RISKS Forum mailing list archives
Risks Digest 30.98
From: RISKS List Owner <risko () csl sri com>
Date: Thu, 27 Dec 2018 16:38:00 PST
RISKS-LIST: Risks-Forum Digest  Friday 27 December 2018  Volume 30 : Issue 98

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.98>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Largest car recalls in 2018 (Car and Driver)
Best Cyber Stories of 2018 (Motherboard)
How Much of the Internet Is Fake? Turns Out, a Lot of It, Actually.
  (Geoff Goodfellow)
Inspector General audit finds basic cybersecurity lax for US ballistic
  missile defense systems (Rob Wilcox)
Our Cellphones Aren't Safe (Cooper Quintin, The New York Times)
Our Cellphones Aren't Safe (2018) and The Electronic Serial Number:
  A cellular 'sieve' -- 'spoofers' can defraud users and carriers (June 1987)
Parachutes are no better than backpacks -- randomized trial (BMJ)
Facebook shared even more than previously known (NYTimes)
UK security researchers find lax security in app-controlled consumer
  hot tubs (BBC)
Apple Watch ECG is putting a lot of health control in consumers' hands (CNBC)
Innovation and Immigration (W.A. Griffin on William Kerr)
Tesla Mobile Service (Rob Slade)
Computers Determine States of Consciousness (Scientific American)
Facebook, recidivus -- again -- and yet again ... (Rob Slade)
IRS Linux move delayed by lingering Oracle Solaris systems (ZDNet)
Canada: OPC publishes guidance for organizations and individuals related to
  protecting personal information collected during cannabis transactions (GC)
FCC Launches New Offensive Against Scam, Robo Calls (EWeek)
This patent shows Amazon may seek to create a database of suspicious persons
  using facial-recognition technology (WashPost)
Re: Sneaky parrot uses Amazon Alexa to shop ... (danny burstein)
Re: Drone shatters passenger jet's nose-cone, radar (Amos Shapir)
Re: The GPS wars are here (Erling Kristiansen)
Re: "Market volatility: Fake news spooks trading algorithms" (paul wallich)
Re: New Zealand courts banned ...; Google just emailed it out. (Dick Mills)
Re: Rudy Giuliani Says Twitter Sabotaged His Tweet (Amos Shapir)
Re: Risks of `Reply All' and failing to BCC (Paul Robinson)
Re: She'd just had a stillborn child. Tech companies wouldn't let her
  forget it (Amos Shapir)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 19 Dec 2018 17:33:07 -0500
From: George Sherwood <sherwood () testcover com>
Subject: Largest car recalls in 2018 (Car and Driver)

Annie White lists the 10 largest recalls in Car and Driver's January 2019
issue:

4,846,885 FCA. Cruise control cannot be canceled.
1,619,112 Ford. Fire after seatbelt pretensioner deployment.
1,357,311 Honda. Passenger frontal airbag inflator may explode.
1,301,986 Ford. Steering wheel may detach.
1,282,596 Ford. Stuck canister purge valve may cause stall.
1,149,237 FCA. Tailgate may open unexpectedly.
1,015,918 GM. Temporary loss of electric power steering.
  807,329 Toyota. Hybrid system may shut down and cause stall.
  691,726 Honda. Passenger frontal airbag inflator may explode.
  622,657 Toyota & Pontiac. Passenger frontal airbag inflator may explode.

Recall numbers, listed on page 019, are from January--October 2018.

------------------------------

Date: Sun, 23 Dec 2018 09:15:42 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: Best Cyber Stories of 2018 (Motherboard)

Dead CIA agents, ignored whistleblowers, irresponsible encryption mongers,
what-were-they-thinking ethics failures X N, election hacking,
reaping-what-you-sow govt hacking blowback, Congressional
oversight^H^H^H^H^Hlook,
ordinary-citizens-are-human-shields-and-collateral damage, etc.
In other words, 2018 was a very good year, if you happened to be a malicious
hacker or a govt contractor (but I repeat myself).

https://motherboard.vice.com/en_us/article/xwj38j/motherboard-cybersecurity-jealousy-list-2018

The Cybersecurity Stories We Were Jealous of in 2018
by Lorenzo Franceschi-Bicchierai and Joseph Cox
Dec 21 2018, 7:10am

Here at Motherboard, we are passionate about cybersecurity. ... here's a very
incomplete list of our favorite stories ... that we wish we had done
ourselves.

Kaspersky's 'Slingshot' Report Burned An Isis-focused Intelligence Operation
(Cyberscoop)
https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/

What is a cybersecurity firm's responsibility around not exposing certain
hacking operations? Here, Cyberscoop showed that sometimes companies do
decide to unmask campaigns targeting arguably legitimate threats, such as
terrorists. We also explored this dilemma in our feature on Kaspersky Lab a
few weeks after Chris Bing and Patrick O'Neill's scoop.

