The RISKS Digest
Volume 30 Issue 87

Friday, 19th October 2018

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Election Integrity
The New Yorker Radio Hour
Election Security
Paul Burke
"US voter records from 19 states sold on hacking forum"
ZDNet
Cyber Tests Showed 'Nearly All' New Pentagon Weapons Vulnerable to Attack, GAO Says
NPR
US weapons systems can be 'easily hacked'
BBC News
"Why Internet Tech Employees Are Rebelling Against Military Contracts"
Lauren Weinstein
Sky battles: Fighting back against rogue drones
bbc.com
"Autonomous cars on US roads with no brake pedals, steering wheels just edged closer"
ZDNet
Why you have (probably) already bought your last car
bbc.com
Ford tests technology that could render traffic lights obsolete
autoblog.com and ieee.org
Amazon Atlas
Gabe Goldberg
Turkey obtains recordings of Saudi journalist's purported killing
Yahoo
Apple VoiceOver iOS vulnerability permits hacker access to user photos
Charlie Osborne
Code Signing: Did Someone Hijack Your Software?
Forbes
When Your Boss Is an Algorithm
The New York Times
Facebook's former security chief warns of plan to help solve negative impacts
WashPost
The Eight Best Smart Plugs to Buy in 2018
Lifewire
The impending war over deepfakes
Axios
What the heck is it with Windows updates?
Computerworld
Proof-of-concept code published for Microsoft Edge remote code execution bug
ZDNet
Donald Daters
Naked Security
Paramedic agrees Apple Watch Series 4 will save lives; false positives not a problem
9to5Mac
Genome Researchers Show No One's DNA Is Anonymous Anymore
Megan Molteni
Algorithms Designed to Fight Poverty Can Actually Make It Worse
Scientific American
Researcher finds simple way of backdooring Windows PCs and nobody notices for ten months
ZDNet
Experian credit freeze unfrozen by hackers?
Veridium
DC Think Tank Used Fake Social Media Accounts, A Bogus Expert, And Fancy Events To Reach The NSA, FBI, And White House
BuzzfeedNews
I fell for Facebook fake news. Here's why millions of you did, too.
WashPost
Jury duty
Rob Slade
Re: Molecule resonance and cellphone radiation
Richard Stein
Re: Fwd: NYTimes: The Auto Industry's VHS-or-Betamax Moment?
Gabe Goldberg
Re: innumeracy, or More than 250 people worldwide have died taking selfies
John R. Levine
Info on RISKS (comp.risks)

Election Integrity (The New Yorker Radio Hour)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 15 Oct 2018 11:46:47 PDT
I happened to hear Susan Greenhalgh being interviewed by Logan Lamb on *The
New Yorker Radio Hour* on NPR on 13 Oct.  She did a superb job of
summarizing the risks associated with elections.

https://www.wnycstudios.org/story/voting-safe-pod

Also, see Kim Zetter and Denise Merrill on NPR.
http://www.wnpr.org/post/we-may-have-crisis-brewing-security-our-electronic-voting-machines


Election Security

Paul Burke <box1320@gmail.com>
Wed, 10 Oct 2018 08:08:31 -0400
Kim Zetter's article in *The New York Times* (26 Sep 2018) recommends paper
ballots and better security for election machines. Fine, but not a solution.
Counting millions of paper ballots in thousands of locations is not secure
or affordable. Better machine security won't find or stop all bugs, insider
risks, or serious adversaries using zero-days.

  [Machine-readable paper ballots seem to be widely preferred by people with
  an understanding of the risks.  The point has long been noted that
  proprietary direct-recording devices with no paper trail are not an
  adequate solution; even with a voter-verified paper trail they are
  problematic.  PGN]

The following articles recommend security by having multiple officials
re-tally ballots, using independent machines and software. Each re-tally
makes it harder for bugs, insiders and hackers to hide. Scans make
re-tallies cheap, and risk-limiting audits can check the scans' accuracy.

Every jurisdiction can do plenty of checking now, without waiting for
improved election machines.

http://CitizenOversight.blogspot.com/2018/09/whos-counting-our-paper-ballots.html

*Journal of Physical Security*, "Scanners, Hashes and Election Security"
http://rbsekurity.com/JPS%20Archives/JPS%2011(1).pdf


"US voter records from 19 states sold on hacking forum" (ZDNet)

Gene Wirchenko <genew@telus.net>
Mon, 15 Oct 2018 19:45:16 -0700
Catalin Cimpanu for Zero Day | 15 Oct 2018
Seller is asking $42,200 for all 19 US state voter databases.
https://www.zdnet.com/article/us-voter-records-from-19-states-sold-on-hacking-forum/

The voter information for approximately 35 million US citizens is being
peddled on a popular hacking forum, two threat intelligence firms have
discovered. ...  The two companies said they've reviewed a sample of the
database records and determined the data to be valid with a "high degree of
confidence."


