RISKS Forum mailing list archives
Risks Digest 30.69
From: RISKS List Owner <risko () csl sri com>
Date: Wed, 16 May 2018 17:33:23 PDT
RISKS-LIST: Risks-Forum Digest  Wednesday 16 May 2018  Volume 30 : Issue 69

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.69>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
America continues to ignore the risks of election hacking (The New Yorker)
Russia Tried to Undermine Confidence in Voting Systems, Senators Say (NYTimes)
Virginia election officials assigned 26 voters to the wrong district (WashPo)
Securing Elections (Bruce Schneier)
Australian Emergency Calls Fail due to lightning strike (ABC AU)
Self-driving cars' shortcomings revealed in DMV reports (Merc)
VW bugs: "Unpatchable" remote code pwnage (TechBeacon)
Software bug led to death in Uber's self-driving crash (Ars Technica)
Deadly Convenience: Keyless Cars and Their Carbon Monoxide Toll (NYT)
The risk from robot weapons (via The Statesman/Asia News Network, published in The Straits Times)
Is technology bringing history to life or distorting it? (WashPo)
2,000 wrongly matched with possible criminals at Champions League (BBC AU)
KRACK Wi-Fi vulnerability can expose medical devices, patient records (Osborne, R 30 68)
Nigerian Email Scammers Are More Effective Than Ever (WiReD)
Dark code (DW)
Postmortem of Fortnite Service Outage (Epic Games)
Collateral damage (538)
Dozens of security cameras hacked in Japan (Mainichi)
Technology turns our cities into spies for ICE, whether we like it or not (LATimes)
The Digital Vigilantes Who Hack Back (The New Yorker)
Bring in the Nerds: EFF Introduces Actual Encryption Experts to U.S. Senate Staff (EFF)
Email Encryption Tools Are No Longer Safe, Researchers Say (Fortune)
Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw (EFF)
Once Again, Activists Must Beg the Government to Preserve the Right to Repair (Motherboard)
Widespread Misunderstanding of x86-64 Privileged Instruction Leads to Widespread Escalation Hazard (MITRE CVE 2018-8897)
Alexa and Siri Can Hear This Hidden Command Audio Attacks (NYTimes)
Buckle Up, Prime Members: Amazon Launches In-Car Delivery (Business Wire)
Meant to Monitor Inmates' Calls Could Track You Too (NYTimes)
Cell Phone Location data reportedly available to law enforcement without verification/process (Ars Technica)
During disasters, active Twitter users likely to spread falsehoods: Study examines Boston Marathon bombing, Hurricane Sandy; also finds most users fail to correct misinformation (Science Daily)
Face recognition police tools 'staggeringly inaccurate' (BBC.com)
Intel Documentation Blamed for Multiple Operating System Security Flaws (IT Pro)
The Problem with Chinese GPS (Now I Know)
U.S. identifies suspect in major leak of CIA hacking tools (WashPo)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 7 May 2018 22:11:57 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: America continues to ignore the risks of election hacking (The New Yorker)

http://www.newyorker.com/news/news-desk/america-continues-to-ignore-the-risks-of-election-hacking

"America's voting systems are hackable in all kinds of ways. As a case in point, in 2016, the Election Assistance Commission, the bipartisan federal agency that certifies the integrity of voting machines, and that will now be tasked with administering Congress's three hundred and eighty million dollars, was itself hacked.
The stolen data -- log-in credentials of EAC staff members -- were discovered, by chance, by employees of the cybersecurity firm Recorded Future, whose computers one night happened upon an informal auction of the stolen passwords. ``This guy -- we randomly called him Rasputin -- was in a high-profile forum in the darkest of the darkest of the darkest corner of the dark Web, where hackers and reverse engineers, ninety-nine per cent of them Russian, hang out,'' Christopher Ahlberg, the CEO of Recorded Future, told me. ``There was someone from another country in the forum who implied he had a government background, and he wanted to get his hands on this stuff. That's when we decided we would just buy it. So we did, and took it to the government'' -- the U.S. government -- ``and the sale ended up being thwarted.'' (Ahlberg wouldn't identify which government agency his company had turned the data over to. The EAC, in a statement, referred questions about ``the investigation or information shared with the government by Recorded Future'' to the FBI. The FBI, through a Justice Department spokesperson, declined to comment.)"

------------------------------

Date: Tue, 8 May 2018 22:00:18 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Russia Tried to Undermine Confidence in Voting Systems, Senators Say (NYTimes)

http://www.nytimes.com/2018/05/08/us/politics/russia-2016-election-hackers.html

------------------------------

Date: Mon, 14 May 2018 00:55:08 -0400
From: Monty Solomon <monty () roscom com>
Subject: Virginia election officials assigned 26 voters to the wrong district (WashPo)

More than two dozen voters cast ballots in the wrong race. They were among 6,000 misassigned voters across the state. It might've cost Democrats a pivotal race.
http://www.washingtonpost.com/local/virginia-politics/voters-assigned-to-wrong-districts-may-have-cost-democrats-in-pivotal-virginia-race/2018/05/13/09a9dd8a-5465-11e8-a551-5b648abe29ef_story.html

------------------------------

Date: Tue, 15 May 2018 00:07:08 -0500
From: Bruce Schneier <schneier () schneier com>
Subject: Securing Elections (PGN-excerpted from Bruce's CRYPTO-GRAM, 15 May 2018)

Elections serve two purposes. The first, and obvious, purpose is to accurately choose the winner. But the second is equally important: to convince the loser. To the extent that an election system is not transparently and auditably accurate, it fails in that second purpose. Our election systems are failing, and we need to fix them.

  [This is a long item, perhaps intended for non-RISKS readers. Nevertheless, it is highly relevant and timely. The full article is at https://www.schneier.com/crypto-gram/ PGN]

------------------------------

Date: Sun, 6 May 2018 01:54:31 +0000
From: John Colville <John.Colville () uts edu au>
Subject: Australian Emergency Calls Fail due to lightning strike (ABC AU)

Calls to 000 (the Australian emergency phone number) failed to large areas of Australia on May 04 2018.

Government to investigate Telstra triple-0 outage after emergency calls go unanswered
http://www.abc.net.au/news/2018-05-04/telstra-triple-zero-outages-several-states-cable-damaged/9725860

------------------------------

Date: Thu, 3 May 2018 15:51:21 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Self-driving cars' shortcomings revealed in DMV reports (Merc)

NNSquad
http://www.mercurynews.com/2018/05/01/self-driving-cars-shortcomings-revealed-in-dmv-reports/

The disengagement reports themselves identify other problems some self-driving vehicles struggle with, for example heavy pedestrian traffic or poorly marked lanes.
In describing the events that caused their backup drivers to take the controls, the companies have provided a new window into the road-worthiness -- or not -- of their cars and systems. Baidu, a Chinese Internet-search giant, reported a case in which a driver had to take over because of a faulty steering maneuver by the robot car; several cases of "misclassified" traffic lights; a failure to yield for cross traffic; delayed braking behind a car that cut quickly in front; drifting out of a lane; and delayed perception of a pedestrian walking into the street.

------------------------------

Date: Sat, 12 May 2018 02:29:16 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: VW bugs: "Unpatchable" remote code pwnage (TechBeacon)

Two security researchers have excoriated Volkswagen Group for selling insecure cars. As in: hackable-over-the-Internet insecure.

They broke into a recent-model VW and an Audi, via the cars' Internet connections, and were able to jump from system to system, running arbitrary code. Worryingly, they fully pwned the unauthenticated control bus connected to some safety-critical systems -- such as the cruise control.

But VW has no way to push updates to its cars, and won't alert owners to visit a dealer for an update.

http://techbeacon.com/vw-bugs-unpatchable-remote-code-pwnage

------------------------------

Date: Mon, 7 May 2018 15:27:41 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Software bug led to death in Uber's self-driving crash (Ars Technica)

NNSquad
http://arstechnica.com/tech-policy/2018/05/report-software-bug-led-to-death-in-ubers-self-driving-crash/

The fatal crash that killed pedestrian Elaine Herzberg in Tempe, Arizona, in March occurred because of a software bug in Uber's self-driving car technology, The Information's Amir Efrati reported on Monday. According to two anonymous sources who talked to Efrati, Uber's sensors did, in fact, detect Herzberg as she crossed the street with her bicycle.
Unfortunately, the software classified her as a "false positive" and decided it didn't need to stop for her. Distinguishing between real objects and illusory ones is one of the most basic challenges of developing self-driving car software. Software needs to detect objects like cars, pedestrians, and large rocks in its path and stop or swerve to avoid them. However, there may be other objects -- like a plastic bag in the road or a trash can on the sidewalk -- that a car can safely ignore. Sensor anomalies may also cause software to detect apparent objects where no objects actually exist.

  [Also noted by Wendy Grossman: Classic case of where you set the positive/negative error rate tradeoffs in the classifier, but with the consequences amped up because it's a car on public roads, not a bit of software deciding between cats and giraffes: if you set the threshold too low the car stops (and jolts its passengers) for every plastic bag and shadow. If you set it too high...you get deaths. I wouldn't really call that a bug; I'd call it an experimental error. So besides the risks inherent in deciding where you set the threshold, there's the risk of allowing companies like Uber to run their experiments on public roads.]

------------------------------

Date: Sun, 13 May 2018 13:35:53 -0700
From: Richard M Stein <rmstein () ieee org>
Subject: Deadly Convenience: Keyless Cars and Their Carbon Monoxide Toll (NYT)

The New York Times
http://mobile.nytimes.com/2018/05/13/business/deadly-convenience-keyless-cars-and-their-carbon-monoxide-toll.html

"It seems like a common convenience in a digital age: a car that can be powered on and off with the push of a button, rather than the mechanical turning of a key. But it is a convenience that can have a deadly effect.

"On a summer morning last year, Fred Schaub drove his Toyota RAV4 into the garage attached to his Florida home and went into the house with the wireless key fob, evidently believing the car was shut off.
Twenty-nine hours later, he was found dead, overcome with carbon monoxide that flooded his home while he slept.

'``After 75 years of driving, my father thought that when he took the key with him when he left the car, the car would be off,'' said Mr. Schaub's son Doug.'

Adoption of technological convenience carries transition risk. The article discusses a wrongful death lawsuit boosted by internal Toyota memos that discovered recommendations to integrate audible and visual warnings when the engine remains active with no key fob inside the vehicle. This recommendation was 86'd from implementation. Over 20 people have perished from vehicle-generated CO poisoning since 2006.

------------------------------

Date: Sun, 13 May 2018 16:34:51 -0700
From: Richard M Stein <rmstein () ieee org>
Subject: The risk from robot weapons (via The Statesman/Asia News Network, published in The Straits Times)

http://www.straitstimes.com/asia/south-asia/the-risk-from-robot-weapons-the-statesman-contributor

'A letter warning against the coming race of these weapons was signed in 2015 by over 1,000 AI experts.'

'Peter Singer, an expert on future warfare at 'New America', a think tank, has said that very powerful forces propel the AI arms race - geopolitical compulsions, scientific advances and profit-seeking high technology companies.

'Scharre has also raised the possibility that perhaps because of badly written codes or perhaps because of cyber attack by an adversary, military use autonomous systems can malfunction, raising possibilities of attack on people or soldiers on the same side, or escalating conflicts or killing to unintended, highly exaggerated levels.'

Numerous public proclamations admonishing on AV weapon risks are insufficient to deter investment and capability pursuit. There's apparently too much momentum among businesses and governments to deflect this juggernaut.

With the Manhattan Project, scientific leadership recognized the risks nuclear weapons raised.
Some scientists argued for a demonstration, rather than deployment, to compel quick Japanese surrender. Nagasaki and Hiroshima were destroyed to temporarily establish and project US nuclear hegemony as a deterrent.

Aggressive international diplomacy among progressive governments might negotiate a non-proliferation of autonomous weaponry treaty (NPAWT), like the Treaty on the Non-Proliferation of Nuclear Weapons (NPT). However, an enforceable and verifiable treaty is unlikely to timely emerge given historical human proclivity and myopia, despite empirical evidence that argues for deliberate restraint and negotiation.

  [A timely reminder on the importance of negotiation to cut the risk of war can be found here (http://www.nytimes.com/2018/05/11/opinion/nuclear-doomsday-denial.html).]

------------------------------

Date: Sun, 13 May 2018 17:22:56 -0700
From: Richard M Stein <rmstein () ieee org>
Subject: Is technology bringing history to life or distorting it? (WashPo)

*The Washington Post*
http://www.washingtonpost.com/news/retropolis/wp/2018/05/10/is-technology-bringing-history-to-life-or-distorting-it/

"Whatever its shortcomings, the Kennedy speech is just the latest way that history is being digitally re-created, updated and manipulated as never before. From meticulously colorized photographs to immersive virtual-reality battlefields, scholars, artists and entrepreneurs are dragging the old days into the computer age. And scholastic standards are straining to keep up.

"The U.S. Military Academy is working on a phone-based app along the lines of Pokemon Go that will let visitors see how George Washington's troops strung a massive iron chain across the Hudson River. A team in North Carolina has synthesized an important but unrecorded 1960 speech by Martin Luther King Jr., acoustically accurate down to the echoes in the Durham church."
Simulation capability has improved to the point where a political leader can be used to construct a fictitious speech which appears authentic, with the power to convince an enraptured audience. This capability, if exploited by mendacious political entities, can accelerate democracy's decline.

Publication of false and misleading political speech, especially by elected authorities, empowers authoritarianism. Current political discourse in the US is heavy with misleading facts and falsehoods that confuse public sentiment. This manipulation distracts attention from government's intent to apparently conceal a hidden political agenda. Exactly what the agenda is, beyond "pay for play," is difficult to divine.

The introduction of bots applied for this purpose introduces an asymmetric multiplier for dissembled political discourse. By the time a policy becomes apparent through executive enforcement, the bots will have buried the policy agenda into a messaging morass that will potentially overwhelm any independent observer's (the free press) ability to analyze. The result is likely to suppress litigation that thwarts ill-conceived public policy that exclusively benefits "payers."

------------------------------

Date: Sat, 5 May 2018 11:51:07 +0200
From: Alberto Cammozzo <ac+nexa () zeromx net>
Subject: 2,000 wrongly matched with possible criminals at Champions League (BBC AU)

(via Diego Latella)
http://www.bbc.com/news/uk-wales-south-west-wales-44007872

More than 2,000 people were wrongly identified as possible criminals by facial scanning technology at the 2017 Champions League final in Cardiff.

South Wales Police used the technology as about 170,000 people were in Cardiff for the Real Madrid v Juventus game.

But out of the 2,470 potential matches with custody pictures - 92% - or 2,297 were wrong.

Chief Constable Matt Jukes said officers "did not take action" and no one was wrongly arrested.
South Wales Police have made 450 arrests in the last nine months using the automatic facial recognition (AFR) software, which scans faces comparing them to about 500,000 custody images

http://www.bbc.co.uk/news/technology-39735637

------------------------------

Date: Sun, 6 May 2018 15:15:31 +0100
From: Wols Lists <antlists () youngman org uk>
Subject: KRACK Wi-Fi vulnerability can expose medical devices, patient records (Osborne, R 30 68)

Actually, I believe it exploits a flaw in the most common IMPLEMENTATION of the protocol.

For security reasons, once the key has been checked the first time, the recipient forgets it (over-writes it with 0s), so if the attacker can interrupt the handshake at that point, they can resend a key of all zeros and authenticate.

The receiver should either abort the handshake completely, or not forget the key until the handshake is complete.

------------------------------

Date: Sun, 6 May 2018 22:54:59 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Nigerian Email Scammers Are More Effective Than Ever (WiReD)

You would think that after decades of analyzing and fighting email spam, there'd be a fix by now for the Internet's oldest hustle -- the Nigerian Prince scam. There's generally more awareness that a West African noble demanding $1,000 in order to send you millions is a scam, but the underlying logic of these "pay a little, get a lot" schemes, also known as 419 fraud, still ensnares a ton of people. In fact, groups of fraudsters in Nigeria continue to make millions off of these classic cons. And they haven't just refined the techniques and expanded their targets -- they've gained minor celebrity status for doing it.

http://www.wired.com/story/nigerian-email-scammers-more-effective-than-ever

------------------------------

Date: Sun 6 May 2018 11:12:58 -0000
From: "Wendy M. Grossman" <wendyg () pelicancrossing net>
Subject: Dark code (DW)

In the way of the TSB computing disaster (which DW has a long piece on the legacy code that runs banking systems, so old that no one understands it any more. The problem: you can't stay in business without updating, and updating it breaks things. Ellen Ullman has often written about this -- see for example 1997's Close to the Machine and her more recent sort-of-sequel.

http://m.dw.com/en/fail-by-design-bankings-legacy-of-dark-code/a-43645522

------------------------------

Date: Sun, 6 May 2018 13:36:41 -0400
From: Monty Solomon <monty () roscom com>
Subject: Postmortem of Fortnite Service Outage (Epic Games)

On 11 Apr 2018, we experienced an extended outage coinciding with the release of Fortnite 3.5. The outage blocked all logins for all players to our platform. We know many millions of you were excited about dropping from the Battle Bus with your friends, and it was a long time to wait to check out our 3.5 release. We sincerely apologize for the downtime.

We're sharing more technical details in this post to give you a better understanding about what went wrong, what we did to fix it, and how we can prevent future issues like this from happening again.

http://www.epicgames.com/fortnite/en-US/news/postmortem-of-service-outage-4-12

------------------------------

Date: Sun, 6 May 2018 16:31:20 -0700
From: Mark Thorson <eee () dialup4less com>
Subject: Collateral damage (538)

You can't opt out from other people sharing data about you, such as the relative of the Golden State Killer who put DNA data on a website.
http://fivethirtyeight.com/features/you-cant-opt-out-of-sharing-your-data-even-if-you-didnt-opt-in/

------------------------------

Date: Mon, 7 May 2018 16:16:28 -0400
From: George Mannes <gmannes () gmail com>
Subject: Dozens of security cameras hacked in Japan (Mainichi)

from Mainichi.jp English-language site:
http://mainichi.jp/english/articles/20180507/p2g/00m/0dm/063000c#cxrecs_s

TOKYO (Kyodo) -- Dozens of Canon Inc.'s security cameras connected to the Internet have been hacked across Japan, making them uncontrollable at waterways, a fish market, and a care facility among other places, users said Monday.

Over 60 cameras nationwide are believed to have been illegally accessed so far. ...

While it remains unclear why Canon cameras have been targeted, the city of Yachiyo in Chiba Prefecture and the city of Ageo in Saitama Prefecture, which lost control of the cameras for monitoring the levels of their waterways, said they had failed to reset the cameras' default passwords.....

Hackings were also reported at other locations including a fish market in Hiroshima, a care facility for the disabled in Kobe, and a Naha branch of a company based in Saitama Prefecture....

[This news item seems custom-designed for a classic-style PGN joke linking fishy business at the market, constant comp.risks complaints about poor password management, and Hiroshima's hometown baseball team, the Carp. Have at it.]

  [OK. Carpe Diem? I had dinner in Kobe's in Lahaina (Maui) last night. I have no beef with this item, even if it might smell fishy. ``If you knew Sushi like I knew Sushi,'' oh, whatta place...
  ``She shells seashells by the seashore.'' PGN]

------------------------------

Date: Wed, 9 May 2018 23:53:49 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Technology turns our cities into spies for ICE, whether we like it or not (LATimes)

There are more than 30 Oakland Police Department patrol cars roaming the city with license plate readers, specialized cameras that can scan and record up to 60 license plates per second. Meanwhile, the Alameda County Sheriff's Office maintains a fleet of six drones to monitor crime scenes when it sees fit. The Alameda County district attorney's office owns a StingRay, a device that acts as a fake cell tower and forces phones to give up their location.

And that's just in one little corner of California.

Just as consumer electronics continually get faster, cheaper, smaller, and more sophisticated, so too do the tools law enforcement uses to spy on us. What once demanded significant money and manpower can be accomplished easily by machine. This advanced technology is hurtling toward us so fast that privacy laws can't keep up.

http://www.latimes.com/opinion/op-ed/la-oe-farivar-surveillance-tech-20180502-story.html

------------------------------

Date: Sun, 6 May 2018 22:22:09 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: The Digital Vigilantes Who Hack Back (The New Yorker)

American companies that fall victim to data breaches want to retaliate against the culprits. But can they do so without breaking the law?

http://www.newyorker.com/magazine/2018/05/07/the-digital-vigilantes-who-hack-back

------------------------------

Date: Wed, 9 May 2018 23:57:31 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Bring in the Nerds: EFF Introduces Actual Encryption Experts to U.S. Senate Staff (EFF)

Electronic Frontier Foundation

Earlier today in the U.S. Capitol Visitor Center, EFF convened a closed-door briefing for Senate staff about the realities of device encryption.
While policymakers hear frequently from the FBI and the Department of Justice about the dangers of encryption and the so-called Going Dark problem, they very rarely hear from actual engineers, cryptographers, and computer scientists. Indeed, the usual suspects testifying before Congress on encryption are nearly the antithesis of technical experts.

The all-star lineup of panelists included Dr. Matt Blaze, professor of computer science at the University of Pennsylvania; Dr. Susan Landau, professor of cybersecurity and policy at Tufts University; Erik Neuenschwander, Apple's manager of user privacy; and EFF's tech policy director Dr. Jeremy Gillula.

http://www.eff.org/deeplinks/2018/05/bring-nerds-eff-introduces-actual-encryption-experts-us-senate-staff

  [Incidentally, this is the 20th anniversary of the famous L0pht testimony from Mudge's team, which immediately followed my testimony for the U.S. Permanent Subcommittee on Investigations of the Senate Committee on Governmental Affairs included in Weak Computer Security in Government: Is the Public at Risk? <http://www.csl.sri.com/neumann/senate98.html> PGN]

------------------------------

Date: Mon, 14 May 2018 15:06:45 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Email Encryption Tools Are No Longer Safe, Researchers Say (Fortune)

Throughout the many arguments over encrypted communications, there has been at least one constant: the venerable tools for strong email encryption are trustworthy. That may no longer be true.

On Tuesday, well-credentialed cybersecurity researchers will detail what they call critical vulnerabilities in widely-used tools for applying PGP/GPG and S/MIME encryption. According to Sebastian Schinzel, a professor at the Münster University of Applied Sciences in Germany, the flaws could reveal the plaintext that email encryption is supposed to cover up -- in both current and old emails.
The researchers are advising everyone to temporarily stop using plugins for mail clients like Microsoft Outlook and Apple Mail that automatically encrypt and decrypt emails -- at least until someone figures out how to remedy the situation. Instead, experts say, people should switch to tools like Signal, the encrypted messaging app that's bankrolled by WhatsApp co-founder Brian Acton.

http://fortune.com/2018/05/14/email-encryption-tool-vulnerability-cybersecurity-warning/

------------------------------

Date: Tue, May 15, 2018 at 12:38 AM
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw (EFF)

Erica Portnoy, Danny O'Brien, and Nate Cardozo, EFF, 14 May 2018
http://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0

Don't panic! But you should stop using PGP for encrypted email and switch to a different secure communications method for now.

A group of researchers released a paper today that describes a new class of serious vulnerabilities in PGP (including GPG), the most popular email encryption standard. The new paper includes a proof-of-concept exploit that can allow an attacker to use the victim's own email client to decrypt previously acquired messages and return the decrypted content to the attacker without alerting the victim. The proof of concept is only one implementation of this new type of attack, and variants may follow in the coming days.

Because of the straightforward nature of the proof of concept, the severity of these security vulnerabilities, the range of email clients and plugins affected, and the high level of protection that PGP users need and expect, EFF is advising PGP users to pause in their use of the tool and seek other modes of secure end-to-end communication for now.
Because we are awaiting the response from the security community of the flaws highlighted in the paper, we recommend that for now you uninstall or disable your PGP email plug-in. These steps are intended as a temporary, conservative stopgap until the immediate risk of the exploit has passed and been mitigated against by the wider community. There may be simpler mitigations available soon, as vendors and commentators develop narrower solutions, but this is the safest stance to take for now.

Because sending PGP-encrypted emails to an unpatched client will create adverse ecosystem incentives to open incoming emails, any of which could be maliciously crafted to expose ciphertext to attackers.

While you may not be directly affected, the other participants in your encrypted conversations are likely to be. For this attack, it isn't important whether the sender or the receiver of the original secret message is targeted. This is because a PGP message is encrypted to both of their keys.

At EFF, we have relied on PGP extensively both internally and to secure much of our external-facing email communications. Because of the severity of the vulnerabilities disclosed today, we are temporarily dialing down our use of PGP for both internal and external email.

Our recommendations may change as new information becomes available, and we will update this post when that happens.

How The Vulnerabilities Work

PGP, which stands for Pretty Good Privacy, was first released nearly 27 years ago by Phil Zimmermann. Extraordinarily innovative for the time, PGP transformed the level of privacy protection available for digital communications, and has provided tech-savvy users with the ability to encrypt files and send secure email to people they've never met. Its strong security has protected the messages of journalists, whistleblowers, dissidents, and human rights defenders for decades.
While PGP is now a privately-owned tool, an open source implementation called GNU Privacy Guard (GPG) has been widely adopted by the security community in a number of contexts, and is described in the OpenPGP Internet standards document.

The paper describes a series of vulnerabilities that all have in common their ability to expose email contents to an attacker when the target opens a maliciously crafted email sent to them by the attacker. In these attacks, the attacker has obtained a copy of an encrypted message, but was unable to decrypt it.

The first attack is a direct exfiltration attack that is caused by the details of how mail clients choose to display HTML to the user. The attacker crafts a message that includes the old encrypted message. The new message is constructed in such a way that the mail software displays the entire decrypted message -- including the captured ciphertext -- as unencrypted text. Then the email client's HTML parser immediately sends or exfiltrates the decrypted message to a server that the attacker controls.

The second attack abuses the underspecification of certain details in the OpenPGP standard to exfiltrate email contents to the attacker by modifying a previously captured ciphertext. Here are some technical details of the vulnerability, in plain-as-possible language:

When you encrypt a message to someone else, it scrambles the information into ciphertext such that only the recipient can transform it back into readable plaintext. But with some encryption algorithms, an attacker can modify the ciphertext, and the rest of the message will still decrypt back into the correct plaintext. This property is called malleability. This means that they can change the message that you read, even if they can't read it themselves.

To address the problem of malleability, modern encryption algorithms add mechanisms to ensure integrity, or the property that assures the recipient that the message hasn't been tampered with.
But the OpenPGP standard says that it's ok to send a message that doesn't come with an integrity check. And worse, even if the message does come with an integrity check, there are known ways to strip off that check. Plus, the standard doesn't say what to do when the check fails, so some email clients just tell you that the check failed, but show you the message anyway. ...

http://dewaynenet.wordpress.com/feed/

------------------------------

Date: Wed, 9 May 2018 23:50:09 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Once Again, Activists Must Beg the Government to Preserve the Right to Repair (Motherboard)

The excruciating DMCA section 1201 exemption process is upon us again, and the right to repair tractors, cars, and electronics is at stake.

http://motherboard.vice.com/en_us/article/mbxzyv/dmca-1201-exemptions

------------------------------

Date: Thu, 10 May 2018 04:34:02 -0700
From: Bob Gezelter <gezelter () rlgsc com>
Subject: Widespread Misunderstanding of x86-64 Privileged Instruction Leads to Widespread Escalation Hazard (MITRE CVE 2018-8897)

Apparently, a large number of kernel-level developers have misunderstood the documentation concerning the interruptability of an x86-64 instruction. This misunderstanding has made many major operating systems on the x86-64 platform vulnerable to a privilege escalation hazard.

Patches have reportedly been issued. Intel has also re-issued its x86-64 Software Development Manuals.

A description of the vulnerability can be found at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8897

  [For those of you following the CVE list, it has just exceeded 100,000 CVE entries. This should be a warning for anyone reading RISKS who believes our computer systems are secure.
PGN]

------------------------------

Date: Thu, 10 May 2018 18:01:36 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Alexa and Siri Can Hear This Hidden Command Audio Attacks (NYTimes)

http://www.nytimes.com/2018/05/10/technology/alexa-siri-hidden-command-audio-attacks.html

Researchers can now send secret audio instructions undetectable to the human ear to Apple's Siri, Amazon's Alexa and Google's Assistant.

------------------------------

Date: Fri, 11 May 2018 11:15:06 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Buckle Up, Prime Members: Amazon Launches In-Car Delivery (Business Wire)

Millions of Prime members with Chevrolet, Buick, GMC, Cadillac and Volvo cars can now use Amazon Key to have their Amazon packages delivered inside their vehicle parked at home, work or near other locations in their address book

In-car delivery is available at no extra cost for Prime members -- customers simply download the Amazon Key App, link to their connected car and start ordering on Amazon.com; no additional hardware or devices required

To get started, customers download the Amazon Key App and then link their Amazon account with their connected car service account. Once setup is complete and the delivery location has been registered, customers can shop on Amazon.com and select the In-Car delivery option at checkout. On delivery day, the Amazon Key App lets customers check if they've parked within range of the delivery location, and provides notifications with the expected 4-hour delivery time window. The App also notifies customers when the delivery is on its way, and the package has been delivered. Customers can track when their car was unlocked and relocked in the App's activity feed, and rate their in-car delivery.
http://www.businesswire.com/news/home/20180424005509/en/Buckle-Prime-Members-Amazon-Launches-In-Car-Delivery

------------------------------

Date: Sat, 12 May 2018 02:30:18 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Meant to Monitor Inmates' Calls Could Track You Too (NYTimes)

http://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html

A company catering to law enforcement and corrections officers has raised privacy concerns with a product that can locate almost anyone's cellphone across the United States.

------------------------------

Date: Sat, 12 May 2018 06:38:12 -0700
From: Bob Gezelter <gezelter () rlgsc com>
Subject: Cell Phone Location data reportedly available to law enforcement without verification/process (Ars Technica)

Ars Technica is reporting that a service meant for use with prison phone systems lacks authentication and safeguards. It has reportedly already been used to track people without legal jurisdiction.

Access to non-anonymized geolocation data for mobile devices by third parties is a serious privacy hazard. The article does not indicate the degree of reporting or other measures undertaken to ensure accountability. In this context, even advertising delivered to an identifiable device is a hazard.
http://arstechnica.com/tech-policy/2018/05/senator-furious-at-polices-easy-ability-to-get-real-time-mobile-location-data/

------------------------------

Date: Sun, 13 May 2018 11:08:59 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: During disasters, active Twitter users likely to spread falsehoods: Study examines Boston Marathon bombing, Hurricane Sandy; also finds most users fail to correct misinformation (Science Daily)

http://www.sciencedaily.com/releases/2018/05/180512190537.htm

------------------------------

Date: Sun, 13 May 2018 10:01:11 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: "Warning: Dangerous Fake Emails About Google Privacy Changes" (Lauren's Blog)

http://lauren.vortex.com/2018/05/13/warning-dangerous-fake-emails-about-google-privacy-changes

If you use much of anything Google, by now you've likely gotten at least one email from Google noting various privacy-related changes. They typically have the Subject:

  Improvements to our Privacy Policy and Privacy Controls

and tend to arrive not from the expected simple "google.com" domain but rather from unusual appearing Google subdomains, with addresses like:

  privacy-noreply () www3 l google com

The notice also includes a bunch of links to various relevant privacy pages and/or systems at Google.

All of this is in advance of the effective date for the European Union's "GDPR" laws. If you're not familiar with the GDPR, it's basically the latest hypocritical move by the EU on their relentless march toward dictating the control of personal data globally and to further their demands to become a global censorship czar -- with the ability to demand the deletion of any search engine results around the world that they find inconvenient. Joseph Stalin would heartily approve.
One can assume that Google's privacy team has been putting in yeoman's service to meet the EU's dictatorial demands, and it's logical that Google decided to make other changes in their privacy ecosystem at the same time, and now is informing users about those changes.

Unfortunately, phishing crooks are apparently already taking advantage of this situation -- in particular several aspects of these Google notification emails.

First, the legitimate Google privacy emails going out recently and currently are a veritable flood. It appears that Google is sending these out to virtually every email address ever associated with any Google account since perhaps the dawn of time. I've already received approximately 1.3E9 of them. OK, not really that many, but it FEELS like that many.

Some of these are coming in to addresses that I don't even recognize. This morning one showed up to such a strange address that I had to go digging in my alias databases to figure out what it actually was. It turned out to be so ancient that cobwebs flew out of my screen at me when I accessed its database entry.

Seriously, these are one hell of a lot of emails, and the fact that they come from somewhat unusual looking google subdomains and include links has made them fodder for the crooks.

You can guess what's happening. Phishing and other criminal types are sending out fraudulent emails that superficially appear to be the same as these legit Google privacy policy notification emails. Of course, some or all of the links in the phishing emails lead not to Google but to various evil traps and personal data stealing tricks.

So please, be extraordinarily careful when you receive what appear to be these privacy notices from Google.
With so many real ones going out -- with multiples often ending up at the same individual via various redirects and forwarding addresses -- it's easy for fake versions to slip in among the real ones, and clicking on the links in the crooked ones or opening attachments that they include can seriously ruin your day, to say the very least.

Take care, all.

------------------------------

Date: Mon, 14 May 2018 18:12:34 -0700
From: Richard M Stein <rmstein () ieee org>
Subject: Face recognition police tools 'staggeringly inaccurate' (BBC.com)

http://www.bbc.com/news/technology-44089161

'The Metropolitan Police used facial recognition at London's Notting Hill carnival in 2016 and 2017 and at a Remembrance Sunday event.

'Its system incorrectly flagged 102 people as potential suspects and led to no arrests.

'In figures given to Big Brother Watch, South Wales Police said its technology had made 2,685 "matches" between May 2017 and March 2018 - but 2,451 were false alarms.

'Big Brother Watch also raised concerns that photos of any "false alarms" were sometimes kept by police for weeks.'

Perhaps the UK should import and deploy PRC cameras per RISKS-30.65.

------------------------------

Date: Tue, 15 May 2018 13:25:53 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Intel Documentation Blamed for Multiple Operating System Security Flaws (IT Pro)

Anybody who's been involved with tech for a while has most likely come across the expression "RTFM" on more than one occasion. Usually delivered with a degree of snark, if not downright hostility, the initialism stands for "read the ... manual," with an added expletive added for good measure.

As is often pointed out, the advice is not only rude, it's also often not helpful. Sometimes there is no documentation to read and if there is, it's poorly written and difficult to understand.

The latter seems to be the case with CVE-2018-8897, the latest operating system vulnerability.
On May 8, Nick Peterson of Everdox Tech and Nemanja Mulasmajic of triplefault.io, made public a research paper that revealed all major operating systems -- Linux, Apple, Windows and BSD -- to be affected by a flaw that can allow authenticated users to read data in memory or control low-level OS functions.

The good news is that the researchers notified software developers of the problem on April 30, and by the time it was made public, patches were at the ready.

http://www.itprotoday.com/endpoint-security/intel-documentation-blamed-multiple-operating-system-security-flaw

------------------------------

Date: Tue, 15 May 2018 17:52:40 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: The Problem with Chinese GPS (Now I Know)

If you're in a foreign country and try to read a map, you may find it difficult -- unless your host nation's language is the same as your home nation's, the words are going to be different and, assuming you're not bilingual, will require some translation. But the locations of the roads, rivers, buildings, and the like should be the same, regardless of whether the map is in English, Spanish, or Chinese, right? Language aside, Google Maps should work the same everywhere, right?

Well, no.

http://nowiknow.com/the-problem-with-chinese-gps/

------------------------------

Date: Tue, 15 May 2018 19:06:04 -0400
From: Monty Solomon <monty () roscom com>
Subject: U.S. identifies suspect in major leak of CIA hacking tools (WashPo)

The former agency employee is being held in a Manhattan jail on unrelated charges.

http://www.washingtonpost.com/world/national-security/us-identifies-suspect-in-major-leak-of-cia-hacking-tools/2018/05/15/5d5ef3f8-5865-11e8-8836-a4a123c359ab_story.html

------------------------------

Date: Tue, 5 May 2018 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest.
Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
*** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks have done to URLs. I have tried to extract the essence.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.69
************************
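The malleability and integrity-check behaviour described in the E-Fail item of this digest ("Not So Pretty", EFF), as an added example that is not part of the digest or of the cited article. It uses a toy XOR stream cipher built from SHA-256 as a stand-in for OpenPGP's encryption; the keys, the message and every function name are constructed for illustration.

```python
import hashlib
import hmac

TAG_LEN = 32  # size of an HMAC-SHA256 tag

def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode); a stand-in, not OpenPGP's CFB."""
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def tamper(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Malleability: a known plaintext fragment is swapped without the key."""
    patched = bytearray(ciphertext)
    for i, (k, w) in enumerate(zip(known, wanted)):
        patched[offset + i] ^= k ^ w
    return bytes(patched)

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the integrity tag covers the ciphertext."""
    ct = crypt(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def check(mac_key: bytes, sealed: bytes):
    """Split off the tag and verify it in constant time."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    good = hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest())
    return ct, good

def open_lenient(enc_key: bytes, mac_key: bytes, sealed: bytes):
    """Client behaviour the item criticises: report the failure, show the text anyway."""
    ct, good = check(mac_key, sealed)
    return good, crypt(enc_key, ct)

def open_strict(enc_key: bytes, mac_key: bytes, sealed: bytes) -> bytes:
    """Fail closed: no plaintext is returned unless the tag verifies."""
    ct, good = check(mac_key, sealed)
    if not good:
        raise ValueError("integrity check failed; message withheld")
    return crypt(enc_key, ct)

# Constructed sample data (not taken from the article); keys are single-use here.
ENC_KEY, MAC_KEY = b"constructed-enc-key", b"constructed-mac-key"
MESSAGE = b"Meet at 10:00 at the north gate."
```

The lenient reader hands the altered text to whatever renders it next, which is the gap the item describes; the strict reader never lets it leave the decryption step.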