The CIA's Communications Suffered A Catastrophic Compromise. It Started In
Iran. (Yahoo News)
https://www.yahoo.com/news/cias-communications-suffered-catastrophic-compromise-started-iran-090018710.html

The US government and its intelligence apparatus suffered a deadly blow in
China in 2011 and 2012, when more than two dozen CIA sources and informants
were killed. But it all started in Iran in 2009, when hackers broke into a
CIA "Internet-based covert communications system," as revealed in this
bombshell report by Zach Dorfman and Jenna McLaughlin.

How Persian Gulf Rivals Turned US Media Into Their Battleground (BuzzFeed
News)
https://www.buzzfeednews.com/article/kevincollier/qatar-uae-iran-trump-leaks-emails-broidy

Sometimes the best weapon a hacker can use is not an exploit or phishing kit,
but the media. If you can discredit your enemy through the relatively cheap
method of enticing a journalist with a scoop, you're onto a winning strategy.
Just look at how Guccifer 2.0--a persona allegedly created by the Russian
government--distributed the hacked Democrats material too.

Mysterious $15,000 'GrayKey' Promises To Unlock iPhone X For The Feds (Forbes)
https://www.forbes.com/sites/thomasbrewster/2018/03/05/apple-iphone-x-graykey-hack/

This story broke open an entire avenue of reporting for us and others:
finally, someone was selling relatively cheap tools for unlocking iPhones,
which led to widespread proliferation of the tech not just among the
three-letter intelligence agencies of the world, but also among state and
local law enforcement. This has ramifications for all sorts of things in the
so-called Going Dark debate, and kicked off a new game of security
cat-and-mouse between Apple and Grayshift.

FBI Repeatedly Overstated Encryption Threat Figures To Congress, Public (The
Washington Post)
https://www.washingtonpost.com/world/national-security/fbi-repeatedly-overstated-encryption-threat-figures-to-congress-public/2018/05/22/5b68ae90-5dce-11e8-a4a4-c070ef53f315_story.html

The FBI has been complaining about encryption ... well, pretty much since the
1990s. And in the last few years, particularly after Apple refused to help
unlock an alleged terrorist's iPhone, the battle has intensified. This
Washington Post scoop showed that the numbers trotted out by FBI officials
when talking about how damaging strong encryption is during investigations
were overstated and sometimes incorrect. In other words, encryption isn't as
much of a hurdle as the FBI would like us to believe.

Google Plans to Launch Censored Search Engine in China, Leaked Documents
Reveal (The Intercept)
https://theintercept.com/2018/08/01/google-china-search-engine-censorship/

Ryan Gallagher not only broke the news that Google was developing a search
engine for China, one that would censor terms around human rights and
protests, but he's also remained on top of the story. His reporting sparked
widespread protests both internally at Google and among human rights
organizations, questions at a Congressional hearing, and, just this week, he
reported that Google has hit a major roadblock with the project as disputes
have grown internally. This story reminded us--once again--that companies
that have a good track record for caring about human rights don't always stay
that way, and that a handful of employees speaking up can change the course
of a multi-billion company.

Google Is Helping the Pentagon Build AI for Drones (Gizmodo)
https://gizmodo.com/google-is-helping-the-pentagon-build-ai-for-drones-1823464533

Speaking of Google employees standing up against a controversial program,
this story about the Internet giant's secret Pentagon contract broke long
before Googlers organized marches to protest their own company. Kate Conger's
relentless reporting on the story led to Google shutting down the program and
was one of the original stories that helped kick off a new wave of protests
by Silicon Valley employees against their own companies.

Facebook Is Giving Advertisers Access to Your Shadow Contact Information
(Gizmodo)
https://gizmodo.com/facebook-is-giving-advertisers-access-to-your-shadow-co-1828476051

It wasn't a great year for Facebook's bosses either. Cambridge Analytica, a
constant struggle to moderate content, and some embarrassing breaches
affecting millions of people, among a slew of seemingly endless scandals. You
may have missed or forgotten this story, but it's worth your time. Kashmir
Hill, with the help of a team of smart researchers, proved how Facebook mines
your cell phone's contact data to suggest new friends on the social network,
and to serve you better targeted ads.

Your Apps Know Where You Were Last Night, and They're Not Keeping It Secret
(The New York Times)
https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html

Speaking of apps that know too much ... there are only a few outlets with the
resources, reach, and dedication to take a story and present it in such a way
that the general public can really understand a security issue. This is one
of those stories--the sharing of location data lifted by apps may not be a
new phenomenon, but the Times team produced the definitive piece tangibly
explaining what this means for the privacy of everyone with a smartphone.

Thermostats, Locks and Lights: Digital Tools of Domestic Abuse (The New York
Times)
https://www.nytimes.com/2018/06/23/technology/smart-home-devices-domestic-abuse.html

We've extensively covered how malware is used in cases of domestic violence,
stalking, and abuse. This Times piece looked at the next step in that use of
technology at home: the Internet of Things. Definitely worth a read if you
are concerned with how technology can impact the lives of ordinary,
non-technical people. And if you don't, why are you reading a post about
cyber articles?

