The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 54

Saturday 10 February 2018

Contents

Dutch agencies provide crucial intel about Russia's interference in US-elections
volkskrant
DHS exec: Russians penetrated US voter registrations in 2016
NBC
German shock at car exhaust tests on humans and monkeys
bbc.com
"Ten Monkeys and a Bettle: Inside Rigged Diesel Test"
NYTimes
How a single line of computer code put 75,000 innocent Turks in jail
Kelly Bert Manning
Triton Malware Details Show the Dangers of Industrial System Sabotage
WiReD
FBI vs crypto-sanity?
PGN
Waze navigation app sends US driver into lake
The Times of Israel
Eyesight Technologies Will Watch You Drive, and That's a Good Thing
IEEE Spectrum
Self-Driving Cars Have a Secret Weapon: Remote Control
WiReD
Facebook AI spam detector lacks autoreview
Dan Jacobson
Why cops won't need a warrant to pull the data off your autonomous car
Gabe Goldberg
WHATIS Going to Happen With WHOIS?
Motherboard
"How Strava's "anonymized" fitness tracking data spilled government secrets"
Jack Whittaker via Gabe Goldberg
Personal Trackers expose Aggregated Personal and Group Data
Bob Gezelter
"Disney faces privacy complaint over children's apps"
Corinne Reichert
IoT fun—Don't Rely on Your Smart Speaker as Your Only Alarm Clock
Lifehacker
More Than Half of Adult Americans Were Victims of Cybercrime in 2017
TRK via Gabe Goldberg
ICE can now track anyone's car in almost real-time
Think Progress
Terrorists Could Use Teslas to Kill Us
The Weekly Standard
A motorcyclist is suing GM after crashing into its self-driving car
PopSci
robots.txt vs. noindex
Google via Dan Jacobson
"3 leaked NSA exploits work on all Windows versions since Windows 2000"
CSO Online
'Jackpotting' hackers steal over $1 million from ATMs across U.S.
Amos Shapir
Feds drop hammer on massive "carder" ring that caused $530 million in losses
Ars Technica
Blockchain Stocks Collapse by 40% to 90%
Wolfstreet
Bitcoin price manipulation
Charley Kline
Coincheck Says It Lost Crypto Coins Valued at About $400M
Bloomberg
Bitcoin payments used to unmask dark web users
Naked Security
Bitcoin: Dumb Crypto Criminal Botches Kidnapping
Fortune
As Bitcoin Bubble Loses Air, Frauds and Flaws Rise to Surface
NYTimes
Russian nuclear scientists arrested for 'Bitcoin mining plot'
BBC
Crooks Created 28 Fake Ad Agencies to Disguise Massive Malvertising Campaign
Catalin Cimpanu
The Fake-Follower Factory
NYTimes
British Teen Accessed U.S. Middle East Intelligence Ops by Pretending to be CIA Director
Newsweek
Bug Bounty Programs Are Paying Off for Hackers, HackerOne Finds
EWeek
Want to see all data Windows 10 sends Microsoft? There's an app for that
Ars Technica
"Can AI predict when that new hire will quit?"
Terena Bell
First, We Kill All the Lawsuits
Henry Baker
"In spite of military assurances, autonomous weapon research speeds ahead"
Greg Nichols
Ford Patents Autonomous Robocop Police Car That Can Give Out Tickets
Tech Times
British 15-year-old gained intelligence info
The Telegraph
Majority of employees in US unaware of GDPR mandate
DXC
Enter all identifying numbers as single text string without formatting
Dan Jacobson
Exclusive: Mattis seeking to ban cell phones from Pentagon
CNNPolitics
Re: Vehicle Satellite Navigation
Drewe
RISKS-30.53
Not knowing Twitter credentials delayed Hawai'i "all clear"
Lauren Weinstein
HI-EMA 'button pusher' refusing to cooperate with FCC
Star Advertiser
Re: Hawaiian False Missile Alert Command Confirmation Bias Strikes Again
Henry Baker
Re: "LA-Tokyo flight turns back after passenger 'boards with wrong
John Levine
Re: Five copyright claims against youtube video of white noise
John Levine
Info on RISKS (comp.risks)

Dutch agencies provide crucial intel about Russia's interference in US-elections (volkskrant)

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 27 Jan 2018 12:59:26 PST
Hackers from the Dutch intelligence service AIVD have provided the FBI
with crucial information about Russian interference with the American
elections. For years, AIVD had access to the infamous Russian hacker
group Cozy Bear. That's what de Volkskrant and Nieuwsuur have uncovered
in their investigation.

https://www.volkskrant.nl/tech/dutch-agencies-provide-crucial-intel-about-russia-s-interference

[Googling the subject line also gets you to the Volkskrant article.  Volks
is people in Dutch, so Volkskrant might be The People's Voice or something
like that.]


DHS exec: Russians penetrated US voter registrations in 2016 (NBC)

Richard Forno <rforno@infowarrior.org>
February 7, 2018 at 5:20:16 PM EST
Cynthia McFadden, William M. Arkin and Kevin Monahan, NBC News, 7 Feb 2018,

The U.S. official in charge of protecting American elections from hacking
says the Russians successfully penetrated the voter registration rolls of
several U.S. states prior to the 2016 presidential election.

In an exclusive interview with NBC News, Jeanette Manfra, the head of
cybersecurity at the Department of Homeland Security, said she couldn't talk
about classified information publicly, but in 2016, "We saw a targeting of
21 states and an exceptionally small number of them were actually
successfully penetrated."

Jeh Johnson, who was DHS secretary during the Russian intrusions, said,
"2016 was a wake-up call and now it's incumbent upon states and the Feds to
do something about it before our democracy is attacked again."