Cyber Tests Showed 'Nearly All' New Pentagon Weapons Vulnerable to Attack, GAO Says (NPR)

ACM TechNews <technews-editor@acm.org>
Fri, 12 Oct 2018 12:43:00 -0400
Bill Chappell, National Public Radio (10/09/18), via ACM TechNews,
  12 Oct 2018
https://www.npr.org/2018/10/09/655880190/cyber-tests-showed-nearly-all-new-pentagon-weapons-vulnerable-to-attack-gao-says

Most of the U.S. Department of Defense's (DoD) newest weapons systems are
plagued by security issues, including passwords that took seconds to guess
or were never changed from their factory settings, and cyber vulnerabilities
that were known but never corrected, according to a new Government
Accountability Office report. The study found the Pentagon is "just
beginning to grapple with" the scale of the vulnerabilities to its weapons
systems.  Analysis of data from cybersecurity tests conducted on DoD weapons
systems from 2012 to 2017 found that, by using simple tools and techniques,
malefactors could hijack systems and largely operate undetected because of
basic vulnerabilities. DoD researchers also interviewed cybersecurity
officials, analyzing how the systems are protected and their responses to
attacks. The report cited "widespread examples of weaknesses in each of the
four security objectives that cybersecurity tests normally examine: protect,
detect, respond, and recover."

  [See also the GAO report:
Weapon Systems Cybersecurity: DoD Just Beginning to Grapple with Scale of
Vulnerabilities, GAO, 9 Oct 2018
https://www.gao.gov/products/GAO-19-128
  and
New U.S. Weapons Systems Are a Hackers' Bonanza, Investigators Find
Authorized hackers needed only hours to break into weapons systems the
Pentagon is acquiring, and in many cases teams developing the systems were
oblivious to the hacking.
https://www.nytimes.com/2018/10/10/us/politics/hackers-pentagon-weapons-systems.html
The entire 50-page report is at https://www.gao.gov/assets/700/694913.pdf .
  PGN]


US weapons systems can be 'easily hacked' (BBC News)

Gabe Goldberg <gabe@gabegold.com>
Fri, 12 Oct 2018 00:13:02 -0400
[...] That includes the newest F-35 jet as well as missile systems.

The report's main findings were:

* The Pentagon did not change the default passwords on multiple weapons
  systems - and one changed password was guessed in nine seconds.
* A team appointed by the GAO was able to easily gain control of one weapons
  system and watch in real time as the operators responded to the hackers.
* It took another two-person team only one hour to gain initial access to a
  weapons system and one day to gain full control.
* Many of the test teams were able to copy, change or delete system data
  with one team downloading 100 gigabytes of information.

https://www.bbc.com/news/technology-45823180


"Why Internet Tech Employees Are Rebelling Against Military Contracts"

Lauren Weinstein <lauren@vortex.com>
Mon, 15 Oct 2018 09:30:57 -0700
via NNSquad
https://lauren.vortex.com/2018/10/15/why-internet-tech-employees-are-rebelling-against-military-contracts

Of late we've seen both leaked and open evidence of many employees at
Internet tech firms in the U.S. rebelling against their firms participating
in battlefield systems military contracts, mostly related to cloud services
and AI systems.

Some reactions I've seen to this include statements like "those employees
are unpatriotic and aren't true Americans!" and "if they don't like the
projects they should just quit the firms!" (the latter as if everybody with
a family was independently wealthy).

Many years ago I faced similar questions. My work at UCLA on the early
ARPANET (a Department of Defense project) was funded by the military, but
was research, not a battlefield system. A lot of very important positive
research serving the world has come from military funding over the years and
centuries.

When I was doing similar work at RAND, the calculus was a bit more complex
since RAND's primary funding back then was also DOD, but RAND provided
analytical reports to decision makers, not actual weapons systems. And RAND
had a well-earned reputation of speaking truth to power, even when that
truth was not what the power wanted to hear. I liked that.

