RISKS Forum mailing list archives
Risks Digest 30.79
From: RISKS List Owner <risko () csl sri com>
Date: Wed, 8 Aug 2018 14:02:24 PDT
RISKS-LIST: Risks-Forum Digest  Wednesday 8 August 2018  Volume 30 : Issue 79

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.79>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
The Midterm Elections Are in Serious Danger of Being Hacked, Thanks to Trump
  (Mother Jones)
West Virginia to introduce mobile phone voting for midterm elections
  (Money.CNN)
Election screw-up (McClatchy)
Traceability (Vint Cerf)
Putin is afraid of one thing ... (Michael Morell)
FBI charges 3 Ukrainians with hacking U.S. chains, stealing customers'
  credit card data. (WashPo)
Old credit-bureau breaches (The New York Times)
Tech Company Sees Autonomous GA Aircraft (Russ Niles)
2 Blasts, a Stampede and a 'Flying Thing': Witnesses Tell of Attack on Maduro
  (NYTimes)
An Alaskan borough turns to typewriters and handwriting after its computers
  were hacked (WashPo)
HP Inkjet Printers Remote CodeEx (HP)
"German police hacking hit by volley of complaints: Can 'state trojan' law
  survive?" (ZDnet)
Disney's 'Christopher Robin' Won't Get China Release Amid Pooh Crackdown
  (Hollywood Reporter)
South Korea longs for a train to Europe but U.S. sanctions on North Korea
  block the way (WashPo)
Magical thinking about machine learning won't bring the reality of AI any
  closer (The Guardian)
Keeping Zuckerberg Safe Now Costs an Extra $10 Million a Year (Bloomberg)
Your Company Needs a Digital Ombudsman. Pronto. (Medium)
To Fight Fake News, SETI Researchers Update Alien-Detection Scale (SciAm)
An Alaskan borough turns to typewriters and handwriting after its computers
  were hacked. (WashPo)
UK F-35 secrets said leaked after Tinder account hacked (The Times of Israel)
"New Wi-Fi attack cracks WPA2 passwords with ease" (Charlie Osborne)
How a bunch of lava lamps protect us from hackers (WiReD)
The Information on School Websites Is Not as Safe as You Think (NYTimes)
Rich Irony from an "Unwitting" Liar (Henry Baker)
Socially engineering a whale ... (Rob Slade)
Re: The Ordinary License Plate's Days May Be Numbered (Wol)
Re: Employees as subjects in clinical trials (Robert R. Fenichel)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 3 Aug 2018 18:56:20 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: The Midterm Elections Are in Serious Danger of Being Hacked, Thanks
  to Trump (Mother Jones)

*As President Barack Obama* prepared to leave office, his administration had
no doubt that Russia had mounted a devastating disinformation campaign and
hacked our electoral systems -- and would likely do it again. But
President-elect Donald Trump was notably uninterested in the threat. When FBI
Director James Comey and other leaders of the intelligence community visited
Trump Tower in January 2017 to explain how the country had been attacked,
Comey recalled in his memoir, Trump's team had ``no questions about what the
future Russian threat might be.'' Instead, Comey wrote, they launched
``immediately into a strategy session -- about how they could spin what we'd
just told them.''

The meeting set the tone for the administration. After four months as
attorney general, Jeff Sessions told the Senate he had not once been briefed
on Russian election interference, even though his department oversees the
FBI, which investigates Russia's disinformation campaigns and hacks like the
one in Illinois. When John Bolton took over as national security adviser in
April, he promptly pushed out two top White House cybersecurity experts.
In May, Homeland Security Secretary Kirstjen Nielsen, whose department also
plays a leading role in election security, told reporters she wasn't aware of
US intelligence agencies having found that Russia aimed to help Trump; she
made similar remarks at a July security conference. The White House has
acknowledged just one Cabinet-level meeting on election security, and it
didn't come until May.

SOURCES:
<http://www.dni.gov/files/documents/ICA_2017_01.pdf>
<http://time.com/4817199/jeff-sessions-testimony-russia-investigation-briefing/>
<http://www.c-span.org/video/?c4742826/nielsen-question-russian-support-trump>
<http://www.huffingtonpost.com/entry/kirstjen-nielsen-homeland-security-trump-russia_us_5b50ad1ce4b0fd5c73c30dfa>
<http://www.whitehouse.gov/briefings-statements/readout-president-donald-j-trumps-meeting-regarding-election-security/>

http://www.motherjones.com/politics/2018/07/the-midterm-elections-are-in-serious-danger-of-being-hacked-thanks-to-trump/

------------------------------

Date: Tue, 7 Aug 2018 19:43:28 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: West Virginia to introduce mobile phone voting for midterm elections
  (Money.CNN)

West Virginians serving overseas will be the first in the country to cast
federal election ballots using a smartphone app, a move designed to make
voting in November's election easier for troops living abroad.

But election integrity and computer security experts expressed alarm at the
prospect of voting by phone, and one went so far as to call it "a horrific
idea." ...

Ballots are anonymized, the company says, and recorded on a public digital
ledger called blockchain. Although that technology is most often associated
with Bitcoin and other cryptocurrencies, it can be used to record all manner
of data.

http://money.cnn.com/2018/08/06/technology/mobile-voting-west-virginia-voatz/index.html

Oh, it's blockchain-based. OK, then.

  [See http://xkcd.com ... PGN]

------------------------------

Date: Wed, 8 Aug 2018 5:16:09 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Election screw-up (McClatchy)

http://www.mcclatchydc.com/news/politics-government/article216056560.html

"670 ballots in a precinct with 276 voters, and other tales from Georgia's
primary"

------------------------------

Date: Sun, 5 Aug 2018 16:53:53 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Traceability (Vint Cerf)

NNSquad

http://cacm.acm.org/magazines/2018/8/229771-traceability/fulltext

  "This suggests to me that the notion of traceability under
  (internationally?) agreed circumstances (that is, differential
  traceability) might be a fruitful concept to explore. In most societies
  today, it is accepted that we must be identifiable to appropriate
  authorities under certain conditions (consider border crossings, traffic
  violation stops as examples). While there are conditions under which
  apparent anonymity is desirable and even justifiable (whistle-blowing, for
  example) absolute anonymity is actually quite difficult to achieve
  (another point made at the Ditchley workshop) and might not be absolutely
  desirable given the misbehaviors apparent anonymity invites. I expect this
  is a controversial conclusion and I look forward to subsequent
  discussion."  Vint Cerf

While I have frequently called for greater accountability in key aspects of
Internet operations (in particular, public access to WHOIS domain data except
in limited circumstances), I fear that in the general case Vint's
Traceability proposal would mostly gladden the hearts of bad governmental
players in countries such as China, Russia, and even here in the USA. It
basically amounts to an escrowed identity system, a concept that has been
widely and appropriately criticized in the encryption arena.
Given that a significant degree of anonymity is crucial for human rights
advocates and others who live in areas of the world that are routinely under
government oppression, I do not see obvious ways that Vint's proposal could
be implemented without innocent parties being even more at the mercy of
oppressive governments than they are today.

------------------------------

Date: Wed, 8 Aug 2018 10:35:20 -0700
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Putin is afraid of one thing ... (Michael Morell)

Putin is afraid of one thing. Make him think it could happen.
Michael Morell, *The Washington Post*, 7 Aug 2018
http://www.washingtonpost.com/opinions/putin-is-afraid-of-one-thing-make-him-think-it-could-happen/2018/08/07/edbe08b4-998b-11e8-b60b-1c897f17e185_story.html?utm_term=.5dc2e012e179&wpisrc=nl_most&wpmm=1

Facebook revealed on 31 Jul 2018 that it had discovered a 17-month-long
influence campaign to sow political divisiveness on its network, an effort
that bore the hallmarks of the Kremlin-connected Internet Research Agency.
Two days later at the White House, the nation's top national security
officials said Russia is conducting a pervasive campaign to weaken our
democracy and influence this year's midterm elections.

Taken together, these announcements leave no doubt that Russian President
Vladimir Putin's political assault on the United States continues unabated.
The most important question the Trump administration and Congress should be
asking is: How can we make Putin stop? Finding the answer is essential
because what Washington has done so far -- some improvements in defending
against these attacks, along with a mixture of targeted sanctions against
Russia, the indictment of Russian officials and organizations as well as the
expulsion of Russian intelligence officers from the United States -- has not
worked.

Stopping Putin is vital, not just as a matter of protecting American
democracy from Russian interference but also because we must signal a
stronger deterrence to other adversaries, such as China, Iran and North
Korea. Potential aggressors must be shown they will pay a price if they
attack. With better resources than Russia for trying to undermine our
democracy, China, in particular, needs to know that the United States would
respond by imposing a heavy cost.

The U.S. answer to Russia, so far, has been ineffective because Washington
has targeted only the entities and individuals actually involved in the
Russian information operations. Since the 2016 election, the United States,
at various times, has imposed sanctions on at least 10 Russian organizations,
some more than once, and at least 23 specific individuals. The sanctions'
targeting has had little impact on the Russian economy overall, and the
political effect on Putin has been minor.

Here is what the United States needs to do. In terms of self-defense, it must
secure the nation's elections system, especially the software that holds data
on registered voters. Every vote should be tallied on a backup paper ballot
that could be used to verify election results, if necessary. New rules and
better enforcement are needed to keep foreign money out of U.S. elections.
The federal government should work with individual campaigns to fortify the
security of the technology and networks they use. Finally, better
coordination across the government is needed to protect U.S. elections, which
would probably best be achieved by creating a Hybrid Threats Center similar
to the National Counterterrorism Center.

Intelligence officials outline threats to midterm elections: FBI Director
Christopher Wray and Homeland Security Secretary Kirstjen Nielsen on 2 Aug
2018 discussed the disinformation attempts on the 2018 elections. (Reuters)

There are several bills in Congress, all with support on both sides of the
aisle, that would institute most of these changes and pay for them, but the
legislation is frozen by the partisanship this issue stirs.

As for imposing costs on those who attack the United States: Fully implement
sanctions already on the books. That is still not happening. But then move
beyond targeted sanctions to broad-based sanctions that are designed to hurt
the Russian economy -- just as the Obama administration's sanctions against
Iran were designed to do, as are the Trump administration's. Make it clear to
Putin that we would drop the sanctions when he stopped interfering in the
democratic institutions of the United States and its allies, some of which
are also under siege.

What would such sanctions look like? A Senate bill introduced on 2 Aug 2018,
again with sponsors from both parties, is a good start: Prohibit any
transaction related to Russian energy projects and bar the purchase of new
Russian sovereign debt. Washington should encourage its allies to join in
these efforts.

Putin is afraid of one thing. He is afraid that one day the Russian middle
class will finally rebel against his regime and rush into the streets
demanding change. It happened in Tunis, Cairo and other Middle Eastern and
North African cities between 2010 and 2012, and it happened most alarmingly,
from Putin's perspective, four years ago in Kiev when Ukrainians threw out a
government beholden to Moscow. Sanctions that bite at the heart of the
Russian economy -- sanctions that increase the risk that Russia's middle
class will become restive -- will get Putin's attention.

The leaders that the United States has chosen, and the security experts they
have appointed and confirmed, are aware of the threat. A failure to defend
the nation as well as possible, and failure to impose severe costs on those
attacking our democracy, would be seen by history as a major abdication of
responsibility. The statements from intelligence officials at the White House
last week were an excellent first step. More steps, and stronger ones, are
urgently needed.

Michael Morell, a career intelligence officer, served as the deputy director
of the Central Intelligence Agency from 2010 to 2013; during that period, he
served twice as acting CIA director. He is the host of the Intelligence
Matters podcast.

  [Edited for RISKS. The original has a slew of subtended URLs. PGN]

------------------------------

Date: Thu, 2 Aug 2018 01:42:00 -0400
From: Monty Solomon <monty () roscom com>
Subject: FBI charges 3 Ukrainians with hacking U.S. chains, stealing
  customers' credit card data. (WashPo)

FBI charges 3 Ukrainians with hacking U.S. chains, stealing customers'
credit card data

A group called FIN7 allegedly stole the numbers of an estimated 15 million
cards in a long-running scheme.

http://www.washingtonpost.com/world/national-security/fbi-charges-ukrainians-with-hacking-us-chains-stealing-customers-credit-card-data/2018/08/01/7b74badc-95bc-11e8-a679-b09212fb69c2_story.html

------------------------------

Date: Sun, 5 Aug 2018 17:55:32 -0400
From: José María Mateos <chema () rinzewind org>
Subject: Old credit-bureau breaches (The New York Times)

These days I have been reading "Creditworthy: A History of Consumer
Surveillance and Financial Identity in America". It is an excellent study of
how the credit bureau / data broker industry started in the United States of
America. I was amused by the inclusion of the following news item, which
could have been published yesterday:

http://www.nytimes.com/1984/06/22/business/credit-file-password-is-stolen.html

"Credit File Password Is Stolen", New York Times, June 22nd, 1984.

  A password that could permit access to the credit histories of 90 million
  people was stolen and posted on an electronic bulletin board, TRW
  Information Systems said yesterday.

  [...]
  TRW, the nation's largest credit reporting company, said its files had
  been breached by someone who stole a password from a Sears, Roebuck &
  Company store on the West Coast. The credit company said it changed the
  password immediately after being told of the breach by an informant two
  weeks ago. The password could have been illegally used for a month, at
  most, and probably a week, said Geri L. Schanz, a TRW spokesman. She said
  there was no indication that merchandise was illegally charged. A
  preliminary examination of the Sears account determined no unusual
  activity; a store is billed each time its password is used and billings
  have not been higher than normal.

  Miss Schanz added that the intruders would not have been able to change
  information on the computer files. But TRW is conducting an intensive
  investigation to find out who breached the system and how. Ernest L. Arms,
  a spokesman for Sears in Chicago, said his company was ''concerned'' about
  the TRW incident, but he would supply no further details.

  Computer experts yesterday said the breach again raises the issue of
  whether the nation's companies and consumers are adequately protected.

Yes, it definitely raised the issue.

José María (Chema) Mateos

------------------------------

Date: Mon, 6 Aug 2018 13:48:30 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Tech Company Sees Autonomous GA Aircraft (Russ Niles)

http://cdn.avweb.com/media/newspics/325/p1ck69odbj45312341mkikeb1ecv6.jpeg

Forget that shiny new octocopter, a Bay-area startup wants to make your
Cessna 172 autonomous. XWing says
<http://medium.com/xwing/hello-from-xwing-b25451771a61> "plug and play"
software that can make most light aircraft fly autonomously. Details on how
it works have not been released but the technology will revolve around
"sensing, reasoning and control," according to aviation tech website
TransportUP
<http://transportup.com/headlines-breaking-news/vehicles-manufactures/automated-flight-startup-xwing-raises-4-million-in-funding/>
It will also work on helicopters and multicopters but its designer sees its
main benefit as making GA [General Aviation] accessible to the masses.

According to XWing founder Marc Piette the key is getting rid of pilots.[*]
``Getting a license and maintaining proficiency even on a single [-engine]
aircraft type is time consuming and challenging,'' he said in a post on his
website. ``Removing the need for a pilot will have a significant impact in
opening up the aviation market.''

Piette says that by eliminating pilots more people will be attracted to
aircraft ownership and that will increase demand for small planes. The
higher volumes will reduce production costs and make GA aircraft more
affordable, Piette theorizes. ``We see a bright future where people and
places are ever more connected, where small aircraft can finally take their
rightful place in the transportation landscape, and where autonomous flight
will have a profound impact on society as we know it,'' he wrote.

Apparently some investors are seeing that bright future as TransportUP is
reporting XWing has attracted $4 million in initial investment, including
some from Microsoft.

  * [NOTE: The purpose of drones is to get rid of pilots and passengers.
    But someone has to be around to take the `blame' when something goes
    wrong...  PGN]

------------------------------

From: Monty Solomon <monty () roscom com>
Date: Mon, 6 Aug 2018 01:38:14 -0400
Subject: 2 Blasts, a Stampede and a 'Flying Thing': Witnesses Tell of Attack
  on Maduro (NYTimes)

http://www.nytimes.com/2018/08/05/world/americas/venezuela-drone-attack-nicolas-maduro.html

A drone attack that failed to kill President Nicolas Maduro of Venezuela
unfolded on live TV and in front of many witnesses: ``It was like, bang, I
had never heard a sound like that in my life.''

------------------------------

Date: Thu, 02 Aug 2018 13:10:02 +0800
From: Richard M Stein <rmstein () ieee org>
Subject: An Alaskan borough turns to typewriters and handwriting after its
  computers were hacked (WashPo)

http://www.washingtonpost.com/technology/an-alaskan-borough-turns-to-typewriters-and-handwriting-after-its-computers-were-hacked/2018/08/01/7689dafa-ab56-4e03-9677-556fc970e3ea_story.html

Sage advice to adopt for any organization seeking resilience against
ransomware opportunism. Paper files stored in filing cabinets and cooked by
typewriters are immune from ransomware or DNS tunneling exfiltration, but not
fire or black bag ops (breaking & entering + theft).

------------------------------

Date: Tue, 7 Aug 2018 17:07:27 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: HP Inkjet Printers Remote CodeEx (HP)

Two security vulnerabilities have been identified with certain HP Inkjet
printers. A maliciously crafted file sent to an affected device can cause a
stack or static buffer overflow, which could allow remote code execution.

http://support.hp.com/us-en/document/c06097712

------------------------------

Date: Wed, 08 Aug 2018 11:05:07 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "German police hacking hit by volley of complaints: Can 'state
  trojan' law survive?" (ZDnet)

Germany's use of state-sponsored malware to fight crime is under fire from
several sides.
http://www.zdnet.com/article/german-police-hacking-hit-by-volley-of-complaints-can-state-trojan-law-survive/

Civil rights activists and politicians will in the coming days launch a
volley of constitutional complaints against the German government over its
use of state-sponsored malware in criminal investigations.

The first is that the recent law does not respect the boundaries set by the
Constitutional Court in a 2008 ruling, which said state-sponsored malware,
Staatstrojaner, can only be used to monitor ongoing communications, and not
to search people's computers.

The second part of the GFF's argument is that ``there is an indirect
detrimental effect on IT security as a whole.''

Ulf Buermeyer, the organization's chairman, said: ``To use one of these
state-sponsored malwares, authorities usually need a security flaw in the
system they want to target. These flaws can not only be exploited by German
state actors, but also by foreign state actors, or by plain criminals. We
argue that trojans are detrimental to our security in general. It creates a
strong incentive for state actors in Germany not to disclose security flaws
to vendors. We say this is a risk and the German legislature entirely
neglected this risk.''

------------------------------

Date: Mon, 6 Aug 2018 11:52:13 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Disney's 'Christopher Robin' Won't Get China Release Amid Pooh
  Crackdown (Hollywood Reporter)

http://www.hollywoodreporter.com/heat-vision/christopher-robin-refused-china-release-winnie-pooh-crackdown-1131907

  A source pins the blame on the country's crusade against images of the
  Winnie the Pooh character, which has become a symbol of the resistance
  with foes of the ruling Communist Party, namely Chinese leader Xi Jinping.

China's censorship regime isn't just oppressive and evil, it's utterly
insane.

------------------------------

Date: Tue, 7 Aug 2018 17:11:54 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: South Korea longs for a train to Europe but U.S. sanctions on North
  Korea block the way (WashPo)

The Washington Post, 3 Aug 2018

During their meeting in the peninsula's demilitarized zone in late April,
South Korean President Moon Jae-in handed Kim a USB stick containing detailed
plans for an inter-Korean rail network. The two Korean leaders agreed to work
toward reconnecting their rail network, built under Imperial Japan at the
turn of the 20th century, then severed during the Korean War in the 1950s.

http://www.washingtonpost.com/world/asia_pacific/south-korea-longs-for-a-train-to-europe--but-us-sanctions-on-north-korea-block-the-way/2018/08/03/1760ef76-9007-11e8-9b0d-749fb254bc3d_story.html

Moon better hope Kim doesn't read Risks.

------------------------------

Date: Sun, 5 Aug 2018 19:17:47 +0900
From: "Dave Farber" <farber () gmail com>
Subject: Magical thinking about machine learning won't bring the reality of
  AI any closer (The Guardian)

http://www.theguardian.com/commentisfree/2018/aug/05/magical-thinking-about-machine-learning-will-not-bring-artificial-intelligence-any-closer?CMP=Share_iOSApp_Other

------------------------------

Date: Sun, 5 Aug 2018 13:04:43 -0400
From: Monty Solomon <monty () roscom com>
Subject: Keeping Zuckerberg Safe Now Costs an Extra $10 Million a Year.
  (Bloomberg)

http://www.bloomberg.com/news/articles/2018-08-02/protecting-mark-zuckerberg-just-got-more-expensive-for-facebook

------------------------------

Date: Sun, 5 Aug 2018 09:31:23 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Your Company Needs a Digital Ombudsman. Pronto. (Medium)

via NNSquad

http://medium.com/s/story/your-company-needs-a-digital-ombudsman-pronto-9454c61c273b

  Who Needs this Role?

  Google famously convened an ethics board to ruminate over the possible
  dangers A.I. poses for the future. That's admirable from a
  Let's-Avoid-the-Robopocalypse perspective, but Google needs this position
  of digital ombudsman to focus on their users' concerns now. (A quick
  Google search reveals that I'm not the first to suggest it.) Facebook
  needs this position. So does Twitter. And Snapchat. And Amazon. But the
  need extends well beyond these obvious digital and social media companies.

One of the best articles I've seen on this topic in ages. And before anyone
points it out, yeah, I did notice that it links back to my earlier
discussions (updated many times over the years) regarding Google and
Ombudsmen, via a link to a Techdirt article that I've previously noted.

------------------------------

Date: Sun, 05 Aug 2018 18:39:39 +0800
From: Richard M Stein <rmstein () ieee org>
Subject: To Fight Fake News, SETI Researchers Update Alien-Detection Scale
  (Scientific American)

http://www.scientificamerican.com/article/to-fight-fake-news-seti-researchers-update-alien-detection-scale/

SETI has created a new calculator to assess ET's signal to Earth. The
calculator uses enumerated input values, with a few range selection options,
to characterize the signal structure. The ET-for-real-calculator can be found
here: http://dh4gan.github.io/rioscale2/. A peer-reviewed article published
in the International Journal of Astrobiology article discusses the Rio2.0
scale, a method to characterize ET's signal as calculator input.

I think the risk here, common to all software stacks, is whether or not it
has been sufficiently qualified, especially for edge/threshold-trigger
conditions that might accrue into an accidental public alarm. Hopefully,
there'll be a few conscientious reviewers to evaluate the signal and
calculator output before an emergency broadcast commences.

Wonder if an adaptation can be automatically applied to various public
information sources (e.g., social media platforms) to quickly identify bot
publications w/o compromising free speech? The EditorBot might live someday.
------------------------------

Date: Thu, 2 Aug 2018 01:42:53 -0400
From: Monty Solomon <monty () roscom com>
Subject: An Alaskan borough turns to typewriters and handwriting after its
  computers were hacked. (WashPo)

A ransomware attack infected the town's computers and email system, forcing
officials to pull them offline.

http://www.washingtonpost.com/technology/2018/08/01/an-alaskan-borough-turns-typewriters-handwriting-after-its-computers-were-hacked/

------------------------------

Date: Mon, 6 Aug 2018 12:22:36 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: UK F-35 secrets said leaked after Tinder account hacked (The Times
  of Israel)

A British Royal Air Force airwoman had her Tinder dating account hacked,
leading to secrets about the country's new F-35 fighter jets being leaked,
according to a Sunday report in the UK's Daily Mail
<http://www.dailymail.co.uk/news/article-6027207/Honeytrap-spy-stole-secrets-new-RAF-stealth-jet-hacking-Tinder-profile.html>

The RAF confirmed to the Mail that some information about the top secret
planes was passed on to a third party after the woman's profile was hacked.
The perpetrator used her account to strike up an online friendship with
another member of the air force.

http://www.timesofisrael.com/uk-f-35-secrets-said-leaked-after-tinder-account-hacked/

------------------------------

Date: Wed, 08 Aug 2018 11:23:42 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "New Wi-Fi attack cracks WPA2 passwords with ease" (Charlie Osborne)

Charlie Osborne for Zero Day | August 8, 2018
The common Wi-Fi security standard is no longer as secure as you think.
http://www.zdnet.com/article/new-wi-fi-attack-cracks-wpawpa2-passwords-with-ease/

A new way to compromise the WPA/WPA2 security protocols has been accidentally
discovered by a researcher investigating the new WPA3 standard. The attack
technique can be used to compromise WPA/WPA2-secured routers and crack Wi-Fi
passwords which have Pairwise Master Key Identifiers (PMKID) features
enabled.

------------------------------

Date: Tue, 7 Aug 2018 18:39:58 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: How a bunch of lava lamps protect us from hackers (WiReD)

Edward Craven Walker lived to see his greatest invention, the lava lamp
<http://www.wired.com/2013/09/lava-lamp-50/> cultural comeback. But the
British tinkerer (and famed nudist, incidentally) died before he could
witness the 21st-century digital potential of his analog creation. Inside
the San Francisco office of the web security company Cloudflare
<http://www.wired.com/tag/cloudflare/> groovy hardware help protect wide
swaths of the Internet from infiltration. Here's how it works.

Every time you log in to any website, you're assigned a unique identification
number. It should be random, because if hackers can predict the number,
they'll impersonate you. Computers, relying as they do on human-coded
patterns, can't generate true randomness -- but nobody can predict the goopy
mesmeric swirlings of oil, water, and wax. Cloudflare films the lamps 24/7
and uses the ever-changing arrangement of pixels to help create a
superpowered cryptographic key. ``Anything that the camera captures gets
incorporated into the randomness,'' says Nick Sullivan, the company's head
of cryptography <http://www.wired.com/tag/cryptography/> includes visitors
milling about and light streaming through the windows. (Any change in heat
subtly affects the undulations of those glistening globules.)

Sure, /theoretically/, bad guys could sneak their own camera into
Cloudflare's lobby to capture the same scene, but the company's prepared for
such trickery. It films the movements of a pendulum in its London office and
records the measurements of a Geiger counter in Singapore to add more chaos
to the equation. Crack that, Russians.

http://www.wired.com/story/cloudflare-lava-lamps-protect-from-hackers/

------------------------------

Date: Sat, 4 Aug 2018 02:34:09 -0400
From: Monty Solomon <monty () roscom com>
Subject: The Information on School Websites Is Not as Safe as You Think
  (NYTimes)

Some tracking scripts may be harmless. But others are designed to recognize
I.P. addresses and embed cookies that collect information prized by
advertisers.

http://www.nytimes.com/2018/08/02/education/learning/school-websites-information-tracking.html

------------------------------

Date: Sat, 04 Aug 2018 15:24:15 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Rich Irony from an "Unwitting" Liar

Is it just me, or is anyone else in computer science annoyed by James
Clapper's recent apology book tour, during which he blames everyone but the
intelligence community for Hillary Clinton's 30,000 lost emails?

Having been involved in the computer science field for half a century, with a
personal email history almost as old, I can recall the heavy hand of the
intelligence community in monopolizing encryption technology and
criminalizing its export. The intelligence community's watchword: "NOBUS",
meaning "NObody But U.S." (may use high-quality encryption and
authentication).

This heavy hand made it impossible to incorporate encryption and
authentication into the fabric of everyday computer systems, and hence
impossible for computers to *routinely* protect ordinary communications like
emails. Only after Bernstein v. United States (1999) and Junger v. Daley
(2000) was encryption finally permitted to become a fully integrated
component of everyday computer systems.

The computer science community thus lost *forty years* of experience and
software development that would have led to email systems capable of storing
Hillary's emails securely -- even in her home closet.
As the recent "Spectre" class of CPU vulnerabilities demonstrates, we are still living with the legacy of this intelligence community "unwitting" (I prefer "witless") blunder.

I would like to repeat to James Clapper what my grandmother used to say to me when I was a child: "when you point your (index) finger at someone, your other four fingers are pointing at yourself."

I also have a better suggestion for the name of Clapper's book: "Redacts and Sneers: Half Truths from a Liar in Intelligence" rather than "Facts and Fears: Hard Truths from a Life in Intelligence".

http://news.harvard.edu/gazette/story/2018/06/clapper-frets-over-past-damage-present-shortcomings-future-threats-to-us-intelligence/
Christina Pazzanese, Harvard Staff Writer, 22 Jun 2018
The worries over U.S. intelligence
Former Director of National Intelligence James Clapper says he felt compelled to speak out about President Trump and the investigation into Russia's interference in the 2016 election.

------------------------------

Date: Fri, 3 Aug 2018 12:45:52 -0700
From: Rob Slade <rmslade () shaw ca>
Subject: Socially engineering a whale ...

When you know who someone is, have followed their patterns, and know who their friends are, you can get them to respond to phishing messages.

At least, that was the theory when DFO lured an orca away from the harbour where he had taken up residence. (And now someone is going to take issue with "residence," since he was not from one of the resident pods, but was a transient.)

http://vancouversun.com/news/local-news/orca-lured-from-comox-harbour-with-audio-playback-of-other-whales
or http://is.gd/WHuq3X

(And, yes, I know that orcas are delphinidae and therefore not true whales ...)
(And, yes, I meant phishing, not fishing.)

(false positive, identification, identity theft, impersonation, phishing, social engineering, social media)

(Oh, you want even more links to security? Well, there is life safety, since transients feed on mammals, and that's what we are ...)
(See also under "bears": http://catless.ncl.ac.uk/Risks/30/76%23subj21)

------------------------------

Date: Thu, 2 Aug 2018 19:29:39 +0100
From: Wols Lists <antlists () youngman org uk>
Subject: Re: The Ordinary License Plate's Days May Be Numbered (Shapir, RISKS-30.78)

It always amazes me that not many countries follow the UK approach, where in normal circumstances the licence plate stays with the vehicle from manufacture to destruction. And I'm sure plenty of people will scream about the risks of ANPR (automatic number plate recognition), but it works well - mostly - for us, where a computer in a police car scans neighbouring plates, then checks them against an online database for tax and insurance. Traders have a special plate which allows them to drive vehicles that are otherwise not registered, taxed or insured.

This does, however, bring another risk into play. So many bills are paid monthly now, including insurance, so if you aren't alert it's far too easy - as happened to my daughter - for the insurance debit to bounce, the insurance company cancels the policy, the ANPR picks up your vehicle, and you get stopped for driving the vehicle without insurance. And the insurance company normally does NOT notify you that the payment bounced!

In those circumstances, you are supposed to re-insure your vehicle, at the roadside, by (smart)phone, or the police will seize the vehicle. My daughter was lucky - the police let her proceed when she couldn't contact her insurers - but many people have had their vehicle seized, and it usually costs about £200 to get it back!

------------------------------

Date: Wed, 1 Aug 2018 21:14:17 -0400
From: "Robert R. Fenichel" <bot () fenichel net>
Subject: Re: Employees as subjects in clinical trials (Maziuk)

I'm sorry if I misinterpreted what Dimitri Maziuk said a few issues ago.
Other followers of RISKS will need to review the entries and, as they see fit, apportion fault between the transmission & reception functions in our communication.

Reply to bob () fenichel net

------------------------------

Date: Tue, 5 May 2018 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
   *** This attention-string has never changed, but might if spammers use it.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
   *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
   Also, ftp://ftp.sri.com/risks for the current volume
   or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
   If none of those work for you, the most recent issue is always at
   http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
   *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
   Apologies for what Office365 and SafeLinks have done to URLs. I have tried to extract the essence.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.79
************************
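The entropy mixing described in the Cloudflare lava-lamp item above (camera frames of the lamps, a London pendulum, a Singapore Geiger counter), as an added illustration: this is not code from the digest or from Cloudflare, and the EntropyPool class, the source names and the sensor readings are constructed stand-ins.

```python
import hashlib
import hmac

class EntropyPool:
    """Hash-chained pool: each observation is folded into a 32-byte state.
    Hashing adds no randomness; it only concentrates what the sources supply."""

    def __init__(self) -> None:
        self.state = bytes(32)  # fixed all-zero start; entropy comes from mix()

    def mix(self, source: str, sample: bytes) -> None:
        # Source name and sample length are hashed in too, so readings from
        # different sensors cannot be confused with one another.
        h = hashlib.sha256(self.state)
        h.update(source.encode())
        h.update(len(sample).to_bytes(4, "big"))
        h.update(sample)
        self.state = h.digest()

    def derive(self, label: bytes, n: int = 16) -> bytes:
        # Identifiers are HMAC outputs keyed by the state, so an identifier
        # handed to a user never exposes the pool state itself.
        out, counter = b"", 0
        while len(out) < n:
            msg = label + counter.to_bytes(4, "big")
            out += hmac.new(self.state, msg, hashlib.sha256).digest()
            counter += 1
        return out[:n]

# Constructed stand-ins for the three sources named in the article.
LAMP_FRAME = bytes(range(256)) * 4          # "camera frame" of the lamps
PENDULUM = b"london pendulum angle=0.4131 rad"
GEIGER = b"singapore geiger cpm=27"

def full_pool() -> EntropyPool:
    pool = EntropyPool()
    for name, sample in (("lamp-camera", LAMP_FRAME), ("pendulum", PENDULUM),
                         ("geiger", GEIGER)):
        pool.mix(name, sample)
    return pool

def camera_only_pool() -> EntropyPool:
    # An onlooker who filmed the lamps but has none of the other readings.
    pool = EntropyPool()
    pool.mix("lamp-camera", LAMP_FRAME)
    return pool
```

The output is deterministic in its inputs, which is the point: all unpredictability comes from the physical readings, and an onlooker who reproduces only the camera feed derives a different identifier.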