The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 46

Monday 11 September 2017

Contents

Equifax Hack May Expose Data of 143 Million Users
Polly Mosendz
More info on Equifax breach
Lauren Weinstein
PSA: no matter what you write, Equifax may tell you you've been impacted by the hack
TechCrunch
Hurricane Harvey Knocked Out Cell Service. Now Calls for Backup Wireless Power Are Rising
Fortune
Fake Russian Facebook Accounts Planted $100,000 in Political Ads
Vindu Goel and Scott Shane
Fake Facebook 'like' networks exploited code flaw to create millions of bogus 'likes'
Elizabeth Weise
Facebook Wins, Democracy Loses
NYTimes
Virginia scraps touchscreen voting machines
Morgan Chalfant
A huge solar flare temporarily knocked out GPS communications
Engadget
Apple and Google Fix Browser Bug. Microsoft Does Not.
Bleeping Computer
Dogwhistle ultrasound returns in a new guise
The Verge
India's Supreme Court ruled that privacy is a constitutional right
Menaka Guruswamy
'Game of Thrones' was pirated more than a billion times—far more than it was watched legally
The Washington Post
10 minutes of silence storms iTunes charts thanks to awful Apple UI
The Register
Info on RISKS (comp.risks)

Equifax Hack May Expose Data of 143 Million Users (Polly Mosendz)

"Peter G. Neumann" <neu...@csl.sri.com>
Fri, 8 Sep 2017 9:41:10 PDT
Polly Mosendz, Bloomberg, 8 Sep 2017
Class action seeking to represent 143 million consumers alleges company
didn't spend enough on protecting data.
https://www.bloomberg.com/news/articles/2017-09-08/equifax-sued-over-massive-hack-in-multibillion-dollar-lawsuit

A proposed class-action lawsuit was filed against Equifax Inc. late Thursday
evening, shortly after the company reported that an unprecedented hack had
compromised the private information of about 143 million people.

In the complaint filed in Portland, Ore., federal court, users alleged
Equifax was negligent in failing to protect consumer data, choosing to save
money instead of spending on technical safeguards that could have stopped
the attack. Data revealed included Social Security numbers, addresses,
driver's license data, and birth dates. Some credit card information was
also put at risk.

Equifax first discovered the vulnerability in late July, though it chose not
to announce it publicly until more than a month later. The company was
widely criticized for its customer service approach in the aftermath of the
hack, as users struggled to understand whether their information had been
affected. Others expressed frustration that three senior executives sold
about $1.7 million in stock in the days following the discovery of the
hack. A spokeswoman for Equifax said the men “had no knowledge that an
intrusion had occurred at the time.”

The plaintiffs in the lawsuit are Mary McHill and Brook Reinhard. Both
reside in Oregon and had their personal information stored by Equifax.

“In an attempt to increase profits, Equifax negligently failed to maintain
adequate technological safeguards to protect Ms. McHill and Mr. Reinhard's
information from unauthorized access by hackers,” the complaint
stated. “Equifax knew and should have known that failure to maintain
adequate technological safeguards would eventually result in a massive data
breach. Equifax could have and should have substantially increased the
amount of money it spent to protect against cyberattacks but chose not to.”

The case was filed by the firm Olsen Daines PC along with Geragos & Geragos,
a celebrity law firm known for blockbuster class actions. Ben Meiselas, an
attorney for Geragos, said the class will seek as much as $70 billion in
damages nationally.

  [See also:]
http://www.businessinsider.com/equifax-hackers-may-have-accessed-personal-details-143-million-us-customers-2017-9
https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html?smprod=nytcore-ipad&smid=nytcore-ipad-share
DF: by using the service, you may be giving up legal rights:
https://www.washingtonpost.com/news/the-switch/wp/2017/09/08/what-to-know-before-you-check-equifaxs-data-breach-website/


More info on Equifax breach

Lauren Weinstein <lau...@vortex.com>
Fri, 8 Sep 2017 18:21:50 -0700
There is increasing evidence to suggest that primary impacts of the Equifax
breach involve consumers who interacted directly with (and provided personal
information to) their public facing website. The breach does not appear at
this time to involve their core credit reporting databases.


[SCAM!] PSA: no matter what you write, Equifax may tell you you've been impacted by the hack

Lauren Weinstein <lau...@vortex.com>
Fri, 8 Sep 2017 18:07:44 -0700
via NNSquad
https://techcrunch.com/2017/09/08/psa-no-matter-what-you-write-equifax-may-tell-you-youve-been-impacted-by-the-hack/?ncid=rss

  What this means is not only are none of the last names tied to your Social
  Security number, but there's no way to tell if you were really impacted.
  It's clear Equifax's goal isn't to protect the consumer or bring them
  vital information.  It's to get you to sign up for its revenue-generating
  product TrustID.


