RISKS Forum mailing list archives
Risks Digest 30.11
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 28 Jan 2017 8:22:33 PST
RISKS-LIST: Risks-Forum Digest  Saturday 28 January 2017  Volume 30 : Issue 11

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.11>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
"The missile may have veered ... towards the United States" (AFP via danny burstein)
Clip from Schlosser's Command and Control (Ken Knowlton)
Russians Charged With Treason Worked in Office Linked to Election Hacking (The NYTimes)
United Airlines resumes flights after temporary ground order (CNN via Monty Solomon)
Galaxy Note 7 investigation concludes, pair of issues will cost Samsung $5 billion (geoff goodfellow)
Galaxy Note 7 Fires Caused by Battery and Design Flaws, Samsung Says (The NYTimes)
Verizon remotely disables remaining Galaxy Note 7 phones (Kelly Bert Manning)
"HP recalls over 100,000 more laptop batteries for fire hazard" (Agam Shah)
"Cisco scrambling to fix a remote code execution problem in Webex" (Tim Greene)
TOR servers misused for spam (Gerrit Muller)
"OpenSSL issues new patches as Heartbleed still lurks" (Fahmida Y. Rashid)
White House kills their comment phone line, but a new one appears (Lauren Weinstein)
Facebook is changing its Trending section to fight the spread of fake news (Lauren Weinstein)
Massive networks of fake accounts found on Twitter (BBC)
U.S. Park Service tweets were result of old Twitter passwords (Martyn Williams)
Fake news costing advertisers reputation, ad dollars (enterpriseinnovation)
Report fake news at alt-facts.net (alt-facts)
Finding credibility clues on Twitter (Science Daily)
The real reason why Trump using an old Android phone should freak you out (BGR)
Donald Trump is using a private gmail account to secure the most powerful Twitter account in the world (Sam Biddle)
Republican voter fraud? (PGN)
Cellphone dependency (Neil Youngman)
Re: CIA unveils new rules for collecting information on Americans (Mark F)
Re: Nim Language Draws From Best of Python, Rust, Go, and Lisp (Amos Shapir)
Re: Leap-seconds (John Levine)
Re: Japan testing USB phone charging in public buses (Andrew Duane)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 22 Jan 2017 19:49:07 -0500 (EST)
From: danny burstein <dannyb () panix com>
Subject: "The missile may have veered ... towards the United States"

[AFP via Yahoo!]
UK govt accused of covering up failed Trident nuclear missile test

London (AFP) - The British government was accused on Sunday of covering up a failed test of its nuclear weapons deterrent last year, just weeks before lawmakers voted to renew the system. [...]

*The Sunday Times* newspaper, citing a senior naval source, claimed that the Trident II D5 missile failed after being launched from a British submarine off the coast of Florida in June. The cause of the failure is top secret but the source suggested the missile may have veered off in the wrong direction towards the United States.

https://www.yahoo.com/news/uk-govt-accused-covering-failed-trident-nuclear-missile-113729062.html

  [Nothing in the story about what stopped the missile from reaching the US or, for that matter, how far it flew.]

------------------------------

Date: Wed, 25 Jan 2017 21:43:23 -0500
From: Ken Knowlton <kcknowlton () aol com>
Subject: Clip from Schlosser's Command and Control

Excerpt from Eric Schlosser's "Command and Control," Penguin, 2013, p. 475

All of these military computer networks are far more technologically advanced than the gold telephone that used to connect General LeMay to the White House. But sometimes they experience a glitch. In October 2010 a computer failure at F. E. Warren Air Force Base knocked fifty Minuteman III missiles offline. For almost an hour, launch crews could not communicate with their missiles. One third of the Minuteman IIIs at the base had been rendered inoperable. The Air Force denied that the system had been hacked and later found the cause of the problem: a circuit card was improperly installed in one of the computers during routine maintenance. But the hacking of America's nuclear command-and-control system remains a serious threat. In January 2013, a report by the Defense Science Board warned that the system's vulnerability to a large-scale cyber attack had never been fully assessed. Testifying before Congress, the head of the U.S. Strategic Command, General C. Robert Kehler, expressed confidence that no "significant vulnerability" existed. Nevertheless, he said that an "end-to-end comprehensive review" still needed to be done, that "we don't know what we don't know," and that the age of the command-and-control system might inadvertently offer some protection against the latest hacking techniques. Asked whether Russia and China had the ability to prevent a cyberattack from launching one of their nuclear missiles, Kehler replied, "Senator, I don't know."