"We were able to determine that the scanning and probing of voter
registration databases was coming from the Russian government."

NBC News reported in Sept. 2016 that more than 20 states had been targeted
by the Russians.

There is no evidence that any of the registration rolls were altered in any
fashion, according to U.S. officials.

https://www.nbcnews.com/politics/elections/eric-holder-leads-democrats-war-gerrymandering-n845576


German shock at car exhaust tests on humans and monkeys (bbc.com)

Richard M Stein <rmstein@ieee.org>
Tue, 30 Jan 2018 12:40:50 +0800
http://www.bbc.com/news/world-europe-42858668
  also reported here
https://www.nytimes.com/2018/01/25/world/europe/volkswagen-diesel-emissions-monkeys.html and elsewhere.

The European Research Group on Environment and Health in the Transport
Sector (EUGT), with automaker funding, performed these tests.

>From the BBC article:

    "Were the tests unethical?"

    'The German government thinks so. VW apologised and Daimler said
    "the EUGT's approach contradicts our values and ethical
    principles."'

    "In the end, the EUGT, which was disbanded in 2017, concluded that
    no health effects could be detected. Diesel emits more particulate
    soot than regular gasoline, as well as pollutants such as nitrogen
    dioxide and nitrogen oxides that in the short term, the EPA says,
    can lead to respiratory ailments and exacerbate asthma. 

Industry sponsored research is fine when full disclosure of all
findings are presented, especially those affecting public health and
safety. Often, negative results (or outliers; tail events) are
suppressed to accentuate the positive. Industry-sponsored research
findings from pharmaceuticals, implantable devices, etc. are prime
examples. Takata airbag ignition shrapnel is another. A mighty long
list in this space.

Transportation systems appear as a ripe target for unethical research
practices. Given a historically low air transport fatality rate,
certain organizations might be tempted to "push the envelop" on reduced
qualification efforts to save funds, and justify their effort using one
or more academic studies that sponsor confirmation bias or bury risks.
Another nail in the coffin of public trust.


"Ten Monkeys and a Bettle: Inside Rigged Diesel Test" (NYTimes)

Richard M Stein <rmstein@ieee.org>
Fri, 26 Jan 2018 12:43:10 +0800
(The New York Times)

https://www.nytimes.com/2018/01/25/world/europe/volkswagen-diesel-emissions-monkeys.html

A revealing story of corporate control fraud, industry-sponsored
research, and regulatory capture. Another case of "Profit Without
Honor" (see https://www.amazon.com/Profit-Without-Honor-Looting-America

This digest documents the willful exploitation of problem solving talent,
and a timorous inclination to challenge corporate governance decisions to
build and sell products that weaken public health, safety, and privacy.
Bravery and resilience are rare characteristics practiced by ethical
professionals who denounce fraud. How many IEEE or PMI members actively
abide by the code of conduct these organizations promote? IEEE Code of
Ethics (https://www.ieee.org/about/corporate/governance/p7-8.html
IEEE Code of Ethics for Project Managers
http://www.pmi.org/learning/library/project-managers-code-of-ethics-10343

Legions of professionals apparently treat their codes of ethics with
impunity: impotent declarations, not honorable guides to defend and
practice for public safety, health or privacy benefit. The accelerating
incidence and damage accrued from technologically-enabled, defective
products testifies to this abdication of duty dishonoring professionals
on a global scale.


How a single line of computer code put 75,000 innocent Turks in jail

Kelly Bert Manning <Kelly.Manning@ncf.ca>
Mon, 22 Jan 2018 14:33:28 -0500 (EST)
Every so often I encounter someone who says that their life is an open book,
and that anyone who is concerned about Panoptic government surveillance or
uses encrypted messaging must have something to hide.

My short response is often to express sympathy for them having such boring
lives.

Now we have a real world example of a NATO government persecuting 75,000
innocents as part of a Witch Hunt.

Many thousands of innocent Turks were pursued by their government after
viewing webpages that had a 1x1 1 pixel link to Bylock.net.

Other consequences included loss of jobs and suicidal depression.

  'Beşikçi said it was due to a single line of code, which
  created a window "one pixel high, one pixel wide"—essentially invisible
  to the human eye—to Bylock.net.'

http://www.cbc.ca/news/world/terrifying-how-a-single-line-of-computer-code-put-thousands-of-innocent-turks-in-jail-1.4495021?cmp=rss
https://www.theguardian.com/world/2017/sep/11/turks-detained-encrypted-bylock-messaging-app-human-rights-breached
http://beta.latimes.com/world/europe/la-fg-turkey-purge-crackdown-snap-story.html
https://thehackernews.com/2017/09/turkish-coup-bylock-messenger.html

"ByLock was one of the many encrypted messaging apps available to download
for free on Apple's App Store and Google's Play Store and was downloaded
over 600,000 times between April 2014 and April 2016, according to a report
by British computer forensics expert, Thomas K. Moore."

Sometimes what you download or view for free on the Internet is worth every
penny you paid for it. In other cases it has a negative value, compromising
your device or tainting you with false associations.


Triton Malware Details Show the Dangers of Industrial System Sabotage (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Fri, 19 Jan 2018 18:12:05 -0500
A recent digital attack on the control systems of an industrial plant has
renewed concerns about the threat hacking poses to critical infrastructure.
And while security researchers offered some analysis last month of the
malware used in the attack, called Triton or Trisis, newly revealed details
of how it works expose just how vulnerable industrial plants--and their
failsafe mechanisms--could be to manipulation.

https://www.wired.com/story/triton-malware-dangers-industrial-system-sabotage/

...interesting dueling malware vs. detection.


FBI vs crypto-sanity?

