RISKS Forum mailing list archives
Risks Digest 30.46
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 11 Sep 2017 16:59:18 PDT
RISKS-LIST: Risks-Forum Digest  Monday 11 September 2017  Volume 30 : Issue 46

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.46>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Equifax Hack May Expose Data of 143 Million Users (Polly Mosendz)
More info on Equifax breach (Lauren Weinstein)
PSA: no matter what you write, Equifax may tell you you've been impacted
  by the hack (TechCrunch)
Hurricane Harvey Knocked Out Cell Service. Now Calls for Backup Wireless
  Power Are Rising (Fortune)
Fake Russian Facebook Accounts Planted $100,000 in Political Ads
  (Vindu Goel and Scott Shane)
Fake Facebook 'like' networks exploited code flaw to create millions of
  bogus 'likes' (Elizabeth Weise)
Facebook Wins, Democracy Loses (NYTimes)
Virginia scraps touchscreen voting machines (Morgan Chalfant)
A huge solar flare temporarily knocked out GPS communications (Engadget)
Apple and Google Fix Browser Bug. Microsoft Does Not. (Bleeping Computer)
Dogwhistle ultrasound returns in a new guise (The Verge)
India's Supreme Court ruled that privacy is a constitutional right
  (Menaka Guruswamy)
'Game of Thrones' was pirated more than a billion times -- far more than it
  was watched legally (The Washington Post)
10 minutes of silence storms iTunes charts thanks to awful Apple UI
  (The Register)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 8 Sep 2017 9:41:10 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Equifax Hack May Expose Data of 143 Million Users (Polly Mosendz)

Polly Mosendz, Bloomberg, 8 Sep 2017
Class action seeking to represent 143 million consumers alleges company didn't spend enough on protecting data.
https://www.bloomberg.com/news/articles/2017-09-08/equifax-sued-over-massive-hack-in-multibillion-dollar-lawsuit

A proposed class-action lawsuit was filed against Equifax Inc. late Thursday evening, shortly after the company reported that an unprecedented hack had compromised the private information of about 143 million people.

In the complaint filed in Portland, Ore., federal court, users alleged Equifax was negligent in failing to protect consumer data, choosing to save money instead of spending on technical safeguards that could have stopped the attack. Data revealed included Social Security numbers, addresses, driver's license data, and birth dates. Some credit card information was also put at risk.

Equifax first discovered the vulnerability in late July, though it chose not to announce it publicly until more than a month later. The company was widely criticized for its customer service approach in the aftermath of the hack, as users struggled to understand whether their information had been affected. Others expressed frustration that three senior executives sold about $1.7 million in stock in the days following the discovery of the hack. A spokeswoman for Equifax said the men "had no knowledge that an intrusion had occurred at the time."

The plaintiffs in the lawsuit are Mary McHill and Brook Reinhard. Both reside in Oregon and had their personal information stored by Equifax.

"In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards to protect Ms. McHill and Mr. Reinhard's information from unauthorized access by hackers," the complaint stated. "Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach. Equifax could have and should have substantially increased the amount of money it spent to protect against cyberattacks but chose not to."

The case was filed by the firm Olsen Daines PC along with Geragos & Geragos, a celebrity law firm known for blockbuster class actions. Ben Meiselas, an attorney for Geragos, said the class will seek as much as $70 billion in damages nationally.

[See also:]
http://www.businessinsider.com/equifax-hackers-may-have-accessed-personal-details-143-million-us-customers-2017-9
https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html?smprod=nytcore-ipad&smid=nytcore-ipad-share

DF: by using the service, you may be giving up legal rights:
https://www.washingtonpost.com/news/the-switch/wp/2017/09/08/what-to-know-before-you-check-equifaxs-data-breach-website/

------------------------------

Date: Fri, 8 Sep 2017 18:21:50 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: More info on Equifax breach

There is increasing evidence to suggest that primary impacts of the Equifax breach involve consumers who interacted directly with (and provided personal information to) their public facing website. The breach does not appear at this time to involve their core credit reporting databases.

------------------------------

Date: Fri, 8 Sep 2017 18:07:44 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: [SCAM!] PSA: no matter what you write, Equifax may tell you you've been impacted by the hack

via NNSquad
https://techcrunch.com/2017/09/08/psa-no-matter-what-you-write-equifax-may-tell-you-youve-been-impacted-by-the-hack/?ncid=rss

What this means is not only are none of the last names tied to your Social Security number, but there's no way to tell if you were really impacted. It's clear Equifax's goal isn't to protect the consumer or bring them vital information. It's to get you to sign up for its revenue-generating product TrustID.