------------------------------

Date: Sat, 28 Jan 2017 7:22:01 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Russians Charged With Treason Worked in Office Linked to Election Hacking (The NYTimes)

Scott Shane, David E. Sanger and Andrew E. Kramer, *The New York Times*, 27 Jan 2017
http://www.nytimes.com/2017/01/27/world/europe/russia-hacking-us-election.html?smprod=nytcore-iphone&smid=nytcore-iphone-share

Two Russian intelligence officers who worked on cyberoperations and a Russian computer security expert have been arrested and charged with treason for providing information to the United States, according to multiple Russian news reports.

As in most espionage cases, the details made public so far are incomplete, and some rumors in Moscow suggest that those arrested may be scapegoats in an internal power struggle over the hacking. Russian media reports link the charges to the disclosure of the Russian role in attacking state election boards, including the scanning of voter rolls in Arizona and Illinois, and do not mention the parallel attacks on the D.N.C. and the email of John Podesta, Mrs. Clinton's campaign chairman.

But one current and one former United States official, speaking about the classified recruitments on condition of anonymity, confirmed that human sources in Russia did play a crucial role in proving who was responsible for the hacking. [...]

------------------------------

Date: Mon, 23 Jan 2017 04:07:48 -0500
From: Monty Solomon <monty () roscom com>
Subject: United Airlines resumes flights after temporary ground order

http://www.cnn.com/2017/01/22/travel/united-grounds-domestic-flights-because-of-it-issue/index.html

  [An outage for 3-plus hours attributed to "IT problems".]
------------------------------

Date: Mon, 23 Jan 2017 10:26:57 -1000
From: the keyboard of geoff goodfellow <geoff () iconia com>
Subject: Galaxy Note 7 investigation concludes, pair of issues will cost Samsung $5 billion

Samsung has concluded its investigation involving the 2016 Galaxy Note 7 fires, and has determined that two different flaws resulted in the conflagrations in the failing devices, with one creeping in after a too-quick investigation:

http://appleinsider.com/articles/17/01/22/galaxy-note-7-investigation-concludes-pair-of-issues-will-cost-samsung-5-billion

------------------------------

Date: Mon, 23 Jan 2017 10:08:48 -0500
From: Monty Solomon <monty () roscom com>
Subject: Galaxy Note 7 Fires Caused by Battery and Design Flaws, Samsung Says

https://www.nytimes.com/2017/01/22/business/samsung-galaxy-note-7-battery-fires-report.html

See also
http://arstechnica.com/gadgets/2017/01/galaxy-note-7-investigation-blames-small-battery-cases-poor-welding/

------------------------------

Date: Thu, 26 Jan 2017 13:17:16 -0500 (EST)
From: Kelly Bert Manning <Kelly.Manning () ncf ca>
Subject: Verizon remotely disables remaining Galaxy Note 7 phones

How much true value is there in an expensive product that becomes useless when the original battery needs replacement or is found to be unsafe to use?

Normally having a battery is a good thing even if you run on utility power most of the time. I've used employer-supplied laptops with dialup VPN connections to carry on work during power outages. I also bought a personal-use XP laptop with a dead battery, but it still runs with Tails OS, connected to a wall plug, when I travel or have to use a wireless or untrustworthy wired connection during local conferences.

The Phoebus Cartel might be considered a historical anomaly, but for the auto industry Planned Obsolescence was a high-priority corporate goal long before Apple began persuading people to purchase and discard electronic gimcracks every year or two.

Now we see firmware becoming an integral part of expensive consumer purchases for big-ticket Internet-connected things such as cars, clothes washers and refrigerators. The VW emissions firmware scandal shows that we should not trust corporations. The right of consumers and consumer protective organizations to analyze firmware and to block unwanted updates should be given legal protection, not restricted. If it isn't, we will never know whether our car or clothes washer stopped working because it was worn out, or because the maker told it to stop working.

