The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 78

Wednesday 1 August 2018

Contents

Facebook says it has uncovered a coordinated disinformation operation ahead of the 2018 midterm elections
WashPo
How Silicon Valley Became a Den of Spies
Zach Dorfman
Amazon Face Recognition Falsely Matches 28 Lawmakers With Mugshots, ACLU Says
Sam Levin
Deep Fakes: A Looming Challenge for Privacy, Democracy, and National Security
SSRN
The robot chemist that does its own research
bbc.com
How a Hacker Allegedly Stole Millions by Hijacking Phone Numbers
Motherboard
How Cryptojacking Can Corrupt the Internet of Things
Scientific American
Cyberinsurance
Rob Slade
Vaginal Laser Treatments Can Cause Burns and Scarring, the FDA Says
New York Times
Federal judge blocks posting of blueprints for 3-D printed guns hours before they were to be published.
WashPo
Re: "I hacked your webcam and have naughty videos of you" scam
Jose Maria Mateos
Re: The Ordinary License Plate's Days May Be Numbered
Amos Shapir
Re: Robo-calls are getting worse.
Chris Drewe
I did not say that
Dimitri Maziuk
Info on RISKS (comp.risks)

Facebook says it has uncovered a coordinated disinformation operation ahead of the 2018 midterm elections (WashPo)

Lauren Weinstein <lauren@vortex.com>
Tue, 31 Jul 2018 10:07:47 -0700
https://www.washingtonpost.com/technology/2018/07/31/facebook-says-it-has-uncovered-coordinated-disinformation-operation-ahead-midterm-elections/

  Facebook said Tuesday that it had discovered a sophisticated coordinated
  disinformation operation on its platform involving 32 false pages and
  profiles engaging in divisive messaging ahead of the U.S. midterm
  elections.  The social media company said that it couldn't tie the activity
  to Russia, which interfered on its platform around the 2016 presidential
  election. But Facebook said the profiles shared a pattern of behavior with
  the previous Russian disinformation campaign, which was led by a group
  with Kremlin ties called the Internet Research Agency.


How Silicon Valley Became a Den of Spies (Zach Dorfman)

Prashanth Mundkur <prashanth.mundkur@gmail.com>
Mon, 30 Jul 2018 13:03:52 -0700
Zach Dorfman, Politico, 27 Jul 2018
The West Coast is a growing target of foreign espionage. And it's not ready
to fight back.

https://www.politico.com/magazine/story/2018/07/27/silicon-valley-spies-china-russia-219071


Amazon Face Recognition Falsely Matches 28 Lawmakers With Mugshots, ACLU Says (Sam Levin)

ACM TechNews <technews-editor@acm.org>
Wed, 1 Aug 2018 11:47:23 -0400
Sam Levin, *The Guardian*, 26 July 2018, via ACM TechNews, 1 Aug 2018

A test of Amazon's facial recognition software incorrectly matched the faces
of 28 U.S. legislators to images in a mugshot database, with people of color
misidentified disproportionately, according to the American Civil Liberties
Union (ACLU). The organization assembled a face database and search tool
from 25,000 public arrest photos, then cross-referenced that data with
public photos of every member of Congress. Eleven of the misidentified
lawmakers were people of color, representing nearly 40% of those wrongly
matched, even though minorities comprise only 20% of those in Congress. Says
the ACLU Foundation of Northern California's Jacob Snow, "Our test
reinforces that face surveillance is not safe for government use." Amazon
said the test's results could "probably be improved" by increasing
"confidence thresholds."

http://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1c33ax21689cx072376%26

  [Lillie Coney reported: Amazon's facial-recognition tool misidentified 28
  lawmakers as people arrested for a crime, study finds
https://www.washingtonpost.com/amphtm/technology/2018/07/26/amazons-facial-recognition-tool-misidentified-lawmakers-people-arrested-crime-study-finds/
  PGN]


Deep Fakes: A Looming Challenge for Privacy, Democracy, and National Security (SSRN)

Jose Maria Mateos <chema@rinzewind.org>
Tue, 31 Jul 2018 13:01:16 -0400
Robert Chesney and Danielle Keats Citron (SSRN)
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=3213954

"Harmful lies are nothing new. But the ability to distort reality has taken
an exponential leap forward with *deep fake* technology. This capability
makes it possible to create audio and video of real people saying and doing
things they never said or did. Machine learning techniques are escalating
the technology's sophistication, making deep fakes ever more realistic and
increasingly resistant to detection. Deep-fake technology has
characteristics that enable rapid and widespread diffusion, putting it into
the hands of both sophisticated and unsophisticated actors."

