Risks Digest 29.93
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 21 Nov 2016 14:35:05 PST
RISKS-LIST: Risks-Forum Digest Monday 21 November 2016 Volume 29 : Issue 93

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/29.93>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
*Fake News* gives new meaning to *No news is good news*?!! (PGN)
Programmers are having a huge discussion about the unethical and illegal things they've been asked to do (Business Insider)
Nobody has real friends anymore (NYPost via Geoff Goodfellow)
8 million GitHub profiles were leaked from GeekedIn's MongoDB - (Troy Hunt)
Zuckerberg dies temporarily due to glitch (The Guardian)
Vigilante who aided Steubenville football website hack to plead guilty (Ars Technica)
In two weeks, it will be easier for Uncle Sam to search your computer (Ars Technica)
IMSI Catcher Report Calls for Transparency, Proportionality, and Minimization Policies (CitizenLab)
Chinese company installed secret backdoor on hundreds of thousands of phones (Ars Technica)
The Cyber-War on the Tibetan Community - a case study (CyberLab)
NSO Group's iPhone Zero Days used against a UAE Human Rights Defender (Bill Marczak and John Scott-Railton)
Office Depot insider speaks out about unnecessary computer fixes (JesseJones)
Kryptowire discovers mobile phone firmware that transmitted PII (Jim Reisert)
Risks to toilets in computing systems (Toby Douglass)
Testimony last week for a U.S. House Committee on IoT Security by Kevin Fu and Bruce Schneier (PGN)
Hackers Claim Theft of Data from Gorilla Glue (Motherboard)
Biggest Spike in Traffic Deaths in 50 Years? Blame Apps (The NYTimes)
iPhones Secretly Send Call History to Apple, Security Firm Says (Kim Zetter)
Re: iPhone 'Touch Disease' (Bryan Clark via Werner U)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 18 Nov 2016 9:58:53 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: *Fake News* gives new meaning to *No news is good news*?!!

Fake News may be becoming the biggest Real-News story of the century. It is certainly getting wide coverage. Here are just a few of the items that seem RISKS-relevant.

Facebook fake news writer Paul Horner reveals how he tricked Trump supporters, and possibly influenced election
http://www.hollywoodreporter.com/news/facebook-fake-news-writer-president-donald-trump-win-948218

Facebook fake-news writer: "I think Donald Trump is in the White House because of me."
https://www.washingtonpost.com/news/the-intersect/wp/2016/11/17/facebook-fake-news-writer-i-think-donald-trump-is-in-the-white-house-because-of-me/

Access to LinkedIn now officially blocked in Russia: new law requires personal data of Russians must be stored within Russia.
https://consumerist.com/2016/11/17/access-to-linkedin-now-officially-blocked-in-russia/

Viral Fake Election News Outperformed Real News On Facebook In Final Months Of The US Election; fake election news stories generated more total engagement on Facebook than top election stories from 19 major news outlets combined.
https://www.buzzfeed.com/craigsilverman/viral-fake-election-news-outperformed-real-news-on-facebook

Fake News on Facebook? In Foreign Elections, That's Not New
http://www.nytimes.com/2016/11/18/technology/fake-news-on-facebook-in-foreign-elections-thats-not-new.html

Automated Pro-Trump Bots Overwhelmed Pro-Clinton Messages, Researchers Say: to rant, confuse people on facts, or simply muddy discussions,
http://www.nytimes.com/2016/11/18/technology/automated-pro-trump-bots-overwhelmed-pro-clinton-messages-researchers-say.html

President Obama on fake news problem: "We won't know what to fight for"; it represents a true threat to some of the fundamental U.S. building blocks of society.
https://techcrunch.com/2016/11/17/president-obama-on-fake-news-problem-we-wont-know-what-to-fight-for/

White supremacist Twitter users are creating fake 'black person' accounts to stir up online racism
http://www.rawstory.com/2016/11/white-supremacist-twitter-users-are-creating-fake-black-person-accounts-to-stir-up-online-racism/

Facebook's New Plan to Deal With Fake News Is Too Vague and Too Late
http://gizmodo.com/facebooks-new-plan-to-deal-with-fake-news-is-too-vague-1789171552

Mark Zuckerberg Announces Facebook Will Fight Fake News -- Next To An Ad With Fake News
https://news.slashdot.org/story/16/11/19/1834205/mark-zuckerberg-announces-facebook-will-fight-fake-news----next-to-an-ad-with-fake-news

