Risks Digest 30.19


From: RISKS List Owner <risko () csl sri com>
Date: Tue, 21 Mar 2017 15:59:09 PDT

RISKS-LIST: Risks-Forum Digest  Tuesday 21 March 2017  Volume 30 : Issue 19

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.19>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Britain's surveillance agency slaps down claim it was involved in Trump
  'wiretap' (The WashPo)
Justice Department charges Russian spies and criminal hackers in
  Yahoo intrusion (The WashPo)
Inside the Russian hack of Yahoo: How they did it (CSO Online)
Facebook just made it harder for you to share fake news (The Telegraph)
A Small Table Maker Takes On Alibaba's Flood of Fakes (The NYTimes)
"How to Counterfeit Quantum Money" (CORDIS News)
Two Dead After T-Mobile 'Ghost Calls' Flood 911 Center in Texas (Gizmodo)
"Security breach fears over 26 million NHS patients" (Laura Donnelly)
Install this FREE android application and go to jail (tk)
Court Orders ISP To Hand Over Identities Behind 5,300 IP Addresses To
  Copyright Trolls (torrentfreak/slashdot)
Man in Trouble Due to Police IP Address Error (*Metro* via Chris Drewe)
USAF had their own dataloss going on, recently... (ZDNet)
Govt. Cybersecurity Contractor Hit in W-2 Phishing Scam (Krebs)
Expert: Apple may have deployed unauthorized patch by mistake (CSO Online)
Re: Avast Cybercapture of personal files (Barry Gold)
Re: A warning from Bill Gates, Elon Musk, and Stephen Hawking
  (Notatla, Arthur Flatau)
Re: self-checkout at grocery stores (David Lamkin)
Re: automation, restaurants, and industrial robots (Kelly Bert Manning)
CRISPR assassinations (Gene Spafford)
Re: Science (Wendy M. Grossman)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 17 Mar 2017 08:11:05 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Britain's surveillance agency slaps down claim it was involved in
  Trump 'wiretap'

NNSquad
https://www.washingtonpost.com/news/worldviews/wp/2017/03/17/britains-gchq-breaks-its-silence-to-slap-down-claim-it-was-involved-in-trump-wiretap/

  The Daily Telegraph, a right-leaning British newspaper, said on Friday
  that intelligence sources told the paper that Spicer and Lt. Gen. H.R.
  McMaster, Trump's national security adviser, have apologized for the
  claims.  "The apology came direct from them," a source told the paper.
  There was no immediate comment from the Trump administration.  Meanwhile,
  a spokesman for Theresa May, the British prime minister, did not confirm
  that an apology had been made. But he did say that the White House had
  given assurances -- to the British ambassador in Washington and the prime
  minister's national security adviser -- that the allegations that GCHQ had
  spied on Trump won't be repeated.  Analysts said that GCHQ's unusual
  reaction was an attempt to distance itself from the raging debate in the
  U.S.  "They really don't want to get drawn into the toxic contest going on
  between the administration and the intelligence agencies in the U.S.,"
  said Ewan Lawson, a senior research fellow at the Royal United Services
  Institute. "They want to put some pretty clear space between them."  He
  noted that the agency's quick, robust statement was unusual, but to stay
  silent "would give space to conspiracy theorists."

------------------------------

Date: Wed, 15 Mar 2017 09:44:14 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Justice Department charges Russian spies and criminal hackers in
  Yahoo intrusion

https://www.washingtonpost.com/world/national-security/justice-department-charging-russian-spies-and-criminal-hackers-for-yahoo-intrusion/2017/03/15/64b98e32-0911-11e7-93dc-00f9bdd74ed1_story.html

  The Justice Department announced Wednesday the indictments of two Russian
  spies and two criminal hackers in connection with the heist of 500 million
  Yahoo user accounts in 2014, marking the first U.S.  criminal cyber
  charges ever against Russian government officials.  The indictments target
  two members of the Russian intelligence agency FSB, and two hackers hired
  by the Russians.  The charges include hacking, wire fraud, trade secret
  theft and economic espionage, according to officials.  The indictments are
  part of the largest hacking case brought by the United States.

------------------------------

Date: Sun, 19 Mar 2017 12:29:39 -0400
From: Monty Solomon <monty () roscom com>
Subject: Inside the Russian hack of Yahoo: How they did it

http://www.csoonline.com/article/3180762/data-breach/inside-the-russian-hack-of-yahoo-how-they-did-it.html

------------------------------

Date: Tue, 21 Mar 2017 12:14:55 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Facebook just made it harder for you to share fake news

NNSquad
http://www.telegraph.co.uk/technology/2017/03/20/facebook-just-made-harder-share-fake-news/

  Some Facebook users in the United States have reported seeing a pop-up
  window appear when an article is disputed by third-party fact checkers.

------------------------------

Date: Sun, 19 Mar 2017 21:20:05 -0400
From: Monty Solomon <monty () roscom com>
Subject: A Small Table Maker Takes On Alibaba's Flood of Fakes

http://www.nytimes.com/2017/03/18/business/alibaba-fake-merchandise-e-commerce.html

With his computer and simple software, Greg Hankerson hunts for counterfeits
and seeks other small businesses willing to fight a Chinese e-commerce
giant.

------------------------------

Date: Fri, 17 Mar 2017 12:13:55 -0400 (EDT)
From: "ACM TechNews" <technews-editor () acm org>
Subject: "How to Counterfeit Quantum Money"

CORDIS News (16 Mar 2017) via ACM TechNews, 17 Mar 2017

Researchers in Poland and the Czech Republic have theoretically shown that
ultrasecure currency designed using quantum mechanics can be forged by
exploiting a serious security flaw.  The quantum money was minted
photonically, with a series of photons transmitted to a bank using their
polarizations to encode information.  Criminals intercepting the photons
would find accurate counterfeiting impossible because duplicating quantum
data is imperfect.  However, because individual photons can be missed or
distorted in transmission, banks accept partial quantum bills, which gives
crooks an opening to make imperfect forgeries that are still similar enough
for banks to verify them.  Using an optimal cloner, the researchers
demonstrated a bank would accept forged quantum currency if the standard for
accuracy was not sufficiently high.  They say an effective standard for
acceptance would require the received photons' polarizations to be more than
approximately 84-percent identical to the original.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-12fadx211524x072322&

------------------------------

Date: Thu, 16 Mar 2017 09:50:09 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Two Dead After T-Mobile 'Ghost Calls' Flood 911 Center in Texas

NNSquad
http://gizmodo.com/two-dead-after-t-mobile-ghost-calls-flood-911-center-in-1793332222

  T-Mobile is just the latest mobile carrier to deal with problematic 911
  calls, but this time, the problems are bad.  Like so bad, people are
  dying. This month, numerous "ghost calls" from T-Mobile numbers flooded
  911 call centers in Texas and have been linked to two deaths.  And
  although the calls originated from T-Mobile devices, people using all
  carriers were unable to reach 911 dispatchers during the incidents.
  Scarier still, nobody knows what's causing them.

  [Also noted by Mark Brader, who asks "Why only one city?":
    T-Mobile bug blamed for deaths of 911 callers in Dallas
    http://www.washingtonpost.com/news/morning-mix/wp/2017/03/16/t-mobile-ghost-calls-clog-dallas-911-families-blame-backlog-for-deaths/
  ]

------------------------------

Date: Sun, 19 Mar 2017 22:40:09 +0000
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: "Security breach fears over 26 million NHS patients".

Laura Donnelly, Health Editor, *The Telegraph*, 17 Mar 2017
 <http://www.telegraph.co.uk/authors/laura-donnelly/>,
http://www.telegraph.co.uk/news/2017/03/17/security-breach-fears-26-million-nhs-patients/

The medical records of 26 million patients are embroiled in a major security
breach amid warnings that the IT system used by thousands of GPs is not
secure.

The investigation centres on one of the most popular computer systems used
by GPs.

Unbeknown to doctors, switching on "enhanced data sharing" -- so records
could be seen by the local hospital -- meant they can also be accessed by
hundreds of thousands of workers across the country.

It means receptionists, clerical staff, healthcare assistants and medics
working in pharmacies, hospitals, GP surgeries, care homes and prisons can
look up sensitive information about individuals -- even if there is no
medical reason to do so.

Patients would not have been told their records were available in this way,
and information could be accessed for malicious reasons, or fall into
criminal hands, privacy experts warned.

------------------------------

Date: Thu, 16 Mar 2017 09:18:25 +0300
From: tk <tkalama1 () gmail com>
Subject: Install this FREE android application and go to jail

In Turkey, the intelligence community is searching and arresting anyone that
has downloaded a free android application called "Bylock".

Hundreds of people that have used this program were arrested after the
ruling party AKP declared that it was the means of communication of the
members of the Gulen sect. Gulen was once a partner of the AKP regime, but
they have since had a falling out with Erdogan, presumably because of the
control of loot, er, funds of Turkey.

The latest development was the arrest of 25 people that were found to have
used this program (in Turkish):

http://www.cumhuriyet.com.tr/haber/turkiye/699620/25_ilde__ByLock__operasyonu__52_tutuklama.html

------------------------------

Date: Thu, 16 Mar 2017 19:40:27 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: Court Orders ISP To Hand Over Identities Behind 5,300 IP Addresses
  To Copyright Trolls (torrentfreak/slashdot)

Sweden's new Patent and Market Court, that was formed last year to handle
specialist copyright complaints, handed down a ruling on Friday. It grants
Njord and its partners the right to force ISP Telia to hand over the
personal details of subscribers behind thousands of IP addresses, despite
the ISP's objections. [...]

claims that each unlawfully downloaded and shared a range of movie titles
including CELL, IT, London Has Fallen, Mechanic: Resurrection, Criminal and
September of Shiraz. [...]

https://yro.slashdot.org/story/17/03/15/209256/court-orders-isp-to-hand-identities-behind-5300-ip-addresses-to-copyright-trolls

------------------------------

Date: Sat, 18 Mar 2017 17:49:39 +0000
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: Man in Trouble Due to Police IP Address Error

There was a small item in the 'Metro' giveaway newspaper for March 14th
(can't find it on-line but http://metro.co.uk/) about a guy from Sheffield,
England, who was arrested and bailed under strict conditions by the police
in July 2011 suspected of illegally downloading images of child abuse.  It
turned out that the police's request to the ISP had erroneously had an extra
digit added to the IP address, so he was mistakenly put under investigation.
After a long legal battle he won a significant sum in compensation, though
the suspicion remains forever.

Now that much criminal evidence is increasingly based on computer records --
not just web surfing and e-mail traffic details but also utility bills,
telephone usage, and such like -- one wonders how this sort of RISK can be
handled.  On one hand, there's the chance of genuine errors causing innocent
people to be caught up as shown above, while on the other hand it may be
easier to fabricate 'evidence' to maliciously get people into trouble.  How
easy is it to challenge this sort of thing in court?  After all, most
Internet users probably wouldn't know what their IP address is, or even what
an IP address is.
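
As an added illustration (not part of Chris Drewe's post or the *Metro*
item), the Python below shows the two checks a practitioner would want before
acting on a subscriber-identity request: strict syntax validation, and an
enumeration of the other valid addresses that are a single digit slip away.
The point it makes is that an extra digit is only caught by syntax checking
when it pushes an octet above 255 or adds a fifth octet; otherwise the
mis-typed address is just as valid as the intended one, so the request must
be confirmed against a second copy of the address. The sample addresses are
constructed for the example; `screen_request` and `differ_by_one_digit` are
names chosen here, not from any real system.

```python
"""Screening an IPv4 address copied into a subscriber-identity request.

Added example: it demonstrates (1) strict syntax validation and (2) an
enumeration of the other *valid* addresses one digit slip away, which is
why syntax checks alone cannot catch a transcription error.
Sample addresses are constructed for the example.
"""
import ipaddress
from typing import Set


def is_valid_ipv4(text: str) -> bool:
    """True only if text is a well-formed dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(text.strip())
    except ipaddress.AddressValueError:
        return False
    return True


def one_digit_neighbours(ip: str) -> Set[str]:
    """All valid IPv4 strings reachable from ip by one digit insertion,
    deletion or substitution. Each is a plausible transcription error that
    no syntax check can distinguish from the intended address."""
    digits = "0123456789"
    candidates: Set[str] = set()
    for i in range(len(ip) + 1):                      # insert a digit
        for d in digits:
            candidates.add(ip[:i] + d + ip[i:])
    for i, ch in enumerate(ip):
        if not ch.isdigit():
            continue
        candidates.add(ip[:i] + ip[i + 1:])           # drop a digit
        for d in digits:                              # change a digit
            if d != ch:
                candidates.add(ip[:i] + d + ip[i + 1:])
    candidates.discard(ip)
    return {c for c in candidates if is_valid_ipv4(c)}


def differ_by_one_digit(requested: str, acted_on: str) -> bool:
    """True if acted_on is one digit slip away from requested, i.e. the
    kind of mismatch a second-copy comparison is meant to catch."""
    return acted_on in one_digit_neighbours(requested)


def screen_request(ip: str) -> dict:
    """Summarise what syntax validation can and cannot tell us about ip."""
    valid = is_valid_ipv4(ip)
    neighbours = one_digit_neighbours(ip) if valid else set()
    return {
        "address": ip,
        "syntactically_valid": valid,
        "valid_neighbours_one_slip_away": len(neighbours),
    }


if __name__ == "__main__":
    # Constructed sample: the address in the ISP's logs versus the one typed
    # into the request with an extra digit.
    intended = "10.20.3.45"
    with_extra_digit = "10.20.3.145"   # still valid: syntax check passes
    out_of_range = "10.20.3.455"       # octet > 255: caught by syntax alone
    for addr in (intended, with_extra_digit, out_of_range):
        print(screen_request(addr))
    print("one-slip mismatch:", differ_by_one_digit(intended, with_extra_digit))
```

The neighbour count for an ordinary address runs into the dozens, which is
the practical argument for reading the address back from a second, independent
record (the original log line or a second person's copy) rather than relying
on the request form being well-formed.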

------------------------------

Date: Fri, 17 Mar 2017 12:13:55 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: USAF had their own dataloss going on, recently... (ZDNet)

ZDNet
http://www.zdnet.com/article/leaked-us-military-files-exposed/

NEW YORK -- An unsecured backup drive has exposed thousands of US Air Force
documents, including highly sensitive personnel files on senior and
high-ranking officers.

Security researchers found that the gigabytes of files were accessible to
anyone because the Internet-connected backup drive was not password
protected.

The files, reviewed by ZDNet, contained a range of personal information,
such as names and addresses, ranks, and Social Security numbers of more than
4,000 officers. Another file lists the security clearance levels of hundreds
of other officers, some of whom possess "top secret" clearance, and access
to sensitive compartmented information and codeword-level clearance.

Phone numbers and contact information of staff and their spouses, as well as
other sensitive and private personal information, were found in several
other spreadsheets.

------------------------------

Date: Sun, 19 Mar 2017 11:42:01 -0400
From: Monty Solomon <monty () roscom com>
Subject: Govt. Cybersecurity Contractor Hit in W-2 Phishing Scam

https://krebsonsecurity.com/2017/03/govt-cybersecurity-contractor-hit-in-w-2-phishing-scam/

  On Thursday, March 16, the CEO of Defense Point Security, LLC -- a
  Virginia company that bills itself as "the choice provider of cyber
  security services to the federal government" -- told all employees that
  their W-2 tax data was handed directly to fraudsters after someone inside
  the company got caught in a phisher's net.

Also,

  More than 120,000 affected by W-2 Phishing scams this tax season
http://www.csoonline.com/article/3180684/security/more-than-120-000-affected-by-w-2-phishing-scams-this-tax-season.html

------------------------------

Date: Sun, 19 Mar 2017 11:28:14 -0400
From: Monty Solomon <monty () roscom com>
Subject: Expert: Apple may have deployed unauthorized patch by mistake

http://www.csoonline.com/article/3181488/data-center/expert-apple-may-have-deployed-unauthorized-patch-by-mistake.html

------------------------------

Date: Wed, 15 Mar 2017 16:40:01 -0700
From: Barry Gold <barrydgold () ca rr com>
Subject: Re: Avast Cybercapture of personal files (Goas, RISKS-30.18)

Benoit Goas wrote:
I just downloaded a set of (obviously personal) medical images from an
imaging lab, which allows downloads only as executable zip file (their
website runs only with silverlight, but that's not the main issue).

Goas's message highlights another problem: encapsulating images in
executable files.

I ran into this recently. I was rear-ended and sought treatment for the
resulting whiplash injury. I started with an orthopedist, who took x-rays
and found no skeletal problems. He prescribed chiropractic and/or physical
therapy, and gave me my images on a CD (or DVD).

I brought the DVD to a chiropractor's office, and they viewed the images --
by running an EXECUTABLE file on the CD/DVD.

Apparently there is no standardized format (or formats) for medical images,
so instead of just sending an image it is "normal" to send the image in an
executable that will display it -- assuming that the recipient is running an
OS that can run that executable.

What happens if the recipient has a Mac instead of a PC/Windows? Or a Linux
system? Or some more esoteric OS?

But worse yet, the recipient is running an .exe file from an outside source.
Suppose my orthopedist's office has been infected by malware?  Then the
chiropractor's computer is now _also_ infected with that malware. Any
professional I see about this problem will want to see those images, and
will promptly be infected with the malware.

What a mess!

------------------------------

Date: Thu, 16 Mar 2017 09:55:28 +0000
From: lists () notatla org uk
Subject: Re: A warning from Bill Gates, Elon Musk, and Stephen Hawking
  (Flatau, R-30-18)

Assuming someone ahead of you has bought chicken during the shift of the
current cashier, that might not be the only reason to use self-checkout.

Food standards officials discovered that 40 per cent of packets of chicken
in a range of supermarkets, convenience stores and butchers were covered
with bacteria on the outside.

Of 20 packets of chicken studied, eight had food poisoning bacteria on their
wrapping ...

Shoppers are now being warned to wash their hands after handling chicken
cartons to combat the risk of catching the campylobacter ...

http://www.microbeworld.org/component/jlibrary/?view=article&id=5827

------------------------------

Date: Fri, 17 Mar 2017 09:55:42 -0500
From: Arthur Flatau <flataua () acm org>
Subject: Re: A warning from Bill Gates, Elon Musk, and Stephen Hawking
  (Notatla, RISKS-30.19)

No doubt this has little to do with computers.  This might actually be
another reason to use a human-staffed checkout lane.  I have seen cashiers
in the store I most often buy groceries from clean the conveyor belt with
(what I assume is) some anti-bacterial spray.  I don't recall seeing that in
the self-checkout lane.  Of course, bacteria from chicken are of little
concern at the home improvement stores.

------------------------------

Date: Fri, 17 Mar 2017 08:10:10 +0000
From: David Lamkin <drl () metanate com>
Subject: Re: self-checkout at grocery stores (RISKS-30.18)

If the store trusts its customers, as in the UK store Waitrose (admittedly a
well-heeled lot given its margins), self-checkout can be much more
convenient. They provide a scanner you use as you pick, and 'checkout'
becomes payment only:

<https://www.waitrose.com/home/about_waitrose/quick_check.html>

Interestingly the availability of this excellent feature doesn't stop the
queues at the staffed or self service checkouts!

Metanate Limited. Station Court, Great Shelford, Cambridge CB22 5NE, UK
www.metanate.com (Consultancy) www.schemus.com (Data synchronisation)

------------------------------

Date: Fri, 17 Mar 2017 21:50:37 -0400 (EDT)
From: Kelly Bert Manning <Kelly.Manning () ncf ca>
Subject: Re: automation, restaurants, and industrial robots

The 2017 March 15 RISKS items about automation, fast-food service, and
dangerous industrial robots brought back a memory of "Intent to Deceive" by
Larry Niven. Note the title.

It is always interesting to hear from Dr. Leveson. My father started working
life in his early teens as an early 1940s whistle punk at a coastal BC
logging camp. Her high pressure steam analogy of the state of software
safety had a personal resonance for me. Steam punk has taken on a different
meaning these days.

https://books.google.ca/books?id=IBDAL13yLAUC&pg=PA34&dq=whistle+punk&hl=en&sa=X&ved=0ahUKEwistfKC9N7SAhVUVWMKHcj6AzcQ6AEIHDAA#v=onepage&q=whistle%20punk&f=false

http://www.obooksbooks.com/2015/3984_2.html#

  "And then I remember that he went into a fully automated kitchen, through
  a door that wasn't built for humans.  That kitchen machinery could handle
  full-sized sides of beef. Dreamer obviously wasn't a robot. What would the
  kitchen machinery take him for?"

Science Fiction writer Frederik Pohl also anticipated a number of potential
future risks when he was working as an advertising executive during the day
while writing science fiction in his spare time. With the move to
displays in cars and Internet connections we might have to be wary of
situations where advertisements could distract drivers in cars, although not
yet with our aircars.

https://books.google.ca/books?id=JCVbAAAAMAAJ&focus=searchwithinvolume&q=safety+cranks

  "They listened to the safety cranks and stopped us from projecting our
  messages on aircar windows--but we bounced back. ... soon we'll be testing
  a system that projects direct on the retina"

Science Fiction has a long history of portraying "Mad Men in Space".

http://www.sf-encyclopedia.com/entry/advertising

If you think this is far fetched consider why ad blockers are so popular,
and recall that at least one Internet home firewall maker decided to
interrupt browser sessions periodically by redirecting browsers to one of
their corporate web sites. Why worry about your network equipment being
hacked with corporations behaving like that?

Pohl's novel divides the population into two classes, executives and
everybody else. Other science fiction stories view automation as leading to
divisions such as taxpayers and citizens.

As Analog Magazine told us in 1990, Future Shock is the sense of
bewilderment felt by those who were not paying attention. (volume 110, page
67)

------------------------------

Date: Wed, 15 Mar 2017 15:29:40 -0400
From: Gene Spafford <spaf () purdue edu>
Subject: CRISPR assassinations (RISKS-30.17)

In 1982, Frank Herbert wrote The White Plague, a novel about how a person
creates a genetically-engineered disease that targets only women.  He
intends it to only affect Ireland, but of course it gets out and sweeps the
world.  The novel describes some of the consequences.  Although not as
compelling as Dune, Herbert manages to conjure up a believable set of
consequences of a species threatened with extinction.

I remember reading it and thinking it was implausible (at the time), but
that the difficulty in targeting a particular subset of the population is
likely to be a problem.  Given some of the genetic diversity and
distribution we don't fully understand, and the ability of many pathogens to
undergo change, any targeted microbe might well end up killing far more than
the attacker intends.

Bugs in the bug could well spell our doom.

------------------------------

Date: Thu, 16 Mar 2017 16:30:12 +0000
From: "Wendy M. Grossman" <wendyg () pelicancrossing net>
Subject: Re: Science (Muller, RISKS-30.18)

What is really worrisome is that academics do not question these rules and
apparently prefer a false sense of objectivity.

Time to revive the Underground Grammarian, who wrote a wonderful article
about the passive voice back in the 1980s.

------------------------------

Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.19
************************