Academic paper, very in-depth exploration of the underlying issues.


The robot chemist that does its own research (bbc.com)

Richard M Stein <rmstein@ieee.org>
Wed, 01 Aug 2018 17:23:56 +0800
https://www.bbc.co.uk/news/uk-scotland-44872432

  "When the robot had been trained for about 10% of all the tasks, it then
  was able to predict, without the human being, which experiments it should
  do next."

  "Writing in the journal Nature, Prof Cronin's team say the robot has
  already synthesised more than 1,000 new chemicals and reactions,
  including one with a distinctive 3D structure that is among the top 1%
  most "peculiar" molecules yet known."

  "The team says the robot's predictions have so far proved 80% accurate.
  It'll learn to do better."

Wonder if the chembot can determine if a hypergolic reaction will arise, and
safely abort?  [hyperbolic?  hyperlogic?  hypergolem?  PGN]


How a Hacker Allegedly Stole Millions by Hijacking Phone Numbers (Motherboard)

Lauren Weinstein <lauren@vortex.com>
Mon, 30 Jul 2018 11:16:51 -0700
via NNSquad
https://motherboard.vice.com/en_us/article/a3q7mz/hacker-allegedly-stole-millions-bitcoin-sim-swapping

  California authorities say a 20-year-old college student hijacked more
  than 40 phone numbers and stole $5 million, including some from
  cryptocurrency investors at a blockchain conference Consensus.


How Cryptojacking Can Corrupt the Internet of Things (Scientific American)

Richard M Stein <rmstein@ieee.org>
Tue, 31 Jul 2018 22:45:04 +0800
IoT devices hijacked for crypto-currency mining purposes.

https://www.scientificamerican.com/article/how-cryptojacking-can-corrupt-the-internet-of-things/


Cyberinsurance

Rob Slade <rmslade@shaw.ca>
Tue, 31 Jul 2018 16:57:32 -0700
Still need convincing that cyberinsurance (computer loss insurance, data
breach insurance, whatever) is a bad idea?

Talk to National Bank of Blacksburg.
https://slate.com/technology/2018/07/cyberinsurance-company-refuses-to-pay-out-full-amount-to-bank-after-hacking.html
or https://is.gd/PTbH3F

Executives had had the foresight to purchase insurance, actually a rider,
against computer and electronic crime.  The bank had two breaches, one in
2016, and one again the following year, for a total loss of 2.4 million
dollars.

The insurer, Everest National Insurance Co., offered $50,000 as settlement.

The insurer claims that the loss was a debit card loss, even though malware
was installed on a bank server via a phishing attack.  ATMs and cards were
used, but only a lawyer could make that kind of claim.  That's why insurance
companies employ lots of lawyers.

If you read the details of the article, it sounds very likely that the
insurer will win and the bank will lose.  I'm unsurprised: this kind of
weaseling by insurance companies is exactly the type of thing I've been
thinking in regard to cyberinsurance since I first heard of the idea thirty
years ago.


Vaginal Laser Treatments Can Cause Burns and Scarring, the FDA Says (New York Times)

Richard M Stein <rmstein@ieee.org>
Tue, 31 Jul 2018 12:14:08 +0800
https://www.nytimes.com/2018/07/30/health/vaginal-laser-fda.html

  "The F.D.A. said the full extent of the risks is unknown, but that
  the agency has found cases of vaginal burns, scarring, and lasting
  pain following the treatments. The agency has received 14 reports of
  adverse events related to the treatments, including burning
  sensations and significant pain."

Off-label use of an infra-red laser (probably CO2) for cosmetic surgery.
Not a "Therac-25," but a nasty 3rd-degree burn can arise if the dosage
editor malfunctions, or if treatment is improperly administered.


