Risks Digest 30.45
daemon@ATHENA.MIT.EDU (RISKS List Owner)
Tue Sep 5 20:15:06 2017
From: RISKS List Owner <risko@csl.sri.com>
Date: Tue, 5 Sep 2017 16:07:25 PDT
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Tuesday 5 September 2017 Volume 30 : Issue 45
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.45>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
West Air CRJ accident involved two different causes (PGN)
Kaspersky: The Cyber Insecurity Company (Jeanne Shaheen)
Russian Election Hacking Efforts, Wider Than Previously Known, Draw Little
Scrutiny (Nicole Perlroth et al.)
How Russian & Alt-Right Twitter Accounts Worked Together to Skew the
Narrative About Berkeley (Caroline O.)
Ice-cold Kaspersky shows the industry how to handle patent trolls
(The Register)
Open-source voting in San Francisco? (Dominic Fracassa)
Millions of Time Warner Cable Customer Records Exposed in Third-Party Data
Leak (Gizmodo)
Internet Censorship Bill Would Spell Disaster for Speech and Innovation
(EFF)
Hacking Retail Gift Cards Remains Scarily Easy (WiReD)
Radio Hacker Interrupts Police Chase in Australia (Bleeping Computer)
US government: We can jail you indefinitely for not decrypting your data
(The Register)
Risks of biometrics: man with no arms refused by bank demanding fingerprints
(NBC News)
Re: Wisconsin Company to Implant Microchips In Employees
(Richard A. O'Keefe)
Re: Microchipping employees (John Levine)
Re: Cracked screen => cracked security? (Richard Bos)
Re: Is LIBOR, Benchmark for Trillions of Dollars in Transactions, a Lie?
(Michael Bacon)
Password: hint: birthday (Dan Jacobson)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Sat, 2 Sep 2017 9:59:46 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: West Air CRJ accident involved two different causes
https://fearoflanding.com/accidents/accident-reports/when-both-your-mind-and-your-instruments-are-lying/
------------------------------
Date: Tue, 5 Sep 2017 8:04:59 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Kaspersky: The Cyber Insecurity Company (Jeanne Shaheen)
Jeanne Shaheen (U.S. Senator from New Hampshire (Dem))
Kaspersky Lab is too close to the Kremlin to trust its software
Op-Ed in today's issue of *The New York Times*
https://www.nytimes.com/2017/09/04/opinion/kapersky-russia-cybersecurity.html
Kaspersky Lab, the cybersecurity company, is close to Putin's government.
So why is the U.S. government using its software?
[This op-ed is a rather comprehensive warning.
See previous related items in RISKS-30.10, 30.34, 30.37. PGN]
------------------------------
Date: Fri, 1 Sep 2017 21:00:05 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Russian Election Hacking Efforts, Wider Than Previously Known, Draw
Little Scrutiny (Nicole Perlroth et al.)
Nicole Perlroth, Michael Wines, and Matthew Rosenberg
*The New York Times*, 1 Sep 2017
https://www.nytimes.com/2017/09/01/us/politics/russia-election-hacking.html
``The more places we looked, the worse things looked. In fact, we
discovered that VR Systems was not the only back-end supplier of election
services that was hacked by Russians ahead of Election Day. Two more
vendors that provide critical election services were also hacked.''
See also
https://www.nytimes.com/2017/09/01/insider/in-election-interference-its-what-reporters-didnt-find-that-matters.html?_r=0
------------------------------
Date: September 2, 2017 at 2:53:05 AM EDT
From: Dewayne Hendricks <dewayne@warpspeed.com>
Subject: How Russian & Alt-Right Twitter Accounts Worked Together to Skew
the Narrative About Berkeley (Caroline O.)
#Antifa and #Berkeley were hot topics last weekend in America and in Russia.
Caroline O., Medium, 1 Sep 2017
https://medium.com/@RVAwonk/how-russian-alt-right-twitter-accounts-worked-together-to-skew-the-narrative-about-berkeley-f03a3d04ac5d
Social media [sic] has an important role in shaping perceptions of current
events, as well as influencing mainstream news coverage of those events.
Platforms like Twitter provide real-time access to events going on around
the world, allowing anyone to get a front-row seat for breaking news. But
as much as it has opened up new channels of information, social media has
also opened up new avenues for manipulating perceptions of reality.
Misinformation and disinformation often spread faster than the truth, and by
the time the narrative is corrected, social media has already moved on to
the next big thing.
The narrative surrounding last weekend's protests in Berkeley took shape on
social media and was picked up, at least in part, by mainstream news
outlets. The result was a skewed presentation of events that was almost
entirely devoid of the context in which they took place. Even more
troubling: that narrative was influenced by pro-Russian social media
networks, including state-sponsored propaganda outlets, botnets, cyborgs,
and individual users.
In the case study below, I describe how the narrative surrounding Berkeley
was picked up and shaped by Russian-linked influence networks, which saw a
chance to drive a wedge in American society and ran with it. Next, I look at
the individual accounts and users that were identified as top influencers on
Twitter, and explore what they were posting, how they worked together to
craft a narrative, and the methods they used to amplify their message.
Finally, I look at how news coverage of the events in Berkeley was shaped by
the skewed narrative that emerged on social media.
This is just a single case study in a larger story, but it serves as an
important reminder that Russia is still exploiting social media to harm
U.S. interests -- and that plenty of Americans are willing to join in on the
effort.
The Russian Connection
Russian-linked influence networks and propaganda arms quickly took interest
in the Berkeley protests last weekend. On Sunday afternoon, the top story on
the front page of Russian propaganda outlet RT was about the events in
Berkeley. (Note that this was the main landing page, not the America
section).
RT tweeted stories about the protests throughout the day Sunday (and some on
Saturday), posting dramatic images and using trending hashtags to maximize
their reach. Many of these tweets were retweeted by the semi-automated
pro-Kremlin account @TeamTrumpRussia [...,] which spent much of the day
amplifying the hashtags #Berkeley and #Antifa.
On Twitter, the hashtag #Berkeley was amplified by Russian-linked influence
networks, as evidenced by the output of the Hamilton 68 dashboard, a project
of the Alliance for Securing Democracy, which tracks the activity of 600
Twitter accounts linked to Russian influence operations. These include
state-sponsored propaganda outlets like Sputnik and RT, as well as
individual users, automated accounts (bots), and cyborgs (accounts that
produce automated content some of the time, but are human-controlled at
other times) that actively and frequently amplify Kremlin propaganda
(knowingly, and in some cases, potentially unknowingly).
------------------------------
Date: Fri, 1 Sep 2017 08:58:18 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Ice-cold Kaspersky shows the industry how to handle patent trolls
(The Register)
https://www.theregister.co.uk/2017/08/31/kaspersky_handles_patent_trolls/
------------------------------
Date: Mon, 4 Sep 2017 17:35:13 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Open-source voting in San Francisco? (Dominic Fracassa)
Dominic Fracassa, San Francisco considers open-source voting system
San Francisco Chronicle, 4 Sep 2017
http://www.sfchronicle.com/politics/article/San-Francisco-could-become-first-local-government-12170869.php&cmpid=twitter-premium
[Open-source voting systems could be a major step forward compared
with outsourced proprietary systems with no accountability. However,
please remember that everything else in the election process is still
a potential source of risks. PGN]
------------------------------
Date: Fri, 1 Sep 2017 12:43:15 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Millions of Time Warner Cable Customer Records Exposed in
Third-Party Data Leak (Gizmodo)
via NNSquad
http://gizmodo.com/millions-of-time-warner-customer-records-exposed-in-thi-1798701579
The files, more than 600GB in size, were discovered on August 24 by the
Kromtech Security Center while its researchers were investigating an
unrelated data breach at World Wrestling Entertainment. Two Amazon S3
buckets were eventually found and linked to BroadSoft, a global
communications company that partners with service providers, including
AT&T and TWC. The 4 million TWC records are not all tied to unique
customers, meaning 4 million individual people were not exposed by the
breach. Due to the sheer size of the cache, it was not immediately clear
precisely how subscribers were affected. The leaked data included
usernames, emails addresses, MAC addresses, device serial numbers, and
financial transaction information--though it does not appear that any
Social Security numbers or credit card information was exposed. Time
Warner Cable was purchased by Charter Communications last year and is now
called Spectrum, though the leaked records date back from this year to at
least 2010.
[TWC could be an abbreviation for TrustWorthy Computing or
Time Warner Cable, but not both at the same time! PGN]
------------------------------
Date: Sun, 3 Sep 2017 10:45:58 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Internet Censorship Bill Would Spell Disaster for Speech and
Innovation (EFF)
NNSquad
https://www.eff.org/deeplinks/2017/08/internet-censorship-bill-would-spell-disaster-speech-and-innovation
There's a new bill in Congress that would threaten your right to free
expression online. If that weren't enough, it could also put small
Internet businesses in danger of catastrophic litigation.
------------------------------
Date: Fri, 1 Sep 2017 12:13:39 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Hacking Retail Gift Cards Remains Scarily Easy (WiReD)
In November of 2015, Will Caput worked for a security firm assigned to a
penetration test of a major Mexican restaurant chain, scouring its websites
for hackable vulnerabilities. So when 40-year-old Caput took a lunch break,
he had beans and guacamole on his mind. He decided to drive to the local
branch of the restaurant in Chico, California. While there, still in the
mindset of testing the restaurant's security, he noticed a tray of
unactivated gift cards sitting on the counter. So he grabbed them all -- the
cashier didn't mind, since customers can load them with a credit card from
home via the web -- and sat down at a table, examining the stack as he ate
his vegetarian burrito.
As he flipped through the gift cards, he noticed a pattern. While the final
four digits of the cards seemed to vary randomly, the rest remained constant
except one digit that appeared to increase by one with every card he
examined, neatly ticking up like a poker straight. By the time he finished
his burrito, he had a plan to defraud the system.
https://www.wired.com/story/gift-card-hacks
------------------------------
Date: Mon, 4 Sep 2017 16:01:10 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Radio Hacker Interrupts Police Chase in Australia
https://www.bleepingcomputer.com/news/security/radio-hacker-interrupts-police-chase-in-australia/
------------------------------
Date: Fri, 1 Sep 2017 08:43:41 -0400
From: Monty Solomon <monty@roscom.com>
Subject: US government: We can jail you indefinitely for not decrypting your
data (The Register)
https://www.theregister.co.uk/2017/08/30/ex_cop_jailed_for_not_decrypting_data/
------------------------------
Date: Tue, 5 Sep 2017 09:37:28 +0100
From: John Utteridge <ju@wireless-solutions.ltd.uk>
Subject: Risks of biometrics: man with no arms refused by bank demanding
fingerprints (NBC News)
http://www.nbcnews.com/id/32675980/ns/us_news-weird_news/t/banks-thumbprint-rule-irks-man-no-arms/
John Utteridge, Software Engineer - Wireless Solutions Ltd., Station House,
50 North St., Havant, Hants. PO9 1QU http://www.wireless-solutions.ltd.uk
[There also seem to be older people with sufficiently worn-down fingers
that are not recognizable on some fingerprinting devices. PGN]
------------------------------
Date: Fri, 1 Sep 2017 16:50:31 +1200
From: "Richard A. O'Keefe" <ok@cs.otago.ac.nz>
Subject: Re: Wisconsin Company to Implant Microchips In Employees (R-30.40)
It looks to me as if fingerprint scanners would be just as convenient to use
as waving an embedded chip, offer better affordance (you can see what to put
where), and are a *lot* cheaper than embedded chips. Near as I can make out
from the IT Professionals NZ code of ethics, this is unethical.
As for the security claims, try these cartoons:
http://www.gocomics.com/brewsterrockit/2017/08/29
http://www.gocomics.com/brewsterrockit/2017/08/30
http://www.gocomics.com/brewsterrockit/2017/08/31
[Groan. See the previous item from John Utteridge. PGN]
------------------------------
Date: 1 Sep 2017 11:28:25 -0000
From: "John Levine" <johnl@iecc.com>
Subject: Re: Microchipping employees (RISKS-30.40)
> ... It will be trivial to design a microchip that not only reports the
> current id, but can be reprogrammed to a new id from a simple
> device. Secondly, it will be fairly easy to build a scanner that picks up
> the ids of anyone nearby. Quick scan and reprogram and I am a new person
> with your credit limit.
While I agree that chipping yourself is a bad idea, this is not why.
Chips used for financial transactions don't just broadcast an account
number, they sign transactions. Hence a spy can replay a transaction but it
can't create new ones. Contact and contactless EMV chips have worked this
way for 20 years. Banks can certainly be stupid but they're not quite
*that* stupid.
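As an added illustration of Levine's point (constructed example, not real EMV and not code from the RISKS item), the chip below never reveals its key; it returns a MAC over the transaction data plus a per-use counter, so a scanner that captures the card's outputs cannot produce a cryptogram for a new amount. It goes one step beyond the post: an issuer-side transaction counter also rejects the replay Levine mentions, which is how the EMV Application Transaction Counter is used in practice. Key, merchant names and amounts are made up for the demo.

```python
"""Why a card that *signs* transactions cannot be cloned by eavesdropping.
Constructed toy model, not the EMV specification."""
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cryptogram:
    amount_cents: int
    merchant: str
    atc: int          # application transaction counter, increments per use
    mac: bytes        # MAC computed by the chip over the fields above


def _mac(key: bytes, amount_cents: int, merchant: str, atc: int) -> bytes:
    msg = f"{amount_cents}|{merchant}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Chip:
    """The card. The key is private state; a scanner only sees the outputs."""

    def __init__(self, key: bytes):
        self._key = key
        self._atc = 0

    def sign(self, amount_cents: int, merchant: str) -> Cryptogram:
        self._atc += 1
        return Cryptogram(amount_cents, merchant, self._atc,
                          _mac(self._key, amount_cents, merchant, self._atc))


class Issuer:
    """The bank. Shares the chip key; remembers the highest ATC accepted."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_atc = 0

    def authorize(self, c: Cryptogram) -> str:
        expected = _mac(self._key, c.amount_cents, c.merchant, c.atc)
        if not hmac.compare_digest(expected, c.mac):
            return "DECLINED: bad cryptogram"      # forged or altered data
        if c.atc <= self._last_atc:
            return "DECLINED: replayed counter"    # captured and resent
        self._last_atc = c.atc
        return "APPROVED"


def demo() -> list[str]:
    key = b"constructed-demo-key-not-a-real-issuer-key"   # constructed
    chip, issuer = Chip(key), Issuer(key)
    genuine = chip.sign(1250, "cafe")
    results = [issuer.authorize(genuine)]                  # APPROVED
    results.append(issuer.authorize(genuine))              # replay detected
    # A scanner that saw only the card's outputs tries a new amount with the
    # observed MAC: the issuer's recomputed MAC no longer matches.
    forged = Cryptogram(99900, "jeweller", genuine.atc + 1, genuine.mac)
    results.append(issuer.authorize(forged))               # bad cryptogram
    return results


if __name__ == "__main__":
    print(demo())
```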
------------------------------
Date: Sun, 03 Sep 2017 09:22:53 GMT
From: raltbos@xs4all.nl (Richard Bos)
Subject: Re: Cracked screen => cracked security? (Baker, R-30.44)
> People with cracked touch screens or similar smartphone maladies have a new
> headache to consider: the possibility the replacement parts installed by
> repair shops contain secret hardware that completely hijacks the security of
> the device. [...]
> On the other hand, these stories play right into the hands of those trying
> to kill "the right to repair" supported by the EFF.
On the contrary. If you have the right to repair your device on your own
initiative, you can always choose to go to a repair shop *you* trust, or
even do it yourself. If you do not have that right, you *must* go to the
official dealer -- who may not be trustworthy.
Right To Repair is not only important to cheapskates, researchers, hobbyists
and mafiosi in the Western world, but also to "terrorists" (read:
non-conformists) in more dictatorial countries. Those may not be right to
assume that an official Apple repair shop in *cough*Insert Undemocratic
Country Apple Has Close Ties With Here*cough* will supply the same,
spyware-free* replacement part that we get in Europe. And that may happen
with or without Apple's support, or even knowledge.
* I was about to insert a question mark here, but let's not be that
cynical - yet.
------------------------------
Date: Fri, 1 Sep 2017 14:32:43 +0100
From: Michael Bacon - Grimbaldus <michael.bacon@grimbaldus.com>
Subject: Re: Is LIBOR, Benchmark for Trillions of Dollars in Transactions, a
Lie? (Shapir, RISKS-30.44)
I am afraid that Amos Shapir is in error when he refers to the wording on
British one pound banknotes, or indeed any British banknote issued by the
Bank of England since 1853.
The wording was just: "I promise to pay the bearer on demand the sum of
...". There was no mention of the means by which that would be achieved.
It is possible that wording which included the means of payment might have
appeared on bank notes issued by other than the "Old Lady of Threadneedle
Street", but the last notes issued by a private bank in England and Wales
were by Fox, Fowler and Co in 1921, and their notes did not carry such
wording.
Further, since 1694 although with some breaks, and until 1931 when Britain
left the "Gold Standard" and the notes became backed by securities, the
means of settlement was gold, not silver; in the form of a gold sovereign.
The gold sovereign began circulation in 1489 as the "English gold sovereign",
which was last minted in 1604. The 'modern' gold sovereign was minted
from 1817 until withdrawal in 1932.
Guinea coins were also issued - a "guinea" being one pound and one shilling
(one pound and five pence in decimal coinage) - but not guinea notes. The
guinea was last minted in 1816, but the reference value is still used in
horse racing (the "Two Thousand Guineas Stakes" run at Newmarket in
April/May) and in the market sale of sheep.
I would add for RISKS readers' further information, that "sterling" derives
from the silver pennies introduced after 1066 by the Norman invaders (from
one of whom, Grimbaldus, I am descended). Then, 240 sterlings weighed one
pound, hence 240 (later, copper) pennies to the "pound". The shilling, of
which there were 20 in a pound (and therefore 12 pennies to the shilling)
was also introduced by William the Conqueror. There's logic behind our old
currency.
Of course, gold and silver coins would wear away with handling, and since
their value was based on weight, they were not really practical as a coinage
in common and frequent use, and so were replaced by cupronickel and other
alloy facsimiles.
------------------------------
Date: Tue, 05 Sep 2017 01:28:49 +0800
From: Dan Jacobson <jidanni@jidanni.org>
Subject: Password: hint: birthday
password: hint: birthday:
4/17/1992
04/17/1992
1992/4/17
1992/04/17
4/17
birthday
0417
April 17
April 17, 1992
04.17
Error: Too many attempts. Locked out.
[1992.04.17? or 17.04.1992?
Maybe even just "Friday", since all it wants is a birth *day*,
not a birth date! Then you would need a max of seven tries. PGN]
------------------------------
Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
<http://the.wiretapped.net/security/info/textfiles/risks-digest/>
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 30.45
************************