The RISKS Digest
Volume 30 Issue 45

Tuesday, 5th September 2017

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

West Air CRJ accident involved two different causes
PGN
Kaspersky: The Cyber Insecurity Company
Jeanne Shaheen
Russian Election Hacking Efforts, Wider Than Previously Known, Draw Little Scrutiny
Nicole Perlroth et al.
How Russian & Alt-Right Twitter Accounts Worked Together to Skew the Narrative About Berkeley
Caroline O.
Ice-cold Kaspersky shows the industry how to handle patent trolls
The Register
Open-source voting in San Francisco?
Dominic Fracassa
Millions of Time Warner Cable Customer Records Exposed in Third-Party Data Leak
Gizmodo
Internet Censorship Bill Would Spell Disaster for Speech and Innovation
EFF
Hacking Retail Gift Cards Remains Scarily Easy
WiReD
Radio Hacker Interrupts Police Chase in Australia
Bleeping Computer
US government: We can jail you indefinitely for not decrypting your data
The Register
Risks of biometrics: man with no arms refused by bank demanding fingerprints
NBC News
Re: Wisconsin Company to Implant Microchips In Employees
Richard A. O'Keefe
Re: Microchipping employees
John Levine
Re: Cracked screen => cracked security?
Richard Bos
Re: Is LIBOR, Benchmark for Trillions of Dollars in Transactions, a Lie?
Michael Bacon
Password: hint: birthday
Dan Jacobson
Info on RISKS (comp.risks)

West Air CRJ accident involved two different causes

"Peter G. Neumann" <neu...@csl.sri.com>
Sat, 2 Sep 2017 9:59:46 PDT
https://fearoflanding.com/accidents/accident-reports/when-both-your-mind-and-your-instruments-are-lying/


Kaspersky: The Cyber Insecurity Company (Jeanne Shaheen)

"Peter G. Neumann" <neu...@csl.sri.com>
Tue, 5 Sep 2017 8:04:59 PDT
Jeanne Shaheen (U.S. Senator from New Hampshire (Dem))
Kaspersky Lab is too close to the Kremlin to trust its software
Op-Ed in today's issue of *The New York Times*
https://www.nytimes.com/2017/09/04/opinion/kapersky-russia-cybersecurity.html

  Kaspersky Lab, the cybersecurity company, is close to Putin's government.
  So why is the U.S. government using its software?

[This op-ed is a rather comprehensive warning.
See previous related items in RISKS-30.10, 30.34, 30.37.  PGN]


Russian Election Hacking Efforts, Wider Than Previously Known, Draw Little Scrutiny (Nicole Perlroth et al.)

"Peter G. Neumann" <neu...@csl.sri.com>
Fri, 1 Sep 2017 21:00:05 PDT
Nicole Perlroth, Michael Wines, and Matthew Rosenberg
*The New York Times*, 1 Sep 2017

https://www.nytimes.com/2017/09/01/us/politics/russia-election-hacking.html

“The more places we looked, the worse things looked.  In fact, we
discovered that VR Systems was not the only back-end supplier of election
services that was hacked by Russians ahead of Election Day.  Two more
vendors that provide critical election services were also hacked.''

   See also
https://www.nytimes.com/2017/09/01/insider/in-election-interference-its-what-reporters-didnt-find-that-matters.html?_r=0


How Russian & Alt-Right Twitter Accounts Worked Together to Skew the Narrative About Berkeley (Caroline O.)

Dewayne Hendricks <dew...@warpspeed.com>
September 2, 2017 at 2:53:05 AM EDT
#Antifa and #Berkeley were hot topics last weekend in America and in Russia.
Caroline O., Medium, 1 Sep 2017
https://medium.com/@RVAwonk/how-russian-alt-right-twitter-accounts-worked-together-to-skew-the-narrative-about-berkeley-f03a3d04ac5d

Social media [sic] has an important role in shaping perceptions of current
events, as well as influencing mainstream news coverage of those events.
Platforms like Twitter provide real-time access to events going on around
the world, allowing anyone to get a front-row seat for breaking news.  But
as much as it has opened up new channels of information, social media has
also open ed up new avenues for manipulating perceptions of reality.
Misinformation and disinformation often spread faster than the truth, and by
the time the narrative is corrected, social media has already moved on to
the next big thing.