Russian Troll Farm Hijacked American Teen Girls' Computers for Likes (The
Daily Beast)
https://www.thedailybeast.com/russia-troll-farm-hijacked-american-teen-girls-computers-for-likes

As a hacker, Kevin Poulsen brings some of the coolest technological
approaches into journalism. Here, Poulsen found a dodgy browser extension
belonging to Russia's controversial troll army, the Internet Research Agency.
He then bought the domain linked to it, letting him see what sort of data it
was collecting, and from where. He found the IRA's software on computers all
over the place. A great reminder to think how journalists can approach a
story from a different, technological angle.

A Quebecer Spoke Out Against The Saudis--Then Learned He Had Spyware On His
iPhone (CBC)
https://www.cbc.ca/news/technology/omar-abdulaziz-spyware-saudi-arabia-nso-citizen-lab-quebec-1.4845179

What's the point of writing about malware, spyware, and hacking if you can't
show readers how the technology affects real people?
Every great infosec story should have a human angle. This is a great example
of that. Former Motherboard editor Matt Braga visited one of the latest
victims of government-sponsored hacking, a growing problem that's putting
regular people all over the world in danger.

Gray Hat--Marcus Hutchins' Profile (New York Magazine)
https://nymag.com/intelligencer/2018/03/marcus-hutchins-hacker.html

The security researcher better known as MalwareTech helped stop WannaCry, one
of the most virally infectious malware outbreaks ever. Months later, the FBI
arrested him for a crime he's accused of having committed when he was a teen.
This in-depth profile tries to answer a universal question in the world of
cybersecurity: does a hacker hero always have to have a past? And if so, what
should authorities do with them?

Service Meant to Monitor Inmates' Calls Could Track You, Too (The New York
Times)
https://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html

File this under "companies you probably never heard of doing sketchy things
that can affect us all." The Times scored another huge scoop revealing that
Securus Technologies, a firm that provides and monitors inmates' phone calls,
was letting pretty much anyone track people's cell phones for a fee. Thanks
to Securus, anyone "can find the whereabouts of almost any cell phone in the
country within seconds," according to the investigation. As we found out
later, and rather unsurprisingly, Securus wasn't securing this data at all.

The Crisis of Election Security (The New York Times)
https://www.nytimes.com/2018/09/26/magazine/election-security-crisis-midterms.html

You've heard about election hacking for years. Everyone is worried about it,
but seemingly no one is doing anything to prevent it. Veteran infosec
reporter (and Motherboard contributor) Kim Zetter goes deep into the history
and crisis of election security, writing perhaps the definitive piece about
the subject. A must-read for anyone who cares about democracy and the
integrity of the elections.

The Untold Story Of NotPetya, The Most Devastating Cyberattack In History
(Wired)
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

The outbreak of destructive malware NotPetya never got the attention it
deserved, perhaps because it came a few weeks after the headline-grabbing
WannaCry ransomware outbreak. Andy Greenberg does it justice in this
thrilling tale, part of his upcoming book, on how NotPetya crippled the
largest shipping company in the world. The only downside of this story is
that it will make you want to read more, but you'll have to wait until the
book comes out.

In Leaked Chats, Wikileaks Discusses Preference For Gop Over Clinton, Russia,
Trolling, And Feminists They Don't Like (The Intercept)
https://theintercept.com/2018/02/14/julian-assange-wikileaks-election-clinton-trump/

WikiLeaks and Julian Assange's fall from grace has been documented over the
last few years, but this report, built on a treasure trove of leaked chat
logs, felt like the nail in the coffin. The Intercept revealed how the
secret-spilling organization candidly talked about their preference for the
Republican party to win the 2016 election, their thoughts on the "bright,
well connected, sadistic sociopath" Hillary Clinton, and some unsavory
comments about feminist activists.

Israeli Cyber Firm Negotiated Advanced Attack Capabilities Sale With Saudis,
Haaretz Reveals (Haaretz)
https://www.haaretz.com/israel-news/.premium-israeli-company-negotiated-to-sell-advanced-cybertech-to-the-saudis-1.6680618

The controversial and successful spyware vendor NSO Group has been in the
headlines for a couple of years, after researchers caught government hackers
using sophisticated hacking tools developed by the company to hack a
Dubai-based human rights activist. This investigation by Israeli newspaper
Haaretz exposed the behind-the-scenes story of how Saudi Arabia bought iPhone
malware from NSO for more than $200 million.

Russian Hackers Posed As ISIS To Threaten Military Wives (Associated Press)
https://apnews.com/4d174e45ef5843a0ba82e804f080988f

The threat of ISIS hackers has often been unjustifiably hyped up. But in this
deeply reported story, people like Angela Ricketts show that the threat was
real enough for some people. The AP's Raphael Satter talked to several people
targeted by ISIS sympathizers, putting a face to the victims of a scary
online campaign. We need more stories that focus on the victims of hacking;
this was a great example of that. And Satter and his colleagues at the AP
have produced several more in the last few months that are also worth your
time.

Living with Depression in Tech (Jonathan Zdziarski's personal blog)
https://www.zdziarski.com/blog//ZUp=7437

Apple security researcher and forensic expert Jonathan Zdziarski here opened
up about an incredibly important and often overlooked topic: mental health in
tech. Zdziarski powerfully details his own struggle with depression, and at
the same time offers a hopeful tale of overcoming it with a lot of hard work,
introspection, and learning. ...