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 25 Jan 2018 9:26:40 PST
1. Senator Demands FBI Director Explain His Encryption Backdoor Bull...
   U.S. Senator Ron Wyden is calling out the director of the FBI for pushing
   the moronic notion that there is somehow a good way to add backdoors to
   encryption used to protect devices like Apple's iPhone.
https://gizmodo.com/senator-demands-fbi-director-explain-his-encryption-bac-1822400040

2. Strong encryption is vital to our future in tech (The Hill)
http://thehill.com/opinion/cybersecurity/370574-strong-encryption-is-vital-to-our-future-in-tech


Waze navigation app sends US driver into lake (The Times of Israel)

Gabe Goldberg <gabe@gabegold.com>
Thu, 25 Jan 2018 13:37:44 -0500
Jeep in Vermont directed onto boat ramp and onto ice-covered Lake Champlain,
where it eventually sinks; driver and passengers unharmed.
https://www.timesofisrael.com/waze-sends-us-driver-into-lake/

Google, the Internet giant that bought Waze from the Israeli firm that
developed it, could not explain how the app directed the driver into the
lake.  Waze maps are updated with millions of edits to adapt to real time
road conditions daily, often making them the most accurate available,
Google spokesperson Julie Mossler told *USA Today*.

Mossler sagely advised drivers to keep their eyes on the road and use all
environmental information available to them to make the best decisions as
they drive.

GPS needs the useful Hill Street Blues exhortation, "Let's be careful out
there".


Eyesight Technologies Will Watch You Drive, and That's a Good Thing (IEEE Spectrum)

Gabe Goldberg <gabe@gabegold.com>
Thu, 1 Feb 2018 20:28:42 -0500
https://spectrum.ieee.org/cars-that-think/transportation/self-driving/eyesight-will-watch-you-drive-and-thats-a-good-thing

The risk? My car thinks it knows what I'm thinking.


Self-Driving Cars Have a Secret Weapon: Remote Control (WiReD

Gabe Goldberg <gabe@gabegold.com>
Thu, 1 Feb 2018 20:34:46 -0500
Usually we don't do this during rush hour, says Ben Shukman. He's driving a
Lincoln MKZ sedan, trying to exit a gas station driveway and cross four
lanes of traffic so he can make a left at the light 20 yards ahead. It's 5pm
in Palo Alto, and Silicon Valley commuters are crawling home, leaving few
gaps between the cars. Finally, the car in the closest lane stops, leaving a
space for him. The car in the next lane over does too. Shukman slides in and
makes the left.

Good job, Ben, says Shai Magzimof, giving a wave of thanks to those gracious
humans. He's sitting in the driver's seat, while, in a garage miles away,
Shukman controls the Lincoln from the kind of setup you'd find in the
bedroom of a too-serious fan of racing video games. And he's showing off the
type of remote-control capability that every major player in the nascent
world of robotic driving will end up relying on (at least for now) in some
form or other.

https://www.wired.com/story/phantom-teleops/

The risk? Outsourcing and offshoring remote control to third-world call
centers.


Facebook AI spam detector lacks autoreview

Dan Jacobson <jidanni@jidanni.org>
Fri, 26 Jan 2018 11:30:15 +0800
11:16:00 We removed this post because it looks like spam to us. If you
did post this and don't believe it's spam, you can let us know.

11:16:10 Thanks for letting us know about this post. We'll try to take
another look to check if it goes against our Community Standards and
send you a message here in your Support Inbox if we have an update.

11:16:11 Thanks again for letting us know about this post. We took
another look and found it doesn't go against our Community Standards, so
we've restored your post. We're sorry for the trouble and appreciate you
taking the time to get in touch with us so that we could correct this.

11:16:12 How was this experience?

Bad.

11:16:13 What went wrong? How could it be better?

Why not have the AI program autoreview it itself? Then it wouldn't even
need to bother the user.


Why cops won't need a warrant to pull the data off your autonomous car

Gabe Goldberg <gabe@gabegold.com>
Sun, 4 Feb 2018 12:57:47 -0500
I've been saying for ages. Even beyond the remote control capabilities that
law enforcement and governments will demand, the video and other data
collected by robocars are already making law enforcement salivate. It's not
just Waymo that doesn't like talking about these aspects of robocars. Nobody
in the industry wants the public thinking about these aspects.


WHATIS Going to Happen With WHOIS? (Motherboard)

Lauren Weinstein <lauren@vortex.com>
Sat, 3 Feb 2018 11:07:25 -0800
via NNSquad
https://motherboard.vice.com/en_us/article/vbpgga/whois-gdpr-europe-icann-registrar

  In May, the European Union's General Data Protection Regulation (GDPR)
  will officially go into effect. The GDPR is ostensibly a law to protect
  the privacy of European citizens when it comes to how Internet
  megacorporations like Google and Facebook handle their data. But the
  privacy regulations also come with some secondary effects whose influence
  extends far beyond the borders of the EU and ironically may actually serve
  to undermine the security of Internet users, rather than protect them.

This situation is total bull. You want a domain name? You should be publicly
and fully identified, unless you can present some compelling case of why
doing so would be dangerous to you. Otherwise, it should be like a business
license or other public record. I'm tired of spammers, phishers, and other
goddamned crooks hiding under the hypocrisy of "privacy"—and the EU is
now complicit in those crimes.


"How Strava's "anonymized" fitness tracking data spilled government secrets" (Jack Whittaker)

Gene Wirchenko <genew@telus.net>
Tue, 30 Jan 2018 13:00:48 -0800
Jack Whittaker for Zero Day, 29 Jan 2018
http://www.zdnet.com/article/strava-anonymized-fitness-tracking-data-government-opsec/
How Strava's "anonymized" fitness tracking data spilled government secrets
Analysis: Strava may "anonymize" the user, but that isn't helpful when that
user inadvertently reveals the location of sensitive government facilities.

opening text:

Remember when you said you have "nothing to hide?"

