The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 69

Wednesday 16 May 2018

Contents

America continues to ignore the risks of election hacking (The New Yorker)
Russia Tried to Undermine Confidence in Voting Systems, Senators Say (NYTimes)
Virginia election officials assigned 26 voters to the wrong district (WashPo)
Securing Elections (Bruce Schneier)
Australian Emergency Calls Fail due to lightning strike (ABC AU)
Self-driving cars' shortcomings revealed in DMV reports (Merc)
VW bugs: "Unpatchable" remote code pwnage (TechBeacon)
Software bug led to death in Uber's self-driving crash (Ars Technica)
Deadly Convenience: Keyless Cars and Their Carbon Monoxide Toll (NYT)
The risk from robot weapons (via The Statesman/Asia News Network, published in The Straits Times)
Is technology bringing history to life or distorting it? (WashPo)
2,000 wrongly matched with possible criminals at Champions League (BBC AU)
KRACK Wi-Fi vulnerability can expose medical devices, patient records (Osborne, R 30 68)
Nigerian Email Scammers Are More Effective Than Ever (WiReD)
Dark code (DW)
Postmortem of Fortnite Service Outage (Epic Games)
Collateral damage (538)
Dozens of security cameras hacked in Japan (Mainichi)
Technology turns our cities into spies for ICE, whether we like it or not (LATimes)
The Digital Vigilantes Who Hack Back (The New Yorker)
Bring in the Nerds: EFF Introduces Actual Encryption Experts to U.S. Senate Staff (EFF)
Email Encryption Tools Are No Longer Safe, Researchers Say (Fortune)
Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw (EFF)
Once Again, Activists Must Beg the Government to Preserve the Right to Repair (Motherboard)
Widespread Misunderstanding of x86-64 Privileged Instruction Leads to Widespread Escalation Hazard (MITRE CVE 2018-8897)
Alexa and Siri Can Hear This Hidden Command Audio Attacks (NYTimes)
Buckle Up, Prime Members: Amazon Launches In-Car Delivery (Business Wire)
Meant to Monitor Inmates' Calls Could Track You Too (NYTimes)
Cell Phone Location data reportedly available to law enforcement without verification/process (Ars Technica)
During disasters, active Twitter users likely to spread falsehoods: Study examines Boston Marathon bombing, Hurricane Sandy; also finds most users fail to correct misinformation (Science Daily)
Face recognition police tools 'staggeringly inaccurate' (BBC.com)
Intel Documentation Blamed for Multiple Operating System Security Flaws (IT Pro)
The Problem with Chinese GPS (Now I Know)
U.S. identifies suspect in major leak of CIA hacking tools (WashPo)
Info on RISKS (comp.risks)

America continues to ignore the risks of election hacking (The New Yorker)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 7 May 2018 22:11:57 PDT
http://www.newyorker.com/news/news-desk/america-continues-to-ignore-the-risks-of-election-hacking

"America's voting systems are hackable in all kinds of ways. As a case
in point, in 2016, the Election Assistance Commission, the bipartisan
federal agency that certifies the integrity of voting machines, and
that will now be tasked with administering Congress's three hundred
and eighty million dollars, was itself hacked. The stolen data --
log-in credentials of EAC staff members -- were discovered, by chance,
by employees of the cybersecurity firm Recorded Future, whose
computers one night happened upon an informal auction of the stolen
passwords. “This guy -- we randomly called him Rasputin -- was in a
high-profile forum in the darkest of the darkest of the darkest corner
of the dark Web, where hackers and reverse engineers, ninety-nine per
cent of them Russian, hang out,” Christopher Ahlberg, the CEO of
Recorded Future, told me. “There was someone from another country in
the forum who implied he had a government background, and he wanted to
get his hands on this stuff. That's when we decided we would just buy
it.  So we did, and took it to the government” -- the U.S. government
-- “and the sale ended up being thwarted.” (Ahlberg wouldn't
identify which government agency his company had turned the data over
to. The EAC, in a statement, referred questions about “the
investigation or information shared with the government by Recorded
Future” to the FBI. The FBI, through a Justice Department
spokesperson, declined to comment.)"


Russia Tried to Undermine Confidence in Voting Systems, Senators Say (NYTimes)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 8 May 2018 22:00:18 PDT
http://www.nytimes.com/2018/05/08/us/politics/russia-2016-election-hackers.html


Virginia election officials assigned 26 voters to the wrong district (WashPo)

Monty Solomon <monty@roscom.com>
Mon, 14 May 2018 00:55:08 -0400
More than two dozen voters cast ballots in the wrong race. They were among
6,000 misassigned voters across the state.  It might've cost Democrats a
pivotal race.

http://www.washingtonpost.com/local/virginia-politics/voters-assigned-to-wrong-districts-may-have-cost-democrats-in-pivotal-virginia-race/2018/05/13/09a9dd8a-5465-11e8-a551-5b648abe29ef_story.html


Securing Elections

Bruce Schneier <schneier@schneier.com>
Tue, 15 May 2018 00:07:08 -0500
(PGN-excerpted from Bruce's CRYPTO-GRAM, 15 May 2018)

Elections serve two purposes. The first, and obvious, purpose is to
accurately choose the winner. But the second is equally important: to
convince the loser. To the extent that an election system is not
transparently and auditably accurate, it fails in that second purpose.
Our election systems are failing, and we need to fix them.

  [This is a long item, perhaps intended for non-RISKS readers.
  Nevertheless, it is highly relevant and timely.  The full article is at
    https://www.schneier.com/crypto-gram/
  PGN]


Australian Emergency Calls Fail due to lightning strike (ABC AU)

John Colville <John.Colville@uts.edu.au>
Sun, 6 May 2018 01:54:31 +0000
Calls to 000 (the Australian emergency phone number) failed to large areas of Australia on May 04 2018.

Government to investigate Telstra triple-0 outage after emergency calls go unanswered

http://www.abc.net.au/news/2018-05-04/telstra-triple-zero-outages-several-states-cable-damaged/9725860


Self-driving cars' shortcomings revealed in DMV reports (Merc)

Lauren Weinstein <lauren@vortex.com>
Thu, 3 May 2018 15:51:21 -0700
NNSquad
http://www.mercurynews.com/2018/05/01/self-driving-cars-shortcomings-revealed-in-dmv-reports/

  The disengagement reports themselves identify other problems some
  self-driving vehicles struggle with, for example heavy pedestrian traffic
  or poorly marked lanes.  In describing the events that caused their backup
  drivers to take the controls, the companies have provided a new window
  into the road-worthiness—or not—of their cars and systems.  Baidu, a
  Chinese Internet-search giant, reported a case in which a driver had to take
  over because of a faulty steering maneuver by the robot car; several cases
  of "misclassified" traffic lights; a failure to yield for cross traffic;
  delayed braking behind a car that cut quickly in front; drifting out of a
  lane; and delayed perception of a pedestrian walking into the street.


VW bugs: "Unpatchable" remote code pwnage (TechBeacon)

Gabe Goldberg <gabe@gabegold.com>
Sat, 12 May 2018 02:29:16 -0400
Two security researchers have excoriated Volkswagen Group for selling
insecure cars. As in: hackable-over-the-Internet insecure.

They broke into a recent-model VW and an Audi, via the cars' Internet
connections, and were able to jump from system to system, running arbitrary
code. Worryingly, they fully pwned the unauthenticated control bus connected
to some safety-critical systems—such as the cruise control.

But VW has no way to push updates to its cars, and won't alert owners to
visit a dealer for an update.

http://techbeacon.com/vw-bugs-unpatchable-remote-code-pwnage


Software bug led to death in Uber's self-driving crash (Ars Technica)

Lauren Weinstein <lauren@vortex.com>
Mon, 7 May 2018 15:27:41 -0700
NNSquad
http://arstechnica.com/tech-policy/2018/05/report-software-bug-led-to-death-in-ubers-self-driving-crash/

  The fatal crash that killed pedestrian Elaine Herzberg in Tempe, Arizona,
  in March occurred because of a software bug in Uber's self-driving car
  technology, The Information's Amir Efrati reported on Monday. According to
  two anonymous sources who talked to Efrati, Uber's sensors did, in fact,
  detect Herzberg as she crossed the street with her bicycle.
  Unfortunately, the software classified her as a "false positive" and
  decided it didn't need to stop for her.  Distinguishing between real
  objects and illusory ones is one of the most basic challenges of
  developing self-driving car software. Software needs to detect objects
  like cars, pedestrians, and large rocks in its path and stop or swerve to
  avoid them. However, there may be other objects—like a plastic bag in
  the road or a trash can on the sidewalk—that a car can safely ignore.
  Sensor anomalies may also cause software to detect apparent objects where
  no objects actually exist.

   [Also noted by Wendy Grossman: Classic case of where you set the
     positive/negative error rate tradeoffs in the classifier, but with the
     consequences amped up because it's a car on public roads, not a bit of
     software deciding between cats and giraffes: if you set the threshold
     too low the car stops (and jolts its passengers) for every plastic bag
     and shadow. If you set it too high...you get deaths.  I wouldn't really
     call that a bug; I'd call it an experimental error. So besides the
     risks inherent in deciding where you set the threshold, there's the
     risk of allowing companies like Uber to run their experiments on public
     roads.]


Deadly Convenience: Keyless Cars and Their Carbon Monoxide Toll (NYT)

Richard M Stein <rmstein@ieee.org>
Sun, 13 May 2018 13:35:53 -0700
The New York Times
http://mobile.nytimes.com/2018/05/13/business/deadly-convenience-keyless-cars-and-their-carbon-monoxide-toll.html

"It seems like a common convenience in a digital age: a car that can be
powered on and off with the push of a button, rather than the mechanical
turning of a key. But it is a convenience that can have a deadly effect.

"On a summer morning last year, Fred Schaub drove his Toyota RAV4 into the
garage attached to his Florida home and went into the house with the
wireless key fob, evidently believing the car was shut off. Twenty-nine
hours later, he was found dead, overcome with carbon monoxide that flooded
his home while he slept.  'After 75 years of driving, my father thought
that when he took the key with him when he left the car, the car would be
off,' said Mr. Schaub's son Doug."

Adoption of technological convenience carries transition risk. The article
discusses a wrongful death lawsuit boosted by internal Toyota memos that
discovered recommendations to integrate audible and visual warnings when
the engine remains active with no key fob inside the vehicle. This
recommendation was 86'd from implementation. Over 20 people have perished
from vehicle-generated CO poisoning since 2006.


The risk from robot weapons (via The Statesman/Asia News Network, published in The Straits Times)

Richard M Stein <rmstein@ieee.org>
Sun, 13 May 2018 16:34:51 -0700
http://www.straitstimes.com/asia/south-asia/the-risk-from-robot-weapons-the-statesman-contributor

'A letter warning against the coming race of these weapons was signed in
2015 by over 1,000 AI experts.'

'Peter Singer, an expert on future warfare at "New America", a think tank,
has said that very powerful forces propel the AI arms race - geopolitical
compulsions, scientific advances and profit-seeking high technology
companies.

'Scharre has also raised the possibility that perhaps because of badly
written codes or perhaps because of cyber attack by an adversary, military
use autonomous systems can malfunction, raising possibilities of attack on
people or soldiers on the same side, or escalating conflicts or killing to
unintended, highly exaggerated levels.'

Numerous public proclamations admonishing on AV weapon risks are
insufficient to deter investment and capability pursuit. There's apparently
too much momentum among businesses and governments to deflect this
juggernaut.

With the Manhattan Project, scientific leadership recognized the risks
nuclear weapons raised. Some scientists argued for a demonstration, rather
than deployment, to compel quick Japanese surrender. Nagasaki and Hiroshima
were destroyed to temporarily establish and project US nuclear hegemony as a
deterrent.

Aggressive international diplomacy among progressive governments might
negotiate a non-proliferation of autonomous weaponry treaty (NPAWT), like
the Treaty on the Non-Proliferation of Nuclear Weapons (NPT).  However,
an enforceable and verifiable treaty is unlikely to timely emerge given
historical human proclivity and myopia, despite empirical evidence that
argues for deliberate restraint and negotiation.

  [A timely reminder on the importance of negotiation to cut the risk of
  war can be found here
   (http://www.nytimes.com/2018/05/11/opinion/nuclear-doomsday-denial.html).]


Is technology bringing history to life or distorting it? (WashPo)

Richard M Stein <rmstein@ieee.org>
Sun, 13 May 2018 17:22:56 -0700
  *The Washington Post*

http://www.washingtonpost.com/news/retropolis/wp/2018/05/10/is-technology-bringing-history-to-life-or-distorting-it/

  "Whatever its shortcomings, the Kennedy speech is just the latest way that
  history is being digitally re-created, updated and manipulated as never
  before. From meticulously colorized photographs to immersive
  virtual-reality battlefields, scholars, artists and entrepreneurs are
  dragging the old days into the computer age. And scholastic standards are
  straining to keep up.

  "The U.S. Military Academy is working on a phone-based app along the lines
  of Pokemon Go that will let visitors see how George Washington's troops
  strung a massive iron chain across the Hudson River. A team in North
  Carolina has synthesized an important but unrecorded 1960 speech by Martin
  Luther King Jr., acoustically accurate down to the echoes in the Durham
  church."

Simulation capability has improved to the point where a political leader can
be used to construct a fictitious speech which appears authentic, with the
power to convince an enraptured audience. This capability, if exploited by
mendacious political entities, can accelerate democracy's decline.

Publication of false and misleading political speech, especially by elected
authorities, empowers authoritarianism. Current political discourse in the
US is heavy with misleading facts and falsehoods that confuse public
sentiment. This manipulation distracts attention from government's intent to
apparently conceal a hidden political agenda.  Exactly what the agenda is,
beyond "pay for play," is difficult to divine.

The introduction of bots applied for this purpose introduces an asymmetric
multiplier for dissembled political discourse. By the time a policy becomes
apparent through executive enforcement, the bots will have buried the policy
agenda into a messaging morass that will potentially overwhelm any
independent observer's (the free press) ability to analyze. The result is
likely to suppress litigation that thwarts ill-conceived public policy that
exclusively benefits "payers."


2,000 wrongly matched with possible criminals at Champions League (BBC AU)

Alberto Cammozzo <ac+nexa@zeromx.net>
Sat, 5 May 2018 11:51:07 +0200
(via Diego Latella)
http://www.bbc.com/news/uk-wales-south-west-wales-44007872

More than 2,000 people were wrongly identified as possible criminals by
facial scanning technology at the 2017 Champions League final in Cardiff.
South Wales Police used the technology as about 170,000 people were in
Cardiff for the Real Madrid v Juventus game.  But out of the 2,470 potential
matches with custody pictures - 92% - or 2,297 were wrong.

Chief Constable Matt Jukes said officers "did not take action" and no one
was wrongly arrested.

South Wales Police have made 450 arrests in the last nine months using the
automatic facial recognition (AFR) software, which scans faces comparing
them to about 500,000 custody images.

http://www.bbc.co.uk/news/technology-39735637


KRACK Wi-Fi vulnerability can expose medical devices, patient records (Osborne, R 30 68)

Wols Lists <antlists@youngman.org.uk>
Sun, 6 May 2018 15:15:31 +0100
Actually, I believe it exploits a flaw in the most common IMPLEMENTATION
of the protocol.

For security reasons, once the key has been checked the first time, the
recipient forgets it (over-writes it with 0s), so if the attacker can
interrupt the handshake at that point, they can resend a key of all zeros
and authenticate.

The receiver should either abort the handshake completely, or not
forget the key until the handshake is complete.
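
The key-handling flaw and the two fixes described in the post above, modelled as a small state machine. This is an added example, not code from the post or from any Wi-Fi implementation; the class, the policy names and the session key are constructed for illustration.

```python
ZERO_KEY = bytes(16)              # what a wiped 128-bit key buffer looks like
SESSION_KEY = bytes(range(1, 17)) # constructed sample key, not a real one

# Constructed event traces: "install" is the handshake message that tells the
# client to install the session key; a second "install" is a retransmission.
CLEAN = ["install", "complete"]
REPLAYED = ["install", "install", "complete"]


class Supplicant:
    """Client side of a key handshake, reduced to its key-handling state.

    policy:
      "flawed" - wipe the key right after the first install, reinstall on replay
      "abort"  - treat a replayed install message as fatal
      "retain" - keep the key in memory until the handshake is complete

    The model tracks only the key value; it does not model packet-number
    (nonce) state.
    """

    def __init__(self, policy, session_key):
        if policy not in ("flawed", "abort", "retain"):
            raise ValueError("unknown policy: %r" % policy)
        self.policy = policy
        self.key_buffer = bytearray(session_key)  # negotiated key held in RAM
        self.installed_key = None                 # key the link encrypts with
        self.install_count = 0
        self.aborted = False

    def wipe(self):
        for i in range(len(self.key_buffer)):
            self.key_buffer[i] = 0

    def on_install(self):
        if self.aborted:
            return
        replay = self.install_count > 0
        if replay and self.policy == "abort":
            # Fix 1 from the post: abort the handshake completely.
            self.aborted = True
            self.installed_key = None
            self.wipe()
            return
        # Install whatever is in the buffer. Under "flawed" the buffer is
        # already all zeros by the time a replayed message arrives.
        self.installed_key = bytes(self.key_buffer)
        self.install_count += 1
        if self.policy == "flawed":
            self.wipe()

    def on_complete(self):
        # Fix 2 from the post: the key is only forgotten here.
        if not self.aborted:
            self.wipe()


def simulate(policy, events, session_key=SESSION_KEY):
    """Feed an event trace to a fresh Supplicant and return its final state."""
    s = Supplicant(policy, session_key)
    for event in events:
        if event == "install":
            s.on_install()
        elif event == "complete":
            s.on_complete()
        else:
            raise ValueError("unknown event: %r" % event)
    return s


def zero_key_in_use(policy, events):
    """Regression check: does this policy end up encrypting with all zeros?"""
    return simulate(policy, events).installed_key == ZERO_KEY


if __name__ == "__main__":
    for policy in ("flawed", "abort", "retain"):
        print(policy, "zero key after replay:", zero_key_in_use(policy, REPLAYED))
```
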


Nigerian Email Scammers Are More Effective Than Ever (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sun, 6 May 2018 22:54:59 -0400
You would think that after decades of analyzing and fighting email spam,
there'd be a fix by now for the Internet's oldest hustle—the Nigerian
Prince scam. There's generally more awareness that a West African noble
demanding $1,000 in order to send you millions is a scam, but the underlying
logic of these "pay a little, get a lot" schemes, also known as 419
fraud, still ensnares a ton of people. In fact, groups of fraudsters in
Nigeria continue to make millions off of these classic cons. And they
haven't just refined the techniques and expanded their targets—they've
gained minor celebrity status for doing it.

http://www.wired.com/story/nigerian-email-scammers-more-effective-than-ever


Dark code (DW)

"Wendy M. Grossman" <wendyg@pelicancrossing.net>
Sun 6 May 2018 11:12:58 -0000
In the way of the TSB computing disaster (which DW has a long piece on the
legacy code that runs banking systems, so old that no one understands it any
more. The problem: you can't stay in business without updating, and updating
it breaks things.

Ellen Ullman has often written about this—see for example 1997's Close to
the Machine and her more recent sort-of-sequel.

http://m.dw.com/en/fail-by-design-bankings-legacy-of-dark-code/a-43645522


Postmortem of Fortnite Service Outage (Epic Games)

Monty Solomon <monty@roscom.com>
Sun, 6 May 2018 13:36:41 -0400
On 11 Apr 2018, we experienced an extended outage coinciding with the
release of Fortnite 3.5. The outage blocked all logins for all players to
our platform. We know many millions of you were excited about dropping from
the Battle Bus with your friends, and it was a long time to wait to check
out our 3.5 release. We sincerely apologize for the downtime.

We're sharing more technical details in this post to give you a better
understanding about what went wrong, what we did to fix it, and how we can
prevent future issues like this from happening again.

http://www.epicgames.com/fortnite/en-US/news/postmortem-of-service-outage-4-12


Collateral damage (538)

Mark Thorson <eee@dialup4less.com>
Sun, 6 May 2018 16:31:20 -0700
You can't opt out from other people sharing data about you, such as the
relative of the Golden State Killer who put DNA data on a website.

http://fivethirtyeight.com/features/you-cant-opt-out-of-sharing-your-data-even-if-you-didnt-opt-in/


Dozens of security cameras hacked in Japan (Mainichi)

George Mannes <gmannes@gmail.com>
Mon, 7 May 2018 16:16:28 -0400
from Mainichi.jp English-language site:
http://mainichi.jp/english/articles/20180507/p2g/00m/0dm/063000c#cxrecs_s

TOKYO (Kyodo)—Dozens of Canon Inc.'s security cameras connected to the
Internet have been hacked across Japan, making them uncontrollable at
waterways, a fish market, and a care facility among other places, users said
Monday.  Over 60 cameras nationwide are believed to have been illegally
accessed so far. ...

While it remains unclear why Canon cameras have been targeted, the city of
Yachiyo in Chiba Prefecture and the city of Ageo in Saitama Prefecture,
which lost control of the cameras for monitoring the levels of their
waterways, said they had failed to reset the cameras' default passwords.....

Hackings were also reported at other locations including a fish market in
Hiroshima, a care facility for the disabled in Kobe, and a Naha branch of a
company based in Saitama Prefecture....

[This news item seems custom-designed for a classic-style PGN joke linking
fishy business at the market, constant comp.risks complaints about poor
password management, and Hiroshima's hometown baseball team, the Carp. Have
at it.]

  [OK.  Carpe Diem?  I had dinner in Kobe's in Lahaina (Maui) last night.  I
  have no beef with this item, even if it might smell fishy.  “If you knew
  Sushi like I knew Sushi,” oh, whatta place...  “She shells seashells by
  the seashore.”  PGN]


Technology turns our cities into spies for ICE, whether we like it or not (LATimes)

Gabe Goldberg <gabe@gabegold.com>
Wed, 9 May 2018 23:53:49 -0400
There are more than 30 Oakland Police Department patrol cars roaming the
city with license plate readers, specialized cameras that can scan and
record up to 60 license plates per second. Meanwhile, the Alameda County
Sheriff's Office maintains a fleet of six drones to monitor crime scenes
when it sees fit. The Alameda County district attorney's office owns a
StingRay, a device that acts as a fake cell tower and forces phones to give
up their location. And that's just in one little corner of California.

Just as consumer electronics continually get faster, cheaper, smaller, and
more sophisticated, so too do the tools law enforcement uses to spy on
us. What once demanded significant money and manpower can be accomplished
easily by machine. This advanced technology is hurtling toward us so fast
that privacy laws can't keep up.

http://www.latimes.com/opinion/op-ed/la-oe-farivar-surveillance-tech-20180502-story.html


The Digital Vigilantes Who Hack Back (The New Yorker)

Gabe Goldberg <gabe@gabegold.com>
Sun, 6 May 2018 22:22:09 -0400
American companies that fall victim to data breaches want to retaliate
against the culprits. But can they do so without breaking the law?

http://www.newyorker.com/magazine/2018/05/07/the-digital-vigilantes-who-hack-back


Bring in the Nerds: EFF Introduces Actual Encryption Experts to U.S. Senate Staff (EFF)

Gabe Goldberg <gabe@gabegold.com>
Wed, 9 May 2018 23:57:31 -0400
Electronic Frontier Foundation

Earlier today in the U.S. Capitol Visitor Center, EFF convened a closed-door
briefing for Senate staff about the realities of device encryption. While
policymakers hear frequently from the FBI and the Department of Justice
about the dangers of encryption and the so-called Going Dark problem, they
very rarely hear from actual engineers, cryptographers, and computer
scientists. Indeed, the usual suspects testifying before Congress on
encryption are nearly the antithesis of technical experts.

The all-star lineup of panelists included Dr. Matt Blaze, professor of
computer science at the University of Pennsylvania; Dr. Susan Landau,
professor of cybersecurity and policy at Tufts University; Erik
Neuenschwander, Apple's manager of user privacy; and EFF's tech policy
director Dr. Jeremy Gillula.

http://www.eff.org/deeplinks/2018/05/bring-nerds-eff-introduces-actual-encryption-experts-us-senate-staff

  [Incidentally, this is the 20th anniversary of the famous L0pht testimony
  from Mudge's team, which immediately followed my testimony for the
  U.S. Permanent Subcommittee on Investigations of the Senate Committee on
  Governmental Affairs included in Weak Computer Security in Government: Is
  the Public at Risk?  <http://www.csl.sri.com/neumann/senate98.html>  PGN]


Email Encryption Tools Are No Longer Safe, Researchers Say (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Mon, 14 May 2018 15:06:45 -0400
Throughout the many arguments over encrypted communications, there has been
at least one constant: the venerable tools for strong email encryption are
trustworthy. That may no longer be true.

On Tuesday, well-credentialed cybersecurity researchers will detail what
they call critical vulnerabilities in widely-used tools for applying PGP/GPG
and S/MIME encryption. According to Sebastian Schinzel, a professor at the
Münster University of Applied Sciences in Germany, the flaws could reveal
the plaintext that email encryption is supposed to cover up—in both
current and old emails.

The researchers are advising everyone to temporarily stop using plugins for
mail clients like Microsoft Outlook and Apple Mail that automatically
encrypt and decrypt emails—at least until someone figures out how to
remedy the situation. Instead, experts say, people should switch to tools
like Signal, the encrypted messaging app that's bankrolled by WhatsApp
co-founder Brian Acton.

http://fortune.com/2018/05/14/email-encryption-tool-vulnerability-cybersecurity-warning/


Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw (EFF)

Dewayne Hendricks <dewayne@warpspeed.com>
Tue, May 15, 2018 at 12:38 AM
Erica Portnoy, Danny O'Brien, and Nate Cardozo, EFF, 14 May 2018
http://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0

Don't panic! But you should stop using PGP for encrypted email and switch
to a different secure communications method for now.

A group of researchers released a paper today that describes a new class of
serious vulnerabilities in PGP (including GPG), the most popular email
encryption standard. The new paper includes a proof-of-concept exploit that
can allow an attacker to use the victim's own email client to decrypt
previously acquired messages and return the decrypted content to the
attacker without alerting the victim. The proof of concept is only one
implementation of this new type of attack, and variants may follow in the
coming days.

Because of the straightforward nature of the proof of concept, the severity
of these security vulnerabilities, the range of email clients and plugins
affected, and the high level of protection that PGP users need and expect,
EFF is advising PGP users to pause in their use of the tool and seek other
modes of secure end-to-end communication for now.

Because we are awaiting the response from the security community of the
flaws highlighted in the paper, we recommend that for now you uninstall or
disable your PGP email plug-in. These steps are intended as a temporary,
conservative stopgap until the immediate risk of the exploit has passed and
been mitigated against by the wider community. There may be simpler
mitigations available soon, as vendors and commentators develop narrower
solutions, but this is the safest stance to take for now. Because sending
PGP-encrypted emails to an unpatched client will create adverse ecosystem
incentives to open incoming emails, any of which could be maliciously
crafted to expose ciphertext to attackers.

While you may not be directly affected, the other participants in your
encrypted conversations are likely to be. For this attack, it isn't
important whether the sender or the receiver of the original secret message
is targeted. This is because a PGP message is encrypted to both of their
keys.

At EFF, we have relied on PGP extensively both internally and to secure
much of our external-facing email communications. Because of the severity
of the vulnerabilities disclosed today, we are temporarily dialing down our
use of PGP for both internal and external email.

Our recommendations may change as new information becomes available, and we
will update this post when that happens.

How The Vulnerabilities Work

PGP, which stands for Pretty Good Privacy, was first released nearly 27
years ago by Phil Zimmermann. Extraordinarily innovative for the time, PGP
transformed the level of privacy protection available for digital
communications, and has provided tech-savvy users with the ability to
encrypt files and send secure email to people they've never met. Its strong
security has protected the messages of journalists, whistleblowers,
dissidents, and human rights defenders for decades. While PGP is now a
privately-owned tool, an open source implementation called GNU Privacy
Guard (GPG) has been widely adopted by the security community in a number
of contexts, and is described in the OpenPGP Internet standards document.

The paper describes a series of vulnerabilities that all have in common
their ability to expose email contents to an attacker when the target opens
a maliciously crafted email sent to them by the attacker. In these attacks,
the attacker has obtained a copy of an encrypted message, but was unable to
decrypt it.

The first attack is a direct exfiltration attack that is caused by the
details of how mail clients choose to display HTML to the user. The
attacker crafts a message that includes the old encrypted message. The
new message is constructed in such a way that the mail software
displays the entire decrypted message—including the captured
ciphertext—as unencrypted text. Then the email client's HTML parser
immediately sends or exfiltrates the decrypted message to a server
that the attacker controls.

The second attack abuses the underspecification of certain details in the
OpenPGP standard to exfiltrate email contents to the attacker by modifying
a previously captured ciphertext. Here are some technical details of the
vulnerability, in plain-as-possible language:

When you encrypt a message to someone else, it scrambles the information
into ciphertext such that only the recipient can transform it back into
readable plaintext.  But with some encryption algorithms, an attacker can
modify the ciphertext, and the rest of the message will still decrypt back
into the correct plaintext. This property is called malleability. This
means that they can change the message that you read, even if they can't
read it themselves.

To address the problem of malleability, modern encryption algorithms add
mechanisms to ensure integrity, or the property that assures the recipient
that the message hasn't been tampered with. But the OpenPGP standard says
that it's ok to send a message that doesn't come with an integrity check.
And worse, even if the message does come with an integrity check, there are
known ways to strip off that check. Plus, the standard doesn't say what to
do when the check fails, so some email clients just tell you that the check
failed, but show you the message anyway. ...

http://dewaynenet.wordpress.com/feed/
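
The malleability and integrity-check behaviour described in the article above, as an added example that is not from the EFF post or from any PGP implementation. It assumes a toy SHA-256 keystream cipher and an HMAC tag as stand-ins for OpenPGP's cipher mode and integrity check, and compares a client that shows the message despite a failed check with one that withholds it; all names and the sample message are constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16


def keystream(key, nonce, length):
    """Toy keystream: SHA-256(key || nonce || counter). Stand-in, not OpenPGP CFB."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(enc_key, mac_key, plaintext, with_tag=True):
    """Return {"body": nonce || ciphertext} plus an optional integrity tag."""
    nonce = os.urandom(NONCE_LEN)
    body = nonce + xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    msg = {"body": body}
    if with_tag:
        msg["tag"] = hmac.new(mac_key, body, hashlib.sha256).digest()
    return msg


def decrypt_body(enc_key, body):
    nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
    return xor(ct, keystream(enc_key, nonce, len(ct)))


def integrity_ok(mac_key, msg):
    """A missing tag counts as a failure, so stripping the check gains nothing."""
    tag = msg.get("tag")
    if tag is None:
        return False
    expected = hmac.new(mac_key, msg["body"], hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


class IntegrityError(Exception):
    pass


def lenient_receive(enc_key, mac_key, msg):
    """The behaviour the article criticises: report the failure, show it anyway."""
    return decrypt_body(enc_key, msg["body"]), integrity_ok(mac_key, msg)


def strict_receive(enc_key, mac_key, msg):
    """Hard fail: no plaintext leaves this function unless the check passes."""
    if not integrity_ok(mac_key, msg):
        raise IntegrityError("missing or invalid integrity tag; plaintext withheld")
    return decrypt_body(enc_key, msg["body"])


def tamper(msg, offset, old, new, strip_tag=False):
    """Constructed tampering for the demo: no key is used, only XOR on ciphertext."""
    body = bytearray(msg["body"])
    for i, (o, n) in enumerate(zip(old, new)):
        body[NONCE_LEN + offset + i] ^= o ^ n
    out = dict(msg, body=bytes(body))
    if strip_tag:
        out.pop("tag", None)
    return out


def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    original = b"Meet at 10:00 in room A"      # constructed sample message
    msg = encrypt(enc_key, mac_key, original)
    forged = tamper(msg, 8, b"10:00", b"23:59")
    stripped = tamper(msg, 8, b"10:00", b"23:59", strip_tag=True)

    results = {
        "lenient_forged": lenient_receive(enc_key, mac_key, forged),
        "lenient_stripped": lenient_receive(enc_key, mac_key, stripped),
        "strict_original": strict_receive(enc_key, mac_key, msg),
    }
    for name, m in (("strict_forged", forged), ("strict_stripped", stripped)):
        try:
            results[name] = strict_receive(enc_key, mac_key, m)
        except IntegrityError:
            results[name] = None               # nothing was released
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
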


Once Again, Activists Must Beg the Government to Preserve the Right to Repair (Motherboard)

Gabe Goldberg <gabe@gabegold.com>
Wed, 9 May 2018 23:50:09 -0400
The excruciating DMCA section 1201 exemption process is upon us again,
and the right to repair tractors, cars, and electronics is at stake.

http://motherboard.vice.com/en_us/article/mbxzyv/dmca-1201-exemptions


Widespread Misunderstanding of x86-64 Privileged Instruction Leads to Widespread Escalation Hazard (MITRE CVE 2018-8897)

Bob Gezelter <gezelter@rlgsc.com>
Thu, 10 May 2018 04:34:02 -0700
Apparently, a large number of kernel-level developers have misunderstood the
documentation concerning the interruptability of an x86-64 instruction. This
misunderstanding has made many major operating systems on the x86-64
platform vulnerable to a privilege escalation hazard.

Patches have reportedly been issued. Intel has also re-issued its x86-64
Software Development Manuals.

A description of the vulnerability can be found at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8897

  [For those of you following the CVE list, it has just exceeded 100,000 CVE
  entries.  This should be a warning for anyone reading RISKS who believes
  our computer systems are secure.  PGN]


Alexa and Siri Can Hear This Hidden Command Audio Attacks (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Thu, 10 May 2018 18:01:36 -0400
http://www.nytimes.com/2018/05/10/technology/alexa-siri-hidden-command-audio-attacks.html

Researchers can now send secret audio instructions undetectable to the human
ear to Apple's Siri, Amazon's Alexa and Google's Assistant.


Buckle Up, Prime Members: Amazon Launches In-Car Delivery (Business Wire)

Gabe Goldberg <gabe@gabegold.com>
Fri, 11 May 2018 11:15:06 -0400
Millions of Prime members with Chevrolet, Buick, GMC, Cadillac and Volvo
cars can now use Amazon Key to have their Amazon packages delivered inside
their vehicle parked at home, work or near other locations in their address
book.

In-car delivery is available at no extra cost for Prime members—customers
simply download the Amazon Key App, link to their connected car and start
ordering on Amazon.com; no additional hardware or devices required.

To get started, customers download the Amazon Key App and then link their
Amazon account with their connected car service account. Once setup is
complete and the delivery location has been registered, customers can shop
on Amazon.com and select the In-Car delivery option at checkout.

On delivery day, the Amazon Key App lets customers check if they've parked
within range of the delivery location, and provides notifications with the
expected 4-hour delivery time window. The App also notifies customers when
the delivery is on its way, and the package has been delivered. Customers
can track when their car was unlocked and relocked in the App's activity
feed, and rate their in-car delivery.

http://www.businesswire.com/news/home/20180424005509/en/Buckle-Prime-Members-Amazon-Launches-In-Car-Delivery


Meant to Monitor Inmates' Calls Could Track You Too (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Sat, 12 May 2018 02:30:18 -0400
http://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html

A company catering to law enforcement and corrections officers has raised
privacy concerns with a product that can locate almost anyone's cellphone
across the United States.


Cell Phone Location data reportedly available to law enforcement without verification/process (Ars Technica)

Bob Gezelter <gezelter@rlgsc.com>
Sat, 12 May 2018 06:38:12 -0700
Ars Technica is reporting that a service meant for use with prison phone
systems lacks authentication and safeguards. It has reportedly already been
used to track people without legal jurisdiction.

Access to non-anonymized geolocation data for mobile devices by third
parties is a serious privacy hazard. The article does not indicate the
degree of reporting or other measures undertaken to ensure accountability.
In this context, even advertising delivered to an identifiable device is a
hazard.

http://arstechnica.com/tech-policy/2018/05/senator-furious-at-polices-easy-ability-to-get-real-time-mobile-location-data/


During disasters, active Twitter users likely to spread falsehoods: Study examines Boston Marathon bombing, Hurricane Sandy; also

Gabe Goldberg <gabe@gabegold.com>
Sun, 13 May 2018 11:08:59 -0400
http://www.sciencedaily.com/releases/2018/05/180512190537.htm


"Warning: Dangerous Fake Emails About Google Privacy Changes"

Lauren Weinstein <lauren@vortex.com>
Sun, 13 May 2018 10:01:11 -0700
(Lauren's Blog)
http://lauren.vortex.com/2018/05/13/warning-dangerous-fake-emails-about-google-privacy-changes

If you use much of anything Google, by now you've likely gotten at least one
email from Google noting various privacy-related changes.  They typically
have the Subject:

    Improvements to our Privacy Policy and Privacy Controls

and tend to arrive not from the expected simple "google.com" domain but
rather from unusual appearing Google subdomains, with addresses like:

    privacy-noreply@www3.l.google.com

The notice also includes a bunch of links to various relevant privacy pages
and/or systems at Google.

All of this is in advance of the effective date for the European Union's
"GDPR" laws. If you're not familiar with the GDPR, it's basically the latest
hypocritical move by the EU on their relentless march toward dictating the
control of personal data globally and to further their demands to become a
global censorship czar—with the ability to demand the deletion of any
search engine results around the world that they find inconvenient. Joseph
Stalin would heartily approve.

One can assume that Google's privacy team has been putting in yeoman's
service to meet the EU's dictatorial demands, and it's logical that Google
decided to make other changes in their privacy ecosystem at the same time,
and now is informing users about those changes.

Unfortunately, phishing crooks are apparently already taking advantage of
this situation—in particular several aspects of these Google notification
emails.

First, the legitimate Google privacy emails going out recently and
currently are a veritable flood. It appears that Google is sending
these out to virtually every email address ever associated with any
Google account since perhaps the dawn of time. I've already received
approximately 1.3E9 of them. OK, not really that many, but it FEELS
like that many.

Some of these are coming in to addresses that I don't even recognize.
This morning one showed up to such a strange address that I had to go
digging in my alias databases to figure out what it actually was. It
turned out to be so ancient that cobwebs flew out of my screen at me
when I accessed its database entry.

Seriously, these are one hell of a lot of emails, and the fact that
they come from somewhat unusual looking google subdomains and include
links has made them fodder for the crooks.

You can guess what's happening. Phishing and other criminal types are
sending out fraudulent emails that superficially appear to be the same
as these legit Google privacy policy notification emails. Of course,
some or all of the links in the phishing emails lead not to Google but
to various evil traps and personal data stealing tricks.

So please, be extraordinarily careful when you receive what appear to be
these privacy notices from Google. With so many real ones going out—with
multiples often ending up at the same individual via various redirects and
forwarding addresses—it's easy for fake versions to slip in among the
real ones, and clicking on the links in the crooked ones or opening
attachments that they include can seriously ruin your day, to say the very
least.

Take care, all.


Face recognition police tools 'staggeringly inaccurate' (BBC.com)

Richard M Stein <rmstein@ieee.org>
Mon, 14 May 2018 18:12:34 -0700
http://www.bbc.com/news/technology-44089161

  'The Metropolitan Police used facial recognition at London's Notting Hill
  carnival in 2016 and 2017 and at a Remembrance Sunday event.  'Its system
  incorrectly flagged 102 people as potential suspects and led to no
  arrests.  'In figures given to Big Brother Watch, South Wales Police said
  its technology had made 2,685 "matches" between May 2017 and March 2018 -
  but 2,451 were false alarms.  'Big Brother Watch also raised concerns that
  photos of any "false alarms" were sometimes kept by police for weeks.'

Perhaps the UK should import and deploy PRC cameras per RISKS-30.65.


Intel Documentation Blamed for Multiple Operating System Security Flaws (IT Pro)

Gabe Goldberg <gabe@gabegold.com>
Tue, 15 May 2018 13:25:53 -0400
Anybody who's been involved with tech for a while has most likely come
across the expression "RTFM" on more than one occasion. Usually delivered
with a degree of snark, if not downright hostility, the initialism stands
for "read the ... manual," with an expletive added for good
measure. As is often pointed out, the advice is not only rude, it's also
often not helpful. Sometimes there is no documentation to read and if there
is, it's poorly written and difficult to understand.

The latter seems to be the case with CVE-2018-8897, the latest operating
system vulnerability.

On May 8, Nick Peterson of Everdox Tech and Nemanja Mulasmajic of
triplefault.io, made public a research paper that revealed all major
operating systems—Linux, Apple, Windows and BSD—to be affected by a
flaw that can allow authenticated users to read data in memory or control
low-level OS functions. The good news is that the researchers notified
software developers of the problem on April 30, and by the time it was made
public, patches were at the ready.

http://www.itprotoday.com/endpoint-security/intel-documentation-blamed-multiple-operating-system-security-flaw


The Problem with Chinese GPS (Now I Know)

Gabe Goldberg <gabe@gabegold.com>
Tue, 15 May 2018 17:52:40 -0400
If you're in a foreign country and try to read a map, you may find it
difficult—unless your host nation's language is the same as your home
nation's, the words are going to be different and, assuming you're not
bilingual, will require some translation. But the locations of the roads,
rivers, buildings, and the like should be the same, regardless of whether
the map is in English, Spanish, or Chinese, right? Language aside, Google
Maps should work the same everywhere, right?

Well, no.

http://nowiknow.com/the-problem-with-chinese-gps/


U.S. identifies suspect in major leak of CIA hacking tools (WashPo)

Monty Solomon <monty@roscom.com>
Tue, 15 May 2018 19:06:04 -0400
The former agency employee is being held in a Manhattan jail on unrelated
charges.

http://www.washingtonpost.com/world/national-security/us-identifies-suspect-in-major-leak-of-cia-hacking-tools/2018/05/15/5d5ef3f8-5865-11e8-8836-a4a123c359ab_story.html