The narrative surrounding last weekend's protests in Berkeley took shape on
social media and was picked up, at least in part, by mainstream news
outlets.  The result was a skewed presentation of events that was almost
entirely devoid of the context in which they took place. Even more
troubling: that narrative was influenced by pro-Russian social media
networks, including state-sponsored propaganda outlets, botnets, cyborgs,
and individual users.

In the case study below, I describe how the narrative surrounding Berkeley
was picked up and shaped by Russian-linked influence networks, which saw a
chance to drive a wedge in American society and ran with it. Next, I look at
the individual accounts and users that were identified as top influencers on
Twitter, and explore what they were posting, how they worked together to
craft a narrative, and the methods they used to amplify their message.
Finally, I look at how news coverage of the events in Berkeley was shaped by
the skewed narrative that emerged on social media.

This is just a single case study in a larger story, but it serves as an
important reminder that Russia is still exploiting social media to harm
U.S. interests—and that plenty of Americans are willing to join in on the
effort.

The Russian Connection

Russian-linked influence networks and propaganda arms quickly took interest
in the Berkeley protests last weekend. On Sunday afternoon, the top story on
the front page of Russian propaganda outlet RT was about the events in
Berkeley.  (Note that this was the main landing page, not the America
section).

RT tweeted stories about the protests throughout the day Sunday (and some on
Saturday), posting dramatic images and using trending hashtags to maximize
their reach. Many of these tweets were retweeted by the semi-automated
pro-Kremlin account @TeamTrumpRussia [...,] which spent much of the day
amplifying the hashtags #Berkeley and #Antifa.

On Twitter, the hashtag #Berkeley was amplified by Russian-linked influence
networks, as evidenced by the output of the Hamilton 68 dashboard, a project
of the Alliance for Securing Democracy, which tracks the activity of 600
Twitter accounts linked to Russian influence operations. These include
state-sponsored propaganda outlets like Sputnik and RT, as well as
individual users, automated accounts (bots), and cyborgs (accounts that
produce automated content some of the time, but are human-controlled at
other times) that actively and frequently amplify Kremlin propaganda
(knowingly, and in some cases, potentially unknowingly).


Ice-cold Kaspersky shows the industry how to handle patent trolls (The Register)

Monty Solomon <mo...@roscom.com>
Fri, 1 Sep 2017 08:58:18 -0400
https://www.theregister.co.uk/2017/08/31/kaspersky_handles_patent_trolls/


Open-source voting in San Francisco? (Dominic Fracassa)

"Peter G. Neumann" <neu...@csl.sri.com>
Mon, 4 Sep 2017 17:35:13 PDT
Dominic Fracassa, San Francisco considers open-source voting system
San Francisco Chronicle, 4 Sep 2017
http://www.sfchronicle.com/politics/article/San-Francisco-could-become-first-local-government-12170869.php&cmpid=twitter-premium

  [Open-source voting systems could be a major step forward compared
  with outsourced proprietary systems with no accountability.  However,
  please remember that everything else in the election process is still
  a potential source of risks.  PGN]


Millions of Time Warner Cable Customer Records Exposed in Third-Party Data Leak (Gizmodo)

Lauren Weinstein <lau...@vortex.com>
Fri, 1 Sep 2017 12:43:15 -0700
via NNSquad
http://gizmodo.com/millions-of-time-warner-customer-records-exposed-in-thi-1798701579

  The files, more than 600GB in size, were discovered on August 24 by the
  Kromtech Security Center while its researchers were investigating an
  unrelated data breach at World Wrestling Entertainment. Two Amazon S3
  buckets were eventually found and linked to BroadSoft, a global
  communications company that partners with service providers, including
  AT&T and TWC. The 4 million TWC records are not all tied to unique
  customers, meaning 4 million individual people were not exposed by the
  breach. Due to the sheer size of the cache, it was not immediately clear
  precisely how subscribers were affected. The leaked data included
  usernames, emails addresses, MAC addresses, device serial numbers, and
  financial transaction information--though it does not appear that any
  Social Security numbers or credit card information was exposed. Time
  Warner Cable was purchased by Charter Communications last year and is now
  called Spectrum, though the leaked records date back from this year to at
  least 2010.

