ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 30 Issue 32
Saturday 10 June 2017
- How Russian Propaganda Spread from a Parody Website to Fox News
- Neil MacFarquahar and Andrew Rossback
- Securing our election systems?
- Stolen Roambee property reports itself to owner
- Mark Brader
- Voice synthesis
- Mark Brader
- Internet cameras have hard-coded password that can’t be changed
- Ars Technica
- UK police arrest man via automatic face-recognition tech
- Ars Technica
- Task force tells Congress health IT security is in critical condition
- Monty Solomon
- Cyberattack on Britain’s National Health Service—A Wake-up Call for Modern Medicine
- Monty Solmon
- Ponzi Scheme Meets Ransomware for a Doubly Malicious Attack
- Sneaky hackers use Intel management tools to bypass Windows firewall
- Ars Technica
- Self-driving cars
- Multiple items from Monty
- Re: Robot Copilot Lands 737
- Andrew Duane
- Re: Software is forever… Re: WannaCry
- Paul Edwards
- Re: What Happens When Your Car Gets Hacked?
- Dimitri Maziuk
- Re: Untold story of QF72: What happens when ‘psycho’ automation leaves pilots powerless?
- John Levine
- Info on RISKS (comp.risks)
How Russian Propaganda Spread from a Parody Website to Fox News (Neil MacFarquahar and Andrew Rossback)“Peter G. Neumann” <[email protected]>
Sat, 10 Jun 2017 16:22:19 PDT
I've been meaning to submit this for the past few days, and finally found a few spare moments: How Russian Propaganda Spread from a Parody Website to Fox News Neil MacFarquahar and Andrew Rossback *The New York Times*, 8 June 2017 Here's the time sequence described in the article: * Parody website (Made-up Russian attack on a U.S. shop * Facebook (Parody article shared) * Russian TV (Invented a quote from a U.S. Air Force general) * The Sun (Reported on the Russian TV story) * FoxNews.com (Article reprinted with only hints of skepticism)
Securing our election systems? (Slate)“Peter G. Neumann” <[email protected]>
Thu, 8 Jun 2017 12:18:46 PDT
"Despite the alarms raised by these revelations in recent days, there has been little discussion of solutions. But the way forward is relatively clear. Protecting our elections against foreign attackers ultimately requires the will to squarely address known vulnerabilities—a will that has been lacking in Washington." http://www.slate.com/articles/technology/future_tense/2017/06/congress_needs_to_act_now_to_secure_our_election_systems.html
Stolen Roambee property reports itself to ownerMark Brader
Fri, 9 Jun 2017 05:09:40 -0400 (EDT)
At the Roambee factory in Santa Clara, California, one or more thieves (the kind who are dumb enough to leave their own blood and other evidence behind them) stole a box of 100 of what they thought were cellphone chargers. Actually they were Roambee Bees, which are GPS-based trackers that broadcast their location. (Their intended use is that a company shipping goods puts one in each shipment and can always know where it is.) And they can't be turned off. It wasn't long before police recovered the stolen goods and made an arrest, and meanwhile the Roambee company got some free advertising... http://www.mercurynews.com/2017/06/06/sjm-roambee-0607/ http://www.sfgate.com/bayarea/article/any-11204181.php
Voice synthesisMark Brader
Fri, 9 Jun 2017 05:24:14 -0400 (EDT)
It says here: http://www.tdbank.com/bank/tdvoiceprint.html http://www.td.com/ca/products-services/investing/td-direct-investing/trading-platforms/voice-print-system-enroll.jsp that customers of the Toronto-Dominion Bank can arrange to have the bank's computer identify them, in part, by recognizing their voice on the phone. (I therefore presume that other banks are now doing this also.) It says here: http://www.cbc.ca/news/any-1.4084423 that a new Canadian company called Lyrebird has produced software which (they say), given a 1-minute high-quality recording of anyone's voice, can produce a highly accurate simulation of that person saying anything the user chooses. And given a 5-minute recording, the quality would be extremely hard to tell from the real thing. And someone thought that this was a GOOD idea? [I presume Mark is referring to the Toronto-Dominion Bank phone voice scheme rather than the Lyrebird scheme. The latter is obviously a good idea, because it clearly points to the stupidity of the former. PGN]
Internet cameras have hard-coded password that can’t be changed (Ars Technica)Monty Solomon <[email protected]>
Fri, 9 Jun 2017 13:08:28 -0700
UK police arrest man via automatic face-recognition tech (Ars Technica)Monty Solomon <[email protected]>
Fri, 9 Jun 2017 13:07:00 -0700
Task force tells Congress health IT security is in critical conditionMonty Solomon <[email protected]>
Fri, 9 Jun 2017 13:08:53 -0700
Cyberattack on Britain’s National Health Service—A Wake-up Call for Modern MedicineMonty Solomon <[email protected]>
Fri, 9 Jun 2017 13:19:53 -0700
Ponzi Scheme Meets Ransomware for a Doubly Malicious AttackMonty Solomon <[email protected]>
Fri, 9 Jun 2017 13:16:07 -0700
https://www.nytimes.com/2017/06/06/technology/hackers-ransomware-bitcoin-ponzi-wannacry.html As more of our lives go online, online attackers are finding increasingly creative ways to wreak havoc using ransomware, and now, pyramid schemes.