But what's happening now is different. The U.S. military is attempting to
expand its traditional "military-industrial" complex (so named during a
cautionary speech by President Eisenhower in 1961) beyond the traditional
defense contractors like Boeing, Lockheed, and Raytheon.

The new battle systems procurement targets are companies like Google,
Amazon, and Microsoft.

And therein lies the root of the problem.

Projects like Maven and JEDI are not simply research. They are active
battlefield systems. JEDI has been specifically described by one of its top
officials as a program aimed at "increasing the lethality of our
department."

When you sign on for a job at any of the traditional defense contractors,
you know full well that battlefield operational systems are a major part of
the firms' work.

But when you sign on at Google, or Microsoft, or Amazon, that's a different
story.

Whether you're a young person just beginning your career, or an old-timer
long engaged in Internet work, you might quite reasonably expect to be
working on search, or ads, or networking, or a thousand other areas related
to the Net—but you probably did not anticipate being asked or required to
work on systems that will actually be used to kill people.

The arguments in favor of these new kinds of lethal systems are well
known. For example, they're claimed to replace soldiers with AI and make
individual soldiers more effective. In theory, fewer of our brave and
dedicated volunteer military would be injured or killed. That would be great
-- if it were truly accurate and the end of the story.

But it's not. History teaches us that with virtually every advance in
operational battlefield technology, there are new calls for even more
military operations, more "interventions," more use of military power.  And
somehow the promised technological advantages always seem to be largely
canceled out in the end.

So one shouldn't wonder why Google won't renew their participation in Maven,
and has now announced that they will not participate in JEDI—or why many
Microsoft employees are protesting their own firm's JEDI participation.

And I predict that we're now only seeing the beginnings of employees being
unwilling to just "go along" with working on lethal systems.

The U.S. military has made no secret of the fact that they see cloud
environments, AI, robotics, and an array of allied high technology fields as
the future of lethal systems going forward.

It's obvious that we need advanced military systems at least for defensive
purposes in today's world. But simply assuming that employees at firms that
are not traditional defense contractors will just "go along" with work on
lethal systems would be an enormous mistake. Many of these employees are
making much the same sorts of personal decisions as I did long ago and have
followed throughout my life, when I decided that I would not work on such
systems.

The sooner that DOD actually understands these realities and recalibrates
accordingly, the better.


Sky battles: Fighting back against rogue drones (bbc.com)

Richard Stein <rmstein@ieee.org>
Mon, 15 Oct 2018 07:55:51 +0800
https://www.bbc.com/news/business-45824096

Risk: Drone-seeking capture munitions accidentally target low-flying piloted
air vehicles, like traffic observation or police helicopters.


"Autonomous cars on US roads with no brake pedals, steering wheels just edged closer" (ZDNet)

Gene Wirchenko <genew@telus.net>
Thu, 11 Oct 2018 21:50:48 -0700
  [I so love the smell of a live beta in the morning ...]

Liam Tung | October 10, 2018
US paves the way for new rules catering to autonomous vehicles without human
controls.

https://www.zdnet.com/article/autonomous-cars-on-us-roads-with-no-brake-pedals-steering-wheels-just-edged-closer/

opening text:

Road users in the US may soon see self-driving cars without human controls
under a pilot program proposed by the US National Highway Traffic Safety
Administration (NHTSA).

The agency is seeking public feedback on a proposed pilot to test vehicles
"that lack controls for human drivers and thus may not comply with all
existing safety standards" and do so in real-world scenarios, it said in a
document released Thursday.


Why you have (probably) already bought your last car (bbc.com)

Richard Stein <rmstein@ieee.org>
Fri, 12 Oct 2018 09:45:56 +0800
https://www.bbc.com/news/business-45786690

"The company's exponential growth is evidence of how powerful the Uber
business model is.

"Now take out the driver. You've probably cut costs by at least 50%."

And take out pedestrians. Interesting to watch insurance companies and AV
manufacturers, with a helping handout to politicians, compete for favorable
legislation that enables and promotes a silicon-based, AV supreme
environment that indemnifies liability.

Some businesses, lobbyists, and politicians are literally banking on the
idea that the public will become inured to silicon-based AV fatalities and
injuries. Stephen King's "Christine" was a harbinger for this outcome.

The foundation to suppress incident reporting already exists within the
bureaucracy. All that's missing are the "Red Asphalt" streets and wealth
transferred to the few indemnified purveyors and operators of AVs at the
expense of public health.

Oh wait...that situation, courtesy of carbon-based vehicle operators, is
manifest, so what's the AV ruckus all about? In a single symbol: $.


