Subject: Risks Digest 29.43

RISKS-LIST: Risks-Forum Digest  Friday 1 April 2016  Volume 29 : Issue 43

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.43.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

Contents: SPECIAL EXTRA ISSUE
Keeping technology real -- in the movies (Avi Rubin)
New variant of ransomware spreading, please do not share (Kevin Fu)

----------------------------------------------------------------------

Date: Fri, 1 Apr 2016 00:33:23 -0400
From: Avi Rubin <avirubin@gmail.com>
Subject: Keeping technology real (in the movies)

  [Special to RISKS, included with permission]

Ever notice how some shows are more realistic than others in their portrayal of technology? Consider the popular TV series *24*, an entertaining but laughably implausible program, where satellite imagery captures absolutely everything that happens anywhere in real time, and where the government can easily decrypt any cipher. On the other hand, shows like The Good Wife and Mr. Robot clearly utilized expert consultants to achieve more genuine descriptions of technology. I think movies, such as the recent *The Martian* and my old favorite, *Sneakers*, which employ expert consultants, have a more legitimate feel, even for lay audiences, and the final product is better when the use of technology and science is realistic.

Three days ago, I was approached by movie producers Brian Grazer and Ron Howard of Imagine Entertainment with an offer that will be hard to refuse. They are working on a film project about a team of hackers that manages to subvert the primaries of both parties in a US Presidential election.
I've been asked to consult with the screenwriters so that their portrayal of the hackers and their activities passes the *sniff test*, as they call it. In other words, they don't want techies to cringe when they see the movie.

Without spoiling the plot (which would result in huge sanctions due to the strongly worded NDA I had to sign), the story is quite fascinating. The hackers are able to systematically infiltrate the underlying tallying mechanism used in every state, despite the wide variety of systems. Even the caucuses are not safe. On the Republican side, the system is rigged so that a bigoted, childish, and boastful billionaire demagogue runs away with the election. The hackers are so skilled that they manage to also rig exit polls so that nobody even questions whether the results are legitimate. On the Democratic side, the hackers are more careful, keep their candidate in second place, and orchestrate a surge midway through the primary season. They manage to keep an unlikely, over-the-hill, radically liberal, self-declared socialist in the hunt by carefully manipulating the primaries and caucuses such that his rise seems gradual.

According to the script, alongside the hackers is a well-orchestrated hijacking of the media, whose coverage feigns outrage at the success of the two surprising candidates, while at the same time providing just enough cover to the story so that the public believes it.

Word is that Larry David is being considered for the role of the Democratic candidate, but the studio is struggling to find someone to play the Republican. Perhaps the character is just not credible enough. Rumor has it that Charlie Sheen is angling for the job, but Imagine Entertainment feels he is too likeable.

The producers have not shared the ending with me yet, and I'm dying to see how it turns out, but I have to say that making this scenario believable is the biggest challenge I have ever faced.
For some reason they insist on paying me in small denominations of unmarked bitcoin, deposited to an untraceable Cuban account. The coins are only valid on April 1 in odd-numbered years.

Avi Rubin, JOHNS HOPKINS UNIVERSITY, Professor, Computer Science
Technical Director, Information Security Institute
rubin@jhu.edu  410-516-8177  http://www.cs.jhu.edu/~rubin/

------------------------------

Date: Fri, 1 Apr 2016 00:34:16 -0400
From: Kevin Fu <kevinfu@umich.edu>
Subject: New variant of ransomware spreading, do not share

  [Special to RISKS, included with permission]

I have an important alert about a new variant of ransomware. If you were not one of the lucky few to receive FBI's call for help in battling ransomware, now you can be in the know. Please keep this alert confidential.

As you know, malware has been invading hospitals across the world, causing disruptions to operations. California. Kentucky. West Virginia. The Baltimore-Washington Region. Australia. Germany. The ransomware variants are multiplying with gibberish names like CryptoLocker, Locky, and CryptoWall. The latest, Samas, is unique in that its infection vector does not use phishing to trick a user into clicking on a link that installs the malware. Rather, Samas directly attacks servers running JBoss.

This is where things get really scary. I've been working closely with authorities, and because I trust you, I need to warn you about a new variant.

Stefan Savage of UCSD explains to me that there are three key reasons why ransomware has become so profitable. First, the Wassenaar Agreement no longer requires that ransomware use export-controlled cryptography. Thus, hackers now have advanced cryptography that is virtually unbreakable without the help of Bruce Schneier. Second, ransomware relies on anonymous payments (Bitcoin). Third, the ransomware operators provide excellent customer service so that victims always hear from their friends that paying the ransom results in the data being successfully decrypted.
Alas, these three pillars of ransomware are crumbling. First, the Obama Administration softened its stance on the Wassenaar Agreement. Second, organized crime is smart and recognizes that the recent collapse of various Bitcoin exchanges means an unstable virtual currency that threatens their business model. Third, crowdsourced customer support is likely to become significantly more expensive with Bernie Sanders demanding that the federal minimum online wage be raised to 0.036 Bitcoins.

It's this perfect storm of instability that has quietly led to the newest variant of ransomware, dubbed "Handsomware."

The old ransomware used Bitcoin to keep payments anonymous. The new Handsomware variant uses Flooz instead of Bitcoin. Flooz is an alternate currency popularized by celebrity spokesperson Whoopi Goldberg. In ads for consumer use of Flooz currency, Whoopi urges parents, "It's just like money. Give 'em Flooz!"
  https://www.youtube.com/watch?v=4s7V9I7LVp4

Unlike Bitcoin, Flooz does not rely on exchanges that cause wide and frequent fluctuations in value. Philip Kaplan, a noted expert on Flooz, colorfully wrote on his MySpace page, "Holy crap, Flooz is the shit." He further wrote of Flooz that, "Investors have pumped $51.5 million into three rounds." This virtually ensures the success of Flooz as an alternate currency. There's no stopping it. While Whoopi has been advertising Flooz for more everyday things like graduation gifts, she had no idea that organized crime would flock to Flooz like GOP candidates to third-party runs.

The Handsomware variant also changes the encryption scheme. Instead of using slow number-theoretic algorithms like RSA, it uses something known as the One Direction fandomized encryption technique pioneered by Goldwasser and Micali. Unlike trapdoor-based public key encryption systems, the One Direction encryption system ignores all text files and binaries. Instead, it focuses on what you really care about: images.
Handsomware uses One Direction to replace plaintext images, such as screenshots of your best Candy Crush scores or radiological images, with photos of 1D boy-band singer Liam Payne, with the Handsomware binary embedded steganographically in the images using the Recursion Theorem. This scheme is devious, because teenage girls across the country immediately open the encrypted images and share them with their friends---further spreading Handsomware to Snapchat and other critical infrastructure that fuels the American economy.

The Handsomware writers were also able to replace the costly customer support that was limited by minimum Bitcoin wage laws. Instead, they use the silent majority of disgruntled workers who feel no one has listened to them. Malware writers sense an opportunity, and have made grandiose promises. An anonymous post on one Handsomware site proclaims, "Make Ransomware Great Again!" Another post says, "Build a Firewall!"

Yes, that's right. A new piece of malware has invaded our countryland. It calls itself handsome, it brags of its massive currency, and it encrypts your drive to think carefully. Nothing can Trump this new malware.

Although this message is confidential, you have my permission to forward this message to your most trusting friends.

April Fools!

Kevin Fu, Associate Professor, EECS Department, The University of Michigan
kevinfu@umich.edu  web.eecs.umich.edu/~kevinfu/  Twitter @DrKevinFu

------------------------------

End of RISKS-FORUM Digest 29.43
************************