------------------------------

Date: Thu, 27 Dec 2018 06:50:35 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: How Much of the Internet Is Fake? Turns Out, a Lot of It, Actually.

In late November, the Justice Department unsealed indictments against eight
people accused of fleecing advertisers of $36 million in two of the largest
digital ad-fraud operations ever uncovered. Digital advertisers tend to want
two things: people to look at their ads and premium websites -- i.e.,
established and legitimate publications -- on which to host them. The two
schemes at issue in the case, dubbed Methbot and 3ve by the security
researchers who found them, faked both.
Hucksters infected 1.7 million computers with malware that remotely directed
traffic to spoofed websites -- empty websites designed for bot traffic
  https://services.google.com/fh/files/blogs/3ve_google_whiteops_whitepaper_final_nov_2018.pdf
that served up a video ad purchased from one of the Internet's vast
programmatic ad-exchanges, but that were designed, according to the
indictments, ``to fool advertisers into thinking that an impression of their
ad was served on a premium publisher site,'' like that of *Vogue* or *The
Economist*. Views, meanwhile, were faked by malware-infected computers with
marvelously sophisticated techniques to imitate humans: bots *faked* clicks,
mouse movements, and social network login information to masquerade as
engaged human consumers
  https://cdn2.hubspot.net/hubfs/3400937/WO_Methbot_Operation_WP_01.pdf/
Some were sent to browse the Internet to gather tracking cookies from other
websites, just as a human visitor would have done through regular behavior.
Fake people with fake cookies and fake social-media accounts, fake-moving
their fake cursors, fake-clicking on fake websites -- the fraudsters had
essentially created a simulacrum of the Internet, where the only real things
were the ads.

How much of the Internet is fake? Studies generally suggest that, year after
year, less than 60 percent of web traffic is human; some years, according to
some researchers, a healthy majority of it is bot. For a period of time in
2013, *The Times* reported
  https://www.nytimes.com/interactive/2018/01/27/technology/social-media-bots.html
this year, a full half of YouTube traffic was `bots masquerading as people',
a portion so high that employees feared an inflection point after which
YouTube's systems for detecting fraudulent traffic would begin to regard bot
traffic as real and human traffic as fake. They called this hypothetical
event *The Inversion*.

In the future, when I look back from the high-tech gamer jail in which
President PewDiePie will have imprisoned me.
http://nymag.com/intelligencer/2018/12/why-pewdiepies-anti-semitic-youtube-jokes-dont-hurt-him.html

http://nymag.com/intelligencer/2018/12/how-much-of-the-internet-is-fake.html

------------------------------

Date: Thu, 20 Dec 2018 22:17:38 -0800
From: Rob Wilcox <robwilcoxjr () gmail com>
Subject: Inspector General audit finds basic cybersecurity lax for US
  ballistic missile defense systems

  [Note the cover story in the latest issue of *The Nation*, which goes into
  huge details on related cases.  PGN]

Cabinet departments have Inspectors General (IG) with wide and deep audit
responsibility. Most agencies take IG reports seriously; the IG reports high
in hierarchically-cultured agencies.

The Department of Defense has released an audit of select ballistic missile
defense-related facilities. These facilities manage information and
operations, which if known, would compromise function of these systems. The
IG audited a sample of facilities. (Longtime RISKS readers may be aware that
many believe these systems will never work as represented. One need only
read back to the work of Dr David Parnas.)

Flaws included lack of two-factor authentication, encryption, intrusion
detection and prevention systems, physical access to servers and least
privilege authorization processes.

``During our site visit, we observed security footage showing that a
representative from the [redacted] gained unauthorized access to the
[redacted] facility by simply pulling the door open. The security camera
footage also showed that although the representative stopped to ask for
directions, the individual she stopped did not request to see her [redacted]
badge or question her facility access. Furthermore, the security footage
showed that the security officer at the front desk also did not request to
see her [redacted] badge.''

Enterprise IT security, credit card security, critical infrastructure,
federal IT standards, NIST and cybersecurity professional NGO entities have
recommended these basic controls for many years.

Unclassified report:
https://media.defense.gov/2018/Dec/14/2002072642/-1/-1/1/DODIG-2019-034.PDF

------------------------------

Date: Thu, 27 Dec 2018 14:59:18 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Our Cellphones Aren't Safe (Cooper Quintin, The New York Times)

https://www.nytimes.com/2018/12/26/opinion/cellphones-security-spying.html

This article may not be new to you, but it raises a plethora of issues with
landline and cellular telephones that have existed for many years, and indeed
many that have been well known -- e.g., see Geoff Goodfellow's message from
1987, which follows this one. Risks noted in Cooper's article include fake
cell towers siphoning off information, readily available spying tools, SS7
security weaknesses, governmental desires for easy access, and lots more.
Some of the issues from the Keys Under Doormats report are also present.