Ford tests technology that could render traffic lights obsolete (autoblog.com and ieee.org)

Richard Stein <rmstein@ieee.org>
Tue, 16 Oct 2018 10:42:15 +0800
https://www.autoblog.com/2018/10/14/ford-v2v-technology-eliminate-traffic-lights/

An enabler for autonomous vehicle transport ecosystems, "smart
intersections" apparently eliminate traffic signals, and instead substitute
V2V (vehicle-to-vehicle) communications to avoid collisions or even require
a full stop before safely proceeding.

Discussion of "virtual traffic light" technology is fortuitously
published here:
https://spectrum.ieee.org/ns/Blast/Oct18/10_Spectrum_2018_INT.pdf
(pps 25-29).

RISKS reports several intersection control incidents: signaling device
overrides for emergency vehicle right-of-way
(https://catless.ncl.ac.uk/Risks/18/94#subj5.1)
(https://catless.ncl.ac.uk/Risks/24/26#subj7.1)

Perhaps a pedestrian cellphone app, a V2H or H2V (human-to-vehicle) will be
available from the motor vehicle department? Will a "California Stop"
finally be legalized?  (see
https://www.urbandictionary.com/define.php?term=california%20stop)


Amazon Atlas

Gabe Goldberg <gabe@gabegold.com>
Fri, 12 Oct 2018 16:04:07 -0400
11 October 2018, WikiLeaks publishes a "Highly Confidential" internal
document from the cloud computing provider Amazon. The document from late
2015 lists the addresses and some operational details of over one hundred
data centers spread across fifteen cities in nine countries. To accompany
this document, WikiLeaks also created a map showing where Amazon's data
centers are located.  ...[t]his came with skepticism that it's really
secret, noting that such data centers can be found in other ways. Pushback
to that said yeah—by region but not by address. Of course, in Ashburn VA
-- throw a rock, hit a data center.

https://wikileaks.org/amazon-atlas/map/


Turkey obtains recordings of Saudi journalist's purported killing (Yahoo)

Jose Maria Mateos <chema@rinzewind.org>
Sat, 13 Oct 2018 08:02:42 -0400
This is some cyberpunk stuff:

"The moments when Khashoggi was interrogated, tortured and murdered were
recorded in the Apple Watch's memory," the paper said, adding that the
watch had synched with his iPhone, which his fiancée was carrying outside
the consulate.

https://www.yahoo.com/news/turkey-obtains-recordings-saudi-journalists-purported-killing-paper-081631331--sector.html


Apple VoiceOver iOS vulnerability permits hacker access to user photos (Charlie Osborne)

Gene Wirchenko <genew@telus.net>
Tue, 16 Oct 2018 19:21:08 -0700
Charlie Osborne for Zero Day | 15 Oct 2018
The bug can be exploited to gain access to photos stored on a user's device.
https://www.zdnet.com/article/apple-voiceover-iphone-vulnerability-permits-access-to-user-photos/


Code Signing: Did Someone Hijack Your Software? (Forbes)

Gabe Goldberg <gabe@gabegold.com>
Fri, 12 Oct 2018 00:11:31 -0400
https://www.forbes.com/sites/forbestechcouncil/2018/10/09/code-signing-did-someone-hijack-your-software/


When Your Boss Is an Algorithm (The New York Times)

Gabe Goldberg <gabe@gabegold.com>
Sat, 13 Oct 2018 16:23:48 -0400
There are nearly a million active Uber drivers in the United States and
Canada, and none of them have human supervisors. It's better than having a
real boss, one driver in the Boston area told me, "except when something
goes wrong."

When something does go wrong, Uber drivers can't tell the boss or a
co-worker.  They can call or write to `community support', but the results
can be enraging. Cecily McCall, an African-American driver from Pompano
Beach, Fla., told me that a passenger once called her `dumb' and `stupid',
using a racial epithet, so she ended the trip early. She wrote to a support
rep to explain why and got what seemed like a robotic response: "We're
sorry to hear about this. We appreciate you taking the time to contact us
and share details."