------------------------------

Date: Mon, 11 Sep 2017 09:35:43 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Hurricane Harvey Knocked Out Cell Service. Now Calls for Backup Wireless Power Are Rising

via NNSquad
http://fortune.com/2017/08/30/hurricane-harvey-cell-backup-power/

The wireless industry has for years successfully fought regulations that would force mobile phone networks to be hardened so they work during storms, but it may face renewed demands after Hurricane Harvey knocked out seven of 10 cell towers in the hardest-hit counties of Texas.

Depending on cell service during a disaster is a disaster in and of itself. That's why so many telecom experts hang onto their landlines as lifelines! I sure as hell do!

------------------------------

Date: Thu, 7 Sep 2017 9:13:39 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Fake Russian Facebook Accounts Planted $100,000 in Political Ads (Vindu Goel and Scott Shane)

Vindu Goel and Scott Shane, The New York Times, 6 Sep 2017

Providing new evidence of Russian interference in the 2016 election, Facebook disclosed on Wednesday that it had identified more than $100,000 worth of divisive ads on hot-button issues purchased by a shadowy Russian company linked to the Kremlin. The fake accounts were created by a Russian company called the "Internet Research Agency" (which is known for using troll accounts to post on social media and comment on news websites).

------------------------------

Date: Fri, 8 Sep 2017 10:12:35 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Fake Facebook 'like' networks exploited code flaw to create millions of bogus 'likes' (Elizabeth Weise)

via NNSquad, USA Today
https://www.usatoday.com/story/tech/news/2017/09/07/facebook-fake-likes-scammers-collusion-networks/642446001/

A thriving ecosystem of websites that allow users to automatically generate millions of fake "likes" and comments on Facebook has been documented by researchers at the University of Iowa.

------------------------------

Date: Sat, Sep 9, 2017 at 3:36 PM
From: <james.morris () cmu edu>
Subject: Facebook Wins, Democracy Loses (Siva Vaidhyanathan)

Siva Vaidhyanathan, The New York Times, 8 Sep 2017 [via Dave Farber]

Wait! Facebook, unlike Twitter, does not allow puppets, i.e. accounts controlled by other accounts. I recall Egyptian Spring activists complaining about this. Does Facebook allow ads, i.e. something paid for, to masquerade as unpaid posts? It shouldn't; Google doesn't. Finally, any ad should allow its reader to learn about who paid for it. None of these rules would prevent Russian robot trolls from posting evil ideas, but it would make detecting them easier. A skeptical reader could ask "Who posted this, and who are their friends?"

Healthy democracies have transparency in political advertising. That doesn't matter to Facebook.

<https://www.nytimes.com/2017/09/08/opinion/facebook-wins-democracy-loses.html>

------------------------------

Date: Fri, Sep 8, 2017 at 10:28 PM
From: Richard Forno <rforno () infowarrior org>
Subject: Virginia scraps touchscreen voting machines (Morgan Chalfant)

Morgan Chalfant, *The Hill*, 9 Sep 2017, via Dave Farber
http://thehill.com/business-a-lobbying/349896-virginia-scraps-touchscreen-voting-machines

The Virginia State Board of Elections moved Friday to do away with touchscreen voting machines in the state by November's election, a move aimed at boosting security.

The board decided to phase out the machines this year after the Virginia Department of Elections recommended that the touchscreen voting machines be decertified. The recommendation came after security experts breached numerous types of voting machines with ease at the DEF CON cybersecurity conference in Las Vegas in July, according to The Richmond Times-Dispatch.

The move comes amid heightened concerns over foreign interference in future elections, in light of the U.S. intelligence community's conclusion that Russia used cyberattacks and disinformation to interfere in the 2016 presidential election.

Virginia's gubernatorial election will take place in November, meaning that the move to get rid of the machines would result in 22 localities having to replace their equipment less than two months before the vote. The state has already passed a law mandating that the machines be phased out by 2020.

According to the Times-Dispatch, 10 localities have already started purchasing new equipment. The remaining 12 would need to work quickly to phase out the old equipment by Nov. 7.

``The security of the election process is always of paramount importance. The Department is continually vigilant on matters related to security of voting equipment used in Virginia,'' Edgardo Cortes, the state's election commissioner, said in a news release Friday. ``The ability to meaningfully participate in our democracy is one of the most important rights that we have as citizens, and the Department of Elections is dedicated to maintaining voters' confidence in the democratic process.''