Here's why Twitter turned down a Donald Trump advertising campaign
http://www.recode.net/2016/11/19/13685832/twitter-rejects-donald-trump-ad-campaign

A real-names domain-registration policy would discourage political lying
http://cis471.blogspot.com/2016/11/a-real-names-domain-registration-policy.html

How Fake News Goes Viral
http://www.nytimes.com/2016/11/20/business/media/how-fake-news-spreads.html?partner=rss&emc=rss

NYTimes Editorial: Facebook and the Digital Virus Called Fake News
http://www.nytimes.com/2016/11/20/opinion/sunday/facebook-and-the-digital-virus-called-fake-news.html

Call it a 'crazy idea,' Facebook, but you need an executive editor
https://www.washingtonpost.com/lifestyle/style/call-it-what-you-want-facebook-but-you-need-an-executive-editor/2016/11/20/67aa5320-aaa6-11e6-a31b-4b6397e625d0_story.html

For the 'new yellow journalists,' opportunity comes in clicks and bucks
https://www.washingtonpost.com/national/for-the-new-yellow-journalists-opportunity-comes-in-clicks-and-bucks/2016/11/20/d58d036c-adbf-11e6-8b45-f8e493f06fcd_story.html

Misinformation in China
Watching the Election from The Post-Truth Future
https://medium.com/@xuhulk/watching-the-election-from-the-post-truth-future-97a0d66bdcfe#.hsjwf0wbk

------------------------------

Date: Sun, 20 Nov 2016 21:49:01 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Programmers are having a huge discussion about the unethical and illegal things they've been asked to do

NNSquad
http://www.businessinsider.com/programmers-confess-unethical-illegal-tasks-asked-of-them-2016-11

  "We are killing people," Martin says. "We did not get into this business to kill people. And this is only getting worse." He pointed out that "there are hints" that developers will increasingly face some real heat in the years to come. He cited Volkswagen America's CEO, Michael Horn, who at first blamed software engineers for the company's emissions cheating scandal during a Congressional hearing, claiming the coders had acted on their own "for whatever reason." Horn later resigned after US prosecutors accused the company of making this decision at the highest levels and then trying to cover it up. But Martin pointed out, "The weird thing is, it was software developers who wrote that code. It was us. Some programmers wrote cheating code. Do you think they knew? I think they probably knew."
------------------------------

Date: Sat, 19 Nov 2016 08:48:47 -1000
From: Geoff.Goodfellow () iconia com
Subject: Nobody has real friends anymore

http://nypost.com/2016/11/17/social-media-is-making-you-a-bad-friend/

------------------------------

Date: Thu, 17 Nov 2016 19:52:57 -0500
From: Monty Solomon <monty () roscom com>
Subject: 8 million GitHub profiles were leaked from GeekedIn's MongoDB - here's how to see yours

https://www.troyhunt.com/8-million-github-profiles-were-leaked-from-geekedins-mongodb-heres-how-to-see-yours/

------------------------------

Date: Thu, 17 Nov 2016 08:12:48 +0800
From: Dan Jacobson <jidanni () jidanni org>
Subject: Zuckerberg dies temporarily due to glitch

https://www.theguardian.com/technology/2016/nov/11/facebook-profile-glitch-deaths-mark-zuckerberg

By the way, here are his https://www.facebook.com/4/groups , and here are some more, https://www.facebook.com/search/4/groups (view on desktop computer).

------------------------------

Date: Thu, 17 Nov 2016 20:01:32 -0500
From: Monty Solomon <monty () roscom com>
Subject: Vigilante who aided Steubenville football website hack to plead guilty

http://arstechnica.com/tech-policy/2016/11/kyanonymous-to-plead-guilty-to-2-of-4-federal-counts-in-hacking-case/

------------------------------

Date: Thu, 17 Nov 2016 19:58:15 -0500
From: Monty Solomon <monty () roscom com>
Subject: In two weeks, it will be easier for Uncle Sam to search your computer

http://arstechnica.com/tech-policy/2016/11/judges-getting-new-powers-to-expand-electronic-surveillance-state/