The rep offered not to match her with that same passenger again.  Disgusted,
Ms. McCall wrote back, "So that means the next person that picks him up he
will do the same while the driver gets deactivated" -- fired by the
algorithm -- because of a low rating or complaint from an angry
passenger. "Welcome to America."

https://www.nytimes.com/2018/10/12/opinion/sunday/uber-driver-life.html


Facebook's former security chief warns of plan to help solve negative impacts (WashPost)

Richard Stein <rmstein@ieee.org>
Thu, 18 Oct 2018 17:04:12 +0800
https://www.washingtonpost.com/technology/2018/10/16/facebooks-former-security-chief-warns-techs-negative-impacts-has-plan-help-solve-them

Dr. Strangelove had a plan too...

Stamos proposes establishing "The Stanford Internet Observatory," a forum to
debate and assess technology's potential downsides, but behind The Hoover
Institution's closed doors.  "The Hoover Institution seeks to improve the
human condition by advancing ideas that promote economic opportunity and
prosperity, while securing and safeguarding peace for America and all
mankind."  https://www.hoover.org/library-archives/about/our-mission

If the technology is classified, closed doors are essential to protect
national security. Technology for-profit that potentially jeopardizes public
health, safety, or institutional trust mandates transparent discussion to
reveal risks, and assess mitigation prior to deployment.

Would the Observatory disclose findings that dissuade future investments
into, or deployment of injurious, capriciously governed, and exploitable
technology that promotes addiction, weakens democracy, but generates
"boxcar" investor returns?

Public injury is one technological downside that has been neglected for too
long. Jurisprudence offers a certain remedy to redress injury.

Contractual liability exemptions proliferate, especially for technology
(principally stacks of software). An indemnification privilege/right often
appears in user license agreements.  https://policies.google.com/terms and
search for "indemnify" for example.

Restrict indemnification from user contracts/licenses, and the business
incentive to publish stacks that injure persons, property, or public trust,
though unintentional, will diminish. Few organizations possess sufficient
confidence or maturity to publish software without it.

One possible alternative to the indemnification privilege might be for a
software publisher to voluntarily disclose, for independent inspection,
certain software life cycle collateral: Test plans, test results, defect
logs, COTS or open source dependencies, product risk and mitigation
registry, etc. can provide valuable insight into the organizational rigor
applied to qualify publication viability or fitness.

An informed body of experts, a technology publication viability board
(TPVB), can independently assess release readiness and provide an opinion of
production software life cycle maturity, compare the product to known Common
Vulnerabilities and Exposures (CVE) records, and offer guidance or a rating
about potential public impact prior to publication deployment.

A TPVB enfranchised as a public, non-profit, conflict-free rating agency can
offer an assessment based on evidence of publication merit that exceeds a
business' motive to release at all costs and subject to their license terms
and conditions. No bureaucrats on the TPVB. These investigators must possess
exceptional interdisciplinary software, hardware, and triage skills. Funding
might be derived from a flat corporate tax based on product usage
consumption and public impact, ecosystem size deployment, or stack
complexity.

Questions to ask about a TPVB:

Would the TPVB be similar to the rating agencies that were "shopped" by Wall
Street bond sellers, a key contributor to the 2008 financial crisis? How to
suppress institutional corruption, manipulation, and preserve TPVB
independence and integrity?

What would be the TPVB's mission scope, priorities, and governing
parameters? How do existing or forecast user base/audience or access size,
license price, deployment target by industry or economic segment: critical
infrastructure, transportation, public service/elections/entitlements,
entertainment/gaming, medical/hospital/life critical, etc. apply to TPVB's
operation and mandate?

Would TPVB grant rating exemptions for "grandfathered" stacks or ecosystems,
like OS360 or legacy stacks like a Fortran II compiler?

What standards and industry best practices should the TPVB apply for
stack/ecosystem evaluation? What weights should be assigned to any
evaluation factors given the stack's stated business purpose? What
evaluation factors would represent public interest, health, safety or be
relevant for institutional trust preservation? What weight would these
factors deserve and how would they be factored?

What collateral content items are required to initiate evaluation?  Should
this content use standardized templates to simplify inspection and rating
determination? Should the TPVB publish a simulator to enable business
"self-assessment" before submission? Should the TPVB be subject to an
assessment completion SLA?

What commercial interfaces/contacts and communication protocols are
permitted/prohibited during consultation prior to rating determination?

What criteria would TPVB use to generate a public-friendly rating? What
constraints would be placed on an assigned rating to aid consumer
interpretation?

How would financial markets interpret negative TPVB information and factor
it into forward earning projections?


The Eight Best Smart Plugs to Buy in 2018 (Lifewire)

Gabe Goldberg <gabe@gabegold.com>
Wed, 10 Oct 2018 18:00:20 -0400
https://www.lifewire.com/best-smart-plugs-4163001

Welcome to basic home automation—but I'm still not ready to put home IoT
devices online.