Hurricane Harvey Knocked Out Cell Service. Now Calls for Backup Wireless Power Are Rising

Lauren Weinstein <lau...@vortex.com>
Mon, 11 Sep 2017 09:35:43 -0700
via NNSquad
http://fortune.com/2017/08/30/hurricane-harvey-cell-backup-power/

  The wireless industry has for years successfully fought regulations that
  would force mobile phone networks to be hardened so they work during
  storms, but it may face renewed demands after Hurricane Harvey knocked out
  seven of 10 cell towers in the hardest-hit counties of Texas.

Depending on cell service during a disaster is a disaster in and of itself.
That's why so many telecom experts hang onto their landlines as lifelines! I
sure as hell do!


Fake Russian Facebook Accounts Planted $100,000 in Political Ads (Vindu Goel and Scott Shane)

"Peter G. Neumann" <neu...@csl.sri.com>
Thu, 7 Sep 2017 9:13:39 PDT
Vindu Goel and Scott Shane, The New York Times, 6 Sep 2017

Providing new evidence of Russian interference in the 2016 election,
Facebook disclosed on Wednesday that it had identified more than $100,000
worth of divisive ads on hot-button issues purchased by a shadowy Russian
company linked to the Kremlin.  The fake accounts were created by a Russian
company called the Internet Research Agency" (which is known for using troll
accounts to post on social media and comment on news websites).


Fake Facebook 'like' networks exploited code flaw to create millions of bogus 'likes' (Elizabeth Weise)

Lauren Weinstein <lau...@vortex.com>
Fri, 8 Sep 2017 10:12:35 -0700
via NNSquad, USA Today
https://www.usatoday.com/story/tech/news/2017/09/07/facebook-fake-likes-scammers-collusion-networks/642446001/

  A thriving ecosystem of websites that allow users to automatically
  generate millions of fake "likes" and comments on Facebook has been
  documented by researchers at the University of Iowa.


Facebook Wins, Democracy Loses (Siva Vaidhyanathan)

<james....@cmu.edu>
Sat, Sep 9, 2017 at 3:36 PM
Siva Vaidhyanathan, The New York Times, 8 Sep 2017 [via Dave Farber]

Wait!

Facebook, unlike Twitter, does not allow puppets, i.e. accounts controlled
by other accounts. I recall Egyptian Spring activists complaining about
this.

Does Facebook allow ads, i.e. something paid for, to masquerade as unpaid
posts? It shouldn't; Google doesn't. Finally, any ad should allow its reader
to learn about who paid for it.

None of these rules would prevent Russian robot trolls from posting evil
ideas, but it would make detecting them easier. A skeptical reader could ask
"Who posted this, and who are their friends?"

> Healthy democracies have transparency in political advertising. That
> doesn't matter to Facebook.
<https://www.nytimes.com/2017/09/08/opinion/facebook-wins-democracy-loses.html>


Virginia scraps touchscreen voting machines (Morgan Chalfant)

Richard Forno <rfo...@infowarrior.org>
Fri, Sep 8, 2017 at 10:28 PM
Morgan Chalfant, *The Hill*, 9 Sep 2017, via Dave Farber
http://thehill.com/business-a-lobbying/349896-virginia-scraps-touchscreen-voting-machines

The Virginia State Board of Elections moved Friday to do away with
touchscreen voting machines in the state by November's election, a move
aimed at boosting security.

The board decided to phase out the machines this year after the Virginia
Department of Elections recommended that the touchscreen voting machines be
decertified. The recommendation came after security experts breached
numerous types of voting machines with ease at the DEF CON cybersecurity
conference in Las Vegas in July, according to The Richmond Times-Dispatch.

The move comes amid heightened concerns over foreign interference in future
elections, in light of the U.S. intelligence community's conclusion that
Russia used cyberattacks and disinformation to interfere in the 2016
presidential election.

Virginia's gubernatorial election will take place in November, meaning that
the move to get rid of the machines would result in 22 localities having to
replace their equipment less than two months before the vote.

The state has already passed a law mandating that the machines be phased
out by 2020. According to the Times-Dispatch, 10 localities have already
started purchasing new equipment. The remaining 12 would need to work
quickly to phase out the old equipment by Nov. 7.

“The security of the election process is always of paramount importance.
The Department is continually vigilant on matters related to security of
voting equipment used in Virginia,'' Edgardo Cortes, the state's election
commissioner, said in a news release Friday.  “The ability to meaningfully
participate in our democracy is one of the most important rights that we
have as citizens, and the Department of Elections is dedicated to
maintaining voters' confidence in the democratic process.''