It turns out you do. If it's not an affair you're hiding from your spouse,
it's your highly classified place of work that's now painted in precise
detail on a map for anyone to see.

That's exactly what happened when Strava, a widely used app for tracking
activity and exercise, released an "anonymized" heatmap of all its global
data in November. The map only came to light this weekend after Australian
student Nathan Ruser started digging into the data.  With over 3 trillion
coordinates at the street level from over 27 million fitness device users,
like Fitbit and Jawbone, the GPS tracking company mapped out its aggregated
data over the past two years of activity to reveal some of the most visited
areas.  Predictably, high population areas—like most of the US and Europe
-- are brightly lit up.

That same data also illuminated a scattering of little-known locations in
war zones, where US secret facilities and military bases have operations and
personnel—presumably because soldiers and staff are unknowingly uploading
their fitness tracking data to Strava.

The news has prompted US-led coalition forces to reevaluate their use of
fitness trackers, amid fears that enemy forces could use the data to locate
troops on the ground, according to a statement obtained by the Washington
Post.


Personal Trackers expose Aggregated Personal and Group Data

Bob Gezelter <gezelter@rlgsc.com>
Mon, 29 Jan 2018 05:28:00 -0700
Several years ago, I took note in my blog (article at
http://www.rlgsc.com/blog/ruminations/micro-blogging-and-personal-information.html of the potential security hazards of micro-blogging details about one's
life. MSN and the Washington Post have reported that the use of personal
trackers by military personnel is disclosing information about their
presence and life patterns, including information about sensitive
locations.

This is a serious security hazard, and not just for military personnel.
Detailed information about life patterns is of use to a wide range of
actors, more than a few of which are not friends.

The report has appeared on MSN at:
https://www.msn.com/en-au/news/world/us-soldiers-are-revealing-sensitive-and-dangerous-information-by-jogging/ar-BBImwt5

The Washington Post published a similar article.


"Disney faces privacy complaint over children's apps" (Corinne Reichert)

Gene Wirchenko <genew@telus.net>
Wed, 07 Feb 2018 09:26:32 -0800
Corinne Reichert, ZDnet, 10 Aug 2017
http://www.zdnet.com/article/disney-faces-privacy-complaint-over-childrens-apps/

The class-action complaint alleges Disney's smartphone game apps have been
collecting personally identifiable information about young users without the
consent of their parents for the purpose of targeted advertising.

opening text:

A United States class action complaint against the Walt Disney Company has
alleged that it is collecting personally identifying information via a
series of children's smartphone apps "for future commercial exploitation" in
contravention of the Children's Online Privacy Protection Act (COPPA).


IoT fun—Don't Rely on Your Smart Speaker as Your Only Alarm Clock (Lifehacker)

Gabe Goldberg <gabe@gabegold.com>
Mon, 22 Jan 2018 20:44:24 -0500
https://lifehacker.com/dont-rely-on-your-smart-speaker-as-your-only-alarm-cloc-1822238074

Alarm clock relying on network connectivity—what could go wrong? Who
cares, let's connect everything...


More Than Half of Adult Americans Were Victims of Cybercrime in 2017 (TRK)

Gabe Goldberg <gabe@gabegold.com>
Tue, 23 Jan 2018 14:59:48 -0500
Mountain View CA.  More than half the U.S. adult population was a victim of
cybercrime last year, according to a new study by *Norton*.  All told, 143
million Americans lost a total of $19.4 billion , as well as an average of
19.8 hours dealing with the aftermath. Globally, cybercrime victims tended
to use the same password across multiple accounts or share it with
others. What's more, 39% of victims said they gained trust in their ability
to protect their data and personal information from future attacks, and 33%
believed they had a low risk of becoming a cybercrime victim.  Despite a
steady stream of cybercrime sprees reported by media, too many people appear
to feel invincible and skip taking even basic precautions to protect
themselves, said *Fran Rosch*, the executive vice president of Symantec's
consumer business unit.  This disconnect highlights the need for consumer
digital safety and the urgency for consumers to get back to basics when it
comes to doing their part to prevent cybercrime. Forty-six percent of U.S.
cybercrime victims owned a smart device for streaming content, compared with
about one quarter of non-victims. They were also three times as likely to
own a connected home device.

<http://trk.cp20.com/click/m8rxu-dcnhra-7fgw0x85/>
<http://trk.cp20.com/click/m8rxu-dcnhrb-7fgw0x86/> (Full report)

*Fuzzy numbers, fuzzy math? I didn't read full report, but buried in last
graf:*

How We Define Cybercrime

The definition of cybercrime continues to evolve as avenues open up that
allow cybercriminals to target consumers in new ways. Each year, we will
evaluate current cybercrime trends and update the report's methodology as
needed, to ensure the Norton Cyber Security Insights Report provides an
accurate snapshot of the impact of cybercrime as it stands today. In the
2017 Norton Cyber Security Insights Report, a cybercrime is defined as, but
not limited to, a number of specific actions, including identity theft,
credit card fraud or having your account password compromised.  For the
purposes of this report, a cybercrime victim is a survey respondent who
confirmed one or more of these incidents took place.  Visit
https://www.symantec.com/about/newsroom/press-kits to learn more.