  [Imagine every wall plug in your house or office supposedly being as smart
  as you are with AI controlling every IoT device, but perhaps much dumber
  with respect to risks.  Security?  Integrity?  Surveillance?  Privacy
  problems?  Fire hazards?  Sounds like overkill to me.  PGN]


The impending war over deepfakes (Axios)

geoff goodfellow <geoff@iconia.com>
Sun, 14 Oct 2018 19:58:41 -1000
https://www.axios.com/the-impending-war-over-deepfakes-b3427757-2ed7-4fbc-9edb-45e461eb87ba.html

   [AND DON'T MISS THE TWO LINKS AT THE END OF THE ARTICLE!]

EXCERPT:

Researchers are in a pitched battle against deepfakes, the artificial
intelligence algorithms that create convincing fake images, audio and
video, but it could take years before they invent a system that can sniff
out most or all of them, experts tell Axios.

Why it matters: A fake video of a world leader making an incendiary threat
could, if widely believed, set off a trade war—or a conventional
one. Just as dangerous is the possibility that deepfake technology spreads
to the point that people are unwilling to trust video or audio evidence.

The big picture: Publicly available software makes it easy to create
sophisticated fake videos without having to understand the machine learning
that powers it. Most software swaps one person's face onto another's body,
or makes it look like someone is saying something they didn't.

This has ignited an arms race between fakers and sleuths.


"What the heck is it with Windows updates?" (Computerworld)

Gene Wirchenko <genew@telus.net>
Sat, 13 Oct 2018 21:50:29 -0700
Steven J. Vaughan-Nichols, *Computerworld*, Oct 10 2018
Lately, it's been difficult to update Windows systems without running
into some showstopping bugs. WTH is going on?
https://www.computerworld.com/article/3312796/microsoft-windows/what-the-heck-is-it-with-windows-updates.html

selected text:

The story, Microsoft now admits, is that the 1809 release erases, for some
people, all files in the \Documents, \Pictures, \Music, and \Videos folders.
The folders are still there, but nothing's left in them. It's sort of the
neutron bomb of Windows updates.

How could this happen? Seriously, how can you have a release that does this
to users? Where was the quality assurance team? Where were all those Windows
10 Insider Preview users? Oh, wait. The brave beta users had seen this
problem! ZDNet's Ed Bott reported last week that he'd found a report from
three months ago from a tester who said that "my Documents folder had been
overwritten with a new Documents folder, complete with custom icon. All
contents were gone."

Once more, and with feeling: WTH, Microsoft!

How hard is this really, Microsoft? You literally have millions of Preview
users.  At least one of them spotted this newest bug months before release.
There may not be many people running into this problem, but anything bad
enough to destroy users' files should be a red-letter, fix-it-now bug. It
has proved bad enough that Microsoft has stopped the 1809 upgrade in its
tracks until the problem gets resolved.


"Proof-of-concept code published for Microsoft Edge remote code execution bug" (ZDNet)

Gene Wirchenko <genew@telus.net>
Thu, 11 Oct 2018 22:29:53 -0700
Catalin Cimpanu for Zero Day | October 12, 2018
The PoC can be hosted on any website and requires that users press the Enter
key just once.

https://www.zdnet.com/article/proof-of-concept-code-published-for-microsoft-edge-remote-code-execution-bug/

selected text:

A security researcher has published today proof-of-concept code which an
attacker can use to run malicious code on a remote computer via the
Microsoft Edge browser.

Such PoCs are usually quite complex, but Al-Qabandi's code is only HTML and
JavaScript, meaning it could be hosted on any website.

According to the researcher, all the attacker needs to do is trick a user
into accessing a malicious website hosting the PoC via an Edge browser, and
then press the Enter key. Once the user lets go of the Enter key, the PoC
runs and executes a Visual Basic script via the Windows Script Host (WSH)
default application.


Donald Daters (Naked Security)

Rob Slade <rmslade@shaw.ca>
Thu, 18 Oct 2018 09:25:39 -0700
  [When I typed that subject line into the input field on the ISC2
  "community," one of the suggestions that came up was "Twitter and hate
  speech" ...]