------------------------------

Date: Thu, 26 Jan 2017 09:07:39 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "HP recalls over 100,000 more laptop batteries for fire hazard" (Agam Shah)

Agam Shah, InfoWorld, 24 Jan 2017
The move expands a recall that was first announced last year
http://www.infoworld.com/article/3161135/computers/hp-recalls-over-100000-more-laptop-batteries-for-fire-hazard.html

opening text:

HP is expanding its recall of laptop batteries with overheating issues that can cause computer damage and even fire. The company is recalling an additional 101,000 batteries in some laptops sold between March 2013 and October 2016. This is an expansion of the recall initiated in June 2016, which involved HP recalling 41,000 batteries.

The batteries are in laptop brands including HP, Compaq, ProBook, Envy, Compaq Presario, and Pavilion laptops. Battery packs sold separately are also affected.
------------------------------

Date: Thu, 26 Jan 2017 09:11:44 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Cisco scrambling to fix a remote code execution problem in Webex" (Tim Greene)

Tim Greene, Network World, 25 Jan 2017
http://www.infoworld.com/article/3161515/security/cisco-scrambling-to-fix-a-remote-code-execution-problem-in-webex.html
There's no workaround and no final patch for a critical bug that can open up users' computers to remote code execution attacks

opening text:

Cisco's Webex Browser Extension contains a critical bug that can open up customers' entire computers to remote code execution attacks if the browsers visit websites containing specially crafted malicious code.

The company says it is in the process of correcting the problem, and has apparently made a few initial steps toward a permanent fix. It says there is no workaround available.

------------------------------

Date: Tue, 24 Jan 2017 16:31:30 +0100
From: Gerrit Muller <gerrit.muller () gmail com>
Subject: TOR servers misused for spam

I am running a simple website with a number of CGI-based forms for client input or feedback. In these years, I have been blocking spammers using .htaccess, denying access to IP addresses that spam.

Since about one month, the amount of spam via this website has increased an order of magnitude, if not more. A significant increase of spam messages come from Ukraine, Kazakhstan, Russia, and other (former) Soviet or East European countries. However, I also see an increase of sites where you wouldn't expect such bad behavior, such as Microsoft and MIT. The response of the abuse departments is that they cannot block them, since these are TOR-based servers. The answer from MIT is copied below:

----start response---

Hello. Thank you for the report.

The IP address in question is a Tor exit node.
https://www.torproject.org/overview.html

There is little we can do to trace this matter further. As can be seen from the overview page, the Tor network is designed to make tracing of users impossible. The Tor network is run by some 5000 volunteers who use the free software provided by the Tor Project to run Tor routers. Client connections are routed through multiple relays, and are multiplexed together on the connections between relays. The system does not record logs of client connections or previous hops.

The Tor project does provide an automated DNSRBL for you to query to flag requests from Tor nodes as requiring special treatment:
https://www.torproject.org/tordnsel/

Regards,
Security Operations, Massachusetts Institute of Technology
IS&T | Operations & Infrastructure | Security Operations, security () mit edu
http://ist.mit.edu/secure

---end response---

The risk is that TOR servers, with their good intent to help protect anonymity, will pollute regular Internet traffic.

Gerrit Muller, professor systems engineering, USN-NISE, Kongsberg, Norway

------------------------------

Date: Fri, 27 Jan 2017 15:39:19 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "OpenSSL issues new patches as Heartbleed still lurks" (Fahmida Y. Rashid)

Fahmida Y. Rashid, InfoWorld, 27 Jan 2017
OpenSSL issues new patches as Heartbleed still lurks
The latest OpenSSL update may only address moderate-severity vulnerabilities, but admins shouldn't get lax about staying current with the patches
http://www.infoworld.com/article/3162426/security/openssl-issues-new-patches-as-heartbleed-still-lurks.html

selected text:

The OpenSSL Project has addressed some moderate-severity security flaws, and administrators should be particularly diligent about applying the patches since there are still 200,000 systems vulnerable to the Heartbleed flaw.