------------------------------

Date: Sat, 19 Nov 2016 01:13:00 +0100
From: Werner U <werneru () gmail com>
Subject: IMSI Catcher Report Calls for Transparency, Proportionality, and Minimization Policies (CitizenLab)

https://citizenlab.org/2016/09/imsi-catcher-report-calls-transparency-proportionality-minimization-policies/

Christopher Parsons, 13 Sep 2016 <https://citizenlab.org/category/author/christopher-parsons/>
Tamir Israel <https://cippic.ca/about-us#staff>

The Citizen Lab and CIPPIC are releasing a report, *Gone Opaque? An Analysis of Hypothetical IMSI Catcher Overuse in Canada*, which examines the use of devices that are commonly referred to as cell site simulators, IMSI Catchers, Digital Analyzers, or Mobile Device Identifiers, and under brand names such as Stingray, DRTBOX, and Hailstorm.

IMSI Catchers are a class of surveillance devices used by Canadian state agencies. They enable state agencies to intercept communications from mobile devices and are principally used to identify otherwise anonymous individuals associated with a mobile device and track them. Though these devices are not new, the ubiquity of contemporary mobile devices, coupled with the decreasing costs of IMSI Catchers themselves, has led to an increase in the frequency and scope of these devices' use. Their intrusive nature, combined with surreptitious and uncontrolled uses, poses an insidious threat to privacy.

This report investigates the surveillance capabilities of IMSI Catchers, efforts by states to prevent information relating to IMSI Catchers from entering the public record, and the legal and policy frameworks that govern the use of these devices. The report principally focuses on Canadian agencies but, to do so, draws comparative examples from other jurisdictions. The report concludes with a series of recommended transparency and control mechanisms that are designed to properly contain the use of the devices and temper their more intrusive features.

The report is structured across four sections:

- Section One provides an overview of the technical capabilities of IMSI Catchers.
- Section Two focuses on civil society and journalists' efforts to render transparent how IMSI Catchers are used.
- Section Three examines the regulation of IMSI Catchers and avenues towards lawful regulation of their use.
- Section Four sets out best practices that should be incorporated into a framework governing IMSI Catcher use.

https://citizenlab.org/wp-content/uploads/2016/09/20160818-Report-Gone_Opaque.pdf
https://citizenlab.org/wp-content/uploads/2016/09/Rapport-Aller_Opaque-Somm_Exec-FR.pdf

------------------------------

Date: Thu, 17 Nov 2016 20:51:50 -0500
From: Monty Solomon <monty () roscom com>
Subject: Chinese company installed secret backdoor on hundreds of thousands of phones

http://arstechnica.com/security/2016/11/chinese-company-installed-secret-backdoor-on-hundreds-of-thousands-of-phones/

------------------------------

Date: Sat, 19 Nov 2016 15:19:15 +0100
From: Werner U <werneru () gmail com>
Subject: The Cyber-War on the Tibetan Community - a case study (CyberLab)

(CyberLab, 17 Nov 2016)

  [Remember when the Chinese began to 'show up' offline and online looking for education and cooperation in security matters?!? I considered them 'up-to-no-good' then... and do still today. It's now nearly 20 years since I found the computers of Tibetan refugees infected with malware that made calls to Asian service numbers, which AT&T insisted on billing them for ($$$ hundreds monthly), rather than reversing the scam-charges as they should and could have...]

It's Parliamentary: KeyBoy and the targeting of the Tibetan Community
17 Nov 2016
<https://citizenlab.org/tag/china/>, <https://citizenlab.org/tag/malware/>, <https://citizenlab.org/tag/targeted-threats/>, <https://citizenlab.org/tag/tibet/>
Adam Hulcoop, Etienne Maynier, John Scott Railton, Masashi Crete-Nishihata, Matt Brooks
<https://citizenlab.org/category/research-news/reports-briefings/>, News <https://citizenlab.org/category/research-news/>

Key Findings

- In this report we track a malware operation targeting members of the Tibetan Parliament over August and October 2016.
- The operation uses known and patched exploits to deliver a custom backdoor known as KeyBoy.
- We analyze multiple versions of KeyBoy, revealing a development cycle focused on avoiding basic antivirus detection.
- This operation is another example of a threat actor using *just enough* technical sophistication to exploit a target.