Someone made an app for dating Trump followers.  (No, not carbon dating.  An
actual dating app for supporters of Donald Trump, so they could find and
date other followers of Donald Trump.)  It was open to everyone on Monday
morning.

https://nakedsecurity.sophos.com/2018/10/17/donald-daters-app-for-pro-trump-singles-exposes-users-data-at-launch/
or https://is.gd/hIr01d

A little more open than the creators intended (unless the creators are a
secret cabal of Democrats, wanting information on all of The Donald's
supporters).  The database of pretty much all information, including names,
profile info and photos, private messages, and session tokens (so that you
could take over accounts).


Paramedic agrees Apple Watch Series 4 will save lives; false positives not a problem (9to5Mac)

Gabe Goldberg <gabe@gabegold.com>
Thu, 11 Oct 2018 16:35:53 -0400
https://9to5mac.com/2018/10/09/paramedic/


Genome Researchers Show No One's DNA Is Anonymous Anymore (Megan Molteni)

ACM TechNews <technews-editor@acm.org>
Fri, 12 Oct 2018 12:43:00 -0400
Megan Molteni, WiReD, 11 Oct 2018, via ACM TechNews, Friday, 12 Oct 2018

Researchers at Columbia University and the Hebrew University of Jerusalem in
Israel collaborated with MyHeritage chief science officer Yaniv Erlich, a
computational biologist, to determine a majority of Americans with European
ancestry can be identified through their DNA via open genetic genealogy
databases. The team analyzed MyHeritage's dataset of 1.28 million anonymous
persons, tallying the number of relatives with large segments of matching
DNA to find 60% of searches returned a third cousin or closer. Further
examination of 30 genetic profiles with the GEDmatch open data personal
genomics database and genealogy website could make similar identification of
relatives at a rate of 76%, yielding a list of about 850 individuals that
could be narrowed down using basic demographic information. Erlich says he
expects accurate identity searches in genetic databases to be possible on
anyone who leaves even traces of DNA behind relatively soon.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-1cc1cx217d2fx068985&


Algorithms Designed to Fight Poverty Can Actually Make It Worse (Scientific American)

Richard Stein <rmstein@ieee.org>
Wed, 17 Oct 2018 15:47:11 +0800
https://www.scientificamerican.com/article/algorithms-designed-to-fight-poverty-can-actually-make-it-worse/

The Nov 2018 issue of *Scientific American* has a special section on "The
Science of Inequality." The referenced article presents an in depth
discussion and investigation of algorithms applied for entitlement
allocation and tracking/reporting, aka "Poverty Analytics."

"The rise of automated eligibility systems, algorithmic decision making and
predictive analytics is often hailed as a revolution in public
administration. But it may just be a digitized return to the
pseudoscience-backed economic rationing of the past."

Risk: Data collection, analysis, and reporting algorithm bias
disenfranchises elderly, needy, and disabled populations.


Researcher finds simple way of backdooring Windows PCs and nobody notices for ten months (ZDNet)

Gene Wirchenko <genew@telus.net>
Wed, 17 Oct 2018 18:57:51 -0700
Catalin Cimpanu for Zero Day | 17 Oct 2018
https://www.zdnet.com/article/researcher-finds-simple-way-of-backdooring-windows-pcs-and-nobody-notices-for-ten-months/

"RID Hijacking" technique lets hackers assign admin rights to guest and
other low-level accounts.

opening text:

A security researcher from Colombia has found a way of gaining admin rights
and boot persistence on Windows PCs that's simple to execute and hard to
stop -- all the features that hackers and malware authors are looking for
from an exploitation technique.

What's more surprising is that the technique was first detailed way back in
December 2017, but despite its numerous benefits and ease of exploitation,
it has neither received media coverage nor been seen employed in
malware campaigns.


Experian credit freeze unfrozen by hackers? (Veridium)

Gabe Goldberg <gabe@gabegold.com>
Thu, 18 Oct 2018 13:54:46 -0400
Stop using PINs and passwords!

Another week, another sorry tale of poor identification. This time, it's
Experian that failed to properly secure users' PINs.

People who froze their credit reports discovered hackers could unfreeze them
-- even though a PIN was supposed to stop that. But Experian says it's
"confident that our authentication is secure."  OK then.

It turns out Experian had a bug in its PIN-recovery system. This was a bug
so simple to exploit, it was barely a speedbump to a hacker who wanted to
open credit in a victim's name.

https://www.veridiumid.com/blog/experian-credit-freeze-unfrozen-by-hackers/

I guess it wasn't a SAFETY PIN.


