
RISKS Digest 29.95

Tuesday 29 November 2016

Hacker demanded ransom from San Francisco Muni Metro

PGN <neumann@csl.sri.com>

Date: Tue, 29 Nov 2016 11:35:16 PST

The Muni Metro had 900 employee computer workstations hacked with ransomware, with demands for payment of 100 bitcoins (roughly $73,000) to unlock those computers. The Muni Metro management took a strong and very sensible strategy -- refusing to pay, essentially rebuilding the entire system from backups, and making all rides free in the interim. Although the demands warned that personal information would be released if the payment were not made, DHS advisors suggested that access to PII was unlikely -- given the nature of the attack.

Andrew Storms (VP of New Context in San Francisco) is quoted: “Critical infrastructure, both large and small, remains a target and is susceptible to ransomware. IBM has named transportation as a key cyber-target, given that the sector is increasingly relying on computer-based control, and yet security is such that hackers can cause a lot of damage with comparative ease.”

[Source: Michael Cabanatuan and Marissa Lang, *San Francisco Chronicle*, 29 Nov 2016, PGN-ed]

[Other sources: http://fortune.com/2016/11/28/muni-hack-san-francisco/ http://www.sfexaminer.com/muni-guarantees-customer-data-not-risk-hacker-sends-new-threat/ ]

[And who might still be saying "We don't need no steenkin' security!" -- when what we have already really stinks. PGN]

Locky ransomware uses decoy image files to ambush Facebook, LinkedIn

Tom Mendelsohn <werneru@gmail.com>

Date: Mon, 28 Nov 2016 22:50:18 +0100

Tom Mendelsohn, *Ars Technica*, 25 Nov 2016
Low-tech malware snares users via flaws in social networks' code to spread automatically.
http://arstechnica.com/security/2016/11/locky-ransomware-decoy-image-files-boobytrap-facebook-linkedin/

According to the Israeli security firm Check Point, security flaws in the two social networks allow a maliciously coded image file to download itself to a user's computer. Users who notice the download, and who then access the file, cause malicious code to install "Locky" ransomware onto their computers. Check Point won't go into detail on how the exploit works until the vulnerability is patched by LinkedIn and Facebook.

Ars has asked for comment from both Facebook and LinkedIn. See also

http://blog.checkpoint.com/2016/11/24/imagegate-check-point-uncovers-new-method-distributing-malware-images/
http://arstechnica.co.uk/security/2016/04/nuclear-ransomware-exploit-kit-details/
http://arstechnica.co.uk/security/2016/02/locky-crypto-ransomware-rides-in-on-malicious-word-document-macro/

New Variants of Cerber and Locky ransomware launched simultaneously

Check Point <werneru@gmail.com>

Date: Mon, 28 Nov 2016 23:07:33 +0100

Check Point Threat Intelligence Team, 24 Nov 2016
Two Thanksgiving presents from the leading ransomware
http://blog.checkpoint.com/2016/11/24/14959/
http://fortune.com/2016/11/28/muni-hack-san-francisco/
http://www.sfexaminer.com/muni-guarantees-customer-data-not-risk-hacker-sends-new-threat/

NTSB on Aviation: Risks of checklists, especially when ignored

PGN <neumann@csl.sri.com>

Date: Sat, 26 Nov 2016 12:04:41 PST

http://www.ntsb.gov/investigations/AccidentReports/Pages/AAR1503.aspx
http://aviationweek.com/business-aviation/gulfstream-crash-triggers-finding-unsettling-data

"Despite these positive comments, our investigation revealed an operation in which checklists and flight control checks were not accomplished by the flight crew, as specified in their training and the aircraft operations manual. In order to successfully complete training, neither of these omissions would have been acceptable. However, considering that each crewmember successfully completed recurrent training eight months before the crash, they obviously knew and demonstrated they were aware of these requirements."

It seems that checklists can be very important when observed, but still somewhat of a placebo: The routine itself can be routinely treated rather superficially. The same thing applies to all safety-related procedures, security upgrades, network reconfigurations, and more. In addition, training simulators may be inconsistent with reality, or at least have emergency corner cases that might not be covered.

