Subject: Risks Digest 29.48

RISKS-LIST: Risks-Forum Digest  Monday 25 April 2016  Volume 29 : Issue 48

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.48.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Newcastle servers downed by water-main flood early last week (Lindsay Marshall)
55-million Philippine voters' personal information exposed (PGN)
Personal info of 93.4-million Mexicans exposed on Amazon (Marc Rotenberg)
Bucking the Trend on Voting Rights (NYTimes editorial)
The E.U.'s Dangerous Data Rules (Daphne Keller and Bruce D. Brown)
Night-vision goggles case causes plane crash (WashPost)
U.S. carriers mum on 60 Minutes report on vulnerability in SS7
  (FierceWireless via Geoff Goodfellow)
U.S. Cyberwar aims to cripple ISIS operations (David Sanger)
FBI admits it paid $1.3m to hack into that iPhone
  (*The Guardian* via danny burstein)
Facebook bug bounty hunter finds bug -- and exploit in progress
  (Peter Houppermans)
Kindle Unlimited Scam (Ann Christy via Charles B. Weinstock)
If Emoji Are the Future of Communication Then We're Screwed (NYMag)
Hacker: This is how I broke into Hacking Team (CSOonline via Monty Solomon)
The big picture on software backdoors (Mark Thorson)
Air Force blames deadly crash on goggles case (CNN via Monty Solomon)
The Burr-Feinstein Proposal Is Simply Anti-Security
  (Electronic Frontier Foundation via David Farber)
No Phones for You!
  Chic Businesses Are Abandoning Landlines (NYT)
Windows Users - Apple and Govt say to remove Quicktime from your PC
  (Chris J Brady)
Re: BMW's car-sharing service launches--and almost lands Ars a ticket
  (Richard Bos)
Re: Bank Back Stabbing (Alister Wm Macintyre)
Re: Man accidentally deletes his entire company with one line of bad code:
  *NOT TRUE* (Martin Ward, John Levine, Rick Steeves, Matt Bishop)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 19 Apr 2016 19:31:28 +0000
From: Lindsay Marshall <Lindsay.Marshall@newcastle.ac.uk>
Subject: Newcastle servers downed by water-main flood early last week

  [Please pass the word on to any of your friends and colleagues who would
  normally be reading RISKS via the UK redistribution on catless.ncl.ac.uk,
  courtesy of Lindsay Marshall.  Lindsay noted to me that catless was on a
  very old Newcastle server, and presumably will be rebooted -- eventually.
  Lindsay has been our heroic maintainer of the risks.org RISKS repository
  and its redistribution of RISKS issues to the UK for years and years.
  However, this outage is way beyond his responsibility, and is agonizing.
  Meanwhile, you can read RISKS as comp.risks or at risks@ftp.sri.com.  PGN]

  [Lindsay responded to my query: "It was a water main.  But our big machine
  room has always been deep underground."]

------------------------------

Date: Fri, 22 Apr 2016 14:41:54 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: 55-million Philippine voters' personal information exposed

The Philippines' Commission on Elections' entire database of 55-million
Philippine voters was breached, initially on 27 Mar 2016.  Trend Micro
reported it on 6 Apr, with subsequent items in *The Register* and *The
Guardian*.  *The New York Times* reported it on 22 Apr.
http://www.nytimes.com/aponline/2016/04/22/world/asia/ap-as-philippines-election-hacking-.html?emc=eta1

------------------------------

Date: Fri, 22 Apr 2016 15:06:05 -0400
From: Marc Rotenberg <rotenberg@epic.org>
Subject: Personal info of 93.4-million Mexicans exposed on Amazon

"This incident clearly erodes the confidence of citizens in a of government
bodies.  Some citizens might decide to never provide data again to the
Instituto Nacional Electoral, the next time their ID expires," Guzman adds,
noting that although it's a relief that financial and bank information were
not leaked, "the information could still be used for criminal purposes, since
the location[s] of citizens are available."

  * * *

With this leak, Mexico now joins a list of countries where almost the entire
population has had their personal information leaked or breached, as 93.4
million represents over 72% of Mexico's estimated population.  Belize,
Greece, Israel, Philippines, and Turkey have also experienced leaks of the
majority of their population's personal information.  And of course, let's
not forget that Chris Vickery had also discovered 191 million U.S. voters --
data leaking due to a similarly misconfigured database.

http://www.databreaches.net/personal-info-of-93-4-million-mexicans-exposed-on-amazon/

------------------------------

Date: Mon, 25 Apr 2016 12:01:00 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Bucking the Trend on Voting Rights (*The New York Times*)

Lead editorial, *The New York Times*, 25 Apr 2016, relating to Virginia
Governor Terry McAuliffe restoring voting rights to more than 200,000 people
who have completed their sentences for felony convictions.  This reverses
Virginia's previous lifetime ban on voting.  [PGN-ed]

Final paragraph:

  Congress should amend the Voting Rights Act to restore preclearance and
  apply it to all jurisdictions with a recent history of discriminatory
  voting practices.
  And state officials who are not busy trying to disenfranchise people
  should be following Mr McAuliffe's example, and working to make it easier
  for people to vote.

