The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 33

Wednesday 14 June 2017

Contents

Russian cyberhacks on the U.S. electoral system far wider than previously known
Michael Riley on Bloomberg
"Supreme Court to look at mobile privacy. Uh-oh."
Evan Schuman
Microsoft warns of 'destructive cyberattacks', issues new Windows XP patches
ZDNet
Four Ways Your Location Is Being Tracked Everywhere You Go
MakeUseOf
Hackers Hijacking Verified Accounts to Spread Fake News
Gizmodo
Algo stock trading on "fake news"?
John Carney via Henry Baker
WSJ ends Google users' free ride, then falls 44% in search results
Columbian
Turks Click Away, but Wikipedia Is Gone
The New York Times
The tech world is rallying around a young developer who made a huge embarrassing mistake
QZ
Healthcare ransomware and how we can climb out of this mess
Kevin Fu
Re: Software is forever
Arthur T.
Precise Documentation
David Parnas via PGN
Info on RISKS (comp.risks)

Russian cyberhacks on the U.S. electoral system far wider than previously known (Michael Riley on Bloomberg)

Peter G. Neumann <neumann@csl.sri.com>
Tue, 13 Jun 2017 15:05:02 -0700
https://www.bloomberg.com/news/articles/2017-06-13/russian-breach-of-39-states-threatens-future-u-s-elections

Russia's cyberattack on the U.S. electoral system before Donald Trump's
election was far more widespread than has been publicly revealed, including
incursions into voter databases and software systems in almost twice as many
states as previously reported.

In Illinois, investigators found evidence that cyber intruders tried to
delete or alter voter data. The hackers accessed software designed to be
used by poll workers on Election Day, and in at least one state accessed a
campaign finance database. Details of the wave of attacks, in the summer and
fall of 2016, were provided by three people with direct knowledge of the
U.S. investigation into the matter. In all, the Russian hackers hit systems
in a total of 39 states, one of them said.

The scope and sophistication so concerned Obama administration officials
that they took an unprecedented step—complaining directly to Moscow over
a modern-day red phone.  In October, two of the people said, the White House
contacted the Kremlin on the back channel to offer detailed documents of
what it said was Russia's role in election meddling and to warn that the
attacks risked setting off a broader conflict.

Unwinding the Twists, Turns in Trump-Russia Probe: QuickTake Q&A
<https://www.bloomberg.com/politics/articles/2017-05-09/unwinding-the-twists-turns-in-trump-russia-probe-quicktake-q-a>

The new details, buttressed by a classified National Security Agency
document recently disclosed by the Intercept, show the scope of alleged
hacking that federal investigators are scrutinizing as they look into
whether Trump campaign officials may have colluded in the efforts. But they
also paint a worrisome picture for future elections: The newest portrayal of
potentially deep vulnerabilities in the U.S.'s patchwork of voting
technologies comes less than a week after former FBI Director James Comey
warned Congress that Moscow isn't done meddling.  “They're coming after
America.  They will be back.”

Kremlin Denials

Russian officials have publicly denied any role in cyberattacks connected to
the U.S. elections, including a massive spear-phishing effort that
compromised Hillary Clinton's campaign and the Democratic National
Committee, among hundreds of other groups. President Vladimir Putin said in
recent comments to reporters that criminals inside the country could have
been involved without having been sanctioned by the Russian government.
[...]

  [Truncated for RISKS.  PGN]


"Supreme Court to look at mobile privacy. Uh-oh." (Evan Schuman)

Gene Wirchenko <genew@telus.net>
Tue, 13 Jun 2017 10:36:07 -0700
Evan Schuman, Computerworld, 13 Jun 2017
A criminal-case ruling favoring law enforcement would have implications for
companies facing civil complaints
http://www.computerworld.com/article/3200199/mobile-wireless/supreme-court-to-look-at-mobile-privacy-uh-oh.html

opening text:

Does the prospect of your company's worst enemies getting access to full
tracking information on your employees' mobile phones freak you out? If so,
you'll want to track something yourself: a case the U.S.  Supreme Court just
agreed to consider.