Sneaky hackers use Intel management tools to bypass Windows firewall (Ars Technica)Monty Solomon <[email protected]>
Fri, 9 Jun 2017 13:09:57 -0700
Self-driving carsMonty Solomon <[email protected]>
Fri, 9 Jun 2017 13:16:41 -0700
[PGN has merges multiple items into one message:] https://www.nytimes.com/2017/06/07/technology/google-self-driving-cars-handoff-problem.html Robot Cars Can't Count on Us in an Emergency Scientists call it the *handoff* problem. How do you keep humans focused enough to take control of a self-driving car in an emergency? [This is an old argument that Don Norman has addressed. Partial automation is risky. On the other hand, if total automation allows overrides, it is really only partial automation, and risky! PGN] https://www.nytimes.com/2017/06/07/technology/autonomous-car-technology-challenges.html A Guide to Challenges Facing Self-Driving Car Technologists The underlying technology of autonomous vehicles has made dramatic strides in recent years. But there are still plenty of issues to be worked out. https://www.nytimes.com/2017/06/07/technology/why-car-companies-are-hiring-computer-security-experts.html Why Car Companies Are Hiring Computer Security Experts: Researchers have proved a car can be remotely hacked. Now imagine if that car was being driven entirely by a computer. https://www.nytimes.com/2017/06/07/technology/electronic-setups-of-driverless-cars-vulnerable-to-hackers.html Electronic Setups of Driverless Cars Vulnerable to Hackers: As cars become more like computers, cybercriminals will have more ways to get into their important systems.
Re: Robot Copilot Lands 737 (RISKS-30.30)Andrew Duane <[email protected]>
Fri, 9 Jun 2017 08:58:36 -0400
... and also Re: Untold story of QF72: What happens when 'psycho' automation leaves pilots powerless? (RISKS-30.30) To paraphrase an old joke: In the future, the cockpit of an airplane will have a computer, a pilot, and a dog. It's the computer's job to fly the plane. It's the pilot's job to watch over the computer. It's the dog's job to bite the pilot if he tries to touch the controls. [Indeed, an old joke, but we have lots of young readers, so it might be okay to run it every 20 years: In November 1997, RISKS-19.47 had this line from Robert Dorsett: "With autopilots, who needs a dog to keep an eye on the pilot?" (This was in a delightful item of a plane that took off without its pilot after he got out to crank the propeller.) Incidentally, in its early days, NASA insisted that computers had to be buried under layers of equipment so that it would be very difficult for astronauts to fiddle with the hardware. There was one later case where an in-space repair actually had to be made. However, software is easy to remediate without physical access. PGN]
Re: Software is forever… Re: WannaCry (Keating, RISKS 30.31)Paul Edwards <[email protected]>
Fri, 9 Jun 2017 20:35:52 +1000
> ... How bad would the state need to be before this last option starts > looking good? Far, far worse than it does now, frankly. One issue that is often overlooked in this debate is that of application affinity. I work in financial services; it's scary how many applications will not work on anything more modern than Windows XP, or rely on appallingly out-of-date and deprecated versions of Java. A friend of mine works in healthcare in IT; she faces a similar problem with certain applications that are used to monitor patient well-being in ICU. Forcibly turning off non-supported OSes, frameworks or languages that the given applications require? What could possibly go wrong?
