
RISKS Digest 30.45

Tuesday 5 September 2017

West Air CRJ accident involved two different causes

PGN <>

Date: Sat, 2 Sep 2017 9:59:46 PDT

Kaspersky: The Cyber Insecurity Company

Jeanne Shaheen <>

Date: Tue, 5 Sep 2017 8:04:59 PDT

Jeanne Shaheen (U.S. Senator from New Hampshire, Dem.)
Kaspersky Lab is too close to the Kremlin to trust its software
Op-Ed in today's issue of *The New York Times*

Kaspersky Lab, the cybersecurity company, is close to Putin's government. So why is the U.S. government using its software?

[This op-ed is a rather comprehensive warning. See previous related items in RISKS-30.10, 30.34, 30.37. PGN]

Russian Election Hacking Efforts, Wider Than Previously Known, Draw Little Scrutiny

Nicole Perlroth et al. <>

Date: Fri, 1 Sep 2017 21:00:05 PDT

Nicole Perlroth, Michael Wines, and Matthew Rosenberg
*The New York Times*, 1 Sep 2017

“The more places we looked, the worse things looked. In fact, we discovered that VR Systems was not the only back-end supplier of election services that was hacked by Russians ahead of Election Day. Two more vendors that provide critical election services were also hacked.”

See also

How Russian & Alt-Right Twitter Accounts Worked Together to Skew the Narrative About Berkeley

Caroline O. <>

Date: September 2, 2017 at 2:53:05 AM EDT

#Antifa and #Berkeley were hot topics last weekend in America and in Russia.
Caroline O., Medium, 1 Sep 2017

Social media [sic] has an important role in shaping perceptions of current events, as well as influencing mainstream news coverage of those events. Platforms like Twitter provide real-time access to events going on around the world, allowing anyone to get a front-row seat for breaking news. But as much as it has opened up new channels of information, social media has also opened up new avenues for manipulating perceptions of reality. Misinformation and disinformation often spread faster than the truth, and by the time the narrative is corrected, social media has already moved on to the next big thing.

The narrative surrounding last weekend's protests in Berkeley took shape on social media and was picked up, at least in part, by mainstream news outlets. The result was a skewed presentation of events that was almost entirely devoid of the context in which they took place. Even more troubling: that narrative was influenced by pro-Russian social media networks, including state-sponsored propaganda outlets, botnets, cyborgs, and individual users.

In the case study below, I describe how the narrative surrounding Berkeley was picked up and shaped by Russian-linked influence networks, which saw a chance to drive a wedge in American society and ran with it. Next, I look at the individual accounts and users that were identified as top influencers on Twitter, and explore what they were posting, how they worked together to craft a narrative, and the methods they used to amplify their message. Finally, I look at how news coverage of the events in Berkeley was shaped by the skewed narrative that emerged on social media.

This is just a single case study in a larger story, but it serves as an important reminder that Russia is still exploiting social media to harm U.S. interests—and that plenty of Americans are willing to join in on the effort.

The Russian Connection

Russian-linked influence networks and propaganda arms quickly took interest in the Berkeley protests last weekend. On Sunday afternoon, the top story on the front page of Russian propaganda outlet RT was about the events in Berkeley. (Note that this was the main landing page, not the America section).

RT tweeted stories about the protests throughout the day Sunday (and some on Saturday), posting dramatic images and using trending hashtags to maximize their reach. Many of these tweets were retweeted by the semi-automated pro-Kremlin account @TeamTrumpRussia [...,] which spent much of the day amplifying the hashtags #Berkeley and #Antifa.

On Twitter, the hashtag #Berkeley was amplified by Russian-linked influence networks, as evidenced by the output of the Hamilton 68 dashboard, a project of the Alliance for Securing Democracy, which tracks the activity of 600 Twitter accounts linked to Russian influence operations. These include state-sponsored propaganda outlets like Sputnik and RT, as well as individual users, automated accounts (bots), and cyborgs (accounts that produce automated content some of the time, but are human-controlled at other times) that actively and frequently amplify Kremlin propaganda (knowingly, and in some cases, potentially unknowingly).

Ice-cold Kaspersky shows the industry how to handle patent trolls

The Register <>

Date: Fri, 1 Sep 2017 08:58:18 -0400

Open-source voting in San Francisco?

Dominic Fracassa <>

Date: Mon, 4 Sep 2017 17:35:13 PDT

Dominic Fracassa, San Francisco considers open-source voting system
*San Francisco Chronicle*, 4 Sep 2017

[Open-source voting systems could be a major step forward compared with outsourced proprietary systems with no accountability. However, please remember that everything else in the election process is still a potential source of risks. PGN]

Millions of Time Warner Cable Customer Records Exposed in Third-Party Data Leak

Gizmodo <>

Date: Fri, 1 Sep 2017 12:43:15 -0700

via NNSquad

The files, more than 600GB in size, were discovered on August 24 by the Kromtech Security Center while its researchers were investigating an unrelated data breach at World Wrestling Entertainment. Two Amazon S3 buckets were eventually found and linked to BroadSoft, a global communications company that partners with service providers, including AT&T and TWC. The 4 million TWC records are not all tied to unique customers, meaning 4 million individual people were not exposed by the breach. Due to the sheer size of the cache, it was not immediately clear precisely how subscribers were affected. The leaked data included usernames, emails addresses, MAC addresses, device serial numbers, and financial transaction information--though it does not appear that any Social Security numbers or credit card information was exposed. Time Warner Cable was purchased by Charter Communications last year and is now called Spectrum, though the leaked records date back from this year to at least 2010.

[TWC could be an abbreviation for TrustWorthy Computing or Time Warner Cable, but not both at the same time! PGN]

Internet Censorship Bill Would Spell Disaster for Speech and Innovation

EFF <>

Date: Sun, 3 Sep 2017 10:45:58 -0700


There's a new bill in Congress that would threaten your right to free expression online. If that weren't enough, it could also put small Internet businesses in danger of catastrophic litigation.

Hacking Retail Gift Cards Remains Scarily Easy

WiReD <>

Date: Fri, 1 Sep 2017 12:13:39 -0400

In November of 2015, Will Caput worked for a security firm assigned to a penetration test of a major Mexican restaurant chain, scouring its websites for hackable vulnerabilities. So when 40-year-old Caput took a lunch break, he had beans and guacamole on his mind. He decided to drive to the local branch of the restaurant in Chico, California. While there, still in the mindset of testing the restaurant's security, he noticed a tray of unactivated gift cards sitting on the counter. So he grabbed them all—the cashier didn't mind, since customers can load them with a credit card from home via the web—and sat down at a table, examining the stack as he ate his vegetarian burrito.

As he flipped through the gift cards, he noticed a pattern. While the final four digits of the cards seemed to vary randomly, the rest remained constant except one digit that appeared to increase by one with every card he examined, neatly ticking up like a poker straight. By the time he finished his burrito, he had a plan to defraud the system.
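The pattern Caput noticed, turned into a check an issuer or auditor could run over its own card stock. This is an added example with constructed numbers, not code from the article: it classifies each digit position of a batch as fixed, stepping by one, or varying, and reports how few guesses per card are left once the predictable positions are read off.

```python
import secrets

# Constructed sample batch in the shape the article describes: a fixed prefix,
# one digit that steps by one from card to card, and only the final four
# digits varying unpredictably. These are not real card numbers.
SAMPLE_BATCH = [
    "6006491230004817",
    "6006491240006329",
    "6006491250001150",
    "6006491260009473",
]

def audit_batch(cards):
    """Classify each digit position across a batch of card numbers.

    Returns (fixed, counter, varying, guess_space): positions that never
    change, positions that step by exactly one per card, the remaining
    positions, and 10 ** len(varying), the guesses needed per card once the
    predictable positions are known. A handful of cards is only triage: a
    varying position can look fixed by chance in a very small batch.
    """
    width = len(cards[0])
    if not all(len(c) == width and c.isdigit() for c in cards):
        raise ValueError("card numbers must be digit strings of equal length")
    fixed, counter, varying = [], [], []
    for pos in range(width):
        column = [int(c[pos]) for c in cards]
        if len(set(column)) == 1:
            fixed.append(pos)
        elif all(b - a == 1 for a, b in zip(column, column[1:])):
            counter.append(pos)
        else:
            varying.append(pos)
    return fixed, counter, varying, 10 ** len(varying)

def generate_batch(count: int, width: int = 16):
    """Hardened issuance: every digit from a CSPRNG, so nothing to read off."""
    return ["".join(str(secrets.randbelow(10)) for _ in range(width))
            for _ in range(count)]
```

On the sample batch the audit reports eleven fixed positions, one counter position and a guess space of 10,000 per card; a CSPRNG-generated batch of the same width reports none fixed and 10^16.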

Radio Hacker Interrupts Police Chase in Australia

Bleeping Computer <>

Date: Mon, 4 Sep 2017 16:01:10 -0400

US government: We can jail you indefinitely for not decrypting your data

The Register <>

Date: Fri, 1 Sep 2017 08:43:41 -0400

Risks of biometrics: man with no arms refused by bank demanding fingerprints

NBC News <>

Date: Tue, 5 Sep 2017 09:37:28 +0100

John Utteridge, Software Engineer - Wireless Solutions Ltd., Station House, 50 North St., Havant, Hants. PO9 1QU

[There also seem to be older people with sufficiently worn-down fingers that are not recognizable on some fingerprinting devices. PGN]

Re: Wisconsin Company to Implant Microchips In Employees

Richard A. O'Keefe <>

Date: Fri, 1 Sep 2017 16:50:31 +1200

It looks to me as if fingerprint scanners would be just as convenient to use as waving an embedded chip, offer better affordance (you can see what to put where), and are a *lot* cheaper than embedded chips. Near as I can make out from the IT Professionals NZ code of ethics, this is unethical.

As for the security claims, try these cartoons:

[Groan. See the previous item from John Utteridge. PGN]

Re: Microchipping employees

John Levine <>

Date: 1 Sep 2017 11:28:25 -0000

> ... It will be trivial to design a microchip that not only reports the
> current id, but can be reprogrammed to a new id from a simple
> device. Secondly, it will be fairly easy to build a scanner that picks up
> the ids of anyone nearby. Quick scan and reprogram and I am a new person
> with your credit limit.

While I agree that chipping yourself is a bad idea, this is not why.

Chips used for financial transactions don't just broadcast an account number, they sign transactions. Hence a spy can replay a transaction but it can't create new ones. Contact and contactless EMV chips have worked this way for 20 years. Banks can certainly be stupid but they're not quite *that* stupid.
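A simplified model of the point above, added here as an example (it is not EMV's real cryptogram scheme, which derives 3DES/AES session keys from an issuer master key; an HMAC with a per-card key stands in): the card's key never leaves the card, so an eavesdropper who records an exchange can replay it but cannot produce a cryptogram for a new amount, and a transaction counter lets the issuer refuse the replay as well.

```python
import hashlib
import hmac
import secrets

# Constructed model: each cryptogram is a MAC over the amount, the terminal's
# fresh unpredictable number and the card's application transaction counter
# (ATC). Only the card and the issuer hold the key.

def make_cryptogram(card_key: bytes, pan: str, atc: int, amount: int,
                    unpredictable: bytes) -> bytes:
    """Card side: MAC over the transaction fields with the card's secret key."""
    data = f"{pan}|{atc}|{amount}|".encode() + unpredictable
    return hmac.new(card_key, data, hashlib.sha256).digest()

class Issuer:
    """Issuer side: holds each card's key and the highest ATC seen so far."""

    def __init__(self):
        self.keys = {}
        self.last_atc = {}

    def enroll(self, pan: str) -> bytes:
        key = secrets.token_bytes(16)   # personalised into the card, never sent
        self.keys[pan] = key
        self.last_atc[pan] = -1
        return key

    def authorize(self, pan, atc, amount, unpredictable, cryptogram) -> str:
        expected = make_cryptogram(self.keys[pan], pan, atc, amount, unpredictable)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINED: bad cryptogram"      # forged or altered fields
        if atc <= self.last_atc[pan]:
            return "DECLINED: replayed counter"    # this cryptogram was used before
        self.last_atc[pan] = atc
        return "APPROVED"

def demo():
    """Genuine purchase, a replay of it, then a forgery for a larger amount."""
    issuer = Issuer()
    pan = "4000000000000001"            # constructed placeholder account number
    key = issuer.enroll(pan)
    un = secrets.token_bytes(4)         # terminal's unpredictable number
    crypt = make_cryptogram(key, pan, 1, 2500, un)
    first = issuer.authorize(pan, 1, 2500, un, crypt)
    replay = issuer.authorize(pan, 1, 2500, un, crypt)    # eavesdropper replays
    forged = issuer.authorize(pan, 2, 99999, un, crypt)   # new amount, old MAC
    return first, replay, forged
```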

Re: Cracked screen => cracked security?

Richard Bos <>

Date: Sun, 03 Sep 2017 09:22:53 GMT

> People with cracked touch screens or similar smartphone maladies have a new
> headache to consider: the possibility the replacement parts installed by
> repair shops contain secret hardware that completely hijacks the security of
> the device. [...]

> On the other hand, these stories play right into the hands of those trying
> to kill "the right to repair" supported by the EFF.

On the contrary. If you have the right to repair your device on your own initiative, you can always choose to go to a repair shop *you* trust, or even do it yourself. If you do not have that right, you *must* go to the official dealer—who may not be trustworthy.

Right To Repair is not only important to cheapskates, researchers, hobbyists and mafiosi in the Western world, but also to "terrorists" (read: non-conformists) in more dictatorial countries. Those may not be right to assume that an official Apple repair shop in *cough*Insert Undemocratic Country Apple Has Close Ties With Here*cough* will supply the same, spyware-free* replacement part that we get in Europe. And that may happen with or without Apple's support, or even knowledge.

* I was about to insert a question mark here, but let's not be that cynical - yet.

Re: Is LIBOR, Benchmark for Trillions of Dollars in Transactions, a Lie?

Michael Bacon <>

Date: Fri, 1 Sep 2017 14:32:43 +0100

I am afraid that Amos Shapir is in error when he refers to the wording on British one pound banknotes, or indeed any British banknote issued by the Bank of England since 1853.

The wording was just: "I promise to pay the bearer on demand the sum of ...". There was no mention of the means by which that would be achieved.

It is possible that wording which included the means of payment might have appeared on bank notes issued by other than the "Old Lady of Threadneedle Street", but the last notes issued by a private bank in England and Wales were by Fox, Fowler and Co in 1921, and their notes did not carry such wording.

Further, since 1694 although with some breaks, and until 1931 when Britain left the "Gold Standard" and the notes became backed by securities, the means of settlement was gold, not silver; in the form of a gold sovereign.

The gold sovereign began circulation in 1489 as the "English gold sovereign", but was last minted in 1604. The 'modern' gold sovereign was minted from 1817 until withdrawal in 1932.

Guinea coins were also issued - a "guinea" being one pound and one shilling (one pound and five pence in decimal coinage) - but not guinea notes. The guinea was last minted in 1816, but the reference value is still used in horse racing (the "Two Thousand Guineas Stakes" run at Newmarket in April/May) and in the market sale of sheep.

I would add for RISKS readers' further information, that "sterling" derives from the silver pennies introduced after 1066 by the Norman invaders (from one of whom, Grimbaldus, I am descended). Then, 240 sterlings weighed one pound, hence 240 (later, copper) pennies to the "pound". The shilling, of which there were 20 in a pound (and therefore 12 pennies to the shilling) was also introduced by William the Conqueror. There's logic behind our old currency.

Of course, gold and silver coins would wear away with handling, and since their value was based on weight, they were not really practical as a coinage in common and frequent use, and so were replaced by cupronickel and other alloy facsimiles.

Password: hint: birthday

Dan Jacobson <>

Date: Tue, 05 Sep 2017 01:28:49 +0800

password: hint: birthday:
4/17/1992
04/17/1992
1992/4/17
1992/04/17
4/17
birthday
0417
April 17
April 17, 1992
04.17
Error: Too many attempts. Locked out.

[1992.04.17? or 17.04.1992? Maybe even just "Friday", since all it wants is a birth *day*, not a birth date! Then you would need a max of seven tries. PGN]