  ...which doesn't say what sort of account password had to be compromised
  to be a cybercrime. I've been alerted that some accounts were likely
  compromised but since they were inconsequential and didn't share passwords
  with anything else, I needed and took no corrective action. So I might be
  counted as a victim, I didn't spend a second—let alone the alleged 19.8
  hours—doing repairs. And summary doesn't explain how they reached
  conclusion of $172B losses.  **


ICE can now track anyone's car in almost real-time (Think Progress)

Gabe Goldberg <gabe@gabegold.com>
Fri, 26 Jan 2018 15:11:22 -0500
The system raises serious questions about civil liberties, not just for
undocumented immigrants but for all Americans.

https://thinkprogress.org/license-plate-tracking-ice-system-bd76f18f676e/


Terrorists Could Use Teslas to Kill Us (The Weekly Standard)

Gabe Goldberg <gabe@gabegold.com>
Tue, 23 Jan 2018 18:05:21 -0500
Long, interesting.

http://www.weeklystandard.com/terrorists-could-use-teslas-to-kill-us/article/2011171

  Scariest I heard on this topic was at an industry meeting, automotive
  manufacturers happily looking forward to pushing software updates/patches
  overnight to parked cars. I asked whether they'd ever had a bad PC patch
  cause problems. Yes, but...


A motorcyclist is suing GM after crashing into its self-driving car (PopSci)

Amos Shapir <amos083@gmail.com>
Thu, 1 Feb 2018 10:03:50 +0200
https://www.popsci.com/self-driving-car-crashes-blame-game

Again, a self-driving car gets into a situation any human driver could (and
should) deal with without causing an accident.

The automaton was following all the rules, and it seems that in this case
the motorcyclist was a bit out of line; this may satisfy the lawyers, but
engineers should be expected to build systems which work in the real world.

The bottom line is: Are we really sure automatic cars are already able to be
let out on the road on their own?


robots.txt vs. noindex (Google)

Dan Jacobson <jidanni@jidanni.org>
Thu, 01 Feb 2018 10:26:42 +0800
https://support.google.com/webmasters/answer/93710

"Important! For the noindex meta tag to be effective, the page must not
be blocked by a robots.txt file. If the page is blocked by a robots.txt
file, the crawler will never see the noindex tag, and the page can still
appear in search results, for example if other pages link to it."

  I wonder what an analogy in human terms might be.

  "If you put a Do Not Disturb sign on your door, you still have to leave it
  open so I can ask you if I can disturb you." Something like that.


"3 leaked NSA exploits work on all Windows versions since Windows 2000" (CSO Online)

Gene Wirchenko <genew@telus.net>
Wed, 07 Feb 2018 09:09:58 -0800
https://www.csoonline.com/article/3253247/security/3-leaked-nsa-exploits-work-on-all-windows-versions-since-windows-2000.html

Ms. Smith [pseudonym], CSO,  5 Feb 2018
The EternalSynergy, EternalRomance, and EternalChampion exploits have been
reworked to work on all vulnerable Windows versions: Windows 2000—Server
2016.

[selected text]

Oh, good, three NSA exploits previously leaked by The Shadow Brokers have
been tweaked so they now work on all vulnerable Windows 2000 through Server
2016 targets, as well as standard and workstation counterparts.

The reworked NSA exploits work on all unpatched versions, 32-bit and 64-bit
architectures, of Windows since 2000. Dillon included this list of supported
versions of Windows that can be exploited: [snipped list of 43 items]


'Jackpotting' hackers steal over $1 million from ATMs across U.S. (Reuters)

Amos Shapir <amos083@gmail.com>
Tue, 30 Jan 2018 18:42:15 +0200
https://www.reuters.com/article/us-usa-cyber-atm/jackpotting-hackers-steal-over-1-million-from-atms-across-u-s-secret-service-id

I'm not sure this is real and/or current; they mention that many ATM's
still run Windows XP, and the Secret Service recommends to *upgrade *to
Windows 7!


Feds drop hammer on massive "carder" ring that caused $530 million in losses (Ars Technica)

Monty Solomon <monty@roscom.com>
Thu, 8 Feb 2018 10:17:47 -0500
Infraud is the biggest online fraud enterprise ever prosecuted by US
prosecutors.

https://arstechnica.com/information-technology/2018/02/feds-drop-hammer-on-massive-carder-ring-that-caused-530-million-in-losses/


Blockchain Stocks Collapse by 40% to 90% (Wolfstreet)

Richard Forno <rforno@infowarrior.org>
January 25, 2018 at 7:43:06 PM EST
The music is slowing down on this stock manipulation scam....

https://wolfstreet.com/2018/01/25/the-40-to-90-collapse-of-blockchain-stocks/


Bitcoin price manipulation (TechCrunch)

Charley Kline <csk@mail.com>
Thu, Jan 25, 2018 at 12:46 PM
Researchers find that one person likely drove Bitcoin from $150 to $1,000.
https://techcrunch.com/2018/01/15/researchers-finds-that-one-person-likely-drove-bitcoin-from-150-to-1000/

Researchers Neil Gandal, JT Hamrick, Tyler Moore, and Tali Oberman have
written a fascinating paper on Bitcoin price manipulation. Entitled Price
Manipulation in the Bitcoin Ecosystem, and appearing in the recent issue of
the Journal of Monetary Economics the paper describes to what degree the
Bitcoin ecosystem is controlled by bad actors.

See also:

http://www.tetherreport.com/

* Author's opinion - it is highly unlikely that Tether is growing
through any organic business process, rather that they are printing in
response to market conditions.
* Tether printing moves the market appreciably; 48.8% of BTC's price
rise in the period studied occurred in the two-hour periods following
the arrival of 91 different Tether grants to the Bitfinex wallet.
* Bitfinex withdrawal/deposit statistics are unusual and would give rise
to further scrutiny in a typical accounting environment.
* If there is questionable activity, the author believes a 30-80%
reduction in BTC price could be forecast.