Brooklyn prosecutor caught wiretapping a love interest

The New York Times <neumann@csl.sri.com>

Date: Tue, 29 Nov 2016 3:18:53 PST

http://www.nytimes.com/2016/11/28/nyregion/brooklyn-prosecutor-accused-of-using-illegal-wiretap-to-spy-on-love-interest.html

Mr. Trump's Lies About the Vote

The New York Times <neumann@csl.sri.com>

Date: Tue, 29 Nov 2016 11:47:25 PST

Excerpts from today's editorial in *The New York Times*, 29 Nov 2016

On Sunday, President-elect Trump unleashed a barrage of tweets complaining about calls for recounts or vote audits in several closely contested states, and culminating in this message: "In addition to winning the Electoral College in a landslide, I won the popular vote if you deduct the millions of people who voted illegally."

This is a lie, part of Mr. Trump's pattern, stretching back many years, of disregard for indisputable facts. There is no evidence of illegal voting on even a small scale anywhere in the country, let alone a systematic conspiracy involving "millions". [...]

In addition to insulting law-abiding voters everywhere, these lies about fraud threaten the foundations of American democracy.

The entire editorial is worth reading, including the relative relevance of the popular vote and the Electoral College.

Inside a Fake News Sausage Factory: 'This Is All About Income'

Lauren Weinstein <lauren@vortex.com>

Date: Fri, 25 Nov 2016 21:46:44 -0800

via NNSquad http://www.nytimes.com/2016/11/25/world/europe/fake-news-donald-trump-hillary-clinton-georgia.html

Jobless and with graduation looming, a computer science student at the premier university in the nation of Georgia decided early this year that money could be made from America's voracious appetite for passionately partisan political news. He set up a website, posted gushing stories about Hillary Clinton and waited for ad sales to soar. "I don't know why, but it did not work," said the student, Beqa Latsabidze, 22, who was savvy enough to change course when he realized what did drive traffic: laudatory stories about Donald J. Trump that mixed real -- and completely fake -- news in a stew of anti-Clinton fervor.

Trump's presidential hires and advisors own a hell of a lot of fake news sites

BoingBoing <lauren@vortex.com>

Date: Sat, 26 Nov 2016 09:50:19 -0800

via NNSquad http://boingboing.net/2016/11/26/trumps-presidential-hires-an.html

Floyd Brown invented the Reagan-era Willie Horton lie, helped create the Citizens United group, and now owns Liftable Media, including sites like Conservative Tribune (50th most-trafficked site in the USA) and Western Journalism (81st), whence came fake news stories like the lie that Obama had altered the White House logo to include a white flag of surrender (the logo change came from GWB's White House); the lie that Muslims had been "ordered" to vote for Hillary; the lie that Obama had encouraged millennial non-citizen Latinos to vote without fear of reprisals; the lie that Clinton had a Vegas "drug holiday" before the debate; the lie that Obama's birth certificate was not accepted by experts as genuine -- Brown's sites are all included in Facebook's verified news sources. Brown is a Trump advisor, also identified by Trump's spokesperson as "a close friend."

[Don't forget Swift-boating. We've had lots of opportunities to recognize the problem. PGN]

Fake News and the Internet Shell Game

The New York Times <lauren@vortex.com>

Date: Mon, 28 Nov 2016 18:00:47 -0800

via NNSquad http://www.nytimes.com/2016/11/28/opinion/fake-news-and-the-internet-shell-game.html

The use of social media to spread political misinformation online is partly just a giant shell game. Propagandists often don't care whether everyone, or even most people, really believe the specific things they are selling (although it turns out that lots of people always do). They don't have to get you to actually believe the penny is under the wrong shell. They just have to get you confused enough so that you don't know what is true. That's still deception. And it is this kind of deception that dreadful for-profit conspiracy sites like Liberty Writers News have been particularly adept at spreading. Sure, some percentage of people actually believed the content of such sites (for instance, that Hillary Clinton was behind the death of a federal agent). But a far greater number of people came away ever so slightly more doubtful of what is true. They didn't believe Hillary Clinton ordered a hit, but they didn't disbelieve it either. It simply became part of the background, one more unsettled question.

Do away with the FCC?