Although the case involves criminal law and the question of whether police
need a court-issued search warrant for intimate mobile records, one former
federal prosecutor points out that the Court's ruling could open the door to
civil discovery and subpoena access. In other words, the ruling could make
such mobile data available to anyone who chooses to sue your company, for
any reason, whether the claim is legitimate or not.


Microsoft warns of 'destructive cyberattacks', issues new Windows XP patches (ZDNet)

Lauren Weinstein <lauren@vortex.com>
Tue, 13 Jun 2017 11:03:12 -0700
via NNSquad
http://www.zdnet.com/article/microsoft-warns-of-destructive-cyberattacks-issues-new-windows-xp-patches/

  Citing an "elevated risk for destructive cyberattacks," Microsoft today
  released an assortment of security updates designed to block attacks
  similar to those responsible for the devastating WannaCry/WannaCrypt
  ransomware outbreak last month.  Today's critical security updates are in
  addition to the normal Patch Tuesday releases, Microsoft said.  They'll be
  delivered automatically through Windows Update to devices running
  supported versions, including Windows 10, Windows 8.1, Windows 7, and
  post-2008 Windows Server releases.  But in an unprecedented move,
  Microsoft announced that it was also making the patches available
  simultaneously for manual download and installation on unsupported
  versions, including Windows XP and Windows Server 2003.  Both of those
  operating systems are still deployed by significant numbers of business
  customers years after their official support lifecycles ended.


Four Ways Your Location Is Being Tracked Everywhere You Go

Gabe Goldberg <gabe@gabegold.com>
Tue, 13 Jun 2017 19:06:11 -0400
These days, it's common knowledge that your phone and computer are tracking
your location. Most people don't appear to care. They think the benefits of
location tracking outweigh the security and privacy implications.

You can make the argument they're right. Services such as Cortana and Google
Search are not as powerful if they can't monitor your movements.  However,
you might be less aware of other ways some companies are tracking your
location. Often, they use underhand tactics and collate information without
you knowing. They are tracking you purely for self-interest.

Here are a few ways you probably don't realize your whereabouts are being
tracked.

http://www.makeuseof.com/tag/location-tracking/


Hackers Hijacking Verified Accounts to Spread Fake News (Gizmodo)

Lauren Weinstein <lauren@vortex.com>
Sun, 11 Jun 2017 10:13:45 -0700
NNSquad
http://gizmodo.com/hackers-hijacking-verified-accounts-to-spread-fake-news-1795997941
https://www.accessnow.org/doubleswitch-attack/

  Security research group Access Now has discovered a clever attack being
  used against influential social media users as a means of disseminating
  fake news. The "Doubleswitch" not only involves hijacking verified
  accounts but makes it extremely difficult for the legitimate owner to
  regain control of their handle.


Algo stock trading on "fake news"?

Henry Baker <hbaker1@pipeline.com>
Wed, 14 Jun 2017 07:12:38 -0700
Lemme see.

Computer algorithms read company SEC reports, company press releases, etc.,
and automatically generate "human"-readable news stories.  Other computer
algorithms read company SEC reports, twitter feeds, company press releases,
and "human-readable" news stories and—before any human interaction—
near-instantaneously execute trades on various exchanges as a result.  If
some news story really is "news"—i.e., it contains new information that
could affect the price of one or more stocks—then whichever algorithmic
trader can process it fastest and place trades earliest can reap enormous
rewards.

What could possibly go wrong?

"A lie can travel halfway round the world while the truth is putting on its
shoes."—attributed to Mark Twain

"Buy the rumor, sell the news"

If someone can manufacture a fake news story and get it onto some social
media—e.g., Twitter—these "AI" traders will have traded tens of
millions of dollars worth of stock on this fake information during the
milliseconds, seconds, minutes or hours it will take for the truth to catch
up.

What are the chances that this sort of thing is going on right now?  What
are the chances that some measurable fraction of the trading volume is
generated in this manner?

To cheat is human; to commit major fraud requires a fast computer.  --
apologies to Bill Vaughan

http://www.cnbc.com/2017/06/13/death-of-the-human-investor-just-10-percent-of-trading-is-regular-stock-picking-jpmorgan-estimates.html

Just 10% of trading is regular stock picking, JPMorgan estimates

'Quantitative investing based on computer formulas and trading by machines
directly are leaving the traditional stock picker in the dust and now
dominating the equity markets, according to a new report from JPMorgan.'

