[30259] in RISKS Forum
Risks Digest 30.08
daemon@ATHENA.MIT.EDU (RISKS List Owner)
Tue Jan 10 15:14:43 2017
From: RISKS List Owner <risko@csl.sri.com>
Date: Tue, 10 Jan 2017 12:14:32 PST
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Tuesday 10 January 2017 Volume 30 : Issue 08
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.08>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Russian Hackers Find Ready Bullhorns in the Media (Max Fischer)
France blocks 24,000 cyberattacks amid fears that Russia may try to
influence French presidential election (David Chazan)
Russia's RT: The Network Implicated in U.S. Election Meddling
(Russell Goldman)
How to Starve Online Hate (Pagan Kennedy)
Disrupting The Business Model of the Fake News Industry
(Katherine Haenschen and Paul Ellenbogen)
A Chilling PBS Documentary Shows How Mistakes Are Made (Neil Genzlinger)
FDA Offers Advice for Hacking Risks With St Jude Cardiac Devices
(Arthur Flatau)
Vulnerability Disclosure Attitudes and Actions (NTIA)
Perhaps a laptop can be too thin? (Henry Baker)
Iran's p*rn censorship broke browsers as far away as Hong Kong (The Verge)
"Windows security patches crash Active Directory Admin Center"
(Woody Leonhard)
"More than 10,000 exposed MongoDB databases deleted by ransomware groups"
(Lucian Constantin)
Re: Cloudflare explains the leap second bug (David E. Ross)
Re: "The Real Name Fallacy" (Identity withheld)
Re: Russian Hacking (Dick Mills)
Re: "TV anchor says live on-air 'Alexa ...'," (Adam Shostack,
Jeremy Epstein, Mark Thorson)
IoT Home Inspector Challenge (FTC via Alister Wm Macintyre)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Sun, 8 Jan 2017 13:16:17 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Russian Hackers Find Ready Bullhorns in the Media (Max Fischer)
Max Fischer, *The New York Times*, 8 Jan 2017
http://www.nytimes.com/2017/01/08/world/europe/russian-hackers-find-ready-bullhorns-in-the-media.html?partner=rss&emc=rss
But in this case, the source was Russia's military intelligence agency,
the GRU -- operating through shadowy fronts who worked to mask that
fact -- and its agenda was to undermine the American presidential
election. By releasing documents that would tarnish Hillary Clinton and
other American political figures, but whose news value compelled coverage,
Moscow exploited the very openness that is the basis of a free press. Its
tactics have evolved with each such operation, some of which are still
unfolding. Thomas Rid, a professor of security studies at King's College
London who is tracking the Russian influence campaign, said it goes well
beyond hacking: "It's political engineering, social engineering on a
strategic level."
------------------------------
Date: Sun, 8 Jan 2017 14:52:03 -0500
From: Monty Solomon <monty@roscom.com>
Subject: France blocks 24,000 cyberattacks amid fears that Russia may try to
influence French presidential election (David Chazan)
http://www.telegraph.co.uk/news/2017/01/08/france-blocks-24000-cyber-attacks-amid-fears-russia-may-try/
------------------------------
Date: Sun, 8 Jan 2017 15:31:08 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Russia's RT: The Network Implicated in U.S. Election Meddling
(Russell Goldman)
Russell Goldman, *The New York Times*, 8 Jan 2017
http://www.nytimes.com/2017/01/07/world/europe/russias-rt-the-network-implicated-in-us-election-meddling.html
Created by Russia's government to offer “the Russian view on global news,”
RT acted like a Kremlin propaganda operation, an American intelligence
report suggests.
------------------------------
Date: Sun, 8 Jan 2017 15:45:19 -0500
From: Monty Solomon <monty@roscom.com>
Subject: How to Starve Online Hate (Pagan Kennedy)
Many companies don't know that their ads are appearing next to abhorrent
content. Tell them.
http://www.nytimes.com/2017/01/07/opinion/sunday/how-to-destroy-the-business-model-of-breitbart-and-fake-news.html
[The same article by Pagan Kennedy is in the hardcopy National Edition of
*The New York Times* Sunday Review, although with the title in the subject
line above. PGN]
------------------------------
Date: Sun, 8 Jan 2017 16:15:03 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Disrupting The Business Model of the Fake News Industry
(Katherine Haenschen and Paul Ellenbogen)
https://freedom-to-tinker.com/2016/12/14/disrupting-the-business-model-of-the-fake-news-industry/
In the aftermath of the 2016 election, researchers and media professionals
alike seized on the vast proliferation of so-called *Fake News* on Facebook
as a cause for concern. An informed citizenry is a necessary condition for
democracy, so it is far from ideal to have millions of people consuming
intentionally misleading information masquerading as hard news. Now that
Facebook has admitted that it has a problem with Fake News, Mark Zuckerberg
and Co. need to do even more to prevent its spread on the platform. We
propose one solution: Facebook should block advertising links to Fake News
websites and Fake News pages on the Facebook platform itself. [...]
------------------------------
Date: Mon, 9 Jan 2017 23:07:31 -0500
From: Monty Solomon <monty@roscom.com>
Subject: A Chilling PBS Documentary Shows How Mistakes Are Made
(Neil Genzlinger)
Neil Genzlinger, *The New York Times*, 4 Jan 2017
http://www.nytimes.com/2017/01/04/arts/television/a-chilling-pbs-documentary-shows-how-mistakes-are-made.html
*Command and Control* is an *American Experience* episode on PBS on 10 Jan
[tonight]. It recounts a 1980 maintenance blunder at a missile silo in
Arkansas.
------------------------------
Date: Mon, 9 Jan 2017 16:36:10 -0600
From: Arthur Flatau <flataua@acm.org>
Subject: FDA Offers Advice for Hacking Risks With St Jude Cardiac Devices
The US Food and Drug Administration today issued a Safety Communication to
reduce the risk of patient harm due to cybersecurity vulnerabilities
associated with St Jude Medical's radio-frequency-enabled implantable
cardiac devices and corresponding Merlin@home Transmitter.
<http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm?source=govdelivery&utm_medium=email&utm_source=govdelivery>
After months of reviewing information, the FDA confirmed there are
"vulnerabilities" that if exploited could allow an unauthorized user to
"remotely access a patient's RF-enabled implanted cardiac device by altering
the Merlin@home Transmitter."
The FDA said there have been no reports of patient harm related to the
cybersecurity vulnerabilities but that if hacked, the "transmitter could be
used to modify programming commands to the implanted device, which could
result in rapid battery depletion and/or administration of inappropriate
shocks."
http://www.medscape.com/viewarticle/874193
------------------------------
Date: Sun, 8 Jan 2017 15:21:07 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Vulnerability Disclosure Attitudes and Actions (NTIA)
A Research Report from the NTIA Awareness and Adoption Group
https://www.ntia.doc.gov/files/ntia/publications/2016_ntia_a_a_vulnerability_disclosure_insights_report.pdf
------------------------------
Date: Sun, 08 Jan 2017 12:02:22 -0800
From: Henry Baker <hbaker1@pipeline.com>
Subject: Perhaps a laptop can be too thin?
Perhaps it's time for Apple to bring back the "Titanium" Powerbook?
[I'll bet Steve Frappier is *really glad* that he wasn't carrying a
Samsung Galaxy Note 7 in his backpack... Now if Apple could only make
bullet-proof software... HB]
MacBook saves man's life during Fort Lauderdale airport shooting
WPLG Miami 7 Jan 2017
http://www.chron.com/news/article/Macbook-saves-man-s-life-Fort-Lauderdale-10842126.php
There were bullets flying at Fort Lauderdale-Hollywood International Airport
when 11 people were shot. Five of them didn't make it out of the baggage
claim area alive. And Steve Frappier was lucky. He credited his Apple
MacBook Pro for saving his life. The 37-year-old traveler from Atlanta
brought his school-issued laptop, because he was going to an education
conference. He placed it in his backpack, but didn't think of it when he
felt an impact on his back during the shooting. Frappier said he saw a man
get shot in the head and heard his wife screaming.
When the bloodshed was over, he said he went to the men's restroom and saw a
bullet hole in the laptop. He gave it to FBI agents. And he was in shock
when they found a 9 mm bullet in his backpack. That was when he realized a
gunman aimed to kill him, but the laptop took the bullet for him. "If I
didn't have that backpack on, the bullet would have shot me between the
shoulders," Frappier said.
------------------------------
Date: Sun, 8 Jan 2017 20:38:12 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Iran's p*rn censorship broke browsers as far away as Hong Kong
(The Verge)
The Verge via NNSquad
http://www.theverge.com/2017/1/7/14195118/iran-porn-block-censorship-overflow-bgp-hijack
Thursday afternoon, something very unusual happened to super - - - - - - -
-.com. That site and 255 others -- many of them p*rn sites -- suddenly
began dropping off the web. The servers showed no problems, but users from
Russia to Hong Kong were typing the URLs into their browsers and getting
blank pages. Something on the Internet was getting in the way.
Executive summary: Screwed up BGP ... again.
------------------------------
Date: Mon, 09 Jan 2017 09:50:16 -0800
From: Gene Wirchenko <genew@telus.net>
Subject: "Windows security patches crash Active Directory Admin Center"
(Woody Leonhard)
Woody Leonhard, InfoWorld, 6 Jan 2017
The bad December patches include Windows 7 security-only KB 3205394 and
Windows 10 cumulative updates KB 3206632, KB 3205386
http://www.infoworld.com/article/3155264/microsoft-windows/december-windows-security-patches-crash-active-directory-admin-center.html
opening text:
It's been three weeks since Microsoft released its December security
patches, and a bad conflict with the Active Directory Admin Center (and, by
some accounts, SCCM) is only now reaching the mainstream. Those of you
running Active Directory take note.
The good news: Uninstalling the wayward patch solves the problem. The bad
news: Nobody seems to know exactly which patches trigger the crash.
------------------------------
Date: Mon, 09 Jan 2017 09:53:47 -0800
From: Gene Wirchenko <genew@telus.net>
Subject: "More than 10,000 exposed MongoDB databases deleted by
ransomware groups" (Lucian Constantin)
Lucian Constantin, Romania Correspondent, InfoWorld, 6 Jan 2017
Five groups of attackers are competing to delete as many publicly
accessible MongoDB databases as possible
http://www.infoworld.com/article/3155201/security/more-than-10000-exposed-mongodb-databases-deleted-by-ransomware-groups.html
selected text:
Groups of attackers have adopted a new tactic that involves deleting
publicly exposed MongoDB databases and asking for money to restore them. In
a matter of days, the number of affected databases has risen from hundreds
to more than 10,000.
The issue of misconfigured MongoDB installations, allowing anyone on the
Internet to access sensitive data, is not new. ... puts their number at
more than 99,000.
On Monday, security researcher Victor Gevers from the GDI Foundation
reported that he found almost 200 instances of publicly exposed MongoDB
databases that had been wiped and held to ransom by an attacker or a group
of attackers named Harak1r1.
The bad news is that most of them don't even bother copying the data before
deleting it, so even if the victims decide to pay, there's a high chance
they won't get their information back.
[See also Fahmida Y. Rashid, MongoDB ransomware attacks sign criminals
are going after servers, applications:
http://www.infoworld.com/article/3155435/cyber-crime/mongodb-ransomware-attacks-sign-criminals-are-going-after-servers-applications.html
PGN, also from Gene]
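The misconfiguration behind these wipes is an instance that listens on the
public Internet with no authorization enabled. Added editorial example, not
from the article or from MongoDB's own documentation: a mongod.conf in that
state beside a hardened one. The option names (net.bindIp,
security.authorization) are standard mongod.conf keys; the dbPath and port
are assumed defaults.

```yaml
# --- exposed (constructed example of the state the article describes) ---
# Listens on every interface and, with no security section, lets any client
# that can reach the port list, read, drop and rewrite every database.
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
---
# --- hardened ---
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1        # or only the private address the application host uses
security:
  authorization: enabled   # every client must authenticate and hold a role
```

Create an administrative user before enabling authorization (or afterwards
through the localhost exception, which only permits creating the first user),
restart mongod, and confirm from a host outside the network that
`mongo --host <public-address> --eval 'db.adminCommand({listDatabases: 1})'`
is refused. Since the article notes most of these attackers delete without
copying, paying would not bring the data back; keep `mongodump` backups that
the database user itself cannot delete.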
------------------------------
Date: Sun, 8 Jan 2017 11:48:03 -0800
From: "David E. Ross" <david@rossde.com>
Subject: Re: Cloudflare explains the leap second bug (RISKS-30.07)
There is really no excuse for Cloudflare's problem with the recent
leap-second. In 1969 and for many years afterward, I worked on computer
software that handled leap-seconds correctly. All we needed was about 2
months' advance notice that a leap-second would occur; today, such notices
are available much more than 2 months in advance.
The key to proper handling of time is that computer systems should
internally maintain atomic time (TAI, from the French term Temps Atomique
International) instead of universal time (UTC, French Temps universel
coordonné). TAI and UTC share the same definition of a second, and a TAI
clock ticks its seconds at the exact same instant as a UTC clock.
However, a TAI clock does not tick the same second as a UTC clock. This is
because TAI never has leap-seconds, which means that it has a growing
failure to align with time computed from the sun. UTC, on the other hand,
requires leap-seconds to keep its time aligned with sun-time. Thus, today a
UTC clock might show 11:24:00 while a TAI clock will simultaneously show
11:24:27.
At the very beginning of 1 January 2017, while a TAI clock kept ticking
60-second minutes, a UTC clock ticked a 61-second minute. This is how it
looked, allowing for the fact that, before then, the two were already 26
seconds misaligned:
        UTC                      TAI
   31 Dec 16 23:59:58      1 Jan 17 00:00:24
   31 Dec 16 23:59:59      1 Jan 17 00:00:25
   31 Dec 16 23:59:60      1 Jan 17 00:00:26   <= the leap-second
    1 Jan 17 00:00:00      1 Jan 17 00:00:27
    1 Jan 17 00:00:01      1 Jan 17 00:00:28
For user interfaces, a simple routine in the software on which I worked
converted internal TAI to external UTC for displays and reports and
converted external UTC to internal TAI for user input. A more complex
software routine handled the fact that the earth's rotation exhibits annual
and semi-annual fluctuations and thus the earth's current rotational
position and velocity. All this was necessary because the software was used
to operate earth-orbiting space satellites. Accurate time is needed to
determine what spot on the rotating earth was directly beneath a satellite
while giving the human users data in terms of "wall clock" time (UTC).
Cloudflare is not alone in having software developed by individuals who have
little knowledge about the dynamics of time. The problem of careless
(ignorant?) programmers is even promoting plans to eliminate leap-seconds,
which would mean a gradual (but generally unnoticeable in a human lifetime)
shift in the times of sunrise, sunset, and tides.
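The TAI-inside, UTC-at-the-edges arrangement David Ross describes, as an added
example (editor's code, not code from his message or from Cloudflare). It
assumes a small leap-second table holding the TAI-UTC values published by
IERS for the 2012, 2015 and 2017 leap seconds (35, 36 and 37 s); the function
names and the text format of the readings are illustrative. Internally every
second is one integer, so the 23:59:60 reading is just the integer between
23:59:59 and the following 00:00:00, and elapsed time is integer subtraction.

```python
from datetime import datetime, timedelta, timezone

# Constructed leap-second table using the TAI-UTC values published by IERS
# Bulletin C: each entry is the UTC instant at which a new offset takes effect.
# Only the three most recent leap seconds are included; a real system would
# load the full table (and its expiry date) from a maintained source.
LEAP_TABLE = [
    (datetime(2012, 7, 1, tzinfo=timezone.utc), 35),
    (datetime(2015, 7, 1, tzinfo=timezone.utc), 36),
    (datetime(2017, 1, 1, tzinfo=timezone.utc), 37),
]
OFFSET_BEFORE_TABLE = 34  # TAI-UTC in force from 2009-01-01 until the first entry


def _posix(dt):
    """Leap-second-free count of seconds since 1970-01-01 UTC (the POSIX convention)."""
    return int(dt.timestamp())


def _tai_offset_for_utc(dt):
    """TAI-UTC in force at a UTC instant other than an inserted :60 second."""
    offset = OFFSET_BEFORE_TABLE
    for instant, new_offset in LEAP_TABLE:
        if dt >= instant:
            offset = new_offset
    return offset


def utc_to_tai(text):
    """Parse a UTC reading 'YYYY-MM-DD HH:MM:SS' (SS may be 60) into internal
    TAI seconds. A :60 reading maps to the integer between 23:59:59 and the
    next day's 00:00:00, and is accepted only where the table says one exists."""
    date_part, time_part = text.split(" ")
    hh, mm, ss = (int(x) for x in time_part.split(":"))
    day = datetime.strptime(date_part, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    if ss == 60:
        inserted_at = day + timedelta(days=1)
        if (hh, mm) != (23, 59) or all(instant != inserted_at for instant, _ in LEAP_TABLE):
            raise ValueError(f"no leap second at {text}")
        last_normal = day + timedelta(hours=23, minutes=59, seconds=59)
        return _posix(last_normal) + _tai_offset_for_utc(last_normal) + 1
    if not 0 <= ss <= 59:
        raise ValueError(f"bad seconds field in {text}")
    utc = day + timedelta(hours=hh, minutes=mm, seconds=ss)
    return _posix(utc) + _tai_offset_for_utc(utc)


def tai_to_utc(tai):
    """Render internal TAI seconds as a UTC wall-clock string, emitting :60 for
    the inserted second instead of repeating or skipping a reading."""
    offset = OFFSET_BEFORE_TABLE
    for instant, new_offset in LEAP_TABLE:
        tai_at_switch = _posix(instant) + new_offset  # TAI count when the new offset starts
        if tai == tai_at_switch - 1:
            # The inserted second: UTC labels it 23:59:60 of the preceding day.
            return (instant - timedelta(seconds=1)).strftime("%Y-%m-%d %H:%M:") + "60"
        if tai >= tai_at_switch:
            offset = new_offset
    return datetime.fromtimestamp(tai - offset, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def tai_to_string(tai):
    """Render TAI seconds as a TAI calendar reading; TAI has no leap seconds,
    so this is plain calendar arithmetic."""
    return datetime.fromtimestamp(tai, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def leap_transition_table(start_utc="2016-12-31 23:59:58", count=5):
    """Walk consecutive internal seconds from start_utc; returns (UTC, TAI) pairs."""
    t0 = utc_to_tai(start_utc)
    return [(tai_to_utc(t0 + i), tai_to_string(t0 + i)) for i in range(count)]


def elapsed_seconds(start_text, end_text):
    """SI seconds between two ordinary UTC readings computed via TAI, next to
    the result of naively subtracting their POSIX timestamps (which cannot see
    the inserted second at all)."""
    via_tai = utc_to_tai(end_text) - utc_to_tai(start_text)

    def naive(text):
        return _posix(datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc))

    return via_tai, naive(end_text) - naive(start_text)


if __name__ == "__main__":
    for utc, tai in leap_transition_table():
        print(f"{utc}   {tai}")
    print("23:59:59 -> 00:00:00 elapsed (TAI, POSIX):",
          elapsed_seconds("2016-12-31 23:59:59", "2017-01-01 00:00:00"))
```

Run stand-alone it prints the five-row transition table around 1 January
2017 with the :60 row in place, and shows the same interval measured as 2 s
in TAI but 1 s by POSIX subtraction. The rejected-input path matters in
practice: a :60 reading on a date with no leap second is corrupt input, not
a time, and the converter refuses it rather than silently rounding.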
------------------------------
Date: Mon, Jan 9, 2017 at 3:52 AM
From: [Identity withheld by Dave Farber per request]
Subject: Re: "The Real Name Fallacy"
The only thing the requirement for real names in social networks produces is
an enormous chilling effect on the writing by exactly the category of people
we would all want to read and learn from: smart, aware of the realities of
life, having opinions of their own, and desiring to talk about things which
actually matter rather than engage in verbal mutual grooming.
Smart - because smart people are interested in big and often controversial
issues. Meaningless chatter about celebrity antics and greatness of Burning
Man is for dullards.
Only a person totally oblivious to how corporate business works uses his
real name to discuss anything remotely politically sensitive on-line. The
rest of us understand very well that the first thing an HR dept does upon
receiving a qualified resume is on-line search to see any dirt (in the eyes
of the HR drone) which may justify tossing the resume into trash can. In
many cases this "vetting" could be totally illegal, but the law is also
totally unenforceable here. Besides, "I was rejected because the lady in HR
disliked my joke about cats" isn't going to impress the judge. Same goes for
the people searching dirt on their opponents in corporate political games,
etc. No one who has any awareness of the reality would want to conflate
personal with professional.
Now, the mindless parrots merely regurgitating approved blabber from the
mainstream press are probably reasonably safe. They also are absolutely
boring. Thank you, I can read WaPo myself. The only interesting speech is by
those who have something new or different to say and have a mind of their own.
Finally... nobody cares about pictures of cats, vacation photos, or stories
about how great the last party was. It's content-free, it is nothing more
than mutual grooming. I like yours, you like mine. Nothing wrong with that,
but, please, I have a mind which needs something more complicated than
simian camaraderie.
The obvious and observable result is terrifying dullness of social networks
- and willing and widespread disrespect of the "real names only" policies by
virtually everyone whose words I may be interested in reading (and who
haven't yet secured an unassailable position of a tenured professor or a
housewife).
And, yes, I'm one of those who got banned by Facebook for not using my real
name. I consider it beneath myself to use Photoshop to bypass the
idiotically easy identity check FB requires, so I'm not coming back to that
platform, ever.
------------------------------
Date: Mon, 9 Jan 2017 10:41:29 -0500
From: Dick Mills <dickandlibbymills@gmail.com>
Subject: Re: Russian Hacking
In RISKS-30.06, PGN said:
"Nevertheless, nation-state hacking into other nations' systems is
reprehensible."
That would carry a lot more moral authority if it were preceded by a pledge
by the US government to forswear hacking other nations' systems. But we
openly talk about US Cybercommand, whose mission is to do exactly that.
As discussed in RISKS-30.04, *The Washington Post* told of the USA's long
history of interfering in other nations' elections or promoting regime
change. But in today's bizarre political debate, hacking another nation's
systems may be deemed more reprehensible than assassination or bombing their
capital city.
------------------------------
Date: Mon, 9 Jan 2017 11:43:23 -0500
From: Adam Shostack <adam@shostack.org>
Subject: Re: "TV anchor says live on-air 'Alexa ...'," (RISKS-30.07)
PGN notes that there's a history of these attacks documented in RISKS.
There was also a talk at Blackhat this summer which summarized, modeled, and
presented security guidance and privacy guidance for voice driven products.
It will be interesting to see how well they did at predicting the problems
which emerge.
http://www.ewf-usa.com/page/voiceprivacy
https://www.blackhat.com/us-16/briefings.html#building-trust-and-enabling-innovation-for-voice-enabled-iot
------------------------------
Date: Sun, 8 Jan 2017 18:49:21 -0500
From: Jeremy Epstein <jeremy.j.epstein@gmail.com>
Subject: Re: "TV anchor says live on-air 'Alexa ...'," (RISKS-30.07)
This really shouldn't be much of a surprise. When voice commands were just
beginning, there was the (likely apocryphal) story that during an early
demo, someone yelled from the back of the room "format c:", at which point
the system did as instructed.
Whether or not this is true (and I heard it at least a couple decades ago),
it's unfortunate that the Alexa designers didn't consider the known risks...
[In the process of trying to figure out when I heard about disk formatting
first, I ran across a Dilbert cartoon from 1994 demonstrating this risk:
http://dilbert.com/strip/1994-04-24]
------------------------------
Date: Sun, 8 Jan 2017 17:56:47 -0800
From: Mark Thorson <eee@sonic.net>
Subject: Re: "TV anchor says live on-air 'Alexa ...'," (RISKS-30.07)
[Alexa, subscribe me to the Risks Digest!]
This presents opportunities for calling talk radio stations and giving Alexa
commands.
------------------------------
Date: Mon, 9 Jan 2017 09:48:46 -0600
From: "Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Subject: IoT Home Inspector Challenge (FTC)
If you can come up with a tool that keeps zombie botnets from taking over
your connected hairbrush, refrigerator, or nanny cam, the US Federal Trade
Commission (FTC) wants to pay you $25,000.00, assuming you are the first to
contact the FTC with a best solution in the FTC "IoT Home Inspector
Challenge." There are also awards of $3,000.00 each for honorable mention
winners.
The winning tool needs to be able to resolve the problems of "smart" and
"IoT" devices that have out-of-date or inadequate security.
Submissions will be accepted, starting in March 2017, with final deadline
May 22. Winners shall be announced around 2017 July 27.
https://www.ftc.gov/iot-home-inspector-challenge
https://www.ftc.gov/news-events/blogs/business-blog/2017/01/25000-prize-winner-internet-things-home-inspector-challenge
https://www.consumer.ftc.gov/blog/announcing-internet-things-home-inspector-challenge
Rules, such as who owns the solution.
https://www.ftc.gov/news-events/contests/iot-rules
and FAQ https://www.ftc.gov/iot/faqs
How to participate in the contest: https://www.ftc.gov/node/1010513
I have not read the complete contents of all the above links, just their
summary statements and abstracts. I suggest that people interested in
participating in the contest do so.
Not mentioned in the challenge requirements, but important to me:
* Provide to our home, car, work place, etc. services similar to that of a
Firewall, where we have the option of telling which "smart" or "IoT"
services may operate in which modes, like OFF, require a Yes/No from
operator, which actions to perform, do 100% spying on us, accept as valid
commands, anything we hear on radio, TV, other background noise.
* Identify "smart" and "IoT" connected gadgets in the home, or affecting the
home, such as neighbor wifi, smart utility company meters, which have the
capability of messing with electronics in the home, and/or have capability
of harming the home.
* Identify any purchased items whose internal "RFID" was not turned off,
when we purchased it.
* Provide aids to backing up current config, then obtaining latest security
patches, if any are available.
* Scan all these "smart" and IoT home connections, identify which of them
have what viruses, remove them. Have option to setup an automated
schedule of scans, like we have on most computers.
* Offer a log of hack attempts into your home's connected devices, and a way
to share that log with security organizations, similar to DShield of
Firewall logs, and KNUJON for spam e-mail.
* Offer a log, on incidents of smart devices sending info from our home,
which we can sort to see which devices are most prolific in doing so.
* Plug & Play alert the moment another "smart" or "IoT" or other similar
technology device is introduced into the household.
* Develop a hand held device to carry around to locate the spies which have
Internet connections.
For connected devices in which it is impossible to fix their cyber
security, offer information links, which collectively provide:
* Brand names of competitor products, which provide similar services,
with vastly superior cyber security;
* How to disconnect the "smart" or "IoT" hardware, making it impossible for
that device to be a continuing threat.
* Legal site opinion on whether it is against the law in your nation, city,
province, etc. to disconnect this threat, what the penalties can be if you
do so, and are caught.
* While we may own devices for specific purposes, it may be illegal for us to
use them for other purposes; who can we sue when those devices act against
our best interests?
------------------------------
Date: Wed, 17 Aug 2016 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
<http://the.wiretapped.net/security/info/textfiles/risks-digest/>
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 30.08
************************