  [Note: I started writing this while reading *The Times* over breakfast,
  and revised it after reading Geoff's item this afternoon.  PGN]

------------------------------

Date: Thu, 27 Dec 2018 09:56:49 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Our Cellphones Aren't Safe (2018) and The Electronic Serial Number:
  A cellular 'sieve' -- 'spoofers' can defraud users and carriers (June 1987)

Cooper Quintin (EFF), *The New York Times*, 27 December 2018
Security flaws threaten bank accounts. So why aren't we fixing them?
https://www.nytimes.com/2018/12/26/opinion/cellphones-security-spying.html

EXCERPT:

America's cellular network is as vital to society as the highway system and
power grids.
Vulnerabilities in the mobile phone infrastructure threaten not only personal
privacy and security, but also the country's.

According to intelligence reports, spies are eavesdropping on President
Trump's cellphone conversations and using fake cellular towers in Washington
to intercept phone calls. Cellular communication infrastructure, the system
at the heart of modern communication, commerce and governance, is woefully
insecure. And we are doing nothing to fix it.

This should be at the top of our cybersecurity agenda, yet policymakers and
industry leaders have been nearly silent on the issue. While government
officials are looking the other way, an increasing number of companies are
selling products that allow buyers to take advantage of these
vulnerabilities.

Spying tools, which are becoming increasingly affordable, include cell-site
simulators (commonly known by the brand name Stingray), which trick
cellphones into connecting with them without the cellphone owners' knowledge.
Sophisticated programs can exploit vulnerabilities in the backbone of the
global telephone system (known as Signaling System 7, or SS7) to track mobile
users, intercept calls and text messages, and disrupt mobile communications.

These attacks have real financial consequences. In 2017, for example,
criminals took advantage of SS7 weaknesses to carry out financial fraud by
redirecting and intercepting text messages containing one-time passwords for
bank customers in Germany. The criminals then used the passwords to steal
money from the victims' accounts.

How did we get here, and why is our cellular infrastructure so insecure?...

[...]

  [And, PGN notes, here is Geoff's excerpt from something he wrote
  originally in 1985]

Date: 12 Jun *1987* 13:40-PDT
From: Geoffrey S. Goodfellow <Geoff () CSL SRI COM>
Subject: Article on Cellular [in]security.

The following is reprinted from the *November 1985* issue of Personal
Communications Technology magazine by permission of the authors and the
publisher, FutureComm Publications Inc., 4005 Williamsburg Ct., Fairfax, VA
22032, 703/352-1200. Copyright 1985 by FutureComm Publications Inc. All
rights reserved.

THE ELECTRONIC SERIAL NUMBER: A CELLULAR 'SIEVE'?
'SPOOFERS' CAN DEFRAUD USERS AND CARRIERS

by Geoffrey S. Goodfellow, Robert N. Jesse, and Andrew H. Lamothe, Jr.

What's the greatest security problem with cellular phones? Is it privacy of
communications? No. Although privacy is a concern, it will pale beside an
even greater problem: spoofing.

  [*Security flaws threaten our privacy and bank accounts. So why aren't we
  fixing them?*]

'Spoofing' is the process through which an agent (the 'spoofer') pretends to
be somebody he isn't by proffering false identification, usually with intent
to defraud. This deception, which cannot be protected against using the
current U.S. cellular standards, has the potential to create a serious
problem -- unless the industry takes steps to correct some loopholes in the
present cellular standards.

Compared to spoofing, the common security concern of privacy is not so
severe. Most cellular subscribers would, at worst, be irked by having their
conversational privacy violated. A smaller number of users might actually
suffer business or personal harm if their confidential exchanges were
compromised. For them, voice encryption equipment is becoming increasingly
available if they are willing to pay the price for it.

Thus, even though technology is available now to prevent an interloper from
overhearing sensitive conversations, cellular systems cannot -- at any cost
-- prevent pirates from charging calls to any account. This predicament is
not new to the industry. Even though cellular provides a modern,
sophisticated quality mobile communications service, it is not fundamentally
much safer than older forms of mobile telephony.
History of Spoofing Vulnerability...

[...]

http://massis.lcs.mit.edu/archives/cellular/cellular.sieve

  [When will they ever learn? (Little boxes made of Ticky-Tacky.)  PGN]

------------------------------

Date: Sat, 22 Dec 2018 09:36:40 -0800
From: Rob Slade <rmslade () shaw ca>
Subject: Parachutes are no better than backpacks -- randomized trial (BMJ)

The actual paper: Parachute use to prevent death and major trauma when
jumping from aircraft: randomized controlled trial.
https://www.bmj.com/content/363/bmj.k5094

An article explaining the situation in a slightly more readable fashion.
https://www.npr.org/sections/health-shots/2018/12/22/679083038/researchers-show-parachutes-dont-work-but-there-s-a-catch

The point being: be careful when relying on the outcome of studies.

------------------------------

Date: Wed, 19 Dec 2018 9:49:49 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Facebook shared even more than previously known (NYTimes)

Facebook network gave Microsoft, Amazon, Spotify and others far greater
access to people's data than it has disclosed.
https://www.nytimes.com/2018/12/18/technology/facebook-privacy.html

------------------------------

Date: Tue, 25 Dec 2018 05:26:55 -0800
From: Rob Wilcox <robwilcoxjr () gmail com>
Subject: UK security researchers find lax security in app-controlled
  consumer hot tubs (BBC)

About 30,000 hot tubs are controlled by Balboa Water App. The app uses a
cloud service to access a WiFi controller attached to the hot tub through
the consumer's Internet-connected home network. The researchers explored and
found common IoT (Internet of Things) security flaws.