Federal judge blocks posting of blueprints for 3-D printed guns hours before they were to be published. (WashPo)

Monty Solomon <monty@roscom.com>
Tue, 31 Jul 2018 22:41:24 -0400
U.S. District Judge Robert Lasnik in Seattle issued the order Tuesday.
Several state attorneys general on Monday filed a lawsuit in the Western
District of Washington against Defense Distributed, the Second Amendment
Foundation, the State Department and other federal agencies regulating
weapons.  The filing requested a nationwide injunction. [...]

https://www.washingtonpost.com/news/morning-mix/wp/2018/07/31/in-last-minute-lawsuit-states-say-3-d-printable-guns-pose-national-security-threat/


Re: "I hacked your webcam and have naughty videos of you" scam

Jose Maria Mateos <chema@rinzewind.org>
Mon, 30 Jul 2018 17:48:42 -0400
The blackmailing scam consisting of hacking a user's webcam while he or she
is interacting with pornographic material and threatening to publish the
recordings unless a payment is made has not only been reported in the past
([1, 2]) but has inspired some recent fiction works (Black Mirror - "Shut up
and dance").

We have also seen the next iteration of this scam, in which, while no
recording is available, the attacker tries to fool the victim by offering a
recognizable password, and implying that a hacking operation took place
([3]).

I wonder if we are yet to see another step further: from having the
recording, to pretending to have the recording, to being able to fool the
victim's contacts and make *them* believe a recording is available. I can
only expect this to happen as the skills and technologies for this attack
become readily available at scale:

1. Find victim.
2. Obtain pictures and videos from the public Facebook database.
3. Generate a *deepfakes* video of the kind mentioned above.
4. Proceed with the blackmailing scam as before, now armed with a
   recording that, while not legit, might look as such to third parties.

[1]
https://www.computerweekly.com/news/2240209018/US-teen-hacker-pleads-guilty-to-webcam-blackmail
[2]
https://arstechnica.com/tech-policy/2016/11/webcam-blackmail-cases-double-uk-suicides/
[3]
https://www.schneier.com/blog/archives/2018/07/reasonably_clev.html


Re: The Ordinary License Plate's Days May Be Numbered (RISKS-30.77)

Amos Shapir <amos083@gmail.com>
Tue, 31 Jul 2018 18:09:53 +0300
"When the vehicle is parked, businesses can display advertisements on the
plate, even targeting a vehicle's particular location because the plate is
connected to GPS."

Let me get that right: This device enables third parties (possibly without
the owner's control) to change the car's license plate—which is
essentially its legal identity!

If you thought license-plate readers were a problem, how about remote
license-plate writers?  (Besides GPS tracking, which is a rather old issue
by now.)

This is not a matter of "What could possibly go wrong" any more; everything
just did!


Re: Robo-calls are getting worse. (Jeff Jonas, RISKS-30.76)

Chris Drewe <e767pmk@yahoo.co.uk>
Wed, 01 Aug 2018 22:27:15 +0100
About 5-10 years ago I was deluged by annoying junk telephone calls, so did
what a lot of people do and got a simple answering machine and let this take
all calls.  If I want to speak to the caller I pick up the phone, and if
not, I don't; my regular callers know this.  It's also handy for taking
messages if I can't get to the phone.  :o)

I have to declare an interest here as I used to work in telecomms, so those
**** are at least paying for their calls answered by my machine and thus
helping to support my previous employer's pension fund...  Strangely, the
number of calls has greatly reduced in recent years; I don't know if this is
due to stricter regulations nowadays (junk callers have to maintain opt-in
lists), or if it's just a symptom of landline phones no longer being
considered as mainstream communications.


I did not say that (Re: Fenichel, RISKS-30.77)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Mon, 30 Jul 2018 15:19:01 -0500
> Dmitri Maziuk says "I'm not quite sure what makes med AI coders so
> different" from medical researchers,

No, I didn't.

I never said that and I would like this and every subsequent RISKS issue
referencing that thread to prominently feature the phrase

  'Dmitri Maziuk never said "I'm not quite sure what makes med AI coders so
  different from medical researchers".'

Because while I have said and done plenty of seriously dumb things in my
life, this one is way too idiotic even for me.