    [TWC could be an abbreviation for TrustWorthy Computing or
    Time Warner Cable, but not both at the same time!  PGN]


Internet Censorship Bill Would Spell Disaster for Speech and Innovation (EFF)

Lauren Weinstein <lau...@vortex.com>
Sun, 3 Sep 2017 10:45:58 -0700
NNSquad
https://www.eff.org/deeplinks/2017/08/internet-censorship-bill-would-spell-disaster-speech-and-innovation

  There's a new bill in Congress that would threaten your right to free
  expression online. If that weren't enough, it could also put small
  Internet businesses in danger of catastrophic litigation.


Hacking Retail Gift Cards Remains Scarily Easy (WiReD)

Gabe Goldberg <ga...@gabegold.com>
Fri, 1 Sep 2017 12:13:39 -0400
In November of 2015, Will Caput worked for a security firm assigned to a
penetration test of a major Mexican restaurant chain, scouring its websites
for hackable vulnerabilities. So when 40-year-old Caput took a lunch break,
he had beans and guacamole on his mind. He decided to drive to the local
branch of the restaurant in Chico, California. While there, still in the
mindset of testing the restaurant's security, he noticed a tray of
unactivated gift cards sitting on the counter. So he grabbed them all—the
cashier didn't mind, since customers can load them with a credit card from
home via the web—and sat down at a table, examining the stack as he ate
his vegetarian burrito.

As he flipped through the gift cards, he noticed a pattern. While the final
four digits of the cards seemed to vary randomly, the rest remained constant
except one digit that appeared to increase by one with every card he
examined, neatly ticking up like a poker straight. By the time he finished
his burrito, he had a plan to defraud the system.

https://www.wired.com/story/gift-card-hacks


Radio Hacker Interrupts Police Chase in Australia

Monty Solomon <mo...@roscom.com>
Mon, 4 Sep 2017 16:01:10 -0400
https://www.bleepingcomputer.com/news/security/radio-hacker-interrupts-police-chase-in-australia/


US government: We can jail you indefinitely for not decrypting your data (The Register)

Monty Solomon <mo...@roscom.com>
Fri, 1 Sep 2017 08:43:41 -0400
https://www.theregister.co.uk/2017/08/30/ex_cop_jailed_for_not_decrypting_data/


Risks of biometrics: man with no arms refused by bank demanding fingerprints (NBC News)

John Utteridge <j...@wireless-solutions.ltd.uk>
Tue, 5 Sep 2017 09:37:28 +0100
http://www.nbcnews.com/id/32675980/ns/us_news-weird_news/t/banks-thumbprint-rule-irks-man-no-arms/

John Utteridge, Software Engineer - Wireless Solutions Ltd., Station House,
50 North St., Havant, Hants. PO9 1QU http://www.wireless-solutions.ltd.uk

  [There also seem to be older people with sufficiently worn-down fingers
  that are not recognizable on some fingerprinting devices.  PGN]


Re: Wisconsin Company to Implant Microchips In Employees (R-30.40)

"Richard A. O'Keefe" <o...@cs.otago.ac.nz>
Fri, 1 Sep 2017 16:50:31 +1200
It looks to me as if fingerprint scanners would be just as convenient to use
as waving an embedded chip, offer better affordance (you can see what to put
where), and are a *lot* cheaper than embedded chips.  Near as I can make out
from the IT Professionals NZ code of ethics, this is unethical.

As for the security claims, try these cartoons:
http://www.gocomics.com/brewsterrockit/2017/08/29
http://www.gocomics.com/brewsterrockit/2017/08/30
http://www.gocomics.com/brewsterrockit/2017/08/31

  [Groan.  See the previous item from John Utteridge. PGN]


Re: Microchipping employees (RISKS-30.40)

"John Levine" <jo...@iecc.com>
1 Sep 2017 11:28:25 -0000
> ... It will be trivial to design a microchip that not only reports the
> current id, but can be reprogrammed to a new id from a simple
> device. Secondly, it will be fairly easy to build a scanner that picks up
> the ids of anyone nearby. Quick scan and reprogram and I am a new person
> with your credit limit.