- Simplified setup of the WiFi network made it susceptible to hackers within
  local range. There was no MAC-level security.
- One of those modes allowed the controllers to be discoverable by anyone on
  the Internet.
- The tub controller authentication to the cloud uses a static
  username/password sent in the clear and easily discoverable (now
  published). There is no authentication of the user to the mobile app.
- Software quality poor and poor vendor response to the threat.

All those resulted in the capability to compromise the clock, temperature
and pumps. Interestingly, the programmers used a faulty conversion between
Fahrenheit and Celsius!

The whole story is a fascinating read: humorous, for the researchers
justifying buying a hot tub and controller to their management - then
photographing themselves in Santa caps using the tub; and sad, because the
vendor only returned calls to the researchers after the BBC broke the story.
The system vendor has been very naughty this year.

We hope this story brings a smile (and maybe a groan) to Risks readers! And
we wish you all a secure new year!

https://www.pentestpartners.com/security-blog/hackers-in-hot-water-pwning-smart-hot-tubs-yes-really/
https://www.bbc.com/news/technology-46674706

  [Richard Stein noted the BBC item and commented, ``The home is a castle,
  unless connected to The Internet of Mistakes.''  PGN]

------------------------------

Date: Fri, 21 Dec 2018 17:16:01 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Apple Watch ECG is putting a lot of health control in consumers'
  hands (CNBC)

As more people have access to an ECG, doctors are being inundated with
patient data, and it's not all good. Apple says users of its watch should
still consult their doctor.

https://www.cnbc.com/2018/12/19/apple-watch-ecg-is-putting-a-lot-of-health-control-in-consumers-hands.html

------------------------------

Date: Mon, 24 Dec 2018 12:00:20 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Innovation and Immigration (W.A. Griffin on William Kerr)

The Innovation Engine, an article in the Jan-Feb 2019 Harvard Magazine by
William A. Griffin discusses research by Professor William Kerr, and makes
some interesting points regarding innovation and immigration. For example,

* 33% of U.S. Nobel Laureates since 1901 have been immigrants.
* 40% of American doctoral degrees were awarded to noncitizens. * More than 25% of American entrepeneurs were born overseas. Kerr is quoted: ``powerful ideas are the main force behind long-term economic growth.'' [Xenophobia involves less logic than Zeno's paradoxes, and might be mistaken for Zenophobia, PGN] ------------------------------ Date: Fri, 21 Dec 2018 16:15:22 -0800 From: Rob Slade <rmslade () shaw ca> Subject: Tesla Mobile Service So, I saw a car labeled "Tesla Mobile Service." Do they go to where a driver is in trouble, unplug the car, and plug it in again? ------------------------------ Date: Thu, 20 Dec 2018 11:09:43 +0800 From: Richard Stein <rmstein () ieee org> Subject: Computers Determine States of Consciousness (Scientific American) https://www.scientificamerican.com/article/computers-determine-states-of-consciousness/ In "Google is training machines to predict when a patient will die" (http://catless.ncl.ac.uk/Risks/30/74%23subj22.1, we learned that physiological measurements might be someday be applied by a machine-based algorithm to assess "death likelihood," and possibly advise a hastening or postponement of palliative healthcare treatment. Basically, Google's gizmo will yield a number of sorts indicative of a patient's viability to sustain biological activity. Now add in another data point via a machine capability based on the "DOC-Forest" algorithm trained to interpret EEG signals and conclude a value for "Disorder of Consciousness." https://en.wikipedia.org/wiki/Disorders_of_consciousness identifies several states of consciousness: locked in syndrome, minimally conscious, persistent vegetative, chronic coma, and brain death. Apparently, neurologists are sometimes challenged to accurately determine patient consciousness level (based on arousal and awareness): can they hear spoken words or music? Feel a touch though they don't react? Or smell odors? If yes, what does this imply about patient recovery and rehabilitation potential? 
Medical imaging (MRI, PET, CT, etc.) may yield inconclusive evidence, or be difficult to assess for an unconscious patient's brain state and recovery likelihood.

If two points determine a line, would this hypothetical line's 1st derivative (the slope) imply "terminate life support" or "sustain life support"?

Risk: Medical practice decision support via black box, inexplicable AI. Might be time to add a "Black Box" warning to some medical technology. See https://www.fda.gov/downloads/ForConsumers/ConsumerUpdates/UCM107976.pdf

------------------------------

Date: Thu, 20 Dec 2018 11:05:48 -0800
From: Rob Slade <rmslade () shaw ca>
Subject: Facebook, recidivus -- again -- and yet again ...

Facebook exposes your pics. And sells the phone number you gave them for security purposes. And tries to predict your movements. And has breaches they try to hide. And tries to ad-block even when it hurts you. And gives you a VPN that spies on you.

