RISKS Digest 29.59

Tuesday 28 June 2016

Petition for second EU referendum may have been manipulated

Nicola Slawson via Henry Baker

Date: Sun, 26 Jun 2016 07:04:07 -0700

FYI—This particular type of voting fraud is only one of the most obvious risks of online voting.

"over 39,000 residents of Vatican City [pop. 800] appeared to have signed the petition"

Petition for second EU referendum may have been manipulated

Data shows people from countries including Iceland and Tunisia backed petition that should only be signed by Britons and UK residents

Nicola Slawson @nicola_slawson, *The Guardian*, 26 Jun 2016

A petition calling for a second EU referendum which has gained more than 3 million signatures appears to have been manipulated. The request on parliament's official petitions website should have been signed only by British citizens and UK residents. However, the petition's data shows signatories from countries around the world, including Iceland, the Cayman Islands and Tunisia, and in some cases there are more signatures than total population. [...]

[Lots of anecdotal stuff deleted. PGN]

FAA Officials Discuss Standards to Neutralize Cyberattacks

Gabe Goldberg

Date: Thu, 23 Jun 2016 09:43:03 -0400

WASHINGTON -- Even as U.S. and European regulators jointly pursue ways to fend off cyberattacks against aviation, they are increasingly focused on devising standards to ensure that any successful hackers will be detected and neutralized.

Those twin goals are being widely discussed at an international safety conference here this week, while new details emerge about proposed safeguards being developed by a Federal Aviation Administration-created panel of government and industry officials. Or, if that doesn't work because of the paywall, try this ugly URL:

Healthcare workers prioritize helping people over information security

BoingBoing

Date: Tue, 28 Jun 2016 09:33:49 -0700


These workarounds were driven by clinicians' need to get their jobs done and by IT's failure to understand what that entailed. For example, IT's imposition of password rotation schedules meant that no one knew what their passwords were from moment to moment, forcing them to write them down and share them (in some cases, IT might have had this policy set by vendors or regulators/insurers). Aggressive timeouts on terminals meant that clinicians spent an undue amount of time logging in, making it impossible to get their work done. Other IT-based checks forced even-more-dangerous workarounds, like the system that wouldn't let doctors save work without ordering potentially lethal blood thinners, which they'd have to remember to log back in and cancel, or kill their patients. A thumbprint-based signing system for death certificates only accepted thumbprints from one doctor, meaning that his signature was on every death certificate, regardless of whose patient the deceased had been.

Let's be 100% clear about this lethal situation. It is 100% the fault of the IT industry for creating systems that are so abysmally suited to the tasks at hand that healthcare workers need to behave these ways to get their jobs done and save lives.

Hacker Advertises Slew of Alleged Healthcare Organization Records

Motherboard

Date: Tue, 28 Jun 2016 11:51:50 -0700

Motherboard via NNSquad

A hacker is advertising hundreds of thousands of alleged records from healthcare organizations on a dark web marketplace, including social security and insurance policy numbers. The data could be used for anything from getting lines of credit to opening bank accounts to carrying out loan fraud and much more, the hacker selling the data, who goes by the handle "thedarkoverlord," told Motherboard. News site Deep Dot Web first reported the news on Saturday. The breaches supposedly come from three different healthcare organizations: one in Farmington, Missouri with 48,000 records; another in Atlanta, Georgia with 397,000 entries, and the third in the Central/Midwest US with 210,000 records. Thedarkoverlord has decided to not name the organizations, as he has threatened each with a ransom demand.

Clinton's private e-mail was blocked by spam filters, so State IT turned them off

Sean Gallagher

Date: Thu, 23 Jun 2016 10:42:59 -0600

Sean Gallagher, *Ars Technica*, 23 Jun 2016

Documents recently obtained by the conservative advocacy group Judicial Watch show that in December 2010, then-Secretary of State Hillary Clinton and her staff were having difficulty communicating with State Department officials by e-mail because spam filters were blocking their messages. To fix the problem, State Department IT turned the filters off—potentially exposing State's employees to phishing attacks and other malicious e-mails.

The mail problems prompted Clinton Chief of Staff Huma Abedin to suggest to Clinton, "We should talk about putting you on State e-mail or releasing your e-mail address to the department so you are not going to spam." Clinton replied, "Let's get [a] separate address or device but I don't want any risk of the personal [e-mail] being accessible."

Woman Wins $10,000 From Microsoft After Unwanted Windows 10 Upgrade

Gizmodo

Date: Mon, 27 Jun 2016 09:10:38 -0700

Gizmodo via NNSquad

A California woman has won a $10,000 judgment from Microsoft after the company dropped its appeal in a case in which she alleged that her work computer became slow and unreliable after automatically upgrading itself to Windows 10.

Class action suit, anyone?

[Gene Wirchenko also spotted more: ]

"Swagger stumbles: Flaw enables remote code execution"

Fahmida Y. Rashid

Date: Tue, 28 Jun 2016 10:51:47 -0700

Fahmida Y. Rashid, InfoWorld, 27 Jun 2016

Swagger's code generators and parsers forgot the core tenet of software development, which is never to trust user input

selected text:

Because Swagger's generators and parsers don't verify input when generating code, a maliciously-crafted Swagger document can result in remote code execution, Rapid7 said in a blog post disclosing the vulnerability.

"Severe flaws in widely used open source library put many projects at risk"

Lucian Constantin

Date: Fri, 24 Jun 2016 10:26:07 -0700

When was the last time you heard the Open Source saw about number of eyeballs?

Lucian Constantin, InfoWorld, 22 Jun 2016

Input validation flaws in libarchive could lead to remote code execution

selected text:

Libarchive ... provides real-time access to files compressed with a variety of algorithms, ...

The library is used by file and package managers included in many Linux and BSD systems, as well as by components and tools in OS X and Chrome OS.

The Cisco Talos researchers found an integer overflow, a buffer overflow, and a heap overflow in the libarchive code that handles 7-Zip, mtree and rar files, respectively.

"Over half of world's top domains weak against email spoofing"

Charlie Osborne

Date: Fri, 24 Jun 2016 11:06:48 -0700

Charlie Osborne for Zero Day, ZDNet, 23 Jun 2016

Misconfigured email servers could prompt spoof emails being 'sent' from legitimate services.

selected text:

By using only a few lines of Python, the firm's researchers found that over 50 percent of top 500 Alexa websites were vulnerable to spoofing—either through having no authentication configured or by having settings misconfigured.
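The two failure modes the article names (no authentication configured at all, or records present but misconfigured) can be checked from a domain's SPF and DMARC TXT records alone. The following is an added example, not the researchers' script or anything from the ZDNet article: it parses the two record types and sorts a domain into those categories. The record strings and domain names are constructed; a real audit would fetch them with a DNS TXT query (for DMARC, at `_dmarc.<domain>`).

```python
"""Classify a domain's mail-authentication posture from SPF and DMARC TXT records.

Added example (not from the article or the cited research). The records below
are constructed stand-ins for what a DNS TXT lookup would return.
"""
import re

ALL_TERM = re.compile(r"([+\-~?]?)all", re.IGNORECASE)


def parse_spf(txt):
    """Return the qualifier of the SPF record's terminal 'all' mechanism.

    '+' pass, '-' fail, '~' softfail, '?' neutral. A record with no 'all'
    term defaults to neutral (the RFC 7208 default; 'redirect=' modifiers are
    not followed here). Returns None when txt is not an SPF record at all.
    """
    if not txt or not txt.lower().startswith("v=spf1"):
        return None
    qualifier = "?"
    for term in txt.split()[1:]:
        m = ALL_TERM.fullmatch(term)
        if m:
            qualifier = m.group(1) or "+"   # bare 'all' means '+all'
    return qualifier


def parse_dmarc(txt):
    """Return DMARC tags as a dict (keys lower-cased), or None if not DMARC."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def classify(spf_txt, dmarc_txt):
    """Map a (SPF, DMARC) record pair to one of the article's categories.

    Returns (status, reasons) where status is 'no_authentication',
    'misconfigured' or 'protected'. Spoofed mail is only reliably rejected
    when the SPF policy can fail an unknown sender AND a DMARC policy of
    quarantine/reject tells receivers to act on that failure.
    """
    spf_all = parse_spf(spf_txt)
    dmarc = parse_dmarc(dmarc_txt)
    if spf_all is None and dmarc is None:
        return "no_authentication", ["no SPF record", "no DMARC record"]

    reasons = []
    if spf_all is None:
        reasons.append("no SPF record")
    elif spf_all in ("+", "?"):
        reasons.append(f"SPF ends in '{spf_all}all', which never fails an unknown sender")

    if dmarc is None:
        reasons.append("no DMARC record")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy not in ("quarantine", "reject"):
            reasons.append(f"DMARC p={policy} asks receivers to take no action")

    return ("misconfigured" if reasons else "protected"), reasons


# Constructed records for three hypothetical domains (not real lookups).
RECORDS = {
    "nothing.example": (None, None),
    "weak.example": ("v=spf1 include:_spf.mailhost.example +all",
                     "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"),
    "strict.example": ("v=spf1 ip4:192.0.2.0/24 -all",
                       "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"),
}


def audit(records):
    """Classify every domain in a {domain: (spf_txt, dmarc_txt)} mapping."""
    return {domain: classify(spf, dmarc) for domain, (spf, dmarc) in records.items()}


if __name__ == "__main__":
    for domain, (status, reasons) in audit(RECORDS).items():
        print(f"{domain}: {status}" + (f" ({'; '.join(reasons)})" if reasons else ""))
```

The classifier is deliberately conservative: SPF `~all` (softfail) is accepted only because an enforcing DMARC policy is also required, and a domain with a strict SPF record but no DMARC record still counts as misconfigured, since without DMARC nothing tells a receiver to reject mail whose visible From header fails the check.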

"US Customs wants foreign nationals to reveal their social media handles"

Chris Duckett

Date: Tue, 28 Jun 2016 11:03:27 -0700

Chris Duckett, ZDNet, 27 Jun 2016

Travelers looking to enter the United States will be asked by US Customs for their social media IDs under a new proposal.

selected text:

US Customs and the Department of Homeland Security (DHS) want to ask foreign nationals entering the United States to hand over their social media handles at a cost of almost $300 million a year.

According to a notice posted on the US federal register, travelers would be asked to "Please enter information associated with your online presence -- Provider/Platform—Social media identifier".

Responding to the question would be optional.

And how long would this be optional?

What are the risks guns could be banned from video games?

Paul Robinson

Date: Sat, 25 Jun 2016 06:28:02 +0000 (UTC)

Some people have wondered, because of the public shootings that occur every so often, including the most recent ones in Orlando and Germany, is there a risk that computer games might be forbidden to show weapons - specifically guns - or that video games that show guns being used to wound or kill people, especially in apocalyptic or "collapse of civilization" scenarios, where players might engage in rampages, including the potential for the killing of soldiers and police officers, could be banned or prohibited from distribution?

Short version:

The various governments of the United States—which means: the federal government and both a state government and a sub agency of a state government such as a county or city - lack the power to prohibit a maker of a video game from including guns in a video game, the use of guns in a video game, the use of guns on a video game to kill people, or the use of video games to kill soldiers, uniformed police officers, or even a protected class of people or an identifiable minority or religious group such as blacks, Jews, Catholics, Muslims, Protestants, gays, whites, American Indians, men, women, or children.

[Long version much too long for RISKS. Truncated. PGN]

Vacationing Security Researcher Exposes Austrian ATM Skimmer

SlashDot

Date: Sun, 26 Jun 2016 21:01:19 +0200

(Posted by EditorDavid on Sunday June 26, 2016)

While vacationing with his family in Vienna, Ben Tedesco (from security company Carbon Black) discovered an ATM skimmer "in the wild", perfectly crafted to look like the original card reader.

New submitter rmurph04 shares Ben's story:

I went to grab some cash from an ATM. Being security paranoid, I repeated my typical habit of checking the card reader with my hand as I have hundreds of times. Today's the day when my security awareness paid off!

Ben's blog post includes a video demonstrating the ATM skimmer, as well as close-ups showing the device had its own control board, strip reader, and even its own battery.

Lenovo Warns Users To Upgrade Pre-Installed Tool With Severe Security Holes

SlashDot

Date: Sun, 26 Jun 2016 21:18:33 +0200

(Posted by EditorDavid on Saturday June 25, 2016)

Long-time SlashDot reader itwbennett writes: Lenovo is advising users to upgrade to version 3.3.003 of Lenovo Solution Center (LSC), which includes fixes for two high-severity vulnerabilities in the tool. [The tool] allows users to check their system's virus and firewall status, update their Lenovo software, perform backups, check battery health, get registration and warranty information and run hardware tests.

The CVE-2016-5249 vulnerability allows an attacker who already has control of a limited account on a PC to execute malicious code via the privileged LocalSystem account. And the CVE-2016-5248 vulnerability allows any local user to send a command to LSC.Services.SystemService in order to kill any other process on the system, privileged or not.

Yet another study showing old hard drives should be destroyed

Benoit Goas

Date: Tue, 28 Jun 2016 22:05:29 +0200

I just read about another study on what can be recovered from old hard drives. Risks are obvious! See at

Cryptography pioneer Marty Hellman calls for compassion in personal, cyber, and international threats

TechCrunch

Date: Mon, 27 Jun 2016 16:52:15 -0700

Hellman no longer does crypto research, though he retains a position at Stanford; instead, he has been advocating for changes in policy that acknowledge the new, more interconnected global community. "I see cyberweapons as very similar to nuclear weapons," he said. "Early on we had a monopoly on nuclear weapons so we thought they were the greatest thing going. But unlike a nuclear weapon, a cyberweapon doesn't destroy itself, so like with Stuxnet, our adversaries were able to take it apart and figure out how it works. We need to start thinking this through more carefully."

Crypto Ransomware Attacks Have Jumped 500% In The Last Year

SlashDot

Date: Sun, 26 Jun 2016 21:25:38 +0200

(Posted by EditorDavid on Saturday June 25, 2016)

Kaspersky Lab is reporting that the last year saw a 500% increase in the number of users who encountered crypto ransomware. Trailrunner7 shares an article from On The Wire: Data compiled by Kaspersky researchers from the company's cloud network shows that from April 2015 to March 2016, the volume of crypto ransomware encountered by users leapt from 131,111 to 718,536. That's a massive increase, especially considering the fact that ransomware is a somewhat mature threat. It didn't just burst onto the scene a couple of years ago. Kaspersky's researchers said the spike in crypto ransomware can be attributed to a small group of variants. "Looking at the malware groups that were active in the period covered by this report, it appears that a rather short list of suspects is responsible for most of the trouble caused by crypto-ransomware..."

It's difficult to overstate how much of an effect the emergence of ransomware has had on consumers, enterprises, and the security industry itself. The FBI has been warning users about crypto ransomware for some time now, and has consistently advised victims not to pay any ransoms. Security researchers have been publishing decryption tools for specific ransomware variants and law enforcement agencies have had some success in taking down ransomware gangs.

Enterprise targets now account for 13% of ransomware attacks, with attackers typically charging tens of thousands of dollars, the article reports, and "Recent attacks on networks at the University of Calgary and Hollywood Presbyterian Medical Center have demonstrated the brutal effectiveness of this strategy."

Why You Should Stop Using Telegram Right Now

SlashDot

Date: Sun, 26 Jun 2016 21:37:10 +0200

(Posted by manishs on Saturday June 25, 201)

Earlier this week, The Intercept evaluated the best instant messaging clients from the privacy standpoint. The list included Facebook's WhatsApp, Google's Allo, and Signal -- three apps that employ end-to-end encryption. One popular name that was missing from the list was Telegram. A report on Gizmodo sheds further light on the matter, adding that Telegram is riddled with a wide range of security issues, and "doesn't live up to its proclamations as a safe and secure messaging application." Citing many security experts, the report states: One major problem Telegram has is that it doesn't encrypt chats by default, something the FBI has advocated for. "There are many Telegram users who think they are communicating in an encrypted way, when they're not because they don't realize that they have to turn on an additional setting," Christopher Soghoian, Principal Technologist and Senior Policy Analyst at the American Civil Liberties Union, told Gizmodo. "Telegram has delivered everything that the government wants. Would I prefer that they used a method of encryption that followed industry best practices like WhatsApp and Signal? Certainly. But, if it's not turned on by default, it doesn't matter."

The other issue that security experts have taken a note of is that Telegram employs its own encryption, which according to them, "is widely considered to be a fatal flaw when developing encrypted messaging apps." The report adds:

"They use the MTproto protocol which is effectively homegrown and I've seen no proper proofs of its security," Alan Woodward, professor at the University of Surrey told Gizmodo. Woodward criticized Telegram for their lack of transparency regarding their home cooked encryption protocol. "At present we don't know enough to know if it's secure or insecure. That's the trouble with security by obscurity. It's usual for cryptographers to reveal the algorithms completely, but here we are in the dark. Unless you have considerable experience, you shouldn't write your own crypto. No one really understands why they did that."

The list goes on and on.

More Redacted Redactions

LA Times via Henry Baker

Date: Mon, 27 Jun 2016 16:25:37 -0700

FYI—If you accidentally redact a redaction, you get the original back!

Another example of the Streisand effect.

"Democrats released but redacted a transcript of Clinton confidant Sidney Blumenthal answering the committee's questions ... But the redaction marks are easily erased by anyone able to use a computer's cut-and-paste function."

The "Cobra Effect" that is disabling paste on password fields

Troy Hunt

Date: Mon, 27 Jun 2016 21:03:25 -0700

TroyHunt via NNSquad

Unfortunately, the enterprising locals saw things differently and interpreted the "cash for cobras" scheme as a damn good reason to start breeding serpents and raking in the dollars. Having now seen the flaw in their original logic, the poms quickly scrapped the scheme meaning no more snake bounty. Naturally the only thing for the locals to do with their now worthless cobras was to set them free so that they may seek out a nice cosy British settlement somewhere. This became known as the Cobra Effect or in other words, a solution to a problem that actually makes the whole thing a lot worse. Here's a modern day implementation of the Cobra Effect as it relates to the ability to paste your password into a login field ...

The inability to paste into a password field drives me bats. It makes security *worse*, not better!
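Paste-blocking on a login form is usually an inline `onpaste` handler on the password input, or a `paste` listener registered from script, and it is the kind of thing that is easy to audit for in one's own pages. The following is an added example, not code from Troy Hunt's post: a small Python auditor that walks an HTML document with the standard library parser, reports password inputs carrying inline paste/copy/cut handlers, and flags page scripts that register a `paste` listener for manual review. The HTML snippets are constructed for the demonstration.

```python
"""Find password fields that block pasting (the Cobra Effect from the post).

Added example, not from the original article. The HTML samples at the bottom
are constructed; feed the auditor your own page source instead.
"""
import re
from html.parser import HTMLParser

# Inline event attributes that are used to suppress clipboard operations.
CLIPBOARD_HANDLERS = ("onpaste", "oncopy", "oncut")
# A script-registered listener: addEventListener("paste", ...)
PASTE_LISTENER = re.compile(r"addEventListener\(\s*['\"]paste['\"]", re.IGNORECASE)


class PasswordFieldAuditor(HTMLParser):
    """Collects (element, finding) pairs describing paste restrictions."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            return
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}   # value-less attrs -> ""
        if a.get("type", "").lower() != "password":
            return
        name = a.get("name") or a.get("id") or "<unnamed password input>"
        for handler in CLIPBOARD_HANDLERS:
            if handler in a:
                self.findings.append((name, f'inline {handler}="{a[handler]}"'))

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text; we cannot tell which element
        # the listener targets, so report it for manual inspection.
        if self._in_script and PASTE_LISTENER.search(data):
            self.findings.append(("<script>",
                                  "registers a 'paste' listener; verify it does "
                                  "not cancel paste on password fields"))


def audit(html):
    """Return the list of paste-restriction findings for an HTML document."""
    auditor = PasswordFieldAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed samples: a blocking form, a clean form, and a script-based block.
BLOCKING_FORM = ('<form action="/login" method="post">'
                 '<input type="text" name="user">'
                 '<input type="password" name="pw" onpaste="return false;">'
                 '</form>')
CLEAN_FORM = ('<form action="/login" method="post">'
              '<input type="text" name="user">'
              '<input type="password" name="pw" autocomplete="current-password">'
              '</form>')
SCRIPT_BLOCK = ('<input type="password" id="pw2">'
                '<script>document.getElementById("pw2")'
                '.addEventListener("paste", function (e) { e.preventDefault(); });'
                '</script>')

if __name__ == "__main__":
    for label, page in (("blocking", BLOCKING_FORM), ("clean", CLEAN_FORM),
                        ("script", SCRIPT_BLOCK)):
        print(label, audit(page))
```

The clean form is the shape to aim for: no clipboard handlers, and an `autocomplete` hint so browsers and password managers can fill the field, which is exactly what paste-blocking defeats.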

Writing aid for the blind provides a case study for "compassionate engineering" at Carnegie Mellon

TechCrunch

Date: Mon, 27 Jun 2016 17:27:48 -0700


New mobile games and robot butlers are all well and good, but there are also many applications for the latest technology in poverty-stricken school districts and in the service of the disabled. A Carnegie Mellon project that targets both of those things is described by its creators as an exercise in what they call "compassionate engineering."

What if we're all forced to be average?

IEEE Spectrum via Bob Frankston

Date: 22 Jun 2016 16:51:08 -0400

The AI Dashcam App That Wants to Rate Every Driver in the World

Imagine if everyone is held to the letter of the law by a world of minders? Just with DRM, what happens if we talk rules that work socially and remove human discretion? If meaning comes from context there is a major risk in all these efforts to enforce the letter of the law. One of the big advantages of the US has been our ability to reinvent ourselves.

Re: Tesla Model X autonomously crashes into building

Amos Shapir

Date: Fri, 24 Jun 2016 13:44:30 +0300

> Teslas are instrumented. When there's a crash like this one, it's probably
> a good idea to wait until the log contents are revealed before repeating
> the driver's claims; the logs often show the opposite.

But then if a crossed wire or some other bug causes pressure on the brake to be misinterpreted by the system as pressure on the accelerator, the logs would also show that the accelerator was pressed!

The question is, are the logs generated by the same system that we want to debug?