A disproportionate number of systems on this list were servers hosted on Amazon Web Services. That may have more to do with the fact that it's easy for anyone to spin up new AWS instances, than with an actual issue in AWS. With IT security out of the loop, there's no one enforcing security controls on what types of software to install when setting up the server, which means there's nothing stopping the server owner from adding the vulnerable version of OpenSSL to the stack. Some of the virtual servers may be abandoned and forgotten, and since they were created outside of the IT process, no one knows to look for them to check the OpenSSL version.

"If there are servers that are vulnerable, then it's because people aren't aware they have them," said Mike Pittenger, vice president of strategy for Black Duck Software.

------------------------------

Date: Fri, 27 Jan 2017 17:10:14 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: White House kills their comment phone line, but a new one appears

via NNSquad

It appears that the new administration has killed the traditional White House public phone number for citizen comments at (202) 456-1111 -- now it just tells you to hang up and use Facebook instead. But a new comment line has appeared at a New York City number, which seems somehow appropriate: (347) 781-4664.

------------------------------

Date: Wed, 25 Jan 2017 13:00:51 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Facebook is changing its Trending section to fight the spread of fake news

  [Note: The term "fake news" (originally used to refer to what is now sometimes called "alternative news") has also been pre-empted, and used to misrepresent "real news" by those to whom it is unpleasant. PGN]

NNSquad

Facebook is changing its Trending section to fight the spread of fake news
https://www.recode.net/2017/1/25/14376734/facebook-trending-topics-update-fake-news

Facebook is updating Trending, the section of the service that highlights popular topics being discussed on Facebook, to better prevent fake news stories from appearing there. As part of the update, Facebook says it's going to stop pulling in trending topics that surface based off a single news report. Instead, it'll feature topics that have been covered by a number of media outlets, an attempt to avoid one-off fake news stories that get lots of people talking but haven't been vetted by other media organizations.

"We think it'll help [minimize] cases where maybe one specific story goes viral even if there might not be something real going on in the world about that story," said Will Cathcart, a VP of product management at Facebook.

Facebook continues to be in the lead fighting fake news, while Google lags behind.

------------------------------

Date: Fri, 27 Jan 2017 08:28:35 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Massive networks of fake accounts found on Twitter (BBC)

Via NNSquad
http://www.bbc.com/news/technology-38724082

The largest network ties together more than 350,000 accounts and further work suggests others may be even bigger. UK researchers accidentally uncovered the lurking networks while probing Twitter to see how people use it. Some of the accounts have been used to fake follower numbers, send spam and boost interest in trending topics.

------------------------------

Date: Wed, 25 Jan 2017 16:13:32 -0700
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: U.S. Park Service tweets were result of old Twitter passwords (Martyn Williams)

Martyn Williams, PC World, 25 Jan 2017
http://www.pcworld.com/article/3161718/government/us-park-service-tweets-were-result-of-old-twitter-passwords.html

Two instances of tweets from U.S. National Park Service accounts that became political hot potatoes in the last few days were the result of bad password management, according to officials.

"An unauthorized user had an old password in the San Francisco office and went in and started retweeting things that were in violation of their policy," [Sean Spicer] said of Saturday's incident.
------------------------------

Date: Fri, 27 Jan 2017 17:30:27 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Fake news costing advertisers reputation, ad dollars

via NNSquad

Fake news costing advertisers reputation, ad dollars
http://www.enterpriseinnovation.net/article/fake-news-costing-advertisers-reputation-ad-dollars-2009959187

Fake news is news today. Since the US presidential [election] began in the US last year, fake news took center stage. However, a new report from Forrester titled "Fake News: More Proof That Advertisers Must Choose Quality Over Quantity" noted that the real targets are advertisers and their purse strings -- not the readers. It is also creating a massive headache as ads are running into danger of being placed alongside news that can hurt brand reputations and even derail well-thought-out ad campaigns.

