
Risks Digest 29.44


From: RISKS List Owner <risko () csl sri com>
Date: Tue, 5 Apr 2016 17:16:15 PDT

RISKS-LIST: Risks-Forum Digest  Tuesday 5 April 2016  Volume 29 : Issue 44

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.44.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Wrecking crew demolishes wrong house due to Google Maps error (Softpeedia)
WhatsApp adopts default encryption *WiReD*
With Hospital Ransomware Infections, the Patients Are at Risk (TechReview)
Ransomware vs. US government agencies (Al Mac)
US State Dept database vulnerabilities (Al Mac)
Technology Upgrades Get White House Out of the 20th Century (NYTimes)
Hayden on encryption v. metadata (Henry Baker)
Panama Papers (Al Mac)
Many law firms hacked (Al Mac)
Risks of car manufacturers adding flash (Steve Loughran)
Why I Don't Make Financial Decisions on My Smartphone? (NYTimes)
Chris Drewe <e767pmk () yahoo co uk>
Man gets free holidays and car rentals after changing surname to 'Null'
  (Caroline Mcguire via Chris Drewe)
How one programmer broke the Internet by deleting a tiny piece of code (QZ)
DoD Picks HackerOne to Operate Bug Bounty Pilot Program (HackerOne)
Satellite Images Can Pinpoint Poverty Where Surveys Can't (NYTimes)
"Node.js alert: Google engineer finds flaw in NPM scripts"
  (Fahmida Y. Rashid)
Google April Fool's prank backfires -- possibly? (Peter Houppermans)
April fools? (Martyn Thomas)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 01 Apr 2016 19:35:27 +0800
From: Dan Jacobson <jidanni () jidanni org>
Subject: Wrecking crew demolishes wrong house due to Google Maps error

Company Demolishes Wrong Housing Duplex Following Google Maps Error
Wrecking crew forgets to double-check location
http://news.softpedia.com/news/company-demolishes-wrong-housing-duplex-after-google-maps-error-502188.shtml

A wrecking company has demolished the wrong housing duplex after one of its
employees was misled by a Google Maps error. In December 2015, the city of
Rowlett, near Dallas, Texas, was hit by a tornado that destroyed or damaged
multiple houses. Some of the unlucky homeowners who had their houses damaged
beyond repair contacted demolition companies to have their house lots
cleared in order to start rebuilding their new homes.  One of the contacted
companies was Billy L. Nabors Demolition, who was contracted to demolish the
house at 7601 Cousteau Drive... Never, ever, hire a demolition company from
another town...

------------------------------

Date: Tue, 5 Apr 2016 9:17:45 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: WhatsApp adopts default encryption

*WiReD*
http://www.wired.com/2016/04/forget-apple-vs-fbi-whatsapp-just-switched-encryption-billion-people/

------------------------------

Date: Sun, 3 Apr 2016 02:12:22 -0400
From: Monty Solomon <monty () roscom com>
Subject: With Hospital Ransomware Infections, the Patients Are at Risk

Ransomware that locks up patient data in hospitals is disrupting medical
care, and the problem is set to get worse.

https://www.technologyreview.com/s/601143/with-hospital-ransomware-infections-the-patients-are-at-risk/

------------------------------

Date: Mon, 4 Apr 2016 14:06:09 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: Ransomware vs. US government agencies

Some 29 federal agencies reported they were targeted with ransomware 321
times between June and early December 2015, according to a Department of
Homeland Security response to an inquiry by Sen. Tom Carper.  The Delaware
Democrat, who serves as the ranking member of the US Senate Homeland
Security and Governmental Affairs Committee, had requested information about
the government's ransomware defenses as part of the panel's oversight of
government IT security.
<https://www.hsgac.senate.gov/download/dhs-responds-to-carper-inquiries-on-response-to-threat-of-ransomware>
<http://www.carper.senate.gov/public/index.cfm/pressreleases?ID=01C0457D-DF6D-47E1-9096-07413536C080>

Assistant Attorney General Peter Kadzik, in the DOJ's response
to Carper's inquiry, said the FBI's Internet Crime Complaint Center (IC3)
received 7,694 ransomware complaints in 2015, with losses from these
attacks costing victims an estimated $57.6 million.

In addition to federal agencies, state and local governments are also being
targeted. The Multistate Information and Analysis Center told DHS that
MS-ISAC's associated Computer Emergency Response Team identified and
addressed 40 incidents related to ransomware-associated activity on state,
local, tribal and territorial governments' systems.

We do not know if recent occasional news stories about ransomware attacks on
local institutions are included in those statistics.

http://www.govinfosecurity.com/ransomware-attacks-against-government-agencies-widespread-a-9005

To boost profits, operators of ransomware are hiring and funding their own
development teams to fashion new variants of malware, according to Cisco's
latest Midyear Security Report.
<http://www.cisco.com/web/offers/lp/2015-midyear-security-report/index.html>

https://fcw.com/articles/2015/12/04/lyngaas-congressmen-ransomware.aspx

Senator Carper's inquiry was sent December 2015.

According to the DHS 7 page (50 k PDF) report:

The Department of Homeland Security's (DHS) National Cybersecurity and
Communications Integration Center (NCCIC) has received reports of 337
ransomware-related incidents since June 2015. The NCCIC received these
reports from federal government agencies, the private sector, international
partners, and the general public.

The DoJ report is 8 pages (5.8 meg), part of which is redacted in the
general public edition.

There is more info in these 2 reports than the ransomware statistics I am
citing.

------------------------------

Date: Sat, 2 Apr 2016 23:07:03 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: US State Dept database vulnerabilities

The US State Dept has a system for tracking people who wish to travel to
and from the USA, which has been found to have vulnerabilities exposing a
billion people to hackers and allowing alteration of the applications of
potential visitors to the USA, potentially opening the border to
terrorists. In 2015 alone, the State Department denied more than 2,200
applications from people with a *suspected connection to terrorism,* a
senior homeland security official told lawmakers last month.

It is the Consular Consolidated Database (CCD). It holds current and
archived visa records and data, including names, photos, addresses,
biometric data and identification numbers from the Bureau of Consular
Affairs (BCA) and is key to processing passport applications for visa
applicants and travelers.  Visiting search engines looking for info on this,
we find this is not the first instance of cybersecurity problems with
the CCD.

http://abcnews.go.com/US/exclusive-security-gaps-found-massive-visa-database/story?id=38041051

http://thehill.com/policy/cybersecurity/274819-security-holes-found-in-state-department-visa-database-report

http://fortune.com/2016/04/02/data-sheet-saturday-april-2-2016/

https://fcw.com/articles/2016/04/01/visa-state-vulnerable.aspx

http://cio.economictimes.indiatimes.com/news/digital-security/security-vulnerabilities-found-in-us-visa-database-report/51657905

https://travel.state.gov/content/visas/en/law-and-policy/bulletin.html

------------------------------

Date: Mon, 4 Apr 2016 12:28:47 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Technology Upgrades Get White House Out of the 20th Century

As President Obama prepares to leave the White House, one of his legacies
will be the office information technology upgrade that his staff has finally
begun.

http://www.nytimes.com/2016/04/04/us/politics/technology-upgrades-get-white-house-out-of-the-20th-century.html

Risks?  Distributed/conflicting technology teams/ agendas/ authorities/
abilities, plus a nice dose of politics and national security. Stir
vigorously until catastrophe ensues.

------------------------------

Date: March 23, 2016 at 8:11:11 PM EDT
From: Henry Baker <hbaker1 () pipeline com>
Subject: Hayden on encryption v. metadata

  [Also in Cryptography]

https://www.lawfareblog.com/lawfare-podcast-general-michael-hayden-discusses-american-intelligence-age-terror

Highly recommended, *especially* if you disagree with Hayden.

Basically, Hayden is ok with just about anything -- including torture -- so
long as it is approved by someone higher up.  Methinks he might not fare so
well in a Nuremberg-type trial, but perhaps those ethics are sooo last
century.

However, Hayden does think that the FBI is p*ss*ng into the wind on
encryption, because any restrictions on encryption will drive technology
overseas & weaken the U.S. tech economy.

Hayden is basically agreeing with the statement "we kill people based on
metadata", so you'd better believe that social graphs, GPS coordinate
positions, etc., are being hoovered up, big time.  Perhaps the FBI will be
forced to de-parallel-construct their DRT-bag data for the U.S. courts, but
I suspect that NSA has no such scruples.

There was an unclassified program by a small midwest company a couple of
years ago that did 2 things: collected huge amounts of continuous hi-res
video surveillance imagery and built a time-line database.  Subsequently, an
inquiry about the position of a car at 2:17pm at such-and-such a location
could be run *backwards* in time to see where the car came from.  Although
this data was used to catch a few very surprised criminals who found the
police patiently waiting for them at their homes, it was either deemed too
creepy (hard to believe!) or too expensive to continue.

However, I think the real reason why this surveillance technique was dropped
(from public discussion, anyway) is that exactly the same database
technology is *already* in use to track cellphones backwards in time.  This
can be done with cheap, ubiquitous NSA junior-varsity-type technology --
collect cellphone signals, wifi signals, Bluetooth signals.

Thus, if person X is noticed at location Y at time T, then the database can
track person X backwards over the past hours, days, months to see if person
X ever came close to person Y.

If this happens in some locations on the globe, and if person Y is
considered a "bad guy/gal", then person X is now considered to be a "bad
guy/gal".  Hayden may not even know person X's name or gender, but the
U.S. might still target person X for killing simply on the basis of this
metadata.  Hayden seems completely ok with this sort of thinking, but then
he has lime on his cleats (his too cute football analogy re coming too
close to getting out of bounds).

So while the encryption fight is going on, a far more insidious type of
surveillance is taking place, but without being discussed or approved by
anyone in Congress or the courts.

I believe that this type of system is what Hayden is referring to when he
says that -- far from "going dark" -- this is currently the "golden age" of
surveillance.

------------------------------

Date: Mon, 4 Apr 2016 20:14:40 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: Panama Papers

11.5 million documents leaked, estimated to contain about 2.6 terabytes of
data.  They were at a law firm in Panama.  Contents cover off-shore
accounts, and financial activities which may be illegal for some of the
participants, depending on their home nations, where the money went, and if
proper tax reporting was done.

Many allegations, in the papers, need confirmation.

The named individuals are denying this info.

The law firm says they are a victim, in this leak.

https://www.reddit.com/live/wp1fvdxxwb45/

https://panamapapers.icij.org/graphs/

http://www.usatoday.com/story/tech/news/2016/04/04/stealing-115-million-documents-panama-papers-snowden-sony-hack-leak/82613940/

http://www.reuters.com/article/us-panama-tax-idUSKCN0X10C2

------------------------------

Date: Tue, 5 Apr 2016 14:37:31 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: Many law firms hacked

50 plus law firms got hacked, including the most prestigious, of several
nations.

The good news is that many law firms are waking up to their fiduciary cyber
security responsibilities, much more rapidly than we have seen for other
industries. Firms are also signing up to join the information-sharing group
about cyberthreats formed by Financial Services Information Sharing and
Analysis Center (FS-ISAC).
https://www.fsisac.com/

http://abovethelaw.com/2016/03/beware-of-big-hacking-in-biglaw/
See page 2 of above link, for where I got this list of 47 of the law firms
involved.

This list was compiled by Flashpoint (via Crain's Chicago Business).
<http://www.chicagobusiness.com/article/20160329/NEWS04/160329840/russian-cyber-criminal-targets-elite-chicago-law-firms?X-IgnoreUserAgent=1>

Akin Gump Strauss Hauer & Feld
Allen & Overy
Baker & Hostetler
Baker Botts
Cadwalader Wickersham & Taft
Cleary Gottlieb Steen & Hamilton
Covington & Burling
Cravath Swaine & Moore
Davis Polk & Wardwell
Debevoise & Plimpton
Dechert
DLA Piper
Ellenoff Grossman & Schole
Freshfields Bruckhaus Deringer
Fried Frank Harris Shriver & Jacobson
Gibson Dunn & Crutcher
Goodwin Procter
Hogan Lovells
Hughes Hubbard & Reed
Jenner & Block
Jones Day
Kaye Scholer
Kirkland & Ellis
Kramer Levin Naftalis & Frankel
Latham & Watkins
McDermott Will & Emery
Milbank Tweed Hadley & McCloy
Morgan Lewis & Bockius
Morrison & Foerster
Nixon Peabody
Paul Hastings
Paul Weiss Rifkind Wharton & Garrison
Pillsbury Winthrop Shaw Pittman
Proskauer Rose
Ropes & Gray
Schulte Roth & Zabel
Seward & Kissel
Shearman & Sterling
Sidley Austin
Simpson Thacher & Bartlett
Skadden Arps Slate Meagher & Flom
Sullivan & Cromwell
Vinson & Elkins
Wachtell Lipton Rosen & Katz
Weil Gotshal & Manges
White & Case
Wilkie Farr & Gallagher

Apparently some crooks were seeking info on mergers & acquisitions, for the
purpose of insider trading.

Law firms have also been victimized by ransomware.

Law firms have also been recipients of the CEO scam [browse on "Fake
President Scam"], where a junior executive is ordered by the higher one to
transmit some money some place, and keep this confidential, when the order
is really coming from someone faking out the senior executive.  If all their
security rules, and normal e-mail traffic, are on the computer network, and
the computer network is hacked, then this kind of scam is easy to
perpetrate.

A problem common to many companies, including law firms, is that senior
leaders of the companies are free to disregard security rules which apply to
lower level employees, but they are above the company laws & regulations.
If they had proper security audits, this would be revealed, and if the law
required that they show the results of audits to their clients, then such
behavior would cease, and the whole industry would become more secure.

http://www.lawgazette.co.uk/practice/ma-hack-attack-on-48-elite-law-firms/5054524.article

http://www.americanlawyer.com/id=1202753706763/Cravath-Admits-Breach-as-Law-Firm-Hacks-Go-Public-?slreturn=20160305150736

http://www.bbc.com/news/technology-35933246

A common claim by hacked outfits is that no data was taken, and we always
wonder how they know this.

Breach laws only require that non-government organizations truthfully report
when the data taken is PII of humans.

There are many forms of breaches, for which the breached institution has no
legal obligation to report the event to anyone, and many reasons to cover it
up, so as not to have their reputation impaired.

Government organizations are generally required to report breaches to
whatever government agency tracks security problems, and tries to manage
their mitigation.  Most of this never gets to the general public beyond some
statistics.

Due diligence, when we contract with some place for business, includes
finding out if they have good security.  But just as good security requires
layered protection, cover-ups also involve layers, so potential customers,
of outfits which are good at cover-ups, will probably never learn about
security breaches there.

Who financed the implementation of IT security, at the hacked law firms?

In the business world there are many professions.

We trust lawyers to know the law.

We trust accountants to balance the books.

We trust IT security professionals to know what is needed, and to do the job
right, provided they get the resources they need to implement good security.

We do not trust people to perform jobs for which they have not had the
proper training. We do not trust people who do not have training to know
what they are missing out on by not having the training. Unfortunately,
many business leaders lack the understanding I have stated above.

------------------------------

Date: Mon, 4 Apr 2016 18:20:01 +0100
From: Steve Loughran <steve.loughran () gmail com>
Subject: Risks of car manufacturers adding flash

For people wondering how secure their newly purchased car is, why not take
a look at the manual on the "media centre", a manual which is now bigger
than one on "driving your vehicle safely to your chosen destination".

I was certainly surprised to see a section on how to disable flash in the
manual of a 2012 car we had just purchased second-hand.

https://www.flickr.com/photos/steve_l/25625279674/in/album-72157623050830883/

I've been trying very hard to have a vaguely secure house, with "removing
flash off all devices" being one of the tasks undertaken. The fact that
it's being built into vehicle entertainment systems means I appear to be
fighting a losing battle.

An emergency check of the vehicle showed me that, fortunately, the previous
owner had not opted for the "web browser" feature when buying their
vehicle. As well as keeping flash out of the vehicle, it meant their web
browsing history and cookies were not available to me.

The fact that car manufacturers are putting software with such an awful
track record of security into the firmware of their systems is not a good
sign for future vehicle security.

------------------------------

Date: Sun, 3 Apr 2016 11:44:20 -0400
From: Monty Solomon <monty () roscom com>
Subject: Why I Don't Make Financial Decisions on My Smartphone?

http://www.nytimes.com/2016/03/27/your-money/why-i-dont-make-financial-decisions-on-my-smartphone.html

------------------------------

Date: Tue, 29 Mar 2016 22:40:19 +0100
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: Man gets free holidays and car rentals after changing surname
  to 'Null' (Caroline Mcguire)

Just spotted this on a newspaper web site -- don't know if it's for real
(but it's not April 1st yet!):

Caroline Mcguire for MailOnline
<http://www.dailymail.co.uk/travel/travel_news/article-3513652/The-cleverest-time-Man-gets-free-holidays-car-rentals-changing-surname-Null.html>

People will go to extreme lengths to bag themselves a freebie these days,
but one American has come up with the ultimate bag to get free holidays - a
name change.

The man claims to have been given seven free nights at seven different
hotels and free-of-charge car rental after changing his surname to 'Null'.

Raven Felix Null, 24, from the United States, says he changed his
surname after becoming an adult and claims the word 'Null' is
incompatible with a lot of computer programming, leading to many systems
not recognising him as a person.
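
As an added example, not from the Digest or the MailOnline article: a
JavaScript illustration of how a surname spelled "Null" gets mistaken for a
missing value by code that compares stringified fields against a sentinel,
beside a type-aware check that keeps the two apart. The booking records and
function names are constructed for the example.

```javascript
// Added example, not from the Digest or the cited article: a loader whose
// "missing value" check stringifies fields, so the real surname "Null" is
// treated the same as an absent surname, and a type-aware check that keeps
// them apart. All records below are constructed sample data.

// Constructed bookings: one guest really named Null, one with no surname.
const BOOKINGS = [
  { id: 101, given: "Raven", surname: "Null" },
  { id: 102, given: "Alex", surname: null },
];

// Anti-pattern: coerce to string, then compare against sentinel spellings.
// String(null) === "null", so after lower-casing the surname "Null" and a
// genuinely missing value are indistinguishable.
function naiveIsMissing(value) {
  const s = String(value).trim().toLowerCase();
  return s === "" || s === "null" || s === "undefined";
}

// Correct: decide on the type, not the spelling. Only null, undefined and
// blank strings are missing; "Null" is an ordinary non-empty string.
function strictIsMissing(value) {
  if (value === null || value === undefined) return true;
  return typeof value === "string" && value.trim() === "";
}

// Bookings that pass validation (and so get invoiced) under a given check.
function invoiceableIds(bookings, isMissing) {
  return bookings.filter((b) => !isMissing(b.surname)).map((b) => b.id);
}

// The same bug at a system boundary: a flat export that stringifies fields
// emits "null" for a missing surname, which a case-folding downstream
// loader cannot tell from the surname "Null". A JSON export keeps the
// bare token null and the quoted string "Null" distinct.
function exportFlatLine(b) {
  return [b.id, b.given, String(b.surname)].join(",");
}
function exportJsonLine(b) {
  return JSON.stringify(b);
}
// Reads a JSON export line back; the surname's type survives the round trip.
function importJsonLine(line) {
  return JSON.parse(line);
}

function demo() {
  return {
    naive: invoiceableIds(BOOKINGS, naiveIsMissing),   // []: Mr Null is never billed
    strict: invoiceableIds(BOOKINGS, strictIsMissing), // [101]
    flat: BOOKINGS.map(exportFlatLine),                // "102,Alex,null"
    json: BOOKINGS.map(exportJsonLine),
  };
}
```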

------------------------------

Date: Sat, 2 Apr 2016 21:17:42 -0400
From: Monty Solomon <monty () roscom com>
Subject: How one programmer broke the Internet by deleting a tiny piece of code

http://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code/

------------------------------

Date: Sat, 2 Apr 2016 10:52:20 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: DoD Picks HackerOne to Operate Bug Bounty Pilot Program

Washington, DC -- In a first-of-its-kind program for the federal government,
the *Department of Defense* has selected San Francisco-based *HackerOne* to
operate its "Hack the Pentagon" bug bounty pilot, aimed at bolstering the
department's cybersecurity. Under the program, the company will invite
qualified hackers to participate in a 20-day bug bounty pilot beginning
April 18. The goal will be to find and report security vulnerabilities
within DoD websites so they can be safely resolved. Individual bounty
payments will depend on a number of factors, but will come from the $150,000
in funding for the program. "This initiative will put the department's
cybersecurity to the test in an innovative but responsible way," said
Defense Secretary *Ashton Carter.* "I encourage hackers who want to bolster
our digital defenses to join the competition and take their best shot." A
registration site is now live and can be accessed at the top link below.
https://hackerone.com/hackthepentagon

------------------------------

Date: Sun, 3 Apr 2016 12:47:29 -0400
From: Monty Solomon <monty () roscom com>
Subject: Satellite Images Can Pinpoint Poverty Where Surveys Can't

http://www.nytimes.com/2016/04/03/upshot/satellite-images-can-pinpoint-poverty-where-surveys-cant.html

Information that can be gathered from novel sources, using algorithms, can
help determine the best places to spend limited resources.

------------------------------

Date: Fri, 01 Apr 2016 10:06:11 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Node.js alert: Google engineer finds flaw in NPM scripts"
  (Fahmida Y. Rashid)

Fahmida Y. Rashid, InfoWorld, 28 Mar 2016
Node.js developers, run NPM install at your own risk -- a
self-replicating worm can easily spread through the ecosystem
http://www.infoworld.com/article/3048526/security/nodejs-alert-google-engineer-finds-flaw-in-npm-scripts.html

------------------------------

Date: Fri, 1 Apr 2016 12:53:58 +0200
From: Peter Houppermans <peter () houppermans net>
Subject: Google April Fool's prank backfires -- possibly?

The Net appears awash with reports about a Google Mail prank that
backfired:
http://techcrunch.com/2016/04/01/google-reverses-gmail-april-1-prank-after-users-mistakently-put-gifs-into-important-emails/

It appears Google took it upon itself to replace various buttons in their
user interface with some that added information to email.

I am aware that it's April 1st so even the news stories could be pranks
themselves.

------------------------------

Date: Fri, 1 Apr 2016 11:35:25 +0100
From: Martyn Thomas <martyn () thomas-associates co uk>
Subject: April fools?

With apologies to Arthur C Clarke:  "any description of sufficiently advanced
technology is indistinguishable from an April Fool."

  [Note: The Silver Swan, 1611 madrigal by Orlando Gibbons, words allegedly
  by Sir Christopher Hatton, the last line of which is
    More Geese than Swans now live, more Fools than Wise ...  PGN]

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 29.44
************************
