The RISKS Digest
Volume 30 Issue 81

Saturday, 25th August 2018

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents

Verizon throttled fire department's unlimited data during California wildfire
Ars Technica
Blowing smoke?
Rob Slade
How social media took us from Tahrir Square to Donald Trump
Zeynep Tufekci
SwissPost invites you to hack a developing online voting system
PGN
Tech Giants Are Becoming Defenders of Democracy. Now What?
WiReD
As Facebook Use Goes Up in Germany, So Do Attacks on Refugees
NYtimes
Researchers Help Close Security Hole in Popular Encryption Software
John Toon
This firm already microchips employees. Could your ailing relative be next?
WashPo
New Attack Recovers RSA Encryption Keys from EM Waves Within Seconds
Bleeping Computer
Software fault discovered—never-tested "race" condition
ProRail
Edge case paralyses train network around Amsterdam
ProRail
Hackers Target Fax Machines
Miranda Moore
Just say no: Wi-Fi-enabled appliance botnet could bring power grid to its knees.
Ars Technica
Hack attempt on DNC voter database was a false alarm.
WashPo
1,464 Western Australian government officials used Password123 as their password
WashPo
Facebook Identifies New Influence Operations Spanning Globe.
NYTimes
Google sued for tracking you, even when 'location history' is off
Liam Tung
As Cars Collect More Data, Companies Try to Move It All Faster
NYTimes
Self-driving cars need to learn how humans drive
NPR.org
Blockchain Security
Rob Slade
Bitcoin and Ether are both down more than two-thirds from their peaks.
Ars Technica
Cellphones, blockchain, Bitcoin ... bingo.
Fortune
Improved keyless entry system could replace car key fob with iPhone
Gabe Goldberg
I just hacked a state election. I'm 17. And I'm not even a very good hacker
River O'Connor
In fight against ISIS's propaganda machine, raids and online trench warfare
WashPo
The Font Which Toppled a Government
Now I Know
Expiration of Major Cybersex Patent Could Set Off Explosive Innovation
Fortune
Watch that browser add-on
Web Informant
Credit-card skimmers now need to fear the Reaper.
Ars Technica
Caring for Aging Parents, With an Eye on the Broker Handling Their Savings
NYTimes
Comments on RISKS-30.79
Chris Drewe
Re: Yet another squirrel incident
Gene Wirchenko
Re: Second-hand Land-Rover data may stay under control of first owner
Genoit Goas
Re: What3words: putting geographical addresses behind a closed API
Eli the Bearded
Re: Child drownings in Germany linked to parents phone fixation
Wendy M. Grossman
Info on RISKS (comp.risks)

Verizon throttled fire department's unlimited data during California wildfire (Ars Technica)

Gabe Goldberg <gabe@gabegold.com>
Wed, 22 Aug 2018 15:17:29 -0400
The Fire Department had to pay twice as much to lift throttling during
wildfire response.
https://arstechnica.com/tech-policy/2018/08/verizon-throttled-fire-departments-unlimited-data-during-calif-wildfire/

"Verizon representatives confirmed the throttling, but rather than restoring
us to an essential data transfer speed, they indicated that County Fire
would have to switch to a new data plan at more than twice the cost, and
they would only remove throttling after we contacted the Department that
handles billing and switched to the new data plan," Bowden wrote.

"Regardless of the plan emergency responders choose, we have a practice to
remove data speed restrictions when contacted in emergency situations,"
Verizon's statement said. "We have done that many times, including for
emergency personnel responding to these tragic fires. In this situation, we
should have lifted the speed restriction when our customer reached out to
us. This was a customer support mistake. We are reviewing the situation and
will fix any issues going forward."

  Well, a contract is a contract—maybe FD hadn't read fine print? But
  "unlimited" service that throttles to nearly nothing isn't a use of that
  word with which I'm familiar.

  OTOH, Verizon might have shown more sense during the incident, sorted it
  out later. Nice public spirit shown, plus clueless customer support in the
  moment.

    [Also noted by Richard Stein:

    If you don't ask, you won't get. Will emergency services wait until the
    next conflagration, earthquake or other natural disaster to request data
    throttle suspension? Rather than throttling their customer support,
    perhaps Verizon corporate sales policy should be revised to permanently
    waive or preclude data plan throttling for first responders.]


Blowing smoke?

Rob Slade <rmslade@shaw.ca>
Mon, 20 Aug 2018 14:51:03 -0700
Given all the wildfires, as well as a messed up jet stream and a high
pressure area that has been parked here for quite a while, it's smoky here
in the northwest.

A group in Spokane wants to blow the smoke into Canada.
https://keprtv.com/news/offbeat/everyone-turn-your-fan-on-spokane-group-aims-to-blow-wildfire-smoke-back-to-canada
or
https://is.gd/xMSMWH
https://www.facebook.com/events/2049472562029769/

(They say "back" to Canada, but there are some fires in Washington State as
well, some of which have crossed into Canada ...)

They want everyone to get five box fans (from where?), put them on the roof,
and blow ... every fuse in town?

Then there are the life safety issues of people falling off roofs, plus the
fire safety issues of haywire extension cord setups ...  cost-benefit, fire
safety, forethought, life safety, planning, who did these calculations?


How social media took us from Tahrir Square to Donald Trump (Zeynep Tufekci)

Peter G Neumann <Neumannn@CSL.SRI.COM>
Thu, 23 Aug 2018 18:43:12 -0700
  Zeynep Tufekci, MIT *Technology Review*, 14 Aug 2018
  To understand how digital technologies went from instruments for spreading
  democracy to weapons for attacking it, you have to look beyond the
  technologies themselves.
https://www.technologyreview.com/s/611806/how-social-media-took-us-from-tahrir-square-to-donald-trump/

BoingBoing had a piece on Zeynep's article:
From Tahrir to Trump: How the Internet became the dictators' home turf
http://boingboing.net/2018/08/23/we-didnt-start-the-fire.html

  Zeynep Tufekci (previously) leads Tech Review's politics issue with the
  best overview of the forces that have combined to make the Internet so
  hospitable to totalitarians and racist pigs.  Tufekci describes how
  insurgent, democratic movements were early arrivals to the Internet, and
  how clumsy authoritarians' attempts to fight them by shutting the net down
  only energized their movements. But canny authoritarians mastered the
  platforms, figuring out how to game their automated algorithms to upvote
  their messages, and how to game their moderation policies to banish their
  adversaries.


SwissPost invites you to hack a developing online voting system

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 25 Aug 2018 12:40:04 PDT
Here's a wonderful opportunity for RISKS readers.  The Swiss are developing
an online voting system, which they hope will be ready for testing next
year.  More at swisspost.ch/pit


Tech Giants Are Becoming Defenders of Democracy. Now What? (WiReD)

Lauren Weinstein <lauren@vortex.com>
Wed, 22 Aug 2018 12:21:17 -0700
NNSquad
http://www.wired.com/story/microsoft-facebook-tech-giants-defending-democracy/

  On Tuesday, a trifecta of tech companies announced that they had thwarted
  what appear to be significant cyberattacks from Russia and Iran. First,
  Microsoft CEO Brad Smith announced that the company had caught another
  round of phishing attacks on political groups in the United States, which
  it attributed to the Russian hacking group Fancy Bear.  Then it was
  Facebook's turn. On a call with reporters, CEO Mark Zuckerberg said his
  company had shut down 652 pages, accounts, and groups affiliated primarily
  with Iran, though some had ties to Russia. Twitter almost instantly
  followed suit, saying it too had taken 284 accounts offline, which
  appeared to have originated in Iran.  In Washington, the news was met with
  a mixture of gratitude and anxiety.


As Facebook Use Goes Up in Germany, So Do Attacks on Refugees, Study Suggests. (NYTimes)

Monty Solomon <monty@roscom.com>
Sat, 25 Aug 2018 09:09:59 -0400
As Facebook Use Goes Up in Germany, So Do Attacks on Refugees, Study Suggests

A small German town exemplifies a phenomenon long suspected by researchers
who study Facebook: that the platform makes communities more prone to racial
violence.

http://www.nytimes.com/2018/08/21/world/europe/facebook-refugee-attacks-germany.html


Researchers Help Close Security Hole in Popular Encryption Software

ACM TechNews <technews-editor@acm.org>
Fri, 17 Aug 2018 12:47:24 -0400
John Toon, Georgia Tech News Center, 9 Aug 2018,
via ACM TechNews, 17 Aug 2018

Georgia Institute of Technology (Georgia Tech) researchers have helped patch
a security flaw that could have enabled the theft of encryption keys from
OpenSSL software by briefly eavesdropping on "side channel" signals from
smartphones.  The hack involved using intercepted electromagnetic signals
from the phones that could be analyzed with a small and inexpensive portable
device that listened in on a single decryption cycle.  Georgia Tech's Milos
Prvulovic and Alenka Zajic eavesdropped on two different Android phones
using probes in close proximity to the devices without any physical contact.
Their hack analyzed signals in a 40-MHz-wide band around the phones'
processor clock frequencies, which are nearly 1 GHz.  Prvulovic says, "Once
we got the attack to work, we were able to suggest a fix for it fairly
quickly.  Programmers need to understand that portions of the code that are
working on secret bits need to be written in a very particular way to avoid
having them leak."

http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-1c5bdx216c58x070160%26


This firm already microchips employees. Could your ailing relative be next? (WashPo)

Richard Stein <rmstein@ieee.org>
Thu, 23 Aug 2018 20:07:47 -0700
http://www.washingtonpost.com/technology/2018/08/23/this-firm-already-microchips-employees-could-your-ailing-relative-be-next/

Continuous physiological monitoring, location tracking, voice-activation,
baseline medical history comparison capability, and communication
capability. Fueled by harvesting human body heat—thermoelectric generator
(TEG) implanted into the flesh.

If the implant's medical history is enciphered, emergency room access to
active prescriptions, pre-existing conditions, and allergic history is a
no-go, unless the key is readily available. The ER would also require an
implant reader and decoder application. If not enciphered, and an RFID
protocol can read implant content, then confidentiality maintenance issues
materialize.


New Attack Recovers RSA Encryption Keys from EM Waves Within Seconds (Bleeping Computer)

Gabe Goldberg <gabe@gabegold.com>
Thu, 23 Aug 2018 11:10:04 -0400
A research paper presented at the Usenix security conference last week
detailed a new technique for retrieving encryption keys from electronic
devices, a method that is much faster than all previously known techniques.

The approach relies on recording electromagnetic (EM) emanations coming off
a device as it performs an encryption or decryption operation. ...

Attack requires close proximity to the device

The attack's only downside is that it still requires quite a close proximity
to the "sniffed" device.

http://www.bleepingcomputer.com/news/security/new-attack-recovers-rsa-encryption-keys-from-em-waves-within-seconds/
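Both the Georgia Tech item above and this Bleeping Computer item come down to Prvulovic's point that code handling secret bits must not vary its work with those bits. The following is an added illustration in C (not the OpenSSL fix, and using toy 64-bit values): a square-and-multiply whose extra multiply depends on each exponent bit, beside a Montgomery ladder that performs the same operations for every bit and only steers results with a branch-free swap.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration of "write secret-handling code in a particular way".
 * The arithmetic is a toy: 64-bit modulus, and '%' itself is not
 * constant-time (real code uses Montgomery multiplication). What it shows
 * is the control-flow difference an EM or power trace can observe. */

static unsigned long g_mul_count;   /* modular multiplications performed */

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    g_mul_count++;
    return (uint64_t)(((unsigned __int128)a * b) % m);
}

/* Leaky square-and-multiply: the extra multiply happens only when the
 * exponent bit is 1, so the sequence of operations spells out the key. */
uint64_t modexp_leaky(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t r = 1 % mod;
    base %= mod;
    for (int i = 63; i >= 0; i--) {
        r = mulmod(r, r, mod);
        if ((exp >> i) & 1)            /* secret-dependent branch */
            r = mulmod(r, base, mod);
    }
    return r;
}

/* Branch-free conditional swap; 'bit' must be 0 or 1. The mask is all-ones
 * or all-zeros, so both registers are read and written either way. */
static void ct_swap(uint64_t *a, uint64_t *b, uint64_t bit)
{
    uint64_t mask = (uint64_t)0 - (bit & 1);
    uint64_t t = (*a ^ *b) & mask;
    *a ^= t;
    *b ^= t;
}

/* Montgomery ladder: one squaring and one multiply per bit regardless of
 * its value; the bit only decides which register receives which result. */
uint64_t modexp_ladder(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t r0 = 1 % mod, r1 = base % mod;
    for (int i = 63; i >= 0; i--) {
        uint64_t bit = (exp >> i) & 1;
        ct_swap(&r0, &r1, bit);
        r1 = mulmod(r0, r1, mod);
        r0 = mulmod(r0, r0, mod);
        ct_swap(&r0, &r1, bit);
    }
    return r0;
}

/* Operation counts: the leaky version performs 64 + popcount(exp)
 * multiplications, the ladder always 128, whatever the exponent. */
unsigned long mul_count_leaky(uint64_t base, uint64_t exp, uint64_t mod)
{
    g_mul_count = 0;
    (void)modexp_leaky(base, exp, mod);
    return g_mul_count;
}

unsigned long mul_count_ladder(uint64_t base, uint64_t exp, uint64_t mod)
{
    g_mul_count = 0;
    (void)modexp_ladder(base, exp, mod);
    return g_mul_count;
}

int main(void)
{
    uint64_t base = 4, exp = 13, mod = 497;   /* constructed toy values */
    printf("leaky:  %llu in %lu multiplications\n",
           (unsigned long long)modexp_leaky(base, exp, mod),
           mul_count_leaky(base, exp, mod));
    printf("ladder: %llu in %lu multiplications\n",
           (unsigned long long)modexp_ladder(base, exp, mod),
           mul_count_ladder(base, exp, mod));
    return 0;
}
```

Compile with gcc or clang (the 128-bit intermediate is a compiler extension); the multiplication counts, not the results, are the point.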


Software fault discovered—never-tested "race" condition (ProRail)

D G Rossiter <cyrus621@telfort.nl>
Thu, 23 Aug 2018 09:30:32 -0400
From the blog of the Dutch railway infrastructure company ProRail
http://www.prorail.nl/nieuws/oorzaak-computerstoring-treinverkeersleiding-gevonden
(my translation with some [editorial comments])

"ProRail has discovered the cause of the computer disruption of 21-August
that caused many trains in the Amsterdam area to be canceled. Due to a
unique set of circumstances a software fault occurred, with the result that
the computer system that manages the trains and tracks could only be
partially used. The problem began around 0630 when a thief being chased by
the police at Schiphol Airport station tried to escape by running into the
train tunnels [note: Schiphol Airport has an underground 6-track station
with about 1.5 km tunnel on either side]. Therefore one train that was
planned in the system had to be canceled. The Dynamic Traffic Management
System (DVM) which regulates train service through the Schiphol Airport
station was automatically re-assigning platforms to trains, but at the same
time an operator was entering a manual change in the platform
assignments. This caused a conflict [race condition?] [that had never been
tested] so that the automatic system was automatically disabled in favour of
a partial system where all the very heavy traffic around Schiphol Airport
and Amsterdam had to be managed by hand. This caused many trains to be
canceled or delayed. The fault in the automatic system has now been
repaired, so it will not happen again"


Edge case paralyses train network around Amsterdam (ProRail)

Paul van Keep <paul@vankeep.com>
Thu, 23 Aug 2018 16:33:18 +0200
Yesterday afternoon a shop-lifter at Schiphol airport in the Netherlands was
on the run from the police and tried to get away by running into the train
tunnel that runs underneath the airport. As a safety measure train traffic
control ordered all trains around the tunnel to stop. One of these trains
apparently stopped just when it had received both an automatic and a manual
platform assignment. In the minutes that followed those conflicting orders
triggered over 32,000 planning records to be generated in the system
effectively performing a denial of service attack. ProRail, the network
operator, had no other choice than to shut down the entire computer system
responsible for the train network around the Amsterdam area for hours. (The
company says that the event caused a software bug to arise. LOL). Train
traffic is still affected a day later because of scheduling problems as a
result of the shutdown. ProRail stated that the error can no longer occur.
No details were provided, but I hope they didn't just set a maximum to the
number of records that can be generated.

(in Dutch:)
http://www.prorail.nl/nieuws/oorzaak-computerstoring-treinverkeersleiding-gevonden

  [Wow!  Two ProRail items in the same issue.  Dank U wel.]
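Both ProRail items describe the same failure mode: an automatic platform assignment and an operator's manual change for the same train, never reconciled, and planning records generated until the system had to be shut down. The following is an added illustration in C (not ProRail's code; the data model, platform numbers and the 32,000 figure used as a cap are constructed) of a last-writer-wins update loop beside a version-checked write in which the manual order wins once and automatic re-planning is refused thereafter, which is the kind of fix Paul van Keep hopes for rather than a bare record limit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of one train's platform assignment record. Added
 * example; not ProRail code, and not their real planning data model. */

enum source { SRC_AUTO, SRC_MANUAL };

struct train_plan {
    int platform;          /* platform currently assigned to the train */
    unsigned version;      /* bumped on every accepted write */
    bool manual_override;  /* an operator has fixed this assignment by hand */
    size_t records;        /* planning records generated so far */
};

/* Last-writer-wins: every write is accepted and emits a planning record. */
static void naive_write(struct train_plan *p, int platform)
{
    p->platform = platform;
    p->version++;
    p->records++;
}

/* Optimistic-concurrency write: the caller passes the version it read.
 * Returns 0 on success, -1 if that read was stale (someone wrote in
 * between: re-read and reconsider) or if automatic re-planning tries to
 * overturn an assignment the operator has fixed by hand. */
int guarded_write(struct train_plan *p, int platform, enum source src,
                  unsigned expected_version)
{
    if (p->version != expected_version)
        return -1;
    if (src == SRC_AUTO && p->manual_override)
        return -1;
    p->platform = platform;
    p->version++;
    p->records++;
    if (src == SRC_MANUAL)
        p->manual_override = true;
    return 0;
}

/* Planner wants platform 1, operator entered platform 2. With no conflict
 * detection each side "corrects" the other's write, so records keep being
 * generated until an external limit stops it. The strict alternation is a
 * constructed stand-in for an engine re-deriving records from two orders
 * it cannot reconcile. Returns the number of records generated. */
size_t simulate_naive(size_t max_records)
{
    struct train_plan p = { .platform = 1 };
    const int auto_pref = 1, manual_pref = 2;
    while (p.records < max_records) {
        if (p.platform != manual_pref)
            naive_write(&p, manual_pref);  /* manual order re-applied */
        else
            naive_write(&p, auto_pref);    /* automatic re-assignment */
    }
    return p.records;   /* only the cap ended it; nothing was resolved */
}

/* Same race with guarded writes: both sides read version 0, the manual
 * order lands first, the automatic write is rejected as stale, and the
 * planner's retry after re-reading is refused because the manual override
 * is in force. One record is generated and the conflict is over. */
struct train_plan simulate_guarded(void)
{
    struct train_plan p = { .platform = 1 };
    unsigned seen = p.version;
    (void)guarded_write(&p, 2, SRC_MANUAL, seen);     /* accepted */
    (void)guarded_write(&p, 1, SRC_AUTO, seen);       /* stale: rejected */
    (void)guarded_write(&p, 1, SRC_AUTO, p.version);  /* override: rejected */
    return p;
}

int main(void)
{
    struct train_plan g = simulate_guarded();
    printf("naive:   %zu records before the cap stopped it\n",
           simulate_naive(32000));
    printf("guarded: platform %d after %zu record(s)\n",
           g.platform, g.records);
    return 0;
}
```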


Hackers Target Fax Machines (Miranda Moore)

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 19 Aug 2018 9:33:13 PDT
Miranda Moore, *The Washington Post*
Phone Line Connected To Computer Network Can Offer Access

The fax machine is widely considered to be a dinosaur of inter-office
communications, but it may also present a vulnerable point where hackers can
infiltrate an organization's network, according to a new report from
Israel-based software company Check Point. The company said that the
vulnerability was identified as a result of research intended to discover
potential security risks, and not as the result of any attack.

Hackers can gain access to a network using the phone line connected to a fax
machine, which is often connected to the rest of an organization's network.
By sending an image file that contains malicious software over the phone
line, hackers are able to take control of the device and access the rest of
the network. The researchers were able to do this using only a fax number,
which is often widely distributed by organizations on business cards and
websites.

The report estimates that there are more than 17 million fax machines in use
in the United States alone. The legal and medical fields both continue to
rely heavily on fax machines to conduct business, since they are widely
considered to be a more secure form of transmitting sensitive information
and signatures compared to email. Banking and real estate also frequently
transfer documents containing signatures via fax.

With the advent of all-in-one products that include fax functions as well as
printing and scanning, fax machines may be more prevalent in homes and
offices than people realize. This particular vulnerability only applies if
such a machine is connected to a telephone line, however.

The only machines tested were from HP's line of all-in-one printers, but
according to the report, these vulnerabilities are likely to be found in
machines from any manufacturer that use similar technology. HP issued a
patch for its products before the report was published, which is available
for download from its support website.

The report advises that if a fax machine is too old to support a software
update, or if the manufacturer has yet to issue a patch to fix the
vulnerability, fax capabilities should be used only on a segmented part of
the network without access to critical data. The report also advises that
the phone line connected to an all-in-one type machine should be
disconnected if a user or organization does not use the fax functions.


Just say no: Wi-Fi-enabled appliance botnet could bring power grid to its knees. (Ars Technica)

Monty Solomon <monty@roscom.com>
Mon, 20 Aug 2018 12:50:14 -0400
Princeton researchers find army of high-wattage IoT devices could cripple
electric grid.

https://arstechnica.com/information-technology/2018/08/just-say-no-wi-fi-enabled-appliance-botnet-could-bring-power-grid-to-its-knees/


Hack attempt on DNC voter database was a false alarm. (WashPo)

Monty Solomon <monty@roscom.com>
Thu, 23 Aug 2018 09:04:40 -0400
The Democratic National Committee had alerted the FBI to an apparent
attempted hack of its voter database earlier this week. A security firm
discovered that a fake DNC log-in page had been created to trick people into
giving up their usernames and passwords, a Democratic official said.  A
person familiar with the incident said this.

http://www.washingtonpost.com/news/politics/wp/2018/08/23/hack-attempt-on-dnc-voter-database-was-a-false-alarm-the-national-committee-says/

And here is the previous day's item in *The New York Times*:
http://www.nytimes.com/2018/08/22/technology/democratic-party-says-it-has-thwarted-attempted-hack-of-voter-database.html


1,464 Western Australian government officials used Password123 as their password (WashPo)

David Lesher <wb8foz@panix.com>
Thu, 23 Aug 2018 01:41:48 -0400
http://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/

Somewhere in Western Australia, a government IT employee is probably
laughing or crying or pulling their hair out (or maybe all of the above). A
security audit of the Western Australian government released by the state's
auditor general this week found that 26 percent of its officials had weak,
common passwords—including more than 5,000 including the word `password'
out of 234,000 in 17 government agencies.

Yikes.

The legions of lazy passwords were exactly what you—or a thrilled hacker—would
expect: 1,464 people went for `Password123' and 813 used
`password1'.  Nearly 200 individuals used `password'—maybe they never
changed it to begin with?

Almost 13,000 used variations of the date and season, and almost 7,000
included versions of `123'.  [...]


Facebook Identifies New Influence Operations Spanning Globe. (NYTimes)

Monty Solomon <monty@roscom.com>
Wed, 22 Aug 2018 19:41:26 -0400
http://www.nytimes.com/2018/08/21/technology/facebook-political-influence-midterms.html

The social network removed hundreds of fake accounts and pages targeting
people in different countries and regions that originated in Iran and
Russia.


Google sued for tracking you, even when 'location history' is off (Liam Tung)

Gene Wirchenko <genew@telus.net>
Wed, 22 Aug 2018 18:01:26 -0700
Liam Tung, ZDNet, 21 Aug 2018
http://www.zdnet.com/article/google-sued-for-tracking-you-even-when-location-history-is-off/
Google sued for tracking you, even when 'location history' is off
A lawsuit accuses Google of tracking a man against his wishes and
disguising what 'location history off' means.

opening text:

Google now faces a potential class action lawsuit over the revelation that
it continues to store users' location data even if they turn off Location
History.

The lawsuit was filed on Friday, the day Google updated its help page to
clarify that with Location History off it still stores some location data in
other services such as Google Search and Maps.

Until then, Google's help page on Location History stated that "with
Location History off, the places you go are no longer stored".  However, a
report by the Associated Press found this statement wasn't true.

The lawsuit accuses Google of falsely representing what 'Location History
off' means to its millions of iPhone and Android users and seeks a class
action status consisting of an Android Class and an iPhone Class.


As Cars Collect More Data, Companies Try to Move It All Faster (The New York Times)

Gabe Goldberg <gabe@gabegold.com>
Sun, 19 Aug 2018 15:57:59 -0400
Cars need to get faster—not on the road, but on the inside.

Speed has always been part of the mystique of the automotive business.  But
cars have been notoriously slow when it comes to handling information. It is
a problem that has only become more pressing as the era of autonomous
vehicles looms, with competing interests racing to be the first with a
solution.

Cars have long relied on a relatively simple network standard called the CAN
or Controller Area Network bus. The CAN bus coordinates all the
microprocessors and electronic control units, or E.C.U.s, that need to trade
engine, powertrain, and diagnostic information, transmitting details like
transmission status and fluid levels. As more electronics like window and
seat controls were added to cars, the CAN bus was tweaked over the years
with additional local interconnection networks, or LINs, to handle the
swelling communications load.

But the CAN bus, which was originally developed by Bosch more than 33 years
ago, is showing its age.

https://www.nytimes.com/2018/08/16/business/cars-internal-data-networks.html


Self-driving cars need to learn how humans drive (NPR.org)

Richard M Stein <rmstein@ieee.org>
Tue, 21 Aug 2018 05:27:17 -0700
http://www.npr.org/2018/08/21/639646651/watch-self-driving-cars-need-to-learn-how-humans-drive

Hope these lessons include simulating drivers experiencing some or all these
scenarios, preferably simultaneously:

1) A bee in the vehicle;
2) Cosmetic application, especially lipstick and eyeliner;
3) Cat escape from transport carrier;
4) Coffee or slurpee spill;
5) The all important chili cheeseburger drip mess;


Blockchain Security

Rob Slade <rmslade@shaw.ca>
Fri, 17 Aug 2018 10:42:22 -0700
The ISC2 "community" has had a bunch of queries about blockchain in recent
months.  One person started a fairly active thread asking for a kind of a
cheat sheet for blockchain security.

The real issue is that, however it started out, blockchain has now become
kind of a marketing term: it means whatever the vendor selling it to you
thinks it means.  (Which is not necessarily what you need it to mean.)
Essentially, by now it's pretty meaningless.

At base, it is an amalgamation of two ideas.  Digital signing of
transactions, and a distributed database of those transactions and
signatures.

Beyond that, we have implementation details.  And those, as always, are
where the problems arise.

Are you really serious about the signatures?  Are you doing confidentiality,
or just the authentication?  How serious is your signature algorithm?  What
about key management?  Have you got all the bits you need for a full PKI?
Are you using a hierarchical model or web of trust?

And these are only the beginning of the questions.  On the signature side.

How are you going to distribute the transaction ledger?  Is it going to be
full everywhere?  Is it going to be full *any*where?  How can it be accessed
and checked?  Will a complete examination of the register identify an
individual even if a single transaction doesn't?

So, ultimately, the answer to your question is "no."  There isn't any
nugget.  There isn't any cheat sheet.  The hygiene depends upon what you
build or buy.

And that's why BLOCKCHAIN IS NOT THE ANSWER.

(Blockchain isn't even the question.  Even if the answer *is* "no.")

(Sorry.  As the dictionary guy I always get kind of bitter when a term that
*might* have had a meaning or use gets abused to the point of being
meaningless ...)


Bitcoin and Ether are both down more than two-thirds from their peaks. (Ars Technica)

Monty Solomon <monty@roscom.com>
Mon, 20 Aug 2018 19:39:25 -0400
The value of ether has fallen 9 percent over the last 24 hours.

http://arstechnica.com/tech-policy/2018/08/bitcoin-and-ether-are-both-down-more-than-two-thirds-from-their-peaks/

Earlier:

The number of people who bought virtual currencies more than doubled last
winter. For people who got in late, the bust has been disastrous.
https://www.nytimes.com/2018/08/20/technology/cryptocurrency-investor-losses.html


Cellphones, blockchain, Bitcoin ... bingo. (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Sun, 19 Aug 2018 16:02:17 -0400
*From Fortune magazine email:*

*Game of telephones.* A man in California is suing AT&T
https://click.email.fortune.com/?qs=855aded26e1f3607aaf38868b35c5d2989f00592a9ea8c4d2cfd2d6d4ab82fbf45357d610f28a94006a2ccce70fd55e848a2569843531ce9
to the tune of $224 million for allegedly enabling a thief to steal $24
million worth of his cryptocurrency. (The other $200 million is for punitive
damages.) The plaintiff, one Michael Terpin, says that AT&T gave the culprit
access to his phone number without authorization, thus enabling the bandit
to break into Terpin's digital accounts. AT&T said it disputes the
allegations.

https://www.cnbc.com/2018/08/15/cryptocurrency-investor-sues-att-for-224-million-over-loss-of-digita.html


Improved keyless entry system could replace car key fob with iPhone

Gabe Goldberg <gabe@gabegold.com>
Fri, 17 Aug 2018 23:28:55 -0400
Apple wants iPhone owners to be able to use their mobile devices as
alternatives to a keyless entry system for their car, with a proposal that
would let users unlock and start a vehicle simply by bringing their mobile
device with them to the driving seat. ...

Apple proposes the use of both magnetic antennas and radio frequency
antennas to determine range, including analyzing the RF received signal
strength indicator, time-of-flight value, and other signal properties.  This
would allow for an unlocking system to detect at a far longer range than
available at present.

https://appleinsider.com/articles/18/08/16/improved-keyless-entry-system-could-replace-car-key-fob-with-iphone

Longer range—what could go wrong with that?

Great comment on article:

Awesome! iPhone thieves will now get a free car as a bonus! And if they ask
Siri to navigate home they can have all my stuff too.

It currently takes *three* different thieves to pull this off, but thanks to
technological progress that will soon be accomplished by just one.


I just hacked a state election. I'm 17. And I'm not even a very good hacker. (River O'Connor)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 21 Aug 2018 9:45:19 PDT
River O'Connor, Politico

http://www.politico.com/magazine/story/2018/08/21/i-just-hacked-a-state-election-17-not-a-good-hacker-219374

It took me around 10 minutes to crash the upcoming midterm elections. Once I
accessed the shockingly simple and vulnerable set of tables that make up the
state election board's database, I was able to shut down the website that
would tally the votes, bringing the election to a screeching halt. The data
were lost completely. And just like that, tens of thousands of votes
vanished into thin air, throwing an entire election, and potentially control
of the House or Senate—not to mention our already shaky confidence in the
democratic process itself—into even more confusion, doubt and
finger-pointing.

I'm 17. And I'm not even a very good hacker.

I've attended the hacking convention DEF CON in Las Vegas for over five
years now, since I was 11 years old. While I have a good conceptual
understanding of how cyberspace and the Internet work, I've taken only a
single Python programming class in middle school. When I found out that the
DNC was hosting a security competition for kids and teens, however, my
interest in politics fed into curiosity about how easy it might be to mess
with a U.S. election. Despite that limited experience, I understood
immediately when I got to Las Vegas this year why the professionals tend to
refer to state election security as "child's play."

The Voting Machine Village at DEF CON, where attendees tackled
vulnerabilities in state voting machines and databases, raised plenty of
eyebrows among election boards and voting machine manufacturers alike. It's
a hard pill to swallow for the public, too: No one wants to believe that—
after waiting in a lengthy line, taking time off from work or finding a
babysitter in order to vote—their ballot could be thrown away, or even
worse, altered.

Consequently, people started to take notice as reports came in from both the
intelligence community and organizations like the DNC, a co-sponsor of the
Voting Village, about the ease with which a foreign power could potentially
do such a thing. Since electronic voting was introduced in the early 2000s,
leaders in Washington and our state capitals have repeatedly failed to keep
up with rapid advances in information technology and cybersecurity.

The replica state election websites used in this year's competition were
built on MySQL, a database management system that stores data in simple
tables containing columns and rows. By inputting a command into the search
bar to see all the website's tables, I could then see all its data,
including vote tallies, candidate names and tables of basic website
functions. Once someone has that kind of access, they can do plenty of
damage. The organizers instructed us to double candidates' vote tallies, for
starters. Then, with the assistance of volunteers, some of us easily changed
the names of candidates or even their parties, or inflated the vote tallies
to ridiculously high, Putin-esque numbers.

The entirety of the hacking came down to entering no more than two lines of
code: the first to display all columns and rows for the site and the second
to alter the vote tally. Of the few dozen participants, most completed the
very simple hack assigned by the instructors. About a quarter figured out
how to rename or delete other candidates and their parties from the list.

But even after doing something as relatively tame, from a computer science
perspective, as messing around with a few numbers, I wanted to see how much
damage I could do *without* the competition's instructions or staff
assistance. First, I wrote down the IP address of the server hosting the
competition, no different than the first step a foreign agent would take.
Then, I accessed the DEF CON website from a secure Wi-Fi spot and Googled a
list of common MySQL commands. The whole thing, from search to shutdown,
took me less than five minutes.

To take down the entire website, all I needed to do was enter a command to
drop the table—to remove it from the database entirely, in other words.
This caused the page to return an execution error, which took a reset of the
website's host server to fix. Essentially, I had crashed the website,
similar to the denial-of-service attacks more familiar to the public, but
more direct and even more effective.

This is where the staff got a little bit confused, as the competition's
instructions had told us only how to change the number of votes. I had to
crash the website again, right in front of them, before they believed I had
anything to do with it.

The fact that someone as untrained as myself could bring an election to a
screeching halt with nothing but a quick Google search should be a wake-up
call. While inflating Gary Johnson's vote tally to over 90 billion is good
for a laugh, a more malicious agent—not to mention a team of well-funded
and highly skilled hackers—could do real damage. A close congressional
race could be flipped by the addition of a few hundred extra votes, the
installation of malware, stolen security credentials or the shutdown of a
website during the final tally, like my DEF CON escapade last week. The
possibility, or even the likelihood, of such an event is precisely why the
chief security officer of the DNC, Bob Lord, interviewed me and my fellow
competition participants to see what kind of defense those without
experience could potentially develop.

I didn't quite know what to expect when I started the competition, but I
know it shouldn't have been that easy. Someone with my skills wouldn't have
stood a chance against a professionally protected website. Anyone with a
Wi-Fi-enabled device could theoretically have done what I did to the mock
election database.

Unfortunately, the people who have the power to do something about this
issue are in denial. But that doesn't change the facts on the ground.
America is supposed to set a world standard for free and open elections --
the idea of "one person, one vote" is part of our identity. The failure to
address such a widespread and well-documented effort by foreign powers to
compromise that principle puts our democracy, and our position of
leadership, at risk.

I'm still not particularly interested in a tech career, but one day I hope
to be in a position to prevent something like this from happening in real
life. After the competition, both the staff and the competitors agreed—we
need a tech-literate government with the resources and the will to secure
our elections. Or at least one that can stop a 17-year-old with basic
command line skills and 10 free minutes between classes from electing Gary
Johnson president-for-life.

*River O'Connor is a senior at the Ocean Research College Academy in
Everett, Wash.*
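The mechanics the op-ed describes (a search field that feeds text straight into MySQL, a tally altered with one statement, a table dropped with another) come down to two engineering failures on the server side: input pasted into SQL text, and a web-facing database account allowed to write and drop. The following is an added illustration, not code from the op-ed, the DEF CON Voting Village or the mock sites; it uses Python's bundled sqlite3 as a stand-in for the MySQL backend, and the table name, candidate names and counts are constructed for the demonstration. It shows the same crafted input going through a concatenated update and a parameterized one, and a write being refused on a query-only connection (the SQLite analogue of giving the web account a SELECT-only grant).

```python
"""Added example, not from the op-ed or the DEF CON Voting Village: why a
tally update built by pasting user input into SQL text can be redirected at
every row, and why the same update issued as a parameterized query, or any
write attempted on a query-only connection, cannot.  sqlite3 stands in for
the MySQL backend the article describes; table, names and counts are
constructed for the demonstration."""
import sqlite3


def make_db():
    """Constructed sample election database (in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tallies (candidate TEXT PRIMARY KEY, votes INTEGER)")
    conn.executemany(
        "INSERT INTO tallies VALUES (?, ?)",
        [("Alice", 100), ("Bob", 98), ("Carol", 5)],
    )
    conn.commit()
    return conn


def tallies(conn):
    """Current counts as a dict, for inspection and assertions."""
    return dict(conn.execute("SELECT candidate, votes FROM tallies ORDER BY candidate"))


def record_vote_concat(conn, candidate):
    """Weak form: the candidate name becomes part of the SQL statement, so a
    quote character in the input changes which rows the WHERE clause selects."""
    sql = "UPDATE tallies SET votes = votes + 1 WHERE candidate = '%s'" % candidate
    conn.execute(sql)
    conn.commit()


def record_vote_param(conn, candidate):
    """Hardened form: the driver binds the value separately from the statement
    text, so the input is only ever compared as a string, never parsed."""
    conn.execute("UPDATE tallies SET votes = votes + 1 WHERE candidate = ?", (candidate,))
    conn.commit()


def write_refused_on_query_only(conn, statement):
    """Least privilege for a public-facing path: with SQLite's query_only
    pragma on (MySQL analogue: a SELECT-only grant for the web account), any
    statement that writes is rejected.  Returns True when the write was refused."""
    conn.execute("PRAGMA query_only = ON")
    try:
        conn.execute(statement)
    except sqlite3.OperationalError:
        return True
    finally:
        conn.execute("PRAGMA query_only = OFF")
    return False


def demo():
    """Run one crafted input through both update paths, then try a write on
    a query-only connection."""
    conn = make_db()
    crafted = "Bob' OR '1'='1"  # constructed input: a "name" containing a quote
    record_vote_concat(conn, crafted)  # WHERE clause now matches every row
    after_concat = tallies(conn)
    record_vote_param(conn, crafted)   # no candidate has that literal name
    after_param = tallies(conn)
    refused = write_refused_on_query_only(conn, "DROP TABLE tallies")
    return after_concat, after_param, refused


if __name__ == "__main__":
    print(demo())
```

The concatenated update adds a vote to every candidate, the parameterized one changes nothing because no row has that literal name, and the drop is refused outright; in MySQL the last point is a matter of what the web application's account is granted, which is the check a site operator can make without reading a line of application code.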


In fight against ISIS's propaganda machine, raids and online trench warfare. (WashPo)

Monty Solomon <monty@roscom.com>
Mon, 20 Aug 2018 09:22:50 -0400
Targeted in police action, ISIS's news agency "went down fast," but it
came back again and again.

https://www.washingtonpost.com/world/national-security/in-fight-against-isiss-propaganda-machine-raids-and-online-trench-warfare/2018/08/19/379d4da4-9f46-11e8-8e87-c869fe70a721_story.html


The Font Which Toppled a Government (Now I Know)

Gabe Goldberg <gabe@gabegold.com>
Mon, 20 Aug 2018 14:05:49 -0400
Nawaz Sharif was Pakistan's Prime Minister three times—from late 1990
until July 1993, then from February of 1997 into the fall of 1999, and
finally again from June 2013 until his ouster in July of 2017.  Currently,
he's in prison—and Calibri is partially responsible for that.

http://nowiknow.com/the-font-which-toppled-a-government/


Expiration of Major Cybersex Patent Could Set Off Explosive Innovation (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Mon, 20 Aug 2018 13:48:54 -0400
Friday marked a major milestone for the more than $15-billion adult toy
industry, with the expiration of a longstanding patent.  The basic idea
behind the expiring patent is almost as old as the Internet—that two
users might sexually stimulate each other using devices controlled over the
Internet.

http://fortune.com/2018/08/18/cybersex-patent-expiration-teledildonics/

Let the good times roll...

  [Monty Solomon noted this in Ars Technica:

    Cybersex toy industry heats up as infamous "teledildonics" patent
    climaxes.  EFF lawyer: "At least startups in the space won't immediately
    get sued."
    https://arstechnica.com/tech-policy/2018/08/cybersex-toy-industry-heats-up-as-infamous-teledildonics-patent-climaxes/
    PGN]


Watch that browser add-on (Web Informant)

David Strom via WebInformant <webinformant@list.webinformant.tv>
Mon, 20 Aug 2018 10:45:19 -0500
Web Informant, Aug 20, 2018 (via Gabe Goldberg)

This is a story about how hard it is for normal folks to keep their
computers secure. It is a depressing but instructive one. Most of us take
for granted that when we bring up our web browser and go to a particular
site, we are safe and we know what we see is malware-free.  However, that
isn't always the case, and is getting harder.

<http://blog.strom.com/wp/wp-content/uploads/2018/08/ext.png>

Many of you make use of browser add-ons for various things: Right now I am
running a bunch of them from Google, to view online documents and launch
apps. One extension that I rely on is my password manager. I used to have a
lot of other ones but found that after the initial excitement (or whatever
you want to call it, I know I live a sheltered life) wears off, I don't
really take advantage of them.

So my story today is about an add-on called Web Security. It is oddly named,
because it does anything but what it says. And this is the challenge for all
of us: many add-ons or smartphone apps have misleading names, because their
authors want you to think they are benign.  Initially, Mozilla wrote a
recommendation for this add-on earlier this month. Then they started getting
complaints from users and security researchers. Turns out that they made a
big mistake. Web Security tries to track what you are doing in your browsing
around the Internet, and could compromise your computer. When Mozilla add-on
analyst (that is his real job) Rob Wu looked into this further, he found
some very nasty behavior that made it finally clear to him that the add-on
was hiding malicious code. Mozilla basically turned off the extension for
the hundreds of thousands of users that had installed it and would have been
vulnerable. This story on Bleeping Computer provides more details.
https://www.bleepingcomputer.com/news/security/mozilla-removes-23-firefox-add-ons-that-snooped-on-users/

In the process of researching this one add-on's behavior, Wu found 22 other
add-ons that did something similar, and they were also disabled and removed
from the add-on store. More than half a million Firefox users had at least
one of those add-ons installed.

So what can we learn from this tale of woe? One thing is the sobering
thought when security experts have trouble identifying badly behaving
programs. Granted, this one was found and fixed quickly. But it does give me
(and probably you too) pause.

Here are some suggestions. First off, *take a look at your extensions*.
Each browser does this slightly differently. Cisco has a great post here
http://umbrella.cisco.com/blog/2016/06/16/finding-browser-extensions-find-evil/
to help you track them down in Chrome and IEv11. Make sure you don't have
anything more than you really need to get your work done. Second, *keep your
browser version updated*. Most of the modern browsers will warn you when it's
time for an update, and don't tarry when you see that warning. Finally, *be
aware of anything odd* when you bring up a web page: look closely at the URL
and any popups that are displayed.  Granted, this can get tedious, but you
are ultimately safer.


Credit-card skimmers now need to fear the Reaper. (Ars Technica)

Monty Solomon <monty@roscom.com>
Mon, 20 Aug 2018 12:52:08 -0400
SkimReaper, subject of a USENIX Security paper, detects most common card
skimmers.

https://arstechnica.com/information-technology/2018/08/researchers-develop-device-to-aid-in-hunt-for-stealthy-atm-card-skimmers/


Caring for Aging Parents, With an Eye on the Broker Handling Their Savings. (NYTimes)

Monty Solomon <monty@roscom.com>
Sat, 25 Aug 2018 09:44:38 -0400
How one woman discovered excessive and unauthorized trading in a fund meant
to support her mother and father in their later years.  Their money manager
was ripping them off, making large numbers of small trades and pocketing the
fee.  [PGN-ed]

https://www.nytimes.com/2018/08/24/business/brokers-excessive-trading-retirement.html


Comments on RISKS-30.79

Chris Drewe <e767pmk@yahoo.co.uk>
Tue, 21 Aug 2018 22:40:39 +0100
1. Traceability (Vint Cerf)

In recent months in the UK there's been a campaign in some sections of the
media for social networking sites to have a legally-mandated duty of care,
mainly aimed at protecting children and young people (under-18s in this
context), e.g.: https://www.telegraph.co.uk/duty-of-care-campaign/ (Some of
it behind paywall.)  Also, the EU is becoming involved:
http://www.dailymail.co.uk/news/article-6079547/Web-giants-ordered-delete-extremist-material-hour-face-fines.html

Many of the demands for age-related controls are quite specific, such as
parental controls, hours-per-day limits (even a curfew) and barring of
sexually-explicit material, and then there are the usual concerns about
bullying, grooming, suicide, etc. and of course the "billions of $$$$s in
profits made by the social media giants".

More generally, there are suggestions that ISPs, search engines, and
suchlike should have legal responsibilities as publishers ("they can't keep
hiding behind the feeble excuse of just being communications channels"), and
thus be required to prevent trolling, fake news, the transmission of
undesirable material, such as terrorist information, attempting to
influence countries' elections, and so forth.  Reportedly, the UK government
is putting together a new Data Communications Act with a view to making it
law in late 2019.

Other RISKS readers will know more than me here, but I'm not sure how
practical all of this is.  It appears that anybody offering Internet access
will have to verify the identity and age of any under-18 users, *and* who is
their legal parent or guardian who can set whatever access controls are
needed (lots of data-protection issues), *and* ensure that they can't set up
illicit duplicate accounts under different identities, *and* do this for all
countries, unless we have Chinese-style firewalls, which is where Vint
Cerf's traceability may come in.

For the 'publisher' issues, there must be billions of web sites out there
and millions of them are added or changed every day, so much of the Internet
could be unreachable if we're only allowed to look at sites which have been
carefully editorially screened and fact-checked.  Then there are the age-old
debates about what actually is fake news and how one person's freedom of
expression is another person's hate crime; who decides, and who pays the
legal bills?

Complying with all of these requirements must increase the operating costs
of ISPs, search engines, social networking sites, and so forth, and may well
reduce their traffic and advertising revenues, so how will they make up for
this?  (As I've posted here before, billing customers is quite a costly
business.)

As ever, it's a bit difficult to distinguish legitimate concerns which
should be addressed and virtue-signalling with different groups of
campaigners competing to see who can be toughest and most uncompromising,
but I hope that we don't end up with North Korea looking like a beacon of
freedom...

2. Re: The Ordinary License Plate's Days May Be Numbered (Shapir, RISKS-30.78)

This is connected with another risk.  When Internet access and e-mail at
home were becoming popular 15-20 years ago, it seemed (at least in the UK)
as if everybody and his dog was offering a service, not only tech companies
but some other household names like supermarkets, presumably to be seen to
be keeping up with the times (with the actual service provided on a
white-label basis by regular ISPs).

In recent years many of these have closed down, including long-established
providers like Orange and O2 (cellphone companies), Freeserve, Wanadoo, and
Tesco.net (a supermarket, due to close its Internet service in October this
year), which means that their e-mail addresses no longer work.  Of course
notifying regular contacts with a change of e-mail address is a chore, but
there's the risk of forgetting less-often used ones such as insurance
companies who may only be contacted once a year or so, leading to the sort
of problems mentioned above.

Some people set up their own domains so they can transfer their e-mail address
between ISPs—fine for businesses, but I'm not sure how practicable it is
for individuals.


Re: Yet another squirrel incident (Thorson, RISKS-30.80)

Gene Wirchenko <genew@telus.net>
Tue, 21 Aug 2018 15:10:50 -0700
I have a partial solution.  Wrap live electrical lines around the
fiber-optic cables.  That might help knock hacker squirrels out of the gene
pool.


Re: Second-hand Land-Rover data may stay under control of first owner

Benoit Goas <goasben@hawk.iit.edu>
Sun, 19 Aug 2018 21:50:07 +0200
There is a follow-up story at
https://www.theregister.co.uk/2018/08/09/connected_car_legal/ In comments,
they also add risks with the car media center, especially for rental cars
(why upload your phone contacts there, and why not delete them when
selling/giving back the car?), and with driving fees like highway fees (with
the Dartford Crossing charges as the specific example), when they are based
on the unchanged license plate number.


Re: What3words: putting geographical addresses behind a closed API

Eli the Bearded <*@eli.users.panix.com>
Mon, 20 Aug 2018 20:12:48 -0400
Dan Jacobson pointed out the issues of closed APIs to co-ordinate
systems by pointing to the criticism of what3words here:
> http://wiki.openstreetmap.org/wiki/What3words

But this is a more significant flaw, I believe, in that system. Their own *about*
page says:

https://what3words.com/about/
    To avoid confusion, similar sounding addresses are also placed as
    far from each other as possible.

It accompanies that with a map showing table.chair.lamps and
table.chair.lamp being on different continents. But it didn't take
long to find a simple transposition for which both spots are very
close on a global scale.

Consider this, which is in Singapore:

https://map.what3words.com/slower.linen.live

If you transpose the last two words of the first triplet, that's in
Michigan, a respectable distance away:

https://map.what3words.com/slower.live.linen

But transpose the first two and you're less than 50km away, and still
in Singapore:

https://map.what3words.com/linen.slower.live

I think that's far too close to pass a "similar sounding addresses
are far apart" test. And how many other near misses lurk within this
system? There's no easy way to find out.


Re: Child drownings in Germany linked to parents phone fixation (RISKS-30.80)

"Wendy M. Grossman" <wendyg@pelicancrossing.net>
Fri, 24 Aug 2018 21:38:31 +0100
However, note that the article ends by saying that a related problem is that
parents working two jobs no longer have time to take their kids to swimming
lessons and as a result many fewer people in Germany know how to swim.

Might this not be the more important cause?
