
RISKS Digest 30.19

Tuesday 21 March 2017

Britain's surveillance agency slaps down claim it was involved in Trump 'wiretap'

The WashPo <lauren@vortex.com>

Date: Fri, 17 Mar 2017 08:11:05 -0700

NNSquad https://www.washingtonpost.com/news/worldviews/wp/2017/03/17/britains-gchq-breaks-its-silence-to-slap-down-claim-it-was-involved-in-trump-wiretap/

The Daily Telegraph, a right-leaning British newspaper, said on Friday that intelligence sources told the paper that Spicer and Lt. Gen. H.R. McMaster, Trump's national security adviser, have apologized for the claims. "The apology came direct from them," a source told the paper. There was no immediate comment from the Trump administration. Meanwhile, a spokesman for Theresa May, the British prime minister, did not confirm that an apology had been made. But he did say that the White House had given assurances—to the British ambassador in Washington and the prime minister's national security adviser—that the allegations that GCHQ had spied on Trump won't be repeated. Analysts said that GCHQ's unusual reaction was an attempt to distance itself from the raging debate in the U.S. "They really don't want to get drawn into the toxic contest going on between the administration and the intelligence agencies in the U.S.," said Ewan Lawson, a senior research fellow at the Royal United Services Institute. "They want to put some pretty clear space between them." He noted that the agency's quick, robust statement was unusual, but to stay silent "would give space to conspiracy theorists."

Justice Department charges Russian spies and criminal hackers in Yahoo intrusion

The WashPo <lauren@vortex.com>

Date: Wed, 15 Mar 2017 09:44:14 -0700

https://www.washingtonpost.com/world/national-security/justice-department-charging-russian-spies-and-criminal-hackers-for-yahoo-intrusion/2017/03/15/64b98e32-0911-11e7-93dc-00f9bdd74ed1_story.html

The Justice Department announced Wednesday the indictments of two Russian spies and two criminal hackers in connection with the heist of 500 million Yahoo user accounts in 2014, marking the first U.S. criminal cyber charges ever against Russian government officials. The indictments target two members of the Russian intelligence agency FSB, and two hackers hired by the Russians. The charges include hacking, wire fraud, trade secret theft and economic espionage, according to officials. The indictments are part of the largest hacking case brought by the United States.

Inside the Russian hack of Yahoo: How they did it

CSO Online <monty@roscom.com>

Date: Sun, 19 Mar 2017 12:29:39 -0400

http://www.csoonline.com/article/3180762/data-breach/inside-the-russian-hack-of-yahoo-how-they-did-it.html

Facebook just made it harder for you to share fake news

The Telegraph <lauren@vortex.com>

Date: Tue, 21 Mar 2017 12:14:55 -0700

NNSquad http://www.telegraph.co.uk/technology/2017/03/20/facebook-just-made-harder-share-fake-news/

Some Facebook users in the United States have reported seeing a pop-up window appear when an article is disputed by third-party fact checkers.

A Small Table Maker Takes On Alibaba's Flood of Fakes

The NYTimes <monty@roscom.com>

Date: Sun, 19 Mar 2017 21:20:05 -0400

http://www.nytimes.com/2017/03/18/business/alibaba-fake-merchandise-e-commerce.html

With his computer and simple software, Greg Hankerson hunts for counterfeits and seeks other small businesses willing to fight a Chinese e-commerce giant.

"How to Counterfeit Quantum Money"

CORDIS News <technews-editor@acm.org>

Date: Fri, 17 Mar 2017 12:13:55 -0400 (EDT)

CORDIS News (16 Mar 2017) via ACM TechNews, 17 Mar 2017

Researchers in Poland and the Czech Republic have theoretically shown that ultrasecure currency designed using quantum mechanics can be forged by exploiting a serious security flaw. The quantum money was minted photonically, with a series of photons transmitted to a bank using their polarizations to encode information. Criminals intercepting the photons would find accurate counterfeiting impossible because duplicating quantum data is imperfect. However, because individual photons can be missed or distorted in transmission, banks accept partial quantum bills, which gives crooks an opening to make imperfect forgeries that are still similar enough for banks to verify them. Using an optimal cloner, the researchers demonstrated a bank would accept forged quantum currency if the standard for accuracy was not sufficiently high. They say an effective standard for acceptance would require the received photons' polarizations to be more than approximately 84 percent identical to the original.
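The following Python model is an added illustration of the threshold point in the item above; it is not code from the researchers or from the CORDIS/TechNews report. It assumes a simplified verifier: the bank keeps its record of each photon's polarization (written here with the letters H, V, D and A), compares only the photons that actually arrived (a lost photon is marked "-"), and accepts the bill when the matching fraction reaches a threshold. A forger is modelled as holding a copy whose photons each match the bank's record independently with some per-photon fidelity; the 5/6 value used below is the fidelity of the optimal universal 1-to-2 qubit cloner (Buzek and Hillery), chosen as a plausible stand-in because the item does not say which cloner the researchers used. The pass probability is then a binomial tail, which shows directly how a tolerant threshold turns a lossy verifier into a forgeable one.

```python
"""Acceptance threshold vs. forgery fidelity for a lossy quantum-money check.

Added example (not from the original item). Model assumptions:
  * The bank records each photon's polarization as one of H, V, D, A.
  * Lost photons arrive as '-' and are skipped, i.e. partial bills are accepted.
  * A forged photon matches the record independently with probability FIDELITY.
"""
from math import ceil, comb

# Assumed attacker per-photon fidelity: optimal universal qubit cloner (5/6).
UNIVERSAL_CLONER_FIDELITY = 5 / 6


def min_matches(received: int, threshold: float) -> int:
    """Smallest number of matches the bank accepts among `received` photons.

    The small subtraction guards against float products such as 0.8 * n
    landing a hair above an integer and pushing ceil() one too high.
    """
    return ceil(received * threshold - 1e-9)


def bank_verifies(record: str, observed: str, threshold: float) -> bool:
    """Compare only the photons that arrived ('-' marks a lost photon).

    `record` is the bank's stored polarization string, `observed` is what
    was measured on the presented bill, position by position.
    """
    pairs = [(r, o) for r, o in zip(record, observed) if o != "-"]
    if not pairs:                      # a bill with nothing to check is refused
        return False
    matches = sum(r == o for r, o in pairs)
    return matches >= min_matches(len(pairs), threshold)


def pass_probability(received: int, fidelity: float, threshold: float) -> float:
    """P[Binomial(received, fidelity) >= min_matches(received, threshold)].

    Exact binomial tail: the chance that a forged bill whose photons each
    match with probability `fidelity` clears the bank's threshold.
    """
    k_min = min_matches(received, threshold)
    return sum(
        comb(received, k) * fidelity ** k * (1 - fidelity) ** (received - k)
        for k in range(k_min, received + 1)
    )


def forgery_table(received: int, fidelity: float, thresholds) -> dict:
    """Pass probability of the forger for each candidate bank threshold."""
    return {t: pass_probability(received, fidelity, t) for t in thresholds}


if __name__ == "__main__":
    # Constructed sample: an 8-photon record; the second copy lost two photons
    # but every received photon matches, so a lossy-but-genuine bill passes.
    print(bank_verifies("HVDAHVDA", "HV-AH-DA", threshold=0.9))   # True
    # Constructed forged copy with 6 of 8 matches: passes at 0.75, not at 0.9.
    print(bank_verifies("HVDAHVDA", "HVDDHVVA", threshold=0.75))  # True
    print(bank_verifies("HVDAHVDA", "HVDDHVVA", threshold=0.9))   # False
    # With 200 received photons and a 5/6-fidelity clone, a 0.80 threshold
    # lets the forgery through most of the time; 0.90 almost never does.
    for t, p in forgery_table(200, UNIVERSAL_CLONER_FIDELITY, (0.80, 0.85, 0.90)).items():
        print(f"threshold {t:.2f}: forgery passes with probability {p:.3f}")
```

The verifier compares only what arrived, which is exactly the concession the item describes; the table then shows why the threshold, not the loss rate, is the security parameter.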

Two Dead After T-Mobile 'Ghost Calls' Flood 911 Center in Texas

Gizmodo <lauren@vortex.com>

Date: Thu, 16 Mar 2017 09:50:09 -0700

NNSquad http://gizmodo.com/two-dead-after-t-mobile-ghost-calls-flood-911-center-in-1793332222

T-Mobile is just the latest mobile carrier to deal with problematic 911 calls, but this time, the problems are bad. Like so bad, people are dying. This month, numerous "ghost calls" from T-Mobile numbers flooded 911 call centers in Texas and have been linked to two deaths. And although the calls originated from T-Mobile devices, people using all carriers were unable to reach 911 dispatchers during the incidents. Scarier still, nobody knows what's causing them.

[Also noted by Mark Brader, who asks "Why Only One City?": T-Mobile bug blamed for deaths of 911 callers in Dallas http://www.washingtonpost.com/news/morning-mix/wp/2017/03/16/t-mobile-ghost-calls-clog-dallas-911-families-blame-backlog-for-deaths/ ]

"Security breach fears over 26 million NHS patients"

Laura Donnelly <e767pmk@yahoo.co.uk>

Date: Sun, 19 Mar 2017 22:40:09 +0000

Laura Donnelly, Health Editor, *The Telegraph*, 17 Mar 2017 <http://www.telegraph.co.uk/authors/laura-donnelly/>, http://www.telegraph.co.uk/news/2017/03/17/security-breach-fears-26-million-nhs-patients/

The medical records of 26 million patients are embroiled in a major security breach amid warnings that the IT system used by thousands of GPs is not secure.

The investigation centres on one of the most popular computer systems used by GPs.

Unbeknown to doctors, switching on "enhanced data sharing"—so records could be seen by the local hospital—meant they can also be accessed by hundreds of thousands of workers across the country.

It means receptionists, clerical staff, healthcare assistants and medics working in pharmacies, hospitals, GP surgeries, care homes and prisons can look up sensitive information about individuals - even if there is no medical reason to do so.

Patients would not have been told their records were available in this way, and information could be accessed for malicious reasons, or fall into criminal hands, privacy experts warned.

Install this FREE android application and go to jail

tk <tkalama1@gmail.com>

Date: Thu, 16 Mar 2017 09:18:25 +0300

In Turkey, the intelligence community is searching for and arresting anyone who has downloaded a free Android application called "ByLock".

Hundreds of people who have used this program were arrested after the ruling party AKP declared that it was the means of communication of the members of the Gulen sect. Gulen was once a partner of the AKP regime, but they have since had a falling out with Erdogan, presumably over the control of loot, er, funds of Turkey.

The latest development was the arrest of 25 people who were found to have used this program (in Turkish):

http://www.cumhuriyet.com.tr/haber/turkiye/699620/25_ilde__ByLock__operasyonu__52_tutuklama.html

Court Orders ISP To Hand Over Identities Behind 5,300 IP Addresses To Copyright Trolls

torrentfreak/slashdot <macwheel99@wowway.com>

Date: Thu, 16 Mar 2017 19:40:27 -0500

Sweden's new Patent and Market Court, that was formed last year to handle specialist copyright complaints, handed down a ruling on Friday. It grants Njord and its partners the right to force ISP Telia to hand over the personal details of subscribers behind thousands of IP addresses, despite the ISP's objections. [...]

claims that each unlawfully downloaded and shared a range of movie titles including CELL, IT, London Has Fallen, Mechanic: Resurrection, Criminal and September of Shiraz. [...]

https://yro.slashdot.org/story/17/03/15/209256/court-orders-isp-to-hand-identities-behind-5300-ip-addresses-to-copyright-trolls

Man in Trouble Due to Police IP Address Error

*Metro* via Chris Drewe <e767pmk@yahoo.co.uk>

Date: Sat, 18 Mar 2017 17:49:39 +0000

There was a small item in the 'Metro' giveaway newspaper for March 14th (can't find it on-line but http://metro.co.uk/) about a guy from Sheffield, England, who was arrested and bailed under strict conditions by the police in July 2011 suspected of illegally downloading images of child abuse. It turned out that the police's request to the ISP had erroneously had an extra digit added to the IP address, so he was mistakenly put under investigation. After a long legal battle he won a significant sum in compensation, though the suspicion remains forever.

Now that much criminal evidence is increasingly based on computer records -- not just web surfing and e-mail traffic details but also utility bills, telephone usage, and such like—one wonders how this sort of RISK can be handled. On one hand, there's the chance of genuine errors causing innocent people to be caught up as shown above, while on the other hand it may be easier to fabricate 'evidence' to maliciously get people into trouble. How easy is it to challenge this sort of thing in court? After all, most Internet users probably wouldn't know what their IP address is, or even what an IP address is.

USAF had their own dataloss going on, recently...

ZDNet <neumann@csl.sri.com>

Date: Fri, 17 Mar 2017 12:13:55 PDT

ZDNet http://www.zdnet.com/article/leaked-us-military-files-exposed/

NEW YORK—An unsecured backup drive has exposed thousands of US Air Force documents, including highly sensitive personnel files on senior and high-ranking officers.

Security researchers found that the gigabytes of files were accessible to anyone because the Internet-connected backup drive was not password protected.

The files, reviewed by ZDNet, contained a range of personal information, such as names and addresses, ranks, and Social Security numbers of more than 4,000 officers. Another file lists the security clearance levels of hundreds of other officers, some of whom possess "top secret" clearance, and access to sensitive compartmented information and codeword-level clearance.

Phone numbers and contact information of staff and their spouses, as well as other sensitive and private personal information, were found in several other spreadsheets.

Govt. Cybersecurity Contractor Hit in W-2 Phishing Scam

Krebs <monty@roscom.com>

Date: Sun, 19 Mar 2017 11:42:01 -0400

https://krebsonsecurity.com/2017/03/govt-cybersecurity-contractor-hit-in-w-2-phishing-scam/

On Thursday, March 16, the CEO of Defense Point Security, LLC—a Virginia company that bills itself as "the choice provider of cyber security services to the federal government"—told all employees that their W-2 tax data was handed directly to fraudsters after someone inside the company got caught in a phisher's net.

Also,

More than 120,000 affected by W-2 Phishing scams this tax season http://www.csoonline.com/article/3180684/security/more-than-120-000-affected-by-w-2-phishing-scams-this-tax-season.html

Expert: Apple may have deployed unauthorized patch by mistake

CSO Online <monty@roscom.com>

Date: Sun, 19 Mar 2017 11:28:14 -0400

http://www.csoonline.com/article/3181488/data-center/expert-apple-may-have-deployed-unauthorized-patch-by-mistake.html

Re: Avast Cybercapture of personal files

Barry Gold <barrydgold@ca.rr.com>

Date: Wed, 15 Mar 2017 16:40:01 -0700

Benoit Goas wrote:
> I just downloaded a set of (obviously personal) medical images from an
> imaging lab, which allows downloads only as executable zip file (their
> website runs only with silverlight, but that's not the main issue).

Goas's message highlights another problem: encapsulating images in executable files.

I ran into this recently. I was rear-ended and sought treatment for the resulting whiplash injury. I started with an orthopedist, who took x-rays and found no skeletal problems. He prescribed chiropractic and/or physical therapy, and gave me my images on a CD (or DVD).

I brought the DVD to a chiropractor's office, and they viewed the images -- by running an EXECUTABLE file on the CD/DVD.

Apparently there is no standardized format (or formats) for medical images, so instead of just sending an image it is "normal" to send the image in an executable that will display it—assuming that the recipient is running an OS that can run that executable.

What happens if the recipient has a Mac instead of a PC/Windows? Or a Linux system? Or some more esoteric OS?

But worse yet, the recipient is running an .exe file from an outside source. Suppose my orthopedist's office has been infected by malware? Then the chiropractor's computer is now _also_ infected with that malware. Any professional I see about this problem will want to see those images, and will promptly be infected with the malware.

What a mess!

Re: A warning from Bill Gates, Elon Musk, and Stephen Hawking

Notatla <lists@notatla.org.uk>

Date: Thu, 16 Mar 2017 09:55:28 +0000

Assuming someone ahead of you has bought chicken during the shift of the current cashier, that might not be the only reason to use self-checkout.

Food standards officials discovered that 40 per cent of packets of chicken in a range of supermarkets, convenience stores and butchers were covered with bacteria on the outside.

Of 20 packets of chicken studied, eight had food poisoning bacteria on their wrapping ...

Shoppers are now being warned to wash their hands after handling chicken cartons to combat the risk of catching the campylobacter ...

http://www.microbeworld.org/component/jlibrary/?view=article&id=5827

Re: A warning from Bill Gates, Elon Musk, and Stephen Hawking

Arthur Flatau <flataua@acm.org>

Date: Fri, 17 Mar 2017 09:55:42 -0500

No doubt this has little to do with computers. This might actually be another reason to use a human-staffed checkout lane. I have seen cashiers in the store I most often buy groceries from clean the conveyor belt with (what I assume is) some anti-bacterial spray. I don't recall seeing that in the self-checkout lane. Of course, bacteria from chicken are of little concern at the home improvement stores.

Re: self-checkout at grocery stores

David Lamkin <drl@metanate.com>

Date: Fri, 17 Mar 2017 08:10:10 +0000

If the store trusts its customers, as in the UK store Waitrose (admittedly a well-heeled lot given its margins), self-checkout can be much more convenient. They provide a scanner you use as you pick, and 'checkout' becomes payment only:

<https://www.waitrose.com/home/about_waitrose/quick_check.html>

Interestingly the availability of this excellent feature doesn't stop the queues at the staffed or self service checkouts!

Metanate Limited. Station Court, Great Shelford, Cambridge CB22 5NE, UK www.metanate.com (Consultancy) www.schemus.com (Data synchronisation)

Re: automation, restaurants, and industrial robots

Kelly Bert Manning <Kelly.Manning@ncf.ca>

Date: Fri, 17 Mar 2017 21:50:37 -0400 (EDT)

The 2017 March 15 RISKS items about automation, fast-food service, and Dangerous industrial robots brought back a memory of "Intent to Deceive" by Larry Niven. Note the title.

It is always interesting to hear from Dr. Leveson. My father started working life in his early teens as an early 1940s whistle punk at a coastal BC logging camp. Her high pressure steam analogy of the state of software safety had a personal resonance for me. Steam punk has taken on a different meaning these days.

https://books.google.ca/books?id=IBDAL13yLAUC&pg=PA34&dq=whistle+punk&hl=en&sa=X&ved=0ahUKEwistfKC9N7SAhVUVWMKHcj6AzcQ6AEIHDAA#v=onepage&q=whistle%20punk&f=false

http://www.obooksbooks.com/2015/3984_2.html#

"And then I remember that he went into a fully automated kitchen, through a door that wasn't built for humans. That kitchen machinery could handle full-sized sides of beef. Dreamer obviously wasn't a robot. What would the kitchen machinery take him for?"

Science Fiction writer Frederik Pohl also anticipated a number of potential future risks when he was working as an advertising executive during the day while writing science fiction in his spare time. With the move to displays in cars and Internet connections we might have to be wary of situations where advertisements could distract drivers in cars, although not yet with our aircars.

https://books.google.ca/books?id=JCVbAAAAMAAJ&focus=searchwithinvolume&q=safety+cranks

"They listened to the safety cranks and stopped us from projecting our messages on aircar windows--but we bounced back. ... soon we'll be testing a system that projects direct on the retina"

Science Fiction has a long history of portraying "Mad Men in Space".

http://www.sf-encyclopedia.com/entry/advertising

If you think this is far fetched consider why ad blockers are so popular, and recall that at least one Internet home firewall maker decided to interrupt browser sessions periodically by redirecting browsers to one of their corporate web sites. Why worry about your network equipment being hacked with corporations behaving like that?

Pohl's novel divides the population into two classes, executives and everybody else. Other science fiction stories view automation as leading to divisions such as taxpayers and citizens.

As Analog Magazine told us in 1990, Future Shock is the sense of bewilderment felt by those who were not paying attention. (volume 110, page 67)

CRISPR assassinations

Gene Spafford <spaf@purdue.edu>

Date: Wed, 15 Mar 2017 15:29:40 -0400

In 1982, Frank Herbert wrote The White Plague, a novel about how a person creates a genetically-engineered disease that targets only women. He intends it to only affect Ireland, but of course it gets out and sweeps the world. The novel describes some of the consequences. Although not as compelling as Dune, Herbert manages to conjure up a believable set of consequences of a species threatened with extinction.

I remember reading it and thinking it was implausible (at the time), but that the difficulty in targeting a particular subset of the population is likely to be a problem. Given some of the genetic diversity and distribution we don't fully understand, and the ability of many pathogens to undergo change, any targeted microbe might well end up killing far more than the attacker intends.

Bugs in the bug could well spell our doom.

Re: Science

Wendy M. Grossman <wendyg@pelicancrossing.net>

Date: Thu, 16 Mar 2017 16:30:12 +0000

> What is really worrisome is that academics do not question these rules and
> apparently prefer a false sense of objectivity.

Time to revive the Underground Grammarian, who wrote a wonderful article about the passive voice back in the 1980s.