The RISKS Digest
Volume 30 Issue 48

Thursday, 19th October 2017

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Drone collides with passenger jet
Digital Trends
Airports Worldwide Are Hit by Delays After Software Outage
NYTimes
Medical IoT device woes
Business Insights
DHS and vendor warn on automotive cyberflaws
FCW
WPA2 KRACK: Key Re-installation attACK
PGN
Millions of high-security crypto keys crippled by newly discovered Infineon flaw
Ars Technica
Russia Tried to Use Pokemon Go to Destabilize U.S. Election
Variety
Politico's Morning Cybersecurity on voting machines
PGN
Hacker study: Russia could get into U.S. voting machines
Politico
Yet Another Russian Hack of the NSA, with Kaspersky's Help
Bruce Schneier
Russia Turned Kaspersky Software Into Global Spying Tool
WSJ
Israel hacked Kaspersky, tipped off NSA
WashPo
Russia's Use of Antivirus Software to Spy on the U.S. Shows Why We Need Strong Encryption
Slate
RT, Sputnik, and Russia's New Theory of War
NYTimes
North Korea hacking Sony
NYTimes
HP Enterprise let Russia scrutinize cyberdefense system used by Pentagon
Reuters
More on the Deloitte hack
The Guardian
Wireless Emergency Alert System Nationwide No-Op
WashPo
"The Coming Software Apocalypse"
James Somers
Accenture exposes data to public
SMH
Amazon's Echo Spot is a sneaky way to get a camera into your bedroom
The Verge
Ads don't work so websites are using your electricity to pay the bills
The Guardian
Stolen phones unlocked through a phishing attack
Diomidis Spinellis
Dubai airport's new virtual aquarium tunnel scans your face as you walk through it
The National
Microsoft's Nadella Wants to Help Coders Take a Quantum Leap
WiReD
Informed delivery is stalker's dream
Brian Krebs via Paul Fenimore
Internet Regulator Delays Key Security Feature Update Because of Lazy ISPs
Bleeping Computer via Gabe Goldberg
Use This USB Drive Trick to Secure Your Laptop in Public—or Anywhere Else
MakeUseOf
Google and Facebook Failed Us
The Atlantic
Facebook is introducing new protections for profile pictures for users in India
The Verge via Dan Jacobson
Google builds the Babelfish
QZ via Mark Thorson
How a Fire Alarm Caused a Glitch for Microsoft's Azure Cloud
Fortune
Faulty data center takes out Sourceforge
The Register
Wikipedia deletions: make my day
Dan Jacobson
Google changes the target when you click down
Chromium
Re: Propaganda flowed heavily into battleground states around election
Mark Kramer
Re: Yet another trove of sensitive US voter records leaked
Michael Kohne
Re: UK Banks, etc. to check account-holders' residence eligibility
Michael Bacon
Anthony Youngman
Re: Forget Your Password, Go to Jail
Amos Shapir
Re: 'Game of Thrones' was pirated ...
Kelly Bert Manning
Info on RISKS (comp.risks)

Drone collides with passenger jet (Digital Trends)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 16 Oct 2017 10:25:18 PDT
  [Thanks to Nancy Leveson for this item.  PGN]

https://www.digitaltrends.com/cool-tech/drone-collision-passenger-plane-canada/

A small drone struck a passenger jet in Canada last Thursday in the first
incident of its kind in the country.

The Skyjet aircraft was making preparations to land at Jean Lesage airport
in Quebec City when it collided with what is believed to have been a
drone. The plane suffered minor damage but the incident was deemed so
serious that Transport Minister Marc Garneau felt compelled to issue an
official statement about it: “This is the first time a drone has hit a
commercial aircraft in Canada and I am extremely relieved that the aircraft
only sustained minor damage and was able to land safely.”

The jet, which was carrying eight passengers on the flight from the city of
Rouyn-Noranda, 370 miles north-west of Quebec City, is likely to have been
a King Air 100 or King Air 200 model. Reports suggest it was flying at an
altitude of 1,500 feet (457 meters) when the drone, model unknown, hit the
aircraft. No arrests have yet been made.

The minister noted that while *the vast majority* of drone operators fly
responsibly, anyone tempted to fly their machine near an airport is
“endangering the safety of an aircraft, [which is an] extremely dangerous
and serious offense.”

Growing fears about risky drone flights prompted the Canadian government to
issue a set of interim guidelines in March that imposed strict limitations
on drone operations near people, animals, and buildings, including
airports. Violators could be hit with a $25,000 fine or a prison term. Or
both.
<https://www.digitaltrends.com/cool-tech/canada-drone-rules/>

Garneau said at the time that the potential for a catastrophic accident
involving an airplane is “the kind of nightmare scenario that keeps me up
at night.”  After last week's incident, the minister will be sleeping even
less easily.

Canadian authorities said that so far in 2017 they have received reports of
1,596 drone incidents, with 131 considered to have been of aviation safety
concern.

Earlier this month, a helicopter flying over New York City collided with a
Phantom 4 drone, a popular consumer model made by drone giant DJI. After the
helicopter landed safely at an airport in New Jersey, parts of the mangled
quadcopter were extracted from its body.

Federal Aviation Administration data compiled between February and September
2016 lists 1,274 possible drone sightings by U.S. air traffic facilities,
compared to 874 for the same period a year earlier.

Rogue drone flights in off-limits locations are a growing headache for the
authorities as the market for consumer machines continues to grow.

The challenge of dealing with rogue drones has spawned a new industry geared
toward developing technology that takes control of the drone from the
operator to remove it from the sky, while the Pentagon recently approved a
policy allowing the U.S. military to shoot down rogue drones flying close to
its military installations across the country.
https://www.digitaltrends.com/cool-tech/battle-innovations-anti-drone-gun/
https://www.digitaltrends.com/cool-tech/drone-restrictions-us-military/


Airports Worldwide Are Hit by Delays After Software Outage (NYTimes)

Monty Solomon <monty@roscom.com>
Fri, 29 Sep 2017 04:35:39 -0400
https://www.nytimes.com/2017/09/28/business/airport-check-in-computer.html

A “network issue” affected programs used by several major carriers, delaying
flights and causing other problems for travelers.


Medical IoT device woes

Gabe Goldberg <gabe@gabegold.com>
Tue, 26 Sep 2017 18:36:59 -0400
Medical IoT devices: the security nightmare that keeps CIOs up late at night

A survey by security company ZingBox found that U.S. hospitals on average
have between 10 and 15 connected devices per bed. A large hospital can have
more than 5,000 beds. Every connected device, and the systems managing them,
is a target for hackers and malware—and the devices often aren't
well-protected.

https://insights.hpe.com/content/hpe-nxt/en/articles/2017/09/medical-iot-devices-the-security-nightmare-that-keeps-cios-up-late-at-night.html

U.S. DHS and FDA Face Medical Device Security Woes

While most eyes interested in cybersecurity for the past two weeks have been
focused upon (and for good reason) the Equifax breach, the U.S. Food and
Drug Administration (FDA) continued its pressure on medical device
manufacturers to build security into product design — just as the
U.S. Department of Homeland Security warned the medical community of eight
vulnerabilities in Smiths medical wireless infusion pumps.

https://businessinsights.bitdefender.com/dhs-fda-security-breach


DHS and vendor warn on automotive cyberflaws (FCW)

Gabe Goldberg <gabe@gabegold.com>
Wed, 4 Oct 2017 23:58:27 -0400
The Homeland Security cybersecurity response team has notified automobile
makers they should take a look at new research illustrating flaws in vehicle
control modules to set the systems up for denial-of-service attacks and
other mischief. ...

Samani said consumers should also bear some of the responsibility by asking
manufacturers about their responses to cybersecurity incidents and
vulnerabilities, as well as how they test products to ensure security.

https://fcw.com/articles/2017/08/03/auto-cyber-cert-rockwell.aspx

That will be a fun and enlightening exchange, right?


WPA2 KRACK: Key Re-installation attACK

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 16 Oct 2017 11:29:52 PDT
This could be rather devastating for your wireless.  If you don't want to
read the outstanding Vanhoef-Piessens paper, try Matt Green's take on it, or
some of the other sources.

* Mathy Vanhoef and Frank Piessens (Leuven),
  Key Re-installation Attacks: Forcing Nonce Reuse in WPA2, CCS 2017
    https://papers.mathyvanhoef.com/ccs2017.pdf

* Matthew Green, Falling through the KRACKs,
    https://blog.cryptographyengineering.com

* Forbes: Update Every Device—This KRACK Hack kills your wi-fi privacy

* The Verge: Wi-Fi security has been breached

* The Independent: Krack wi-fi breach means every modern network and device
  is vulnerable

* https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

* https://www.krackattacks.com/

* https://plus.google.com/+LaurenWeinstein/posts/3HPiHw5HjMp

  [Steve Bellovin notes it's a blindingly obvious flaw in the protocol --
  bad things happen if you replay message 3—but it took 13 years to be
  noticed.  Drew Dean commented that the Needham-Schroeder flaw took 18 years
  to be found.  Even then, Lowe's would-be fix to address
  man-in-the-middle attacks required more time to get right.  PGN]
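To make Bellovin's "replay message 3" remark concrete, here is a small model
of the failure and of the obvious countermeasure. It is an added illustration
for this item, not code from the Vanhoef-Piessens paper or from any Wi-Fi
stack. Everything below that is not in the text above is an assumption of the
model: the cipher is a stand-in for AES-CCMP built from HMAC-SHA256 in counter
mode, the nonce is (transmitter address, 48-bit packet number), the supplicant
is reduced to the installed key and its packet number, and the frames and key
are constructed sample data.

```python
"""Toy model of KRACK's key-reinstallation / nonce-reuse problem.

Added illustration for this RISKS item; not code from the Vanhoef-Piessens
paper or from any Wi-Fi implementation.  Assumptions not taken from the page:
  * the cipher is a stand-in for AES-CCMP: a counter-mode keystream built from
    HMAC-SHA256(key, nonce || counter), XORed with the plaintext;
  * the CCMP nonce is (transmitter address, 48-bit packet number);
  * the supplicant is reduced to the state the attack abuses, i.e. the
    installed PTK and the packet number;
  * all frames and keys below are constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

BLOCK = 32  # HMAC-SHA256 output size: one keystream block


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC-SHA256(key, nonce || i).
    Stand-in for the AES-CTR inside CCMP (assumption of this model)."""
    out = bytearray()
    for i in range((length + BLOCK - 1) // BLOCK):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Station:
    """Vulnerable supplicant: installs the PTK on *every* message 3 it accepts."""
    addr: bytes
    ptk: Optional[bytes] = None
    pn: int = 0
    sent: List[Tuple[bytes, bytes]] = field(default_factory=list)

    def on_message3(self, ptk: bytes) -> None:
        # Installing the key (re)sets the packet number to zero.  Correct for the
        # first message 3; on a replayed message 3 the same key is reinstalled
        # and the PN reset, so the next frame reuses an old nonce.
        self.ptk = ptk
        self.pn = 0

    def send(self, plaintext: bytes) -> Tuple[bytes, bytes]:
        """Encrypt one frame with nonce = addr || PN; return (nonce, ciphertext)."""
        self.pn += 1
        nonce = self.addr + self.pn.to_bytes(6, "big")
        ct = xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))
        self.sent.append((nonce, ct))
        return nonce, ct


class PatchedStation(Station):
    """Countermeasure: never reinstall a key that is already in use (no PN reset)."""

    def on_message3(self, ptk: bytes) -> None:
        if self.ptk == ptk:
            return  # duplicate message 3 for the installed key: ignore it
        super().on_message3(ptk)


# Constructed sample traffic: two equal-length HTTP requests carrying a cookie.
FRAME1 = b"GET /login HTTP/1.1\r\nCookie: session=SECRET-COOKIE-1\r\n"
FRAME2 = b"GET /inbox HTTP/1.1\r\nCookie: session=SECRET-COOKIE-1\r\n"
PTK = hashlib.sha256(b"constructed PTK for the example").digest()
STA_ADDR = bytes.fromhex("020000000001")


def run_handshake_replay(station_cls) -> Tuple[bool, bytes]:
    """Drive a station through: message 3, one frame, replayed message 3, one frame.
    Returns (nonce reused?, what an eavesdropper recovers for the second frame
    given only the two ciphertexts and knowledge of the first frame)."""
    sta = station_cls(addr=STA_ADDR)
    sta.on_message3(PTK)                  # legitimate message 3 from the AP
    nonce1, ct1 = sta.send(FRAME1)
    # The man-in-the-middle withholds the station's message 4, the AP
    # retransmits message 3, and the attacker forwards that retransmission.
    sta.on_message3(PTK)                  # replayed message 3
    nonce2, ct2 = sta.send(FRAME2)
    # If the nonce repeats, ct1 XOR ct2 == FRAME1 XOR FRAME2: the keystream
    # cancels, and a known first frame yields the second one outright.
    recovered = xor(xor(ct1, ct2), FRAME1)
    return nonce1 == nonce2, recovered


if __name__ == "__main__":
    for cls in (Station, PatchedStation):
        reused, rec = run_handshake_replay(cls)
        print(f"{cls.__name__:15s} nonce reused: {reused}  "
              f"second frame recovered: {rec == FRAME2}")
```

Run as a script: the vulnerable Station reports the nonce reused and the
second frame recovered in full; the PatchedStation, which ignores the
duplicate message 3, reports neither. Nothing here depends on the strength
of the cipher: any counter-mode scheme leaks plaintext XOR once a (key, nonce)
pair repeats, which is why the protocol-level replay, not the cryptography,
is the point.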


Millions of high-security crypto keys crippled by newly discovered Infineon flaw (Ars Technica)

Lauren Weinstein <lauren@vortex.com>
Mon, 16 Oct 2017 11:16:33 -0700
ANOTHER (DIFFERENT!) Security Disaster Today!
https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/

  A crippling flaw in a widely used code library has fatally undermined the
  security of millions of encryption keys used in some of the highest-stakes
  settings, including national identity cards, software- and
  application-signing, and trusted platform modules protecting government
  and corporate computers. The weakness allows attackers to calculate the
  private portion of any vulnerable key using nothing more than the
  corresponding public portion. Hackers can then use the private key to
  impersonate key owners, decrypt sensitive data, sneak malicious code into
  digitally signed software, and bypass protections that prevent accessing
  or tampering with stolen PCs. The five-year-old flaw is also troubling
  because it's located in code that complies with two internationally
  recognized security certification standards that are binding on many
  governments, contractors, and companies around the world. The code library
  was developed by German chipmaker Infineon and has been generating weak
  keys since 2012 at the latest.

This relates to:
Explaining the Chromebook Security Scare in Plain English: Don't Panic!
https://lauren.vortex.com/2017/10/11/explaining-the-chromebook-security-scare-in-plain-english-dont-panic
My comments in that posting still hold true.


Russia Tried to Use Pokemon Go to Destabilize U.S. Election (Variety)

Lauren Weinstein <lauren@vortex.com>
Thu, 12 Oct 2017 20:56:04 -0700
http://variety.com/2017/digital/news/russia-pokemon-go-1202588702/

  Russian operatives apparently didn't just lean on Facebook and Twitter in
  their attempts to influence the 2016 presidential election. A new report
  from CNN details an effort to also tap into the fan base of Pokemon Go to
  cause unrest.  These efforts were being organized by "Don't Shoot Us," a
  group ostensibly founded to protest police brutality against
  African-Americans. As part of these efforts, the group encouraged its
  followers to make use of a feature that allows users to rename any Pokemon
  that they have captured.  The group instructed Pokemon Go players to
  replace the default Pokemon names for the names of victims of police
  brutality, and then take screenshots of their renamed Pokemons. Game maker
  Niantic Labs told CNN that users can't actually share information in the
  game with each other. "Niantic will consider our response as we learn
  more," it said in a statement.


Politico's Morning Cybersecurity on voting machines

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 27 Sep 2017 22:46:56 PDT
TAKE A HINT - A leading election security expert on Monday urged New Jersey
to decertify paperless electronic voting machines that she says create an
unacceptable risk of vote hacking. "New Jersey needs to ensure its ability
to detect interference is as strong as its other defenses," said Barbara
Simons, a computer scientist who leads the nonprofit Verified Voting, in a
statement. The Garden State will hold a closely watched gubernatorial
election in November to replace term-limited Gov. Chris Christie. Virginia
recently decertified paperless touchscreen voting machines, and Simons urged
New Jersey to do the same. While "election officials take precautions to
ensure that the risk of tampering is as low as possible," she said,
"defending any computer system is not foolproof." New Jersey law defines the
ballot of record as the paper document generated by each vote, but the state
has not enforced that law because it lacks the money to buy new machines
that produce those paper documents.
<http://go.politicoemail.com/?qs=7f927db04f459f0dbd62e5b7095548345bf6e814b42d84122fbbc1ad20a67a35367bba5f7d3a526d098074e45baf4805014f1573920434c2>

Montgomery County, Md. whose county IT services were crippled under a
ransomware attack, paid the ransom to its hackers.
<http://go.politicoemail.com/?qs=7f927db04f459f0df1a4ac12e9ae0e5bca00ca6bef81c55a47721e3a13260ea449b200d6467b3d1a206604f39c4c4dab6495ec24467110bb>.


Hacker study: Russia could get into U.S. voting machines (Politico)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 9 Oct 2017 13:24:05 PDT
Edward-Isaac Dovere, Politico, 9 Oct 2017
<http://go.politicoemail.com/?qs=72a51dae38c79e4d50be87cf0f23fd979df36889c45a095dd3a70e0606f552d1daee5442b1092d585679d613dd22dee09201b5c3783908ef>

American voting machines are full of foreign-made hardware and software,
including from China, and a top group of hackers and national security
officials says that means they could have been infiltrated last year and
into the future.

DEFCON, the world's largest hacker conference, will release its findings on
Tuesday, months after hosting a July demonstration in which hackers quickly
broke into 25 different types of voting machines.

The report, to be unveiled at an event at the Atlantic Council, comes as the
investigation continues by four Hill committees, plus Justice Department
special counsel Robert Mueller, into Russian meddling in the 2016 elections,
on top of the firm intelligence community assessments of interference.

Though the report offers no proof of an attack last year, experts involved
with it say they're sure it is possible—and probable—and that the
chances of a bigger attack in the future are high.  "From a technological
point of view, this is something that is clearly doable," said Sherri
Ramsay, the former director of the federal Central Security Service Threat
Operations Center, which handles cyber threats for the military and the
National Security Agency. "For us to turn a blind eye to this, I think that
would be very irresponsible on our part."

Often, voting machine companies argue that their supply chain is secure or
that the parts are American-made or that the number of different and
disconnected officials administering elections would make a widespread hack
impossible. The companies also regularly say that since many machines are
not connected to the internet, hackers' ability to get in is limited.

But at the DEFCON event in Las Vegas, hackers took over voting machines
remotely and exposed personal information in voter files and more.

  [lots more PGN-truncated.]


Yet Another Russian Hack of the NSA, with Kaspersky's Help

Bruce Schneier <schneier@schneier.com>
Sun, 15 Oct 2017 01:28:02 -0500
  PGN excerpted from Bruce Schneier's CRYPTO-GRAM, October 15, 2017,
  schneier@schneier.com,  https://www.schneier.com
  https://www.schneier.com/crypto-gram.html

Yet Another Russian Hack of the NSA—This Time with Kaspersky's Help

The *Wall Street Journal* has a bombshell of a story. Yet another NSA
contractor took classified documents home with him. Yet another Russian
intelligence operation stole copies of those documents. The twist this time
is that the Russians identified the documents because the contractor had
Kaspersky Labs anti-virus installed on his home computer.

This is either an example of the Russians subverting a perfectly reasonable
security feature in Kaspersky's products, or Kaspersky adding a plausible
feature at the request of Russian intelligence. In the latter case, it's a
nicely deniable Russian information operation. In either case, it's an
impressive Russian information operation.

This is a huge deal, both for the NSA and Kaspersky. The Wall Street Journal
article contains no evidence, only unnamed sources. But I am having trouble
seeing how the already embattled Kaspersky Labs survives this.

What's getting a lot less press is yet another NSA contractor stealing
top-secret cyberattack software. What is it with the NSA's inability to keep
anything secret anymore?

And it seems that Israeli intelligence penetrated the Kaspersky network and
noticed the operation.

https://www.wsj.com/articles/russian-hackers-stole-nsa-data-on-u-s-cyber-defense-1507222108
(link behind paywall)
https://www.wsj.com/articles/kaspersky-says-it-is-pawn-in-u-s-russia-conflict-1507285528
(link behind paywall)

https://arstechnica.com/information-technology/2017/10/the-cases-for-and-against-claims-kaspersky-helped-steal-secret-nsa-secrets/
https://www.nytimes.com/2017/10/05/us/politics/russia-nsa-hackers-kaspersky.html
https://www.wired.com/story/nsa-contractors-hacking-tools/
http://www.slate.com/blogs/future_tense/2017/10/05/another_nsa_contractor_stole_documents_and_now_the_russians_have_more_u.html
https://motherboard.vice.com/en_us/article/kz755a/ex-nsa-hackers-are-not-surprised-by-bombshell-kaspersky-report

Israel's involvement:
https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html
https://www.washingtonpost.com/world/national-security/israel-hacked-kaspersky-then-tipped-the-nsa-that-its-tools-had-been-breached/2017/10/10/d48ce774-aa95-11e7-850e-2bdd1236be5d_story.html


Russia Turned Kaspersky Software Into Global Spying Tool (WSJ)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 11 Oct 2017 16:23:15 PDT
<http://www.wsj.com/articles/russian-hackers-scanned-networks-world-wide-for-secret-u-s-data-1507743874?mod=djemalertNEWS>

The Russian government used a popular antivirus software to secretly scan
computers around the world for classified U.S. government documents and
top-secret information, modifying the program to turn it into an espionage
tool, according to current and former U.S. officials with knowledge of the
matter.

The software, made by the Moscow-based company Kaspersky Lab, routinely
scans files of computers on which it is installed looking for viruses and
other malicious software. But in an adjustment to its normal operations that
the officials say could only have been made with the company's knowledge,
the program searched for terms as broad as "top secret," which may be
written on classified government documents, as well as the classified code
names of U.S. government programs, these people said. [...]


Israel hacked Kaspersky, tipped off NSA (WashPo)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 11 Oct 2017 11:52:45 PDT
https://www.washingtonpost.com/world/national-security/israel-hacked-kaspersky-then-tipped-the-nsa-that-its-tools-had-been-breached/2017/10/10/d48ce774-aa95-11e7-850e-2bdd1236be5d_story.html?utm_term=.65e27fd7f291


Russia's Use of Antivirus Software to Spy on the U.S. Shows Why We Need Strong Encryption (Slate)

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 13 Oct 2017 10:17:30 PDT
“Even worse, any technology that allows U.S. agencies to lawfully access
data will present an irresistible target for hackers and foreign
intelligence services. The idea that such data will remain safe is laughable
in a world where foreign intelligence services have openly leveraged
cyberweapons against corporate and political targets.”

http://www.slate.com/blogs/future_tense/2017/10/12/russia_used_kaspersky_software_to_spy_on_the_u_s_that_s_why_we_need_encryption.html


RT, Sputnik, and Russia's New Theory of War (NYTimes)

"Dave Farber" <farber@gmail.com>
Mon, 9 Oct 2017 21:53:23 -0400
https://www.nytimes.com/2017/09/13/magazine/rt-sputnik-and-russias-new-theory-of-war.html?smprod=nytcore-ipad&smid=nytcore-ipad-share

How the Kremlin built one of the most powerful information weapons of the
21st century — and why it may be impossible to stop.


North Korea hacking Sony (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Sun, 15 Oct 2017 20:57:01 -0400
https://www.nytimes.com/2017/10/15/world/asia/north-korea-hacking-cyber-sony.html

While the world is fixated on its nuclear missiles, North Korea has also
developed a cyberattack program that is stealing millions and unleashing
havoc.


HP Enterprise let Russia scrutinize cyberdefense system used by Pentagon (Reuters)

"Bob Frankston" <Bob19-0501@bobf.frankston.com>
2 Oct 2017 13:26:38 -0400
Joel Schectman, Dustin Volz and Jack Stubbs (Reuters)

"Hewlett Packard Enterprise allowed a Russian defense agency to review the
inner workings of cyber defense software used by the Pentagon to guard its
computer networks, according to Russian regulatory records and interviews
with people with direct knowledge of the issue.

"The HPE system, called ArcSight, serves as a cybersecurity nerve center for
much of the U.S. military, alerting analysts when it detects that computer
systems may have come under attack. ArcSight is also widely used in the
private sector. The Russian review of ArcSight's source code, the closely
guarded internal instructions of the software, was part of HPE's effort to
win the certification required to sell the product to Russia's public
sector, according to the regulatory records seen by Reuters and confirmed by
a company spokeswoman."

https://www.reuters.com/article/us-usa-cyber-russia-hpe-specialreport/special-report-hp-enterprise-let-russia-scrutinize-cyberdefense-system-used-by-pentagon-idUSKCN1C716M


More on the Deloitte hack (RISKS-30.47)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 10 Oct 2017 13:41:41 PDT
"The hack into the accountancy giant Deloitte compromised a server that
contained the emails of an estimated 350 clients, including four US
government departments, the United Nations and some of the world's biggest
multinationals, the Guardian has been told."

https://www.theguardian.com/business/2017/oct/10/deloitte-hack-hit-server-containing-emails-from-across-us-government


Wireless Emergency Alert System Nationwide No-Op

Richard M Stein <rmstein@ieee.org>
Fri, 13 Oct 2017 19:46:32 -0700
https://www.washingtonpost.com/investigations/the-only-california-county-that-sent-a-warning-to-residents-cellphones-has-no-reported-fatalities/2017/10/13/b28b5af4-b01f-11e7-a908-a3470754bbb9_story.html

  "More than 65 percent of the nation's 3,500 counties do not have
  agreements in place with FEMA to send alerts through the Wireless
  Emergency Alert system, as it is known, the agency said."


"The Coming Software Apocalypse" (James Somers)

ACM TechNews <technews-editor@acm.org>
Fri, 29 Sep 2017 12:05:25 -0400 (EDT)
James Somers, *The Atlantic*, 26 Sep 2017 via ACM TechNews, 29 Sep 2017

The growing complexity and connectivity of software and the fact that its
foundational requirements can lead to serious and potentially disastrous
consequences has prompted a group of coders to combat the abstract approach
to programming.  The Communications Design Group's Bret Victor says thinking
about software systems via code is difficult, which plays directly into
their high incidence of bugs.  His solution is a
what-you-see-is-what-you-get interface to enable programmers to write and
revise code and see the immediate effects of those changes on the
application under development.  Some programming experts are following
Victor's lead, with Microsoft's Chris Granger having built a prototype
coding environment designed to provide instant feedback to developers on
software behavior.  Also gaining favor is a model-based approach that is
still sufficiently unambiguous for computers to comprehend, while of
paramount importance is the creation of a program to convert the models into
actual code that can be proven to function correctly all the time.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-171ddx213192x077133&


Accenture exposes data to public (SMH)

Dave Horsfall <dave@horsfall.org>
Thu, 12 Oct 2017 15:21:36 +1100 (EST)
http://www.smh.com.au/technology/consumer-security/corporate-tech-giant-leaves-secret-data-exposed-to-public-internet-20171011-gyyijb.html

  “A world-leading corporate consultancy and technology outsourcer left at
  least four cloud-based storage servers unsecured and publicly
  downloadable, exposing secret data, authentication credentials,
  certificates, decryption keys, customer information, and more data that
  could have been used to attack both the provider and its thousands of
  clients.

  Fairfax Media can reveal that Accenture – one of the world's largest
  corporate consulting and management firms that has offices across
  Australia, and is also behind the national e-health record system –
  inadvertently allowed files belonging to its clients to be publicly
  available.”

It seems that the exposed data was actually test data for a trial run, but
nonetheless was accurate; there was no evidence that Australia's e-health
system was compromised (but how would they know?).

I guess one message here is that test data had better be just that...


Amazon's Echo Spot is a sneaky way to get a camera into your bedroom (The Verge)

Monty Solomon <monty@roscom.com>
Fri, 29 Sep 2017 08:03:01 -0400
https://www.theverge.com/2017/9/28/16378472/amazons-echo-spot-camera-in-your-bedroom


Ads don't work so websites are using your electricity to pay the bills (The Guardian)

Gabe Goldberg <gabe@gabegold.com>
Sun, 1 Oct 2017 00:01:54 -0400
Pirate Bay and Showtime turned to forcing unknowing visitors to mine
cryptocurrency, using computers rather than eyeballs on ads to generate
money.

https://www.theguardian.com/technology/2017/sep/27/pirate-bay-showtime-ads-websites-electricity-pay-bills-cryptocurrency-bitcoin


Stolen phones unlocked through a phishing attack

Diomidis Spinellis <dds@aueb.gr>
Mon, 16 Oct 2017 23:23:15 +0300
The e-crime unit of the Hellenic Police identified 15 individuals involved
in the unlocking of stolen smartphones.  According to an issued press
statement [1] the perpetrators would send a targeted phishing message to the
owners of stolen smartphones that had enabled the device's tracking
feature. The message, purporting to come from the device's manufacturer,
would direct them to a phishing site made to look like the site of the
phone's manufacturer.  The site prompted the owners wishing to find out
their phone's location to enter their iCloud credentials required to unlock
the phone.  Through these the perpetrators could unlock the phone, access
its user's data, and reset the phone so that they could resell it.
Apparently, local phone shops outsourced the phishing operation to
accomplices with a global presence.

As I see it, the scam's effectiveness is based on two factors and
corresponding risks.  First, it targets phone owners who are distraught,
because their phone has been stolen.  These will most probably have their
defenses lowered.  Second, it involves the phone owners in an operation with
which they are not familiar; most phone owners seldom use their phone's
location tracking feature.

[1] http://www.astynomia.gr/index.php?option=ozo_content&lang=%27..%27&perform=view&id=74803&Itemid=1961&lang


Dubai airport's new virtual aquarium tunnel scans your face as you walk through it (The National)

Gabe Goldberg <gabe@gabegold.com>
Wed, 11 Oct 2017 00:26:04 -0400
Passengers will no longer have to wait in line at security counters or pass
through e-gates, instead walking through a tunnel that scans people’s faces.
https://www.thenational.ae/uae/transport/dubai-airport-s-new-virtual-aquarium-tunnel-scans-your-face-as-you-walk-through-it-1.665406#5


Microsoft's Nadella Wants to Help Coders Take a Quantum Leap

Gabe Goldberg <gabe@gabegold.com>
Tue, 26 Sep 2017 10:54:06 -0400
No one has built a quantum computer large enough to be useful because the
delicate quantum effects qubits rely on also make them prone to errors.

https://www.wired.com/story/microsofts-nadella-wants-to-help-coders-take-a-quantum-leap

Blindingly fast but error-prone computing, what could go wrong?


Informed delivery is stalker's dream (Brian Krebs)

Paul Fenimore <fenimore@swcp.com>
Mon, 2 Oct 2017 18:15:51 -0600
Brian Krebs notes the risks of poor authentication in the US Post Office's
latest on-line convenience service: mail covers/images for most in-coming
mail delivered to you via email ...

<https://krebsonsecurity.com/2017/10/usps-informed-delivery-is-stalkers-dream/>


Internet Regulator Delays Key Security Feature Update Because of Lazy ISPs

Gabe Goldberg <gabe@gabegold.com>
Tue, 3 Oct 2017 00:12:52 -0400
Inattentive ISPs and technical faults have led the Internet Corporation for
Assigned Names and Numbers (ICANN) to delay the KSK Rollover for next year.

KSK stands for the key signing key, a special cryptographic key used by core
Internet DNS servers. The KSK is part of the Domain Name System Security
Extensions (DNSSEC) protocol, a more secure version of the classic DNS
protocol.

https://www.bleepingcomputer.com/news/security/internet-regulator-delays-key-security-feature-update-because-of-lazy-isps/


Use This USB Drive Trick to Secure Your Laptop in Public—or Anywhere Else (MakeUseOf)

Gabe Goldberg <gabe@gabegold.com>
Tue, 3 Oct 2017 00:22:10 -0400
Obviously, it can't stop someone picking up your machine and walking away
with it (unless the USB stick is made of lead), but it can stop prying eyes
from having a quick look at your personal documents while you're stood up
ordering your next iced frappe-latte-mocha-chino.

Sounds great, but how can you make this magic happen? It's all thanks to a
wonderful little app called Predator.

The Predator app lets you lock and unlock your PC by removing or inserting a
USB flash drive. You can use any USB stick, so you don't have to remember to
take the same one with you every time you leave the house. As long as you
have a USB stick on your person, it will work.

The app works by generating a security code and placing it on the USB
stick. Every few seconds, it checks to see whether the code—and by
extension, the stick—is still present.

http://www.makeuseof.com/tag/usb-stick-secure-computer-public/

Really?


Google and Facebook Failed Us (The Atlantic)

Lauren Weinstein <lauren@vortex.com>
Tue, 3 Oct 2017 08:20:47 -0700
https://www.theatlantic.com/technology/archive/2017/10/google-and-facebook-have-failed-us/541794/

  In the crucial early hours after the Las Vegas mass shooting, it happened
  again: Hoaxes, completely unverified rumors, failed witch hunts, and
  blatant falsehoods spread across the internet.  But they did not do so by
  themselves: They used the infrastructure that Google and Facebook and
  YouTube have built to achieve wide distribution.  These companies are the
  most powerful information gatekeepers that the world has ever known, and
  yet they refuse to take responsibility for their active role in damaging
  the quality of information reaching the public.  BuzzFeed's Ryan Broderick
  found that Google's "top stories" results surfaced 4chan forum posts about
  a man that right-wing amateur sleuths had incorrectly identified as the
  Las Vegas shooter.  4chan is a known source not just of racism, but hoaxes
  and deliberate misinformation. In any list a human might make of sites to
  exclude from being labeled as "news," 4chan would be near the very top.


Facebook is introducing new protections for profile pictures for users in India

Dan Jacobson <jidanni@jidanni.org>
Sat, 07 Oct 2017 11:50:18 +0800
https://www.theverge.com/2017/6/22/15851662/facebook-profile-picture-protection-india

"Facebook is introducing new protections for profile pictures for users in
India, in a bid to stop people from copying, sharing, or otherwise misusing
their images. Users who elect to guard their profile through the new system
will ensure that others can't send, share, or download their picture, and
will keep strangers from tagging themselves in the image."

But all one has to do is in e.g., Chromium, CTRL+S Save Webpage Complete,
and voila...


Google builds the Babelfish (QZ)

Mark Thorson <eee@dialup4less.com>
Thu, 5 Oct 2017 09:45:33 -0700
First they track your browsing, then they read your e-mail, and now they
will eavesdrop on your conversations.

https://qz.com/1094638/google-goog-built-earbuds-that-translate-40-languages-in-real-time-like-the-hitchhikers-guides-babel-fish/

I'm sure it's to give you targeted ads to improve your user experience.


How a Fire Alarm Caused a Glitch for Microsoft's Azure Cloud (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Fri, 6 Oct 2017 12:55:43 -0400
Microsoft has apologized to users of its Azure cloud in Europe who could not
access some services for seven hours late last month.

The reason for the snafu? An errant fire alarm. Or, as the Microsoft Azure
status report put it: “During a routine periodic fire suppression system
maintenance, an unexpected release of inert fire suppression agent
occurred.”

At that point, the data center’s air handling units shut down automatically,
as they are supposed to, while the conditions were assessed. Some Microsoft
Azure cloud services were difficult or impossible to access between 1:27
p.m. and 8:15 p.m. local time on September 29, 2017, according to the status
report which tech news site The Register picked up.

http://fortune.com/2017/10/04/microsoft-azure-cloud-europe/

The risk? Same as on-premises equipment. Just larger consequences.


Faulty data center takes out Sourceforge (The Register)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 27 Sep 2017 16:00:09 PDT
http://www.theregister.co.uk/2017/09/27/faulty_data_center_takes_out_sourceforge/


Wikipedia deletions: make my day

Dan Jacobson <jidanni@jidanni.org>
Mon, 09 Oct 2017 11:21:04 +0800
I mentioned to my Mom about the endless deletion attempts on Wikipedia,
https://en.wikipedia.org/wiki/Wikipedia:Articles_for_deletion/Peace_and_World_Affairs_Center_of_Evanston

So she said something that made my day:

So is Wikipedia really a disappointment? That's good to know because since I
haven't contributed to them yet, I was thinking of adding a thousand dollars
for them in my will. If you say so, I won't do it.  Please advise.

I told her:
Dear Mom, consider instead https://archive.org/donate/ ,
which stores all the Wikipedia articles that have been deleted.

They even tried to delete
https://en.wikipedia.org/wiki/Wikipedia:Articles_for_deletion/Triscuit


Google changes the target when you click down

Dan Jacobson <jidanni@jidanni.org>
Tue, 10 Oct 2017 15:20:58 +0800
https://bugs.chromium.org/p/chromium/issues/detail?id=772914#c3

"The link status text has never been a security surface.  Because of onclick
handlers, sites can navigate anywhere (or do anything else) when you click a
link.  Because the halting problem is not solvable, browsers cannot tell you
ahead of time what the site is going to do.

Therefore, in all browsers, this text is simply a best-effort attempt to
show what will happen; it's not a reliable one (and cannot be made to be).

In the particular case of Google, the site completely changes the link's
target when you click down, which is why you see the preview change at that
point.  The browser can't know in advance that's what will happen."


Re: Propaganda flowed heavily into battleground states around election

Mark Kramer <c28f62@theworld.com>
Mon, 2 Oct 2017 18:34:53 -0400
Yes, I think everyone knows that battleground states get most of the
attention from everyone involved in political campaigns. Everyone makes a
coordinated effort to target pivotal voters in those states. That's where
the cost/benefit ratio is best. They *all* propagate their agendas (the
original definition of "propaganda") where they can sway the most votes.
Why waste money on voters in a state that you know you either are going to
win or cannot win?

How is this news? How is this even a risk? Who is paying these Oxford
"researchers" to produce such obvious results?

Clinton didn't spend a lot on states she knew she had sewn up; Trump
likewise. I live in a state that was going to go to HRC and I didn't see any
ads from either one. I kind of like that. It makes watching TV or listening
to the radio much more pleasant.

By the way, the more recent derogatory usage for an inherently neutral word
is more concerning than the fact that campaigns actually go where they can
influence the most voters. It's always the other guy's agenda being
propagated that becomes "propaganda", never one's own.

And don't get me started on how it is a sudden epiphany to so many people
that the Internet is filled with misinformation. It has been that way since
long before the Eternal September, back when USENET was UUCP.  Suddenly it's
front page news that the front page of so many news sources on the Internet
might not contain 100% fact. Something must be done! Why isn't the
Government saving us?


Re: Yet another trove of sensitive US voter records leaked (ZDNet)

Michael Kohne <mhkohne@kohne.org>
Sun, 1 Oct 2017 20:00:56 -0400
> "To be clear, TargetSmart's database and systems are secure and have not
> been breached. TargetSmart imposes strict contractual obligations on its
> clients regarding how TargetSmart data must be stored and secured, and takes
> these obligations seriously," Bonier added.

But not seriously enough to actually get the third party to secure things
properly.

Contractual obligations are nice for placing blame after it all goes wrong,
but they generally don't serve to, you know, actually secure anything. That
has to be done by people who actually give a damn, every day.

Apparently that wasn't in the contract.


Re: UK Banks, etc. to check account-holders' residence eligibility (RISKS-30.47)

Michael Bacon - Grimbaldus <michael.bacon@grimbaldus.com>
Sat, 30 Sep 2017 14:14:17 +0100
It is doubtful whether this measure will have the desired effect.  If indeed
illegal immigrants have bank accounts, despite setting up an account in the
UK seemingly requiring much in the way of ID including inside leg
measurement, they will simply close these accounts and drop off the grid.


Re: UK Banks, etc. to check account-holders' residence eligibility (RISKS-30.47)

Anthony Youngman <antlists@youngman.org.uk>
Sat, 30 Sep 2017 22:52:14 +0100
It seems worse than that ... I recently had a letter from my bank telling me
that for several years they have had to check new customers' residential
status. But now they are required retrospectively to check the status of all
existing account holders.

Don't forget - the UK is one of the few (the only?) countries that has no form
of identity card system. What proof do they want of resident status? I have
no idea where my birth certificate is (it's only valid as proof if the date
of issue is within six weeks of the date of birth - copies are easily
obtained but are also easily identified by the date of issue). I no longer
have a valid passport. National Insurance numbers and driving licences are
handed out willy-nilly and are meaningless for national identity purposes.
...

I'm probably not alone - an awful lot of people will have no ID to prove
their rights. This has long been a problem - I remember something like this
maybe 30 years ago, when there was a big storm about the number of women who
would be affected because they were asking for a whole bunch of ID that
typically the husband would have, e.g., household bills. How does a woman prove
her address when all the paperwork is in her husband's name?

It would not surprise me in the least if the Government has learned
absolutely nothing in the intervening years ... (I think that if I'm forced
to apply for a new passport, I'll try and get a German one.  :-)


Re: Forget Your Password, Go to Jail (RISKS-30.47)

Amos Shapir <amos083@gmail.com>
Wed, 11 Oct 2017 09:31:18 +0300
This seemed a bit far-fetched, so I looked it up (I always follow links,
they tell a different story than headlines, often contradictory).

Two facts not mentioned in this post are first, that this guy had already
been sentenced to more than 15 years for other offenses (which he'll start
to serve once this issue is resolved), that's why no one is in a hurry to
get him out of prison; and second, more important, that he was not ordered
to reveal his password, (and so never claimed he forgot it), only to produce
a decrypted version of the hard drive.

If I understand the points of law correctly (IANAL), he was not convicted,
only held in contempt, so *habeas corpus* is not applicable (as one judge
said, he "keeps punishing himself" by refusing to comply); and OTOH since he
was ordered to *do* something rather than *say* something, the fifth
amendment protection does not apply either.

The important and ominous fact is, a person may be held indefinitely in jail
without being convicted, for refusing to criminalize himself.

The relevance to RISKS is that technology provides the cracks that such a
monstrosity can slip through.


Re: 'Game of Thrones' was pirated ... (RISKS-30.46)

Kelly Bert Manning <Kelly.Manning@ncf.ca>
Wed, 4 Oct 2017 17:08:14 -0400 (EDT)
Perhaps the real risk here is taking the claims of paid lobbyists seriously
without fact checking.

This brings to mind the scandal where the Conference Board of Canada,
supposedly an independent Research Group, presented 3 reports portraying
Canada as a top international hot bed of "file swapping". Those reports got
a lot of traction with news reporters and politicians, until a text
comparison showed them to contain masses of text copied in whole from press
releases of an industry group seeking draconian regulations about monitoring
personal internet activity. At least one of the paid Researchers whose name
appeared on the final version of a report asked the Conference Board to
remove his name from a report that no longer bore any resemblance to the one
he prepared.

http://www.michaelgeist.ca/2009/05/conference-board-ip-reports/

"The role of the Ontario government obviously raises questions about
taxpayer dollars being used to pay for a report that simply recycles the
language of a U.S. lobby group paper."

http://www.michaelgeist.ca/2009/05/conference-board-recalls-reports/

http://www.cbc.ca/news/technology/conference-board-report-on-copyright-draws-criticism-1.818091

I understand that Game of Thrones appeals to many people. Clearly it serves
a purpose of amusing them. For me George R. R. Martin's shtick of killing
off characters got old long ago, when I read stories such as "After the
Festival" in Analog magazine. I said exactly that when TELUS told me that
someone had accused me of illegally downloading an episode and watching it.
