The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 50

Wednesday 22 November 2017

Contents

Warning to Humanity
The Sun
Singapore MRT signaling fault injures 29
Straits Times via Richard M Stein
How Level 3's Tiny Error Shut Off the Internet for Parts of the US
HighTechForum
A major vulnerability has frozen Ethereum $ hundreds of millions
FlipBoard
$300M cryptocurrency "accidentally killed" after bad software patch
ParityTech
One Bitcoin Transaction Now Uses as Much Energy as Your House in a Week
Christopher Malmo
Cops raid German bloke's house after his Alexa music device held a party on its own—while he was out
Amazon Grace
Russia used 150,000 Twitter accounts to meddle in Brexit
BoingBoing
Facebook admits that Ruskies interfered with UK Brexit vote
Buzzfeed
Russian 'Proof' That the US Is Helping ISIS Is Actually From a Video Game
Gizmodo
Homeland Security team remotely hacked a Boeing 757
CSO
Facebook is asking users to upload nudes to stop revenge porn online
TechWorm
MINIX: Intel's in-chip operating system
ZDnet
USB Exploit Affects Nine Years of Intel Processors
ITProToday
Hacker Erases 30 Million Files From CA Transit System... Took Over Computers, Demanded Ransom
CBS
Eavesdropper Flaw Exposes Millions of Call Texts and Recordings
Hackread
Following Equifax breach, CEO doesn't know if data is encrypted
SearchSecurity
On the Equifax Breach
Bruce Schneier
Senators push to ditch Social Security numbers in light of Equifax hack
TechCrunch
Stuxnet-style code signing is more widespread than anyone thought
Dan Goodin
Pentagon's hacker disclosure program defangs 2,800 security flaws
Joe Uchill
Security Breach and Spilled Secrets Have Shaken the NSA to its Core
The New York Times
Uber drivers in Lagos are using a fake GPS app to inflate rider fares
QZ
Uber Paid Hackers to Delete Stolen Data on 57 Million People
Eric Newcomer
Jailbreaking your connected coffee machine: The idiocy of things
ZDnet
How Are ATMs Exploited? An Update on ATM Malware Methods
Security Intelligence
Remote Unauthenticated DoS in Debut embedded httpd server used by Brother printers
TrustWave
Verizon Asks the Federal Communications Commission to Prohibit States from Protecting User Privacy
EFF
CAST Research on the State of Software Security Reveals Riskiest Applications
GlobeNewsWire
Asus Zenfone 3 botched update
Dan Jacobson
Strings embedded in the web page
Dan Jacobson
Epson is Using its eBay "Trusted Status" to Make Competing Ink Sellers Vanish
EFF
Logitech to shut down service and support for Harmony Link devices in 2018
Ars Technica
Twitter officially expands its character count to 280 starting
Techcrunch via Gabe Goldberg
Re: Even lower chances of winning the lottery
Amos Shapir
Re: Taser Company Ignored SEC Emails ... In a Spam Folder
Mark Kramer
Re: Tasers, Preying on home buyers
Chris Drewe
Info on RISKS (comp.risks)

Warning to Humanity (The Sun)

geoff goodfellow <geoff@iconia.com>
Mon, 13 Nov 2017 18:48:05 -1000
  [Like the extant stock market, our Planet/Humanity/Society/Civilization is
  BADLY IN NEED of a "correction", er, "consolidation" (AND The Sooner The
  Better).]

https://www.thesun.co.uk/tech/4904635/15000-scientists-sign-warning-to-humanity-letter-detailing-the-grim-future-of-our-planet/

http://washingtonpost.com/news/speaking-of-science/wp/2017/11/13/thousands-of-scientists-issue-bleak-second-notice-to-humanity/


Singapore MRT signaling fault injures 29 (Straits Times)

Richard M STEIN <rmstein@ieee.org>
Thu, 16 Nov 2017 09:34:08 +0800
http://www.straitstimes.com/singapore/transport/signal-fault-to-blame-for-joo-koon-mrt-collision

"Sharing their preliminary findings yesterday, SMRT and LTA said the first
train departed Ulu Pandan depot with a software protection feature, but this
was 'inadvertently removed' when it passed a faulty signaling circuit."

One needs to ask Thales whether their release qualification process injects
arbitrary/random faults into their simulation environment to assess
problematic responses, especially to measure viability factor X (Safety),
which is used to evaluate behavior under fault conditions.

For public safety, stack procurement requires additional vigilance: inspect
the test plan, review test results for the deployed version, examine the
top-10 defect field escapes and their root cause analyses, and determine the
wall-clock time needed to complete qualification for each change. These
steps are unlikely to be pursued for simple consumer items, and are
generally above and beyond consumer comprehension. Hence the increasing
importance of a public service that vets stack publications and rates them
for compliance with a simple "readiness to publish" metric.

$ ~ V = V(B,F,R,M,I,P,S,T,X,U)

The software stack's or ecosystem's readiness to publish for business
purposes (primarily to capture and realize revenue) can be characterized as:

$ = Revenue or quantifiable utility
V = Viability (publication deployment fitness)
B = Business process (via SOPs & Process flows)
F = Function (via API, protocol, command line, database insert/select
    ops that enable business process fulfillment)
R = Reliability (continuous hours of operation w/o deadlock, crash, or
    data corruption)
M = Resource consumption (absence of memory and/or descriptor leak,
    temp disk)
I = Integration (processing of data sources/sinks, payload delivery,
    message passing)
P = Performance (x/hr or 99.99% successful content delivery, scaling
    under load, etc)
S = Standards compliance (EDI/B2B, FIX, HTTP, RFC, JSON, XML, ANSI/IEEE)
T = Trust (demonstrate a non-repudiated result; immune/hardened against
    surreptitious access or corruption, fuzz evaluation hard, OWASP.org at
    minimum)
X = Safety (behavior under fault conditions, fail-over consistent)
U = Usability (GUI navigation structure, initial brand exposure,
    intuitive usage, psychometrics, a/b test)

Selected viability attributes may not be applicable for a given software
stack or ecosystem under test.  Each viability attribute is measured by one
or more test suites designed exclusively for this purpose (minimal overlap).
Assign a "1" for each scoped attribute that passes, "0" for non-passing
coverage.  If viability is not achieved per the scoped viability factor
coverage, prioritized defect repair is essential, with release notes that
identify known issues, subject to the extent of the test coverage findings.
Ideal practice is to publicly disclose test results and known defects to
assist consumer buying decisions and pressure competition.
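
As an added illustration of the fault-injection step the post asks about
(this is example code written for this page, not anything from SMRT, LTA or
Thales): a toy track-circuit frame, a "fail-open" controller that lifts
protection on anything it cannot recognise as OCCUPIED, a "fail-safe"
controller that lifts it only on a verifiably CLEAR frame, and a harness that
feeds both random corrupted frames and counts how often protection is lifted
on a frame the integrity check rejected. The frame format, the one-byte check
and both controllers are assumptions made up for the model.

```python
"""Fault-injection harness for a fail-safe protection controller.

Constructed toy model for illustration only: not code from any SMRT/Thales
system. It shows what a qualification step that injects random faults can
measure for viability factor X (behaviour under fault conditions).
"""
import random

CLEAR, OCCUPIED = 0x01, 0x02
CHECK_KEY = 0xA5  # toy integrity byte; a real link would carry a CRC or MAC


def encode_frame(aspect: int) -> bytes:
    """Frame = aspect byte + integrity byte (aspect XOR CHECK_KEY)."""
    return bytes([aspect, aspect ^ CHECK_KEY])


def decode_frame(frame: bytes):
    """Return CLEAR or OCCUPIED for a well-formed frame, None for a faulty one."""
    if len(frame) != 2 or (frame[0] ^ CHECK_KEY) != frame[1]:
        return None
    return frame[0] if frame[0] in (CLEAR, OCCUPIED) else None


def controller_fail_open(protection_on: bool, frame: bytes) -> bool:
    """Controller that keeps protection on only for a valid OCCUPIED frame.
    A faulty frame therefore falls through to 'lift protection'."""
    return decode_frame(frame) == OCCUPIED


def controller_fail_safe(protection_on: bool, frame: bytes) -> bool:
    """Controller that lifts protection only on a verifiably CLEAR frame.
    OCCUPIED and every undecodable frame leave protection on."""
    return decode_frame(frame) != CLEAR


def inject_fault(frame: bytes, rng: random.Random) -> bytes:
    """Corrupt a frame the way a failing circuit or link might."""
    kind = rng.choice(("bitflip", "truncate", "drop", "garbage"))
    if kind == "bitflip":
        i = rng.randrange(len(frame))
        return frame[:i] + bytes([frame[i] ^ (1 << rng.randrange(8))]) + frame[i + 1:]
    if kind == "truncate":
        return frame[:1]
    if kind == "drop":
        return b""
    return bytes(rng.randrange(256) for _ in range(2))


def run_trial(controller, frames: int, fault_rate: float, seed: int) -> int:
    """Drive `controller` over a random track and return how many times it
    lifted protection on a frame the integrity check had rejected."""
    rng = random.Random(seed)
    protection_on = True
    unsafe_lifts = 0
    for _ in range(frames):
        frame = encode_frame(rng.choice((CLEAR, OCCUPIED)))
        if rng.random() < fault_rate:
            frame = inject_fault(frame, rng)
        protection_on = controller(protection_on, frame)
        if decode_frame(frame) is None and not protection_on:
            unsafe_lifts += 1
    return unsafe_lifts


def qualify(controller, trials: int = 20, frames: int = 500, fault_rate: float = 0.3) -> int:
    """Release-qualification check: total unsafe lifts across `trials` seeds.
    Zero is the only passing score for factor X."""
    return sum(run_trial(controller, frames, fault_rate, seed) for seed in range(trials))


if __name__ == "__main__":
    for name, ctl in (("fail-open", controller_fail_open), ("fail-safe", controller_fail_safe)):
        print(f"{name}: {qualify(ctl)} unsafe lifts under injected faults")
```

Running it prints a non-zero count for the fail-open controller and zero for
the fail-safe one; a qualification gate for factor X would treat anything
other than zero as a failed release.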


How Level 3's Tiny Error Shut Off the Internet for Parts of the US

geoff goodfellow <geoff@iconia.com>
Tue, 7 Nov 2017 16:48:39 -1000
http://hightechforum.org/level-3s-tiny-error-shut-off-internet-parts-us/


A major vulnerability has frozen Ethereum $ hundreds of millions

"Larry Werring" <lwerring@nrtco.net>
Tue, 7 Nov 2017 19:27:37 -0500
A vulnerability found within a popular wallet has frozen potentially
hundreds of millions of dollars of the cryptocurrency in a second setback
in recent months.

https://flipboard.com/@flipboard/-a-major-vulnerability-has-frozen-hundre/f-bca53f51bf%2Ftechcrunch.com

  [See also
    https://thehackernews.com/2017/11/parity-ethereum-wallet.html
  PGN]


$300M cryptocurrency "accidentally killed" after bad software patch

Steve Golson <sgolson@trilobyte.com>
Thu, 9 Nov 2017 16:23:53 -0500
https://paritytech.io/blog/security-alert.html

Following the fix for the original multi-sig vulnerability that had been
exploited on the 19th of July (function visibility), a new version of the
Parity Wallet library contract was deployed on the 20th of July.
Unfortunately, that code contained another vulnerability which was
undiscovered at the time.

And a newbie developer "accidentally" tripped over that vulnerability, and
erased *other* people's wallets.

More here:

https://cointelegraph.com/news/accidentally-killed-it-parity-grapples-with-280-mln-locked-eth

https://motherboard.vice.com/en_us/article/ywbqmg/parity-multi-signature-wallet-vulnerability-300-million-hard-fork

From that last link:

  When I reached devops199 [the newbie developer] for comment on the
  incident, they replied, "Sorry!  I'm really afraid now can't talk."

RISK 1: Are you sure that patch you are in a hurry to release doesn't
  contain some new flaw?

RISK 2: New technology has all sorts of unexpected failure modes.
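
A toy model of the failure modes in the linked Parity advisory, added here as
illustration; it is not Parity's Solidity code, and the contract, owner and
balance names are made up. Per that advisory, the July bug was an initWallet
callable by anyone on an existing wallet (the function-visibility problem);
the July 20 fix added an "only if uninitialised" guard; and the November
incident was that the shared library contract itself had never been
initialised, so the guard did not stop a caller from initialising the library
directly, becoming its owner and selfdestructing it, which left every wallet
delegating to it with no code. The model reduces delegatecall to "library
code runs against the caller's storage".

```python
"""Toy model of a multi-sig wallet delegating to a shared library contract.

Constructed for illustration: Python objects stand in for the EVM, and a
dict stands in for contract storage. Not Parity's code.
"""


class ContractDestroyed(Exception):
    """Raised when a call reaches a contract whose code has been selfdestructed."""


class WalletLibrary:
    """Shared wallet code. Every method receives the storage it runs against:
    a wallet's dict when reached through delegatecall, the library's own dict
    when someone calls the library contract directly."""

    def __init__(self, guard_init: bool, init_self: bool):
        self.guard_init = guard_init      # July 20 fix: init_wallet only on an uninitialised wallet
        self.own_storage = {"balance": 0}
        if init_self:                     # later fix: deployer initialises the library itself
            self.own_storage["owners"] = ["deployer"]

    def init_wallet(self, storage: dict, sender: str, owners: list) -> None:
        if self.guard_init and storage.get("owners"):
            raise PermissionError("already initialised")
        storage["owners"] = list(owners)  # without the guard, anyone can make themselves owner

    def execute(self, storage: dict, sender: str, to: str, value: int) -> str:
        if sender not in storage.get("owners", ()):
            raise PermissionError("not an owner")
        storage["balance"] -= value
        return f"sent {value} to {to}"

    def kill(self, storage: dict, sender: str, to: str) -> None:
        if sender not in storage.get("owners", ()):
            raise PermissionError("not an owner")
        storage["destroyed"] = True       # selfdestruct of whichever contract's storage this is

    def direct_call(self, method: str, sender: str, *args):
        if self.own_storage.get("destroyed"):
            raise ContractDestroyed("library has no code")
        return getattr(self, method)(self.own_storage, sender, *args)


class Wallet:
    """Thin contract: the constructor delegatecalls init_wallet, and every
    other call is forwarded to the library against the wallet's storage."""

    def __init__(self, library: WalletLibrary, owners: list, balance: int):
        self.library = library
        self.storage = {"balance": balance}
        library.init_wallet(self.storage, owners[0], owners)

    def call(self, method: str, sender: str, *args):
        # A selfdestructed library means there is no code left to delegate to.
        if self.storage.get("destroyed") or self.library.own_storage.get("destroyed"):
            raise ContractDestroyed("no code at target")
        return getattr(self.library, method)(self.storage, sender, *args)


def scenario(guard_init: bool, init_self: bool) -> str:
    """Deploy one library and one wallet, then let 'mallory' try both attacks."""
    lib = WalletLibrary(guard_init, init_self)
    wallet = Wallet(lib, owners=["alice", "bob"], balance=1_000)

    try:  # July: re-initialise somebody else's wallet and drain it
        wallet.call("init_wallet", "mallory", ["mallory"])
        wallet.call("execute", "mallory", "mallory", 1_000)
        return "wallet drained"
    except PermissionError:
        pass

    try:  # November: initialise the library itself, become its owner, kill it
        lib.direct_call("init_wallet", "mallory", ["mallory"])
        lib.direct_call("kill", "mallory", "mallory")
    except PermissionError:
        pass

    try:  # can a legitimate owner still use the wallet?
        wallet.call("execute", "alice", "bob", 1)
        return "safe"
    except ContractDestroyed:
        return "wallet bricked"


if __name__ == "__main__":
    print("unguarded init_wallet (July 19):", scenario(guard_init=False, init_self=False))
    print("guarded, library uninitialised: ", scenario(guard_init=True, init_self=False))
    print("guarded, library initialised:   ", scenario(guard_init=True, init_self=True))
```

The second scenario is the one devops199 hit: the patch closed the wallet
side of the hole while leaving the library contract in exactly the
"uninitialised" state the guard was written to permit.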


One Bitcoin Transaction Now Uses as Much Energy as Your House in a Week (Christopher Malmo)

Henry Baker <hbaker1@pipeline.com>
Mon, Nov 6, 2017 at 3:10 PM
  [From Cryptography, via Dave Farber, long item PGN-truncated]

Christopher Malmo, Motherboard, 1 Nov 2017
One Bitcoin Transaction Now Uses as Much Energy as Your House in a Week
Bitcoin's surge in price has sent its electricity consumption soaring.
https://motherboard.vice.com/en_us/article/ywbbpm/bitcoin-mining-electricity-consumption-ethereum-energy-climate-change

Bitcoin's incredible price run to break over $7,000 this year has sent its
overall electricity consumption soaring, as people worldwide bring more
energy-hungry computers online to mine the digital currency.

An index from cryptocurrency analyst Alex de Vries, aka Digiconomist,
estimates that with prices the way they are now, it would be profitable for
Bitcoin miners to burn through over 24 terawatt-hours of electricity
annually as they compete to solve increasingly difficult cryptographic
puzzles to "mine" more Bitcoins.  That's about as much as Nigeria, a country
of 186 million people, uses in a year.

This averages out to a shocking 215 kilowatt-hours (kWh) of juice used by
miners for each Bitcoin transaction (there are currently about 300,000
transactions per day).  Since the average American household consumes 901
kWh per month, each Bitcoin transfer represents enough energy to run a
comfortable house, and everything in it, for nearly a week.  On a larger
scale, De Vries' index shows that bitcoin miners worldwide could be using
enough electricity at any given time to power about 2.26 million American
homes.

Expressing Bitcoin's energy use on a per-transaction basis is a useful
abstraction.  Bitcoin uses x energy in total, and this energy
verifies/secures roughly 300k transactions per day.  So this measure shows
the value we get for all that electricity, since the verified transaction
(and our confidence in it) is ultimately the end product.

Since 2015, Bitcoin's electricity consumption has been very high compared to
conventional digital payment methods.  This is because the dollar price of
Bitcoin is directly proportional to the amount of electricity that can
profitably be used to mine it.  As the price rises, miners add more
computing power to chase new Bitcoins and transaction fees. [...]

... at a minimum, worldwide Bitcoin mining could power the daily needs of
821,940 average American homes.  Put another way, global Bitcoin mining
represents a minimum of 77 kWh of energy consumed per Bitcoin transaction.
Even as an unrealistic lower boundary, this figure is high: As senior
economist Teunis Brosens from Dutch bank ING wrote, it's enough to power his
own home in the Netherlands for nearly two weeks. [...]


Cops raid German bloke's house after his Alexa music device held a party on its own—while he was out (AMAZON GRACE)

geoff goodfellow <geoff@iconia.com>
Wed, 8 Nov 2017 17:17:44 -1000
Oliver Haberstroh's door was broken down by irate cops after neighbours
complained about deafening music blasting from inside his flat.
https://www.thesun.co.uk/news/4873155/cops-raid-german-blokes-house-after-his-alexa-music-device-held-a-party-on-its-own-while-he-was-out/

A German man has been left with a huge bill after his Amazon Echo tried to
organise a house party while he was away.

Hamburg cops were forced to break into Oliver Haberstroh's flat after
neighbours complained about deafening music blasting from inside—but
found the apartment empty after searching each room for someone to tell off.
Mr Haberstroh claims he walked out of his flat to meet a friend on Friday
night after checking that the lights and music were switched off.  He wrote
on Facebook: "While I was relaxed and enjoying a beer, Alexa managed on her
own, without command and without me using my mobile phone, to switch on at
full volume and have her own party in my apartment.  She decided to have it
at a very inconvenient time, between 1.50am and 3.00am.  My neighbours called
the police."

After knocking on the door, the officers called an expert to break the lock
open - and refused to hand over keys for the replacement until they'd been
paid for the locksmith.  A police spokesman said the source of the noise was
"a black jukebox which is usually activated by voice control".

It comes just weeks after a mischievous parrot used Alexa to order itself a
set of ten gift boxes while the owner was away. [...]


Russia used 150,000 Twitter accounts to meddle in Brexit

Lauren Weinstein <lauren@vortex.com>
Wed, 15 Nov 2017 09:27:55 -0800
via NNSquad
https://boingboing.net/2017/11/15/russia-used-150000-twitter-ac.html
  Russian Twitter accounts posted more than 45,000 messages about Brexit in
  48 hours during last year's referendum in an apparently co-ordinated
  attempt to sow discord, The Times can reveal.  More than 150,000 accounts
  based in Russia, which had previously confined their posts to subjects
  such as the Ukrainian conflict, switched attention to Brexit in the days
  leading up to last year's vote, according to research for an upcoming
  paper by data scientists at Swansea University and the University of
  California, Berkeley.


Facebook admits that Ruskies interfered with UK Brexit vote

Lauren Weinstein <lauren@vortex.com>
Tue, 14 Nov 2017 09:57:19 -0800
via NNSquad
Facebook Has Finally Opened The Door To Admitting Russia Meddled In Brexit
https://www.buzzfeed.com/markdistefano/facebook-has-finally-opened-the-door-to-admitting-russia?utm_term=.uarW57Empo#.uqg5V2ljro

Facebook has issued a carefully worded statement that appears to admit for
the first time that some Russia-linked accounts may have used the platform
to interfere in the EU referendum.


Russian 'Proof' That the US Is Helping ISIS Is Actually From a Video Game

Lauren Weinstein <lauren@vortex.com>
Tue, 14 Nov 2017 15:07:08 -0800
https://gizmodo.com/russian-proof-that-the-us-is-helping-isis-is-actually-f-1820446490

  Russia's Ministry of Defense released startling visual proof this morning
  that the United States military is assisting ISIS. The only problem with
  Russia's claims? The photographic "evidence" actually came from a video
  game.


Homeland Security team remotely hacked a Boeing 757

Gabe Goldberg <gabe@gabegold.com>
Thu, 16 Nov 2017 14:18:22 -0500
During a keynote address on Nov. 8 at the 2017 CyberSat Summit, a Department
of Homeland Security (DHS) official admitted that he and his team of experts
remotely hacked into a Boeing 757.

This hack was not conducted in a laboratory, but on a 757 parked at the
airport in Atlantic City, N.J. And the actual hack occurred over a year
ago. We are only now hearing about it thanks to a keynote delivered by
Robert Hickey, aviation program manager within the Cyber Security Division
of the DHS Science and Technology (S&T) Directorate.

"We got the airplane on Sept. 19, 2016.  Two days later, I was successful in
accomplishing a remote, non-cooperative, penetration," Hickey said in an
article in Avionics Today.  "[That] means I didn't have anybody touching the
airplane; I didn't have an insider threat.  I stood off using typical stuff
that could get through security, and we were able to establish a presence on
the systems of the aircraft."

While the details of the hack are classified, Hickey admitted that his team
of industry experts and academics pulled it off by accessing the 757's radio
frequency communications.

https://www.csoonline.com/article/3236721/security/homeland-security-team-remotely-hacked-a-boeing-757.html


Facebook is asking users to upload nudes to stop revenge porn online

Lauren Weinstein <lauren@vortex.com>
Tue, 7 Nov 2017 14:09:45 -0800
via NNSquad
https://www.techworm.net/2017/11/facebook-asking-users-upload-nudes-stop-revenge-porn-online.html

  Facebook is running a pilot program in Australia in collaboration with
  Office of the eSafety Commissioner that allows the users to use its
  Messenger service to send dirty images in question to themselves to "hash
  it" or create a digital fingerprint of the image. It also blocks the
  leaking out of private pictures, as it will allow the victim to take
  action before their pictures are uploaded or shared privately on Facebook,
  Instagram and Messenger. The technology will soon be tested across the UK,
  US and Canada.

[What could go wrong?] UH NO. OH SO VERY MUCH NO!


MINIX: Intel's in-chip operating system

Gabe Goldberg <gabe@gabegold.com>
Wed, 8 Nov 2017 10:46:33 -0500
Buried deep inside your computer's Intel chip is the MINIX operating system
and a software stack, which includes networking and a web server.  It's
slow, hard to get at, and insecure as insecure can be.

http://www.zdnet.com/article/minix-intels-hidden-in-chip-operating-system/


USB Exploit Affects Nine Years of Intel Processors

Gabe Goldberg <gabe@gabegold.com>
Thu, 16 Nov 2017 13:55:23 -0500
A security firm says that a USB exploit can be used to run unsigned code on
nearly all machines with Intel inside.

Uh-oh. More bad news about Intel's Management Engine, the chipmaker's
computer within a computer that runs on its own CPU and operating
system. Sysadmins use it to remotely control and configure networked
machines and it's been on about every CPU Intel has released since 2008.

http://www.itprotoday.com/security/usb-exploit-affects-nine-years-intel-processors


Hacker Erases 30 Million Files From CA Transit System... Took Over Computers, Demanded Ransom (CBS)

geoff goodfellow <geoff@iconia.com>
Tue, 21 Nov 2017 10:38:05 -1000
*Sacramento Regional Transit Systems Hit By Hacker*
http://sacramento.cbslocal.com/2017/11/20/sacramento-regional-transit-systems-hit-by-hacker/

SACRAMENTO (CBS13)—Sacramento Regional Transit is the one being taken for
a ride on this night, by a computer hacker.  That hacker forced RT to halt
its operating systems that take credit card payments, and assigns buses and
trains to their routes.  The local transit agency alerted federal agents
following an attack on their computers that riders may not have noticed
Monday.  "We actually had the hackers get into our system, and
systematically start erasing programs and data," said Deputy General Manager
Mark Lonergan.

Inside RT's headquarters, computer systems were taken down after the hacker
deleted 30 million files.  The hacker also demanded a ransom in bitcoin, and
left a message on the RT website reading "I'm sorry to modify the home
page, I'm good hacker, I just want to help you fix these vulnerability."


Eavesdropper Flaw Exposes Millions of Call Texts and Recordings (Hackread)

"Larry Werring" <lwerring@nrtco.net>
Tue, 14 Nov 2017 10:38:53 -0500
https://www.hackread.com/eavesdropper-flaw-exposes-millions-of-call-texts-and-recordings/


Following Equifax breach, CEO doesn't know if data is encrypted (SearchSecurity)

Gabe Goldberg <gabe@gabegold.com>
Fri, 10 Nov 2017 19:33:02 -0500
"Yes or no, does the data remain unencrypted at rest?"

"I don't know at this stage," Barros responded.

Gardner appeared stunned by Barros' answer and pointed out that a lack of
encryption was essentially what caused this massive Equifax breach.  Smith
attempted to make the situation better.

http://searchsecurity.techtarget.com/news/450429891/Following-Equifax-breach-CEO-doesnt-know-if-data-is-encrypted

The risk? Ninnies all the way to the top, as a manager of mine once
described the hierarchy above him. Too true then and apparently at Equifax.


On the Equifax Breach

Bruce Schneier <schneier@schneier.com>
Wed, 15 Nov 2017 02:36:23 -0600
  [Please read the entire testimony.  I've just excerpted the main points.
  PGN]

Bruce Schneier, CRYPTO-GRAM, November 15, 2017
schneier@schneier.com  https://www.schneier.com
https://www.schneier.com/crypto-gram.html

Last week, I testified before the House Energy and Commerce committee on the
Equifax hack. A link to the video is at the bottom of this section.  And you
can read my written testimony below.

Testimony and Statement for the Record of Bruce Schneier
Fellow and Lecturer, Belfer Center for Science and International Affairs,
Harvard Kennedy School
Fellow, Berkman Center for Internet and Society at Harvard Law School

Hearing on "Securing Consumers' Credit Data in the Age of Digital Commerce"

Before the Subcommittee on Digital Commerce and Consumer Protection
Committee on Energy and Commerce United States House of Representatives

1 November 2017
2125 Rayburn House Office Building
Washington, DC 20515

1. The Equifax breach was a serious security breach that puts millions of
   Americans at risk.

2. Equifax was solely at fault.

3. There are thousands of data brokers with similarly intimate information,
   similarly at risk. Equifax is more than a credit reporting agency. It's a
   data broker. It collects information about all of us, analyzes it all,
   and then sells those insights. It might be one of the biggest, but there
   are 2,500 to 4,000 other data brokers that are collecting, storing, and
   selling information about us—almost all of them companies you've never
   heard of and have no business relationship with.

4. These data brokers deliberately hide their actions, and make it difficult
   for consumers to learn about or control their data.

5. The existing regulatory structure is inadequate.

6. The market cannot fix this because we are not the customers of data
   brokers.

7. We need effective regulation of data brokers.

8. Resist complaints from the industry that this is "too hard."

9. This has foreign trade implications.

10. This has national security implications.

11. We need to do something about it.

Yes, this breach is a huge black eye and a temporary stock dip for Equifax
-- this month. Soon, another company will have suffered a massive data
breach and few will remember Equifax's problem. Does anyone remember last
year when Yahoo admitted that it exposed personal information of a billion
users in 2013 and another half billion in 2014?

Unless Congress acts to protect consumer information in the digital age,
these breaches will continue.

Hearing:
https://energycommerce.house.gov/hearings/securing-consumers-credit-data-age-digital-commerce

Video of the hearing:
https://www.youtube.com/watch?v=4_ydofXb7mU&feature=youtu.be

  [Lots of references omitted, some of which have already been in RISKS.
  PGN]


Senators push to ditch Social Security numbers in light of Equifax hack

Lauren Weinstein <lauren@vortex.com>
Thu, 9 Nov 2017 07:36:57 -0800
  [Worse than SSN!]

https://techcrunch.com/2017/11/08/are-social-security-numbers-going-away/

  Eyeing more secure alternatives to Social Security numbers, lawmakers in
  the U.S. are looking abroad. Today, the Senate Commerce Committee
  questioned former Yahoo CEO Marissa Mayer, Verizon chief privacy officer
  Karen Zacharia and both the current and former CEOs of Equifax on how to
  protect consumers against major data breaches. The consensus was that
  Social Security numbers have got to go.  Rounding out the panel, Entrust
  Datacard president and CEO Todd Wilkinson offered some context and insight
  about why the U.S. should indeed move away from Social Security numbers --
  a step that the witnesses unanimously agreed was necessary if not wholly
  sufficient to protect consumers moving forward, in light of the Equifax
  hack.

SSN is bad. This would be worse. Every proposed replacement moves us
directly into the realm of mandatory electronic national ID systems
and cards, which if implemented in our toxic political and law
enforcement environments will inevitably lead to tyranny. Yes, it is
technically *possible* to improve this system without moving in that
direction. But *we* will be incapable of doing it correctly and safely,
and our children will curse us in our graves.

  [Reportedly, the breach cost at least $87M.  PGN
  https://securityledger.wpengine.com/2017/11/equifax-says-breach-cost-87m/
  ]


Stuxnet-style code signing is more widespread than anyone thought (Dan Goodin)

Dewayne Hendricks <dewayne@warpspeed.com>
Sat, Nov 4, 2017 at 4:55 AM
Dan Goodin, Ars Technica, 3 Nov 2017
Stuxnet-style code signing is more widespread than anyone thought.
Forgeries undermine the trust millions of people place in digital
certificates.
<https://arstechnica.com/information-technology/2017/11/evasive-code-signed-malware-flourished-before-stuxnet-and-still-does/>

One of the breakthroughs of the Stuxnet worm that targeted Iran's nuclear
program was its use of legitimate digital certificates, which
cryptographically vouched for the trustworthiness of the software's
publisher.  Following its discovery in 2010, researchers went on to find the
technique was used in a handful of other malware samples both with ties to
nation-sponsored hackers and, later on, with ties to for-profit criminal
enterprises.

Now, researchers have presented proof that digitally signed malware is much
more common than previously believed. What's more, it predated Stuxnet,
with the first known instance occurring in 2003. The researchers said they
found 189 malware samples bearing valid digital signatures that were
created using compromised certificates issued by recognized certificate
authorities and used to sign legitimate software. In total, 109 of those
abused certificates remain valid. The researchers, who presented their
findings Wednesday at the ACM Conference on Computer and Communications
Security, found another 136 malware samples signed by legitimate CA-issued
certificates, although the signatures were malformed.

The results are significant because digitally signed software is often able
to bypass User Account Control and other Windows measures designed to
prevent malicious code from being installed. Forged signatures also
represent a significant breach of trust because certificates provide what's
supposed to be an unassailable assurance to end users that the software was
developed by the company named in the certificate and hasn't been modified
by anyone else. The forgeries also allow malware to evade antivirus
protections. Surprisingly, weaknesses in the majority of available AV
programs prevented them from detecting known malware that was digitally
signed even though the signatures weren't valid.

"Our results show that compromised certificates pose a bigger threat than
we previously believed, as it is not restricted to advanced threats and
that digitally signed malware was common in the wild before Stuxnet," Tudor
Dumitraș, one of three professors at the University of Maryland, College
Park, who performed the research, told Ars. "The findings also raise
important concerns about the security of the code signing ecosystem."

Bypassing AV on the cheap

An accompanying research paper, titled Certified Malware: Measuring Breaches
of Trust in the Windows Code-Signing PKI, found that even when a signature
isn't valid because it doesn't match the cryptographic hash of the file
being signed, at least 34 AV programs to some degree failed to identify the
easy-to-spot error. As a result, the AV programs often failed to detect
malware that was known to be malicious. The failure, the paper reported, is
the result of faulty implementations of Microsoft's Authenticode
specification.

To prove the point, the researchers downloaded five unsigned ransomware
samples that AV programs almost universally detected as malicious. The
researchers then took two expired certificates that previously had been used
to sign both legitimate software and malware and used the certificates to
sign each of the five ransomware samples. When analyzing the resulting 10
files, the AV programs to varying degrees failed to detect they were
malicious.  [...]
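
Added example, not code from the paper or from Microsoft's Authenticode
implementation: a stripped-down signed-file check showing the difference
between verifying the signature over the embedded digest and also
recomputing that digest from the file actually being scanned, which is the
step the paper says many AV implementations skipped. The signature primitive
is a stand-in (an HMAC under the signer's secret rather than an RSA/ECDSA
signature over a certificate chain); the certificates, the two files and the
"AV" content heuristic are constructed for the example.

```python
"""Signed-file verification with and without recomputing the file digest.

Constructed illustration: HMAC stands in for the signer's key pair, and the
files, certificates and scanner heuristic are made up.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    key: bytes         # stand-in for the signer's key pair (constructed)
    not_after: date
    trusted_ca: bool   # issued by a CA in the verifier's trust store


@dataclass(frozen=True)
class Signature:
    cert: Cert
    file_digest: bytes  # digest the signer embedded (Authenticode's signed attribute)
    value: bytes        # signature over file_digest, not over the file itself


def sign(cert: Cert, blob: bytes) -> Signature:
    digest = hashlib.sha256(blob).digest()
    return Signature(cert, digest, hmac.new(cert.key, digest, "sha256").digest())


def verify_lenient(sig: Optional[Signature], blob: bytes, today: date) -> str:
    """Models the faulty implementations the paper describes: chain, signature
    and validity period are checked, but the embedded digest is taken on trust
    and never compared with the bytes of the file being scanned."""
    if sig is None:
        return "unsigned"
    if not sig.cert.trusted_ca:
        return "untrusted-ca"
    expected = hmac.new(sig.cert.key, sig.file_digest, "sha256").digest()
    if not hmac.compare_digest(expected, sig.value):
        return "bad-signature"
    if today > sig.cert.not_after:
        return "expired"  # a trusted timestamp countersignature could extend this; none modelled
    return "ok"


def verify_strict(sig: Optional[Signature], blob: bytes, today: date) -> str:
    """The missing step: recompute the digest from the file on disk."""
    verdict = verify_lenient(sig, blob, today)
    if verdict != "ok":
        return verdict
    if not hmac.compare_digest(hashlib.sha256(blob).digest(), sig.file_digest):
        return "hash-mismatch"  # the paper's 'malformed' case: signature intact, file changed
    return "ok"


def looks_malicious(blob: bytes) -> bool:
    """Toy content scanner standing in for the AV engine's detection logic."""
    return b"ENCRYPT-ALL-FILES" in blob


def av_scan(sig: Optional[Signature], blob: bytes, today: date, verifier) -> str:
    """AV policy that trusts signed binaries: skip the content scan when the
    verifier says 'ok'. Which verifier is plugged in decides whether
    ransomware wearing a lifted signature slips through."""
    if verifier(sig, blob, today) == "ok":
        return "allowed (signed)"
    return "blocked (malware)" if looks_malicious(blob) else "allowed (scanned clean)"


# --- constructed samples -------------------------------------------------------
TODAY = date(2017, 11, 1)
VENDOR = Cert("Example Software Ltd", b"vendor-secret", date(2019, 1, 1), trusted_ca=True)
EXPIRED = Cert("Old Vendor Inc", b"old-secret", date(2015, 6, 30), trusted_ca=True)
LEGIT_EXE = b"MZ...legitimate installer bytes..."
RANSOMWARE = b"MZ...ENCRYPT-ALL-FILES..."
# Signature lifted from the legitimate file and stapled onto the ransomware:
# the signature still verifies, only the embedded digest no longer describes the file.
MALFORMED = sign(VENDOR, LEGIT_EXE)
EXPIRED_SIG = sign(EXPIRED, RANSOMWARE)


def run_cases(verifier) -> dict:
    return {
        "legit": av_scan(sign(VENDOR, LEGIT_EXE), LEGIT_EXE, TODAY, verifier),
        "unsigned": av_scan(None, RANSOMWARE, TODAY, verifier),
        "malformed": av_scan(MALFORMED, RANSOMWARE, TODAY, verifier),
        "expired": av_scan(EXPIRED_SIG, RANSOMWARE, TODAY, verifier),
    }


if __name__ == "__main__":
    for name, verifier in (("lenient", verify_lenient), ("strict", verify_strict)):
        print(name, run_cases(verifier))
```

The only case on which the two verifiers disagree is "malformed": a
signature that is cryptographically fine over a digest that no longer
describes the file. Whitelisting on "has a signature from a trusted CA"
without that last comparison is exactly the shortcut the paper measured.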


Pentagon's hacker disclosure program defangs 2,800 security flaws (Joe Uchill)

geoff goodfellow <geoff@iconia.com>
Fri, 10 Nov 2017 10:04:15 -1000
Joe Uchill, The Hill, 10 Nov 2017
http://thehill.com/policy/cybersecurity/359806-pentagons-coordinated-disclosure-program-defangs-2800-security-flaws

Nearly a year after a rule change allowed good Samaritan hackers to notify
the Department of Defense (DOD) about cybersecurity glitches that needed
fixing, the Pentagon has mitigated more than 2,800 security problems.

The Pentagon opened its vulnerability disclosure program on November 21,
2016, inviting anyone who came across a security flaw in one of its
public-facing websites to report it.

The program came on the heels of last year's "Hack the Pentagon" program,
which offered cash rewards for anyone who reported a valid security
problem. The vulnerability disclosure program offers no such incentives.

But even without incentives, the vulnerability disclosure program has netted
valuable information for the Defense Department. Nearly 650 hackers from
more than 50 countries have submitted security shortcomings to be repaired.

The DOD operates its disclosure program using the firm HackerOne, which
also ran the Hack the Pentagon program.

More than 100 of the bugs reported through the program were deemed of high
or critical severity, meaning they would allow changes to important data or
allow attackers to execute their own commands. [...]


Security Breach and Spilled Secrets Have Shaken the NSA to its Core

geoff goodfellow <geoff@iconia.com>
Sun, 12 Nov 2017 12:40:35 -1000
Scott Shane, Nicole Perlroth and David E. Sanger, *The New York Times*,
12 Nov 2017

A serial leak of the agency's cyberweapons has damaged morale, slowed
intelligence operations, and resulted in hacking attacks on businesses and
civilians worldwide.

https://www.nytimes.com/2017/11/12/us/nsa-shadow-brokers.html

  "Have hackers and leakers made secrecy obsolete?"

     [Well, the NSA still needs it.  So do we.  PGN]


Uber drivers in Lagos are using a fake GPS app to inflate rider fares (QZ)

Lauren Weinstein <lauren@vortex.com>
Mon, 13 Nov 2017 17:35:42 -0800
https://qz.com/1127853/uber-drivers-in-lagos-nigeria-use-fake-lockito-app-to-boost-fares/

  In some cases, inflated trips can cost riders more than double the rate
  they should be paying. "It's more like a parasite," says Mohammed, a
  driver for both Uber and Taxify in Lagos. "It sets the false GPS movement
  while allowing the phone also to keep track of its actual movement. The
  Uber app can't tell the difference between both so it just calculates
  both."  When a driver uses Lockito for an Uber trip he or she can have the
  fake GPS running (and calculating a fake fare) from the pickup point to
  the drop off location, before the passenger has even got into the
  car. When the real trip starts, the real GPS starts running and
  calculating the actual fare. But at the end of the journey the fares from
  both trips (real and fake) are tallied up as one fare which the
  unsuspecting rider pays.
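
An added illustration of the double-counting the driver describes (not
Uber's code, and nothing here is known about how the Uber app actually
merges location sources): a physical-plausibility pass over a GPS track that
flags fixes no car could have reached. The coordinates (a pickup in Lagos at
6.45N 3.40E and a drop-off 0.05 degrees east), the timings and the 50 m/s
ceiling are constructed for the example.

```python
"""Plausibility check over a rider's GPS track.

Constructed illustration of a spoofed track and the phone's real track
feeding one fare calculation. Not Uber's fare code.
"""
import math

MAX_SPEED_MPS = 50.0  # ~180 km/h; anything faster between two fixes is a teleport


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def analyze(track):
    """track: list of (t_seconds, lat, lon) in any order. Returns the distance a
    naive 'sum everything' fare would bill, the distance over physically
    plausible segments only, and fraud indicators."""
    fixes = sorted(track)
    naive = plausible = 0.0
    teleports = zero_dt = 0
    for (t0, la0, lo0), (t1, la1, lo1) in zip(fixes, fixes[1:]):
        d = haversine_m(la0, lo0, la1, lo1)
        naive += d                     # what "just calculate both" yields
        dt = t1 - t0
        if dt <= 0:
            zero_dt += 1               # two providers reporting at the same instant
            continue
        if d / dt > MAX_SPEED_MPS:
            teleports += 1             # real phone and spoofed position alternating
            continue
        plausible += d
    return {
        "naive_m": naive,
        "plausible_m": plausible,
        "teleports": teleports,
        "zero_dt": zero_dt,
        "suspicious": teleports > 0 or zero_dt > 0,
    }


# --- constructed tracks --------------------------------------------------------
PICKUP = (6.4500, 3.4000)
DROPOFF = (6.4500, 3.4500)


def leg(t_start, t_end, start, end, step=30):
    """Fixes moving at constant speed from start to end, one every `step` seconds."""
    n = (t_end - t_start) // step
    return [
        (t_start + i * step,
         start[0] + (end[0] - start[0]) * i / n,
         start[1] + (end[1] - start[1]) * i / n)
        for i in range(n + 1)
    ]


def honest_track():
    """Driver takes the rider from pickup to drop-off in ten minutes."""
    return leg(0, 600, PICKUP, DROPOFF)


def merged_track():
    """Lockito-style: the spoofed trip runs from t=0 while the phone is still
    sitting at the pickup (real fixes offset by 15 s), then the real trip
    begins at t=615."""
    fake = leg(0, 600, PICKUP, DROPOFF)
    waiting = [(t + 15, PICKUP[0], PICKUP[1]) for t in range(0, 600, 30)]
    real = leg(615, 1215, PICKUP, DROPOFF)
    return fake + waiting + real


if __name__ == "__main__":
    for name, tr in (("honest", honest_track()), ("merged", merged_track())):
        print(name, analyze(tr))
```

The speed filter alone does not remove the first few spoofed hops near the
pickup, where the fake and real positions are still within plausible reach
of each other, so the useful output is the "suspicious" flag and the gap
between the two distances for review, not a corrected fare.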


Uber Paid Hackers to Delete Stolen Data on 57 Million People

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 21 Nov 2017 16:31:46 PST
Eric Newcomer, Bloomberg, 21 Nov 2017

 * Company paid hackers $100,000 to delete info, keep quiet
 * Chief Security Officer Joe Sullivan and another exec ousted

Hackers stole the personal data of 57 million customers and drivers from
Uber Technologies Inc., a massive breach that the company concealed for more
than a year. This week, the ride-hailing firm ousted its chief security
officer and one of his deputies for their roles in keeping the hack under
wraps, which included a $100,000 payment to the attackers.

Compromised data from the October 2016 attack included names, email
addresses and phone numbers of 50 million Uber riders around the world, the
company told Bloomberg on Tuesday. The personal information of about 7
million drivers was accessed as well, including some 600,000 U.S. drivers'
license numbers. No Social Security numbers, credit card information, trip
location details or other data were taken, Uber said.

https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data


Jailbreaking your connected coffee machine: The idiocy of things

Gabe Goldberg <gabe@gabegold.com>
Fri, 10 Nov 2017 18:29:10 -0500
How many more of these IoT devices that use DRM technology to validate the
use of proprietary refills do we have to endure?

http://www.zdnet.com/article/jailbreaking-your-coffee-machine-the-idiocy-of-things/

The risk? Besides those noted in the article, extraneous complexity leading to
fragility, frustration, and failure.


How Are ATMs Exploited? An Update on ATM Malware Methods (Security Intelligence)

Gabe Goldberg <gabe@gabegold.com>
Thu, 16 Nov 2017 14:07:16 -0500
How simple life was three years ago when we last wrote about ATM
malware. Back then, security researchers classified ATM attacks into two
broad categories: ones that used skimming hardware devices attached to the
outside of card readers, and ones that used various techniques to open ATMs'
cabinets and cash drawers. The skimmers were crude but effective in
collecting credit and debit card numbers from customers.  The latter methods
exploited vulnerabilities created by the ATMs' outdated operating systems
(OS) and their functionality. In one case, some criminals blew up the ATMs
themselves, as The Daily Mirror reported. Crude, but certainly effective.

https://securityintelligence.com/how-are-atms-exploited-an-update-on-atm-malware-methods/


Remote Unauthenticated DoS in Debut embedded httpd server used by Brother printers

Gabe Goldberg <gabe@gabegold.com>
Thu, 16 Nov 2017 16:47:11 -0500
Trustwave SpiderLabs Security Advisory TWSL2017-017:
Remote Unauthenticated DoS in Debut embedded httpd server used by
Brother printers

Published: 11/02/2017
Version: 1.0

Vendor: Brother (http://www.brother-usa.com)
Product: Debut embedded httpd
Version affected: <= 1.20

Product description:
Brother printers are network connected consumer and business
multi-function printers. These printers utilize the Debut embedded httpd
server to host their web interfaces.

Finding 1: Remote unauthenticated denial of service
Credit: z00n (@0xz00n) of Trustwave
CVE: CVE-2017-16249

The Debut embedded http server contains a remotely exploitable denial of
service where a single malformed HTTP request can cause the server to
hang until eventually replying with an HTTP 500 error.  While the
server is hung, print jobs over the network are blocked and the web
interface is inaccessible. An attacker can continuously send this
malformed request to keep the device inaccessible to legitimate traffic.

https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-017/?fid=10211

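The advisory does not publish the malformed request, and the example below deliberately does not try to reproduce it. What it adds (this is not code from Trustwave or Brother) is the check an operator wants once a device like this sits on the network: a benign `GET` with a hard timeout that distinguishes a healthy web interface from one that is hung, which is the externally visible symptom the advisory describes. The stub servers are constructed stand-ins for the printer so the script runs offline; the host, port and timeout values are assumptions.

```python
import socket
import threading
import time


def probe_http(host: str, port: int, timeout: float = 3.0, path: str = "/") -> tuple:
    """Send a benign GET and report how the server behaves within `timeout`.

    Returns ("ok", status_line) when a status line arrives in time,
    ("timeout", seconds_waited) when the connection is accepted but never
    answered, ("refused", msg) or ("error", msg) otherwise.
    """
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    started = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(request)
            line = b""
            while not line.endswith(b"\r\n") and len(line) < 256:
                chunk = s.recv(1)
                if not chunk:
                    break
                line += chunk
            return ("ok", line.decode(errors="replace").strip())
    except socket.timeout:
        return ("timeout", round(time.monotonic() - started, 2))
    except ConnectionRefusedError as exc:
        return ("refused", str(exc))
    except OSError as exc:
        return ("error", str(exc))


def start_stub(mode: str) -> int:
    """Constructed stand-in for the printer's embedded httpd; returns its port.

    mode="ok" answers every request; mode="hang" accepts the connection and
    never replies, mimicking a server stuck on a malformed request.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []                       # hung connections are kept open, never answered

    def serve():
        while True:
            conn, _ = srv.accept()
            if mode == "ok":
                conn.recv(4096)
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
                conn.close()
            else:
                held.append(conn)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    healthy = start_stub("ok")
    hung = start_stub("hang")
    print("healthy device:", probe_http("127.0.0.1", healthy, timeout=2))
    print("hung device:   ", probe_http("127.0.0.1", hung, timeout=2))
```

Run from a monitoring host against the printer's real address on a schedule, a string of `timeout` results is the signal that someone is exercising the flaw (or that the device has wedged on its own), and the same probe confirms that a firmware update actually restored service. Keep the interval generous: an embedded httpd with a single worker will serialise the probe behind any legitimate request, so an aggressive monitor can itself produce the symptom it is looking for.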

Verizon Asks the Federal Communications Commission to Prohibit States from Protecting User Privacy

Gabe Goldberg <gabe@gabegold.com>
Sat, 11 Nov 2017 18:56:53 -0500
After lobbying Congress to repeal consumer privacy protections over ISPs,
Verizon wants the Federal Communications Commission (FCC) to do it a favor
and preempt states from restoring their privacy rights. While Congress
repealed the previous FCC's privacy rule, it left the underlying Section 222
intact. As a result, dozens of state bills were then introduced to restore
broadband privacy, mirroring Section 222 of the Communications Act.

https://www.eff.org/deeplinks/2017/11/verizon-asks-federal-communications-commission-prohibit-states-protecting-user

  Long item, and unless I missed it here, no argument quoted from Verizon
  WHY this should be done—just claiming that FCC can do it. Maybe there's
  implication that protecting privacy would (implausibly) impede something
  good... broadband rollout, kittens and rainbows, etc.


CAST Research on the State of Software Security Reveals Riskiest Applications (GlobeNewsWire)

Gabe Goldberg <gabe@gabegold.com>
Thu, 16 Nov 2017 16:49:17 -0500
NEW YORK, Nov. 13, 2017 (GLOBE NEWSWIRE)—CAST, the leader in software
intelligence, today announced the findings from its global benchmarking
report on the state of software security. The CRASH Report on Application
Security reveals software that is vulnerable to exploit based on an
application's Common Weakness Enumeration (CWE) density. CWE is a
community-developed list of common software security weaknesses that serves
as a baseline for identification, mitigation and prevention efforts.

https://globenewswire.com/news-release/2017/11/13/1185210/0/en/CAST-Research-on-the-State-of-Software-Security-Reveals-Riskiest-Applications.html

Sigh; I always discount self-designated "...the leader..." references.


Asus Zenfone 3 botched update

Dan Jacobson <jidanni@jidanni.org>
Thu, 16 Nov 2017 00:47:29 +0800
It was a lazy autumn day that fateful afternoon when my Asus Zenfone 3
beeped and told me another occasional FOTA update was ready, "Estimated
time: 10 minutes." I pushed "accept."

Then the reboot ... loading ... reboot ... loading cycles began.  (I don't
remember the exact words. It was a month ago and I only now have regained my
composure to write about it.)  Holding down the power button forever didn't
help, and one cannot just take out the battery anymore. It was my first
cellphone mid-life crisis.

Normally geographically astute me got on the wrong bus but at least in the
right direction, got off at this big river on the map that was easy to
follow no matter what mental state, and finally made it to the Asus Royal
Service Center or whatever it is called, in Taichung, TW.

I agreed they could wipe everything off my phone and indeed they fixed
it. Yes it was still under warranty and no I didn't "root" it.

Moral of story: from now on I will only check for updates when I am nearby
their service center and not expecting any important calls, etc.

(I see the version it happened with,
https://www.asus.com/zentalk/forum.php?mod=viewthread&tid=184831
was not recalled, meaning the problem only affected me.)


Strings embedded in the web page

Dan Jacobson <jidanni@jidanni.org>
Sun, 12 Nov 2017 14:41:51 +0800
I was fooling around one day in the lab when,

$ wget https://www.couchsurfing.com/ -O - | perl -MJSON ...

Host Feature Test
[Dashboard] - Does different messaging on the side-bar verification CTA improve verification rates?
[Dashboard] - Showcase Video Content for Host Conversion
[Dashboard] - Verification Upsell Placement (new_user=true)
[Dashoard] Verification Upsell Placement
[Hangouts] - Can we improve app downloads by making "text me link" more prominent?
[Host Search] - Do people send more requests when we remove empty profiles from search?
[Landing Page] - Can we increase sign-ups when we change the header image?
[Mobile Web] - Improve "install app" CTA (Android)
[Mobile Web] - Improve "install app" CTA (IOS)
[New User Dashboard] - Showcase Video Content
[New User Experience]: Send half of new users to their local city page
[Profile] Introduction Modal Changes
[Rate Limiting] - Can we increase the conversion rate of RL upsell with clearer language?
[Rate Limiting] - Does changing our rate limiting modal increase conversion?
[Verification Confirmation Page] - Will member buys travel insurance post-purchase?
[Verification Page] - Can we increase the conversion rate by reducing content for mobile web users?
[Verification Page] - Can we increase the conversion rate of RL upsell with clearer language?
[Verification Page] - Can we increase the conversion rate with copy edits?
[Verification Page] - Do female members convert better when we change the header image?
[Verification Page] - Do male members convert better when we change the header image?
[Verification Page] - Do we reduce refunds by being more transparent about pricing?
[Verification Page] - Does different messaging of verification better resonate with members?
[Verification Page] - Does different order and content layout affect conversion rate?
[Verification Page] - Does more focus on finding hosts faster improve verification rates?
[Verification Page] - Does shorter content convert better on mobile?

I will tell staff to ask the programming team if they really want these
embedded in web page.

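Pulling internal experiment names out of a page, as above, is the same job a reviewer does before shipping: inline scripts routinely carry a serialised state object, and anything inside it is public. As an added example (not code from Couchsurfing or from the poster's `wget | perl -MJSON` pipeline), the following Python collects inline `<script>` bodies, decodes every JSON object or array assigned in them, and lists the string values that look like experiment labels. The sample HTML, the `[Bracketed]` naming convention and the function names are constructed for the illustration.

```python
import json
import re
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Gathers the text of every inline <script> element."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


# `something = {` or `something = [`: the start of a serialised state blob.
_ASSIGNMENT = re.compile(r"=\s*(?=[\[{])")
_DECODER = json.JSONDecoder()


def _strings_in(node):
    """Yield every string value nested anywhere inside a decoded JSON value."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings_in(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings_in(value)


def embedded_strings(html: str) -> list:
    """All string values found in JSON blobs assigned inside inline scripts."""
    parser = _ScriptCollector()
    parser.feed(html)
    found = []
    for script in parser.scripts:
        for match in _ASSIGNMENT.finditer(script):
            try:
                # raw_decode handles nested braces correctly, unlike a regex.
                blob, _ = _DECODER.raw_decode(script, match.end())
            except ValueError:
                continue
            found.extend(_strings_in(blob))
    return found


_EXPERIMENT_LABEL = re.compile(r"^\[[^\]]+\]")   # assumed convention: "[Area] - question"


def leaked_experiments(html: str) -> list:
    """Sorted, de-duplicated experiment labels exposed in the page source."""
    return sorted({s for s in embedded_strings(html) if _EXPERIMENT_LABEL.match(s)})


# Constructed sample page; the labels are invented in the style of the listing above.
SAMPLE_HTML = """<html><head>
<script>window.__INITIAL_STATE__ = {"user": {"id": 42, "name": "visitor"},
 "experiments": [
   {"name": "[Verification Page] - Can we increase the conversion rate with copy edits?", "bucket": "b"},
   {"name": "[Rate Limiting] - Does changing our rate limiting modal increase conversion?", "bucket": "a"}],
 "flags": {"showVideo": true}};</script>
<script src="/app.js"></script>
</head><body><p>[Not JSON] body text is not part of any script blob</p></body></html>"""


if __name__ == "__main__":
    for label in leaked_experiments(SAMPLE_HTML):
        print(label)
```

Point `embedded_strings` at a saved copy of a page (or at a fetched response body) and grep the result for internal hostnames, ticket numbers and feature names as well as experiment labels; what the programming team considers an implementation detail is, once serialised into the page, part of the product's public surface.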

Epson is Using its eBay "Trusted Status" to Make Competing Ink Sellers Vanish

Gabe Goldberg <gabe@gabegold.com>
Sat, 11 Nov 2017 18:58:24 -0500
It's been just over a year since HP got caught using dirty tricks to force
its customers to use its official, high-priced ink, and now it's Epson's
turn to get in on the act.

Epson claims that ink-cartridges that are compatible with its printers
violate a nonspecific patent or patents in nonspecific ways, and on the
strength of those vague assertions, they have convinced eBay to remove many
third-party ink sellers' products, without any scrutiny by eBay.

That's because Epson is part of eBay's VeRO program, through which trusted
vendors can have listings removed without anyone checking to see whether
they have a valid claim, contrary to eBay's normal procedure. As the company
has said in another context, "eBay believes that removing listings based on
allegations of infringement would be unfair to buyers and the accused
sellers."

https://www.eff.org/deeplinks/2017/10/epson-using-its-ebay-trusted-status-make-competing-ink-sellers-vanish


Logitech to shut down service and support for Harmony Link devices in 2018

Gabe Goldberg <gabe@gabegold.com>
Wed, 8 Nov 2017 15:29:27 -0500
Essentially bricking the otherwise functional smart remote devices.

Logitech customers are not happy, as they recently found out that the
company would be discontinuing service for its popular Harmony Link remote
system. The device and its cloud-based system allow users to control home
theater and sound equipment from a mobile app. Customers received an e-mail
explaining that Logitech will "discontinue service and support" for the
Harmony Link as of March 16, 2018, adding that Harmony Link devices "will no
longer function after this date."

While Logitech is offering a one-time, 35-percent discount on its Harmony
Hub to affected customers that are out of warranty, that's not enough for
Harmony Link users who are expressing their dissatisfaction on Logitech
support forums and Reddit. Users have not experienced major problems with
the Harmony Link system that would indicate they are approaching end of
life. Harmony Link customers do not pay a subscription or service fee to use
the device, either.

The only reason provided comes from a Logitech employee with the username
Logi_WillWong, who explains in a response post from September 8, 2017 that
Logitech will not be renewing a "technology certificate license" that
expires in March. No details were provided about how this certificate
license allows the Harmony Link to function, but it appears that without it,
those devices will not work as promised. "The certificate will not be
renewed as we are focusing resources on our current app-based remote, the
Harmony Hub," Logi_WillWong added, which seems to indicate that the shutting
down of the Harmony Link system is a way to get more customers on the newer
Harmony Hub system.

https://arstechnica.com/gadgets/2017/11/logitech-to-shut-down-service-and-support-for-harmony-link-devices-in-2018/

The risk? Maybe technology economics, since "Harmony Link customers do not
pay a subscription or service fee to use the device, either."


Twitter officially expands its character count to 280 starting

Gabe Goldberg <gabe@gabegold.com>
Wed, 8 Nov 2017 15:25:55 -0500
Twitter's expansion to 280 characters is rolling out publicly today to all
users in supported languages, including English. The company had first
announced the controversial plan to move beyond its traditional 140
characters back in September, noting at the time how a longer character
count allowed users to express more of their thoughts without running out of
room to tweet.

https://techcrunch.com/2017/11/07/twitter-officially-expands-its-character-count-to-280-starting-today/

The risk? People mistaking this for news?


Re: Even lower chances of winning the lottery (RISKS-30.49)

Amos Shapir <amos083@gmail.com>
Thu, 9 Nov 2017 17:36:19 +0200
> Although the normal odds of winning the lottery are near-zero, reducing
> them to actual zero is a (microscopically small) RISK.
>   [microscopic? Not if anyone who actually had the winning combination
>   tried to sue the state—and won!]

The way I understand the bug, it allows anyone to buy tickets that cannot
have a winning combination, so this situation could never happen; they could
sue for the $2 they paid for the ticket, though...

  [I wouldn't bet on it!  PGN]


Re: Taser Company Ignored SEC Emails ... In a Spam Folder

Mark Kramer <c28f62@theworld.com>
Wed, 8 Nov 2017 17:19:32 -0500
Lauren Weinstein <lauren@vortex.com> wrote:

      The fundamental problem with spam folders, of course, is that they
      tend to be ignored by recipients,

This is a symptom. The fundamental problem is that people assume that email
is a reliable communications medium.

There are simply too many, often vigilante, email systems and anti-spam
techniques to ever again believe that sending an email is equivalent to
someone getting it. Often, these systems are employed by the ISPs who don't
let you opt out and don't tell you that you were opted in, and don't tell
you when the rules change. And even more often the senders are never
notified that their email was accepted for delivery and then discarded, so
they don't know it didn't get through.

The failure here is on the SEC, which thinks that legal notices or requests
are valid when sent by email instead of registered letter.


Re: Tasers, Preying on home buyers (RISKS-30.49)

Chris Drewe <e767pmk@yahoo.co.uk>
Thu, 09 Nov 2017 21:13:42 +0000
> Taser Company Ignored SEC Emails Because They Were In a Spam Folder

I use Yahoo! e-mail with POP3/SMTP and a mail application, with no spam
filter as I only receive a few messages each day, so easy to filter
manually; I often go for days without receiving any 'proper' messages, and
as another poster here once said, at least the spam gives confidence that
the system is working OK.  Early this year I suddenly stopped getting any
messages at all, which worried me, so I tried the web access and found that
there is now a spam folder, while 'proper' messages still get through as
usual.  There doesn't seem to be an option for 'download ALL messages', so I
have to periodically use the web access (quite a rigmarole, especially if
2-factor authentication is requested), with the problems described above.
(One reason for using a mail application is that I read incoming messages
off-line, thus senders don't get an indication that they've been read, as
well as reducing the chances of downloading something nasty.)  Ironically, I
had very few spam messages until I started posting to RISKS, which is the
only place where my e-mail address is (intentionally) shown in public...
:o)

> Hackers prey on home buyers, with hundreds of millions of dollars at
> stake (WashPo)

Reportedly this is becoming a problem in the UK—fraudulently getting
people to pay into the wrong account, typically when houses change hands.
Just before the transaction is completed, a fraudster manages to send an
e-mail purportedly from the seller to the buyer or the solicitor handling
the sale, notifying a (fictitious) change of the seller's bank details.  The
money is sent off, then later it's not appeared in the seller's account, and
on checking with the bank, it's found to have gone to the fraudster's
account which has since been emptied and closed—this is known as "Friday
afternoon fraud", because house sales are usually completed on a Friday, and
banks' anti-fraud departments are closed over the weekend so it's well into
next week before an investigation gets under way, by which time the
fraudster has well and truly gone.  (Obviously it can happen whenever large
payments are made on a one-off basis; for instance, when building work has
been done, a fraudster notifies the customer of a fake change of the
builder's bank details so the bill payment is made to the fraudster.)  The
banks are blamed for this but respond that they're only acting on customers'
instructions.