While I agree that chipping yourself is a bad idea, this is not why.

Chips used for financial transactions don't just broadcast an account
number, they sign transactions.  Hence a spy can replay a transaction but it
can't create new ones.  Contact and contactless EMV chips have worked this
way for 20 years.  Banks can certainly be stupid but they're not quite
*that* stupid.


Re: Cracked screen => cracked security? (Baker, R-30.44)

Richard Bos
Sun, 03 Sep 2017 09:22:53 GMT
> People with cracked touch screens or similar smartphone maladies have a new
> headache to consider: the possibility the replacement parts installed by
> repair shops contain secret hardware that completely hijacks the security of
> the device. [...]

> On the other hand, these stories play right into the hands of those trying
> to kill "the right to repair" supported by the EFF.

On the contrary. If you have the right to repair your device on your own
initiative, you can always choose to go to a repair shop *you* trust, or
even do it yourself. If you do not have that right, you *must* go to the
official dealer—who may not be trustworthy.

Right To Repair is not only important to cheapskates, researchers, hobbyists
and mafiosi in the Western world, but also to "terrorists" (read:
non-conformists) in more dictatorial countries. Those may not be right to
assume that an official Apple repair shop in *cough*Insert Undemocratic
Country Apple Has Close Ties With Here*cough* will supply the same,
spyware-free* replacement part that we get in Europe. And that may happen
with or without Apple's support, or even knowledge.

* I was about to insert a question mark here, but let's not be that
cynical - yet.


Re: Is LIBOR, Benchmark for Trillions of Dollars in Transactions, a Lie? (Shapir, RISKS-30.44)

Michael Bacon - Grimbaldus <michae...@grimbaldus.com>
Fri, 1 Sep 2017 14:32:43 +0100
I am afraid that Amos Shapir is in error when he refers to the wording on
British one pound banknotes, or indeed any British banknote issued by the
Bank of England since 1853.

The wording was just: "I promise to pay the bearer on demand the sum of
...". There was no mention of the means by which that would be achieved.

It is possible that wording which included the means of payment might have
appeared on bank notes issued by other than the "Old Lady of Threadneedle
Street", but the last notes issued by a private bank in England and Wales
were b y Fox, Fowler and Co in 1921, and their notes did not carry such
wording.

Further, since 1694 although with some breaks, and until 1931 when Britain
left the "Gold Standard" and the notes became backed by securities, the
means of settlement was gold, not silver; in the form of a gold sovereign.

The gold sovereign began circulation in 1489 as the "English gold sovereign"
, but which was last minted in 1604.  The 'modern' gold sovereign was minted
from 1817 until withdrawal in 1932.

Guinea coins were also issued - a "guinea" being one pound and one shilling
(one pound and five pence in decimal coinage) - but not guinea notes.  The
guinea was last minted in 1816, but the reference value is still used in
horse racing (the "Two Thousand Guineas Stakes" run at Newmarket in
April/May) and d in the market sale of sheep.

I would add for RISKS readers' further information, that "sterling" derives
from the silver pennies introduced after 1066 by the Norman invaders (from
one of whom, Grimbaldus, I am descended).  Then, 240 sterlings weighed one
pound, hence 240 (later, copper) pennies to the "pound".  The shilling, of
which there were 20 in a pound (and therefore 12 pennies to the shilling)
was also introduced by William the Conquerer.  There's logic behind our old
currency.

Of course, gold and silver coins would wear away with handling, and since
their value was based on weight, they were not really practical as a coinage
in common and frequent use, and so were replaced by cupronickel and other
alloy facsimiles.


Password: hint: birthday

Dan Jacobson <jid...@jidanni.org>
Tue, 05 Sep 2017 01:28:49 +0800
password: hint: birthday:
4/17/1992
04/17/1992
1992/4/17
1992/04/17
4/17
birthday
0417
April 17
April 17, 1992
04.17
Error: Too many attempts. Locked out.

  [1992.04.17? or 17.04.1992?
  Maybe even just "Friday", since all it wants is a birth *day*,
  not a birth date!  Then you would need a max of seven tries.  PGN]

Please report problems with the web pages to the maintainer

x
Top