Re: What Happens When Your Car Gets Hacked? (Ross, RISKS-30.31)Dimitri Maziuk <[email protected]>
Thu, 8 Jun 2017 16:29:37 -0500
As synchronicity would have it, RedHat has recently fixed a security problem in Remote Procedure Calls detailed in CVE-2017-8779: ".. a memory leak can occur when parsing specially crafted XDR messages. An attacker sending thousands of messages to rpcbind could cause its memory usage to grow without bound, eventually causing it to be terminated" The "fix" is causing rpcbind to crash 4 seconds after starting. By now probably the largest user of RPC is file sharing via Network File System (NFS) and the result of the "fix" is network shares disappearing. If remember my NFS correctly, this would not affect already connected shares, so the problem may possibly go unnoticed for quite some time. We downgraded our rpcbind and are waiting for the fix of the fix. In the meantime other patches are not getting installed so as to not accidentally reinstall the bad one. Funny enough, the "older unpatched" RHEL 5 systems are not very vulnerable to this particular problem because they're EOL and not receiving any fixes anymore. Including bad ones. The vulnerability itself requires a skilled attacker inside your security perimeter sending "thousands of specially crafted messages" to eventually accomplish the exact thing that RedHat did in 4 seconds with a single patch.
Re: What Happens When Your Car Gets Hacked? (Ross, RISKS-30.30)Lothar Kimmeringer <[email protected]>
Fri, 9 Jun 2017 21:51:07 +0200
> knowledgeable Windows 7 users block automatic patches [...] > They wait a week or more to see what other experience with > new patches before accepting them. The patch for the bug in SMB was marked as "critical, wormable". Whoever calls him/herself "knowledgeable" and waits with installing that kind of patch, should be called by others in a completely different way. Waiting to install a patch that fixes a typo in a context-menu is one thing but ignoring a patch fixing a wormable bug is something completely different. That's an announced shot into your own foot or - taking real consequences into account - potentially killing people in the UK because they couldn't be treated due to the hospitals' computers got affected.
Re: Untold story of QF72: What happens when ‘psycho’ automation leaves pilots powerless? (Manning, RISKS-30.31)“John Levine” <[email protected]>
8 Jun 2017 23:01:26 -0000
> ... sometimes with disastrous results. But sometimes without. In this article, William Langewiesche credits the successful ditching of US 1549 as much to the Airbus flight automation as to the skill of the pilot. http://www.vanityfair.com/culture/2009/06/us_airways200906 The question is whether the pilot or the software is more likely to go nuts. The answer is not obvious to me, particularly in cases like the Air France flight off Brazil where the instruments went nuts in a way that would have been harmless if the crew ignored them, but instead the crew did exactly the wrong thing and lost the plane.
Re: Untold story of QF72: What happens when ‘psycho’ automation leaves pilots powerless? (Manning, RISKS-30.31)William Brodie-Tyrrell <[email protected]>
Fri, 9 Jun 2017 08:56:31 +0930
Does Prof. Leveson also refuse to go near roads? This is a wonderful illustration of people who should know better still optimising away the tiniest risks that seem controllable while ignoring other greater but less-newsworthy risks. I can well believe that the Boeing philosophy is safer, but I'd take the deaths per passenger-mile in an Airbus over just about any other form of transport including a taxi to the airport. In light of terrorism vs car crashes, Airbus vs heart attacks, sharks vs falling out of bed, one could almost make a generalisation that "if everyone is frightened of it, it's probably not a threat to you". Same thing seems to apply in infosec: all the panic over 0-days, APT, etc vs people not bothering to apply vendors' patches and reusing the same password on 50 different websites.
Please report problems with the web pages to the maintainer