The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 98

Friday 28 December 2018

Contents

Largest car recalls in 2018
Car and Driver
Best Cyber Stories of 2018
Motherboard
How Much of the Internet Is Fake? Turns Out, a Lot of It, Actually.
Geoff Goodfellow
Inspector General audit finds basic cybersecurity lax for US ballistic missile defense systems
Rob Wilcox
Our Cellphones Aren't Safe
Cooper Quintin
The New York Times
Our Cellphones Aren't Safe (2018) and The Electronic Serial Number: A cellular 'sieve'—'spoofers' can defraud users and carriers, June 1987
Geoff Goodfellow
Parachutes are no better than backpacks -- randomized trial
BMJ
Facebook shared even more than previously known
NYTimes
UK security researchers find lax security in app-controlled consumer hot tubs
BBC
Apple Watch ECG is putting a lot of health control in consumers' hands
CNBC
Innovation and Immigration
W.A. Griffin on William Kerr
Tesla Mobile Service
Rob Slade
Computers Determine States of Consciousness
Scientific American
Facebook, recidivus—again—and yet again ..
Rob Slade
IRS Linux move delayed by lingering Oracle Solaris systems
ZDNet
Canada: OPC publishes guidance for organizations and individuals related to protecting personal information collected during cannabis transactions
GC
FCC Launches New Offensive Against Scam, Robo Calls
EWeek
This patent shows Amazon may seek to create a database of suspicious persons using facial-recognition technology
WashPost
Re: Sneaky parrot uses Amazon Alexa to shop ...
danny burstein
Re: Drone shatters passenger jet's nose-cone, radar
Amos Shapir
Re: The GPS wars are here
Erling Kristiansen
Re: "Market volatility: Fake news spooks trading algorithms"
paul wallich
Re: New Zealand courts banned ...; Google just emailed it out.
Dick Mills
Re: Rudy Giuliani Says Twitter Sabotaged His Tweet
Amos Shapir
Re: Risks of `Reply All' and failing to BCC
Paul Robinson
Re: She'd just had a stillborn child. Tech companies wouldn't let her forget it
Amos Shapir
Info on RISKS (comp.risks)

Largest car recalls in 2018 (Car and Driver)

George Sherwood <sherwood@testcover.com>
Wed, 19 Dec 2018 17:33:07 -0500
Annie White lists the 10 largest recalls in Car and Driver's January 2019
issue:

4,846,885 FCA. Cruise control cannot be canceled.

1,619,112 Ford. Fire after seatbelt pretensioner deployment.

1,357,311 Honda. Passenger frontal airbag inflator may explode.

1,301,986 Ford. Steering wheel may detach.

1,282,596 Ford. Stuck canister purge valve may cause stall.

1,149,237 FCA. Tailgate may open unexpectedly.

1,015,918 GM. Temporary loss of electric power steering.

807,329 Toyota. Hybrid system may shut down and cause stall.

691,726 Honda. Passenger frontal airbag inflator may explode.

622,657 Toyota & Pontiac. Passenger frontal airbag inflator may explode.

Recall numbers, listed on page 019, are from January--October 2018.


Best Cyber Stories of 2018 (Motherboard)

Henry Baker <hbaker1@pipeline.com>
Sun, 23 Dec 2018 09:15:42 -0800
Dead CIA agents, ignored whistleblowers, Irresponsible encryption mongers,
what-were-they-thinking ethics failures X N, election hacking,
reaping-what-you-sow govt hacking blowback, Congressional
oversight^H^H^H^H^Hlook, ordinary-citizens-are-human-shields-and-collateral
damage, etc.

In other words, 2018 was a very good year, if you happened to be a
malicious hacker or a govt contractor (but I repeat myself).

https://motherboard.vice.com/en_us/article/xwj38j/motherboard-cybersecurity-jealousy-list-2018

The Cybersecurity Stories We Were Jealous of in 2018

by Lorenzo Franceschi-Bicchierai and Joseph Cox  Dec 21 2018, 7:10am

Here at Motherboard, we are passionate about cybersecurity.

...

here's a very incomplete list of our favorite stories ... that
we wish we had done ourselves.

Kaspersky's 'Slingshot' Report Burned An Isis-focused Intelligence
Operation (Cyberscoop)

https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/

What is a cybersecurity firm's responsibility around not exposing
certain hacking operations?  Here, Cyberscoop showed that sometimes
companies do decide to unmask campaigns targeting arguably legitimate
threats, such as terrorists.  We also explored this dilemma in our
feature on Kaspersky Lab a few weeks after Chris Bing and Patrick
O'Neill's scoop.

The CIA's Communications Suffered A Catastrophic Compromise.
It Started In Iran.  (Yahoo News)

https://www.yahoo.com/news/cias-communications-suffered-catastrophic-compromise-started-iran-090018710.html

The US government and its intelligence apparatus suffered a deadly
blow in China in 2011 and 2012, when more than two dozen CIA sources
and informants were killed.  But it all started in Iran in 2009, when
hackers broke into a CIA "Internet-based covert communications
system," as revealed in this bombshell report by Zach Dorfman and
Jenna McLaughlin.

How Persian Gulf Rivals Turned US Media Into Their Battleground
(BuzzFeed News)

https://www.buzzfeednews.com/article/kevincollier/qatar-uae-iran-trump-leaks-emails-broidy

Sometimes the best weapon a hacker can use is not an exploit or
phishing kit, but the media.  If you can discredit your enemy through
the relatively cheap method of enticing a journalist with a scoop,
you're onto a winning strategy.  Just look at how Guccifer 2.0--a
persona allegedly created by the Russian government--distributed the
hacked Democrats material too.

Mysterious $15,000 'GrayKey' Promises To Unlock iPhone X For The Feds (Forbes)

https://www.forbes.com/sites/thomasbrewster/2018/03/05/apple-iphone-x-graykey-hack/

This story broke open an entire avenue of reporting for us and others:
finally, someone was selling relatively cheap tools for unlocking
iPhones, which led to widespread proliferation of the tech not just
among the three-letter intelligence agencies of the world, but also
among state- and local law enforcement.  This has ramifications for
all sorts of things in the so-called Going Dark debate, and kicked off
a new game of security cat-and-mouse between Apple and Grayshift.

FBI Repeatedly Overstated Encryption Threat Figures To Congress,
Public (The Washington Post)

https://www.washingtonpost.com/world/national-security/fbi-repeatedly-overstated-encryption-threat-figures-to-congress-public/2018/05/22/5b68ae90-5dce-11e8-a4a4-c070ef53f315_story.html

The FBI has been complaining about encryption ... well, pretty much
since the 1990s.  And in the last few years, particularly after Apple
refused to help unlock an alleged terrorist's iPhone, the battle has
intensified.  This Washington Post scoop showed that the numbers
trotted out by FBI officials when talking about how damaging strong
encryption is during investigations were overstated and sometimes
incorrect.  In other words, encryption isn't as much of a hurdle as
the FBI would like us to believe.

Google Plans to Launch Censored Search Engine in China, Leaked
Documents Reveal (The Intercept)

https://theintercept.com/2018/08/01/google-china-search-engine-censorship/

Ryan Gallagher not only broke the news that Google was developing a
search engine for China, one that would censor terms around human
rights and protests, but he's also remained on top of the story.  His
reporting sparked widespread protests both internally at Google and
among human rights organizations, questions at a Congressional
hearing, and, just this week, he reported that Google has hit a major
roadblock with the project as disputes have grown internally.  This
story reminded us--once again--that companies that have a good track
record for caring about human rights don't always stay that way, and
that a handful of employees speaking up can change the course of a
multi-billion-dollar company.

Google Is Helping the Pentagon Build AI for Drones (Gizmodo)

https://gizmodo.com/google-is-helping-the-pentagon-build-ai-for-drones-1823464533

Speaking of Google employees standing up against a controversial
program, this story about the Internet giant's secret Pentagon
contract broke long before Googlers organized marches to protest their
own company.  Kate Conger's relentless reporting on the story led to
Google shutting down the program and was one of the original stories
that helped kick off a new wave of protests by Silicon Valley
employees against their own companies.

Facebook Is Giving Advertisers Access to Your Shadow Contact
Information (Gizmodo)

https://gizmodo.com/facebook-is-giving-advertisers-access-to-your-shadow-co-1828476051

It wasn't a great year for Facebook's bosses either.  Cambridge
Analytica, a constant struggle to moderate content, and some
embarrassing breaches affecting millions of people, among a slew of
seemingly endless scandals.  You may have missed or forgotten this
story, but it's worth your time.  Kashmir Hill, with the help of a
team of smart researchers, proved how Facebook mines your cell phone's
contact data to suggest new friends on the social network, and to
serve you better targeted ads.

Your Apps Know Where You Were Last Night, and They're Not Keeping It
Secret (The New York Times)

https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html

Speaking of apps that know too much ... there are only a few outlets
with the resources, reach, and dedication to take a story and present
it in such a way that the general public can really understand a
security issue.  This is one of those stories--the sharing of location
data lifted by apps may not be a new phenomenon, but the Times team
produced the definitive piece tangibly explaining what this means for
the privacy of everyone with a smartphone.

Thermostats, Locks and Lights: Digital Tools of Domestic Abuse (The
New York Times)

https://www.nytimes.com/2018/06/23/technology/smart-home-devices-domestic-abuse.html

We've extensively covered how malware is used in cases of domestic
violence, stalking, and abuse.  This Times piece looked at the next
step in that use of technology at home: the Internet of Things.
Definitely worth a read if you are concerned with how technology can
impact the lives of ordinary, non-technical people.  And if you don't,
why are you reading a post about cyber articles?

Russian Troll Farm Hijacked American Teen Girls' Computers for Likes
(The Daily Beast)

https://www.thedailybeast.com/russia-troll-farm-hijacked-american-teen-girls-computers-for-likes

As a hacker, Kevin Poulsen brings some of the coolest technological
approaches into journalism.  Here, Poulsen found a dodgy browser
extension belonging to Russia's controversial troll army, the Internet
Research Agency.  He then bought the domain linked to it, letting him
see what sort of data it was collecting, and from where.  He found the
IRA's software on computers all over the place.  A great reminder to
think how can journalists approach a story from a different,
technological angle.

A Quebecer Spoke Out Against The Saudis--Then Learned He Had Spyware
On His iPhone (CBC)

https://www.cbc.ca/news/technology/omar-abdulaziz-spyware-saudi-arabia-nso-citizen-lab-quebec-1.4845179

What's the point of writing about malware, spyware, and hacking if you
can't show readers how the technology affects real people?  Every
great infosec story should have a human angle.  This is a great
example of that.  Former Motherboard editor Matt Braga visited one of
the latest victims of government-sponsored hacking, a growing problem
that's putting regular people all over the world in danger.

Gray Hat--Marcus Hutchins' Profile (New York Magazine)

https://nymag.com/intelligencer/2018/03/marcus-hutchins-hacker.html

The security researcher better known as MalwareTech helped stop
WannaCry, one of the most virally infectious malware outbreaks ever.
Months later, the FBI arrested him for a crime he's accused of having
committed when he was a teen.  This in-depth profile tries to answer a
universal question in the world of cybersecurity: does a hacker hero
always have to have a past?  And if so, what should authorities do
with them?

Service Meant to Monitor Inmates' Calls Could Track You, Too (The New
York Times)

https://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html

File this under "companies you probably never heard of doing sketchy
things that can affect us all."  The Times scored another huge scoop
revealing that Securus Technologies, a firm that provides and monitors
inmates phone calls, was letting pretty much anyone track people's
cell phones for a fee.  Thanks to Securus, anyone "can find the
whereabouts of almost any cell phone in the country within seconds,"
according to the investigation.  As we found out later, and rather
unsurprisingly, Securus wasn't securing this data at all.

The Crisis of Election Security (The New York Times)

https://www.nytimes.com/2018/09/26/magazine/election-security-crisis-midterms.html

You've heard about election hacking for years.  Everyone is worried
about it, but seemingly no one is doing anything to prevent it.
Veteran infosec reporter (and Motherboard contributor) Kim Zetter goes
deep into the history and crisis of election security, writing perhaps
the definitive piece about the subject.  A must-read for anyone who
cares about democracy and the integrity of the elections.

The Untold Story Of NotPetya, The Most Devastating Cyberattack In
History (Wired)

https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

The outbreak of destructive malware NotPetya never got the attention
it deserved, perhaps because it came a few weeks after the
headline-grabbing WannaCry ransomware outbreak.  Andy Greenberg does
it justice in this thrilling tale, part of his upcoming book, on how
NotPetya crippled the largest shipping company in the world.  The only
downside of this story is that it will make you want to read more, but
you'll have to wait until the book comes out.

In Leaked Chats, Wikileaks Discusses Preference For Gop Over Clinton,
Russia, Trolling, And Feminists They Don't Like (The Intercept)

https://theintercept.com/2018/02/14/julian-assange-wikileaks-election-clinton-trump/

WikiLeaks and Julian Assange's fall from grace has been documented
over the last few years, but this report built on a treasure trove of
leaked chat logs, felt like the nail in the coffin.  The Intercept
revealed how the secret-spilling organization candidly talked about
their preference for the Republican party to win the 2016 election,
their thoughts on the "bright, well connected, sadistic sociopath"
Hillary Clinton, and some unsavory comments about feminist activists.

Israeli Cyber Firm Negotiated Advanced Attack Capabilities Sale With
Saudis, Haaretz Reveals (Haaretz)

https://www.haaretz.com/israel-news/.premium-israeli-company-negotiated-to-sell-advanced-cybertech-to-the-saudis-1.6680618

The controversial and successful spyware vendor NSO Group has been in
the headlines for a couple of years, after researchers caught
government hackers using sophisticated hacking tools developed by the
company to hack a Dubai-based human rights activist.  This
investigation by Israeli newspaper Haaretz exposed the behind the
scenes story of how Saudi Arabia bought iPhone malware from NSO for
more than $200 million.

Russian Hackers Posed As ISIS To Threaten Military Wives (Associated
Press)

https://apnews.com/4d174e45ef5843a0ba82e804f080988f

The threat of ISIS hackers has often been unjustifiably hyped up.  But
in this deeply reported story, people like Angela Ricketts show that
the threat was real enough for some people.  The AP's Raphael Satter
talked to several people targeted by ISIS sympathizers, putting a face
to the victims of a scary online campaign.  We need more stories that
focus on the victims of hacking, this was a great example of that.
And Satter and his colleagues at the AP have produced several more in
the last few months that are also worth your time.

Living with Depression in Tech (Jonathan Zdziarski's personal blog)

https://www.zdziarski.com/blog//ZUp=7437

Apple security researcher and forensic expert Jonathan Zdziarski here opened
up about an incredibly important and often overlooked topic: mental health
in tech.  Zdziarski powerfully details his own struggle with depression, and
at the same time offers a hopeful tale of overcoming it with a lot of hard
work, introspection, and learning. ...


How Much of the Internet Is Fake? Turns Out, a Lot of It, Actually.

geoff goodfellow <geoff@iconia.com>
Thu, 27 Dec 2018 06:50:35 -1000
In late November, the Justice Department unsealed indictments against eight
people accused of fleecing advertisers of $36 million in two of the largest
digital ad-fraud operations ever uncovered. Digital advertisers tend to want
two things: people to look at their ads and premium websites—i.e.,
established and legitimate publications—on which to host them.

The two schemes at issue in the case, dubbed Methbot and 3ve by the security
researchers who found them, faked both. Hucksters infected 1.7 million
computers with malware that remotely directed traffic to spoofed websites --
empty websites designed for bot traffic that served up a video ad purchased
from one of the Internet's vast programmatic ad-exchanges, but that were
designed, according to the indictments, “to fool advertisers into thinking
that an impression of their ad was served on a premium publisher site,'' like
that of *Vogue* or *The Economist*.  Views, meanwhile, were faked by
malware-infected computers with marvelously sophisticated techniques to
imitate humans: bots *faked* clicks, mouse movements, and social network
login information to masquerade as engaged human consumers.

https://services.google.com/fh/files/blogs/3ve_google_whiteops_whitepaper_final_nov_2018.pdf
https://cdn2.hubspot.net/hubfs/3400937/WO_Methbot_Operation_WP_01.pdf/

Some were sent to browse the Internet to gather tracking cookies from other
websites, just as a human visitor would have done through regular behavior.
Fake people with fake cookies and fake social-media accounts, fake-moving
their fake cursors, fake-clicking on fake websites—the fraudsters had
essentially created a simulacrum of the Internet, where the only real things
were the ads.

How much of the Internet is fake? Studies generally suggest that, year after
year, less than 60 percent of web traffic is human; some years, according to
some researchers, a healthy majority of it is bot. For a period of time in
2013, *The Times* reported this year, a full half of YouTube traffic was
`bots masquerading as people', a portion so high that employees feared an
inflection point after which YouTube's systems for detecting fraudulent
traffic would begin to regard bot traffic as real and human traffic as fake.
They called this hypothetical event *The Inversion*.
https://www.nytimes.com/interactive/2018/01/27/technology/social-media-bots.html

In the future, when I look back from the high-tech gamer jail in which
President PewDiePie will have imprisoned me.

http://nymag.com/intelligencer/2018/12/why-pewdiepies-anti-semitic-youtube-jokes-dont-hurt-him.html

http://nymag.com/intelligencer/2018/12/how-much-of-the-internet-is-fake.html
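A small worked example, added here and not part of Geoff's item, the NY Mag
piece, or the White Ops/Google reports: a heuristic that flags a session as
bot-like when its inter-event timing is too regular and its cursor path too
straight to have come from a hand on a mouse, run over a few constructed
click-stream lines.  The sessions, the log format and the two thresholds are
assumptions for illustration; production ad-fraud detection uses many more
signals (IP reputation, cookie age, rendering fingerprints) than these two.

```python
"""Heuristic bot-versus-human scoring over constructed click-stream lines.

Added example, not from the article or from White Ops/Google.  Each line is
"session_id,timestamp_ms,x,y,event".  Two signals are used:
  * timing regularity: coefficient of variation (CV) of the gaps between
    events; scripted bots often fire on a fixed timer, humans jitter.
  * path linearity: straight-line distance / total path length of the cursor;
    1.0 is a perfectly straight sweep, which real hands rarely produce.
Thresholds are assumptions for illustration.
"""
import math
import statistics

# Constructed sample log: one jittery human session, one clockwork bot.
SAMPLE_LOG = """\
human-1,1000,102,340,move
human-1,1187,130,352,move
human-1,1402,171,355,move
human-1,1755,219,361,move
human-1,1991,223,362,click
bot-7,5000,100,100,move
bot-7,5250,150,150,move
bot-7,5500,200,200,move
bot-7,5750,250,250,move
bot-7,6000,300,300,click
"""


def parse_log(text):
    """Group lines by session id; each event is (ts_ms, x, y, kind), time-sorted."""
    sessions = {}
    for line in text.strip().splitlines():
        sid, ts, x, y, kind = line.split(",")
        sessions.setdefault(sid, []).append((int(ts), int(x), int(y), kind))
    for events in sessions.values():
        events.sort(key=lambda e: e[0])
    return sessions


def timing_cv(events):
    """CV of inter-event gaps; 0.0 means metronomic timing.  None if too few events."""
    gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else None


def path_linearity(events):
    """Straight-line distance between first and last point over the path length."""
    pts = [(e[1], e[2]) for e in events]
    if len(pts) < 3:
        return None
    path = sum(math.dist(p, q) for p, q in zip(pts, pts[1:]))
    if path == 0:
        return None
    return math.dist(pts[0], pts[-1]) / path


def score_session(events, cv_threshold=0.05, linearity_threshold=0.999):
    """Flag a session when either signal is outside the human range (assumed thresholds)."""
    cv = timing_cv(events)
    lin = path_linearity(events)
    reasons = []
    if cv is not None and cv < cv_threshold:
        reasons.append("metronomic timing")
    if lin is not None and lin >= linearity_threshold:
        reasons.append("ruler-straight cursor path")
    return {"timing_cv": cv, "linearity": lin, "bot": bool(reasons), "reasons": reasons}


def classify(log_text):
    """Return {session_id: score} for every session in the log."""
    return {sid: score_session(ev) for sid, ev in parse_log(log_text).items()}


if __name__ == "__main__":
    for sid, s in classify(SAMPLE_LOG).items():
        print(sid, "BOT" if s["bot"] else "human", s["reasons"])
```

The point of the example is the direction of the arms race the article
describes: each of these signals is cheap to fake once the fraudster knows it
is being measured (Methbot already jittered its mouse movements), which is
why detection has to rest on many independent signals rather than any one.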


Inspector General audit finds basic cybersecurity lax for US ballistic missile defense systems

Rob Wilcox <robwilcoxjr@gmail.com>
Thu, 20 Dec 2018 22:17:38 -0800
   [Note the cover story in the latest issue of *The Nation*, which
   goes into huge details on related cases.  PGN]

Cabinet departments have Inspectors General (IG) with wide and deep audit
responsibility. Most agencies take IG reports seriously; the IG reports high
in hierarchically-cultured agencies.

The Department of Defense has released an audit of select ballistic missile
defense-related facilities. These facilities manage information and
operations, which if known, would compromise function of these systems. The
IG audited a sample of facilities.

(Longtime RISKS readers may be aware that many believe these systems will
never work as represented. One need only read back to the work of Dr David
Parnas.)

Flaws included lack of two-factor authentication, encryption, intrusion
detection and prevention systems, physical access to servers and least
privilege authorization processes.

“During our site visit, we observed security footage showing that a
representative from the [redacted] gained unauthorized access to the
[redacted] facility by simply pulling the door open. The security camera
footage also showed that although the representative stopped to ask for
directions, the individual she stopped did not request to see her [redacted]
badge or question her facility access. Furthermore, the security footage
showed that the security officer at the front desk also did not request to
see her [redacted] badge.''

Enterprise IT security, credit card security, critical infrastructure,
federal IT standards, NIST and cybersecurity professional NGO entities have
recommended these basic controls for many years.

Unclassified report:
https://media.defense.gov/2018/Dec/14/2002072642/-1/-1/1/DODIG-2019-034.PDF.


Our Cellphones Aren't Safe (Cooper Quintin, The New York Times)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 27 Dec 2018 14:59:18 PST
https://www.nytimes.com/2018/12/26/opinion/cellphones-security-spying.html

This article may not be new to you, but it raises a plethora of issues with
landline and cellular telephones that have existed for many years, and
indeed many that have been well known—e.g., see Geoff Goodfellow's message
from 1987, which follows this one.  Risks noted in Cooper's article include
fake cell towers siphoning off information, readily available spying tools,
SS7 security weaknesses, governmental desires for easy access, and lots more.
Some of the issues from the Keys Under Doormats report are also present.

  [Note: I started writing this while reading *The Times* over breakfast,
  and revised it after reading Geoff's item this afternoon.  PGN]


Our Cellphones Aren't Safe (2018) and The Electronic Serial Number: A cellular 'sieve'—'spoofers' can defraud users and carriers (June 1987)

geoff goodfellow <geoff@iconia.com>
Thu, 27 Dec 2018 09:56:49 -1000
Cooper Quintin (EFF), *The New York Times*, 27 December 2018
Security flaws threaten bank accounts.  So why aren't we fixing them?
https://www.nytimes.com/2018/12/26/opinion/cellphones-security-spying.html

EXCERPT:

America's cellular network is as vital to society as the highway system
and power grids. Vulnerabilities in the mobile phone infrastructure threaten
not only personal privacy and security, but also the country's. According to
intelligence reports, spies are eavesdropping on President Trump's cellphone
conversations and using fake cellular towers in Washington to intercept
phone calls. Cellular communication infrastructure, the system at the heart
of modern communication, commerce and governance, is woefully insecure. And
we are doing nothing to fix it.

This should be at the top of our cybersecurity agenda, yet policymakers and
industry leaders have been nearly silent on the issue. While government
officials are looking the other way, an increasing number of companies are
selling products that allow buyers to take advantage of these
vulnerabilities.

Spying tools, which are becoming increasingly affordable, include cell-site
simulators (commonly known by the brand name Stingray), which trick
cellphones into connecting with them without the cellphone owners'
knowledge. Sophisticated programs can exploit vulnerabilities in the
backbone of the global telephone system (known as Signaling System 7, or
SS7) to track mobile users, intercept calls and text messages, and disrupt
mobile communications.

These attacks have real financial consequences. In 2017, for example,
criminals took advantage of SS7 weaknesses to carry out financial fraud by
redirecting and intercepting text messages containing one-time passwords for
bank customers in Germany. The criminals then used the passwords to steal
money from the victims' accounts.

How did we get here, and why is our cellular infrastructure so insecure?...

[...]

  [And, PGN notes, here is Geoff's excerpt from something he wrote
  originally in 1985]

> Date: 12 Jun *1987* 13:40-PDT
> From: Geoffrey S. Goodfellow <Geoff@CSL.SRI.COM>
> Subject: Article on Cellular [in]security.

The following is reprinted from the *November 1985* issue of Personal
Communications Technology magazine by permission of the authors and
the publisher, FutureComm Publications Inc., 4005 Williamsburg Ct.,
Fairfax, VA  22032, 703/352-1200.
Copyright 1985 by FutureComm Publications Inc.   All rights reserved.

          THE ELECTRONIC SERIAL NUMBER: A CELLULAR 'SIEVE'?
              'SPOOFERS' CAN DEFRAUD USERS AND CARRIERS

   by Geoffrey S. Goodfellow, Robert N. Jesse, and Andrew H. Lamothe, Jr.

What's the greatest security problem with cellular phones? Is it privacy of
communications?  No.

Although privacy is a concern, it will pale beside an even greater problem:
spoofing.

  [*Security flaws threaten our privacy and bank accounts. So why aren't we
  fixing them?*]

'Spoofing' is the process through which an agent (the 'spoofer') pretends to
be somebody he isn't by proffering false identification, usually with intent
to defraud.  This deception, which cannot be protected against using the
current U.S. cellular standards, has the potential to create a serious
problem—unless the industry takes steps to correct some loopholes in the
present cellular standards.

Compared to spoofing, the common security concern of privacy is not so
severe.  Most cellular subscribers would, at worst, be irked by having their
conversational privacy violated.  A smaller number of users might actually
suffer business or personal harm if their confidential exchanges were
compromised.  For them, voice encryption equipment is becoming increasingly
available if they are willing to pay the price for it.

Thus, even though technology is available now to prevent an interloper from
overhearing sensitive conversations, cellular systems cannot—at any cost—
prevent pirates from charging calls to any account. This predicament is
not new to the industry.  Even though cellular provides a modern,
sophisticated quality mobile communications service, it is not fundamentally
much safer than older forms of mobile telephony.

History of Spoofing Vulnerability...  [...]

http://massis.lcs.mit.edu/archives/cellular/cellular.sieve

  [When will they ever learn?  (Little boxes made of Ticky-Tacky.)  PGN]


Parachutes are no better than backpacks -- randomized trial (BMJ)

Rob Slade <rmslade@shaw.ca>
Sat, 22 Dec 2018 09:36:40 -0800
The actual paper: Parachute use to prevent death and major trauma when
jumping from aircraft: randomized controlled trial.
https://www.bmj.com/content/363/bmj.k5094

An article explaining the situation in a slightly more readable fashion.
https://www.npr.org/sections/health-shots/2018/12/22/679083038/researchers-show-parachutes-dont-work-but-there-s-a-catch

The point being: be careful when relying on the outcome of studies.


Facebook shared even more than previously known (NYTimes)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 19 Dec 2018 9:49:49 PST
Facebook network gave Microsoft, Amazon, Spotify and others far greater
access to people's data than it has disclosed.

https://www.nytimes.com/2018/12/18/technology/facebook-privacy.html


UK security researchers find lax security in app-controlled consumer hot tubs (BBC)

Rob Wilcox <robwilcoxjr@gmail.com>
Tue, 25 Dec 2018 05:26:55 -0800
About 30,000 hot tubs are controlled by Balboa Water App. The app uses a
cloud service to access a WiFi controller attached to the hot tub through
the consumer's Internet-connected home network. The researchers explored and
found common IOT (Internet of Things) security flaws.

- Simplified setup of the WiFi network made it susceptible to hackers within
  local range. There was no MAC-level security.

- One of those modes allowed the controllers to be discoverable by anyone on
  the Internet.

- The tub controller authentication to the cloud uses a static
  username/password sent in the clear and easily discoverable (now
  published).  There is no authentication of the user to the mobile app.

- Software quality poor and poor vendor response to the threat.

All those resulted in the capability to compromise the clock, temperature
and pumps.

Interestingly, the programmers used a faulty conversion between Fahrenheit
and Celsius!

The whole story is a fascinating read: humorous, for the researchers
justifying buying a hot tub and controller to their management - then
photographing themselves in Santa caps using the tub; and sad, because the
vendor only returned calls to the researchers after the BBC broke the story.

The system vendor has been very naughty this year. We hope this story brings
a smile (and maybe a groan) to Risks readers! And we wish you all a secure
new year!

https://www.pentestpartners.com/security-blog/hackers-in-hot-water-pwning-smart-hot-tubs-yes-really/

https://www.bbc.com/news/technology-46674706

  [Richard Stein noted the BBC item and commented, “The home is a castle,
  unless connected to The Internet of Mistakes.''  PGN]
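The 1985 ESN article in Geoff's item and the hot-tub write-up above describe
the same defect thirty years apart: the thing that identifies the device (an
electronic serial number, a fixed username/password) is sent in the clear and
is all the other end checks, so anyone who has heard it once can present it
again.  The following is an added example, not code from either vendor or
from the articles; the device IDs, secret, message layout and server names
are hypothetical.  It contrasts a static-credential check, which accepts a
replayed capture, with a nonce-based challenge-response (HMAC-SHA256 over a
single-use server nonce), which rejects it.

```python
"""Static credential vs. nonce challenge-response, as seen by an eavesdropper.

Added example; the device IDs, secret and message layout are hypothetical.
"""
import hashlib
import hmac
import secrets

# Hypothetical device registry shared by both servers: device id -> secret.
REGISTRY = {"ESN-0001": "s3cret-from-the-factory-label"}


class StaticCredentialServer:
    """Scheme 1: the client sends "<id>:<secret>" verbatim; the server compares."""

    def __init__(self, registry):
        self.registry = registry

    def authenticate(self, message):
        device_id, _, presented = message.partition(":")
        expected = self.registry.get(device_id)
        return expected is not None and hmac.compare_digest(expected, presented)


def static_login_message(device_id, secret):
    """What actually crosses the air / the wire: identifier and secret in the clear."""
    return f"{device_id}:{secret}"


def client_response(secret, nonce):
    """Device-side computation for scheme 2; this digest is all that crosses the wire."""
    return hmac.new(secret.encode(), nonce.encode(), hashlib.sha256).hexdigest()


class ChallengeResponseServer:
    """Scheme 2: server issues a fresh random nonce; client proves it knows the
    secret by returning HMAC-SHA256(secret, nonce).  The secret never leaves the
    device and each nonce is accepted at most once."""

    def __init__(self, registry):
        self.registry = registry
        self.outstanding = {}  # device_id -> nonce awaiting a response

    def challenge(self, device_id):
        nonce = secrets.token_hex(16)
        self.outstanding[device_id] = nonce
        return nonce

    def verify(self, device_id, response):
        nonce = self.outstanding.pop(device_id, None)  # single use, even on failure
        secret = self.registry.get(device_id)
        if nonce is None or secret is None:
            return False
        return hmac.compare_digest(client_response(secret, nonce), response)


def run_scenario():
    """A legitimate login under each scheme, then an eavesdropper replaying
    exactly what was captured.  Returns the four outcomes."""
    device, secret = "ESN-0001", REGISTRY["ESN-0001"]

    # Scheme 1: the capture *is* the credential.
    static = StaticCredentialServer(REGISTRY)
    captured = static_login_message(device, secret)
    static_legit = static.authenticate(captured)
    static_replay = static.authenticate(captured)  # attacker resends the capture

    # Scheme 2: the capture is a response to a nonce that is already spent.
    cr = ChallengeResponseServer(REGISTRY)
    nonce = cr.challenge(device)
    captured_resp = client_response(secret, nonce)
    cr_legit = cr.verify(device, captured_resp)
    cr.challenge(device)  # attacker asks to log in and receives a new nonce
    cr_replay = cr.verify(device, captured_resp)  # old response no longer matches

    return {
        "static_legit": static_legit,
        "static_replay": static_replay,
        "cr_legit": cr_legit,
        "cr_replay": cr_replay,
    }


if __name__ == "__main__":
    for name, accepted in run_scenario().items():
        print(f"{name:14s} {'accepted' if accepted else 'rejected'}")
```

The challenge-response only buys replay resistance: it does not protect the
session that follows, and it requires a per-device secret that the attacker
cannot read off a label or out of a firmware image, which is exactly the
provisioning problem the hot-tub vendor skipped by shipping one static
credential for every controller.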


Apple Watch ECG is putting a lot of health control in consumers' hands (CNBC)

Gabe Goldberg <gabe@gabegold.com>
Fri, 21 Dec 2018 17:16:01 -0500
As more people have access to an ECG, doctors are being inundated with
patient data, and it's not all good.

Apple says users of its watch should still consult their doctor.

https://www.cnbc.com/2018/12/19/apple-watch-ecg-is-putting-a-lot-of-health-control-in-consumers-hands.html


Innovation and Immigration (W.A. Griffin on William Kerr)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 24 Dec 2018 12:00:20 PST
The Innovation Engine, an article in the Jan-Feb 2019 Harvard Magazine by
William A. Griffin discusses research by Professor William Kerr, and makes
some interesting points regarding innovation and immigration.  For example,

  * 33% of U.S. Nobel Laureates since 1901 have been immigrants.

  * 40% of American doctoral degrees were awarded to noncitizens.

  * More than 25% of American entrepreneurs were born overseas.

Kerr is quoted: “powerful ideas are the main force behind long-term
economic growth.''

  [Xenophobia involves less logic than Zeno's paradoxes, and might
  be mistaken for Zenophobia, PGN]


Tesla Mobile Service

Rob Slade <rmslade@shaw.ca>
Fri, 21 Dec 2018 16:15:22 -0800
So, I saw a car labeled "Tesla Mobile Service."

Do they go to where a driver is in trouble, unplug the car, and plug it in
again?


Computers Determine States of Consciousness (Scientific American)

Richard Stein <rmstein@ieee.org>
Thu, 20 Dec 2018 11:09:43 +0800
https://www.scientificamerican.com/article/computers-determine-states-of-consciousness/

In "Google is training machines to predict when a patient will die"
(http://catless.ncl.ac.uk/Risks/30/74#subj22.1), we learned that
physiological measurements might someday be applied by a machine-based
algorithm to assess "death likelihood," and possibly advise a hastening or
postponement of palliative healthcare treatment.  Basically, Google's gizmo
will yield a number of sorts indicative of a patient's viability to sustain
biological activity.

Now add in another data point via a machine capability based on the
"DOC-Forest" algorithm trained to interpret EEG signals and conclude a value
for "Disorder of Consciousness."

https://en.wikipedia.org/wiki/Disorders_of_consciousness identifies several
states of consciousness: locked in syndrome, minimally conscious, persistent
vegetative, chronic coma, and brain death.

Apparently, neurologists are sometimes challenged to accurately determine
patient consciousness level (based on arousal and awareness): can they hear
spoken words or music? Feel a touch though they don't react? Or smell odors?
If yes, what does this imply about patient recovery and rehabilitation
potential?

Medical imaging (MRI, PET, CT, etc.) may yield inconclusive evidence, or be
difficult to assess for an unconscious patient's brain state and recovery
likelihood.

If two points determine a line, would this hypothetical line's 1st
derivative (the slope) imply "terminate life support" or "sustain life
support"?

Risk: Medical practice decision support via black box, inexplicable AI.

Might be time to add a "Black Box" warning to some medical technology.
See https://www.fda.gov/downloads/ForConsumers/ConsumerUpdates/UCM107976.pdf


Facebook, recidivus—again—and yet again ...

Rob Slade <rmslade@shaw.ca>
Thu, 20 Dec 2018 11:05:48 -0800
Facebook exposes your pics.  And sells the phone number you gave them for
security purposes.  And tries to predict your movements.  And has breaches
they try to hide.  And tries to ad-block even when it hurts you.  And gives
you a VPN that spies on you.

None of this is new, of course.  Those of us in the security field are
possibly getting a wee bit tired of continuing "news" of Facebook's
misdeeds.  (And probably expect to be hearing the same of Instagram and
WhatsApp at any moment.)

The thing is, Facebook keeps on promising to do better, but actions that
they take appear to be minimal and feckless.  When Facebook is caught out,
they seem to immediately want to turn the tables and say it is the fault of
the users (or someone else).  But, if you can find actual facts, Facebook
never seems to come out clean.

Some have posited that Facebook's whole structure and business model is
simply inherently bad.  Whether that is true or not, unethical behaviour is
deeply entrenched at Facebook, and, in corporations, ethics always derive
from the top.  Some companies, even with deep problems with misfeasance (if
not malfeasance) do manage to turn things around, but only with a
housecleaning at the top.  Facebook seems completely unwilling to take the
necessary steps.

https://lite.cnn.io/en/article/h_d6f18ad97cce69b248364fa11ff2902c

If you want to get at the reports behind some of the items mentioned, see
https://community.isc2.org/t5/Industry-News/Facebook-recidivus-again-and-yet-again/m-p/17181 or https://is.gd/zoHD6G


IRS Linux move delayed by lingering Oracle Solaris systems (ZDNet)

Gabe Goldberg <gabe@gabegold.com>
Wed, 19 Dec 2018 20:13:08 -0500
The auditors missed two reasons why this migration has gone so wrong:
Politics and funding. Rep. Gerry Connolly (D-Va) told NextGov, a federal
technology news publication, "Since Republicans gained control of the House
of Representatives in 2010, their partisan attacks have left the IRS with
nearly 10,000 fewer customer service representatives to assist taxpayers and
a patchwork of IT systems, some dating back to the Kennedy Administration,
which is ultimately harming all taxpayers."

Or, as IRS CTO Terence Milholland told Congress in 2016, "The situation is
analogous to operating a 1960s automobile with the original chassis, two
suspension and drivetrain, but with a more modern engine, satellite radio,
and a GPS navigation system. It runs better than the original model but not
nearly as efficiently as a system bought today."

More recently, Nina Olson, the IRS national taxpayer advocate, told
Congress, "Since FY 2010, the IRS budget has been reduced by 20 percent on
an inflation-adjusted basis, and the IRS workforce has declined by about the
same percentage. These reductions have led to significant cuts in taxpayer
service levels and have prevented the IRS from deploying new technology that
would improve the taxpayer experience."

Linux could improve technology and save funding, but to save money, first
you have to spend money. If, and only if, the IRS can modernize its systems
can Linux show what it can do for both the agency and the American taxpayer.

https://www.zdnet.com/article/irs-linux-move-delayed-by-lingering-oracle-solaris-systems/


Canada: OPC publishes guidance for organizations and individuals related to protecting personal information collected during cannabis transactions

Kelly Bert Manning <bo774@freenet.carleton.ca>
Wed, 19 Dec 2018 11:06:31 -0500
https://www.priv.gc.ca/en/opc-news/news-and-announcements/2018/an_181217/
https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/gd_can_201812/

"Cannabis is illegal in most jurisdictions outside of Canada. The personal
information of cannabis users is therefore very sensitive.  For example,
some countries may deny entry to individuals if they know they have
purchased cannabis, even lawfully."

https://www.oipc.bc.ca/guidance-documents/2248

The bottom line seems to be use cash, not a bank card, to limit the data
trail. Not using pot might be an even better idea if you plan to travel to
other countries in the future.

This seems to be directed at people who will be buying pot now that it is
legal in Canada. It is a non-issue for the rest of us who do not use pot.

Apparently we can expect higher produce prices as greenhouses convert from
tomatoes, peppers and lettuce to pot. I don't recall that being mentioned
previously as a likely outcome of pot legalization.

https://www.ctvnews.ca/canada/what-does-cannabis-cost-across-canada-1.4138585


FCC Launches New Offensive Against Scam, Robo Calls (EWeek)

Gabe Goldberg <gabe@gabegold.com>
Wed, 19 Dec 2018 10:10:11 -0500
Carriers were required to explain their plans for comprehensive call
blocking on 19 Nov, with the ability to be in place in 2019.

http://www.eweek.com/networking/fcc-launches-new-offensive-against-scam-robo-calls

The risk? Security better late than never. But very late.


This patent shows Amazon may seek to create a database of suspicious persons using facial-recognition technology (WashPost)

Richard Stein <rmstein@ieee.org>
Wed, 19 Dec 2018 12:52:49 +0800
https://www.washingtonpost.com/technology/2018/12/13/this-patent-shows-amazon-may-seek-create-database-suspicious-persons-using-facial-recognition-technology

The patent application proposes to use doorbell camera photo-capture with
resident approval/disapproval input supplements to compile an "Ok to pass"
and "Not ok to pass" database shared among neighbors, a digitally-surveilled
'Neighborhood Watch' program. This database would be shared with the local
law enforcement community.

"An algorithm shouldn't be deciding whether someone is suspicious," said
Jake Snow of ACLU Northern California. "We're calling on Amazon to be more
thoughtful of the consequences of their technology being deployed in
communities and to put people before profit."

Risk: False-positive profiling potential and 'suspicious label' attribution
via algorithmic physical appearance interpretation.

Perhaps the algorithm may be more effective if it applied tactile phrenology
as an image capture supplement?


Re: Sneaky parrot uses Amazon Alexa to shop ...

danny burstein <dannyb@panix.com>
Thu, 20 Dec 2018 19:44:25 -0500
TAMPA, Fla. (WFLA) - A foul-mouthed parrot, who was kicked out of an animal
sanctuary for swearing too much, is using technology to cause even more
trouble.  The Times of London reports Rocco, an African grey, has been using
Amazon Alexa to shop online while his owner was away.

[snip]

The default "wake up" call to the Alexa Echo Spybot is the word "Alexa".
However, you can change it to "Echo" and a couple of others.

Yeah, it's a pain to do so, involving pulling up the Alexa application on
your phone and going through a bunch of menus, but it would solve this
specific problem.


Re: Drone shatters passenger jet's nose-cone, radar (RISKS-30.97)

Amos Shapir <amos083@gmail.com>
Sat, 22 Dec 2018 11:22:29 +0200
This incident, and the one in Gatwick yesterday, raise the notion that it's
time to require that each drone over a certain size carry an ID chip, and
have these registered somewhere; this way a drone's owner could be
identified in case of an incident.

Such regulations are in effect for dogs in many jurisdictions; it seems
that drones need even stricter supervision.


Re: The GPS wars are here

Erling Kristiansen <erling.kristiansen@xs4all.nl>
Fri, 21 Dec 2018 11:04:44 +0100
I wonder how future AVs (autonomous vehicles) will react to GPS jamming. And
GPS spoofing, making the AV think it is in a different place, might be even
more fun.


Re: "Market volatility: Fake news spooks trading algorithms"

paul wallich <pw@panix.com>
Thu, 20 Dec 2018 19:46:28 -0500
[all about how the market has been so volatile downward because of
high-speed trading algorithms getting suckered by fake news]

Don't blame the algorithm, blame the training set. The kinds of
news-scanning programs described are ultimately trying to get ahead of what
their programmers/trainers/historical data say human traders would do in a
similar situation. And pretty much since the founding of markets, human
traders have been making ill-informed hair-trigger trades based on faulty
analysis of rumors or questionable headlines. The pattern has been around in
all the decades I've been watching: some piece of news or non-news triggers
a spike in buying or selling of a particular company's stock, and then
within hours or days the stock is back to its previous value/trend. The
money that's made in these swings comes from figuring out what all the other
lemmings (apology to the real rodents in question) are going to do, and
doing it faster or in the other direction.

So the algorithms are just being thoughtlessly greedy faster and with more
resources at their command. (Once again, a computer can make a mistake in
microseconds that would take humans working with paper and pencil several
minutes to make).


Re: New Zealand courts banned ...; Google just emailed it out. (RISKS-30.97)

Dick Mills <dickandlibbymills@gmail.com>
Sun, 23 Dec 2018 15:37:05 -0500
I have two problems with that report.

   1. It is a disturbing trend when every local judge in every country
   issues orders that he expects to be enforced globally.  By what authority
   do they claim that power? Can a Russian judge order silence about hacking
   elections?

   2. Google is not an originator of news.  In all likelihood, the name of
   the accused was being discussed openly in NZ sources, and was indeed
   "trending" as Google said.   Only American firms are accused of evil
   behavior, while home-grown companies, forums, and news sources get a free
   pass.

I expect that we'll see the day when The Guardian UK editorializes about
how evil Google is for indexing an article from The Guardian web site.


Re: Rudy Giuliani Says Twitter Sabotaged His Tweet (Shapir, 30.96)

Amos Shapir <amos083@gmail.com>
Sat, 22 Dec 2018 11:10:45 +0200
Thanks for this, and many other answers I have received, but they all refer
to *outgoing* mail; my question was how to stop Google from inserting links
into *incoming* mail, over whose contents and format I have no control.


Re: Risks of `Reply All' and failing to BCC (Shapir, RISKS-30.97)

Paul Robinson <paul@paul-robinson.us>
Wed, 26 Dec 2018 22:11:56 +0000 (UTC)
I've seen it myself. I was on the mailing list for potential suppliers to
the Washington Metropolitan Area Transit Authority (the Washington, DC bus
and rail transit provider) a few years ago when they sent out a notice of an
upcoming request for bid to me and the other 1645 subscribers to that
mailing list, because whoever sent it out put all 1646 names in the "To:"
field. The message header ran for 75 screens; the message was one screen,
about 10-15 lines.
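The disclosure described in the message above (every subscriber's address visible to every other subscriber, and a "Reply All" target list to match) is easy to reproduce and easy to avoid. The following is an added example, not code from the post or from WMATA: it builds the notice both ways with Python's standard email package, mirrors what smtplib.send_message() does with the Bcc field before transmission, and counts what a recipient can read back out of the delivered headers. The sender address and the 1646-entry subscriber list are constructed stand-ins; nothing is sent.

```python
"""Recipient disclosure in mass mail: all names in 'To:' versus Bcc.

Added example, not code from the RISKS post. The sender and the
subscriber list are constructed stand-ins; nothing is sent.
"""
import copy
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses

SENDER = "procurement@example.org"          # constructed sender address
# Constructed list standing in for the 1646 subscribers in the post.
SUBSCRIBERS = [f"vendor{i:04d}@example.net" for i in range(1646)]


def _base_notice():
    msg = EmailMessage(policy=policy.default)
    msg["From"] = SENDER
    msg["Subject"] = "Notice of upcoming request for bid"
    msg.set_content("A request for bid will be issued next month.")
    return msg


def leaky_notice(recipients):
    """The pattern in the post: every subscriber listed in 'To:', so each
    recipient receives the whole list."""
    msg = _base_notice()
    msg["To"] = ", ".join(recipients)
    return msg


def safe_notice(recipients):
    """Hardened form: 'To:' carries only the sender (or a list address);
    subscribers go in Bcc, which is dropped before transmission."""
    msg = _base_notice()
    msg["To"] = SENDER
    msg["Bcc"] = ", ".join(recipients)
    return msg


def envelope_recipients(msg):
    """Who the MTA will deliver to: To, Cc and Bcc together, the same
    fields smtplib.send_message() uses to build the SMTP envelope."""
    fields = [f for f in (msg["To"], msg["Cc"], msg["Bcc"]) if f is not None]
    return [addr for _name, addr in getaddresses([str(f) for f in fields])]


def wire_bytes(msg):
    """The bytes every recipient actually receives. smtplib.send_message()
    deletes Bcc and Resent-Bcc from a shallow copy before DATA; mirrored
    here (with CRLF line endings) so the example runs offline."""
    wire = copy.copy(msg)
    del wire["Bcc"]
    del wire["Resent-Bcc"]
    return wire.as_bytes(policy=policy.SMTP)


def disclosed_addresses(data):
    """Addresses a recipient can read from the delivered headers, i.e. the
    set a 'Reply All' would go to."""
    parsed = BytesParser(policy=policy.default).parsebytes(data)
    fields = parsed.get_all("To", []) + parsed.get_all("Cc", [])
    return sorted({addr for _name, addr in getaddresses([str(f) for f in fields])})


def header_lines(data):
    """Number of header lines on the wire (the '75 screens' in the post)."""
    head, _sep, _body = data.partition(b"\r\n\r\n")
    return head.count(b"\r\n") + 1


if __name__ == "__main__":
    for label, build in (("leaky", leaky_notice), ("safe", safe_notice)):
        msg = build(SUBSCRIBERS)
        data = wire_bytes(msg)
        print(f"{label}: delivers to {len(envelope_recipients(msg))}, "
              f"discloses {len(disclosed_addresses(data))}, "
              f"{header_lines(data)} header lines")
```

Both versions deliver to all 1646 subscribers, but only the Bcc version keeps the list out of the delivered headers; the check in disclosed_addresses() is the one to run against an outgoing bulk message before it leaves, since a mail client that copies Bcc into the transmitted headers (or a sender who pastes the list into To: or Cc:) produces exactly the 75-screen header described above.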


Re: She'd just had a stillborn child. Tech companies wouldn't let her forget it (RISKS-30.97)

Amos Shapir <amos083@gmail.com>
Sat, 22 Dec 2018 11:15:20 +0200
This reminds me of the story (urban legend?) about a search site's
algorithm which noticed that some people who had searched for a certain
cancer medicine, also searched later for funeral homes and tombstones...