------------------------------

Date: Fri, 18 Nov 2016 19:33:07 +0100
From: Werner U <werneru () gmail com>
Subject: NSO Group's iPhone Zero Days used against a UAE Human Rights Defender (Bill Marczak and John Scott-Railton)

Bill Marczak and John Scott-Railton (Senior Researchers at The Citizen Lab, University of Toronto, with the assistance of the research team at Lookout Security.)
https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/

This report describes how a government targeted an internationally recognized human rights defender, Ahmed Mansoor, with the Trident, a chain of zero-day exploits designed to infect his iPhone with sophisticated commercial spyware.

*Updated (Sept 1, 2016)*: Today Apple released security updates <https://support.apple.com/en-us/HT201222> for Desktop Safari and Mac OS X. These updates patch the Trident vulnerabilities that were identified in this report for desktop users. The Trident vulnerabilities used by NSO could have been weaponized against users of non-iOS devices, including OSX.

------------------------------

Date: Wed, 16 Nov 2016 15:36:13 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Office Depot insider speaks out about unnecessary computer fixes (JesseJones)

via NNSquad

Office Depot is selling fixes for computer problems that don't exist and pushing customers to purchase costly repairs, a KIRO 7 investigation found. Now, after watching Jesse's investigation, the company is pledging to take appropriate action.
http://jessejones.com/story/office-depot-insider-speaks-out/

------------------------------

Date: Wed, 16 Nov 2016 17:54:48 -0700
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Kryptowire discovers mobile phone firmware that transmitted PII

15 Nov 2016
Kryptowire discovers mobile phone firmware that transmitted personally identifiable information (PII) without user consent or disclosure
http://www.kryptowire.com/adups_security_analysis.html

Kryptowire has identified several models of Android mobile devices that contained firmware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers without disclosure or the users' consent. These devices were available through major US-based online retailers (Amazon, BestBuy, for example) and included popular smartphones such as the BLU R1 HD.

These devices actively transmitted user and device information including the full body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices.

The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users' consent and, in some versions of the software, the transmission of fine-grained device location information.
The core of the monitoring activities took place using a commercial Firmware Over The Air (FOTA) update software system that was shipped with the Android devices we tested and was managed by a company named Shanghai Adups Technology Co. Ltd.

------------------------------

Date: Thu, 17 Nov 2016 19:44:02 +0100
From: Toby Douglass <toby_public () winterflaw net>
Subject: Risks to toilets in computing systems

Thin supply chains are efficient but potentially fragile, as they in their efficiency lack redundancy or immediately available spare capacity.

In Berlin, there is found a chain of large, low-cost gyms by the name of McFit. This gym chain owns a subsidiary brand, High5, composed of smaller, more highly branded gyms. The gyms are largely automatic, with minimal staff counts - typically one staff member, two at busy times, with perhaps two hundred people in the gym. Access to the gym, the lockers and even the vending machines is by key-card.

McFit offers a minimum membership of one year. High5 offers a monthly subscription, and with an option to be able to attend McFit gyms. As such, it is not uncommon for people to join High5 and then attend only a McFit gym. This leads to the question of the integration of the computer systems at these two chains, such that the High5 card can function at the McFit gyms.

For the last three weeks, the High5 cards have not functioned in McFit gyms, either to access the gym, or to open and close lockers. The High5 web-site itself no longer allows users to log into their accounts; clicking on the "login" button leads - without explanation, and so confusingly - to the "join now" page. In theory it is possible to log in *at* the High5 gyms, but it turns out that if the account in question lacks a photo, attempting to log in silently disables the account, and so it is then no longer possible to log in even at the gym. (I have been looking to do so to change the IBAN used to pay for my account.)
When a High5 member now attends a McFit gym, they must wait for assistance, which typically takes five to ten minutes. The gym has a small supply of unallocated McFit access cards to allow for locker use in such cases. It has become increasingly common for High5 members to take such a card but not return it, and then on their next visit, simply to edge past the access turnstile (there is room to do so), so that they need not suffer the onerous wait for assistance. As such, the supply of locker cards is running low.

Where the demands upon staff time have now significantly risen, routine maintenance - emptying bins, cleaning the toilets, etc - has suffered. During peak times, the bins begin to overflow and the toilets and urinals, not the least fragrant even in the best of times, stink.

(As an aside, as far as I am aware, there has been no communication from High5 or McFit to their customers regarding these matters; the web-site is silent in these matters and there has been no email.)