Cyber-experts have raised alarm over the touchscreen devices, called
direct-recording electronic, or DRE, voting machines, because they yield no
paper records that can be checked with the electronic records to make sure
votes are tallied accurately.

More than 100 cyber- and voting experts penned a letter to Congress in June
urging them to take steps to secure future elections, including a
recommendation to phase out DRE voting machines and others that do not
produce a voter-verified paper ballot.

“While there has been encouraging progress to improve election security in
recent years, too many polling stations across the nation are still equipped
with electronic machines that do not produce voter-verified paper ballots,
Many jurisdictions are also inadequately prepared to deal with rising
cybersecurity risks.''

The letter was sent the day that Department of Homeland Security officials
testified of evidence that Russia targeted election-related systems in 21
states ahead of the 2016 presidential election.

While officials maintain that the systems targeted were not involved in vote
tallying, Moscow's interference campaign has nevertheless stoked fears about
the possibility that foreign actors could attempt to use hacking to affect
vote counts in the future.

   See also
Today's Washington Post: DefCon 2017 contributed to Virginia dumping DREs
https://www.washingtonpost.com/local/virginia-politics/virginia-scraps-touch-screen-voting-machines-as-election-for-governor-looms/2017/09/08/e266ead6-94fe-11e7-89fa-bb822a46da5b_story.html?utm_term=3D.6fb49dcd9b08#comments


A huge solar flare temporarily knocked out GPS communications (Engadget)

Gabe Goldberg <ga...@gabegold.com>
Thu, 7 Sep 2017 16:17:51 -0400
The sun did its biggest burp in 12 years.  On the morning of 6 September the
sun let out two pretty sizable burps of radiation. Both were considered
X-class—the strongest type of solar flare—with one of them proving to
be the most powerful since 2005. If a solar flare is directed at Earth,
which these ones were, it can generate a radiation storm that interferes
with radio and GPS signals. The biggest flare ever recorded, in 2003, was so
strong it even knocked out NASA's solar measurement equipment. These recent
belches weren't quite on par with that, but they were enough to jam high
frequency radios and interfere with GPS systems for about an hour on the
side of the Earth facing the sun. Put your hand over your mouth, sun! Rude!

https://www.engadget.com/2017/09/07/a-huge-solar-flare-temporarily-knocked-out-gps-communications/

Sextant, chronometer, compass, maps, oh my...


Apple and Google Fix Browser Bug. Microsoft Does Not.

Lauren Weinstein <lau...@vortex.com>
Fri, 8 Sep 2017 15:44:18 -0700
via NNSquad
https://www.bleepingcomputer.com/news/security/apple-and-google-fix-browser-bug-microsoft-does-not-/

  Microsoft has declined to patch a security bug Cisco Talos researchers
  discovered in the Edge browser, claiming the reported issue is by
  design. Apple and Google patched a similar flaw in Safari (CVE-2017-2419)
  and Chrome (CVE-2017-5033), respectively.


Dogwhistle ultrasound returns in a new guise

"Peter G. Neumann" <neu...@csl.sri.com>
Thu, 7 Sep 2017 21:17:17 PDT
Dolphin attack uses high-frequency sound against voice-based assistants such
as Siri.

https://www.theverge.com/2017/9/7/16265906/ultrasound-hack-siri-alexa-google
https://techcrunch.com/2017/09/06/hackers-send-silent-commands-to-speech-recognition-systems-with-ultrasound/


India's Supreme Court ruled that privacy is a constitutional right

"Peter G. Neumann" <neu...@csl.sri.com>
Mon, 11 Sep 2017 15:02:23 PDT
https://www.nytimes.com/2017/09/10/opinion/indias-supreme-court-expands-freedom.html


'Game of Thrones' was pirated more than a billion times—far more than it was watched legally

Monty Solomon <mo...@roscom.com>
Fri, 8 Sep 2017 23:36:25 -0400
https://www.washingtonpost.com/news/morning-mix/wp/2017/09/08/game-of-thrones-was-pirated-more-than-a-billion-times-far-more-than-it-was-watched-legally/


10 minutes of silence storms iTunes charts thanks to awful Apple UI

Mark Brader
Tue, 5 Sep 2017 21:06:48 -0400 (EDT)
"A a a a Very Good Song" is A a a a simple workaround.
http://www.theregister.co.uk/2017/08/16/silent_track_bug_fix_itunes/

Please report problems with the web pages to the maintainer

Top