The Washington Post via Eric Burger <eburger@standardstrack.com>

Date: Tue, Nov 22, 2016 at 10:46 PM

(via Dave Farber) http://www.washingtonpost.com/people/brian-fung

A top adviser to Donald Trump on tech policy matters proposed all but abolishing the nation's telecom regulator last month, foreshadowing possible moves by the president-elect to sharply reduce the Federal Communications Commission's role as a consumer protection watchdog.

In a 21 Oct 2016 blog post, Mark Jamison, who on Monday was named one of two members of Trump's tech policy transition team, laid out his ideal vision for the government's role in telecommunications, concluding there is little need for the agency to exist. <http://www.techpolicydaily.com/communications/do-we-need-the-fcc/>

Forget Net Neutrality, Trump FCC Advisor Wants to Kill the FCC Itself

Motherboard <lauren@vortex.com>

Date: Wed, 23 Nov 2016 13:17:37 -0800

via NNSquad http://motherboard.vice.com/read/forget-net-neutrality-trump-fcc-advisor-wants-to-kill-the-fcc-itself

Open Internet advocates reacted with alarm to Jamison's proposal to abolish most of the FCC. "Such a proposal is dripping with irony, given that the dominant ISPs consistently rank among the most hated companies by consumers, ripping off their subscribers in numerous creative ways," Lauren Weinstein, a veteran tech policy expert and net neutrality advocate, told Motherboard. "One of the few checks on their abuses has been the FCC." "Reducing the FCC's authority in this context would be a sure path toward the rich getting richer and subscribers being shafted even worse than they are today," Weinstein added. An FCC spokesperson declined to comment on Jamison's proposal.

Did Russian Agents Influence the U.S. Election with Fake News?

Vanity Fair <lauren@vortex.com>

Date: Sat, 26 Nov 2016 13:10:49 -0800

via NNSquad http://www.vanityfair.com/news/2016/11/fake-news-russia-donald-trump

Two new reports suggest that the Russian government tried to destroy Hillary Clinton's reputation and tilt the election towards Donald Trump. ...

Facebook and Google have been falling over themselves in the past few weeks, trying to figure out how to solve their fake-news problem. Now the scope of their challenges [is] coming into view: a new report from two groups of independent researchers suggests that the two platforms were leveraged by propagandists, funded by the Russian government, to influence the outcome of the U.S. presidential election by filling Americans' news feeds with false stories intended to sow distrust of democracy. The Foreign Policy Research Institute and PropOrNot, a nonpartisan group of researchers, independently provided reports to The Washington Post that detailed a sophisticated, multi-pronged disinformation campaign designed to propagate two specific messages: first, that Hillary Clinton was deathly ill and was secretly plotting to turn America into a plutocracy run by "shadowy financiers"; and second, that the world was on the brink of a war with Russia. The groups traced 200 of the biggest fake news websites to the Russian government, as well as a group of botnets and human "trolls", which planted stories and reached at least 15 million Americans. (For a sense of scale, more than 135 million people voted in 2016. Clinton appears likely to win the popular vote by more than two million ballots despite decisively losing the electoral college.)

Re: Russian propaganda effort helped spread 'fake news' during election, experts say

Dick Mills <dickandlibbymills@gmail.com>

Date: Mon, 28 Nov 2016 08:44:15 -0500

Alas, truth is so much in the eye of the beholder.

The Washington Post said: "Two teams of independent researchers found that the Russians exploited American-made technology..."

https://www.washingtonpost.com/business/economy/russian-propaganda-effort-helped-spread-fake-news-during-election-experts-say/2016/11/24/793903b6-8a40-4ca9-b712-716af66098fe_story.html

But *The Intercept* suggests that the Post's source is a group of fake researchers.

"In casting the group behind this website as *experts*, The Post described PropOrNot simply as "a nonpartisan collection of researchers with foreign policy, military and technology backgrounds." Not one individual at the organization is named. The executive director is quoted, but only on the condition of anonymity, which the Post said it was providing the group "to avoid being targeted by Russia's legions of skilled hackers."

https://theintercept.com/2016/11/26/washington-post-disgracefully-promotes-a-mccarthyite-blacklist-from-a-new-hidden-and-very-shady-group/

Why do we beat ourselves up arguing about truth rather than facts? Bare facts need no explanation, no context, no commentary, no characterizations, are never misleading, and do not constitute propaganda, lessons, or public education. A fact by definition is something that can be verified by third parties, and all third parties can be expected to come to the same conclusion.