PS - Tether printed another $100M yesterday, adding to this record:

https://twitter.com/Silver_Watchdog/status/955327588284612608

"Tether Net Annual Issuance

2014 $100
2015 $951,550
2016 $9,000,000
2017 $1,405,047,515
2018 $750,000,000"

PPS - Nicholas Weaver tweets:
https://twitter.com/ncweaver/status/954033664601473026

"At current prices, net new Bitcoin requires $18M of net new $ flowing
in to maintain the price. Yet there is a net $100M/day of fake $s in the
form of Tethers... If that Tether printing press ever breaks, there will
be a true bloodbath on the cryptocurrency prices. Good."

Nouriel Roubini responds:
https://twitter.com/Nouriel/status/956482056254455809

"Indeed Tether/USDT used to manipulate Bitcoin prices. Without this scam
Bitcoin price would collapse by 80%. Regulators asleep at the wheel
while $2 billion of fake $ created via this scam, half of it since
December. Not even North Korea created so many fake $ backed by nothing"


Coincheck Says It Lost Crypto Coins Valued at About $400M (Bloomberg)

Lauren Weinstein <lauren@vortex.com>
Sat, 27 Jan 2018 12:44:51 -0800
Via NNSquad
https://www.bloomberg.com/news/articles/2018-01-26/cryptocurrencies-drop-after-japanese-exchange-halts-withdrawals

  The disclosure that one of Japan's biggest cryptocurrency exchanges lost
  about $400 million in NEM tokens is spooking investors in a country still
  wary of such venues four years after the collapse of Mt. Gox.


Bitcoin payments used to unmask dark web users (Naked Security)

Gabe Goldberg <gabe@gabegold.com>
Thu, 1 Feb 2018 20:20:37 -0500
Researchers have discovered a way of identifying those who bought or sold
goods on the dark web, by forensically connecting them to Bitcoin
transactions.

https://nakedsecurity.sophos.com/2018/01/31/bitcoin-payments-used-to-unmask-dark-web-users/

Mmmm, tasty data.


Bitcoin: Dumb Crypto Criminal Botches Kidnapping (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Sat, 3 Feb 2018 12:15:58 -0500
It was a high tech caper, involving a fake Uber and a $1.8 million digital
currency heist, but it was old-fashioned stupidity that led Louis Meza to
get caught. Meza not only bungled a kidnapping but made a major mistake that
helped cops recover the loot.

http://fortune.com/2018/02/01/bitcoin-kidnapping-cryptocurrenccy/

Risks? Bragging about assets. Letting a "business associate" insistently
arrange your travel. Being an idiot crook (high-tech version of writing bank
robbery note on your own deposit slip).


As Bitcoin Bubble Loses Air, Frauds and Flaws Rise to Surface (NYTimes)

Monty Solomon <monty@roscom.com>
Wed, 7 Feb 2018 23:01:01 -0500
https://www.nytimes.com/2018/02/05/technology/virtual-currency-regulation.html

Hackers draining online exchanges. Ponzi schemes. Regulators unable to keep
up with heightened interest in virtual currencies. A young industry's
problems have become clearer in recent weeks.


Russian nuclear scientists arrested for 'Bitcoin mining plot' (BBC)

Li Gong <li.gong@sri.com>
Fri, 9 Feb 2018 23:27:07 +0000
http://www.bbc.com/news/world-europe-43003740


Crooks Created 28 Fake Ad Agencies to Disguise Massive Malvertising Campaign (Catalin Cimpanu)

Lauren Weinstein <lauren@vortex.com>
Fri, 26 Jan 2018 17:34:03 -0800
Catalin Cimpanu, Bleeping Computer, 26 Jan 2018
https://www.bleepingcomputer.com/news/security/crooks-created-28-fake-ad-agencies-to-disguise-massive-malvertising-campaign/

  A group of cyber-criminals created 28 fake ad agencies and bought over 1
  billion ad views in 2017, which they used to deliver malicious ads that
  redirected unsuspecting users to tech support scams or sneaky pages
  peddling malware-laden software updates or software installers.  The
  entire operation --codenamed Zirconium-- appears to have started in
  February 2017, when the group started creating the fake ad agencies which
  later bought ad views from larger ad platforms.


The Fake-Follower Factory (NYTimes)

Lauren Weinstein <lauren@vortex.com>
Sat, 27 Jan 2018 11:39:40 -0800
via NNSquad
https://www.nytimes.com/interactive/2018/01/27/technology/social-media-bots.html

  Celebrities, athletes, pundits and politicians are buying millions of fake
  followers.


British Teen Accessed U.S. Middle East Intelligence Ops by Pretending to be CIA Director (Newsweek)

Lauren Weinstein <lauren@vortex.com>
Sat, 27 Jan 2018 10:52:09 -0800
via NNSquad

http://www.newsweek.com/british-teen-accessed-top-secret-us-middle-east-ops-pretending-be-cia-director-786031

  A British teenager managed to obtain access to sensitive U.S.  plans about
  intelligence operations in different Middle East countries by acting as
  former CIA Director John Brennan, a court heard on Friday.  Kane Gamble,
  18, researched Brennan and used the information he gathered to speak to an
  Internet company and persuade call handlers to give him access to the spy
  chief's email inbox in 2015.  He pretended to be both a Verizon employee
  and Brennan to access Brennan's Internet account.

    [Also spotted by Gabe Goldberg.  PGN]


Bug Bounty Programs Are Paying Off for Hackers, HackerOne Finds (EWeek)

Gabe Goldberg <gabe@gabegold.com>
Fri, 26 Jan 2018 12:40:53 -0500
http://www.eweek.com/security/bug-bounty-hackers-make-more-money-than-average-salaries-report-finds

The risk? Material like this presented as annoying slide shows people won't
bother reading.