------------------------------

Date: Mon, 25 Apr 2016 12:01:00 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: The E.U.'s Dangerous Data Rules (Keller/Brown)

Daphne Keller and Bruce D. Brown
The E.U.'s Dangerous Data Rules
Op-Ed, *The New York Times*, 25 Apr 2016
Can Europe protect privacy without creating *splinternets*?

Important op-ed.  Here's the final paragraph:

  Privacy is a real issue, and shouldn't be ignored in the Internet age.
  But applying those national laws to the Internet needs to be handled with
  more nuance and concern.  These developments should not be driven only by
  privacy regulators.  State departments, trade and justice ministries and
  telecom regulators in France and other European countries should be
  demanding a place at the table.  So should free-expression advocates.  One
  day, international agreements may sort this all out.  But we shouldn't
  Balkanize the Internet in the meantime.  Once we've erected barriers
  online, we might not be able to tear them down.

------------------------------

Date: Tue, 19 Apr 2016 09:44:39 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Night-vision goggles case causes plane crash (WashPost)

https://www.washingtonpost.com/news/checkpoint/wp/2016/04/19/night-vision-goggle-case-cause-of-plane-crash-that-killed-14-air-force-says/

------------------------------

Date: Tue, 19 Apr 2016 09:12:53 -1000
From: the keyboard of geoff goodfellow <geoff@iconia.com>
Subject: U.S. carriers mum on 60 Minutes report on vulnerability in SS7

A follow-up article on yesterday's article:
http://www.fiercewireless.com/story/us-carriers-mum-60-minutes-report-vulnerability-ss7/2016-04-19

------------------------------

Date: Mon, 25 Apr 2016 12:01:00 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: U.S. Cyberwar aims to cripple ISIS operations (David Sanger)

David Sanger, *The New York Times* front page, 25 Apr 2016
A New Line of Attack: Using Secret Weapons to Infiltrate Computer Networks

------------------------------

Date: Thu, 21 Apr 2016 17:55:01 -0400 (EDT)
From: danny burstein <dannyb@panix.com>
Subject: FBI admits it paid $1.3m to hack into that iPhone (*The Guardian*)

*The Guardian*
FBI admits it paid $1.3m to hack into San Bernardino shooter's iPhone

The FBI paid about $1.3m for software to hack into the iPhone of San
Bernardino gunman Syed Farook, director James Comey told a London audience
on Thursday.

The staggering price illustrates the growth of the so-called "exploit market"
for digital spy tools and cyber weapons as governments increasingly use
hacker tricks for law enforcement and war.  Prices for such software are
rarely disclosed, although anything in the seven-figure range is extremely
expensive.

https://www.theguardian.com/technology/2016/apr/21/fbi-apple-iphone-hack-san-bernardino-price-paid

  [Yes, the alleged cost is staggering.  However, perhaps the FBI is
  including all sorts of secondary costs, or having paid multiple sources
  for multiple exploits, or simply not understanding that the vulnerability
  that they actually exploited was well known in various communities, and
  could have been acquired for free from certain sources!  PGN]

------------------------------

Date: Fri, 22 Apr 2016 12:53:25 +0200
From: Peter Houppermans <peter@houppermans.net>
Subject: Facebook bug bounty hunter finds bug -- and exploit in progress

In short, a bug bounty hunter (someone looking to find bugs to take advantage
of a reward program) was examining Facebook and eventually found a way in,
only to discover that someone was already in the specific system.
Facebook proclaimed this to be residue left by another bounty hunter (making
the later one a hunter-gatherer?), a statement I have some problems with as I
personally would clear out malware as fast as I'd discover it.

The story is summarised here, including a link to the rather interesting
writeup of the technical details:
http://www.theregister.co.uk/2016/04/22/i_hacked_facebook_and_found_someone_had_beaten_me_to_it/

------------------------------

Date: Tue, 19 Apr 2016 11:34:26 -0400
From: "Charles B. Weinstock" <weinstock@conjelco.com>
Subject: Kindle Unlimited Scam

According to Ann Christy, scammers are gaming the Amazon Kindle Unlimited
system by publishing fake books with many pages, and tricking people into
downloading them because:

1. They are free to download during the first five days of publication, and
2. They use click farms to force the books to the top of the Kindle
   Unlimited bestseller list.

http://www.annchristy.com/ku-scammers-on-amazon-what-you-need-to-know/

The books themselves encourage the reader to go to the last page of the book
to be entered into a contest or some such.  This causes Amazon to believe
that the entire book was read and results in a maximum payout to the
scammer.  (Authors earn royalties on Kindle Unlimited books based on the
number of pages read -- apparently as measured by the last page read.)