Cyber-experts have raised alarm over the touchscreen devices, called direct-recording electronic, or DRE, voting machines, because they yield no paper records that can be checked with the electronic records to make sure votes are tallied accurately.

More than 100 cyber- and voting experts penned a letter to Congress in June urging them to take steps to secure future elections, including a recommendation to phase out DRE voting machines and others that do not produce a voter-verified paper ballot.

``While there has been encouraging progress to improve election security in recent years, too many polling stations across the nation are still equipped with electronic machines that do not produce voter-verified paper ballots. Many jurisdictions are also inadequately prepared to deal with rising cybersecurity risks.''

The letter was sent the day that Department of Homeland Security officials testified of evidence that Russia targeted election-related systems in 21 states ahead of the 2016 presidential election. While officials maintain that the systems targeted were not involved in vote tallying, Moscow's interference campaign has nevertheless stoked fears about the possibility that foreign actors could attempt to use hacking to affect vote counts in the future.

See also Today's Washington Post: DefCon 2017 contributed to Virginia dumping DREs
https://www.washingtonpost.com/local/virginia-politics/virginia-scraps-touch-screen-voting-machines-as-election-for-governor-looms/2017/09/08/e266ead6-94fe-11e7-89fa-bb822a46da5b_story.html?utm_term=.6fb49dcd9b08#comments

------------------------------

Date: Thu, 7 Sep 2017 16:17:51 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: A huge solar flare temporarily knocked out GPS communications (Engadget)

The sun did its biggest burp in 12 years.

On the morning of 6 September the sun let out two pretty sizable burps of radiation. Both were considered X-class -- the strongest type of solar flare -- with one of them proving to be the most powerful since 2005. If a solar flare is directed at Earth, which these ones were, it can generate a radiation storm that interferes with radio and GPS signals. The biggest flare ever recorded, in 2003, was so strong it even knocked out NASA's solar measurement equipment. These recent belches weren't quite on par with that, but they were enough to jam high frequency radios and interfere with GPS systems for about an hour on the side of the Earth facing the sun. Put your hand over your mouth, sun! Rude!

https://www.engadget.com/2017/09/07/a-huge-solar-flare-temporarily-knocked-out-gps-communications/

Sextant, chronometer, compass, maps, oh my...

------------------------------

Date: Fri, 8 Sep 2017 15:44:18 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Apple and Google Fix Browser Bug. Microsoft Does Not.

via NNSquad
https://www.bleepingcomputer.com/news/security/apple-and-google-fix-browser-bug-microsoft-does-not-/

Microsoft has declined to patch a security bug Cisco Talos researchers discovered in the Edge browser, claiming the reported issue is by design. Apple and Google patched a similar flaw in Safari (CVE-2017-2419) and Chrome (CVE-2017-5033), respectively.

------------------------------

Date: Thu, 7 Sep 2017 21:17:17 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Dogwhistle ultrasound returns in a new guise

Dolphin attack uses high-frequency sound against voice-based assistants such as Siri.
https://www.theverge.com/2017/9/7/16265906/ultrasound-hack-siri-alexa-google
https://techcrunch.com/2017/09/06/hackers-send-silent-commands-to-speech-recognition-systems-with-ultrasound/

------------------------------

Date: Mon, 11 Sep 2017 15:02:23 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: India's Supreme Court ruled that privacy is a constitutional right

https://www.nytimes.com/2017/09/10/opinion/indias-supreme-court-expands-freedom.html

------------------------------

Date: Fri, 8 Sep 2017 23:36:25 -0400
From: Monty Solomon <monty () roscom com>
Subject: 'Game of Thrones' was pirated more than a billion times -- far more than it was watched legally

https://www.washingtonpost.com/news/morning-mix/wp/2017/09/08/game-of-thrones-was-pirated-more-than-a-billion-times-far-more-than-it-was-watched-legally/

------------------------------

Date: Tue, 5 Sep 2017 21:06:48 -0400 (EDT)
From: msb () vex net (Mark Brader)
Subject: 10 minutes of silence storms iTunes charts thanks to awful Apple UI

"A a a a Very Good Song" is A a a a simple workaround.
http://www.theregister.co.uk/2017/08/16/silent_track_bug_fix_itunes/

------------------------------

Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
 Also, ftp://ftp.sri.com/risks for the current volume
 or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
 If none of those work for you, the most recent issue is always at
   http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
 Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.46
************************