Subject: Risks Digest 29.79

RISKS-LIST: Risks-Forum Digest  Saturday 24 September 2016  Volume 29 : Issue 79

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can also be found at

Contents:
We Have to Start Thinking About Cybersecurity in Space (Zeljka Zorz)
"5 Tech Trends That Have Turing Award Winners Worried" (Katherine Noyes)
Tesla tones down Autopilot (San Francisco Chronicle)
Krebs on Security hit by a huge DDoS attack (ZDnet via PGN)
"Seagate NAS hack should scare us all" (Roger A. Grimes)
Australian Police warn of malware-laden USB sticks in letterboxes (The Register via Werner U)
Russian intelligence services seem responsible for hacking German political groups (The Cyberwire)
China teen killing sparks Internet *addiction* boot camp debate (BBC)
Banks want to make the Internet less secure for everybody (Thomas Koenig)
Rogue Algorithms -- and the Dark Side of Big Data (Wharton Knowledge)
WikiLeaks uploads 300+ pieces of malware among email dumps (Werner U)
Re: Police try to arrest robot (Martin Ward)
Re: The risks of getting your email address wrong (John Levine)
Re: Microsoft dismisses Exchange vulnerability report (Bill Stewart)
Re: PC without OS (Martin Ward, Dimitri Maziuk)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 23 Sep 2016 12:18:18 -0400 (EDT)
From: "ACM TechNews"
Subject: We Have to Start Thinking About Cybersecurity in Space (Zeljka Zorz)

Zeljka Zorz, Help Net Security, 22 Sep 2016, via ACM TechNews, 23 Sep 2016

UK-based researchers are studying the cybersecurity of space-related technologies.
"An insecure environment in space will hinder economic development and increase risks to societies, particularly in crucial sectors such as communications, transport, energy, financial transactions, agriculture, food and other resources management, environmental and weather monitoring, and defense," according to Chatham House researchers David Livingstone and Patricia Lewis. They say space-related cybersecurity gaps and weaknesses need to be addressed as a matter of urgency. Cybersecurity in space includes satellites, rockets, space-based systems and vehicles, space stations and ground stations, as well as the associated networks and data centers, all of which the researchers warn could be targeted by hackers.

"Possible cyberthreats against space-based systems include state-to-state and military actions; well-resourced organized criminal elements seeking financial gain; terrorist groups wishing to promote their causes, even up to the catastrophic level of cascading satellite collisions; and individual hackers who want to fanfare their skills," according to the researchers.

The researchers suggest an international multi-stakeholder space security organization would provide the best opportunity for developing a sectoral response to match the range of threats. However, such an effort should avoid basing policies on technology alone. "An effective regime requires a comprehensive technological response that is integrated into a wider circle of knowledge, understanding, and collaboration," according to the researchers.

http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-113b5x2fda9x073885&

------------------------------

Date: Fri, 23 Sep 2016 12:18:18 -0400 (EDT)
From: "ACM TechNews"
Subject: "5 Tech Trends That Have Turing Award Winners Worried"

IDG News Service (09/23/16) Katherine Noyes

A panel of ACM A.M. Turing Award winners convened on Thursday at the Heidelberg Laureate Forum in Germany to discuss technology trends they find troubling.
Massachusetts Institute of Technology professor Barbara Liskov cited technology encouraging people to selectively filter out news and opinions differing from their own as a worrisome trend. Another concern of Liskov's is how the Internet has empowered malevolent hackers and other malefactors to target children. Meanwhile, Carnegie Mellon University's Raj Reddy discussed criminals' ability to attack freedom technologically, noting terrorists and other evildoers "can communicate with impunity with encryption today."

Google chief Internet evangelist and former ACM president Vint Cerf said bug-ridden software could undermine control of devices comprising the Internet of Things. "It's ordinary devices that have a lot of software in them that don't work the way we expect them to" that constitute a major threat, he warned. Cerf also worries about the obsolescence of the software needed to access online content, and a partial solution may be to employ virtual machines in the cloud to mimic outdated hardware. However, Cerf said other issues are in need of resolution, including ownership of intellectual property and business models to support long-term preservation.

http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-113b5x2fda6x073885&

------------------------------

Date: Fri, 23 Sep 2016 12:13:01 PDT
From: "Peter G. Neumann"
Subject: Tesla tones down Autopilot

Tesla says its latest software update will disable automatic steering if drivers don't keep their hands on the wheel. They are enhancing the radar system so Autopilot will work better in bright sun and bad weather. If drivers ignore three warnings to place their hands on the wheel, automatic steering will be disabled and won't resume until the car is parked. As in earlier versions, the car will slow to a stop if the warnings are ignored.

  [PGN-excerpted from the *San Francisco Chronicle*, 23 Sep 2016, front page of the Business Report]

  [I suspect that strategy won't work very well on an Automated Highway.
  Fortunately, we still have a way to go to work things out. I should note that I've written two articles in the past months that might need some updating in light of recent developments noted in RISKS and elsewhere:

    PGN, Automated Car Woes -- Whoa There! ACM Ubiquity, July 2016:

    PGN, Risks of Automation: A Cautionary Total-System Perspective of Our Cyberfuture, CACM Inside Risks article, October 2016:

  One of the risks of writing journal articles is that they should be able to have successive updates, which of course never happens. One of the benefits of RISKS is that we are continually reflecting on the ever-changing nature of computer-related technologies. The topic of self-driving cars and automated highways is certainly likely to be one such area where things will be changing! (That's just one of the reasons I never tried to write a successor to my 1995 book, *Computer-Related Risks* -- although most of what I wrote then still seems timely today.) PGN]

------------------------------

Date: Fri, 23 Sep 2016 09:18:17 PDT
From: "Peter G. Neumann"
Subject: Krebs on Security hit by a huge DDoS attack

Brian Krebs's security blog was booted off the Akamai network after DDoS attack proves pricey. "There's no rancor or bitterness, however, since Akamai hosted the security expert's blog pro bono."

The attack, 665 Gbps in size, was detected by Akamai and DDoS protection outfit Prolexic, owned by Akamai, as "almost twice the size" of attacks they have had to fend off in the past, according to Krebs. On Twitter, the security expert said in a series of tweets that despite the unknown attackers "throwing it all" at Krebs on Security, including SYN Floods, GET Floods, ACK Floods, POST Floods, and GRE Protocol Floods, the attack, one of -- if not -- the largest DDoS ever recorded, failed.

http://www.zdnet.com/article/krebs-on-security-booted-off-akamai-network-after-ddos-attack-proves-pricey/

  [This episode seems to have a nasty slippery slope.
  If nothing else, it demonstrates how devastating massive denial-of-service attacks can be. Also, Akamai's booting Krebs suggests a camel's foot under the hood that may result in shooting themselves in the nose and throwing the boobie hatch out with the dirty laundry. Nip a flood in the bud in the mud with a thud? PGN]

------------------------------

Date: Fri, 23 Sep 2016 11:34:21 -0700
From: Gene Wirchenko
Subject: "Seagate NAS hack should scare us all" (Roger A. Grimes)

Roger A. Grimes, InfoWorld, 20 Sep 2016
An under-the-radar news story proves that computers are far from the only devices prey to attack
http://www.infoworld.com/article/3121338/security/seagate-nas-hack-should-scare-us-all.html

opening text:

No fewer than 70 percent of Internet-connected Seagate NAS hard drives have been compromised by a single malware program. That's a pretty startling figure. Security vendor Sophos says the bitcoin-mining malware Miner-C is the culprit.

  [At peak, seek to tweak the weak link. This reeks of leaks that peek as well. PGN]

------------------------------

Date: Fri, 23 Sep 2016 02:03:28 +0200
From: Werner U
Subject: Australian Police warn of malware-laden USB sticks in letterboxes

  [ twist: an old trick at a new place.... still works ]

Simon Sharwood, *The Register*, 21 Sep 2016
Victoria Police warn of malware-laden USB sticks in letterboxes
It's called 'junk mail' for a reason people: take the pizza vouchers and ignore the rest!

Police in the Australian State of Victoria have warned citizens not to trust unmarked USB sticks that appear in their letterboxes. The warning, issued today, says ``The USB drives are believed to be extremely harmful and members of the public are urged to avoid plugging them into their computers or other devices.
Upon inserting the USB drives into their computers victims have experienced fraudulent media streaming service offers, as well as other serious issues.''

Only the suburb of Pakenham in Victoria's capital Melbourne has experienced the dodgy stick drop, but Victoria Police nonetheless saw fit to issue a state-wide alert.

*The Register* is utterly unsurprised that some people plugged in the drives, as we've previously reported that half of people who find a USB stick in a carpark will plug it in and a USBs-left-in-car-parks phishing scam. And who could forget the attempt at industrial espionage that saw USB sticks left in the parking lot of Dutch chemical giant DSM?

The latter two attacks were targeted. Pakenham, however, is an unremarkable outer suburb. Perhaps the perps behind this USB drop had a particular target in mind. Or perhaps USB sticks are now so cheap, and the profits to be had from cracking even home computers so large, that scattering a few dozen sticks is a crime that pays?

------------------------------

Date: Thu, 22 Sep 2016 12:26:28 -0400 (EDT)
From: The CyberWire
Subject: Russian intelligence services seem responsible for hacking German political groups

The CyberWire 9.22.16
http://ui.constantcontact.com/sa/fwtf.jsp?llr=46gbevkab&m=1110957923263&ea=editor%40thecyberwire.com&a=1125925470626

------------------------------

Date: Fri, 23 Sep 2016 17:02:01 -0700
From: Lauren Weinstein
Subject: China teen killing sparks Internet *addiction* boot camp debate

BBC via NNSquad
http://www.bbc.com/news/world-asia-china-37451134

``A murder case in China, in which a teenager reportedly tied up and killed her mother after being sent to an [I]nternet addiction treatment centre, has sparked shock across the country. The teenager, from the northern province of Heilongjiang, had "tied the victim up in a chair until she died" on 16 September, local police say, without giving further details about the death.
The 16-year-old, identified in media reports by a ps[eu]donym, Chen Xin, has handed herself in to the police. Local media say Chen Xin had been sent to an academy in Shandong, more than 1,000 km (600 miles) from her home, that specialised in "treating addictions and rebellious youths" - and which had a particular reputation for treating [I]nternet addictions.''

------------------------------

Date: Sat, 24 Sep 2016 08:38:44 +0200
From: Thomas Koenig
Subject: Banks want to make the Internet less secure for everybody

In an E-Mail to the TLS mailing list at ietf.org, a representative of the "Financial Services Roundtable" asked to keep the RSA key exchange in the upcoming TLS 1.3 standard.

Why on earth would they do that? One would suppose that banks, above everybody else, would need a secure Internet, in the interest of protecting their clients and themselves.

Well, maybe that's not quite the case:

# Like many enterprises, financial institutions depend upon the ability to
# decrypt TLS traffic to implement data loss protection, intrusion detection
# and prevention, malware detection, packet capture and analysis, and DDoS
# mitigation. Unlike some other businesses, financial institutions also
# rely upon TLS traffic decryption to implement fraud monitoring and
# surveillance of supervised employees.

So, to keep snooping internally, they want to make external snooping easier?

Fortunately, the response was rather short: "No".
Full E-Mail can be found at
https://www.ietf.org/mail-archive/web/tls/current/msg21275.html

------------------------------

Date: Fri, 23 Sep 2016 13:36:45 -0400
From: "David Farber"
Subject: Rogue Algorithms -- and the Dark Side of Big Data (Wharton Knowledge)

http://knowledge.wharton.upenn.edu/article/rogue-algorithms-dark-side-big-data/?utm_source=kw_newsletter&utm_medium=email&utm_campaign=2016-09-22

------------------------------

Date: Sun, 25 Sep 2016 00:14:37 +0200
From: Werner U
Subject: WikiLeaks uploads 300+ pieces of malware among email dumps

[Sources: Gizmodo, 15 Aug 2016 and *The Register*, 19 Aug 2016]

  [This is an old item that somehow did not make it earlier. PGN]

Michael Nunez, *WikiLeaks Published Dozens of Malware Links in Email Dump*
Gizmodo, 15 Aug 2016
https://gizmodo.com/wikileaks-published-dozens-of-malware-links-in-email-du-1785293372

WikiLeaks published more than 80 variants of malware in the second email dump from Turkey's ruling political party (AKP), according to anti-virus security expert Vesselin Bontchev. Anyone searching the WikiLeaks database can easily download malware attachments by clicking on the wrong link. Bontchev published his research on his GitHub page, which shows just how extensive the threats inside WikiLeaks' AKP email dump were.

This is just the latest example of unethical leaking to come from the whistleblowing organization. In July, the site was criticized for ``putting women in danger by publishing sensitive information of every female voter in 79 of 81 Turkish provinces. Now, there is yet another reason to refer to the AKP email dump as dangerous and poorly executed.''

*WikiLeaks uploads 300+ pieces of malware among email dumps*
http://www.theregister.co.uk/2016/08/19/wikileaks_uploads_324_bits_of_malware_in_munted_document_dump/
Darren Pauli, *The Register*, 19 Aug 2016

Freedom. Justice. Openness.
And some entirely avoidable p0wnage for good luck

WikiLeaks is hosting 324 confirmed instances of malware among its caches of dumped emails, a top Bulgarian anti-malware veteran says.

Random checks of reported malware hashes find the trojans are flagged as malware by Virus Total's static analysis checks. Much of the malware appears to be attachments emailed by black hats in a bid to compromise the various parties affected in the WikiLeaks dumps.

Dr Vesselin Bontchev says the instances of malware are only those confirmed and found in an initial search effort. Dr Bontchev, an antivirus researcher of nearly 30 years and founder of the National Laboratory of Computer Virology in Bulgaria, said there were "no doubts" that the malware hosted on WikiLeaks was indeed malware.

"The list is by no means exhaustive; I am just starting with the analysis," Bontchev says. "But what is listed below is definitely malware; no doubts about it."

The document dumpster uploads attachments for the emails it releases but offers no warning about the security implications of downloading macro-enabled documents, executables, and other potentially malicious files.

A feasibly simple antivirus check would have cleared a lot if not all of the attachment malware given the huge 80 to 100 percent hit rate Virus Total returned when testing files selected randomly from Dr Bontchev's list.

------------------------------

Date: Fri, 23 Sep 2016 10:40:58 +0100
From: Martin Ward
Subject: Re: Police try to arrest robot

This one didn't pass my "smell test". The Mirror has been known to publish faked news reports in the past (google Harambe McHarambeface).

Given that the previous "escapes" of the robot have been debunked:

  http://bgr.com/2016/06/17/robot-run-fake-promobot-escape/

this one seems unlikely to be genuine.
Dr Martin Ward STRL Principal Lecturer & Reader in Software Engineering
martin@gkc.org.uk  http://www.cse.dmu.ac.uk/~mward/

  [Then there's the old story about the person who was moving a disk unit from one part of a building at NSA to another section in which there was a downward-sloping passage across a security barrier that was protected by a guard trained to shoot anyone who crossed without appropriate credentials. According to the legend, apocryphal or otherwise, the heavy disk unit got away from its mover, and the guard shot it. PGN]

------------------------------

Date: 23 Sep 2016 02:40:30 -0000
From: "John Levine"
Subject: Re: The risks of getting your email address wrong (Kumar, R-29.78)

Ha, ha. If you knew my name and guessed what my Gmail address is, you would guess right. But my name is quite common, and a lot of other people with names similar to mine wrongly think that my address is their address. A very persistent John Levine is a doctor about whom I know quite a lot, including at which hospitals he bids for shifts.

The normal approach for verifying an e-mail address is to send a message to it with a click here if that was you who signed up and (too often missing) click there if it wasn't you. But a lot of marketers apparently think that's too hard, and why would someone give us the wrong address?

I've heard truly bizarro stories of a person who was getting someone else's bank statements, and when he called the bank to tell them, they wouldn't talk to him since of course, he wasn't the person whose statements they were sending to him.
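  [The confirm-or-reject verification flow John Levine describes above, written out as an added example; this is editorial code, not part of his message or of the digest. The endpoint URL, the signing key, the addresses and the timestamps are all constructed for the demonstration. Both links carry an HMAC over (action, address, expiry), so a "not me" link cannot be replayed as a "yes, me" link, and a rejection suppresses every later mail to that address, which is the piece the marketers Levine mentions leave out.]

```python
"""Double opt-in address verification with signed confirm / reject links.

Added example (not from the RISKS digest). Tokens are stateless:
base64url(JSON claims) "." base64url(HMAC-SHA256 over the claims), where the
claims are the action, the address and an expiry. Because the action is
inside the signed payload, the two links mailed to an address are not
interchangeable, and a 'reject' click blocks all future mail to that address.
"""
import base64
import hashlib
import hmac
import json

# Constructed parameters; a real deployment loads the key from a secret store.
SECRET_KEY = b"example-only-key-do-not-use-0123456789ab"
TOKEN_TTL = 48 * 3600                              # links expire after 48 hours
BASE_URL = "https://lists.example.test/verify"     # hypothetical endpoint


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def make_token(action: str, address: str, key: bytes, now: int) -> str:
    """Signed, expiring token binding one action to one (lower-cased) address."""
    body = json.dumps({"a": action, "e": address.lower(), "x": int(now) + TOKEN_TTL},
                      separators=(",", ":")).encode()
    return _b64(body) + "." + _b64(_sign(body, key))


def verification_links(address: str, key: bytes, now: int) -> dict:
    """Both links go into the one verification mail sent to an unverified address."""
    return {act: f"{BASE_URL}?t={make_token(act, address, key, now)}"
            for act in ("confirm", "reject")}


def parse_token(token: str, key: bytes, now: int):
    """Return (action, address) for a validly signed, unexpired token, else None."""
    try:
        body_b64, sig_b64 = token.split(".", 1)
        body = _unb64(body_b64)
        if not hmac.compare_digest(_sign(body, key), _unb64(sig_b64)):
            return None                      # forged or spliced signature
        claims = json.loads(body)
        if claims["x"] < now or claims["a"] not in ("confirm", "reject"):
            return None                      # expired or unknown action
        return claims["a"], claims["e"]
    except (ValueError, KeyError, TypeError):
        return None                          # malformed token


class SignupStore:
    """In-memory stand-in for the subscriber database."""

    def __init__(self):
        self.pending = set()       # signed up, owner has not yet answered
        self.confirmed = set()
        self.suppressed = set()    # owner said 'not me': never mail again

    def request_signup(self, address: str, key: bytes, now: int):
        """Links to mail, or None when the address has been rejected before."""
        address = address.lower()
        if address in self.suppressed:
            return None
        self.pending.add(address)
        return verification_links(address, key, now)

    def handle_click(self, token: str, key: bytes, now: int) -> str:
        parsed = parse_token(token, key, now)
        if parsed is None:
            return "invalid"
        action, address = parsed
        if action == "confirm":
            if address in self.suppressed:
                return "invalid"             # an earlier rejection wins
            self.pending.discard(address)
            self.confirmed.add(address)
            return "confirmed"
        # reject: drop the signup and block further attempts with this address
        self.pending.discard(address)
        self.confirmed.discard(address)
        self.suppressed.add(address)
        return "suppressed"

    def may_send(self, address: str) -> bool:
        address = address.lower()
        return address in self.confirmed and address not in self.suppressed


def demo() -> dict:
    """Constructed scenario: a stranger signs up with an address that is not theirs."""
    store, now = SignupStore(), 1_474_700_000
    links = store.request_signup("John.Levine@example.test", SECRET_KEY, now)
    confirm_tok = links["confirm"].split("t=", 1)[1]
    reject_tok = links["reject"].split("t=", 1)[1]
    forged = confirm_tok.split(".")[0] + "." + reject_tok.split(".")[1]  # spliced sig
    return {
        "before": store.may_send("john.levine@example.test"),
        "forged": store.handle_click(forged, SECRET_KEY, now),
        "expired": store.handle_click(confirm_tok, SECRET_KEY, now + TOKEN_TTL + 1),
        "reject": store.handle_click(reject_tok, SECRET_KEY, now),   # owner: "not me"
        "confirm_after_reject": store.handle_click(confirm_tok, SECRET_KEY, now),
        "resignup": store.request_signup("john.levine@example.test", SECRET_KEY, now),
        "after": store.may_send("john.levine@example.test"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

  The reject link has to work for someone who, by definition, has no account and cannot log in; that is exactly the failure in the bank-statement story, where the wrong recipient could not even be heard. Keeping the suppression list separate from the pending and confirmed sets means a later re-signup with the same address never produces another mail.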
------------------------------

Date: Fri, 23 Sep 2016 09:44:34 -0700
From: Bill Stewart
Subject: Re: Microsoft dismisses Exchange vulnerability report (Houppermans)

One partial mitigation to the vulnerability is to maintain separate webservers for your domain.com inside and outside your corporate firewall, so that if employees' Exchange clients do try to reach http(s)://domain.com/ before checking mailserver.domain.com, they'll get your inside one, which is presumably less vulnerable than your outside one. This also requires split DNS servers or similar firewall settings.

------------------------------

Date: Fri, 23 Sep 2016 15:35:28 +0100
From: Martin Ward
Subject: Re: PC without OS (Maziuk, RISKS-29.78)

On 17/09/16 19:58, Dimitri Maziuk wrote:
>> So, consumers are unable to buy a PC from a major manufacturer
>> without paying the "Microsoft Tax": whether they want to or not.
>
> No, the monopoly OS supplier can pay PC makers to include a copy of
> Windows with every PC they are selling *for $500*. Nobody's stopping
> them from selling barebones PCs *for $1000*.

Things that are perfectly reasonable for a company to do when there is ample competition become exploitation when the company has a monopoly. For example, EpiPens which cost $1 to make are sold for $608 because they can save lives and there is no competition. Goldman Sachs made billions from speculating in food prices, while 200 million people starved, by creating a partial monopoly:

http://www.independent.co.uk/voices/commentators/johann-hari/johann-hari-how-goldman-gambled-on-starvation-2016088.html
https://www.theguardian.com/global-development/2011/jan/23/food-speculation-banks-hunger-poverty

Because they are a monopoly, Microsoft can sell Windows at a greatly inflated price and then offer big discounts to major PC suppliers: provided they buy a copy of Windows for every PC they sell, and follow Microsoft's every whim. They wield enormous power over suppliers (and governments).
When the first "netbooks" came out, they were not powerful enough to run Windows. Microsoft grudgingly allowed suppliers to sell them with Linux installed. Many people began to realise that Linux on a cheap netbook could do everything they needed: with a cheaper laptop and a longer battery life. Microsoft soon put a stop to that!

------------------------------

Date: Fri, 23 Sep 2016 09:58:42 -0500
From: Dimitri Maziuk
Subject: Re: PC without OS (Ward, RISKS-29.78)

> Things that are perfectly reasonable for a company to do when there
> is ample competition become exploitation when the company has
> a monopoly.

They're not sued for being a monopoly. There are anti-trust laws for that. The ruling is that a business entity is not required to disclose the details of a deal it made with another business entity to anyone who bothers to ask. Obviously, you can't rule otherwise and have free market capitalism at the same time. There should be a special name for unstated middle that is also blatantly untrue.

  [PS for PGN: my apologies for getting you dragged into this: my original comment was about "Internet journalism" where the catchy headline "Consumers have no right to buy a PC without an OS, European court rules" has no relation to the actual court ruling being reported on. It has nothing to do with Evil Capitalism bashing. Sorry about feeding that. DM]

  [DM, thanks! Your initial message seemed worthy for RISKS, and I try not to blow the relevance whistle too often on successive messages, but I do try to excise ensuing discourse when it wanders too far afield. PGN]

------------------------------

Date: Wed, 17 Aug 2016 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 29.79
************************