When conducting failure analysis, the correct approach is to follow the chain of failure as far as possible, to find the *earliest* point at which corrective action could have been taken. With this in mind, I must first note that all of this would have been avoided had McFit offered the same pricing plans as High5; people would have joined McFit directly.

Beyond this, I must look past the computing problems so described, and observe that although I live in central Berlin, this McFit is the only fully equipped (weights, machines, cardio machines, etc) gym within 20 minutes walking distance of home. I would as you can imagine by now have changed gym - if I could; however, I find if I must take the metro to get to the gym, my attendance falls off dramatically. These computer problems, from my point of view, would be solved by the presence of alternative gyms - safety in variety of supply, as Churchill remarked upon the switch by the Royal Navy from coal to oil.
Given the large population here, I must think that there are unusual factors which are strongly discouraging the supply of gymnasiums. I would be interested to have some understanding of those factors, as fixing them would in effect fix these problems further down the chain of failure. My gut feeling is that this may be related to Risks to the Public from Government and Related Systems.

------------------------------

Date: Thu, 17 Nov 2016 11:32:45 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Testimony last week for a U.S. House Committee on IoT Security

* Kevin Fu, Infrastructure Disruption: Internet of Things Security, Testimony before the U.S. House of Representatives Committee on Energy and Commerce, Subcommittee on Communications and Technology and Subcommittee on Commerce, Manufacturing, and Trade, November 16, 2016.
https://energycommerce.house.gov/hearings-and-votes/hearings/understanding-role-connected-devices-recent-cyber-attacks

* Bruce Schneier, Testimony before the U.S. House of Representatives Committee on Energy and Commerce, Subcommittee on Communications and Technology and Subcommittee on Commerce, Manufacturing, and Trade, November 16, 2016.
https://energycommerce.house.gov/hearings-and-votes/hearings/understanding-role-connected-devices-recent-cyber-attacks

------------------------------

Date: Thu, 17 Nov 2016 13:16:21 -0700
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Hackers Claim Theft of Data from Gorilla Glue (Motherboard)

https://motherboard.vice.com/read/hackers-claim-theft-of-data-from-gorilla-glue
Motherboard, 17 Nov 2016

Hackers say they have stolen a wealth of company and personal information from US adhesive, glue, and tape company Gorilla Glue. The hackers have previously tried to extort medical organizations by demanding a sizable ransom payment in exchange for not releasing hacked data publicly.
"We have everything they ever created," someone from the hacking group The Dark Overlord told Motherboard in an online chat. The hackers claim to have over 500GB of research and development materials, including intellectual property and product designs, and access to Dropbox and personal email accounts related to the family-run Gorilla Glue.

------------------------------

Date: Wed, 16 Nov 2016 21:47:42 -0500
From: Monty Solomon <monty () roscom com>
Subject: Biggest Spike in Traffic Deaths in 50 Years? Blame Apps

Highway deaths have surged in the last two years, and experts put much of the blame on in-car use of smartphones and dashboard apps.
http://www.nytimes.com/2016/11/16/business/tech-distractions-blamed-for-rise-in-traffic-fatalities.html

------------------------------

Date: Thu, 17 Nov 2016 12:49:50 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: iPhones Secretly Send Call History to Apple, Security Firm Says (Kim Zetter)

https://theintercept.com/2016/11/17/iphones-secretly-send-call-history-to-apple-security-firm-says/

------------------------------

Date: Fri, 18 Nov 2016 16:21:56 +0100
From: Werner U <werneru () gmail com>
Subject: Re: iPhone 'Touch Disease' (RISKS-29.92)

Apple denies responsibility (Bryan Clark in The Next Web)

Bryan Clark, The Next Web, 18 Nov 2016
Apple finally acknowledges iPhone 'Touch Disease' problem ...by denying responsibility
http://thenextweb.com/apple/2016/11/18/apple-finally-acknowledges-iphone-touch-disease-problem-by-denying-responsibility/

Also:
TechCrunch, 17 Nov 2016
Apple addresses Touch Disease with reduced cost repair for iPhone 6 Plus
https://techcrunch.com/2016/11/17/apple-addresses-touch-disease-with-reduced-cost-repair-for-iphone-6-plus/

------------------------------

Date: Wed, 17 Aug 2016 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest.
Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
   *** This attention-string has never changed, but might if spammers use it.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
   *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
   Also, ftp://ftp.sri.com/risks for the current volume or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
   *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 29.93
************************