Since the Kindle Unlimited royalty pool is fixed across all books this means
that authors of legitimate books are getting less than they should because
the scammers are taking thousands of dollars out of the pool.
------------------------------

Date: Mon, 18 Apr 2016 22:13:46 -0400
From: Monty Solomon <monty@roscom.com>
Subject: If Emoji Are the Future of Communication Then We're Screwed

http://nymag.com/following/2016/04/people-often-disagree-about-what-emoji-mean.html

Investigating the Potential for Miscommunication Using Emoji
http://grouplens.org/blog/investigating-the-potential-for-miscommunication-using-emoji/

*Blissfully happy* or *ready to fight*: Varying Interpretations of Emoji
http://grouplens.org/site-content/uploads/Emoji_Interpretation.pdf

------------------------------

Date: Mon, 18 Apr 2016 21:40:59 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Hacker: This is how I broke into Hacking Team

http://www.csoonline.com/article/3057980/security/hacker-this-is-how-i-broke-into-hacking-team.html
http://pastebin.com/raw/0SNSvyjJ

------------------------------

Date: Mon, 18 Apr 2016 22:48:09 -0700
From: Mark Thorson <eee@sonic.net>
Subject: The big picture on software backdoors

Consider this.
http://smbc-comics.com/comics/1460904126-20160417.png

------------------------------

Date: Wed, 20 Apr 2016 01:00:31 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Air Force blames deadly crash on goggles case

http://www.cnn.com/2016/04/19/politics/us-air-force-plane-crash-afghanistan/index.html

------------------------------

Date: Thu, 21 Apr 2016 15:10:34 -0400
From: "David Farber" <dfarber@me.com>
Subject: [IP] The Burr-Feinstein Proposal Is Simply Anti-Security |
  Electronic Frontier Foundation

https://www.eff.org/deeplinks/2016/04/burr-feinstein-proposal-simply-anti-security

------------------------------

Date: Wed, 20 Apr 2016 22:05:20 -0400
From: Monty Solomon <monty@roscom.com>
Subject: No Phones for You!  Chic Businesses Are Abandoning Landlines (NYT)

Many phone numbers these days merely lead to automated voice mail with
directions to a website.  And some businesses have abandoned phones
altogether.
http://www.nytimes.com/2016/04/21/fashion/phones-businesses-landline.html

------------------------------

Date: Thu, 21 Apr 2016 00:25:25 +0000 (UTC)
From: Chris J Brady <chrisjbrady@yahoo.com>
Subject: Windows Users - Apple and Govt say to remove Quicktime from your PC

The company releasing the info is Trend Micro/DV Labs as part of their "Zero
Day Initiative".
http://blog.trendmicro.com/urgent-call-action-uninstall-quicktime-windows-today/
http://zerodayinitiative.com/about/

but the actual flaw was discovered by Steven Seeley of Source Incite --
according to the credit line in the reports:
http://zerodayinitiative.com/advisories/ZDI-16-241/
http://zerodayinitiative.com/advisories/ZDI-16-242/

The Department of Homeland Security's U.S. Computer Emergency Readiness Team
(US-CERT) is a clearing house for computer security information, and is
simply passing along the information from the Zero Day Initiative advisories
https://www.us-cert.gov/ncas/alerts/TA16-105A

And for completeness, here is the link to the Wall Street Journal article:
http://www.wsj.com/articles/windows-users-its-time-to-dump-apples-quicktime-1461007437

------------------------------

Date: Tue, 19 Apr 2016 16:47:33 GMT
From: raltbos@xs4all.nl (Richard Bos)
Subject: Re: BMW's car-sharing service launches--and almost lands Ars a
  ticket (Ars, RISKS-29.47)

Erm... no.  Reading the article, it's clear that it wasn't the service that
led to the traffic violation, it was *the journalist blindly following the
satnav* that did it.  It would've resulted in an (almost) ticket, regardless
of whether this happened in a shared Beamer or the author's private Ford.

There is a RISKS lesson here, certainly, but it's an old one and it has
nothing to do with ReachNow specifically: when you turn on your satnav, do
not turn off your brain.
------------------------------

Date: Mon, 25 Apr 2016 14:43:10 -0500
From: "Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Subject: Re: Bank Back Stabbing (RISKS-29.47)

  [Fin: Uh...and just whose rating would that be?  I can hand out stars,
  too, and will be more than happy to if you send me the names of the
  institutions. - Fin]

fin@nym.hush.com asked a question about what rating system I was using for
the due diligence, in my "Bank Back stabbing" post, for which I plan
additional future installments, after I have cooled down enough from my anger
with recent incidents, to describe with clarity and conciseness, to the best
of my ability.