None of this is new, of course. Those of us in the security field are possibly getting a wee bit tired of continuing "news" of Facebook's misdeeds. (And probably expect to be hearing the same of Instagram and Whatsapp at any moment.)

The thing is, Facebook keeps on promising to do better, but actions that they take appear to be minimal and feckless. When Facebook is caught out, they seem to immediately want to turn the tables and say it is the fault of the users (or someone else). But, if you can find actual facts, Facebook never seems to come out clean.

Some have posited that Facebook's whole structure and business model is simply inherently bad. Whether that is true or not, unethical behaviour is deeply entrenched at Facebook, and, in corporations, ethics always derive from the top. Some companies, even with deep problems with misfeasance (if not malfeasance) do manage to turn things around, but only with a housecleaning at the top. Facebook seems completely unwilling to take the necessary steps.
https://lite.cnn.io/en/article/h_d6f18ad97cce69b248364fa11ff2902c

If you want to get at the reports behind some of the items mentioned, see
https://community.isc2.org/t5/Industry-News/Facebook-recidivus-again-and-yet-again/m-p/17181
or https://is.gd/zoHD6G

------------------------------

Date: Wed, 19 Dec 2018 20:13:08 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: IRS Linux move delayed by lingering Oracle Solaris systems (ZDNet)

The auditors missed two reasons why this migration has gone so wrong: Politics and funding.

Rep. Gerry Connolly (D-Va) told NextGov, a federal technology news publication, "Since Republicans gained control of the House of Representatives in 2010, their partisan attacks have left the IRS with nearly 10,000 fewer customer service representatives to assist taxpayers and a patchwork of IT systems, some dating back to the Kennedy Administration, which is ultimately harming all taxpayers."

Or, as IRS CTO Terence Milholland told Congress in 2016, "The situation is analogous to operating a 1960s automobile with the original chassis, two suspension and drivetrain, but with a more modern engine, satellite radio, and a GPS navigation system. It runs better than the original model but not nearly as efficiently as a system bought today."

More recently, Nina Olson, the IRS national taxpayer advocate, told Congress, "Since FY 2010, the IRS budget has been reduced by 20 percent on an inflation-adjusted basis, and the IRS workforce has declined by about the same percentage. These reductions have led to significant cuts in taxpayer service levels and have prevented the IRS from deploying new technology that would improve the taxpayer experience."

Linux could improve technology and save funding, but to save money, first you have to spend money. If, and only if, the IRS can modernize its systems can Linux show what it can do for both the agency and the American taxpayer.
https://www.zdnet.com/article/irs-linux-move-delayed-by-lingering-oracle-solaris-systems/

------------------------------

Date: Wed, 19 Dec 2018 11:06:31 -0500
From: Kelly Bert Manning <bo774 () freenet carleton ca>
Subject: Canada: OPC publishes guidance for organizations and individuals related to protecting personal information collected during cannabis transactions (GC)

https://www.priv.gc.ca/en/opc-news/news-and-announcements/2018/an 181217/
https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/gd_can_201812/

"Cannabis is illegal in most jurisdictions outside of Canada. The personal information of cannabis users is therefore very sensitive. For example, some countries may deny entry to individuals if they know they have purchased cannabis, even lawfully."

https://www.oipc.bc.ca/guidance-documents/2248

The bottom line seems to be use cash, not a bank card, to limit the data trail. Not using pot might be an even better idea if you plan to travel to other countries in the future.

This seems to be directed at people who will be buying pot now that it is legal in Canada. It is a non-issue for the rest of us who do not use pot.

Apparently we can expect higher produce prices as greenhouses convert from tomatoes, peppers and lettuce to pot. I don't recall that being mentioned previously as a likely outcome of pot legalization.

https://www.ctvnews.ca/canada/what-does-cannabis-cost-across-canada-1.4138585

------------------------------

Date: Wed, 19 Dec 2018 10:10:11 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: FCC Launches New Offensive Against Scam, Robo Calls (EWeek)

Carriers were required to explain their plans for comprehensive call blocking on 19 Nov, with the ability to be in place in 2019.

http://www.eweek.com/networking/fcc-launches-new-offensive-against-scam-robo-calls

The risk? Security better late than never. But very late.
------------------------------

Date: Wed, 19 Dec 2018 12:52:49 +0800
From: Richard Stein <rmstein () ieee org>
Subject: This patent shows Amazon may seek to create a database of suspicious persons using facial-recognition technology (WashPost)

https://www.washingtonpost.com/technology/2018/12/13/this-patent-shows-amazon-may-seek-create-database-suspicious-persons-using-facial-recognition-technology

The patent application proposes to use doorbell camera photo-capture with resident approval/disapproval input supplements to compile an "Ok to pass" and "Not ok to pass" database shared among neighbors, a digitally-surveilled 'Neighborhood Watch' program. This database would be shared with local law enforcement community.

"An algorithm shouldn't be deciding whether someone is suspicious," he said. "We're [Jake Snow of ACLU Northern California] calling on Amazon to be more thoughtful of the consequences of their technology being deployed in communities and to put people before profit."