To me, a trusted news source sticks to bare facts and abstains from all embellishments. But in my lifetime, I've never seen such a news source.

We can all agree about facts, but never agree on the truth.

Dick Mills, Sailing Vessel Tarwathie

Why Trump and Fake News are Putting the Pressure on Facebook

Bloomberg <farber@gmail.com>

Date: Sat, 26 Nov 2016 13:45:00 -0500

Bloomberg, 25 Nov 2016

Following criticism that fake news had an impact on the U.S. election, Facebook has promised to tackle phony articles. Bloomberg's Ramy Inocencio reports on "Bloomberg Daybreak: Asia." Fake news is big news these days. There's an emotional debate over the explosion of information on the Internet—and on social media sites in particular—that's provably false or intentionally misleading. As content of dubious authenticity swirls on platforms like Facebook, Twitter and Google, many in the media worry consumers may lose trust in stories that are actually true. Maybe most uncomfortable are the social media companies, Facebook especially. They make millions in ad revenue by distributing information, but the last thing they want are the responsibilities that come with being a publisher, like ensuring stories are accurate.

To read the entire article, go to http://bloom.bg/2fx6BRu


"How Fake and False News Distort Google and Others"

Lauren Weinstein <lauren@vortex.com>

Date: Fri, 25 Nov 2016 14:01:48 -0800

via NNSquad https://lauren.vortex.com/2016/11/25/how-fake-and-false-news-distort-google-and-others

With all of the current discussions regarding the false and fake news glut on the Internet—often racist in nature, some purely domestic in origin, some now believed to be instigated by Putin's Russia—it's obvious that the status quo for dealing with such materials is increasingly untenable.

But what to do about all this?

As I have previously discussed, my general view is that more information -- not less -- is the best solution to these distortions that may have easily turned the 2016 election on its head.

https://lauren.vortex.com/2016/11/16/crushing-the-internet-liars

Labeling, tagging, and downranking of clearly false or fake posts is an approach that can help to reduce the tendency for outright lies to be treated equivalently with truth in social media and search engines. These techniques also avoid invoking the actual removal of lying items themselves and the "censorship" issues that then may come into play (though private firms quite appropriately are indeed free to determine what materials they wish to permit and host—the First Amendment only applies to governmental restraints on speech in the USA).

How effective might such labeling be? Think about the labeling of "fake news" in the same sort of vein as the health warnings on cigarette packs. We haven't banned cigarettes. Some people ignore the health warnings, and many people still smoke in the USA. But the number of people smoking has dropped dramatically, and studies show that those health warnings have played a major role in that decrease.

Labeling fake and false news to indicate that status—and there's a vast array of such materials where no reasonable arguments that they are not untrue can reasonably exist—could have a dramatic positive impact. Controversial? Yep. Difficult? Sure. But I believe that this can be approached gradually, starting with top trending stories and top search results.

A cure-all? No, just as cigarette health warnings haven't been cure-alls. But many lives have still been saved. And the same applies to dealing with fake news and similar lies masquerading as truthful posts.

Naysayers suggest that it's impossible to determine what's true or isn't true on the Internet, so any attempts to designate anything that's posted as really true or false must fail. This is nonsense. And while I've previously noted some examples (Man landing on the moon, Obama born in Hawaii) it's not hard to find all manner of politically-motivated lies that are also easy to ferret out as well.

For example, if you currently do a Google search (at least in the USA) for: Southern Poverty Law Center You will likely find an item on the first page of results (even before some of the SPLC's own links) from online [...] Breitbart—whose [...] Steve Bannon has now been given a senior role in the upcoming Trump administration.

The link says: FBI Dumps Southern Poverty Law Center as Hate Crimes Resource

Actually, this is a false story, dating back to 2014. It's an item that was also picked up from Breitbart and republished by an array of other racist sites who hate the good work of the SPLC fighting both racism and hate speech.

Now, look elsewhere on that page of Google search results—then on the next few pages. No mention of the fact that the original story is false, that even the FBI itself issued a statement noting that they were still working with the SPLC on an unchanged basis.