'Kolanovic [global head of quantitative and derivatives research at
JPMorgan] estimates "fundamental discretionary traders" account for only
about 10 percent of trading volume in stocks.  Passive and quantitative
investing accounts for about 60 percent, more than double the share a decade
ago, he said.'

'A subset of quantitative trading known as high-frequency trading accounted
for 52 percent of May's average daily trading volume of about 6.73 billion
shares, Tabb said.  During the peak levels of high-frequency trading in
2009, about 61 percent of 9.8 billion of average daily shares traded were
executed by high-frequency traders.'

John Carney, CNBC, 23 Apr 2013
The Trading Robots Really Are Reading Twitter
http://www.cnbc.com/id/100666302

Let's call it the Twitter Skitter.

When the market briefly skidded after a hacked AP Twitter account reported
explosions at the White House, we saw the first real-time demonstration of
robo-trading riding on the back of social media.

The plunge in the market was so quick that it obviously was not the result
of individuals reading the phony news and deciding what action to take.
Computers were making the trades—or, more precisely, ending the trades. ...

The Twitter data stream has been available to high frequency traders since
at least 2009.

https://en.wikipedia.org/wiki/Algorithmic_trading

'"Computers are now being used to generate news stories about company
earnings results or economic statistics as they are released. And this
almost instantaneous information forms a direct feed into other computers
which trade on the news."'

'"Increasingly, people are looking at all forms of news and building their
own indicators around it in a semi-structured way," as they constantly seek
out new trading advantages said Rob Passarella, global director of strategy
at Dow Jones Enterprise Media Group.  His firm provides both a low latency
news feed and news analytics for traders.  Passarella also pointed to new
academic research being conducted on the degree to which frequent Google
searches on various stocks can serve as trading indicators, the potential
impact of various phrases and words that may appear in Securities and
Exchange Commission statements and the latest wave of online communities
devoted to stock trading topics.'


WSJ ends Google users' free ride, then falls 44% in search results (Columbian)

Lauren Weinstein <lauren@vortex.com>
Wed, 14 Jun 2017 09:53:38 -0700
http://www.columbian.com/news/2017/jun/11/wsj-ends-google-users-free-ride-then-falls-44-in-search-results/
  After blocking Google users from reading free articles in February, the
  Wall Street Journal's subscription business soared, with a fourfold
  increase in the rate of visitors converting into paying customers. But
  there was a trade-off: Traffic from Google plummeted 44 percent.  The
  reason: Google search results are based on an algorithm that scans the
  Internet for free content. After the Journal's free articles went behind a
  paywall, Google's bot only saw the first few paragraphs and started
  ranking them lower, limiting the Journal's viewership.  Executives at the
  Journal, owned by Rupert Murdoch's News Corp., argue that Google's policy
  is unfairly punishing them for trying to attract more digital
  subscribers. They want Google to treat their articles equally in search
  rankings, despite being behind a paywall.

The ranking change is exactly what should have happened. A paywalled
article is less useful to the average Google search user than a free
article, so it's completely reasonable that this differential is
reflected in search results rankings. Sorry, WSJ, I'm playing the
world's tiniest violin for you.


Turks Click Away, but Wikipedia Is Gone (The New York Times)

Lauren Weinstein <lauren@vortex.com>
Sat, 10 Jun 2017 16:50:24 -0700
NNSquad
https://www.nytimes.com/2017/06/10/world/europe/turkey-wikipedia-ban-recep-tayyip-erdogan.html?partner=rss&emc=rss

  But beyond the problems it has created for the curious, Turkey's Wikipedia
  ban is a reminder of something darker, government critics say: a wholesale
  crackdown on free expression and access to information, amid wider
  oppression of most forms of opposition.  Wikipedia is just one of 127,000
  websites blocked in Turkey, estimated Professor Akdeniz, who has led legal
  challenges against the Wikipedia ban and other web restrictions. An
  additional 95,000 pages, like social media accounts, blog posts and
  articles, are blocked on websites that are not otherwise restricted,
  Mr. Akdeniz said.  Some of these sites are pornographic. But many contain
  information and reporting that the government finds embarrassing. Sendika,
  an independent news outlet, is now on the 45th iteration of its website.
  The previous 44 were blocked.


