The Iowa Hot Lotto fraud scandal has now been resolved. A programmer who happened to be the info-security head for the Multi-State Lottery Association managed to slip a piece of code into the proprietary system that changed the randomness on just three chosen days in the year. This enabled a would-be payoff of $14.3M. The collaborators were detected when they attempted to collect. http://www.nytimes.com/interactive/2018/05/03/magazine/money-issue-iowa-lottery-fraud-mystery.html This is reminiscent of the Harrah's Tahoe six-slot-machine progressive payoff noted way back in RISKS-1.01 (where a shill chosen to collect the payoff never showed up, because he had a record and feared exposure [perhaps he was in a witness-protection program?]), and the more recent Breeders' Cup off-track pick-six $3M scam (RISKS-22.33, 38, 39, 40)—in which bets on the first four races were altered by an insider after those races were over, and the next races wildcarded to cover all possible horses, but in a system in which the bets were never transmitted until after the fourth race (to save bandwidth?). The combination of proprietary code that cannot be inspected externally and the insider being the IT security person should recall the corresponding situation with proprietary election systems that can be hacked or rigged by insiders. [And then read Gene Wirchenko's next item! PGN]
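An added example (not code from the RISKS item, from the lottery's own system, or from the Multi-State Lottery Association): a black-box audit that treats a draw generator as a function of an entropy seed and an injected clock, and flags the days on which its output changes with the date or stops depending on the seed, which is exactly what a "randomness changes on three chosen days" backdoor looks like from outside. The two generators, the 1..47 draw format and the trigger dates are all constructed for illustration.

```python
import random
from collections import Counter
from datetime import date, timedelta
from typing import Callable, Dict, List, Tuple

# A draw generator maps (entropy seed, draw date) to the numbers drawn.
Draw = Tuple[int, ...]
Generator = Callable[[bytes, date], Draw]


def clean_generator(seed: bytes, draw_date: date) -> Draw:
    """Constructed reference: six numbers from 1..47 derived from the seed only.
    The draw date is accepted so both generators share one interface, and ignored."""
    rng = random.Random(seed)
    return tuple(sorted(rng.sample(range(1, 48), 6)))


# Constructed trigger days (month, day); they are not the dates from the real case.
TRIGGER_DAYS = {(5, 27), (11, 23), (12, 29)}


def suspect_generator(seed: bytes, draw_date: date) -> Draw:
    """Constructed toy of the date-conditioned behaviour the item describes:
    on a few chosen days the entropy seed is discarded and the draw is derived
    from the calendar date alone, so it no longer depends on the entropy source."""
    if (draw_date.month, draw_date.day) in TRIGGER_DAYS:
        seed = draw_date.isoformat().encode()
    return clean_generator(seed, draw_date)


def audit_generator(gen: Generator, year: int, seed_a: bytes,
                    seed_b: bytes) -> Dict[str, List[str]]:
    """Exercise gen on every day of `year` with an injected clock and report the
    days (as ISO strings) on which it breaks either property:
      - clock independence: the same seed must give the same draw on every day;
      - seed dependence: two different seeds must not give the same draw."""
    days = []
    d = date(year, 1, 1)
    while d.year == year:
        days.append(d)
        d += timedelta(days=1)
    draws_a = {d: gen(seed_a, d) for d in days}
    # The draw produced on most days is taken as the generator's honest output,
    # so the check still works if a trigger happens to fall on January 1.
    expected = Counter(draws_a.values()).most_common(1)[0][0]
    findings: Dict[str, List[str]] = {}
    for d in days:
        reasons = []
        if draws_a[d] != expected:
            reasons.append("output depends on date")
        if draws_a[d] == gen(seed_b, d):
            reasons.append("output ignores entropy seed")
        if reasons:
            findings[d.isoformat()] = reasons
    return findings


if __name__ == "__main__":
    for name, gen in (("clean", clean_generator), ("suspect", suspect_generator)):
        print(name, audit_generator(gen, 2010, b"entropy-a", b"entropy-b") or "no findings")
```

The same harness can be pointed at a vendor binary through a wrapper that injects the clock, which is the kind of external check the item says proprietary systems do not get.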
J.M. Porup, CSO, 2 May 2018 http://www.csoonline.com/article/3269297/security/online-voting-is-impossible-to-secure-so-why-are-some-governments-using-it.html If you thought electronic voting machines were insecure, wait until you meet online voting. selected text: A researcher at the University of Melbourne in Australia, Teague has twice demonstrated massive security flaws in the online voting systems used in state elections in Australia—including one of the largest deployments of online voting ever, the 2015 New South Wales (NSW) state election, with 280,000 votes cast online. The response? Official complaints about her efforts to university administrators, and a determination by state election officials to keep using online voting, despite ample empirical proof, she says, that these systems are not secure. While insecure voting machines have received most of the attention since the 2016 U.S. presidential election, states and municipalities continue to use -- even enthusiastically adopt—web-based online voting, including 31 states in the U.S., two provinces in Canada, and two states in Australia. Wales in the UK is pushing hard for online voting. The country of Estonia uses online voting for its national elections. Security researchers point out flaws; election officials get angry and ignore security issues that threaten the integrity of the voting results. Teague's story repeats itself around the world. The NSW state election of 2015 was so insecure that one seat in the upper house of the state parliament may have been decided by hacked votes. In response to the scandal, the electoral commission went to great lengths to avoid transparency regarding the security issues Teague and her team reported, and only revealed the true nature of the problem under close questioning in state parliament a year later. Before the election, the state electoral commission told the Australian Broadcasting Corporation (ABC) that "People's vote is completely secret... 
It's fully encrypted and safeguarded, it can't be tampered with." Yet it took researchers only a few days to identify fatal flaws in the online voting web application that could have easily been used to spy on and even modify every single vote cast online, and to do so in an undetectable manner. The NSW electoral commission initially reported after the election that there were no anomalies seen while using the online voting platform, but a year later, under questioning in state parliament, admitted that there were, in fact, significant anomalies reported by voters. More than 600 voters who attempted to verify their votes using a rudimentary telephone-based system were unable to do so—a 10 percent failure rate, enough to call into question the voting result of the state election. "That to me is the bottom line," Teague says. "The really important thing is that we didn't find out the truth at the time."
Charlie Osborne for Zero Day, 1 May 2018 http://www.zdnet.com/article/krack-wi-fi-vulnerability-strikes-medical-devices/ selected text: Medical devices produced by Becton, Dickinson and Company (BD) are vulnerable to the infamous KRACK bug, potentially exposing patient records. Discovered in October, KRACK, which stands for Key Reinstallation Attack, exploits a flaw in the Wi-Fi Protected Access II (WPA2) protocol which is used to secure modern wireless networks. If exploited, KRACK gives threat actors the key required to join wireless networks which would otherwise require a password for authentication. Once they have joined, they can snoop on network traffic, perform Man-in-The-Middle (MiTM) attacks, hijack connections, and potentially send out crafted, malicious network packets. In a security bulletin, BD said that successful exploit in a select range of products could also lead to patient record changes or exfiltration, as well as major IT disruptions.
Zack Whittaker for Zero Day, 2 May 2018 The bug in the industrial control software could leave power and manufacturing plants exposed. A severe vulnerability in a widely used industrial control software could have been used to disrupt and shut down power plants and other critical infrastructure. http://www.zdnet.com/article/critical-security-flaw-schneider-industrial-software-power-plants-vulnerabilty/
By Liam Tung | May 3, 2018—12:42 GMT (05:42 PDT) | Topic: Security The moral? Don't roll your own crypto, security researcher tells Oracle. http://www.zdnet.com/article/oracle-access-manager-security-bug-so-serious-it-let-anyone-access-protected-data/ selected text: A bug that Oracle recently patched broke the main functionality of Oracle Access Manager (OAM), which should only give authorized users access to protected enterprise data. However, researchers at Austrian security firm SEC-Consult found a flaw in OAM's cryptographic format that allowed them to create session tokens for any user, which the attacker could use to impersonate any legitimate user and access web apps that OAM should be protecting. "What's more, the session cookie crafting process lets us create a session cookie for an arbitrary username, thus allowing us to impersonate any user known to the OAM."
The Commonwealth Bank of Australia, who are in enough trouble as it is with major scandals, did not tell its customers that some "tapes" went missing on their way to be destroyed. http://www.smh.com.au/business/banking-and-finance/almost-20-million-bank-account-records-lost-by-commonwealth-bank-20180502-p4zd02.html "The tapes contained customer names, addresses, account numbers and transaction details from 19.8 million accounts spanning 2000 to early 2016. They did not contain passwords, PINs or other data which could be used to enable account fraud, CBA said in a statement on Wednesday night after BuzzFeed broke the story." So, plenty of account numbers and transaction details etc., but we've got nothing to worry about, right? Perhaps they should be reading RISKS... Dave Horsfall VK2KFU North Gosford NSW 2250 Australia
Tech insiders have finally started admitting their mistakes—but the solutions they are offering could just help the big players get even more powerful. http://www.theguardian.com/news/2018/may/03/why-silicon-valley-cant-fix-itself-tech-humanism
Liam Tung, ZDNet, 2 May 2018 The Google Maps URL-sharing feature allows scammers to send victims to any site they choose. Scammers are using the Google Maps URL-sharing feature to direct victims not to Maps but any shady website the crooks want. According to security firm Sophos, scammers are taking advantage of the fact the URL sharing feature in Google Maps isn't an official product and lacks a mechanism to report scammy links. That's unlike Google's soon-to-be retired URL shortener goo.gl, which can be used to conceal links to malware or phishing sites, but also has a simple way for recipients to report scam links. http://www.zdnet.com/article/google-maps-user-beware-attackers-using-url-sharing-to-send-you-to-shady-sites/
http://www.bbc.com/news/technology-43982522 Swarm intelligence is complicated to coordinate. "I believe everything happens for a reason. Usually, the reason is that somebody screwed up." (From Maxine—the Hallmark Shoebox card character on 23JUN2007).
https://www.washingtonpost.com/business/economy/when-a-stranger-takes-your-face-facebooks-failed-crackdown-on-fake-accounts/2018/05/04/d3318838-4f1a-11e8-af46-b1d6dc0d9bfe_story.html%3Fnoredirect%3Don%26utm_term%3D.fc1e7548ed66 Perhaps a biometric supplement would boost authentication accuracy? Would be good to learn Facebook user profile photo match rate against the FBI's NCIC to test hit/miss rate. How many convicted felons or fugitives use Facebook? Given this information, update T&Cs to hedge against authentication theft.
Franklin Foer, *The Atlantic*, May 2018 Issue The digital manipulation of video may make the current era of fake news seem quaint. http://www.theatlantic.com/magazine/archive/2018/05/realitys-end/556877/ EXCERPT: In a dank corner of the Internet, it is possible to find actresses from Game of Thrones or Harry Potter engaged in all manner of sex acts. Or at least to the world the carnal figures look like those actresses, and the faces in the videos are indeed their own. Everything south of the neck, however, belongs to different women. An artificial intelligence has almost seamlessly stitched the familiar visages into pornographic scenes, one face swapped for another. The genre is one of the cruelest, most invasive forms of identity theft invented in the Internet era. At the core of the cruelty is the acuity of the technology: A casual observer can't easily detect the hoax. This development, which has been the subject of much hand-wringing in the tech press, is the work of a programmer who goes by the nom de hack *deepfakes*. And it is merely a beta version of a much more ambitious project. One of deepfakes' compatriots told Vice's Motherboard site in January that he intends to democratize this work. He wants to refine the process, further automating it, which would allow anyone to transpose the disembodied head of a crush or an ex or a co-worker into an extant pornographic clip with just a few simple steps. No technical knowledge would be required. And because academic and commercial labs are developing even more-sophisticated tools for non-pornographic purposes—algorithms that map facial expressions and mimic voices with precision—the sordid fakes will soon acquire even greater verisimilitude. The Internet has always contained the seeds of postmodern hell. Mass manipulation, from clickbait to Russian bots to the addictive trickery that governs Facebook's News Feed, is the currency of the medium. 
It has always been a place where identity is terrifyingly slippery, where anonymity breeds coarseness and confusion, where crooks can filch the very contours of selfhood. In this respect, the rise of deepfakes is the culmination of the Internet's history to date -- and probably only a low-grade version of what's to come.
http://www.straitstimes.com/singapore/souped-up-smartphones-robots-to-help-police-fight-crime-more-effectively "New technology unveiled on Thursday (May 3) will make it easier for the police to fight crime and enforce the law. "Souped-up smartphones will allow officers to respond faster and more effectively to incidents, as well as call up key information on a case. Robots on patrol can aid in the detection of suspicious activities, and handheld scanners will make it easier to take real-time 3D scans of crime scenes to aid in crime solving." The article has several photos (showing 3 unique autonomous patrol unit configurations) and lists the autonomous patrol unit's h/w specification.
http://www.zdnet.com/article/github-says-bug-exposed-account-passwords/ Zack Whittaker for Zero Day, 1 May 2018 A small but unspecified number of GitHub staff could have seen plaintext passwords. GitHub has said a bug exposed some user passwords—in plaintext.
https://www.nytimes.com/2018/04/28/opinion/sunday/gaming-the-system.html "My gamified life may be nutty and sad, but it doesn't hurt anyone. At least that's what I thought until a few months ago, when my new car insurance company, Liberty Mutual, invited me to join a program its website describes this way: Using a small device that observes your driving habits, we'll notice the safe choices you're making on the road and reward you for them. The company promised a rate reduction of at least 5 percent and up to 30 percent, based on driving performance over a three-month period. Best of all, an app would let me track the size of my discount in real time." Technology gamifies our lives as consumers—a dopamine burst sustains product interest boosted by a loyalty discount, while data capture algorithms gleefully score your profile. Several economics Nobel prizes attest to reward incentive influence on consumer behavior. Is gamification deployed by social media bots that promote political candidates? Is gamification deployed by industries opposing environmental or health legislation? Has gamification emerged as a new public health threat exploiting the brain's addiction channel? See RISKS-29.21 for the first mention of 'gamification' in comp.risks: "The brain-imaging experiment showed how the students concentrated and learned better when studying was part of a game."
http://arstechnica.com/tech-policy/2018/04/france-seizes-france-com-from-man-whos-had-it-since-94-so-he-sues/ Nice domain you have there. Would be a shame if anything happened to it...
University of California, San Diego (04/24/18) Ioana Patringenaru via ACM TechNews, Wednesday, 2 May 2018 Researchers at the University of California, San Diego and the University of California, Berkeley have created a nearly-transparent eel-like robot that can swim silently in salt water using artificial muscles. Critical to the new technology is the use of the salt water in which the robot swims, to generate the electrical forces that propel it. The robot delivers negative charges to the water just outside itself, and positive charges inside the robot to trigger its muscles to bend, creating the robot's swimming motion. The charges carry very little current, making them safe for marine life. The technology is an important step toward a future when soft robots can swim in the ocean alongside fish and invertebrates without harming them, the researchers say. [The technology is fascinating, with lots of opportunities here. Risks? Sharks might devour but not digest the robots, heat-sensing creatures might cuddle up to them, or even befriend them, or redirect robots that are stealthy torpedoes to another target! PGN]
http://www.nytimes.com/2018/04/29/world/europe/uk-autopilot-driver-no-hands.html The British man was barred from driving for 18 months after being videotaped sitting with his hands behind his head, cruising at 40 miles per hour in *heavy* traffic.
http://www.nytimes.com/2018/04/27/realestate/is-my-not-so-smart-house-watching-me.html Smart-house technology has made it easier to turn on the lights and set the thermostat, but sometimes objects go rogue.
http://www.nytimes.com/2018/04/18/technology/personaltech/online-advertising-tracking.html Sapna Maheshwari, who covers advertising for The Times, discusses how she tracks the online ads that track us.
Criminals have discovered another use for drones—to distract and spy on law enforcement. They recently tried to thwart an FBI hostage rescue, Joe Mazel, chief of the FBI's operational technology law unit, said this week, according to a report by news site Defense One. Mazel, speaking at the AUVSI Xponential drone conference in Denver, said that criminals launched a swarm of drones at an FBI rescue team during an unspecified hostage situation near a large U.S. city, confusing law enforcement. The criminals flew the drones at high speed over the heads of FBI agents to drive them away while also shooting video that they then uploaded to YouTube as a way to alert other nearby criminal members about law enforcement's location. http://fortune.com/2018/05/04/drone-fbi-hostage-criminals/
via NNSquad http://www.washingtonpost.com/news/the-switch/wp/2018/05/03/facebooks-dating-service-is-a-chance-to-meet-the-catfisher-advertiser-or-scammer-of-your-dreams/ The love-seeking singles of Facebook's new dating service, privacy experts say, may not be prepared for what they'll encounter: sham profiles, expanded data gathering and a new wave of dating fraud. Facebook—under fire for viral misinformation, fake accounts and breaches of tr[sic]
Nathaniel Popper, The New York Times, 29 Apr 2018 http://www.nytimes.com/2018/04/29/technology/blockchain-iso-russian-spies.html EXCERPT: Russian interest in the technology surrounding virtual currencies, like in this crypto-mining operation in Moscow, is growing. Last year, employees of Russia's spy agency attended a meeting where international standards for the so-called blockchain were discussed. Andrey Rudakov/Bloomberg SAN FRANCISCO—Last year, representatives of 25 countries met in Tokyo to work on setting international standards for the blockchain, the technology that was introduced by the virtual currency Bitcoin and has ignited intense interest in corporate and government circles. Some of the technologists at the meeting of the International Standards Organization were surprised when they learned that the head of the Russian delegation, Grigory Marshalko, worked for the FSB, the intelligence agency that is the successor to the KGB. They were even more surprised when they asked the FSB agent why the Russians were devoting such resources to the blockchain standards. "Look, the Internet belongs to the Americans—but blockchain will belong to us," he said, according to one delegate who was there. The Russian added that two other members of his country's four-person delegation to the conference also worked for the FSB. Another delegate who had a separate conversation with the head of the Russian group remembers a slightly different wording: "The Internet belonged to America. The blockchain will belong to the Russians." Both of the delegates who recounted their conversations did so on the condition of anonymity, because discussions at the International Standards Organization are supposed to be confidential. Neither the Russian organizations overseeing the delegation to the ISO nor the Russian delegates responded to requests for comment.
Kai Stinchcombe, Medium, 5 Apr 2018 [Via Dave's IP distribution] http://medium.com/%40kaistinchcombe/decentralized-and-trustless-crypto-paradise-is-actually-a-medieval-hellhole-c1ca122efdec Blockchain is not only crappy technology but a bad vision for the future. Its failure to achieve adoption to date is because systems built on trust, norms, and institutions inherently function better than the type of no-need-for-trusted-parties systems blockchain envisions. That's permanent: no matter how much blockchain improves it is still headed in the wrong direction. This December I wrote a widely-circulated article on the inapplicability of blockchain to any actual problem. People objected mostly not to the technology argument, but rather hoped that decentralization could produce integrity. [...]
Bitcoins remind me of a story from the late chair of the Princeton U. astronomy department. In 1950 Immanuel Velikovsky published "Worlds in Collision", a controversial best-selling book that claimed that 3500 years ago Venus and Mars swooped near the earth, causing catastrophes that were passed down in religions and mythologies. The astronomer was talking to an anthropologist at a party and the book came up. "The astronomy is nonsense," said the astronomer, "but the anthropology is really interesting." "Funny," replied the anthropologist, "I was going to say almost the same thing." Bitcoin and blockchains lash together an unusual distributed database with a libertarian economic model. People who understand databases realize that blockchains only work as long as there are incentives to keep a sufficient number of non-colluding miners active, preventing collusion is probably impossible, and that scaling blockchains up to handle an interesting transaction rate is very hard, but that no-government money is really interesting. People who understand economics and particularly economic history understand why central banks manage their currencies, thin markets like the ones for cryptocurrencies are easy to corrupt, and a payment system needs a way to undo bogus payments, but that free permanent database ledger is really interesting. Not surprisingly, the most enthusiastic bitcoin and blockchain proponents are the ones who understand neither databases nor economics.
Or not. http://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.
http://medium.com/%40enkiv2/against-trendism-how-to-defang-the-social-media-disinformation-complex-81a8e2635956 There's an essential mistake that almost every social media platform makes -- one inherited from marketing (where it makes some sense), and one that is mostly unexamined and unaccounted-for even in otherwise fairly socially-conscious projects like Mastodon and Diaspora. In almost every one of these systems, incentives exist that confuse popularity with value. I call this *trendism*—the belief that an already-trending topic deserves to be promoted. In marketing, because the piece of information being spread is intended to sell a product, the spread of that information is, in fact, theoretically proportional to its value. In social media, the information being spread is not a piece of advertising, and while most of these systems have revenue models based on advertising, that advertising is generated on the fly based on the viewer's browsing history and has nothing to do with the content of the piece of information being spread. The thing is, ideas travel in packs. When we encounter one idea, we tend to see its nearest neighbours also. When we find out something new, our friends hear about it too. So, trending posts are rarely surprising: by the very nature of their popularity, they are already familiar in their essence to most of the people who are directed toward them. The information content of a message, in Claude Shannon's formulation, is proportional to its deviation from expectation—information is surprise. Kolgorov's [Kolmogorov? PGN] formulation is similar: information content proportional to the smallest possible message that could say the same thing (which, of course, includes references to earlier messages or prior knowledge as a possible tactic). In other words, from an information-theoretic perspective, a post that only tells you things you already know is worthless. 
Yet, trending content is almost always composed solely of things the viewer has already seen. There's one piece of information that a copy of a viral post actually has -- the association between the content of the post and the person posting it. We share posts we've already seen as a way of expressing our identity, both personally and within a group. That is the only form of information valued by trending-oriented systems: tribal affiliation. If we want to force our social media platforms into information-rich environments and lower the amount of tribal rivalry we are exposed to, there are a couple of general-purpose solutions, and they all come down to kneecapping the machinery of trendism.

1. Rather than block political content (only one kind of tribalist content, and one that is at least theoretically grounded in genuine philosophical differences about the ideal shape of the world, rather than geography or social groups), we should block all shared content. Remove retweets and shares from your feed entirely. Most of them are things you have already seen, and most of the rest don't contain meaningful or useful information.

2. Emotionally-manipulative posts get the most engagement, and are therefore ranked higher in feeds. (I don't want to be emotionally manipulated. Do you?)* To defeat this ranking, force your feed to reverse-chronological order. To filter out emotionally-manipulative posts, filter out anything with more than a set number of interactions.

3. Avoid being part of the problem. Before sharing, determine: is the information true? Is it new? Is it playing mostly on my emotions? If possible, delay your sharing for a long period of time—read an article, and then wait a few hours, or even a few days, before deciding whether or not it is of sufficient quality to actually re-post.

4. Identify when you are being drawn into heated arguments, and ignore them. In the heat of the moment, you're not actually making good points anyhow, and you're more likely to misunderstand or misrepresent your opponent. The suggestions from #3 apply here too for comments—make sure your comments are accurate, informative, and cool, even if that means waiting several days to respond. Never let the system rush you.

5. Visible metrics gamify trendism. Remove them.

Most social media platforms don't make it easy to follow this advice. Mastodon is closest—it hides metrics from the timeline by default, supports only reverse-chronological post ordering, and allows you to filter all boosts from your timeline. For everything else, you will need to use browser extensions. Facebook Demetricator ... and Twitter Demetricator [...] [Truncated for RISKS. PGN]
Your otherwise-excellent article on data-hoovering connected cars doesn't mention the downside of manufacturers being able to update automobile software: risking bad updates and (worse) hackers abusing update mechanisms. Anyone who's endured PC/phone/tablet problems with vendor patches—even had devices "bricked" (made useless)—should be terrified of car updates made without owner permission. And everyone aware of today's hacking environment should refuse to purchase anything without understanding and consenting to its update mechanism.