next-generation wireless 5G networks.

https://www.wired.com/2017/05/senseless-government-rules-cripple-robo-car-revolution/

The risk? Not answering the question the article poses: So why is the
federal agency responsible for our road safety looking to introduce a
totally avoidable roadblock to automotive innovation by mandating a severely
flawed technological standard for vehicle communications?


Re: Autonomous vehicle... (Shapir, RISKS-30.25)

Martin Ward <martin@gkc.org.uk>
Mon, 1 May 2017 10:36:13 +0100
I would hope that an autonomous vehicle would act more like an intelligent
driver than a really stupid driver.

An autonomous vehicle should detect the fact that it is approaching a
junction, check the visibility of the other roads into the junction and
approach at a safe speed given the visibility and seen and potential unseen
traffic.

The autonomous vehicle should also detect the road markings that are usually
present along with a stop sign.

An autonomous vehicle that dangerously "blows through" a junction because it
did not detect the stop sign is dangerous in many other situations: a blind
junction without a stop sign, a junction with the road markings but no stop
sign, a junction where the stop sign has fallen down or been obscured by a
tree, and so on.


Re: Homographic URLs (PGN)

"John Levine" <johnl@iecc.com>
1 May 2017 15:25:39 -0000
This is a fairly difficult problem.  For example, "apple" is in fact five
Cyrillic characters that happen to look like Latin characters.  TLDs forbade
mixed-script names a long time ago, but it's going to be a challenge to
identify strings entirely written in one script that happen to look like
other strings entirely written in another unrelated script and somehow
outlaw one or the other.

As far as I know, only Cyrillic and Latin have this problem, but I don't
claim to be a linguist.
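Levine's two observations, that registries already reject mixed-script labels and that an all-Cyrillic label can still spell "apple" to the eye, are both mechanically checkable on the defender's side (in a mail gateway, proxy log review, or browser extension). The following is an added example, not code from Levine's post; it uses only the Python standard library. Script is derived from each character's Unicode name, and the table of Cyrillic letters that resemble Latin ones is a constructed, deliberately partial stand-in for the Unicode confusables data a production filter would use. The Cyrillic "apple" and the other hostnames are constructed inputs.

```python
import codecs
import unicodedata

# Constructed, partial table of Cyrillic letters whose glyphs resemble Latin
# letters in common fonts. A real filter would load the Unicode confusables
# data; this is only enough for the demonstration.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a",  # а
    "\u0435": "e",  # е
    "\u043e": "o",  # о
    "\u0440": "p",  # р
    "\u0441": "c",  # с
    "\u0443": "y",  # у
    "\u0445": "x",  # х
    "\u0456": "i",  # і
    "\u0458": "j",  # ј
    "\u0455": "s",  # ѕ
    "\u04bb": "h",  # һ
    "\u04cf": "l",  # ӏ (palochka)
}

SCRIPTS = {"LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC"}


def script_of(ch):
    """Coarse script name taken from the first word of the Unicode name."""
    if ch.isascii() and not ch.isalpha():
        return "COMMON"          # digits and '-' may accompany any script
    first = unicodedata.name(ch, "").split(" ", 1)[0]
    return first if first in SCRIPTS else "OTHER"


def analyze_label(label):
    """Classify one DNS label: mixed-script, whole-script confusable, or clean."""
    scripts = {script_of(c) for c in label} - {"COMMON"}
    reason = None
    lookalike = None
    if len(scripts) > 1:
        reason = "mixed-script"
    elif scripts == {"CYRILLIC"} and all(
            c in CYRILLIC_LOOKALIKES for c in label if c.isalpha()):
        # Every letter has a Latin twin: the label reads as a Latin word.
        lookalike = "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in label)
        reason = "whole-script confusable with Latin"
    # The ACE form is what actually goes on the wire and into DNS logs.
    ace = label if label.isascii() else \
        "xn--" + codecs.encode(label, "punycode").decode("ascii")
    return {"label": label, "ace": ace, "scripts": sorted(scripts),
            "lookalike": lookalike, "suspicious": reason}


def analyze_hostname(host):
    return [analyze_label(part) for part in host.lower().split(".")]


if __name__ == "__main__":
    for host in ("apple.com",
                 "\u0430\u0440\u0440\u04cf\u0435.com",   # all-Cyrillic "apple"
                 "p\u0430ypal.com",                      # one Cyrillic а
                 "\u043c\u0438\u0440.\u0440\u0444"):     # ordinary Cyrillic
        for r in analyze_hostname(host):
            print(r)
```

The last hostname shows the distinction Levine draws: a label that is entirely Cyrillic but contains letters with no Latin twin is not flagged, whereas the all-Cyrillic "apple" is caught by the whole-script check that a mixed-script rule alone would miss.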


Re: Antivirus provider Webroot is causing trouble for customers (RISKS-30.26)

Amos Shapir <amos083@gmail.com>
Mon, 1 May 2017 14:46:37 +0300
This reminds me of an anti-virus application that ran on early Windows
systems.  When Windows 95 was introduced, it came up with the message "Your
computer is infected with Windows 95", and offered to remove it.

  [Sounded like a good idea at the time.  Now there are more recent versions
  that Microsoft might like to remove, such as all the unpatched zombie
  systems in China.  PGN]


Re: Man gets fined for discovering a flaw (RISKS-30.26)

Amos Shapir <amos083@gmail.com>
Mon, 1 May 2017 14:40:53 +0300
I'm a software engineer working in Israel, where this activity does not
require licensing.  I have presented myself as such, and discussed software
engineering matters on previous RISKS issues.

Since the RISKS list may be read in Oregon too, I hereby request all
citizens of Oregon to remove my articles from any RISKS issues that they may
have stored within the State of Oregon, or else I might also be fined by the
Oregon State Board of Examiners for Engineering and Land Surveying for
practicing engineering without license.

  [Amos, Might you ever move to Oregon?  PGN]


Re: For 18 years, she thought someone was stealing her identity.

Martin Ward <martin@gkc.org.uk>
Mon, 1 May 2017 10:16:35 +0100
Perhaps the US Government could set up some kind of national registry where
every citizen and resident could be issued with a unique number. They could
call it a "social security number".

Then, all you have to do is persuade the cops to check this number.

According to the "birthday problem" you only need 23 "John Smiths"
for there to be a >50% probability that two share the same birthday.
According to whitepages.com there are 1,791 John Smiths in New York.

  [Sarcasm does not overcome the problem.  We have had cases in RISKS where
  two people with the same birthdate and name actually had the same SSN,
  unbeknownst to each other.  There are cases where many people (e.g.,
  migrant fruit pickers?) shared a single SSN (for the convenience of their
  employer?).  And then there are people with multiple identities and
  multiple SSNs (for nefarious purposes?).  PGN]
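Ward's birthday-problem figure, and the scale of the 1,791 John Smiths he cites, can be worked through exactly rather than quoted. The following is an added example, not part of Ward's post or PGN's reply, using only the Python standard library: it computes the collision probability for a group of n people, finds the smallest group that crosses a given threshold, and gives the expected number of same-birthday pairs for a larger population, which is the quantity that matters when a record system keys on name plus date of birth.

```python
from math import comb


def p_shared_birthday(n, days=365):
    """Probability that at least two of n people share one of `days` dates.

    1 - P(all n dates distinct). Once n exceeds `days` a factor of the
    product is zero, so the result is exactly 1 (pigeonhole principle).
    """
    p_distinct = 1.0
    for k in range(n):
        p_distinct *= (days - k) / days
    return 1.0 - p_distinct


def min_group_for(threshold, days=365):
    """Smallest n whose collision probability exceeds `threshold`."""
    n = 1
    while p_shared_birthday(n, days) <= threshold:
        n += 1
    return n


def expected_colliding_pairs(n, days=365):
    """Expected number of pairs sharing a date: C(n, 2) pairs, each with
    probability 1/days. Linearity of expectation; independence not needed."""
    return comb(n, 2) / days


if __name__ == "__main__":
    print("P(shared birthday among 23):", round(p_shared_birthday(23), 4))
    print("smallest group with P > 0.5:", min_group_for(0.5))
    # The post cites 1,791 John Smiths listed for New York.
    print("P(shared among 1,791):", p_shared_birthday(1791))
    print("expected same-birthday pairs among 1,791:",
          round(expected_colliding_pairs(1791), 1))
```

For 23 people the probability is just over one half, matching the post; for 1,791 people a collision is certain, and on average several thousand pairs of them share a birthday, so "same name, same date of birth" is not a usable identity key at that scale.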


Re: For 18 years, she thought someone was stealing her identity

Amos Shapir <amos083@gmail.com>
Mon, 1 May 2017 15:03:51 +0300
It seems that the team that designed the DMV's system did not include a
Catholic or Anglican person.  Many churches keep a calendar of saints, where
each day of the year commemorates a certain saint; newborn babies are often
given the name of the saint on whose day they were born.

This custom greatly increases the odds that people born on the same date
would also have the same first name, especially if that name is rare.

  [I suspect there are indeed even folks named Scholastica (10 Feb),
  Turibius (23 Mar), and Dung Lac (24 Nov).  PGN]


Re: Two-factor authentication (Maziuk)

"John Levine" <johnl@iecc.com>
1 May 2017 15:25:23 -0000
It's in the nature of two factor authentication that if you lose the second
factor, or it breaks, you're out of luck.  One time I unwisely clicked a
link on my mobile carrier's web site, and changed my phone number.  All the
2FA tied to my old number stopped working even though it was the same phone.
Oops.

Another time I lost my phone, and even though the new phone had the same
number, I lost the settings my bank uses to generate 2FA codes in their app,
and the TOTP seeds in the Google Authenticator app.  Oops.  (For the latter,
when I reset the accounts I scanned the seeds both on my phone and on my
tablet, hoping not to lose them both at once.)

I've also had the battery die in keyfob code generators.  Oops.

2FA is a useful defense against some kinds of password stealing attacks, but
it definitely has its own failure modes.

  > (I can actually call the 1-800 number via skype as I have WiFi but if
  > skype for mobile has a "dial a number" option I'm unable to find it.

  In the Skype app, tap the handset icon at the upper right; the plus
  sign at the bottom should turn into a keypad icon.  Tap that.
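Levine's two failure modes (codes tied to a phone number, and TOTP seeds that live only on one handset) follow directly from how TOTP works: the code is a function of a shared secret and the clock, and nothing else. The following is an added example, not code from Levine's post or from any authenticator product, implementing RFC 4226 HOTP and RFC 6238 TOTP with the Python standard library and checking them against the RFC 6238 test vectors. The AuthenticatorDevice class and the two-device enrolment are constructed stand-ins for what the post describes: scanning the same enrolment seed on a phone and a tablet, versus a replacement phone that never had the seed.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def provision_seed(nbytes: int = 20) -> str:
    """What the enrolment QR code carries: a fresh random seed, base32-encoded."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


class AuthenticatorDevice:
    """Constructed stand-in for an authenticator app. The decoded seed is the
    only state that matters; lose the device without a copy and it is gone."""

    def __init__(self):
        self.seeds = {}

    def scan(self, account: str, b32_seed: str):
        self.seeds[account] = base64.b32decode(b32_seed)

    def code(self, account: str, unix_time: int) -> str:
        return totp(self.seeds[account], unix_time)


def two_device_enrolment(unix_time: int):
    """Scan one seed on a phone and a tablet, as the post describes, and
    compare with a replacement phone that was enrolled with a new seed.

    Returns (phone code, tablet code, replacement-phone code).
    """
    seed = provision_seed()
    phone, tablet = AuthenticatorDevice(), AuthenticatorDevice()
    phone.scan("bank", seed)
    tablet.scan("bank", seed)
    replacement = AuthenticatorDevice()
    replacement.scan("bank", provision_seed())   # old seed was never backed up
    return (phone.code("bank", unix_time),
            tablet.code("bank", unix_time),
            replacement.code("bank", unix_time))


if __name__ == "__main__":
    # RFC 6238 Appendix B test vector (SHA-1, 8 digits, T = 59).
    print(totp(b"12345678901234567890", 59, digits=8))   # expected 94287082
    print(two_device_enrolment(1_500_000_000))
```

The phone and tablet always agree because they hold the same seed; the replacement phone's code is unrelated, which is exactly the lockout the post describes. The same property is why the seed (or the QR code) must be stored as carefully as a password: anyone holding it can produce the codes too.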


"Lessons from a flight gone wrong" (Bart Perkins)

Gene Wirchenko <genew@telus.net>
Wed, 03 May 2017 11:00:12 -0700
  [Yet another reminder that the world is rather connected these days!]

Bart Perkins, Computerworld, 2 May 2017
United Airlines' mishandling of Flight 3411
provides powerful lessons on how to avoid creating a crisis
http://www.computerworld.com/article/3193764/it-management/lessons-from-a-flight-gone-wrong.html

opening text:

It's the stuff corporate nightmares are made of.  The video of Dr. David Dao
being dragged off United Express Flight 3411 on April 9, 2017, his face
bloodied, quickly went viral. People (read: potential customers) questioned
why a passenger who was already seated and held a proper boarding pass would
be forcibly removed to make space for an airline employee.

Social media feeds were swamped with bitter commentary.  Ad parodies
included taglines such as "We beat our competitors—not our
customers" and "The only things we pull out of the plane are your two free
checked bags." Jimmy Kimmel, Ellen DeGeneres and other entertainers had a
field day.  Down the road, the incident is likely to become a business
school case study about how to turn a routine situation into a crisis.

That's because what happened over the next few days amounted to a textbook
case of how not to handle a public-relations disaster.