The tech world is rallying around a young developer who made a huge embarrassing mistake

Gabe Goldberg <gabe@gabegold.com>
Sun, 11 Jun 2017 12:29:15 -0400
“How screwed am I?” asked a recent user on Reddit, before sharing a
mortifying story.  On the first day as a junior software developer at a
first salaried job out of college, his or her copy-and-paste error
inadvertently erased all data from the company's production database.

https://qz.com/999495/the-tech-world-is-rallying-around-a-young-developer-who-made-a-huge-embarrassing-mistake/

  [Even more embarrassing for the company if there were no backups!  PGN]


Healthcare ransomware and how we can climb out of this mess

Kevin Fu <kevinfu@umich.edu>
Mon, 12 Jun 2017 15:39:52 -0400
Prof. Thimbleby and I shared our thoughts on how hospitals can climb out of
the ransomware mess.  Ransomware is just a symptom. Resolve the key root
causes within the healthcare delivery supply chain: manufacturing,
procurement, regulation, training, and governance.

http://www.healthcareitnews.com/blog/ransomware%E2%80%A8-how-we-can-climb-out-mess

Kevin Fu, Associate Professor, EECS Department, The University of Michigan
kevinfu@umich.edu     web.eecs.umich.edu/~kevinfu/     Twitter @DrKevinFu


Re: Software is forever (Paul Edwards, Risks 30.32)

"Arthur T." <Risks201706.10.atsjbt@xoxy.net>
Sun, 11 Jun 2017 01:34:21 -0400
> It's scary how many applications will not work on anything more modern
> than Windows XP, or rely on appallingly out-of-date and deprecated
> versions of Java.

The problem is not the application software.

There are programs written, compiled, and linked in the 1960s which can
still be run on the most modern of IBM's mainframes with the most current
operating system and program products installed.

The problem is that, unlike IBM mainframes, operating systems and important
products for PCs are not upwards compatible. This problem is not limited to
Windows. I find the fact that some programs required "appallingly
out-of-date" versions of Java to be a condemnation of current versions of
Java.


Precise Documentation (David Parnas)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 12 Jun 2017 10:57:26 PDT
  [Dave Parnas has long been an advocate of better software.  This article
  makes a strong case for the role of precise documentation in trying to
  attain better software.  I consider this mandatory reading for designers
  and implementers.  PGN]

  David L. Parnas, Precise Documentation: The Key to Better Software, in
  *The Future of Software Engineering*, S. Nanz, (ed), Springer Berlin
  Heidelberg, 2010, pp. 125--148,
    DOI: 10.1007/978-3-642-15187-3_8
    ISBN 978-3-642-15186-6 (Print)
    ISBN 978-3-642-15187-3 (Online)

Abstract.  The prime cause of the sorry `state of the art' in software
development is our failure to produce good design documentation.  Poor
documentation is the cause of many errors and reduces efficiency in every
phase of a software product's development and use.  Most software developers
believe that `documentation' refers to a collection of wordy, unstructured,
introductory descriptions, thousands of pages that nobody wanted to write
and nobody trusts.  In contrast, engineers in more traditional disciplines
think of precise blueprints, circuit diagrams, and mathematical
specifications of component properties.  Software developers do not know how
to produce precise documents for software.  Software developers also think
that documentation is something written after the software has been
developed.  In other fields of engineering much of the documentation is
written before and during the development.  It represents forethought not
afterthought.  Among the benefits of better documentation would be: easier
reuse of old designs, better communication about requirements, more useful
design reviews, easier integration of separately written modules, more
effective code inspection, more effective testing, and more efficient
corrections and improvements.  This paper explains how to produce and use
precise software documentation and illustrates the methods with several
examples.

Here's another useful reference as well:

  Carl Landwehr, J. Ludewig, R. Meersman, D.L. Parnas, P. Shoval, Y. Wand,
  D. Weiss, and E. Weyuker, Software Systems Engineering programmes: a
  capability approach, in Journal of Systems and Software, Vol. 125, March
  2017, pp. 354--364, Article: JSS9898.
    DOI: 10.1016/j.jss.2016.12.016
