The RISKS Digest
Volume 30 Issue 57

Thursday, 1st March 2018

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Using a Laser to Wirelessly Charge a Smartphone Safely Across a Room
James Orton
Bill Gates: Cryptocurrency is super-risky over the long-term
Emmie Martin
"Wine lovers cannot buy Burgundy as Google cracks down on 'gun' searches"
The Telegraph via Chris Drewe
"SAML protocol bug let hackers log in as other users"
Zack Whittaker via Gene Wirchenko
23,000 HTTPS certificates axed after CEO emails private keys
Ars Technica
New Orleans alleged to have secretly used Palantir predictive policing
CSO
Voice Assistants Are Being Built Into New Smart Home Products at CES 2018
Consumer Reports via Gabe Goldberg
I Wanna Go Fast: Why Searching Through 500M Pwned Passwords Is So Quick
TroyHunt
Weird attachment on ATM
Dave Horsfall
Artificial intelligence and national security
Allen/Chan via Diego Latella
Chrome Lets Hackers Phish Even 'Unphishable' Yubikey Users
WiReD
Re: The Myth of the Hacker-Proof Voting Machine
Mark E. Smith
Re: US Border Patrol Hasn't Validated E-Passport Data For Years
John Levine
Re: mystery deliveries from Amazon
John Levine
Info on RISKS (comp.risks)

Using a Laser to Wirelessly Charge a Smartphone Safely Across a Room (James Orton)

ACM TechNews <technews-editor@acm.org>
Wed, 28 Feb 2018 13:09:34 -0500
James Urton, UW News 20 Feb 2018,
  via ACM TechNews, Wednesday, February 28, 2018

Researchers at the University of Washington (UW) have developed a way to
safely charge a smartphone wirelessly across a room using a narrow,
near-infrared beam from a laser emitter.  The engineers mounted a thin power
cell to the back of the smartphone, and custom-designed safety features that
included a metal heat sink to dissipate excess heat and a reflector-based
mechanism to deactivate the laser in case someone attempts to move in the
beam's path.  "These features give our wireless charging system the robust
safety standards needed to apply it to a variety of commercial and home
settings," says UW professor Arka Majumdar.  The smartphone emits
high-frequency acoustic "chirps" so the emitter can detect when a user has
set the phone on the charging surface.  The team also notes the emitter can
be tweaked to expand the charging beam's radius to up to 100 square
centimeters from a distance of 12 meters.

http://www.washington.edu/news/2018/02/20/using-a-laser-to-wirelessly-charge-a-smartphone-safely-across-a-room/

  [This innovation might have some fascinating implications on security,
  reliability, and more.  PGN]


Bill Gates: Cryptocurrency is super-risky over the long-term (Emmie Martin)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Tue, 27 Feb 2018 16:13:33 -0700
Emmie Martin, CNBC, 27 Feb 2018
http://www.cnbc.com/2018/02/27/bill-gates-calls-cryptocurrency-super-risky-in-reddit-ama.html

  Bill Gates is not a fan of cryptocurrency.  During a recent "Ask Me
  Anything" session on Reddit, the Microsoft co-founder said that the main
  feature of cryptocurrencies is the anonymity they provide to buyers, and
  Gates thinks that can actually be harmful.

  "The government's ability to find money laundering and tax evasion and
  terrorist funding is a good thing," he wrote. "Right now, cryptocurrencies
  are used for buying fentanyl and other drugs, so it is a rare technology
  that has caused deaths in a fairly direct way."

  When a Reddit user pointed out that plain cash can also be used for
  illicit activities, Gates said that crypto stands out because it can be
  easier to use. "Yes—anonymous cash is used for these kinds of things,
  but you have to be physically present to transfer it, which makes things
  like kidnapping payments more difficult," he wrote.


"Wine lovers cannot buy Burgundy as Google cracks down on 'gun' searches" (The Telegraph)

Chris Drewe <e767pmk@yahoo.co.uk>
Thu, 01 Mar 2018 22:14:54 +0000
http://www.telegraph.co.uk/news/2018/02/27/wine-lovers-cannot-buy-burgundy-tipple-google-internet-giant
Wine lovers can no longer purchase their favourite Burgundy tipple using
Google's Shopping service after the Internet giant cracked down on search
queries featuring the term 'gun'.  Online shoppers have complained about
being unable to browse dozens of products such as Burgundy wine, water guns
                                                     ^^^               ^^^^
and music by American rock band Guns N' Roses.
                                ^^^^

  [Gabe Goldberg commented on the same article in Business Insider:
    "The risk? Computers doing what they're told."
  PGN]


"SAML protocol bug let hackers log in as other users" (Zack Whittaker)

Gene Wirchenko <genew@telus.net>
Wed, 28 Feb 2018 08:50:15 -0800
  [Bonus risk included!  (The headline states that the bug was in the protocol,
  but it is actually in the implementation.)]

Zack Whittaker for Zero Day, 27 Feb 2018
http://www.zdnet.com/article/saml-protocol-bug-puts-single-sign-on-accounts-at-risk/

A validation bug in how some single sign-on products implemented an open
authentication standard could have allowed an attacker to log in to a site
or service as though they were the victim they were targeting.

selected text:

But this new vulnerability lets an attacker take the authenticated response
to a login request and switch a portion with an attacker's information
instead.

That means an attacker can log in as though they were the victim they were
targeting.

The exploit works by modifying the response once a username and password have
been verified. It then sends a message back to the user's browser to log
them in. If an attacker modifies the response, the validating signature is
also meant to change—but if the signatures aren't properly checked, the
system is none the wiser.

Duo researchers said the results of the attack "varies greatly" between
services at risk by the bug.
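The validation failure described above, as an added example that is not from the article or from Duo's research: a toy service provider that only checks that a signature is present, beside one that recomputes the signature over the exact bytes it then parses. HMAC-SHA256 over the assertion stands in for XML-DSig (real SAML uses RSA or ECDSA over canonicalised XML), and the key, names and assertion are all constructed.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

# Constructed demo secret: stands in for the IdP's signing key (assumption).
IDP_KEY = b"constructed-shared-secret-for-demo"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion for the attacker's own, legitimate login.
ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<saml:Subject><saml:NameID>attacker@example.com</saml:NameID>"
    "</saml:Subject></saml:Assertion>"
)

def sign_assertion(assertion_xml: str) -> str:
    """IdP side: wrap the assertion in a Response carrying a MAC over its bytes."""
    mac = hmac.new(IDP_KEY, assertion_xml.encode(), hashlib.sha256).hexdigest()
    return f"<Response><Signature>{mac}</Signature>{assertion_xml}</Response>"

def _split(response_xml: str):
    """Return (signature, assertion bytes) or reject a malformed response."""
    m = re.fullmatch(r"<Response><Signature>([0-9a-f]+)</Signature>(.*)</Response>",
                     response_xml, re.S)
    if not m:
        raise ValueError("malformed response")
    return m.group(1), m.group(2)

def name_id(assertion_xml: str) -> str:
    return ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", NS).text

def login_vulnerable(response_xml: str) -> str:
    """SP that only checks a signature element exists, then trusts the NameID."""
    sig, assertion = _split(response_xml)
    if not sig:
        raise PermissionError("unsigned response")
    return name_id(assertion)

def login_hardened(response_xml: str) -> str:
    """SP that recomputes the MAC over the same bytes it is about to parse."""
    sig, assertion = _split(response_xml)
    expected = hmac.new(IDP_KEY, assertion.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("signature does not match assertion")
    return name_id(assertion)

def demo():
    """Swap the NameID in an already-signed response and try both verifiers."""
    forged = sign_assertion(ASSERTION).replace("attacker@example.com", "victim@example.com")
    try:
        login_hardened(forged)
        hardened = "accepted"
    except PermissionError:
        hardened = "rejected"
    return login_vulnerable(forged), hardened
```

Running `demo()` shows the presence-only check logging the tampered response in as victim@example.com while the recomputing check rejects it.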


23,000 HTTPS certificates axed after CEO emails private keys (Ars Technica)

Lauren Weinstein <lauren@vortex.com>
Thu, 1 Mar 2018 08:42:52 -0800
NNSquad
http://arstechnica.com/information-technology/2018/03/23000-https-certificates-axed-after-ceo-e-mails-private-keys/

  A major dust-up on an Internet discussion forum is touching off troubling
  questions about the security of some browser-trusted HTTPS certificates
  when it revealed the CEO of a certificate reseller emailed a partner the
  sensitive private keys for 23,000 TLS certificates.


New Orleans alleged to have secretly used Palantir predictive policing (CSO)

Gene Wirchenko <genew@telus.net>
Wed, 28 Feb 2018 14:12:50 -0800
https://www.csoonline.com/article/3259445/security/new-orleans-alleged-to-have-secretly-used-palantir-predictive-policing.html

The New Orleans Police Department is accused of secretly using
Palantir's predictive policing technology to predict who would cause
a crime or be a victim of it.
"Ms. Smith", *CSO*, 28 Feb 2018

The city of New Orleans and Palantir Technologies are accused of using the
city to secretly test Palantir's predictive policing technology since 2012.
Even the City Council allegedly was in the dark about the program that was
used to predict who was most likely to commit a crime or be a victim of it.

The Verge published a disturbing report about how the Palantir system
managed to fly under the radar for years. It alleges "Palantir established
it as a philanthropic relationship with the city through Mayor Mitch
Landrieu's signature NOLA For Life program. Thanks to its philanthropic
status, as well as New Orleans' 'strong mayor' model of government, the
agreement never passed through a public procurement process."

But it wasn't just in 2012; the partnership was reportedly extended three
times and was set to expire on Feb. 21, 2018. Neither New Orleans nor
Palantir would comment as to the program's current status.


Voice Assistants Are Being Built Into New Smart Home Products at CES 2018 (Consumer Reports)

Gabe Goldberg <gabe@gabegold.com>
Thu, 1 Mar 2018 16:03:19 -0500
The most private room in the house may not be so private anymore. At CES
2018, Kohler announced a line of connected kitchen and bath products called
Kohler Konnect, all of which work with Alexa, Google Assistant, and Apple
HomeKit for Siri.

The star of the lineup is Kohler's Verdera Voice Lighted Mirror, which has
microphones, speakers, and Amazon Alexa built in so it can answer questions
("What's the weather today?"), adjust its lights by voice ("Turn on shaving
mode"), and control other compatible devices around the house, including
Kohler's other connected products—no separate smart speaker required.

Kohler is just one of many manufacturers showing off products with Alexa or
Google Assistant baked right in. Other brands include iDevices, First Alert,
and GE Lighting.

http://www.consumerreports.org/smart-home/voice-assistants-coming-to-every-room-of-home-ces-2018/

Didn't Orwell's 1984 predict that mirror?


I Wanna Go Fast: Why Searching Through 500M Pwned Passwords Is So Quick (TroyHunt)

Monty Solomon <monty@roscom.com>
Tue, 27 Feb 2018 10:14:44 -0500
http://www.troyhunt.com/i-wanna-go-fast-why-searching-through-500m-pwned-passwords-is-so-quick/


Weird attachment on ATM

Dave Horsfall <dave@horsfall.org>
Tue, 27 Feb 2018 08:01:54 +1100
The "Krebs on Security" blog (KrebsOnSecurity.com) has a running series on
ATM skimmers, and some of them are quite dastardly (the skimmers I mean, not
the series).  Well, I saw a suspicious device on an ATM that I was about to
use; it was a box just above the card slot, clearly labeled "scanner", and
what looked like a window under it.

It turned out to be a sensor for the smart-card chip (common in the world
outside of the USA); I didn't try it, but all the same:

  If it's sniffing my card, how do I know it's legitimate, and:

  What better way to train the sheeple to get accustomed to funny
  attachments on ATMs?


Artificial intelligence and national security (Allen/Chan)

Diego Latella <Diego.Latella@isti.cnr.it>
Tue, 27 Feb 2018 13:44:31 +0100
G. C. Allen and T. Chan, Artificial intelligence and national security
http://thebulletin.org/artificial-intelligence-and-national-security11521
  [Suggested by F. Lenci, whom I thank for the notice.]

I've browsed the Executive Summary and Recommendations of this report:
G. C. Allen and T. Chan, Artificial intelligence and national security.  I
haven't read the full report yet, but it seems to me that, once again, the
issue of AI (and ICT) dependability as a general but fundamental feature of
the specific technology at hand is not addressed, while the advances in
machine learning and AI seem to be taken for granted as representing a
turning point in the use of automation in warfare.  In addition, as far as I
could see, there are no references to the ethical dimension of the
introduction of (lethal) autonomous weapons or AI tech in the battlefield.
Shouldn't computer scientists [and systems engineers], and in particular
those expert in computer ethics, dependability, trustworthiness,
correctness, etc. be more effective and active in this discussion?  [DL]

Dott. Diego Latella, CNR-ISTI, Via Moruzzi 1, 56124 Pisa, Italy
(http://www.isti.cnr.it)

  [The quest for a war-free world has a basic purpose: survival. But if in
  the process we learn how to achieve it by love rather than by fear, by
  kindness rather than compulsion; if in the process we learn how to combine
  the essential with the enjoyable, the expedient with the benevolent, the
  practical with the beautiful, this will be an extra incentive to embark on
  this great task.  Above all, remember your humanity.  Sir Joseph Rotblat]


Chrome Lets Hackers Phish Even 'Unphishable' Yubikey Users (WiReD)

Lauren Weinstein <lauren@vortex.com>
Thu, 1 Mar 2018 09:17:26 -0800
WiReD via NNSquad
http://www.wired.com/story/chrome-yubikey-phishing-webusb/

  There's no better way to protect yourself from the universal scourge of
  phishing attacks than with a hardware token like a Yubikey, which stymies
  attackers even if you accidentally hand them your username and
  password. But while Yubikey manufacturer Yubico describes its product as
  "unphishable," a pair of researchers has proven the company wrong, with a
  technique that allows clever phishers to sidestep even Yubico's last
  bastion of login protection.

It's important to note that this exploit category does NOT represent a flaw
in U2F itself, but essentially a side-channel vulnerability created by an
unrelated subsystem. This specific problem in Chrome will be straightforward
to fix, but does highlight the complexity of these security environments. As
the saying goes: Security is hard!

  [Caveat from Drew Dean channeling Kenn White on Twitter: This is
  apparently true only for the YubiKey Neo, which uses the CCID protocol
  over USB, not for the classic Blue, Nano, or 4 series.  PGN]


Re: The Myth of the Hacker-Proof Voting Machine (RISKS-30.56)

"Mark E. Smith" <mymark@gmail.com>
Tue, 27 Feb 2018 18:34:55 -0800
  ''This is an extraordinarily powerful tool if all you want to do is simply
  discredit democracy,'' [Douglas W.] Jones says. ''All you have to do is
  create the appearance of something having happened, even if it hasn't
  happened.''

If the risk is that of discrediting democracy, our electoral system in and
of itself serves that function already. As far as I can tell, that's what US
elections are designed to do: create the appearance of something having
happened, such as systemic or institutional change, even when nothing has
happened and the same big corporations are still financing both parties to
continue the same political agenda as before.


Re: US Border Patrol Hasn't Validated E-Passport Data For Years (Lily Hay Newman via Forno, RISKS-30.56)

"John Levine" <johnl@iecc.com>
27 Feb 2018 21:19:53 -0500
That is really pitiful.  Passport data use a standard PKI and they are
signed with the same kind of certificates that web sites use.  You can get
passport reading apps for phones that will show you what's on your
passport's chip.  US passports are signed with a CA from the US State
Department.

They don't even have to collect the certs, since the ICAO keeps the database
for the benefit of airlines that want to verify passengers' passports.


Re: mystery deliveries from Amazon (Manning, RISKS-30.56)

"John Levine" <johnl@iecc.com>
27 Feb 2018 20:59:45 -0500
In article <34.CMM.0.90.4.1519781441.risko@chiron.csl.sri.com3813> you write:
>While some of this may involve harassment the vast majority is probably
>related to the issue of Fake Reviews / "brushing".

Apparently not.  One of the articles mentioned that theory and Amazon
said that there aren't many reviews for unordered stuff.

  "Our review detection systems are trained to catch this type of
  behavior and we will continue our ongoing efforts to detect and
  prevent abuse. Our investigations thus far indicate that there have
  been few reviews written on these shipments. We have removed these and
  will continue to remove any we do find immediately. We will hold
  offenders that have violated our policies accountable," said a
  spokesperson for Amazon in a statement to ABC News.
