Risks Digest 30.11
daemon@ATHENA.MIT.EDU (RISKS List Owner)
Sat Jan 28 11:22:42 2017
From: RISKS List Owner <risko@csl.sri.com>
Date: Sat, 28 Jan 2017 8:22:33 PST
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Saturday 28 January 2017 Volume 30 : Issue 11
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.11>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
"The missile may have veered ... towards the United States"
(AFP via danny burstein)
Clip from Schlosser's Command and Control (Ken Knowlton)
Russians Charged With Treason Worked in Office Linked to Election Hacking
(The NYTimes)
United Airlines resumes flights after temporary ground order
(CNN via Monty Solomon)
Galaxy Note 7 investigation concludes, pair of issues will cost
Samsung $5 billion (geoff goodfellow)
Galaxy Note 7 Fires Caused by Battery and Design Flaws, Samsung Says
(The NYTimes)
Verizon remotely disables remaining Galaxy Note 7 phones
(Kelly Bert Manning)
"HP recalls over 100,000 more laptop batteries for fire hazard" (Agam Shah)
"Cisco scrambling to fix a remote code execution problem in Webex"
(Tim Greene)
TOR servers misused for spam (Gerrit Muller)
"OpenSSL issues new patches as Heartbleed still lurks" (Fahmida Y. Rashid)
White House kills their comment phone line, but a new one appears
(Lauren Weinstein)
Facebook is changing its Trending section to fight the spread of fake news
(Lauren Weinstein)
Massive networks of fake accounts found on Twitter (BBC)
U.S. Park Service tweets were result of old Twitter passwords
(Martyn Williams)
Fake news costing advertisers reputation, ad dollars (enterpriseinnovation)
Report fake news at alt-facts.net (alt-facts)
Finding credibility clues on Twitter (Science Daily)
The real reason why Trump using an old Android phone should freak you out
(BGR)
Donald Trump is using a private gmail account to secure the most
powerful Twitter account in the world (Sam Biddle)
Republican voter fraud? (PGN)
Cellphone dependency (Neil Youngman)
Re: CIA unveils new rules for collecting information on Americans (Mark F)
Re: Nim Language Draws From Best of Python, Rust, Go, and Lisp (Amos Shapir)
Re: Leap-seconds (John Levine)
Re: Japan testing USB phone charging in public buses (Andrew Duane)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Sun, 22 Jan 2017 19:49:07 -0500 (EST)
From: danny burstein <dannyb@panix.com>
Subject: "The missile may have veered ... towards the United States"
[AFP via Yahoo!]
UK govt accused of covering up failed Trident nuclear missile test
London (AFP) - The British government was accused on Sunday of covering up a
failed test of its nuclear weapons deterrent last year, just weeks before
lawmakers voted to renew the system. [...]
*The Sunday Times* newspaper, citing a senior naval source, claimed that the
Trident II D5 missile failed after being launched from a British submarine
off the coast of Florida in June.
The cause of the failure is top secret but the source suggested the missile
may have veered off in the wrong direction towards the United States.
https://www.yahoo.com/news/uk-govt-accused-covering-failed-trident-nuclear-missile-113729062.html
[Nothing in the story about what stopped the missile from reaching the US
or, for that matter, how far it flew.]
------------------------------
Date: Wed, 25 Jan 2017 21:43:23 -0500
From: Ken Knowlton <kcknowlton@aol.com>
Subject: Clip from Schlosser's Command and Control
Excerpt from Eric Schlosser's "Command and Control," Penguin, 2013, P.475
All of these military computer networks are far more technologically
advanced than the gold telephone that used to connect General LeMay to the
White House. But sometimes they experience a glitch. In October 2010 a
computer failure at F. E. Warren Air Force Base knocked fifty Minuteman III
missiles offline. For almost an hour, launch crews could not communicate
with their missiles. One third of the Minuteman IIIs at the base had been
rendered inoperable. The Air Force denied that the system had been hacked
and later found the cause of the problem: a circuit card was improperly
installed in one of the computers during routine maintenance. But the
hacking of America's nuclear command-and-control system remains a serious
threat. In January 2013, a report by the Defense Science Board warned that
the system's vulnerability to a large-scale cyber attack had never been
fully assessed. Testifying before Congress, the head of the U.S. Strategic
Command, General C. Robert Kehler, expressed confidence that no "significant
vulnerability" existed. Nevertheless, he said that an "end-to-end
comprehensive review" still needed to be done, that "we don't know what we
don't know," and that the age of the command-and-control system might
inadvertently offer some protection against the latest hacking
techniques. Asked whether Russia and China had the ability to prevent a
cyberattack from launching one of their nuclear missiles, Kehler replied,
"Senator, I don't know."
------------------------------
Date: Sat, 28 Jan 2017 7:22:01 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Russians Charged With Treason Worked in Office
Linked to Election Hacking (The NYTimes)
Scott Shane, David E. Sanger and Andrew E. Kramer,
*The New York Times*, 27 Jan 2017
http://www.nytimes.com/2017/01/27/world/europe/russia-hacking-us-election.html?smprod=nytcore-iphone&smid=nytcore-iphone-share
Two Russian intelligence officers who worked on cyberoperations and a
Russian computer security expert have been arrested and charged with treason
for providing information to the United States, according to multiple
Russian news reports.
As in most espionage cases, the details made public so far are incomplete,
and some rumors in Moscow suggest that those arrested may be scapegoats in
an internal power struggle over the hacking. Russian media reports link the
charges to the disclosure of the Russian role in attacking state election
boards, including the scanning of voter rolls in Arizona and Illinois, and
do not mention the parallel attacks on the D.N.C. and the email of John
Podesta, Mrs. Clinton's campaign chairman.
But one current and one former United States official, speaking about the
classified recruitments on condition of anonymity, confirmed that human
sources in Russia did play a crucial role in proving who was responsible for
the hacking. [...]
------------------------------
Date: Mon, 23 Jan 2017 04:07:48 -0500
From: Monty Solomon <monty@roscom.com>
Subject: United Airlines resumes flights after temporary ground order
http://www.cnn.com/2017/01/22/travel/united-grounds-domestic-flights-because-of-it-issue/index.html
[An outage of 3-plus hours, attributed to "IT problems".]
------------------------------
Date: Mon, 23 Jan 2017 10:26:57 -1000
From: the keyboard of geoff goodfellow <geoff@iconia.com>
Subject: Galaxy Note 7 investigation concludes, pair of issues will cost
Samsung $5 billion
Samsung has concluded its investigation involving the 2016 Galaxy Note 7
fires, and has determined that two different flaws resulted in the
conflagrations in the failing devices, with one creeping in after a
too-quick investigation:
http://appleinsider.com/articles/17/01/22/galaxy-note-7-investigation-concludes-pair-of-issues-will-cost-samsung-5-billion
------------------------------
Date: Mon, 23 Jan 2017 10:08:48 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Galaxy Note 7 Fires Caused by Battery and Design Flaws, Samsung Says
https://www.nytimes.com/2017/01/22/business/samsung-galaxy-note-7-battery-fires-report.html
See also
http://arstechnica.com/gadgets/2017/01/galaxy-note-7-investigation-blames-small-battery-cases-poor-welding/
------------------------------
Date: Thu, 26 Jan 2017 13:17:16 -0500 (EST)
From: Kelly Bert Manning <Kelly.Manning@ncf.ca>
Subject: Verizon remotely disables remaining Galaxy Note 7 phones
How much true value is there in an expensive product that becomes useless
when the original battery needs replacement or is found to be unsafe to use?
Normally having a battery is a good thing even if you run on utility power
most of the time. I've used employer-supplied laptops with dialup VPN
connections to carry on work from during power outages. I also bought a
personal use XP laptop with a dead battery, but it still runs with Tails OS,
connected to a wall plug, when I travel or have to use a wireless or
untrustworthy wired connection during local conferences.
The Phoebus Cartel might be considered a historical anomaly, but for the auto
industry planned obsolescence was a high-priority corporate goal long before
Apple began persuading people to purchase and discard electronic gimcracks
every year or two. Now we see firmware becoming an integral part of
expensive consumer purchases for big ticket Internet connected things such
as cars, clothes washers and refrigerators. The VW emissions firmware
scandal shows that we should not trust corporations.
The right of consumers and consumer protective organizations to analyze
firmware and to block unwanted updates should be given legal protection, not
restricted. If it isn't we will never know whether our car or clothes washer
stopped working because it was worn out, or because the maker told it to
stop working.
------------------------------
Date: Thu, 26 Jan 2017 09:07:39 -0800
From: Gene Wirchenko <genew@telus.net>
Subject: "HP recalls over 100,000 more laptop batteries for fire
hazard" (Agam Shah)
Agam Shah, InfoWorld, 24 Jan 2017
The move expands a recall that was first announced last year
http://www.infoworld.com/article/3161135/computers/hp-recalls-over-100000-more-laptop-batteries-for-fire-hazard.html
opening text:
HP is expanding its recall of laptop batteries with overheating issues that
can cause computer damage and even fire.
The company is recalling an additional 101,000 batteries in some laptops
sold between March 2013 through October 2016. This is an expansion of the
recall initiated in June 2016, which involved HP recalling 41,000 batteries.
The batteries are in laptop brands including HP, Compaq, ProBook, Envy,
Compaq Presario, and Pavilion laptops. Battery packs sold separately are
also affected.
------------------------------
Date: Thu, 26 Jan 2017 09:11:44 -0800
From: Gene Wirchenko <genew@telus.net>
Subject: "Cisco scrambling to fix a remote code execution problem in
Webex" (Tim Greene)
Tim Greene, Network World, 25 Jan 2017
http://www.infoworld.com/article/3161515/security/cisco-scrambling-to-fix-a-remote-code-execution-problem-in-webex.html
There's no workaround and no final patch for a critical bug that can
open up users' computers to remote code execution attacks
opening text:
Cisco's Webex Browser Extension contains a critical bug that can open up
customers' entire computers to remote code execution attacks if the browsers
visit websites containing specially crafted malicious code.
The company says it is in the process of correcting the problem, and has
apparently made a few initial steps toward a permanent fix. It says there is
no workaround available.
------------------------------
Date: Tue, 24 Jan 2017 16:31:30 +0100
From: Gerrit Muller <gerrit.muller@gmail.com>
Subject: TOR servers misused for spam
I am running a simple website with a number of CGI-based forms for client
input or feedback. Over the years, I have been blocking spammers using
.htaccess, denying access to IP addresses that spam. For about a month, the
amount of spam via this website has increased by an order of magnitude, if
not more.
A significant increase in spam messages comes from Ukraine, Kazakhstan,
Russia, and other (former) Soviet or East European countries.
However, I also see an increase from sites where you wouldn't expect such bad
behavior, such as Microsoft and MIT. The response of the abuse departments
is that they cannot block them, since these are TOR-based servers. The
answer from MIT is copied below:
----start response---
Hello.
Thank you for the report.
The IP address in question is a Tor exit node.
https://www.torproject.org/overview.html
There is little we can do to trace this matter further. As can be seen
from the overview page, the Tor network is designed to make tracing of
users impossible. The Tor network is run by some 5000 volunteers who use
the free software provided by the Tor Project to run Tor routers. Client
connections are routed through multiple relays, and are multiplexed
together on the connections between relays. The system does not record
logs of client connections or previous hops.
The Tor project does provide an automated DNSRBL for you to query to flag
requests from Tor nodes as requiring special treatment:
https://www.torproject.org/tordnsel/
Regards,
Security Operations, Massachusetts Institute of Technology
IS&T | Operations & Infrastructure | Security Operations, security@mit.edu
http://ist.mit.edu/secure
---end response---
The risk is that TOR servers, with their good intent to help protect
anonymity, will pollute regular Internet traffic.
Gerrit Muller, professor systems engineering, USN-NISE, Kongsberg, Norway
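The post above blocks spamming addresses one by one in .htaccess, and MIT's reply points at the Tor Project's DNS exit list as the way to give Tor traffic "special treatment" instead. Here is an added example of that approach (not code from the digest, from MIT, or from the Tor Project): it reads a snapshot in the format of the Tor Project's published exit-address list (https://check.torproject.org/exit-addresses), flags access-log requests that came through a listed exit, counts form POSTs among them, and emits Apache mod_setenvif lines that tag such requests so a CGI form can demand a CAPTCHA or hold them for moderation rather than deny every Tor user. The snapshot, relay fingerprints, addresses and log lines are constructed; the reversed-octet query name under dnsel.torproject.org is an assumption about the live TorDNSEL service and no DNS lookup is performed, so the block runs offline.

```python
"""Flag, rather than blindly block, web requests arriving via Tor exit nodes.

Added example, not code from the digest, from MIT, or from the Tor Project.
Assumptions (none are in the original post): the snapshot below mimics the
format served at https://check.torproject.org/exit-addresses, the TorDNSEL
query name is the reversed-octet form under dnsel.torproject.org, and the
access log is Apache "combined" format.  Fingerprints, addresses and log
lines are constructed for the example; nothing is fetched from the network.
"""
import ipaddress
import re
from collections import Counter

# Constructed exit-addresses snapshot (fingerprints and addresses are fake).
EXIT_ADDRESSES = """\
ExitNode 0000000000000000000000000000000000000001
Published 2017-01-24 10:00:00
LastStatus 2017-01-24 12:00:00
ExitAddress 203.0.113.7 2017-01-24 11:30:00
ExitNode 0000000000000000000000000000000000000002
Published 2017-01-24 09:00:00
LastStatus 2017-01-24 12:00:00
ExitAddress 198.51.100.20 2017-01-24 11:45:00
ExitAddress 198.51.100.21 2017-01-24 11:50:00
"""

# Constructed Apache combined-format access log lines.
ACCESS_LOG = """\
203.0.113.7 - - [24/Jan/2017:14:02:11 +0100] "POST /cgi-bin/feedback.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [24/Jan/2017:14:03:01 +0100] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.21 - - [24/Jan/2017:14:03:40 +0100] "POST /cgi-bin/feedback.cgi HTTP/1.1" 200 512 "-" "curl/7.52.1"
192.0.2.44 - - [24/Jan/2017:14:04:09 +0100] "POST /cgi-bin/feedback.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')


def parse_exit_addresses(text):
    """Return the set of exit IP addresses listed in an exit-addresses snapshot."""
    exits = set()
    for line in text.splitlines():
        if line.startswith("ExitAddress "):
            exits.add(ipaddress.ip_address(line.split()[1]))
    return exits


def dnsel_query_name(ip):
    """Query name for TorDNSEL: IPv4 octets reversed under dnsel.torproject.org.
    A 127.0.0.2 A-record answer means "known Tor exit"; NXDOMAIN means not.
    Only the name is built here (assumed naming scheme); no DNS is performed."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".dnsel.torproject.org"


def classify_requests(log_text, exits):
    """Yield (ip, method, path, via_tor) for every parsable log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole run
        ip = ipaddress.ip_address(m.group("ip"))
        yield str(ip), m.group("method"), m.group("path"), ip in exits


def tor_form_posts(log_text, exits):
    """Count POSTs per path that came through a listed Tor exit."""
    counts = Counter()
    for ip, method, path, via_tor in classify_requests(log_text, exits):
        if via_tor and method == "POST":
            counts[path] += 1
    return counts


def setenvif_rules(exits):
    """Apache mod_setenvif lines that tag Tor-exit requests with via_tor=1,
    so a CGI form can demand a CAPTCHA or moderation for them instead of the
    .htaccess deny that also locks out legitimate Tor users."""
    ordered = sorted(exits, key=lambda a: (a.version, int(a)))
    return [f'SetEnvIf Remote_Addr "^{re.escape(str(a))}$" via_tor=1'
            for a in ordered]


if __name__ == "__main__":
    exits = parse_exit_addresses(EXIT_ADDRESSES)
    for ip, method, path, via_tor in classify_requests(ACCESS_LOG, exits):
        print(f"{ip:15} {method:4} {path:25} via_tor={via_tor}")
    print(tor_form_posts(ACCESS_LOG, exits))
    print("\n".join(setenvif_rules(exits)))
```

The snapshot goes stale within hours as exits come and go, so in production either refresh it on a timer or use the DNSEL query name from dnsel_query_name() for a live per-request lookup; either way the point is to change how Tor traffic is treated (rate limits, CAPTCHA, moderation) rather than to grow an ever-longer deny list that punishes the volunteers' legitimate users along with the spammers.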
------------------------------
Date: Fri, 27 Jan 2017 15:39:19 -0800
From: Gene Wirchenko <genew@telus.net>
Subject: "OpenSSL issues new patches as Heartbleed still lurks"
(Fahmida Y. Rashid)
Fahmida Y. Rashid, InfoWorld, 27 Jan 2017
OpenSSL issues new patches as Heartbleed still lurks
The latest OpenSSL update may only address moderate-severity
vulnerabilities, but admins shouldn't get lax about staying current
with the patches
http://www.infoworld.com/article/3162426/security/openssl-issues-new-patches-as-heartbleed-still-lurks.html
selected text:
The OpenSSL Project has addressed some moderate-severity security flaws, and
administrators should be particularly diligent about applying the patches
since there are still 200,000 systems vulnerable to the Heartbleed flaw.
A disproportionate number of systems on this list were servers hosted on
Amazon Web Services. That may have more to do with the fact that it's easy
for anyone to spin up new AWS instances, than with an actual issue in
AWS. With IT security out of the loop, there's no one enforcing security
controls on what types of software to install when setting up the server,
which means there's nothing stopping the server owner from adding the
vulnerable version of OpenSSL to the stack. Some of the virtual servers may
be abandoned and forgotten, and since they were created outside of the IT
process, no one knows to look for them to check the OpenSSL version.
"If there are servers that are vulnerable, then it's because people aren't
aware they have them," said Mike Pittenger, vice president of strategy for
Black Duck Software.
------------------------------
Date: Fri, 27 Jan 2017 17:10:14 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: White House kills their comment phone line, but a new one appears
via NNSquad
It appears that the new administration has killed the traditional White
House public phone number for citizen comments at (202) 456-1111 -- now it
just tells you to hang up and use Facebook instead. But a new comment line
has appeared at a New York City number, which seems somehow appropriate:
(347) 781-4664.
------------------------------
Date: Wed, 25 Jan 2017 13:00:51 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Facebook is changing its Trending section to fight the
spread of fake news
[Note: The term "fake news" (originally used to refer to what is now
sometimes called "alternative news") has also been pre-empted, and used
to misrepresent "real news" by those to whom it is unpleasant. PGN]
NNSquad
Facebook is changing its Trending section to fight the spread of fake news
https://www.recode.net/2017/1/25/14376734/facebook-trending-topics-update-fake-news
Facebook is updating Trending, the section of the service that highlights
popular topics being discussed on Facebook, to better prevent fake news
stories from appearing there. As part of the update, Facebook says it's
going to stop pulling in trending topics that surface based off a single
news report. Instead, it'll feature topics that have been covered by a
number of media outlets, an attempt to avoid one-off fake news stories
that get lots of people talking but haven't been vetted by other media
organizations. "We think it'll help [minimize] cases where maybe one
specific story goes viral even if there might not be something real going
on in the world about that story," said Will Cathcart, a VP of product
management at Facebook.
Facebook continues to be in the lead fighting fake news, while Google lags
behind.
------------------------------
Date: Fri, 27 Jan 2017 08:28:35 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Massive networks of fake accounts found on Twitter (BBC)
Via NNSquad
http://www.bbc.com/news/technology-38724082
The largest network ties together more than 350,000 accounts and further
work suggests others may be even bigger. UK researchers accidentally
uncovered the lurking networks while probing Twitter to see how people use
it. Some of the accounts have been used to fake follower numbers, send
spam and boost interest in trending topics.
------------------------------
Date: Wed, 25 Jan 2017 16:13:32 -0700
From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
Subject: U.S. Park Service tweets were result of old Twitter passwords
(Martyn Williams)
Martyn Williams, PC World, 25 Jan 2017
http://www.pcworld.com/article/3161718/government/us-park-service-tweets-were-result-of-old-twitter-passwords.html
Two instances of tweets from U.S. National Park Service accounts that became
political hot potatoes in the last few days were the result of bad password
management, according to officials.
"An unauthorized user had an old password in the San Francisco office and
went in and started retweeting things that were in violation of their
policy," [Sean Spicer] said of Saturday's incident.
------------------------------
Date: Fri, 27 Jan 2017 17:30:27 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Fake news costing advertisers reputation, ad dollars
via NNSquad
Fake news costing advertisers reputation, ad dollars
http://www.enterpriseinnovation.net/article/fake-news-costing-advertisers-reputation-ad-dollars-2009959187
Fake news is news today. Since the US presidential began in the US last
year, fake news took center stage. However, a new report from Forrester
titled "Fake News: More Proof That Advertisers Must Choose Quality Over
Quantity" noted that the real targets are advertisers and their purse
strings -- not the readers. It is also creating a massive headache as ads
are running into danger of being placed alongside news that can hurt brand
reputations and even derail well-thought out ad campaigns.
------------------------------
Date: Sun, 22 Jan 2017 16:22:12 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Report fake news at alt-facts.net
NNSquad
In honor of the new "alternative facts" White House, you can now
report fake news at:
https://alt-facts.net
------------------------------
Date: Fri, 27 Jan 2017 12:14:29 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Finding credibility clues on Twitter
NNSquad
https://www.sciencedaily.com/releases/2017/01/170127131306.htm
By scanning 66 million tweets linked to nearly 1,400 real-world events,
researchers have built a language model that identifies words and phrases
that lead to strong or weak perceived levels of credibility on
Twitter. Their findings suggest that the words of millions of people on
social media have considerable information about an event's credibility --
even when an event is still ongoing.
------------------------------
Date: 26 Jan 2017 22:23:29 -0500
From: "Bob Frankston" <Bob19-0501@bobf.frankston.com>
Subject: The real reason why Trump using an old Android phone should freak
you out (BGR)
http://bgr.com/2017/01/26/donald-trumps-android-phone-security/
------------------------------
Date: Thu, 26 Jan 2017 13:43:29 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Donald Trump is using a private gmail account to secure the most
powerful Twitter account in the world (Sam Biddle)
January 26 2017, 12:54 p.m.
https://goo.gl/MYseKG
Trump's account is an obviously juicy target for such an attack,
representing what BuzzFeed's Joe Bernstein described as ``a national
security disaster waiting to happen.'' An unauthorized declaration of, say,
imminent hostilities or economic sanctions coming from the president's
official account could destabilize the entire world. [The rest is fairly
scary. PGN]
------------------------------
Date: Thu, 26 Jan 2017 16:44:12 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Voter fraud?
Steve Doocy (Fox News Co-host of Fox & Friends) apparently voted twice in
the Republican primaries.
https://twitter.com/tbonier/status/824702199678787584
------------------------------
Date: Mon, 23 Jan 2017 13:41:57 +0000
From: Neil Youngman <neil.youngman@googlemail.com>
Subject: Cellphone dependency
The first article in RISKS-30.09 was about a Tesla driver being stranded
because he was out of cellphone coverage. It was immediately followed by
Nissan's "solution" for situations that are too complex for self-driving
cars, which relies on their being able to contact a call centre.
We seem to be at risk of making our cars cellphone dependent.
Regular readers of RISKS will be aware of the limitations of cell phone
technology, not just in terms of coverage, but also in their vulnerability
to overloading and power loss particularly in crisis scenarios.
------------------------------
Date: Mon, 23 Jan 2017 08:19:53 -0500
From: Mark F <mark49607@gmail.com>
Subject: Re: CIA unveils new rules for collecting information on Americans
(RISKS-30.10)
I think this link should be included:
"Central Intelligence Agency Intelligence Activities: Procedures Approved
by the Attorney General Pursuant to Executive Order 12333"
https://www.cia.gov/about-cia/privacy-and-civil-liberties/CIA-AG-Guidelines-Signed.pdf
------------------------------
Date: Mon, 23 Jan 2017 11:45:50 +0200
From: Amos Shapir <amos083@gmail.com>
Subject: Re: Nim Language Draws From Best of Python, Rust, Go, and Lisp
(RISKS-30.10)
While ease of development may be in the eye of the developer, I certainly
wouldn't commend for readability a language in which a blank in the wrong
place might completely change the meaning of a routine!
------------------------------
Date: 23 Jan 2017 02:17:58 -0000
From: "John Levine" <johnl@iecc.com>
Subject: Re: Leap-seconds (Frankston, RISKS-30.09)
> It's so weird to me that people **** all over leap seconds, but are fine
> with leap years and arbitrary timezone changes.
They're not at all the same. Leap years are perfectly regular and
predictable, and timezones only affect the presentation of time, not the
calculations.
The problem with leap seconds is that they do affect the calculations, and
they're irregular and unpredictable.
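An added illustration of the point above (not code from the digest or from either correspondent): standard-library datetime subtraction treats UTC as a uniform scale, so the second inserted at the end of 2016-12-31 simply vanishes from an elapsed-time calculation, while a leap day costs nothing because the calendar already knows about it. The leap-second table is the published IERS schedule (each entry is the UTC day at whose end a second was inserted; TAI-UTC was 10 s on 1972-01-01). The table has to be refreshed from IERS Bulletin C, which is the unpredictability in practice: nothing can tell you the leap seconds more than about six months ahead, so any code that ships such a table is wrong by construction after its expiry.

```python
"""Leap seconds change elapsed-time arithmetic; leap years and time zones
do not.  Added example, not from the digest or its contributors.
The table is the published IERS leap-second schedule: each entry is the UTC
day at whose end a second was inserted, and TAI-UTC was 10 s on 1972-01-01.
It must be refreshed from IERS Bulletin C, which is the "unpredictable"
part: no software can know leap seconds more than about six months ahead."""
from datetime import date, datetime, timezone

LEAP_SECOND_DAYS = [date(y, m, d) for y, m, d in (
    (1972, 6, 30), (1972, 12, 31), (1973, 12, 31), (1974, 12, 31), (1975, 12, 31),
    (1976, 12, 31), (1977, 12, 31), (1978, 12, 31), (1979, 12, 31), (1981, 6, 30),
    (1982, 6, 30), (1983, 6, 30), (1985, 6, 30), (1987, 12, 31), (1989, 12, 31),
    (1990, 12, 31), (1992, 6, 30), (1993, 6, 30), (1994, 6, 30), (1995, 12, 31),
    (1997, 6, 30), (1998, 12, 31), (2005, 12, 31), (2008, 12, 31), (2012, 6, 30),
    (2015, 6, 30), (2016, 12, 31),
)]


def utc(*args):
    """Build an aware UTC datetime, e.g. utc(2016, 12, 31, 23, 59, 59)."""
    return datetime(*args, tzinfo=timezone.utc)


def tai_minus_utc(when):
    """TAI-UTC in whole seconds at a UTC instant: the 10 s base plus every
    leap second inserted before the start of `when`'s calendar day."""
    if when.tzinfo is None or when.utcoffset().total_seconds() != 0:
        raise ValueError("pass an aware UTC datetime")
    return 10 + sum(1 for d in LEAP_SECOND_DAYS if when.date() > d)


def naive_elapsed(t1, t2):
    """What datetime subtraction gives: calendar seconds, leap seconds ignored."""
    return (t2 - t1).total_seconds()


def true_elapsed(t1, t2):
    """SI seconds actually elapsed between two UTC instants: the naive
    difference corrected by the change in TAI-UTC across the interval."""
    return naive_elapsed(t1, t2) + (tai_minus_utc(t2) - tai_minus_utc(t1))


if __name__ == "__main__":
    a, b = utc(2016, 12, 31, 23, 59, 59), utc(2017, 1, 1, 0, 0, 0)
    print(naive_elapsed(a, b), true_elapsed(a, b))  # 1.0 2.0
    # A leap day, by contrast, is already in the calendar arithmetic:
    print(naive_elapsed(utc(2016, 2, 28), utc(2016, 3, 1)) / 86400)  # 2.0
```

Note what the code cannot do: the instant 23:59:60 itself is unrepresentable in datetime, so a timestamp logged during the leap second is either rejected or silently folded into its neighbour, which is exactly how the well-known leap-second outages in clustered systems start. Time zones never enter these functions at all, because they only relabel an instant; they do not change how many seconds lie between two of them.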
------------------------------
Date: Mon, 23 Jan 2017 09:09:36 -0500
From: Andrew Duane <e91.waggin@gmail.com>
Subject: Re: Japan testing USB phone charging in public buses
(Baker, RISKS-30.10)
> What could possibly go wrong? It is well known that the NSA -- as well as
> other nation-state actors -- place malicious USB chargers in public places
> that can infect computers and phones that are attached.
As someone who travels a lot for business, sometimes to relatively unknown
places for me, this is exactly why I carry such a "condom". It's simply a
couple of clearly marked USB cables that don't have any data lines in them.
They are power-only. Now I don't have to care what USB port I plug in to,
whether it's a public charging station or a friendly stranger's laptop.
OK, the problem of a high-voltage USB killer isn't solved by this, but
that's not my threat model (yet).
http://www.theregister.co.uk/2015/10/14/sneaky_220v_usb_fries_laptops/
------------------------------
Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
<http://the.wiretapped.net/security/info/textfiles/risks-digest/>
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 30.11
************************