------------------------------

Date: Sun, 22 Jan 2017 16:22:12 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Report fake news at alt-facts.net

NNSquad

In honor of the new "alternative facts" White House, you can now report fake news at:
https://alt-facts.net

------------------------------

Date: Fri, 27 Jan 2017 12:14:29 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Finding credibility clues on Twitter

NNSquad
https://www.sciencedaily.com/releases/2017/01/170127131306.htm

By scanning 66 million tweets linked to nearly 1,400 real-world events, researchers have built a language model that identifies words and phrases that lead to strong or weak perceived levels of credibility on Twitter. Their findings suggest that the words of millions of people on social media have considerable information about an event's credibility -- even when an event is still ongoing.
------------------------------

Date: 26 Jan 2017 22:23:29 -0500
From: "Bob Frankston" <Bob19-0501 () bobf frankston com>
Subject: The real reason why Trump using an old Android phone should freak you out (BGR)

http://bgr.com/2017/01/26/donald-trumps-android-phone-security/

------------------------------

Date: Thu, 26 Jan 2017 13:43:29 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Donald Trump is using a private gmail account to secure the most powerful Twitter account in the world (Sam Biddle)

January 26 2017, 12:54 p.m.
https://goo.gl/MYseKG

Trump's account is an obviously juicy target for such an attack, representing what BuzzFeed's Joe Bernstein described as ``a national security disaster waiting to happen.'' An unauthorized declaration of, say, imminent hostilities or economic sanctions coming from the president's official account could destabilize the entire world.

  [The rest is fairly scary. PGN]

------------------------------

Date: Thu, 26 Jan 2017 16:44:12 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Voter fraud?

Steve Doocy (Fox News Co-host of Fox & Friends) apparently voted twice in the Republican primaries.
https://twitter.com/tbonier/status/824702199678787584

------------------------------

Date: Mon, 23 Jan 2017 13:41:57 +0000
From: Neil Youngman <neil.youngman () googlemail com>
Subject: Cellphone dependency

The first article in RISKS-30.09 was about a Tesla driver being stranded because he was out of cellphone coverage. It was immediately followed by Nissan's "solution" for situations that are too complex for self-driving cars, which relies on their being able to contact a call centre.

We seem to be at risk of making our cars cellphone dependent. Regular readers of RISKS will be aware of the limitations of cell phone technology, not just in terms of coverage, but also in their vulnerability to overloading and power loss, particularly in crisis scenarios.
------------------------------

Date: Mon, 23 Jan 2017 08:19:53 -0500
From: Mark F <mark49607 () gmail com>
Subject: Re: CIA unveils new rules for collecting information on Americans (RISKS-30.10)

I think this link should be included:

"Central Intelligence Agency Intelligence Activities: Procedures Approved by the Attorney General Pursuant to Executive Order 12333"
https://www.cia.gov/about-cia/privacy-and-civil-liberties/CIA-AG-Guidelines-Signed.pdf

------------------------------

Date: Mon, 23 Jan 2017 11:45:50 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Nim Language Draws From Best of Python, Rust, Go, and Lisp (RISKS-30.10)

While ease of development may be in the eye of the developer, I certainly wouldn't commend for readability a language in which a blank in the wrong place might completely change the meaning of a routine!

------------------------------

Date: 23 Jan 2017 02:17:58 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: Leap-seconds (Frankston, RISKS-30.09)

  It's so weird to me that people **** all over leap seconds, but are fine with leap years and arbitrary timezone changes.

They're not at all the same. Leap years are perfectly regular and predictable, and timezones only affect the presentation of time, not the calculations. The problem with leap seconds is that they do affect the calculations, and they're irregular and unpredictable.

------------------------------

Date: Mon, 23 Jan 2017 09:09:36 -0500
From: Andrew Duane <e91.waggin () gmail com>
Subject: Re: Japan testing USB phone charging in public buses (Baker, RISKS-30.10)

  What could possibly go wrong? It is well known that the NSA -- as well as other nation-state actors -- place malicious USB chargers in public places that can infect computers and phones that are attached.

As someone who travels a lot for business, sometimes to relatively unknown places for me, this is exactly why I carry such a "condom". It's simply a couple of clearly marked USB cables that don't have any data lines in them. They are power-only. Now I don't have to care what USB port I plug in to, whether it's a public charging station or a friendly stranger's laptop.

OK, the problem of a high-voltage USB killer isn't solved by this, but that's not my threat model (yet).
http://www.theregister.co.uk/2015/10/14/sneaky_220v_usb_fries_laptops/

------------------------------

Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
   Also, ftp://ftp.sri.com/risks for the current volume
   or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
   If none of those work for you, the most recent issue is always at
   http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.11
************************