The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 83

Thursday 13 September 2018

Contents

Takeaways from Bruce Schneier's new book
Tim Starks
How to Rig an Election
Victoria Collier - Harpers
John Kerry: 2004 Vote Tampering in Ohio?
PGN
Crypto Wars, Again—and again, and again, and again ...
Rob Slade
MSpy, Which Builds Software To Spy On Phones, Allegedly Leaked Millions Of Records
Gizmodo Australia
Officials unveil new facial recognition system at Dulles International Airport
WashPost
Israel's National Insurance suspends plan for spy system
Haaretz
Your canines' barks may be worse than their bites
DefenseOne
Japan Embraces eVTOL Vision
Mary Grady
"Tesla sued: Woman wants $300k for crashing on Autopilot while reading phone"
Liam Tung
Driver: GPS Made Me Go Wrong Way Onto I-93, Crash
Patch
Wireshark fixes serious security flaws that can crash systems
Charlie Osborne
"Premera Blue Cross accused of destroying evidence in data breach lawsuit"
ZDnet
Vicious Rumors Spread Like Wildfire On WhatsApp—And Destroyed A Village
Buzzfeed
"Vodafone: You used 1234 as your password and were hacked? You cover the cost"
Charlie Osborne
"MEGA.nz Chrome extension caught stealing passwords, cryptocurrency private keys"
Catalin Cimpanu
Tens of iOS apps caught collecting and selling location data
ZDNet
The EU's copyright plans will let anyone mass-censor the Internet
Boingboing
The story of why Chrome and Firefox will soon block sites with certain SSL certificates
Templarbit
While Cybercriminals Continue To Target Real Estate Transactions, Take These Protective Measures
Forbes
The explosive problem with recycling old electronics
WashPo
Didi Chuxing introduces new safety measures after passenger death
Cyrus Lee
Are Digital Devices Altering Our Brains?
Scientific American
These People Were Just Trying To Get To Maui When They Got On Horrible Flight Where Everything Went Wrong
Buzzfeed
BA Hack Leaves Airline Open to Fines Under Tough Data Rules
Bloomberg
New Home Dream Destroyed: Fraud Victims Fighting Back After Losing $89,000
NBC Bay Area
Google's Doors Hacked Wide Open By Own Employee
Forbes
São Paulo subway operator gets sued for collecting passenger data
Angelica Mari
Frustration and Finger-Pointing as GOP Pulls Out of Deal Talks on Hacked Materials
NYTimes
Huawei busted for cheating over P20, Honor Play performance benchmarks
Liam Tung
A stranger meant to donate $15 to a GoFundMe page. He accidentally gave more than $15,000
WashPost
"'Father of Zeus' Kronos malware exploits Office bug to hijack your bank account"
Charlie Osborne
Logged off: meet the teens who refuse to use social media
The Guardian
Watch: Rascally Rat Jumps and Pulls Fire Alarm at DC Condo
NBC DC
Two Daily WTF Comments
Gene Wirchenko
Re: How FireEye Helped Facebook Spot a Disinformation Campaign
Richard Stein
Re: How do you get people to trust autonomous vehicles?
Martyn Thomas
Re: What3words: putting geographical addresses behind a closed API
Dan Jacobson
Re: Personal domain names
Keith F. Lynch
Re: The Untold Story of NotPetya, the Most Devastating Cyberattack in History
Dan Jacobson
Info on RISKS (comp.risks)

Takeaways from Bruce Schneier's new book (Tim Starks)

"Peter G. Neumann" <Peter.Neumann@sri.com>
Tue, 11 Sep 2018 16:33:12 -0700
Tim Starks, Politico 11 Sep 2018  [Two excerpts]
With help from Mike Farrell, Eric Geller and Martin Matishak
https://www.politico.com/newsletters/morning-cybersecurity/2018/09/11/takeaways-from-bruce-schneiers-new-book-336012

FIX THE INTERNET BEFORE IT FIXES US—Technologist Bruce Schneier is out
with his latest book and his most alarming title yet: "Click Here to Kill
Everybody."  In fact, it's one of the most ominous in the entire
cybersecurity canon.  Even in his introduction, Schneier admits to
hyperbole, yet writes the title isn't without merit since "we're already
living in a world where computer attacks can crash cars and disable power
plants—both actions that can easily result in catastrophic deaths if done
at scale."

So, OK, it's scary.  In this outing, published last week, Schneier digs into
the dangers posed by the rapid spread of Internet connectivity into all our
things. But since he doesn't think the marketing term "Internet of things"
is encompassing enough, he coined his own term: Internet+. If you've
followed Schneier's career or seen his many talks at cybersecurity
conferences, much of what he's writing about won't seem new. And since
that's probably many of you, we're going to highlight just a few of his policy
recommendations (there are many more in the book) and predictions (more of
those, too) when it comes to fixing what he calls the "sloppy state of
Internet+ security."

Cybersecurity requires its own government agency. Schneier writes that
government is "by far the most common way we improve our collective
security." So, he's proposing a National Cyber Office that would not have
regulatory power (at least not initially) but would offer advice, direct
research, convene meetings and set policy priorities. "There is significant
historical precedent in the US for this idea," he writes. "New technologies
regularly lead to the formulation of new government agencies. Trains
did. Cars did. Airplanes did. The invention of radio led to the formation of
the Federal Radio Commission, which became the Federal Communications
Commission. ... The value of a single agency is considerable. The
alternative is to craft Internet+ policy ad hoc and piecemeal, in a way that
adds complexity and doesn't counter emerging threats."

Regulation is inevitable. Regulation is problematic. A largely
regulation-free tech industry may soon be a thing of the past, Schneier
writes. And there are lots of reasons why he sees regulation on the
horizon. One reason is that Internet+ security is a public safety issue—and
that tends to get governments' attention. But he also worries regulation
will be problematic and could hamper the speed at which tech companies
innovate. "We don't want to—and can't—stop technological progress, but
we can make deliberate choices between technological futures, or speed up or
delay certain technologies with respect to the others."

Prioritize defense, not offense. Schneier argues that if governments want to
take a leading role in improving cybersecurity, "they need to switch their
thinking and start prioritizing defense." Currently, he says, the U.S. wants
to maintain the Internet for offensive purposes, ensuring that agencies such
as the NSA can eavesdrop on other nations. "With few exceptions, we all use
the same computers and phones, the same operating systems, and the same
applications. We all use the same Internet hardware and software. There is
simply no way to secure US networks while at the same time leaving foreign
networks open to eavesdropping and attack," he writes. But, he says, if the
U.S. shifts its priorities to defense, the Internet will be more secure for
everyone (see below for more on that idea). "We need to recognize that the
security benefits of a secure Internet+ greatly outweigh the security
benefits of a vulnerable one."  [...]

LOTS MORE WORK TO DO—Leading tech companies want the U.S. government and
other major powers to set limits on their exploitation of digital
vulnerabilities for intelligence gathering and disruptive operations.

"To strike an appropriate balance between risks and benefits, governments
should optimize investing in defensive rather than offensive technologies
and develop policies that clearly define how they acquire, retain, and use
vulnerability information," wrote members of the Cybersecurity Tech Accord,
including Microsoft, Facebook, Dell, Cloudflare, Cisco and HP. Specifically,
the companies want every nation to evaluate its stockpile of secretly
identified flaws using a process like the U.S. government's Vulnerabilities
Equities Process [VEP]. It also wants the countries to "make public the
criteria used in determining whether to disclose a vulnerability or not," in
addition to reviewing withholding decisions every six months.

The Trump administration's 2017 VEP update does not do enough, the Tech
Accord members said. For one thing, the new VEP does not explain "its
calculus for assessing the broader economic impact when it discovers or
acquires a vulnerability, including not only how it measures direct impacts
to consumers but also economic security issues related to the resilience and
reliability of the global technology ecosystem." And, the companies added,
the VEP still doesn't address the long-term consequences of an improper
vulnerability disclosure, like the leak of government hacking tools.

"The signatories of the Tech Accord have always believed that protecting the
public interest in cyberspace requires robust collaboration between the
government and private sectors," the companies wrote. "When the government
approach to vulnerabilities favors stockpiling over disclosure, this
critical collaboration is weakened, and we risk losing the public's trust in
cyberspace. For technology companies and for technology developers, to be
effective partners in protecting users, they must be active participants in
the awareness and mitigation of new vulnerabilities."


How to Rig an Election (Victoria Collier, Harpers)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 11 Sep 2018 12:36:53 PDT
  [This item is included as a history lesson for our newer readers, although
  it should be well known to anyone who has worked seriously on election
  integrity.  Surprisingly, this is the first item on the dark side of the
  Urosevich brothers to appear in RISKS, although Bob was quoted in
  RISKS-22.25.  PGN]

The sheer unreliability of this new technology is only half the problem.
The other half is a series of mergers and acquisitions that have further
centralized the voting-machine industry over the past decade or so.
Election Day is now dominated by a handful of secretive corporations with
interlocking ownership, strong partisan ties to the far right, and
executives who revolve among them like beans in a shell game.

Bob and Todd Urosevich are hardly household names. Yet the two brothers have
succeeded in monopolizing American election technology for decades through a
pair of supposedly competing corporations: the Ohio-based Diebold and the
Nebraska-based ES&S. The latter was founded by the Urosevich brothers in
1979 and is headquartered in Omaha... It is also, let us recall, the same
company that may have won Chuck Hagel his Senate seat.

Diebold became the most infamous name in the industry in 2003, when its CEO,
Walden O'Dell, a top fund-raiser for George W. Bush, made a jaw-dropping
public promise to "deliver" Ohio's electoral votes to Bush.  The following
year, California banned Diebold's touchscreen system, and Secretary of State
Kevin Shelley blasted the company as fraudulent, despicable, and deceitful.
O'Dell stepped down in 2005, right before the filing of a class-action suit
that accused Diebold of fraud, insider trading, and slipshod quality
control.

Concerned about its tarnished brand, the company removed its label from the
front of voting machines. Then Diebold went one step further and changed
the name of its voting-machine division to Premier Election Solutions.

In 2009, Diebold, which makes ATMs and other security systems, got out of
the elections business altogether, selling Premier to ES&S. Here was a
windfall for the Urosevich brothers in more than one sense: Bob had
decamped to Diebold in 2002, when the company bought Global Election
Systems, where he then served as president. Todd, meanwhile, remained at
ES&S. This cozy arrangement was disrupted by a Justice Department antitrust
intervention, which forced ES&S to split ownership of Premier with
Dominion, the next big name in election technology. A month later, the deck
was shuffled once again with Dominion's purchase of Sequoia.*

  *At the time of the purchase, Dominion absorbed some key staffers from
  Sequoia, among them Edwin B. Smith, who now serves as Dominion's vice
  president of certification and compliance. In 2008, Smith threatened legal
  action against two computer scientists hired by an association of New
  Jersey election clerks to examine malfunctioning Sequoia touchscreen
  machines. The following year, in a farcical conflict of interest, he was
  appointed to the EAC's Technical Guidelines Development Committee, which
  helps determine which specific voting machines should be certified for
  use.

Between them, Dominion and ES&S now count the majority of American ballots.
There are, of course, newer technologies in development, including Web-based
voting. This latest innovation is being peddled by the Spanish-owned Scytl,
which named Bob Urosevich managing director of its Americas division in
2006.

One would think (or hope) that a private industry entrusted with America's
votes would require the highest degree of personal integrity from its
employees. As it happens, many of the key staffers behind our major
voting-machine companies have been accused or convicted of a dizzying array
of white-collar crimes, including conspiracy, bribery, bid rigging,
computer fraud, tax fraud, stock fraud, mail fraud, extortion, and drug
trafficking.

In 2001, for example, a grand jury indicted Philip Foster, Sequoia's
southern regional sales manager, for malfeasance and conspiring to launder
money. During the previous decade, he had facilitated a kickback scheme
that funneled payments to a Louisiana elections official, who purchased
Sequoia equipment while winking at millions of dollars in overcharges. The
scheme, which also involved Foster's brother-in-law and fellow Sequoia
employee David Philpot, was hardly an advertisement for the company. Yet
Foster, who gained immunity for his testimony against the elections
official, not only avoided jail time but was promoted to vice president of
sales administration and strategies at Sequoia.

One high achiever actually got his start in prison. Jeffrey Dean's
vote-by-mail software—developed while Dean was serving a sentence for
twenty-three counts of embezzlement—came to dominate the U.S.
absentee-voting market. Once out of prison, Dean launched his own
ballot-printing company with narcotics trafficker John Elder. They later
sold it to Global Election Systems, where, readers will recall, Bob
Urosevich served as president and COO, before the company was sold to
Diebold.

This leads us to a crazy-making realization. Although many felons (and prior
felons) can't cast a ballot in America—an estimated 6 million citizens
will be disenfranchised in 2012 due to felony convictions—these
particular felons are apparently free to design and manage our entire
elections industry.


John Kerry: 2004 Vote Tampering in Ohio?

"Peter G. Neumann" <Peter.Neumann@sri.com>
Tue, 11 Sep 2018 16:19:52 -0700
Politico, 11 Sep 2018
<http://go.politicoemail.com/%3Fqs%3D0d02fbfab9b52d3427d2bdfabbb4c272b9e1e6a54a0fa95781983658d946b5fd8ec7abe830fc569b506961e90df59c26>

On Monday, DHS officials such as Secretary Kirstjen Nielsen and Chris Krebs,
undersecretary of DHS's National Protection and Programs Directorate,
pledged their support to local election officials at the conference and
emphasized that the department prioritizes election security. While some
believe the relationship between the federal government and state and local
election officials has improved, Former Secretary of State John Kerry said
there were election irregularities in Ohio during the 2004 presidential race
and suggested tallies had been altered and voting machines were vulnerable
to hackers.
<http://go.politicoemail.com/%3Fqs%3D0d02fbfab9b52d344450307a211e07be70d8be3786f2a9edb227aec6dca12d7b359a0defaf672456f689a5f19d884f80>

"We knew that of the provisional votes that were waiting to be counted, or
able to be counted, we didn't have the numbers necessary to have the margin
-- according to what they had decided to count, or the way the machines came
in. The problem for us was we were doubting whether the machines themselves
had been appropriately measured and whether the algorithm was correct," he
said during an interview on WNYC's Brian Lehrer Show.

"We were told by the court that you were not able to get that algorithm, to
check it, because it was proprietary information. And I believed that it was
absolutely incorrect that ... the election for the presidency of the United
States should somehow be the purview of privately owned machines where the
public doesn't have the right to know whether the algorithm's been checked,
or whether they are hackable or not. And we now know they are hackable."

  [In his new book, *Every Day is Extra*, John Kerry mentions Swift-Boating,
  which has been noted previously as an earlier example of the effects of
  disinformation on elections.  PGN]


Crypto Wars, Again—and again, and again, and again ...

Rob Slade <rmslade@shaw.ca>
Tue, 4 Sep 2018 18:21:56 -0700
I lived through the crypto wars, 1990s edition.
https://en.wikipedia.org/wiki/Crypto_Wars
I remember the Clipper Chip, Skipjack, and the LEAF (Law Enforcement Access
Field).  I remember that, after the NSA spent millions of dollars, and years
and years, developing it, it took the crypto community *three weeks* to
figure out that there was a flaw in it.  (And, ironically, the flaw was not
in Skipjack, per se.  As far as anyone knows, Skipjack is still a reasonably
decent medium strength crypto algorithm.  The flaw was in the LEAF, the
whole reason for the project in the first place.  It's trivially easy to
spoof the LEAF.)

But it seems we are going to have this all over again.  LE and the spooks
still think they need access to everything everyone says, all the time.
https://techcrunch.com/2018/09/03/five-eyes-governments-call-on-tech-giants-to-build-encryption-backdoors-or-else/
or https://is.gd/lUftcH

I remember "The Electronic Privacy Papers."
http://victoria.tc.ca/int-grps/books/techrev/bkelprpa.rvw

(Still got a copy of that, too.)  I remember the page that has the results
of a request for info about wiretaps that were impeded by crypto.  Except
for the table frame itself, and the column headings, every piece of info on
it is blacked out.

I remember Dorothy Denning, who was on the LE side at the beginning of the
crypto wars.  But, good scientist that she is, she asked for cases from LE
where they couldn't get a conviction because of crypto.  Nobody could give
her any.

I remember PGP, and the threats to throw Phil Zimmermann in jail because of
ITAR.  And I've got a copy of "PGP: Source Code and Internals" by Phil,
published by MIT Press,
https://www.amazon.ca/PGP-Internals-Philip-R-Zimmermann/dp/0262240394/
and available anywhere in the world because it was a book and therefore
protected by the holy First Amendment.  (For those who don't get the joke it
was simply a printed copy of the PGP source code.)

I also remember that the 1990s version of the crypto wars ended not because
of all of our reasoned arguments about how stupid crypto regulations were,
but because American businesses told the government that non-American
businesses were going to build crypto anyway, and if the regs were in place
Americans couldn't compete in business.  *That* got their attention ...
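
  [Slade's remark that the LEAF was trivially easy to spoof is worth making
  concrete, because the same failure (an integrity check too short to resist
  guessing) recurs in every "exceptional access" design.  The LEAF was 128
  bits: the 80-bit Skipjack session key encrypted under the chip's unit key,
  a 32-bit unit ID, and a 16-bit checksum.  As Matt Blaze showed in 1994, the
  receiving chip could only verify that checksum, so a rogue sender who
  emitted random LEAFs and used the peer's acceptance as an oracle needed
  about 2**16 tries to get one accepted; the escrow agents, decrypting it
  later, would find garbage in the key field.  The toy below is an added
  example written for this digest, not Slade's code nor anything from the
  Clipper programme: the checksum function (a truncated HMAC) and the XOR
  "unit-key encryption" are stand-ins for the classified originals, and only
  the field layout is the published one.  PGN]

```python
"""Toy model of the Clipper LEAF checksum weakness (added example).

The peer chip can check only the 16-bit checksum; it holds no unit key, so it
cannot tell a real encrypted-key field from random bytes.  The checksum and
the XOR "encryption" are stand-ins, not the chip's classified functions.
"""
import hashlib
import hmac
import random

# Published LEAF layout (128 bits): E_unit(80-bit session key) || 32-bit
# unit ID || 16-bit checksum.
KEY_BYTES, ID_BYTES, CS_BYTES = 10, 4, 2
LEAF_BYTES = KEY_BYTES + ID_BYTES + CS_BYTES


def leaf_checksum(session_key: bytes, iv: bytes, body: bytes) -> int:
    """Stand-in for the chip's 16-bit checksum (assumption: any 16-bit
    function gives the same 2**-16 acceptance odds for a random LEAF).
    The peer knows session_key and iv from the key exchange, so it can
    recompute this without any escrow secret."""
    mac = hmac.new(session_key, iv + body, hashlib.sha256).digest()
    return int.from_bytes(mac[:CS_BYTES], "big")


def honest_leaf(session_key: bytes, iv: bytes, unit_key: bytes, unit_id: bytes) -> bytes:
    """What a compliant chip emits.  XOR stands in for encryption under the
    per-chip unit key (toy substitution, not Skipjack)."""
    enc_key = bytes(a ^ b for a, b in zip(session_key, unit_key))
    body = enc_key + unit_id
    return body + leaf_checksum(session_key, iv, body).to_bytes(CS_BYTES, "big")


def receiver_accepts(leaf: bytes, session_key: bytes, iv: bytes) -> bool:
    """All the peer chip can verify: that the 16-bit checksum matches."""
    body, cs = leaf[:-CS_BYTES], int.from_bytes(leaf[-CS_BYTES:], "big")
    return cs == leaf_checksum(session_key, iv, body)


def escrow_recover(leaf: bytes, unit_key: bytes) -> bytes:
    """What the escrow agents do with a warrant and the unit key: undo the
    (toy) unit-key encryption of the key field.  On a forged LEAF this
    yields random bytes, not the session key."""
    enc_key = leaf[:KEY_BYTES]
    return bytes(a ^ b for a, b in zip(enc_key, unit_key))


def forge_leaf(session_key: bytes, iv: bytes, seed: int = 0):
    """Rogue sender: emit random 128-bit LEAFs and use the peer's acceptance
    check as an oracle until one passes.  Expected 2**16 attempts; no unit
    key or family key is needed.  Returns (leaf, attempts)."""
    rng = random.Random(seed)
    attempts = 0
    while True:
        attempts += 1
        candidate = rng.getrandbits(8 * LEAF_BYTES).to_bytes(LEAF_BYTES, "big")
        if receiver_accepts(candidate, session_key, iv):
            return candidate, attempts


if __name__ == "__main__":
    rng = random.Random(2018)
    sk = rng.getrandbits(80).to_bytes(KEY_BYTES, "big")
    iv = rng.getrandbits(64).to_bytes(8, "big")
    uk = rng.getrandbits(80).to_bytes(KEY_BYTES, "big")
    good = honest_leaf(sk, iv, uk, b"\x00\x00\x00\x07")
    bad, n = forge_leaf(sk, iv, seed=2018)
    print("honest LEAF accepted:", receiver_accepts(good, sk, iv))
    print("forged LEAF accepted:", receiver_accepts(bad, sk, iv), "after", n, "tries")
    print("escrow recovers real key from forgery:", escrow_recover(bad, uk) == sk)
```

  [The point of the model is the ratio: the peer's check costs the attacker
  one oracle call, and 2**16 calls is minutes of work even on 1994 hardware,
  while the escrow agents have no way to notice that the key field they
  later recover is noise.  PGN]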


MSpy, Which Builds Software To Spy On Phones, Allegedly Leaked Millions Of Records (Gizmodo Australia)

Gabe Goldberg <gabe@gabegold.com>
Sat, 8 Sep 2018 20:33:29 -0400
mSpy, a company that sells software designed to let users spy on their
children, partners, or anyone else they want to keep their eye on, left
exposed more than two million records "including software purchases and
iCloud usernames and authentication tokens of devices running mSky [sic*],"
TechCrunch reported.

https://www.gizmodo.com.au/2018/09/mspy-which-builds-software-to-spy-on-phones-allegedly-leaked-millions-of-records/

  [* Spy-in-Sky?  sick transfer glorious Monday?  PGN]


Officials unveil new facial recognition system at Dulles International Airport (WashPost)

Monty Solomon <monty@roscom.com>
Fri, 7 Sep 2018 09:45:18 -0400
Officials say the new system will eliminate the need for old-school boarding
passes.  But the airport's embrace of the technology is raising concern among
privacy advocates.

https://www.washingtonpost.com/transportation/2018/09/06/officials-unveil-new-facial-recognition-system-dulles-international-airport/

    [Identical text submitted by Gabe Goldberg.  PGN]

  [See also *Big Brother in Berlin*, Janosch Delcker, Politico.EU, 13 Sep
  2018, which notes that Berlin's railway station is now conducting an
  experiment to compare people's faces with a digital database—with
  "mixed results".  (The item is still not up on his website:
    https://www.politico.eu/staff/janosch-delcker/
  as I write this, many hours later.  PGN)]


Israel's National Insurance suspends plan for spy system (Haaretz)

Amos Shapir <amos083@gmail.com>
Thu, 6 Sep 2018 17:33:17 +0300
Israel's National Insurance Institute (similar to US Social Security) had
announced it is suspending a tender requesting offers for a system designed
to track down people who apply for disability compensation.

According to leaked documents, the system's expressed purpose is to prevent
fraud, but the request specified that the system should have the ability to
track people in all social media, including closed groups, private sites,
and hidden locations (a.k.a. "the Dark Net").

Source (in Hebrew, I couldn't locate an English version):
https://www.haaretz.co.il/captain/net/.premium-1.6455812


Your canines' barks may be worse than their bites (DefenseOne)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 11 Sep 2018 9:08:52 PDT
https://www.defenseone.com/technology/2018/09/military-now-has-tooth-mics-invisible-hands-free-radio-calls/151145/


Japan Embraces eVTOL Vision (Mary Grady)

Gabe Goldberg <gabe@gabegold.com>
Fri, 7 Sep 2018 15:47:55 -0400
https://cdn.avweb.com/media/newspics/325/p1cmii9e8kmm13pd9jq14bestu6.png

Uber Elevate held its first Asia Pacific Expo last week, in Tokyo, where
government officials said they are on board with the vision of creating
urban transport systems with autonomous eVTOLs. "We see much potential in
flying cars," said Daisaku Hiraki, a vice-minister with Japan's Ministry of
Economy, Trade and Industry. "I believe public and private sectors,
including companies outside of Japan, should work collaboratively to develop
this new technology." Uber Elevate also named five finalists for the first
international city to launch Uber Air services, and announced it will
experiment with drone delivery.

Uber already has said it is working to test its aerial taxi service in
Dallas and Los Angeles by 2020. The short list for the first international
test site includes Japan, India, Australia, Brazil and France. Uber also is
exploring the use of drones for its Uber Eats service, which provides quick
home delivery of takeout meals. "Uber sees a compelling opportunity to
bring the same benefits that urban aviation will bring its ride-sharing
business to its food-delivery business," according to the company's news
release. "By taking to the air, Eats will be able to offer faster, farther
reaching, more affordable, and more reliable deliveries to more customers
and restaurants across the world."

  [With respect to the subject line of this item, we hope that the vision of
  autonomous flying vehicles is far better than the vision of the government
  officials.  However, the likelihood of trustworthy autonomous flying
  e-VTOLs must also be significantly greater than that of flying pigs.  PGN]


"Tesla sued: Woman wants $300k for crashing on Autopilot while reading phone" (Liam Tung)

Gene Wirchenko <genew@telus.net>
Mon, 10 Sep 2018 10:58:44 -0700
  I think that Tesla's attempts to thin the herd are not working very well.

https://www.zdnet.com/article/tesla-sued-woman-wants-300k-for-crashing-on-autopilot-while-reading-phone/

Liam Tung | 7 Sep 2018
Tesla accused of negligence for selling a car, in this case a Model S, that
failed to function as advertised.

opening text:

A Utah woman who crashed her Model S into a stationary firetruck in May is
suing Tesla for damages, claiming she was informed that in Autopilot mode
the car would automatically brake if it detected an obstacle in its path.
The woman, Heather Lommatzsch, has alleged that Tesla salespeople told her
this when she bought the Model S in 2016, but that before the crash the
Tesla "failed to engage as advertised".  In an interview with South Jordan
police after the crash, Lommatzsch admitted she was looking at her phone
before the collision, and witnesses said the Tesla didn't brake or attempt
to avoid the crash.


Driver: GPS Made Me Go Wrong Way Onto I-93, Crash (Patch)

Gabe Goldberg <gabe@gabegold.com>
Sat, 8 Sep 2018 16:13:21 -0400
https://patch.com/virginia/fairfaxcity/s/gi9p9/nh-driver-gps-made-me-go-wrong-way-i-93-crash

How many signs and other visual clues must have been ignored. "GPS made
me..."

GPS, 1; Common Sense, 0


Wireshark fixes serious security flaws that can crash systems (Charlie Osborne)

Gene Wirchenko <genew@telus.net>
Tue, 04 Sep 2018 17:57:43 -0700
Charlie Osborne for Zero Day | 3 Sep 2018
Wireshark fixes serious security flaws that can crash systems through DoS
Proof-of-concept code detailing related exploits has been released to the
public.
https://www.zdnet.com/article/wireshark-fixes-serious-security-flaws-that-can-crash-the-system-cause-dos/


"Premera Blue Cross accused of destroying evidence in data breach lawsuit" (ZDnet)

Gene Wirchenko <genew@telus.net>
Tue, 04 Sep 2018 18:02:36 -0700
Catalin Cimpanu for Zero Day | 3 Sep 2018
https://www.zdnet.com/article/premera-blue-cross-accused-of-destroying-evidence-in-data-breach-lawsuit/
Class-action lawsuit plaintiffs claim US health insurer Premera Blue
Cross intentionally destroyed evidence despite ongoing litigation.

selected text:

The plaintiffs of a class-action lawsuit against health insurance provider
Premera Blue Cross are accusing the organization of "willfully destroying"
evidence that was crucial for establishing accurate details in a security
breach incident.

In court documents filed last week obtained by ZDNet, plaintiffs claim that
Premera intentionally destroyed a computer that was in a key position to
reveal more details about the breach, but also software logs from a security
product that may have shown evidence of data exfiltration.

Establishing if hackers stole data from Premera's systems is crucial for the
legal case. Breach victims who are part of the class action will be able to
claim a right to monetary compensation, while Premera may argue that since
hackers did not steal data from its servers, there is no tangible harm to
victims.


Vicious Rumors Spread Like Wildfire On WhatsApp—And Destroyed A Village (Buzzfeed)

Gabe Goldberg <gabe@gabegold.com>
Mon, 10 Sep 2018 16:19:17 -0400
https://www.buzzfeednews.com/article/pranavdixit/whatsapp-destroyed-village-lynchings-rainpada-india


"Vodafone: You used 1234 as your password and were hacked? You cover the cost"

Gene Wirchenko <genew@telus.net>
Thu, 06 Sep 2018 10:41:27 -0700
Charlie Osborne for Zero Day | 6 Sep 2018
https://www.zdnet.com/article/vodafone-you-used-1234-as-your-password-and-were-hacked-you-cover-the-cost/
Vodafone: You used 1234 as your password and were hacked? You cover the cost
Hackers are behind bars for stealing $30,000 from accounts, but
Vodafone wants their victims to pay the tab.

selected text:

If you use a simple, easy-to-guess password such as "QWERTY" or "1234," you
might pay for your mistake by having someone access your online accounts
without permission—and you may also find yourself paying out for
subsequent damages and lost funds.

That is, if Vodafone reportedly has its way.

According to local media idnes.cz, two men were able to access customer
accounts by testing out "1234" as a password, enabling them to order new SIM
cards without permission which were picked up at local branches.

These SIM cards were activated and used in mobile phones without any further
authentication, as the attackers already knew the phone number and name
associated with each compromised account.

According to idnes.cz, Vodafone has argued the customers are at fault as
they are responsible for the strength of their password.

A Vodafone spokesperson told the publication that the default, weak password
was not an automatic element; but rather, employees were able to set up an
account with "1234" if customers could not decide on their password choice
in-store—but they would have been warned to change it to something
stronger later.

The publication reports that some account holders impacted by the scheme
have received debt collectors at their door to recoup lost funds.

"If the account was misused by an unknown offender, the correct procedure is
that the customer will report the situation to the Czech police and file a
criminal complaint," the Vodafone spokesperson said. "Unfortunately, we
cannot compensate for the charged amount."

Jiri Kropac, the head of Threat Detection Labs at ESET, tested the portal on
behalf of Bleeping Computer and confirmed that the portal's inherent
security is poor as a password can only consist of four to six numbers. This
is not difficult to brute-force attack.
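
  [The attack described above is a password spray rather than a brute force
  of one account: a single default PIN tried against many customers, with
  each success immediately monetised as a SIM swap.  Per-account lockout
  never fires on that pattern, and an alert that only counts failures misses
  the successes, which here were the whole point.  As an added example, not
  part of the ZDNet article or the idnes.cz reporting, the detector below
  pivots on the source address over a constructed authentication log; the
  log format and entries are invented for the illustration, and the last
  function simply counts what a four-to-six-digit numeric policy permits.
  PGN]

```python
"""Added example: spotting a default-PIN password spray in auth logs.

Log format and entries are constructed for the illustration; they are not
Vodafone's or anyone else's real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# One source walks through accounts in sequence and gets in where the PIN was
# still the in-store default; the other two sources are ordinary logins.
SAMPLE_LOG = """\
2018-08-02T10:01:03Z src=203.0.113.7 user=cust1001 result=FAIL
2018-08-02T10:01:04Z src=203.0.113.7 user=cust1002 result=OK
2018-08-02T10:01:05Z src=203.0.113.7 user=cust1003 result=FAIL
2018-08-02T10:01:06Z src=203.0.113.7 user=cust1004 result=FAIL
2018-08-02T10:01:07Z src=203.0.113.7 user=cust1005 result=OK
2018-08-02T10:01:08Z src=203.0.113.7 user=cust1006 result=FAIL
2018-08-02T10:03:00Z src=198.51.100.4 user=cust2001 result=FAIL
2018-08-02T10:03:20Z src=198.51.100.4 user=cust2001 result=OK
2018-08-02T10:09:00Z src=198.51.100.9 user=cust3003 result=OK
"""


def parse_line(line: str):
    """'<ts> src=.. user=.. result=..' -> (datetime, src, user, result)."""
    ts, rest = line.split(" ", 1)
    kv = dict(part.split("=", 1) for part in rest.split())
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            kv["src"], kv["user"], kv["result"])


def detect_spray(log_text: str, window: timedelta = timedelta(minutes=5),
                 min_accounts: int = 5) -> dict:
    """Flag every source that authenticated against >= min_accounts distinct
    accounts inside any sliding `window`, counting successes as well as
    failures.  Returns {src: {"accounts": [...], "succeeded": [...]}} so the
    responder also gets the list of accounts that actually opened."""
    events = sorted(parse_line(ln) for ln in log_text.splitlines() if ln.strip())
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))

    flagged = {}
    for src, hits in by_src.items():
        sprayed = set()
        start = 0
        for end in range(len(hits)):            # sliding window per source
            while hits[end][0] - hits[start][0] > window:
                start += 1
            users = {u for _, u, _ in hits[start:end + 1]}
            if len(users) >= min_accounts:
                sprayed |= users
        if sprayed:
            flagged[src] = {
                "accounts": sorted(sprayed),
                "succeeded": sorted(u for _, u, r in hits
                                    if r == "OK" and u in sprayed),
            }
    return flagged


def pin_keyspace(min_digits: int = 4, max_digits: int = 6) -> int:
    """Every password the portal allowed: all digits, 4 to 6 of them."""
    return sum(10 ** n for n in range(min_digits, max_digits + 1))


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(src, "sprayed", len(info["accounts"]), "accounts;",
              "opened:", ", ".join(info["succeeded"]))
    print("numeric 4-6 digit keyspace:", pin_keyspace())
```

  [The window and threshold are tuning knobs; the structural point is that
  the pivot key is the source, not the account, and that the output names
  the accounts to reset and the SIM orders to reverse.  PGN]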


"MEGA.nz Chrome extension caught stealing passwords, cryptocurrency private keys" (Catalin Cimpanu)

Gene Wirchenko <genew@telus.net>
Thu, 06 Sep 2018 10:56:39 -0700
Catalin Cimpanu for Zero Day | 4 Sep 2018

https://www.zdnet.com/article/mega-nz-chrome-extension-caught-stealing-passwords-cryptocurrency-private-keys/

MEGA.nz Chrome extension caught stealing passwords, cryptocurrency private keys
Tainted extension caught stealing passwords for Google, Microsoft, GitHub and
Amazon accounts, but also Monero and Ethereum private keys.

opening text:

The official Chrome extension for the MEGA.nz file sharing service has been
compromised with malicious code that steals usernames and passwords, but
also private keys for cryptocurrency accounts, ZDNet has learned.

The malicious behavior was found in the source code of the MEGA.nz Chrome
extension version 3.39.4, released as an update earlier today.

Google engineers have already intervened and removed the extension from the
official Chrome Web Store, and also disabled the extension for existing
users.


Tens of iOS apps caught collecting and selling location data (ZDNet)

Gabe Goldberg <gabe@gabegold.com>
Mon, 10 Sep 2018 17:21:52 -0400
https://www.zdnet.com/article/tens-of-ios-apps-caught-collecting-and-selling-location-data/

  [See also a WiReD/Ars Technica report:
  iOS apps are secretly sharing location data for profit.  PGN]


The EU's copyright plans will let anyone mass-censor the Internet (Boingboing)

Lauren Weinstein <lauren@vortex.com>
Tue, 11 Sep 2018 09:45:33 -0700
via NNSquad

If the Article 11 "link tax" passes, European news sources are going to find
themselves delisted from search engines (and most other sites) that have a
European point of presence so fast that their heads will spin. Their search
traffic will plummet. Hardly anyone will be willing to pay extortion to keep
listing them. Bye bye! And if Article 13 content filtering passes, not only
will there be massive blacklisting of European users from access to major
sites (sorry, you are not permitted to use this site!), but I predict the
new enforcement engines will be continually inundated with massive amounts
of fake claims that will melt them all into smoldering slag in nothing flat.
Did I say bye bye already? Yep, bye bye again! - L

https://boingboing.net/2018/09/11/free-expression-v-big-content.html

  Combine these facts—anyone can add anything to the blacklists, new
  blacklist entries can be added in bulk, the new entries are in effect the
  instant they're added—and it's easy to see how malicious and
  unscrupulous actors will be able to censor the web with impunity.  Any
  politician who commits a gaffe just before an election; any celeb or
  billionaire caught saying or doing something cruel; any fringe group
  wanting to suppress evidence of their harassment or violent deeds will be
  able to send bots to submit copyright claims to the major platforms faster
  than the human staff at the platforms could remove them, suppressing
  evidence of wrongdoing at crucial junctures.  There's not really any way
  around this. If you're going to filter billions of works that anyone can
  submit, and if the filters have to kick in as soon as works are added,
  then abusers will always have the advantage.  That said, it's important to
  note that the advocates for this plan rejected all proposals to punish
  people who fraudulently claimed copyright in works they didn't own:
  measures from fines to being excluded from making future copyright claims
  were rejected out of hand.


The story of why Chrome and Firefox will soon block sites with certain SSL certificates (Templarbit)

Gabe Goldberg <gabe@gabegold.com>
Mon, 10 Sep 2018 17:25:27 -0400
In the near future, Google Chrome and Mozilla Firefox will begin distrusting
SSL certificates from Symantec, GeoTrust, Thawte, VeriSign, Equifax, and
RapidSSL. This change will take effect when Chrome 70 beta and Firefox 63
beta are released in early September. The stable public release of Chrome 70
and Firefox 63 is slated for October.

https://www.templarbit.com/blog/2018/09/07/the-story-of-why-chrome-and-firefox-will-soon-block-sites-with-certain-ssl-certificates/


While Cybercriminals Continue To Target Real Estate Transactions, Take These Protective Measures (Forbes)

Monty Solomon <monty@roscom.com>
Thu, 6 Sep 2018 16:23:07 -0400
https://www.forbes.com/sites/forbesrealestatecouncil/2018/07/11/while-cyber-criminals-continue-to-target-real-estate-transactions-take-these-protective-measures/

  Also,
  Homebuyers, Beware: Hackers Targeting Real Estate Transactions
https://www.nbcbayarea.com/news/local/Homebuyers-Beware-Hackers-Targeting-Real-Estate-Transactions-486870901.html

  Experts: Virtually All CA Real Estate Transactions Targeted By Hackers
https://www.nbcbayarea.com/news/local/Experts-Virtually-All-CA-Real-Estate-Transactions-Targeted-By-Hackers-487165181.html


The explosive problem with recycling old electronics (WashPo)

Richard Stein <rmstein@ieee.org>
Tue, 11 Sep 2018 13:07:18 -0700
https://www.washingtonpost.com/video/business/technology/the-explosive-problem-with-recycling-old-electronics/2018/09/11/5720df5c-b566-11e8-ae4f-2c1439c96d79_video.html

Thermal events (a.k.a. fires) from lithium-ion batteries (especially from
older generation iPads) arise during the recycling process. Device design
problems complicate disassembly—too much time consumed reduces recycling
profits.


Didi Chuxing introduces new safety measures after passenger death (Cyrus Lee)

Gene Wirchenko <genew@telus.net>
Mon, 10 Sep 2018 11:10:45 -0700
Cyrus Lee, ZDNet
https://www.zdnet.com/article/didi-chuxing-introduces-new-safety-measures-after-passenger-death/

Didi Chuxing's enhanced safety measures follow the suspension of its Hitch
ride-sharing service in late August due to a brutal case in China where a
female passenger was raped and killed by her driver in a Hitch ride.

opening text:

Chinese car-hailing platform Didi Chuxing on Saturday introduced a
whole-ride recording function as a trial and suspended late-night services
for a week, as the largest mobile ride-hailing platform kicks off an
overhaul of its safety practices following the deaths of two passengers in
less than 100 days.

From September 8, Didi launched trials to record audio during rides across
the ride-hailing services available on its platforms in mainland China. Didi
platforms will also be suspended between 11 pm and 5 am from September 8 to
15, a Sina news report has said.

   I wonder if these two things will cause more trouble than they solve.


Are Digital Devices Altering Our Brains? (Scientific American)

Richard Stein <rmstein@ieee.org>
Tue, 11 Sep 2018 13:27:21 -0700
https://www.scientificamerican.com/article/are-digital-devices-altering-our-brains/

A follow on to Nicholas G. Carr's Atlantic article
entitled, "Is Google Making Us Stupid?"

"Some say our gadgets and computers can help improve intelligence.  Others
say they make us stupid and violent. Which is it?"

"Stupid is as stupid does."—Forrest Gump
(https://www.moviequotesandmore.com/forrest-gump-quotes/)

"Violence is the last refuge of the incompetent."—Isaac Asimov,
Foundation (https://www.goodreads.com/work/quotes/1783981-foundation)


These People Were Just Trying To Get To Maui When They Got On A Horrible Flight Where Everything Went Wrong (Buzzfeed)

Gabe Goldberg <gabe@gabegold.com>
Wed, 5 Sep 2018 01:02:27 -0400
Hawaiian Airlines Flight 23 was originally set to take off Friday morning
and was already taxiing when multiple passengers alerted the crew that they
had received a horrifying photo of what appeared to be a dead child facedown
in a crime scene with numerical markers.

At least 15 passengers were sent the gruesome photo, Alameda County Sgt.
Ray Kelly told Buzzfeed News.  The crew showed the images to the pilot, who
made the decision to return to the gate.

It turned out that the photo came from a 15-year-old girl who was trying to
send an image from her high school medical-biology class to her mother, who
was sitting next to her, but accidentally AirDropped the photo to the other
passengers around her. AirDrop allows the instant transfer of files among
supported Apple devices, like iPhones and iPads, as long as the option is
turned on. The "dead" child in the image was actually a mannequin.

"She was telling her mom about the class, and her mom supposedly just got a
new iPhone," Kelly said. "People were a little alarmed by it."

The girl and her mother were not allowed to continue on the flight and were
rebooked on a flight Saturday, Kelly said. They were questioned by officers
from the Alameda County Sheriff's Office, who determined that there was no
actual crime.

https://www.buzzfeednews.com/article/mbvd/these-people-were-just-trying-to-get-to-maui-when-they-got


BA Hack Leaves Airline Open to Fines Under Tough Data Rules (Bloomberg)

Monty Solomon <monty@roscom.com>
Sat, 8 Sep 2018 00:54:59 -0400
https://www.bloomberg.com/news/articles/2018-09-07/ba-hacking-leaves-airline-open-to-fines-under-tough-data-rules


New Home Dream Destroyed: Fraud Victims Fighting Back After Losing $89,000

Monty Solomon <monty@roscom.com>
Thu, 6 Sep 2018 16:24:41 -0400
https://www.nbcbayarea.com/news/local/Fraud-Victims-Demand-Answers-After-Losing-89000-488680331.html


Google's Doors Hacked Wide Open By Own Employee (Forbes)

Monty Solomon <monty@roscom.com>
Fri, 7 Sep 2018 10:15:03 -0400
https://www.forbes.com/sites/thomasbrewster/2018/09/03/googles-doors-hacked-wide-open-by-own-employee/


São Paulo subway operator gets sued for collecting passenger data (Angelica Mari)

Gene Wirchenko <genew@telus.net>
Fri, 07 Sep 2018 10:59:36 -0700
Angelica Mari for Brazil Tech | 6 Sep 2018

https://www.zdnet.com/article/sao-paulo-subway-operator-gets-sued-for-collecting-passenger-data/

Gathering data on public transport users is illegal as it's unauthorized and
people have no choice in the matter, says local consumer rights institute.

selected text:

The Brazilian Institute of Consumer Protection (IDEC) has launched a civil
lawsuit against São Paulo subway operator ViaQuatro around the collection
of passenger data.

The marketing technology launched in April consists of four sets of doors
with screens where customer information is displayed as well as
advertisements, with sensors collecting data on passengers standing in front
of the doors such as emotions, approximate age and gender.

In the civil lawsuit, it is argued that the initiative is illegal, given
that public transport users did not authorize the collection of data - and
had no choice in the matter, given the sensors are placed on the train
doors.

"The case is of overwhelming magnitude. Users have no right to choose:
either they accept the collection of their data, or they have to look for
another way of getting around in the city," says IDEC lawyer and digital
rights expert, Rafael Zanatta.

Zanatta adds the initiative is abusive, since public transport is an
essential service and also violates the Constitution in addition to various
federal laws.


Frustration and Finger-Pointing as GOP Pulls Out of Deal Talks on Hacked Materials (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Fri, 7 Sep 2018 10:12:06 -0400
Leaders of the campaign arms for House Republicans and Democrats had labored
for much of the summer over rules that would have governed how the
committees and their candidates treated such material.

https://www.nytimes.com/2018/09/06/us/politics/house-hacked-materials.html

Petty Republican excuse for abandoning important deal.


Huawei busted for cheating over P20, Honor Play performance benchmarks (Liam Tung)

Gene Wirchenko <genew@telus.net>
Fri, 07 Sep 2018 11:03:05 -0700
Liam Tung | 7 Sep 2018
Our rivals do it, so we had no choice but to follow suit, argues Huawei.

https://www.zdnet.com/article/huawei-busted-for-cheating-over-p20-honor-play-performance-benchmarks/

selected text:

Huawei has been caught tweaking several of its high-end phones, including
the P20 and P20 Pro, to outdo rivals in benchmark tests.  Huawei justified
the technique on the grounds that rivals were doing the same thing and it
had no option but to respond.

Huawei explained that when its software detects a benchmarking app, it goes
into Performance Mode. The company is planning to give users access to this
app too, which at present is hidden.


A stranger meant to donate $15 to a GoFundMe page. He accidentally gave more than $15,000.

Gabe Goldberg <gabe@gabegold.com>
Sat, 8 Sep 2018 20:32:16 -0400
*The Washington Post*
https://www.washingtonpost.com/local/a-stranger-meant-to-donate-15-to-a-gofundme-page-he-accidentally-gave-more-than-15000/2018/09/08/6a3de272-b2bb-11e8-aed9-001309990777_story.html

No plausibility check, no "Are you really sure?" for huge amounts, powerless
and hard to reach "Customer Happiness Team"? Nice.


"'Father of Zeus' Kronos malware exploits Office bug to hijack your bank account" (Charlie Osborne)

Gene Wirchenko <genew@telus.net>
Tue, 11 Sep 2018 10:51:04 -0700
Charlie Osborne for Zero Day | 11 Sep 2018

https://www.zdnet.com/article/new-father-of-zeus-kronos-malware-variant-exploits-office-bug-to-hijack-your-bank-account/

'Father of Zeus' Kronos malware exploits Office bug to hijack your bank
account

The $7000 malware shows there is serious money to be made in the banking
Trojan market.


Logged off: meet the teens who refuse to use social media (The Guardian)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Thu, 6 Sep 2018 10:34:02 -0600
https://www.theguardian.com/society/2018/aug/29/teens-desert-social-media

Excerpt:

  As the first generation to grow up online, Gen Z never had to learn social
  media, or at least not exactly. They glided through every iteration:
  Facebook (2004), Twitter (2006), Instagram (2010) Snapchat (2011) in real
  time, effortlessly adopting each one. But a life lived in pixels from your
  earliest age is no easy thing.

  "You start doing things that are dishonest," says Amanuel, who quit social
  media aged 16. "Like Instagram: I was presenting this dishonest version of
  myself, on a platform where most people were presenting dishonest versions
  of themselves."

  Like Amanuel, Jeremiah Johnson, 18, from Luton, grew weary of the
  pressures of sustaining an online persona. "It's a competition for who can
  appear the happiest," he says. "And if you're not happy and want to vent
  about it on social media, you're attention-seeking."

  After being "bugged" by his friends to get Instagram (he had stopped using
  Facebook aged 16), Johnson joined. He lasted six months. "If you're having
  a bad day and scrolling through it, you're constantly bombarded with
  pictures of people going to parties. Even if that's not an accurate
  portrayal of their lives, that's what you see. So I stopped using it. It
  became depressing. It was this competition of who's the happiest." He
  pauses. "Participating in that is not something I'm interested in."


Watch: Rascally Rat Jumps and Pulls Fire Alarm at DC Condo (NBC DC)

Gabe Goldberg <gabe@gabegold.com>
Mon, 10 Sep 2018 17:42:25 -0400
https://www.nbcwashington.com/entertainment/Watch_-Rascally-Rat-Jumps-and-Pulls-Fire-Alarm-at-DC-Condo_Washington-DC-492773051.html

The risk, besides rats? Too easy to trigger alarms.


Two Daily WTF Comments

Gene Wirchenko <genew@telus.net>
Thu, 06 Sep 2018 10:10:47 -0700
Yes, I know this is not a computer-related risk, but it is not that far off
one.  As technology changes, so do risks.  Some new risks are simply old
ones repackaged.  For example, chain E-mails were originally chain letters.
Be aware.

Here are two comments that were posted at thedailywtf.com to the article
"Classic WTF: Security By Letterhead":

Comment 1:

  My wife tried to move our Cable TV account to a new address.
  This from the company advertising how easy it is.

  Problem is, she isn't officially on the account. They demand that only I
  can make the changes. She has all my info, but they still want to speak to
  me, to make sure I'm ok with it.

  So... they ask if they can call me at home. She's calling from the home
  #. So they ask for my cell number. She gives them my #.

  They call me, ask me if I'm BobbyTables, I say I am, they ask if I will
  allow my wife to change the account. I agree.

  Now she has full access.

  I nearly questioned them when they called me, on how they were sure it was
  really me, but my wife would have killed me.

Comment 2:

  I have had something similar happen to me. I rent an apartment through a
  letting agency who (it turns out) really did change their bank; as a
  result my rent payments would need to go into a new bank account.

  I come home one day to find a letter on the doormat which tells me "Stop
  paying large amounts of money into this bank account, pay it into this
  other one instead!" which obviously, I looked upon suspiciously as not
  only could this be a scam but one that could have me threatened with
  eviction.

  Naturally I get in touch with the letting agency and the conversation went
  something like this:

  Spoad: "Hello I've received a letter claiming to be from you stating that
  you have changed your bank account for rent payments, is this correct?"
  Estate monkey: "Well what are you calling me for?"
  Spoad: "Well I just wanted to check that it was indeed the case."
  Estate monkey: "Duh, of course it is that is why we sent you a letter!"
  Spoad: "Okay then I will redirect my payments immediately, I just wanted to
  check the letter was actually from you."
  Estate monkey: "Well of course it was, it was on our letterhead wasn't it?"

  So yeah, it seems in the world of the bureaucratic dullard, letterheads
  really are considered totally secure.

  What worries me more (although I should have lower hopes for humanity
  after working in IT for so long) is the agent's tone and response implying
  that I was the idiot for phoning, which implies that no-one else did.... So
  presumably if I sent a similar letter to all my neighbours with my bank
  details on, they would just give me their rent money without so much as
  raising an eyebrow... because, you know, letterheads are secure!


Re: How FireEye Helped Facebook Spot a Disinformation Campaign

Richard Stein <rmstein@ieee.org>
Thu, 6 Sep 2018 11:21:32 -0700
Which is the greater risk:

1) FireEye performing an apparent public service, or is this business merely
   serving their contractual (government) masters to advance a specific
   political agenda?

2) The general public's gullibility and inability to independently
   discriminate and avoid incendiary and/or specious information which
   threatens status quo political interests?

Propaganda existed well before the Internet and social media. What did our
predecessors do when faced with lies (e.g., Senator Joseph McCarthy and The
Red Scare)? McCarthy was censured by the Senate and voted out of office
after exposure by the press—a more resilient and trustworthy information
source that proved his mendacity.

Social media platforms apparently require a 'Big Brother' capability, or a
social credit score, to continuously authenticate and vet content viability
and sources. Picking "fly poop from the pepper pile" is an editorial act
best performed by unbiased, objective reviewers. Though costly to operate
with carbon-based wisdom, a silicon-based equivalent represents a good game
target for bots to play. Silicon-based editorial judgment can be bought by
the highest bidder, or most prolific disinformation botnet, when algorithms
can be arbitrarily tuned for bias.

Quis custodiet ipsos custodes? (Who guards the guardians) of social media
content publication? What are their ethics? Are regulation and oversight
required to ensure bias-free, editorial review and publication? How will
these regulations be fairly enforced?

Education systems need to update curricula to include instruction on how to
discern disinformation, and how to ask questions that vet published
sources. "Lies My Teacher Told Me: Everything Your American History Textbook
Got Wrong" by James W. Loewen is a good candidate for addition to the US
syllabus.


Re: How do you get people to trust autonomous vehicles? (Stein, RISKS-30.82)

Martyn Thomas <martyn@thomas-associates.co.uk>
Thu, 6 Sep 2018 17:54:54 +0100
> When silicon-driven vehicles equivalence or over-achieve (meaning greater
> than 1.18) this fatality rate, then public trust will have reached a
> justifiable tipping point favoring autonomous vehicles.

I think that should have been "less than 1.18" fatalities per 100 million
vehicle miles. But even then, I disagree with the sentence.  While there are
still human road users, their behaviour will be affected by the presence of
autonomous vehicles and the overall fatality rate is more important than the
fatality rate attributed to autonomous vehicles alone. Furthermore,
autonomous vehicles may be far better than human drivers in some road and
weather conditions and far worse in others.  They may kill fewer pedestrians
but more cyclists, or (choosing a provocative example to illustrate the
general point) fewer white females and more black males. I believe that the
criteria for favouring autonomous vehicles need to be more detailed than
just counting the directly-attributed fatalities.


Re: What3words: putting geographical addresses behind a closed API (Shapir, RISKS-30.82)

Dan Jacobson <jidanni@jidanni.org>
Sun, 09 Sep 2018 18:46:17 +0800
AS> if I get to 221 Baker st. by mistake instead of 223 Baker st., it's
AS> easy to look around.

Ah, but not 222, at least not here in Taiwan.

http://jidanni.org/geo/house_numbering/four.html

And don't even dream of 224.


Re: Personal domain names (Ross, RISKS-30.82)

"Keith F. Lynch" <kfl@KeithLynch.net>
Sun, 9 Sep 2018 17:51:06 -0400
I've had a personal domain for 18 years, for the same reason, and because it
allows unlimited email addresses.

One major downside, however, is that spammers forge random addresses on my
domain while posting from elsewhere.  This not only causes large numbers of
bounce messages to be sent to me, as many of their spams are sent to bogus
addresses elsewhere, but causes other spammers to harvest those fake
addresses on my domain from the spams that forged them, and start spamming
those addresses.  And every address on my domain gets through to me.

For instance, perhaps someone in China sends millions of spams forged to be
from ludendorff@keithlynch.net.  I get thousands of bounce messages, out of
office messages, death threats, etc., from the spam victims.  And a few
weeks later I start getting spams from Brazil and elsewhere sent to
ludendorff@keithlynch.net, and to countless other fake addresses on my
domain.
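The bounce flood described above happens because receiving servers accept the forged message and bounce (or auto-reply to) it afterwards. The following is an added example, not part of the post, of the simplified DMARC evaluation a receiver performs: when the domain publishes p=reject, the forgery is refused during the SMTP session and nothing is ever sent back to the forged address. The DMARC record, the two messages and the dmarc@example.invalid address are constructed, and the organizational-domain lookup is simplified to the last two labels.

```python
"""Simplified DMARC evaluation at a receiving mail server (added example, not
from the RISKS post or any project). With "p=reject" published, a forged message
is refused during the SMTP session, so no bounce ever reaches the forged
address. The record, messages and dmarc@example.invalid are constructed."""
from dataclasses import dataclass

# Constructed TXT record as published at _dmarc.<domain>. Strict alignment
# (aspf=s, adkim=s) requires the authenticated domain to equal the From domain.
DMARC_RECORDS = {
    "keithlynch.net": "v=DMARC1; p=reject; aspf=s; adkim=s; "
                      "rua=mailto:dmarc@example.invalid",
}

@dataclass
class Message:
    header_from: str          # domain of the RFC 5322 From: header
    mail_from: str            # domain of the SMTP MAIL FROM (return-path)
    spf_result: str           # receiver's SPF result for mail_from: pass/fail/none
    dkim_domains: tuple = ()  # d= domains of DKIM signatures that verified

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        tag, sep, value = part.strip().partition("=")
        if sep:
            tags[tag.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    """Organizational domain, simplified to the last two labels; a real
    implementation consults the Public Suffix List (assumption)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, authed_domain, mode):
    """DMARC identifier alignment: 's' strict (exact) or 'r' relaxed (org)."""
    if mode == "s":
        return from_domain.lower() == authed_domain.lower()
    return org_domain(from_domain) == org_domain(authed_domain)

def dmarc_disposition(msg, records=DMARC_RECORDS):
    """Return 'pass', or the policy to apply: 'none', 'quarantine', 'reject'.
    'none' also covers a domain with no record: the receiver has no
    instruction and will typically accept the message and bounce it later."""
    record = records.get(msg.header_from.lower())
    if record is None:
        return "none"
    tags = parse_dmarc(record)
    spf_ok = (msg.spf_result == "pass"
              and aligned(msg.header_from, msg.mail_from, tags.get("aspf", "r")))
    dkim_ok = any(aligned(msg.header_from, d, tags.get("adkim", "r"))
                  for d in msg.dkim_domains)
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")

def backscatter_generated(msg, records=DMARC_RECORDS):
    """A bounce or autoreply to the forged return-path needs the message to be
    accepted first; a 'reject' disposition prevents acceptance."""
    return dmarc_disposition(msg, records) != "reject"

# Constructed forgery of the kind in the post: spam claiming to come from
# ludendorff@keithlynch.net, sent by an unrelated server (SPF fails, no DKIM).
FORGED = Message("keithlynch.net", "keithlynch.net", "fail")
# The owner's own mail, relayed by a server the domain's SPF record lists.
LEGIT = Message("keithlynch.net", "keithlynch.net", "pass")

if __name__ == "__main__":
    for name, msg in (("forged", FORGED), ("legit", LEGIT)):
        print(name, dmarc_disposition(msg), "backscatter:", backscatter_generated(msg))
    print("no record:", dmarc_disposition(FORGED, {}), backscatter_generated(FORGED, {}))
```

With no DMARC record at all the same forgery evaluates to "none", i.e. the receiver accepts it and any bounce goes to the forged address on the domain.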


Re: The Untold Story of NotPetya, the Most Devastating Cyberattack in History (WiReD)

Dan Jacobson <jidanni@jidanni.org>
Mon, 10 Sep 2018 11:17:18 +0800
My favorite part:

After a frantic search that entailed calling hundreds of IT admins in data
centers around the world, Maersk's desperate administrators finally found
one lone surviving domain controller in a remote office—in Ghana.  At some
point before NotPetya struck, a blackout had knocked the Ghanaian machine
offline, and the computer remained disconnected from the network. It thus
contained the singular known copy of the company's domain controller data
left untouched by the malware—all thanks to a power outage. "There were a
lot of joyous whoops in the office when we found it," a Maersk administrator
says.

When the tense engineers in Maidenhead set up a connection to the Ghana
office, however, they found its bandwidth was so thin that it would take
days to transmit the several-hundred-gigabyte domain controller backup to
the UK. Their next idea: put a Ghanaian staffer on the next plane to
London. But none of the West African office's employees had a British visa.

So the Maidenhead operation arranged for a kind of relay race: One staffer
from the Ghana office flew to Nigeria to meet another Maersk employee in the
airport to hand off the very precious hard drive. That staffer then boarded
the six-and-a-half-hour flight to Heathrow, carrying the keystone of
Maersk's entire recovery process.