Risk: False-positive profiling potential and 'suspicious label' attribution via algorithmic physical appearance interpretation. Perhaps the algorithm may be more effective if it applied tactile phrenology as an image capture supplement?

------------------------------

Date: Thu, 20 Dec 2018 19:44:25 -0500
From: danny burstein <dannyb () panix com>
Subject: Re: Sneaky parrot uses Amazon Alexa to shop ...

TAMPA, Fla. (WFLA) - A foul-mouthed parrot, who was kicked out of an animal sanctuary for swearing too much, is using technology to cause even more trouble. The Times of London reports Rocco, an African grey, has been using Amazon Alexa to shop online while his owner was away.

[snip]

The default "wake up" call to the Alexa Echo Spybot is the word "Alexa". However, you can change it to "Echo" and a couple of others. Yeah, it's a pain to do so, involving pulling up the Alexa application on your phone and going through a bunch of menus, but it would solve this specific problem.
------------------------------

Date: Sat, 22 Dec 2018 11:22:29 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Drone shatters passenger jet's nose-cone, radar (RISKS-30.97)

This incident, and the one in Gatwick yesterday, raise the notion that it's time to require that each drone over a certain size carry an ID chip, and have these registered somewhere; this way a drone's owner could be identified in case of an incident.

Such regulations are in effect for dogs in many jurisdictions; it seems that drones need an even stricter supervision.

------------------------------

Date: Fri, 21 Dec 2018 11:04:44 +0100
From: Erling Kristiansen <erling.kristiansen () xs4all nl>
Subject: Re: The GPS wars are here

I wonder how future AVs (autonomous vehicles) will react to GPS jamming. And GPS spoofing, making the AV think it is in a different place, might be even more fun.

------------------------------

Date: Thu, 20 Dec 2018 19:46:28 -0500
From: paul wallich <pw () panix com>
Subject: Re: "Market volatility: Fake news spooks trading algorithms"

[all about how the market has been so volatile downward because of high-speed trading algorithms getting suckered by fake news]

Don't blame the algorithm, blame the training set. The kinds of news-scanning programs described are ultimately trying to get ahead of what their programmers/trainers/historical data say human traders would do in a similar situation. And pretty much since the founding of markets, human traders have been making ill-informed hair-trigger trades based on faulty analysis of rumors or questionable headlines. The pattern has been around in all the decades I've been watching: some piece of news or non-news triggers a spike in buying or selling of a particular company's stock, and then within hours or days the stock is back to its previous value/trend.
The money that's made in these swings comes from figuring out what all the other lemmings (apology to the real rodents in question) are going to do, and doing it faster or in the other direction. So the algorithms are just being thoughtlessly greedy faster and with more resources at their command. (Once again, a computer can make a mistake in microseconds that would take humans working with paper and pencil several minutes to make).

------------------------------

Date: Sun, 23 Dec 2018 15:37:05 -0500
From: Dick Mills <dickandlibbymills () gmail com>
Subject: Re: New Zealand courts banned ...; Google just emailed it out. (RISKS-30.97)

I have two problems with that report.

1. It is a disturbing trend when every local judge in every country issues orders that he expects to be enforced globally. By what authority do they claim that power? Can a Russian judge order silence about hacking elections?

2. Google is not an originator of news. In all likelihood, the name of the accused was being discussed openly in NZ sources, and was indeed "trending" as Google said. Only American firms are accused of evil behavior, while home-grown companies, forums, and news sources get a free pass. I expect that we'll see the day when The Guardian UK editorializes about how evil Google is for indexing an article from The Guardian web site.

------------------------------

Date: Sat, 22 Dec 2018 11:10:45 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Rudy Giuliani Says Twitter Sabotaged His Tweet (Shapir, 30.96)

Thanks for this, and many other answers I have received, but they all refer to *outgoing* mail; my question was how to stop Google from inserting links into *incoming* mail, over whose contents and format I have no control.

------------------------------

Date: Wed, 26 Dec 2018 22:11:56 +0000 (UTC)
From: Paul Robinson <paul () paul-robinson us>
Subject: Re: Risks of `Reply All' and failing to BCC (Shapir, RISKS-30.97)

I've seen it myself.
I was on the mailing list for potential suppliers to the Washington Metropolitan Area Transit Authority (the Washington, DC bus and rail transit provider) a few years ago when they sent out a notice of an upcoming request for bid to me and the other 1645 subscribers to that mailing list, because whoever sent it out posted all 1646 names in the "To:" field. The message header ran for 75 screens; the message was one screen, about 10-15 lines.

------------------------------

Date: Sat, 22 Dec 2018 11:15:20 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: Re: She'd just had a stillborn child. Tech companies wouldn't let her forget it (RISKS-30.97)

This reminds me of the story (urban legend?) about a search site's algorithm which noticed that some people who had searched for a certain cancer medicine, also searched later for funeral homes and tombstones...

------------------------------

Date: Tue, 5 May 2018 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
<http://the.wiretapped.net/security/info/textfiles/risks-digest/>
*** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks have done to URLs. I have tried to extract the essence.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.98
************************