Instead of anything to indicate that the original link is promoting a false story, what you'll mostly find on succeeding pages is more anti-SPLC right-wing propaganda.

This situation isn't strictly Google's fault. I don't know the innards of Google's search ranking algorithms, but I think it's a fair bet that "truth" is not a major signal in and of itself. More likely there's an implicit assumption—which no longer appears to necessarily hold true—that truthful items will tend to rise to the top of search results via other signals that form inputs to the ranking mechanisms.

In this case, we know with absolute certainty that the original story on page one of those results is a continuing lie, and the FBI has confirmed this (in fact, anyone can look at the appropriate FBI pages themselves and categorically confirm this fact as well).

Truth matters. There is no equivalency between truth and lies, or otherwise false or faked information.

In my view, Google should be dedicated to the promulgation of widely accepted truths whenever possible. (Ironic side note: The horrible EU "Right To Be Forgotten"—RTBF—that has been imposed on Google, is itself specifically dedicated to actually hiding truths!)

As I've suggested, the promotion of truth over lies could be accomplished both by downranking of clearly false items, and/or by labeling such items as (for example) "DEEMED FALSE"—perhaps along with a link to a page that provides specific evidence supporting that label (in the SPLC example under discussion, the relevant page of the FBI site would be an obvious link candidate).

None of this is simple. The limitations, dynamics, logistics, and all other aspects of moving toward promoting truth over lies in social media and search results will be an enormous ongoing effort—but a critically crucial one.

The fake news, filter bubbles, echo chambers, and hate speech issues that are now drowning the Internet are of such a degree that we need to call a major summit of social media and search firms, experts, and other concerned parties on a multidisciplinary basis to begin hammering out practical industry-wide solutions. Associated working groups should be established forthwith.

If we don't act soon, we will be utterly inundated by the false "realities" that are being created by evil players in our Internet ecosystems, who have become adept at leveraging our technology against us—and against truth.

There is definitely no time to waste.

Macy's Website Suffers Disruptions During Critical Shopping Day

Bloomberg via Gabe Goldberg <gabe@gabegold.com>

Date: Fri, 25 Nov 2016 20:19:12 -0500

Bloomberg, 25 Nov 2016 http://bloom.bg/2gpFtFp

The Macy's Inc. website suffered service disruptions on Black Friday, dealing a setback to a company trying to persuade shoppers -- and investors -- that it can handle e-commerce.

Different sort of DDOS—too many customers!

Good at Skipping Ads? No, You're Not

The New York Times <monty@roscom.com>

Date: Sun, 27 Nov 2016 01:39:13 -0500

http://www.nytimes.com/2016/11/25/books/review/black-ops-advertising-mara-einstein.html

Research Says Samsung Galaxy S7 Safest Smartphone, iPhone 7 Worst

Inquisitr <monty@roscom.com>

Date: Sun, 27 Nov 2016 10:23:40 -0500

http://www.inquisitr.com/3747881/research-says-samsung-galaxy-s7-edge-safest-smartphone-iphone-7-one-of-the-worst/

Re: More on election integrity

Mark E. Smith <mymark@gmail.com>

Date: Fri, 25 Nov 2016 19:05:52 -0800

In https://www.washingtonpost.com/posteverything/wp/2016/11/23/u-s-elections-are-a-mess-whether-this-one-was-hacked-or-not/

Bruce Schneier wrote:

"The risks are real: Electronic voting machines that don't use a paper ballot are vulnerable to hacking."

True. But elections using electronic voting machines that do use paper ballots are also vulnerable to hacking, because the voting machines only record the votes, they do not count or tally them. That function is performed by central tabulators, and central tabulators are also computers that have been proven vulnerable to hacking.

In fact, all computers are vulnerable to hacking. If there were any hack-proof computers, governments, intelligence agencies, banks, and big corporations would buy them, and dispense with the services of security technologists like Bruce Schneier.

[And as we keep learning, election integrity is a total-system problem, from beginning to end, where every step has potential vulnerabilities -- as I have repeatedly pointed out here. Even if we had hack-proof computers (which would still be susceptible to insider misuse), there are many problems that are completely non-computer-related. PGN]