DC Think Tank Used Fake Social Media Accounts, A Bogus Expert, And Fancy Events To Reach The NSA, FBI, And White House (BuzzfeedNews)

Gabe Goldberg <gabe@gabegold.com>
Thu, 18 Oct 2018 13:57:40 -0400
ICIT bills itself as "America's Cybersecurity Think Tank." But BuzzFeed News
found it's running fake Twitter accounts and its top expert has questionable
credentials.

https://www.buzzfeednews.com/article/craigsilverman/icit-james-scott-think-tank-fake-twitter-youtube


I fell for Facebook fake news. Here's why millions of you did, too. (WashPost)

Monty Solomon <monty@roscom.com>
Fri, 19 Oct 2018 02:12:31 -0400
Everyone now knows the Web is filled with lies. So then how do fake Facebook
posts, YouTube videos and tweets keep making suckers of us?

https://www.washingtonpost.com/technology/2018/10/18/i-fell-facebook-fake-news-heres-why-millions-you-did-too/


Jury duty

Rob Slade <rmslade@shaw.ca>
Fri, 19 Oct 2018 11:27:44 -0700
I've just got a summons for jury duty.  Jury selection starts Nov. 5 and
goes all week or until empaneled (with the trial starting as soon as
empaneled).  If I can't get myself disqualified, the trial lasts about 3
months.  So, I may miss both BC Security Day *and* SecSIG due to jury
selection process alone, and more if I can't get myself kicked off the jury.

In my standard conference presentation on presenting technical evidence in
court I always point out the difficulty of giving complicated technical
evidence, pointing out that you have to convince two lawyers, who are smart
and knowledgeable enough to have passed law school but don't necessarily
know technology; plus a judge, who is, by definition, an *old* lawyer; plus
twelve people who were, you will note, too *stupid* to find a way to get
disqualified from jury duty.  My joke is coming back to haunt me ...

  [On the other hand, serving is a civic duty, and perhaps a lesson in the
  workings of the law.  PGN]


Re: Molecule resonance and cellphone radiation (Stein, RISKS-30.85)

Richard Stein <rmstein@ieee.org>
Fri, 12 Oct 2018 10:03:16 +0800
Alan—Resonance is exactly what happens to water molecules inside a
microwave oven. They are subject to vibration and rotation—that's what
the energy of a microwave can achieve, and hence the heating effect arising
from friction between the rotating/vibrating molecules.

Biological molecules also rotate and vibrate at room temperature.  Microwave
radiation (~100 micro-eVolts) from a cellphone is ~250 times less energetic
than room temperature heat as shown below.

At room temperature (~298 Kelvins == ~25 degrees Celsius == ~78 degrees
Fahrenheit), per E = kT (where k is Boltzmann's constant, ~8.61×10^-5),
yields:

E = 25.7 meV (25 milli-eVolts). That's ~4 orders of magnitude lower than the
ionization energy of hydrogen, carbon, and oxygen (~13 eVolts).

Ionization from ultraviolet radiation is another matter: chemical bonds are
busted clean and can reform incorrectly. Rather dangerous during DNA
replication when a transcription error might arise that presages cancer
formation (melanoma, for instance).


Re: Fwd: NYTimes: The Auto Industry's VHS-or-Betamax Moment? (RISKS-30.86)

Gabe Goldberg <gabe@gabegold.com>
Wed, 17 Oct 2018 00:36:17 -0400
Ned Ludd would also dislike auto manufacturers pushing vehicle software
updates over the air when they please.

What could go wrong? If you like Windows running updates when you're
presenting, you'll LOVE your car updating while you're driving ("Car will
reboot in 30 seconds").


Re: innumeracy, or More than 250 people worldwide have died taking selfies (Stein, RISKS-30.86)

"John R. Levine" <johnl@iecc.com>
13 Oct 2018 10:37:05 -0400
About 150,000 people die every day worldwide from all causes.  If 250 people
have died over six years from selfie-immolation, that is roughly 1/9 person
per day out of that 150,000, or roughly 0.00008% of them.

While it is unfortunate and unnecessary that those 250 people died, it is
absurd to call it a "major public health problem".  It's not even a rounding
error.

The CDC says 9 people per day die in the US from mobile device distracted
accidents.  That is not the same order of magnitude; it's at least two
orders more, since the 9 people are just in the US but the 1/9 is worldwide.
Numbers from the NHTSA say about 10% of all US fatal accidents and 15% of
injury accidents are due to mobile distraction, so that really is a major
public health problem.

https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/812_381_distracteddriving2015.pdf