Want to see all data Windows 10 sends Microsoft? There's an app for that (Ars Technica)

Gabe Goldberg <gabe@gabegold.com>
Fri, 26 Jan 2018 15:09:30 -0500
Following the publication last year of the data collected by Windows 10's
built-in telemetry and diagnostic tracking, Microsoft today announced that
the next major Windows 10 update, due around March or April, will support a
new app, the Windows Diagnostic Data Viewer, that will allow Windows users
to browse and inspect the data that the system has collected.

Windows 10 has two settings for its data collection, "basic" and "full."
The documentation last year described all the data collected in the "basic"
setting but only gave a broad outline of the kinds of things that the "full"
setting collected. The new app will show users precisely what the full
setting entails and a comparison with what would be sent with the basic
setting.

https://arstechnica.com/gadgets/2018/01/want-to-see-all-data-windows-10-sends-microsoft-theres-an-app-for-that/


"Can AI predict when that new hire will quit?" (Terena Bell)

Gene Wirchenko <genew@telus.net>
Wed, 24 Jan 2018 14:27:20 -0800
Terena Bell, CIA.COM
https://www.cio.com/article/3249746/hiring-and-staffing/can-ai-predict-when-that-new-hire-will-quit.html
New pattern matching tech takes aim at predicting how long new hires will
stay, potentially saving employers billions per year. But has AI really
cracked the code on employee retention?

CIO, 24 Jan 2018

interesting quote:

Polli says, "Maybe 50 years ago, jobs were more similar across different
companies. Potentially, the world was less complex. But I think nowadays
there's just so much variability in what someone would call any given role
that I think it's hard to just say, 'Oh, look for these three things and
you're all set.'"

But looking for key traits is exactly what her company does. When this
reporter took Pymetrics' tests, I scored high in "risk preference for high
risks," "risk preference for low risks," and "planning speed." My results
listed these as negative traits for an entrepreneur, predicting I only had a
6 percent chance of making it as one for more than a year: I'm a two-time
tech founder who sold her first company for a multiple of revenue after
running it nine years.  And speaking as a tech founder, these so-called
negative traits helped me do my job.

  I can see all too easily questionable models being used in hiring.  I
  already see questionnaires when applying for some jobs that have many
  ambiguous questions and when I have asked, I have been told to fill it out
  the best I can.  Turning AI loose in the area has the potential to be much
  worse.


First, We Kill All the Lawsuits

Henry Baker <hbaker1@pipeline.com>
Thu, 18 Jan 2018 15:02:48 -0800
"First, we kill all the lawsuits."
-- Apologies to W. Shakespeare

States—including California—are falling all over one another to lead
the country in boosting autonomous vehicles, perhaps to prove that they
welcome investments in building factories.

But the first order of business—other than obtaining financial subsidies
-- seems to be securing "safe harbors" against "frivolous" lawsuits that
might arise out of unpleasantness caused by less-than-optimal autonomous
vehicle behaviors.

Now I'm not a big fan of class-action ambulance chasers, but in the
application of a new technology, tort law may be the only protection society
has against egregious and negligent behavior by greedy "unicorns".

Unfortunately, we are systematically disconnecting the backup system of
tort law BEFORE the primary system of regulation has been installed and
activated.

Not that this behavior is at all new.  Theodore Vail—as CEO of ATT --
made a deal with society that ATT would be shielded from all kinds of
lawsuits in return for being heavily regulated as a monopoly.

More recently, the drug industry is shielded from litigation, as
responsibility was shifted to the FDA for drug regulation.  But we must not
put the hearse before the autonomous cart.

https://www.wired.com/story/california-self-driving-car-laws/
http://beta.latimes.com/politics/la-pol-ca-new-driverless-car-regulations-20171114-story.html

https://www.nytimes.com/2017/05/21/technology/pittsburgh-ubers-driverless-car-experiment.html

PITTSBURGH—When Uber picked this former Rust Belt town as the inaugural
city for its driverless car experiment, Pittsburgh played the consummate
host.  "You can either put up red tape or roll out the red carpet," Bill
Peduto, the mayor of Pittsburgh, said in September. "If you want to be a
21st-century laboratory for technology, you put out the carpet."


"In spite of military assurances, autonomous weapon research speeds ahead" (Greg Nichols)

Gene Wirchenko <genew@telus.net>
Tue, 06 Feb 2018 09:54:04 -0800
Greg Nichols for Robotics, ZDnet, 6 Feb 2018
http://www.zdnet.com/article/in-spite-of-military-assurances-autonomous-weapon-research-speeds-ahead/

In spite of military assurances, autonomous weapon research speeds ahead
The US Army has successfully paired autonomous vehicles with robotic weapons.

Autonomous vehicles are coming to roads near you. If the US Army has its
way, battlefields will be next.

Under a program nicknamed "Wingman," the Army just announced it is range
testing autonomous vehicles equipped with robotic weapons systems. So far,
engineers have managed to successfully destroy targets with a self-driving
Humvee equipped with an onboard autonomous 7.62 mm weapon system.

The three-year program officially began last year, and it seems to be
progressing quickly.

"You're not going to have these systems go out there like in 'The
Terminator'," Thomas B. Udvare, deputy chief of the program, told the Army
News Service. "For the foreseeable future, you will always have a Soldier in
the loop."

Nice to hear. But there's something a little spooky about the Army insisting
humans will remain in the loop while engineers are rushing ahead with
weapons systems clearly designed for autonomous use.


Ford Patents Autonomous Robocop Police Car That Can Give Out Tickets (Tech Times)

Gabe Goldberg <gabe@gabegold.com>
Thu, 1 Feb 2018 20:46:58 -0500
Ford has filed a patent for an autonomous Robocop police car, which aims to
catch traffic law violators. Ford's autonomous police car will use machine
learning tools to take action and catch those who break the speed limit or
run red lights and issue tickets remotely.