In the USA, banks are regulated by the FDIC government organization, which
awards stars for a variety of adherence to best practices and level of risk
of default, such as having enough money to sustain obligations, diversity of
investments across different industry sectors ... what we laymen call SAFE
and SECURE, from both a financial perspective and a cyber perspective.  One
star means it has one foot in the grave.  Five stars is the best.

Via Internet search, we can find sites which list banks in our area, and what
their FDIC ratings are, and other info.  It is not as well organized for
other kinds of financial institutions, some of which have better insurance
funds than the FDIC.

There are also both government, and better-business-bureau type resources
which tell us what kinds of complaints other consumers have had against
institutions, and how they were resolved.  I don't care if there are a lot
of complaints.  I care that they are resolved swiftly, politely, and with
justice.

Then after finding high star, or equivalent, institutions, which apparently
behave in a civilized way, my next due diligence interests include rate
competitiveness, and ease of access to their services.
Alister Wm Macintyre (Al Mac)
https://www.linkedin.com/in/almacintyre
Panama Papers group: https://www.linkedin.com/groups/8508998

------------------------------

Date: Tue, 19 Apr 2016 08:56:12 +0100
From: Martin Ward <martin@gkc.org.uk>
Subject: Re: Man accidentally deletes his entire company with one line of
  bad code: *NOT TRUE* (RISKS-29.47)

As you probably know by now, this story is now claimed to be a hoax by the
original forum poster.  The Independent has this update:

  "Since this story was posted, Mr Marsala has claimed that his original
  post was a hoax and written as a marketing stunt, but that it had happened
  to a client of his in 2006.  Contacted by The Independent, Mr Marsala said
  that the post was guerilla [*] marketing for another, unnamed, company."

ServerFault has deleted the original question.

The real RISK is that these days, anyone can post anything to just about any
popular forum and have it taken up and printed by the major news networks
without any checking or verification.

As if to illustrate this point, one of the sidebars to this story is a link
to the story "Women considered to write better code than men as long as they
don't reveal their gender, study suggests"
http://www.independent.co.uk/life-style/gadgets-and-tech/news/women-better-code-men-github-study-a6870836.html

This story reports on a paper "authored by a group of six students from
California Polytechnic State University and North Carolina State University,
[which] has been published online, *but is not yet peer-reviewed.*" (my
emphasis).

So: some students wrote a paper, put it on a web site, and it gets picked up
by major news networks: before it has even been peer-reviewed.

"A lie can travel halfway around the world before the truth can get its
boots on" (Incorrectly attributed to Mark Twain: but the truth is still
trying to catch up with the incorrect attribution!)
Dr Martin Ward STRL Principal Lecturer & Reader in Software Engineering
martin@gkc.org.uk  http://www.cse.dmu.ac.uk/~mward/

  [* "300-pound guerilla my dreams?" (in British currency)  PGN]

------------------------------

Date: 18 Apr 2016 23:56:08 -0000
From: "John Levine" <johnl@iecc.com>
Subject: Re: Man accidentally deletes his entire company with one line of
  bad code: *NOT TRUE* (RISKS-29.47)

The reason it sounded too good to be true is that it was.  It's a hoax.

http://www.repubblica.it/tecnologia/2016/04/15/news/cancella_l_azienda_per_sbaglio_la_disavventura_tecnologica_di_marco_marsala-137693154/
http://www.nydailynews.com/news/national/man-deleted-entire-company-hoax-article-1.2604511

------------------------------

Date: Mon, 18 Apr 2016 20:13:53 -0400
From: Rick Steeves <risks@corwyn.net>
Subject: Re: Man accidentally deletes his entire company with one line of
  bad code: *NOT TRUE* (RISKS-29.47)

And news that even RISKS users can fall for a hoax:
http://www.pcworld.com/article/3057235/data-center-cloud/that-man-who-deleted-his-entire-company-with-a-line-of-code-it-was-a-hoax.html

(really, someone who claims the original error, and then follows it up with
then claiming that he got the if / of command reversed when attempting a
recovery was a good clue).

------------------------------

Date: Tue, 19 Apr 2016 21:01:08 -0700
From: Matt Bishop <mabishop@ucdavis.edu>
Subject: Re: Man accidentally deletes his entire company with one line of
  bad code: *NOT TRUE* (RISKS-29.47)

According to Snopes, this is a hoax: see
http://www.snopes.com/man-deletes-company-code/ ...  From that:

  "Marsala admitted to making up the scenario in order to promote his small
  company, which (naturally) provides outsourced server management
  services."

Not sure that's how I'd go about promoting a server management company ...
------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request@csl.sri.com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall@newcastle.ac.uk>.

=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
 browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 29.48
************************