RISKS Forum mailing list archives
Risks Digest 30.73
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 26 Jun 2018 18:08:36 PDT
RISKS-LIST: Risks-Forum Digest  Tuesday 26 June 2018  Volume 30 : Issue 73

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.73>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
  Tim Cook on Why Apple News Needs Human Editors (The Wrap)
  Facial Recognition Company Kairos CEO argues that technology's bias and capacity for abuse make it too dangerous for use by law enforcement (Slashdot)
  Police Use of Facial Recognition With License Databases Spur Privacy Concerns (WSJ via WaPo)
  Thermostats, Locks and Lights: Digital Tools of Domestic Abuse (NYTimes)
  Adverse Events in Robotic Surgery: A Retrospective Study of 14 Years of FDA Data (arxiv.org)
  When the Robot Doesn't See Dark Skin (NY Times)
  Having better risk-based analysis for your banks and credit cards (Rex Sanders)
  It's time to stop laughing at Nigerian scammers, because they're stealing billions of dollars (Cleve R. Wootson Jr.)
  Those Chinese-language robocalls are a scam to get your bank information, officials say (WashPo)
  How a company outed China's spies: David Sanger (Gabe Goldberg)
  Chinese Fans Paid Dearly for World Cup Tickets That Never Materialized. (NYTimes)
  Germany becomes the last big Western power to buy killer robots (Innocence lost -- The Economist)
  Orlando Airport Becomes 1st In US To Require Face Scan Of All International Travelers (Talking Points Memo)
  Cryptocurrency exchange hacks in 2018 (Taipei Times)
  Bitcoin Could Break the Internet, Central Banks' Overseer Says (Bloomberg)
  West Virginia Becomes First State to Test Mobile Voting by Blockchain in a Federal Election (GovTech)
  The Tractors that Turn Farmers into Hackers (Now I Know)
  "Three-month-old Drupal vulnerability is being used to deploy cryptojacking malware" (Danny Palmer)
  Hacker figured out how to brute-force iPhone passcode (ZDNet)
  Supreme Court says police need a warrant for historical cell location records (Zach Whittaker)
  Why Hackers Aren't Afraid of Us (David E. Sanger)
  Beijing subways to get bio-ID system (StraitsTimes)
  Scanning immigrants old fingerprints, U.S. threatens to strip thousands of citizenship (WashPo)
  M&A isn't what it used to be (Fortune)
  A new way to do big data with entity resolution (Web Informant)
  Tesla sues former employee for allegedly stealing gigabytes of data, making false claims to media. (CNBC)
  Show me the money (Fortune)
  Visa fingers 'very rare' datacentre switch glitch for payment meltdown (The Register)
  Recounting Horror Stories? Over Guitar Center's Warranties (NYTimes)
  The Guy Who Robbed Someone at Gunpoint for a Domain Name Is Getting 20 Years in Jail (Motherboard)
  Clarinetist discovers his ex-girlfriend faked a rejection letter from his dream school (The Washington Post)
  Internet TV firmware update/soft power-switch failure (Richard M Stein)
  Ghost Cytometry May Improve Cancer Detection, Enable New Experiments (SciAm)
  Creating bizarre interfaces (Rob Slade)
  More dodgy numbers - LinkedIn this time (Tony Harminc)
  Maybe they'll accept postcard calls for help (Gabe Goldberg)
  Re: Another risk of driverless cars (Ed Ravin)
  Re: Microsoft, Github, & distributed revision control (Wol)
  Re: Florida skips gun background checks for a year after employee (R A Lichtensteiger, Gabe Goldberg)
  Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 26 Jun 2018 08:41:03 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Tim Cook on Why Apple News Needs Human Editors (The Wrap)

  [It seems nice to find a use for human Natural Intelligence after all, in this era of relying on Artificial Intelligence and Machine Learning.  PGN]

Tim Cook wants your news experience to be a little less stressful -- and that's why Apple is leaning on humans, rather than algorithms, to highlight its top stories in Apple News, according to the exec.

"News was kind of going a little crazy," said Cook on Monday night at the Fortune CEO Initiative conference in San Francisco, explaining Apple's latest attempt to curb polarization. Apple's solution, unveiled earlier in the day, was a new, curated tab for coverage of the 2018 midterm elections. The stories will be picked by human editors, and will offer coverage from a variety of viewpoints, from Vox to Fox News.

"For Apple News, we felt top stories should be selected by humans," said Cook, "to make sure you're not picking content that strictly has the goal of enraging people."
https://www.thewrap.com/tim-cook-on-why-apple-news-needs-human-editors-news-was-kind-of-going-a-little-crazy/

------------------------------

Date: Mon, 25 Jun 2018 11:27:38 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Facial Recognition Company Kairos CEO argues that technology's bias and capacity for abuse make it too dangerous for use by law enforcement (Slashdot)

Facial recognition technologies, used in the identification of suspects, negatively affect people of color. To deny this fact would be a lie. And clearly, facial recognition-powered government surveillance is an extraordinary invasion of the privacy of all citizens -- and a slippery slope to losing control of our identities altogether.

via NNSquad
https://yro.slashdot.org/story/18/06/25/189247/ceo-of-facial-recognition-company-kairos-argues-that-the-technologys-bias-and-capacity-for-abuse-make-it-too-dangerous-for-use-by-law-enforcement

------------------------------

Date: Mon, 18 Jun 2018 08:43:34 -0700
From: Richard M Stein <rmstein () ieee org>
Subject: Police Use of Facial Recognition With License Databases Spur Privacy Concerns (WSJ via WaPo)

Behind WSJ paywall --
http://www.wsj.com/articles/police-use-of-drivers-license-databases-to-nab-crooks-spurs-privacy-concerns-1529233200

WaPo linkage to WSJ story with commentary quoted below --
http://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/06/18/the-cybersecurity-202-trump-associates-may-need-a-lesson-on-how-to-use-their-encrypted-apps/5b2675f91b326b3967989b28/?utm_term=.908214921adf
(See "Facial recognition versus privacy" in "The Cybersecurity 202," by Derek Hawkins.)

'A detective fed an image taken from an Instagram picture provided by the victim into Maryland's face recognition system and the database returned the driver's license photo of the suspect, Elinson writes.
``This digital-age crime-solving technique is at the center of a debate between privacy advocates and law-enforcement officials: Should police be able to search troves of driver's license photos, many who have never been convicted of a crime, with facial recognition software?'' Elinson writes.'

Possible 4th amendment violation of the US Constitution covering illegal search and seizure. Jacobsen v. United States defined 'search' and 'seizure' for the 4th amendment: "protects two types of expectations, one involving 'searches', the other 'seizures'. A search occurs when an expectation of privacy that society is prepared to consider reasonable is infringed. A seizure of property occurs where there is some meaningful interference with an individual's possessory interests in that property."
https://en.wikipedia.org/wiki/Search_and_seizure

A blanket search and happenstance match across a unified motor vehicle photo database apparently violates that standard.

------------------------------

Date: Sat, 23 Jun 2018 21:08:14 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Thermostats, Locks and Lights: Digital Tools of Domestic Abuse (NYTimes)

http://www.nytimes.com/2018/06/23/technology/smart-home-devices-domestic-abuse.html

Their stories are part of a new pattern of behavior in domestic abuse cases tied to the rise of smart home technology. Internet-connected locks, speakers, thermostats, lights and cameras that have been marketed as the newest conveniences are now also being used as a means for harassment, monitoring, revenge and control.

In more than 30 interviews with The New York Times, domestic abuse victims, their lawyers, shelter workers and emergency responders described how the technology was becoming an alarming new tool. Abusers -- using apps on their smartphones, which are connected to the Internet-enabled devices -- would remotely control everyday objects in the home, sometimes to watch and listen, other times to scare or show power.
Even after a partner had left the home, the devices often stayed and continued to be used to intimidate and confuse.

------------------------------

Date: Tue, 19 Jun 2018 13:53:56 -0700
From: Richard M Stein <rmstein () ieee org>
Subject: Adverse Events in Robotic Surgery: A Retrospective Study of 14 Years of FDA Data (arxiv.org)

Homa Alemzadeh, Ravishankar Iyer, Zbigniew Kalbarczyk, Nancy Leveson, Jai Raman
http://arxiv.org/pdf/1507.03518.pdf

An acquaintance expressed enthusiasm for their forthcoming robotic surgical procedure. The well-respected Southern California National Cancer Institute at the City of Hope -- a hospital and medical-industrial complex -- effused the benefits of the "world's best robotic surgeon." Being cautious about a hard-sell, I sent a link to this report with a few choice questions to inquire about before signing the consent form.

Wonder what this analysis would show for the past 4+ years of MAUDE data? Similar trend, better, or worse?
From the summary page:
Methods: We analyzed the adverse events data related to robotic systems and instruments used in minimally invasive surgery, reported to the U.S. Food and Drug Administration (FDA) MAUDE database from January 2000 to December 2013. We determined the number of events reported per procedure and per surgical specialty, the most common types of device malfunctions and their impact on patients, and the causes for catastrophic events such as major complications, patient injuries, and deaths.

Results: During the study period, 144 deaths (1.4% of the 10,624 reports), 1,391 patient injuries (13.1%), and 8,061 device malfunctions (75.9%) were reported. The numbers of injury and death events per procedure have stayed relatively constant since 2007 (mean = 83.4, 95% CI, 74.2-92.7). Surgical specialties, for which robots are extensively used, such as gynecology and urology, had lower number of injuries, deaths, and conversions per procedure than more complex surgeries, such as cardiothoracic and head and neck (106.3 vs. 232.9, Risk Ratio = 2.2, 95% CI, 1.9-2.6). Device and instrument malfunctions, such as falling of burnt/broken pieces of instruments into the patient (14.7%), electrical arcing of instruments (10.5%), unintended operation of instruments (8.6%), system errors (5%), and video/imaging problems (2.6%), constituted a major part of the reports. Device malfunctions impacted patients in terms of injuries or procedure interruptions. In 1,104 (10.4%) of the events, the procedure was interrupted to restart the system (3.1%), to convert the procedure to non-robotic techniques (7.3%), or to reschedule it to a later time (2.5%).

Conclusions: Despite widespread adoption of robotic systems for minimally invasive surgery, a non-negligible number of technical difficulties and complications are still being experienced during procedures. Adoption of advanced techniques in design and operation of robotic surgical systems may reduce these preventable incidents in the future.
------------------------------

Date: Thu, 21 Jun 2018 19:07:21 -0700
From: Richard M Stein <rmstein () ieee org>
Subject: When the Robot Doesn't See Dark Skin (NY Times)

http://mobile.nytimes.com/2018/06/21/opinion/facial-analysis-technology-bias.html

A graduate student's testimonial about algorithmic bias, and a harbinger to corporations that deploy facial recognition to assist hiring decisions and to enable their revenue capture processes.

------------------------------

Date: Tue, 12 Jun 2018 18:55:01 -0700
From: "Sanders, Rex" <rsanders () usgs gov>
Subject: Having better risk-based analysis for your banks and credit cards

One of my back-of-card numbers routes you to a seemingly infinite-depth tree of `press 1 for another marketing pitch' choices, which I've never plumbed deep enough to find the fraud department.

I once had the direct line to the fraud department -- see RISKS-27.85 for that depressing story. If only I could remember where I kept that number... Now I just call the local branch and have them route me.

Just checked - the number on the back of my oldest card has rubbed off. That's OK, I couldn't read it without a magnifying glass anyway. Maybe better physical protection and larger typefaces for critically important numbers?

Assuming your bank is halfway competent at simple, non-digital UX is also RISKy.

------------------------------

Date: Wed, Jun 13, 2018 at 3:09 AM
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: It's time to stop laughing at Nigerian scammers, because they're stealing billions of dollars (Cleve R. Wootson Jr.)

Cleve R. Wootson Jr., *The Washington Post*, 12 Jun 2018
http://www.washingtonpost.com/news/business/wp/2018/06/12/its-time-to-stop-laughing-at-nigerian-scammers-because-theyre-stealing-billions-of-dollars/

By this point, savvy people know it's a bad idea to trust an email from a Nigerian prince hoping to use their bank account to unload a dead relative's vast wealth.
And they're just as suspicious of the sudden Internet-based love interest with questionable grammar who needs a few thousand untraceable dollars to clear up a passport issue in time for a magical first date.

But in a sophisticated and terrifying evolution of the Nigerian 419 scam, web-savvy crime syndicates are figuring out ways to bilk U.S. citizens of billions.

On Monday, the FBI announced the arrest of 74 people across the world -- including 29 people in Nigeria and 41 in the United States -- who authorities say were part of complex international networks that combed filings by the Securities and Exchange Commission, spoofed CEO emails and successfully targeted even hardened employees whose jobs are to safeguard their companies from financial mismanagement.

The recent scams have the same DNA as the poorly worded emails that have been showing up in people's inboxes since the 1990s. Instead of playing on hopes of finding love or lust for sudden wealth, they play on fears about missing a vital company payment or upsetting a boss's boss.

``[Scammers] are doing their research ... going onto company websites and looking for the right people,'' FBI Assistant Director Scott Smith, who helped lead the investigation, told the Wall Street Journal. ``They may even go as far as pulling annual reports and finding what companies they do business with and [impersonating] those accounts.''

Adeyemi Odufuye and his team, for example, sifted SEC records, company websites and other business documents, looking for the names and email addresses of chief executives, chief financial officers and controllers, court documents say. Odufuye, who had a half dozen nicknames, including ``Jefe,'' the Spanish word for ``chief'' or ``boss,'' led a crew responsible for stealing $2.6 million, including $440,000 from one business in Connecticut, according to the Justice Department.

The schemes used a variety of tactics to gain people's trust and steal their money, federal authorities say.
They registered website domain names that were hard to distinguish from the companies they were targeting -- impersonations meant to give emails an air of authenticity. Some of those emails arrived with malware attachments that would snap images of a victim's desktop or transmit key log information -- a hacker trick for nabbing someone's password. They even employed money mules whose sole purpose was to move the ill-gotten gains from account to account, authorities say, disguising the electronic paper trail from investigators.

Odufuye was extradited from Britain on Jan. 3. He pleaded guilty to one count of conspiracy to commit wire fraud and one count of aggravated identity theft.

The arrests highlighted just how many people are falling for the latest iterations of the Nigerian hustle, as well as the staggering losses American businesses are accruing. According to FBI figures obtained by the Journal, victims of such scams reported $275 million in losses in 2015. By 2017, reported losses had more than doubled, to $675 million. And in the first quarter of this year, more than 4,000 victims reported $685 million in losses. The bureau estimates American businesses have lost more than $3.7 billion as a result of the schemes. [...]

------------------------------

Date: Mon, 25 Jun 2018 23:01:26 -0400
From: Monty Solomon <monty () roscom com>
Subject: Those Chinese-language robocalls are a scam to get your bank information, officials say (WashPo)

Chinese-language robocalls deliver news that grabs your attention, but officials say it's a scam.
http://www.washingtonpost.com/technology/2018/06/25/those-chinese-language-robocalls-are-scam-get-your-bank-information-officials-say/

------------------------------

Date: Sat, 23 Jun 2018 23:10:23 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: How a company outed China's spies: David Sanger

David Sanger at the /New York Times/ has out a new book on cyber-espionage and digital intrigue, /The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age/
http://click.email.fortune.com/?qs=9fd3c66c5fd258b115f4a535e2b485b1789f3f375e1073611e7bd4a8c2e39026a36d168ee80c33101dac76cd060ebedf808eee024af7038d

While I have not yet read it, I did catch an excerpt that has been making the rounds on Twitter. The passage reveals new details about how Mandiant <http://click.email.fortune.com/?qs=9fd3c66c5fd258b1e33dccd1b1b19967fdd3db4d574b14135333f2ccc46d62024c45d534fe899947777dd672ffba305d0eda1a47b626850c>, a computer forensics firm founded by Kevin Mandia, a U.S. Air Force veteran, clinched its landmark linking of a Chinese hacking group that had ravaged American corporates in years past and Unit 61398 of the Chinese military. (Hat tip to Thomas Rid, a professor of strategic studies at Johns Hopkins University's School of Advanced International Studies and author of another excellent book, /Rise of the Machines: A Cybernetic History/ <http://click.email.fortune.com/?qs=9fd3c66c5fd258b15862f33bc618a74cddc338b47e8562192dc1cc88e026527fbc008d819ad9908f1453a14ffe8667be803e821ccf1bfce3>.)

Here's the section in question:

``As soon as they detected Chinese hackers breaking into the private networks of some of their clients -- mostly Fortune 500 companies -- Mandia's investigators reached back through the network to activate the cameras on the hackers' own laptops,'' Sanger writes.
``They could see their keystrokes while actually watching them at their desks.''

When Mandiant released its report <http://click.email.fortune.com/?qs=9fd3c66c5fd258b134d0686d1809e54df0439805a9d31442058231d86692283d911a1d54b32b5acb7a4899f461362a1eafd6018485d37e07> on the hacking group, so-called Advanced Persistent Threat 1, or ``APT1,'' the paper was a bombshell. Now five years later, the firm's methodology, as revealed by Sanger, has resulted in a second bombshell. If accurate -- and it seems to be, given that Sanger describes personally watching over the shoulders of Mandiant's crew while it spied on the spies -- the anecdote suggests that Mandiant engaged, even if mildly, in a ``hack back,'' a highly controversial and legally dubious countermeasure. (The firm did not immediately respond to /Fortune's/ request for comment about the incident on Saturday afternoon.)

http://view.email.fortune.com/?qs=e36c55d435df1a4da802a828235a31d7640ebe0e56daa04d722e64c7c27f5d83576c8f8fa4ccb939566f599751947197e3c8b49489ddc97cff62553d68593c70e2199e1a46148814

------------------------------

From: Monty Solomon <monty () roscom com>
Date: Fri, 22 Jun 2018 00:01:27 -0400
Subject: Chinese Fans Paid Dearly for World Cup Tickets That Never Materialized. (NYTimes)

The New York Times, 21 Jun 2018
http://www.nytimes.com/2018/06/21/world/asia/china-world-cup-ticket-scam-anzhi.html

Thousands of Chinese soccer fans may have been victims of a ticketing swindle allegedly orchestrated by a Moscow company.

------------------------------

Date: Fri, 22 Jun 2018 10:16:33 -0400
From: Jose Maria Mateos <chema () rinzewind org>
Subject: Germany becomes the last big Western power to buy killer robots (Innocence lost -- The Economist)

http://www.economist.com/europe/2018/06/23/germany-becomes-the-last-big-western-power-to-buy-killer-robots?fsrc=rss%7Ceur

To the relief of commanders and the dismay of pacifists, Germany's armed forces have crossed a threshold.
On June 13th a Bundestag committee voted to approve the spending of nearly $1.1bn to lease from Israel five drones which can be equipped with deadly weapons. Hitherto Germany has been the only big Western country not to buy ``killer robots''. In part this reflects antipathy to America's use of remotely controlled missiles for ``targeted killings'' of terrorist suspects (and the people standing next to them) in places like Pakistan and Yemen.

What a relief, yes.

http://rinzewind.org/blog-es

------------------------------

Date: Fri, 22 Jun 2018 10:17:51 -0400
From: Jose Maria Mateos <chema () rinzewind org>
Subject: Orlando Airport Becomes 1st In US To Require Face Scan Of All International Travelers (Talking Points Memo)

http://talkingpointsmemo.com/news/orlando-international-airport-face-scan-requirement

Florida's busiest airport is becoming the first in the nation to require a face scan of passengers on all arriving and departing international flights, including U.S. citizens, according to officials there.

The expected announcement Thursday at Orlando International Airport alarms some privacy advocates who say there are no formal rules in place for handling data gleaned from the scans, nor formal guidelines on what should happen if a passenger is wrongly prevented from boarding.

https://rinzewind.org/blog-es

------------------------------

Date: Wed, 20 Jun 2018 13:58:49 -0700
From: Mark Thorson <eee () dialup4less com>
Subject: Cryptocurrency exchange hacks in 2018 (Taipei Times)

The second in two weeks in South Korea:
http://www.taipeitimes.com/News/biz/archives/2018/06/21/2003695228

In January, a Japanese exchange was hacked for nearly USD$500 million. The market prices for various cryptocurrencies appear to have declined in response to these events.
------------------------------

Date: Sun, 17 Jun 2018 20:03:42 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Bitcoin Could Break the Internet, Central Banks' Overseer Says (Bloomberg)

http://www.bloomberg.com/news/articles/2018-06-17/bitcoin-could-break-the-internet-central-banks-overseer-says

Bitcoin Could Break the Internet, Central Banks' Overseer Says
  Swiss-based BIS says cryptocurrencies have design flaws
  Blockchain can't handle or replace current payment system load

The Bank of International Settlements just told the cryptocurrency world it's not ready for prime time -- and as far as mainstream financial services go, may never be.

In a withering 24-page article released Sunday as part of its annual economic report, the BIS said Bitcoin and its ilk suffered from `a range of shortcomings' that would prevent cryptocurrencies from ever fulfilling the lofty expectations that prompted an explosion of interest -- and investment -- in the would-be asset class.

------------------------------

Date: Thu, 14 Jun 2018 11:36:22 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: West Virginia Becomes First State to Test Mobile Voting by Blockchain in a Federal Election (GovTech)

West Virginia has become the first state to allow Internet voting by blockchain, offering the technology to deployed and overseas military service members and their families in two counties.

The pilot test is in place for the state's May 8 primary elections and is very limited in scope -- West Virginia Secretary of State Mac Warner said maybe a couple dozen voters will participate. But if it goes well, the state wants to try allowing all eligible military voters statewide to use it during the November general elections.

``I'm really not concerned about numbers.
We're really just looking at the technology.''

http://www.govtech.com/biz/West-Virginia-Becomes-First-State-to-Test-Mobile-Voting-by-Blockchain-in-a-Federal-Election.html

------------------------------

Date: Wed, 13 Jun 2018 15:57:06 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: The Tractors that Turn Farmers into Hackers (Now I Know)

So farmers are fighting back. First, they're filing lawsuits, challenging the application of the DMCA. Second, they're lobbying state governments as well as the federal government, seeking protection from the DMCA in this fashion. (There's a growing movement <http://www.fastcompany.com/40518779/right-to-repair-legislation-has-now-been-introduced-in-17-states> for states to adopt a *right to repair*, for example.) John Deere is challenging those efforts, and they're slow to come about anyway.

Urgency demanded an immediate response. The result: As Motherboard reports, <http://motherboard.vice.com/en_us/article/xykkkd/why-american-farmers-are-hacking-their-tractors-with-ukrainian-firmware> tractor hacking is growing increasingly popular. The Motherboard reporter made his way to an online message board where unauthorized copies of John Deere software are for sale. There, he found dozens of threads from farmers desperate to fix and modify their own tractors. According to people on the forums and the farmers who use it, much of the software is cracked in Eastern European countries such as Poland and Ukraine and then sold back to farmers in the United States.

By and large, the solution seems to work -- for now at least. Forbes warns that this third-party software may contain malware: ``It's possible infected farm equipment might participate in illegal botnets, or worse, the malware might impact the safety of the operators.'' So there is some risk involved. On the other hand, there's risk at doing nothing.
As one farmer using Ukrainian software told Motherboard, there's always a chance that John Deere (or a successor company) will just declare the tractor obsolete. And in that case, he asked, ``What happens [then]? Are we supposed to throw the tractor in the garbage, or what?''

http://www.forbes.com/sites/jasonbloomberg/2017/04/30/john-deeres-digital-transformation-runs-afoul-of-right-to-repair-movement/#6e56ffcb5ab9

http://nowiknow.com/the-tractors-that-turn-farmers-into-hackers/

------------------------------

Date: Mon, 25 Jun 2018 18:41:07 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Three-month-old Drupal vulnerability is being used to deploy cryptojacking malware" (Danny Palmer)

Danny Palmer, ZDNet, 22 June 2018
http://www.zdnet.com/article/three-month-old-drupal-vulnerability-is-being-used-to-deploy-cryptojacking-malware/

The update was deemed critical, but users who haven't applied the patch are being targeted by attackers deploying cryptocurrency miners.

Drupal's content management software is a popular tool for building websites, but this popularity, combined with the critical vulnerability (dubbed 'Drupalgeddon 2' by some), means that attackers have found a way to make a profit.

The vulnerability is being used to deliver cryptojacking malware, which quietly uses the power of the Drupal user's machine to mine for Monero, depositing it into wallets run by the attackers. The only side effects a victim might notice is that their system is running slower, or the fan is doing more work than usual.

The secretive nature of cryptojacking has helped bolster its popularity among attackers during the course of the year. [...]

------------------------------

Date: Fri, 22 Jun 2018 18:57:12 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Hacker figured out how to brute-force iPhone passcode (ZDNet)

https://www.zdnet.com/article/a-hacker-figured-out-how-to-brute-force-an-iphone-passcode/

------------------------------

Date: Mon, 25 Jun 2018 18:42:51 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Supreme Court says police need a warrant for historical cell location records" (Zach Whittaker)

Zack Whittaker for Zero Day, 22 Jun 2018
The case was one of the long-awaited privacy legal decisions of the year.
http://www.zdnet.com/article/supreme-court-search-warrant-cell-location-records

------------------------------

Date: June 24, 2018 at 04:29:47 GMT+9
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: Why Hackers Aren't Afraid of Us (David E. Sanger)

David E. Sanger, *The New York Times*, 16 Jun 2018
The United States has the most fearsome cyberweaponry on the planet, but we won't use it for fear of what will come next
http://www.nytimes.com/2018/06/16/sunday-review/why-hackers-arent-afraid-of-us.html

WASHINGTON -- Ask finance ministers and central bankers around the world about their worst nightmare and the answer is almost always the same: Sometime soon the North Koreans or the Russians will improve on the two huge cyberattacks they pulled off last year. One temporarily crippled the British health care system and the other devastated Ukraine before rippling across the world, disrupting shipping and shutting factories -- a billion-dollar cyberattack the White House called ``the most destructive and costly in history.''

The fact that no intelligence agency saw either attack coming -- and that countries were so fumbling in their responses -- led a group of finance ministers to simulate a similar attack that shut down financial markets and froze global transactions. By several accounts, it quickly spun into farce: No one wanted to admit how much damage could be done or how helpless they would be to deter it.
Cyberattacks have been around for two decades, appearing in plotlines from ``Die Hard'' movies to the new novel by Bill Clinton and James Patterson. But in the real world, something has changed since 2008, when the United States and Israel mounted the most sophisticated cyberattack in history on Iran's nuclear program, temporarily crippling it in hopes of forcing Iran to the bargaining table. (The two countries never acknowledged responsibility for the attack.)

As President Barack Obama once feared, a cyberarms race of historic but hidden proportions has taken off. In less than a decade, the sophistication of cyberweapons has so improved that many of the attacks that once shocked us -- like the denial-of-service attacks Iran mounted against Bank of America, JPMorgan Chase and other banks in 2012, or North Korea's hacking of Sony in 2014 -- look like tiny skirmishes compared with the daily cybercombat of today.

Yet in this arms race, the United States has often been its own worst enemy. Because our government has been so incompetent at protecting its highly sophisticated cyberweapons, those weapons have been stolen out of the electronic vaults of the National Security Agency and the C.I.A. and shot right back at us. That's what happened with the WannaCry ransomware attack by North Korea last year, which used some of the sophisticated tools the N.S.A. had developed. No wonder the agency has refused to admit that the weapons were made in America: It raised the game of its attackers.

Nuclear weapons are still the ultimate currency of national power, as the meeting between President Trump and Kim Jong-un in Singapore last week showed. But they cannot be used without causing the end of human civilization -- or at least of a regime. So it's no surprise that hackers working for North Korea, Iran's mullahs, Vladimir V.
Putin in Russia and the People's Liberation Army of China have all learned that the great advantage of cyberweapons is that they are the opposite of a nuke: hard to detect, easy to deny and increasingly finely targeted. And therefore, extraordinarily hard to deter.

That is why cyberweapons have emerged as such effective tools for states of all sizes: a way to disrupt and exercise power or influence without starting a shooting war.

Cyberattacks have long been hard to stop because determining where they come from takes time -- and sometimes the mystery is never solved. But even as the United States has gotten better at attributing attacks, its responses have failed to keep pace. Today cyberattackers believe there is almost no risk that the United States or any other power would retaliate with significant sanctions, much less bombs, troops or even a counter cyberattack.

And though Secretary of Defense Jim Mattis has said the United States should be prepared to use nuclear weapons to deter a huge non-nuclear attack, including using cyberweapons, against its electric grid and other infrastructure, most experts consider the threat hollow.

At his confirmation hearings in March to become director of the N.S.A. and commander of the United States Cyber Command, Gen. Paul Nakasone was asked whether our adversaries think they will suffer if they strike us with cyberweapons. ``They don't fear us,'' General Nakasone replied.

------------------------------

Date: Tue, 19 Jun 2018 14:47:36 -0700
From: Richard M Stein <rmstein () ieee org>
Subject: Beijing subways to get bio-ID system (StraitsTimes)

http://www.straitstimes.com/asia/east-asia/beijing-subways-to-get-bio-id-system

"BEIJING (CHINA DAILY/ASIA NEWS NETWORK) - The Beijing subway system plans to introduce bio-recognition technology at stations this year to improve transport efficiency and reduce costs, a senior manager said.
"Two bio-recognition technologies - facial recognition and palm touch - are being considered, said Zhang Huabing, head of enterprise development for Beijing Subway, the operator of most lines in the city, during the International Metro Transit Exhibition in Beijing last Thursday (June 14). "Facial recognition technology can track passenger movements with cameras connected to online networks that recognise people when they enter a station, potentially allowing them to bypass traditional ticketing." A 21st century city needs a 21st century infrastructure. Tracking and surveillance of citizens is routine for an authoritarian government. Two systems, each keyed to a distinct biometric signature, increase correlation potential, and minimize false-positive/false-negative matches. Hope the reference compare files are consistent and accurate to avoid "rounding up the usual suspects." One step closer to P.K. Dick's "Minority Report" panoptic surveillance. ------------------------------ Date: Wed, 13 Jun 2018 19:48:20 -0700 From: Richard M Stein <rmstein () ieee org> Subject: Scanning immigrants old fingerprints, U.S. threatens to strip thousands of citizenship (WashPo) http://www.washingtonpost.com/world/national-security/scanning-immigrants-old-fingerprints-us-threatens-to-strip-thousands-of-citizenship/2018/06/13/2230d8a2-6f2e-11e8-afd5-778aca903bbe_story.html "The report said U.S. Immigration and Customs Enforcement (ICE) has 315,000 old fingerprint records being digitized and uploaded to the Homeland Security IDENT database. "Those prints can be compared with those already in the database. Foreigners who obtained American citizenship years ago and have been otherwise living quietly in the United States could be at risk of a knock at their doors." 
Biometrics, like other digital personal identifying information, are easy to store and retrieve for comparison purposes, though they can be forged (see http://catless.ncl.ac.uk/Risks/30/28%23subj5.1) Judicial findings against ICE's IDENT DB matches will be difficult to overturn until an independent audit discovers a content and/or metadata discrepancy that halts expulsions. ------------------------------ Date: Sun, 24 Jun 2018 11:43:36 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: M&A isn't what it used to be (Fortune) *Good help is hard to find.* One of the leading cryptocurrency producers, *Stellar*, is in talks to acquire *Chain*, the San Francisco-based startup building blockchain technology for the financial industry, for $500 million, to be paid in in Stellar's digital currency Lumens. The acquisition may be motivated more by the need to get Chain's engineering talent rather than its products -- a classic acquire, *Fortune* reports. http://click.email.fortune.com/%3Fqs%3D25e1b6512ea240afe48d4576335322695209118da8fd0311c5031a7f0a69ffd8b262e779eea1f42ce349d175d731870ed2c2254f314c2c7c I guess I'll create a digital currency, surely my broker will let me invest that. I'll mine a couple trillion dollars of it on my spare PC. ------------------------------ Date: Sun, 24 Jun 2018 17:15:01 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: A new way to do big data with entity resolution (Web Informant) I have this hope that most of you reading this post aren't criminals, or terrorists. So this might be interesting to you, if you want to know how they think and carry out their business. Their number one technique is called channel separation, the ability to use multiple identities to prevent them from being caught. Let's say you want to rob a bank, or blow something up. You use one identity to rent the getaway car. Another to open an account at the bank. And other identities to hire your thugs or whatnot. You get the idea. 
But in the process of creating all these identities, you aren't that clever: you leave some bread crumbs or clues that connect them together, as is shown in the diagram. http://blog.strom.com/wp/%3Fp%3D6586 Tradecraft. ------------------------------ Date: Wed, 20 Jun 2018 21:49:28 -0400 From: Monty Solomon <monty () roscom com> Subject: Tesla sues former employee for allegedly stealing gigabytes of data, making false claims to media. (CNBC) http://www.cnbc.com/2018/06/20/tesla-sues-former-employee-for-allegedly-stealing-gigabytes-of-data-making-false-claims-to-media.html ------------------------------ Date: Sun, 24 Jun 2018 11:45:50 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Show me the money (Fortune) *Show me the money*. Authors, software developers, and other creators could track and collect royalty payments directly using a new blockchain technology https://click.email.fortune.com/%3Fqs%3D25e1b6512ea240afb6961cb4545ed51c4253472d66d62cf90bcc10f9f08ed6f1e389bc9d06850a04292bb27cb946de9572d9b3a6b4b7ead4 announced by *Microsoft* and consulting firm *EY* on Wednesday. "The scale, complexity and volume of digital rights and royalties transactions makes this a perfect application for blockchains," Paul Brody, EY's global innovation leader for blockchain, tells /Fortune/. ...because blockchains are so much simpler and better understood. ------------------------------ Date: Thu, 21 Jun 2018 00:19:11 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Visa fingers 'very rare' datacentre switch glitch for payment meltdown (The Register) Visa has said a `very rare' partial network switch failure in one of its two data centres led to the fiasco earlier this month that caused millions of transactions in Europe to be declined. http://www.theregister.co.uk/2018/06/19/visa_pins_payment_problems_on_very_rare_fault_in_data_centre_switch/ Dang those partial failures -- so much worse than total failures. 
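The "bread crumbs" in the Web Informant item above (A new way to do big data
with entity resolution) are exactly what a fraud or insider-threat analyst
looks for: separately named records that share a phone number, an e-mail
address or a street address. The following is an added example, not code
from the Strom post, from RISKS, or from any entity-resolution product. It
normalizes the shared identifiers, indexes each one once so the linkage cost
stays linear in the number of records, and merges transitively connected
records with a union-find structure. The six sample records and all names,
numbers and addresses in them are constructed for the illustration.

```python
"""Entity resolution by transitive linkage of shared identifiers.

Added example, not part of the RISKS digest or the Web Informant post.
Records that carry different names but share a normalized phone number,
e-mail address or street address are merged into one cluster.  Sample
records are constructed; nothing here refers to real people.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Record = Dict[str, str]

# Constructed sample: three "channels" that leak into each other via shared attributes.
SAMPLE_RECORDS: List[Record] = [
    {"id": "r1", "name": "A. Smith",   "phone": "555-0101",   "email": "ASmith@Example.test", "address": "12 Elm St"},
    {"id": "r2", "name": "Alan Smyth", "phone": "(555) 0101", "email": "rent@example.test",   "address": "9 Oak Ave"},
    {"id": "r3", "name": "J. Doe",     "phone": "555-0199",   "email": "rent@example.test",   "address": "40 Pine Rd"},
    {"id": "r4", "name": "M. Chan",    "phone": "555-0150",   "email": "mchan@example.test",  "address": "77 Birch Ln"},
    {"id": "r5", "name": "Maria Chan", "phone": "555-0151",   "email": "maria@example.test",  "address": "77 birch ln "},
    {"id": "r6", "name": "R. Patel",   "phone": "555-0177",   "email": "rp@example.test",     "address": "3 Cedar Ct"},
]

LINK_KEYS = ("phone", "email", "address")


def normalize(key: str, value: str) -> str:
    """Canonicalize an identifier so trivially different spellings still match."""
    if key == "phone":
        return "".join(ch for ch in value if ch.isdigit())   # keep digits only
    return " ".join(value.lower().split())                   # case- and whitespace-fold


class DisjointSet:
    """Union-find: every record starts alone; sharing an identifier merges two sets."""

    def __init__(self, items: Iterable[str]) -> None:
        self.parent = {i: i for i in items}

    def find(self, x: str) -> str:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]      # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_edges(records: List[Record], keys=LINK_KEYS) -> List[Tuple[str, str, str, str]]:
    """Return (id_a, id_b, key, value) for records that share a normalized identifier.

    Each identifier is indexed once, so the work is linear in the number of
    records instead of comparing every pair.  The first holder of a value is
    linked to each later holder, which is enough for union-find to merge them.
    """
    index: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for rec in records:
        for key in keys:
            if rec.get(key):
                index[(key, normalize(key, rec[key]))].append(rec["id"])
    edges = []
    for (key, value), ids in index.items():
        for other in ids[1:]:
            edges.append((ids[0], other, key, value))
    return edges


def resolve(records: List[Record], keys=LINK_KEYS) -> List[List[str]]:
    """Cluster record ids that are transitively connected by shared identifiers."""
    ds = DisjointSet(rec["id"] for rec in records)
    for a, b, _, _ in link_edges(records, keys):
        ds.union(a, b)
    clusters: Dict[str, List[str]] = defaultdict(list)
    for rec in records:
        clusters[ds.find(rec["id"])].append(rec["id"])
    return sorted(sorted(members) for members in clusters.values())


if __name__ == "__main__":
    for cluster in resolve(SAMPLE_RECORDS):
        names = [r["name"] for r in SAMPLE_RECORDS if r["id"] in cluster]
        print(cluster, "->", names)
    for a, b, key, value in link_edges(SAMPLE_RECORDS):
        print(f"{a} ~ {b} via {key}={value!r}")
```

The edges returned by link_edges are the evidence an analyst would want to
see before acting on a merge: r1 and r2 share a phone number once the
formatting is stripped, r2 and r3 share an e-mail address, so all three
land in one cluster even though no single attribute ties r1 to r3. The
same transitivity is the failure mode to watch for in real data, where a
shared mailbox, office address or family landline will merge unrelated
people; in practice each key gets a weight and a merge below a threshold
is queued for human review rather than applied automatically.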
------------------------------

Date: Tue, 12 Jun 2018 23:30:03 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Recounting Horror Stories? Over Guitar Center's Warranties (NYTimes)

Former employees and customers at the giant music retailer described
problems with how it sells protection plans, particularly in Puerto Rico.

Guitar Center said in a statement for this article that it had been ``made
aware of an issue with some third-party protection plans that were sold in
Puerto Rico over the past 30 months.'' ``We found that -- despite our
policies and systems in place -- approximately 100 transactions including
at least a protection plan have been made with Puerto Rican addresses.''

The company said the transactions represented ``a tiny fraction'' of the
warranties that it sells. It blamed a ``glitch in our computer system in
2017 that inadvertently allowed orders with Puerto Rican addresses to have
protection plans processed,'' as well as ``a few employees acting outside
of our longstanding policy.''

http://www.nytimes.com/2018/06/07/business/guitar-center-warranty.html

Yeah, the system did it. That's the ticket, blame the evil system...

------------------------------

Date: Mon, 18 Jun 2018 20:20:21 -0600
From: "Matthew Kruk" <mkrukg () gmail com>
Subject: The Guy Who Robbed Someone at Gunpoint for a Domain Name Is
  Getting 20 Years in Jail (Motherboard)

How a meme and a failed armed robbery gave a whole new meaning to 'domain
hijacking.'

http://motherboard.vice.com/en_us/article/pavwj8/armed-robbery-domain-website-gunpoint-doitforstate

------------------------------

Date: Sat, 16 Jun 2018 23:31:23 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Clarinetist discovers his ex-girlfriend faked a rejection letter
  from his dream school (The Washington Post)

By this point, he and his girlfriend had already been broken up for more
than a year. Even so, it did not occur to him that she could be
responsible for impersonating him.

``I never would've even considered that the person I trusted the most
would have done something like this to me.''

But then one of his friends suggested the possibility that his
ex-girlfriend could be responsible. After all, when they dated, Abramovitz
essentially lived with her, leaving his computer easily accessible to her.
She knew his passwords and could have easily logged on to his email.

In May 2016, Abramovitz and his friend tried logging on to the email
account that sent the fake rejection letter, giladyehuda09 () gmail com.
Abramovitz remembered an old password the ex-girlfriend used for Facebook,
``and sure enough, we got right in.'' The ex-girlfriend's contact
information appeared clearly in the email account. The only exchange in
the Inbox was the rejection letter sent to Abramovitz.

http://www.washingtonpost.com/news/morning-mix/wp/2018/06/15/clarinetist-discovers-his-ex-girlfriend-faked-a-rejection-letter-from-his-dream-school/

Yeah, risks...

------------------------------

Date: Mon, 18 Jun 2018 17:52:12 -0700
From: Richard M Stein <rmstein () ieee org>
Subject: Internet TV firmware update/soft power-switch failure

While on vacation near Palm Springs, CA, the home we rented was equipped
with all manner of internet of mistakes devices, including a Samsung
SmartTV. At 0200 one morning, it switched on suddenly. Apparently, the
owners -- out of convenience or pure ignorance -- elected for firmware
auto-updates. The family was startled, as the volume had been boosted by
the flash memory save and reboot; the legacy off-state was not restored.
The line-of-sight TV controls remained operative.

Although the Samsung SmartTV possesses an "Eco Solution" feature that
auto-detects inactivity after 4 hours, or extended loss of signal, I cannot
help imagining if the upgrade either bricked these soft switches, or it
possessed a "thermal runaway" virus maliciously designed to ignite the
unit.

------------------------------

Date: Thu, 14 Jun 2018 17:26:29 -0700
From: Richard M Stein <rmstein () ieee org>
Subject: Ghost Cytometry May Improve Cancer Detection, Enable New
  Experiments (SciAm)

http://www.scientificamerican.com/article/ghost-cytometry-may-improve-cancer-detection-enable-new-experiments/

A fascinating discussion on a new cell sorting technique to characterize
morphology -- shape and type -- for disease detection.

They tweaked the typical cytometry setup and added a single-pixel detector
-- a camera that images one pixel at a time rather than thousands at once
-- creating a device that can generate a unique signature for
fluorescently labeled cells based on the light they emit. Essentially this
approach produces a ghost depiction of a cell's structure, an identifiable
pseudo-image based on the activated light particles. A machine-learning
algorithm then uses these ghost images to categorize the cells in real
time, and another device sorts the incoming cells into separate
compartments.

Although some flow cytometers have been able to image cells for several
years, ``this is the first instrument that allows the physical sorting of
cells based on their morphology,'' Anne Carpenter, a computational
biologist at the Broad Institute of MIT and Harvard who was not involved
in the work, wrote in an e-mail. ``This is revolutionary.''

No mention of the learning algorithm training regimen -- possibly steepest
descent, and the potential to get trapped at a false optimization point.
One needs to ask what the certification/license requirements are to market
this device. Do the certification requirements mirror those for embedded
medical devices, where a manufacturer only has to show "similarity" to
legacy equivalent products, and skip randomized controlled trials?

------------------------------

Date: Mon, 18 Jun 2018 17:27:00 -0700
From: Rob Slade <rmslade () shaw ca>
Subject: Creating bizarre interfaces

It used to be called human-factors engineering when I went to school.
Making sure that the system was as obvious and transparent as possible for
the user.

Since somewhat prior to the assassination of the CISSPforum by ISC2 (no,
I'm not bitter. Why do you ask?), I've been exploring the interface for
the new "community." One of the topics has been "labels," and particularly
searching for labels.

http://community.isc2.org/t5/Customer-Support/What-s-the-difference-between-labels-and-tags/m-p/11584
or http://is.gd/jgVt7

SamanthaO_isc2 has been helpful, and wrote:

"I wanted to provide an update to you about searching and labels. We have
enabled a filter for labels on the search page. While this does not allow
you to search for labels directly, here is where you can see the various
labels used throughout the Community, and filter results by certain
labels."

I couldn't find what she was talking about. So she posted a screen shot
which showed that you could search on location ("board"), label, author,
date, metadata, type of post, and contents with a series of buttons or
drop downs. But these didn't show up when I went to the search page, so
*I* posted a screen shot, showing that the buttons weren't there.

And then denbesten posted:

"If my window is 27cm wide, it looks like @rslade's screenshot. If 28cm,
it looks like @SamanthaO_isc2's."

He's right. (Well, pretty much right: the measurement on my screen seems
slightly less, so I think it has to do with pixels, but ...) That *never*
would have occurred to me. Given the lack of privacy (see
http://catless.ncl.ac.uk/Risks/30/71#subj23), you can test it out for
yourself at http://community.isc2.org/t5/forums/searchpage/tab/message

Of course, now that it's been pointed out, I can see that you might want
to reduce the complexity of the screen for mobile devices. But you might
want to do it in such a way that it was obvious something was hidden or
missing.

I think I'll go back to researching security implications of quantum
computing. It's simpler ...

(So, if I put the window in the top left corner of the screen does it
change languages?)

------------------------------

Date: Thu, 14 Jun 2018 13:42:39 -0400
From: Tony Harminc <tharminc () gmail com>
Subject: More dodgy numbers - LinkedIn this time

LinkedIn shows my age (for advertising purposes) as 55-2147483647. They
are not wrong.

------------------------------

Date: Thu, 21 Jun 2018 09:28:23 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Maybe they'll accept postcard calls for help

*This is a message from Fairfax Alerts*

Verizon Wireless is experiencing an outage affecting 9-1-1 and ten-digit
dialing. Fairfax County residents can text 9-1-1 from a Verizon phone as
an alternate.

------------------------------

Date: Thu, 21 Jun 2018 22:16:06 -0400
From: Ed Ravin <eravin () panix com>
Subject: Re: Another risk of driverless cars (PGN, RISKS-30.72)

You don't need to drive to an area without coverage to give your cell
phone a denial-of-service attack -- cell service is subject to many other
modes of interference. For example, the Evanston, Illinois incident
described in RISKS-29.88, where a faulty neon sign power supply emitted RF
signals sufficient to block cell service in the immediate area (and also
block car owners from using their wireless dongles, which is what made
that item RISKS-worthy). Stingray-style devices can also target individual
phones (or vehicles with built-in phones) and block or corrupt their
outgoing calls.

I'm looking forward to the presentation at Black Hat 2025, where
researchers will show how to subvert every current model of driverless
vehicle with a combination of wireless network attacks, cell phone
interference to block the remote emergency "driver", LIDAR attacks like
those described in http://eprint.iacr.org/2017/613 and spoofed
law-enforcement overrides. It's going to be such a mess we're going to
need a new name for it, maybe "the Internet of Things, on wheels".

------------------------------

Date: Wed, 13 Jun 2018 14:36:29 +0100
From: "Wol's lists" <antlists () youngman org uk>
Subject: Re: Microsoft, Github, & distributed revision control (Ohno)

This completely misunderstands what git and github are - the whole point
of git is that every developer has an identical copy of the source
repository. "Migrating away" in this sense is as simple as creating an
account on another central service and doing a push.

The problem is that Github does a lot more than just host your program -
it provides all the infrastructure behind it like bug tracking,
enhancement requests, communications forum etc. THIS is value-add which
git does not provide, and THIS is what is not easy to migrate from one
central service to another.

------------------------------

Date: [lost]
From: R A Lichtensteiger <risks () throwawaydomain com>
Subject: Re: Florida skips gun background checks for a year after employee
  forgets login (Goldberg, RISKS-30.82)

This blog post is incorrect and misleading. The Florida Department of
Agriculture Licensing department did, in fact, perform the required
background checks on applicants for licenses to carry concealed weapons
or firearms. According to later news reports checks were done through
FCIC (Florida Criminal Information Computer system) and NCIC (National
Criminal Information Computer system -- the national FBI fingerprint data
base) and they also did a NICS check (National Instant Check System),
which is the name-based background check system.

What did NOT happen was that 365 applications where the background check
flagged one or more disqualifiers were not immediately rejected. That is a
problem. But it is NOT the same problem as claiming that the checks weren't
done. It's also 0.001% of the applications processed during that time
period. It should also be noted that this was on LICENSE APPLICATIONS, not
purchases of firearms.

So 365 people who shouldn't have gotten licenses did. When the failure was
discovered, those 365 licenses were reviewed (as they should have been
initially). 74 were cleared and 291 still had disqualifiers.

As a final observation, the same NICS check that was part of the
background check for the application is done, per federal law, at EVERY
sale at a gun dealer, so any PURCHASES by these people would have been
flagged by ATF and denied.

http://www.orlandoweekly.com/Blogs/archives/2018/06/11/florida-revoked-291-concealed-weapons-permits-after-putnams-office-failed-to-review-background-checks

The risks? Myriad:
1) Relying on a cybersecurity blog for mainstream news
2) Rushing to be the first one to post on Risks and not waiting until the
   facts were reported.
3) Drawing Risks into US gun politics.

------------------------------

Date: Wed, 13 Jun 2018 13:40:59 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Re: Florida skips gun background checks for a year after employee
  forgets login (Lichtensteiger)

0. Thanks for your response.
1. Often cybersecurity blogs are only place reporting cybersecurity risks
   -- at first, or (sometimes) ever.
2. Ditto. Posting isn't "rushing", it's reporting on what's been seen.
   Then come responses.
3. Rather than related to gun politics, this was reported as a forgotten
   password issue. It could have been a state DMV or NRA. It happened to
   be related to firearms -- but that doesn't make it off topic/limits.
------------------------------

Date: Tue, 5 May 2018 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing
     on the keywords in the subject line or cited article leads.
   Apologies for what Office365 and SafeLinks have done to URLs. I have
   tried to extract the essence.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.73
************************