Taking in information, the robot car can determine what law was violated
and take action.

http://www.techtimes.com/articles/219756/20180130/ford-patents-autonomous-robocop-police-car-that-can-give-out-tickets.htm

The risk? Taking this seriously?


British 15-year-old gained intelligence info (The Telegraph)

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 20 Jan 2018 11:31:48 PST
http://www.telegraph.co.uk/news/2018/01/19/british-15-year-old-gained-access-intelligence-operations-afghanistan/


Majority of employees in US unaware of GDPR mandate (DXC)

Gabe Goldberg <gabe@gabegold.com>
Mon, 22 Jan 2018 23:11:39 -0500
https://blogs.dxc.technology/2018/01/22/majority-of-employees-in-us-unaware-of-gdpr-mandates/


Enter all identifying numbers as single text string without formatting

Dan Jacobson <jidanni@jidanni.org>
Sun, 28 Jan 2018 02:34:56 +0800
FinancialCrimes EnforcementNetwork: BSA Electronic Filing Requirements For
Report of Foreign Bank and Financial Accounts (FinCEN Form 114):

  "Identifying numbers: Enter all identifying numbers as a single text
  string without formatting or special characters such as hyphens or
  periods. An identifying number in the format NNNNN- NNNN would be entered
  as NNNNNNNNN."

OK, but sometimes 123-45 is different than 12-345...


Exclusive: Mattis seeking to ban cell phones from Pentagon (CNNPolitics)

Gabe Goldberg <gabe@gabegold.com>
Wed, 31 Jan 2018 14:43:30 -0500
https://www.cnn.com/2018/01/31/politics/mattis-pentagon-cellphone-ban/index.html

The risk? Too big a hammer hitting the wrong nail?


Re: Vehicle Satellite Navigation (Drewe, RISKS-30.53)

Wols Lists <antlists@youngman.org.uk>
Thu, 18 Jan 2018 20:43:14 +0000
I suspect I know that flyover ...

But I got bit by a very similar sort of issue. The Embankment in London was
closed by roadworks a few days ago. So Google, detecting no traffic, thought
it was the perfect route and was directing people to use it.  Unfortunately,
as the name implies, this runs alongside the Thames, so drivers' options for
a diversion once they realised they were in a jam were extremely limited. I
ended up going back to Westminster Bridge (I think it took me an hour to
travel a net zero metres) before crossing south of the river and heading to
my destination that way.

Surely it's not beyond the wit of computer to realise that if ALL the
vehicles you are directing down a certain road all divert off, that there's
something wrong? Rather than, as at present, you send even more traffic that
way to turn a jam into gridlock.


Not knowing Twitter credentials delayed Hawai'i "all clear"

Lauren Weinstein <lauren@vortex.com>
Mon, 22 Jan 2018 21:34:54 -0800
The Governor of Hawaii is declaring that the long delay in his sending out
the "false alarm" message after an incoming missile alarm was triggered in
error, was due to his not knowing his own Twitter credentials. He had to
find his public communications spokesperson—who normally ran his Twitter
account—in order to get an "all clear" note out on Twitter. Supposedly he
now knows his own username and password. I wonder if he has 2-factor
enabled?


HI-EMA 'button pusher' refusing to cooperate with FCC, internal investigators (Star Advertiser)

Lauren Weinstein <lauren@vortex.com>
Thu, 25 Jan 2018 17:59:52 -0800
via NNSquad
http://www.staradvertiser.com/2018/01/24/breaking-news/schatz-to-lead-hearing-on-alert-systems-in-wake-of-hawaii-blunder/

  The Hawaii Emergency Management Agency "button pusher" who sent a bogus
  missile alert that triggered panic across the islands on Jan. 13 is not
  cooperating with either a Federal Communications Commission investigation
  nor two internal investigations.


Re: Hawaiian False Missile Alert Command Confirmation Bias Strikes Again (Gezelter, RISKS-30.53)

Henry Baker <hbaker1@pipeline.com>
Thu, 18 Jan 2018 14:00:21 -0800
One wonders if the President's nuclear football has a similar
"Are you sure you want to destroy mankind? (y/n)" UX?

Perhaps 2-factor authentication is warranted?

  "A numeric code has been sent via SMS to the cellphone buried in First Lady
  Melania's thoracic cavity.  Please enter that 6 digit numeric code here
  ------ in order to proceed."

Apologies to Roger Fisher:
https://en.wikipedia.org/wiki/Roger_Fisher_(academic)#Preventing_nuclear_war


Re: "LA-Tokyo flight turns back after passenger 'boards with wrong ticket'" (BBC)

"John Levine" <johnl@iecc.com>
18 Jan 2018 17:01:53 -0500
They're more than counters—when they scan my boarding pass I can see that
it shows my name and my seat number.

Apparently the passenger did have a boarding pass for another flight so the
obvious question is whether each scanner is supposed to accept bp's for a
single flight, or all the scanners in the airport are the same and they'll
all accept bp's for any flight and the staff are supposed to check that it's
showing the right flight number.


Re: Five copyright claims against youtube video of white noise

"John Levine" <johnl@iecc.com>
18 Jan 2018 16:01:12 -0500
Ahem.  Patent and copyright are not the same thing.  Independent creation,
i.e., I made my white noise all by myself and not by listening to your white
noise, is a complete defense to claims of copyright infringement.

  [Absolutely.  TNX.  PGN]

By the way, the actual answer to the question about the prime number is no,
since there is case law saying that copyright requires creativity, and the
amount of work involved doesn't matter.  The case involved copying
phone-book white pages (remember them?) listings.

  [Incidentally, in that courts have ruled we cannot copyright our own
  genomes, "creativity" cannot be the sole factor.  Cheers! PGN]

Please report problems with the web pages to the maintainer

Top