The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 31 Issue 32

Friday 5 July 2019

Contents

FDA recalls insulin pumps because of wireless vulnerability
Paul Burke
FAA Flags New Computer Issue In 737 MAX Testing
PGN
In the Census Case, a Rebuke to Bad-Faith Government
PGN
U.S. Census at risk from glitches and attackers - Chris Hamby
PGN
Could 'fake text' be the next global political threat?
Dewayne Hendricks
Someone Is Spamming and Breaking a Core Component of PGP's Ecosystem
Monty Solomon
7-Eleven Japanese customers lose $500,000 due to mobile app flaw
Gene Wirchenko
Google Maps detour traps drivers in mud
Monty Solomon
"How Hackers Turn Microsoft Excel's Own Features Against It"
PGN
Microsoft Kills Automatic Registry Backups in Windows 10
Gabe Goldberg
Cloudflare stutters and the Internet stumbles - ZDNet
Gabe Goldberg
Superhuman is Spying on You
Gabe Goldberg
Attention Correction Feature in iOS 13 Beta Enables Appearance of Eye Contact During FaceTime Calls
Gabe Goldberg
China Is Forcing Tourists to Install Text-Stealing Malware at its Border
Gabe Goldberg
Line just went Orwellian on Japanese users with its social credit scoring system
Geoff Goodfellow
These are the sneaky new ways that Android apps track you
Gabe Goldberg
Re: Autonomous vehicles don't need provisions and protocols (RISKS-31.21-30)
Chris Drewe
Mobius: A Memoir - Richard Thieme
PGN
Info on RISKS (comp.risks)

FDA recalls insulin pumps because of wireless vulnerability

Paul Burke <box1320@gmail.com>
Fri, 5 Jul 2019 14:25:04 -0700
https://www.fda.gov/news-events/press-announcements/fda-warns-patients-and-health-care-providers-about-potential-cybersecurity-concerns-certain

I wish more products were recalled for cybersecurity vulnerabilities.

"The potential risks are related to the wireless communication between
Medtronic's MiniMed insulin pumps and other devices such as blood glucose
meters, continuous glucose monitoring systems, the remote controller and
CareLink USB device used with these pumps. The FDA is concerned that, due to
cybersecurity vulnerabilities identified in the device, someone other than a
patient, caregiver or health care provider could potentially connect
wirelessly to a nearby MiniMed insulin pump and change the pump's settings.
This could allow a person to over deliver insulin to a patient, leading to
low blood sugar (hypoglycemia), or to stop insulin delivery, leading to high
blood sugar and diabetic ketoacidosis (a buildup of acids in the blood)...

"Medtronic is unable to adequately update the MiniMed 508 and Paradigm
insulin pumps with any software or patch to address the devices'
vulnerabilities...

"The FDA, an agency within the U.S. Department of Health and Human Services,
protects the public health by assuring the safety, effectiveness, and
security of... medical devices. The agency also is responsible for the
safety and security of our nation's food supply, cosmetics, dietary
supplements, products that give off electronic radiation"

  [Gabe Goldberg noted Hackable Insulin Pumps
https://securityboulevard.com/2019/07/more-medtronic-hack-malarkey-this-time-its-insulin-pumps/
  PGN]


FAA Flags New Computer Issue In 737 MAX Testing

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 27 Jun 2019 8:10:54 PDT
Sean Broderick, *Aviation Week*, 26 Jun 2019

https://aviationweek.com/penton_ur/nojs/user/register?path=node/1963138&nid=1963138&source=email
  See also https://www.bbc.com/news/business-48752932


In the Census Case, a Rebuke to Bad-Faith Government

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 27 Jun 2019 11:22:19 PDT
https://www.nytimes.com/2019/06/27/opinion/census-question-supreme-court.html

*The New York Times*, Editorial Board, 27 Jun 2019

The Supreme Court noted a disconnect between the Trump administration's
stated reason for including a citizenship question on the census form and
the actual rationale for doing so.

In a win for good government, the Supreme Court on Thursday refused to give
its full imprimatur to the Trump administration's irresponsible decision to
add a citizenship question to the 2020 census form.  [...]


U.S. Census at risk from glitches and attackers (Chris Hamby)

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 5 Jul 2019 14:27:46 PDT
Chris Hamby, *The New York Times*, 5 Jul 2019 [PGN-ed]
https://www.nytimes.com/2019/07/03/us/2020-census-digital.html

The Census Bureau had turned to Amazon Web Services for computing power
and digital storage, but discovered that access credentials had been "lost"
-- potentially allowing completely uncontrolled access.  That vulnerability
has now purportedly been fixed, but risks seem to remain.

“If you wanted to provoke fears among the population as to how the census
data could be used, the American population is fertile ground right now for
conspiracy theories and manipulation.''  Nathaniel Persily, Stanford Law
School professor.


Could 'fake text' be the next global political threat? (Oscar Schwartz)

Dewayne Hendricks <dewayne@warpspeed.com>
July 6, 2019 5:12:33 JST
  [via Dave Farber] 4 Jul 2019

An AI fake text generator that can write paragraphs in a style based on just
a sentence has raised concerns about its potential to spread false
information

https://www.theguardian.com/technology/2019/jul/04/ai-fake-text-gpt-2-concerns-false-information

Earlier this month, an unexceptional thread appeared on Reddit announcing
that there is a new way “to cook egg white[s] without a frying pan.''  As so
often happens on this website, which calls itself “the front page of the
internet'', this seemingly banal comment inspired a slew of responses.
“I've never heard of people frying eggs without a frying pan,'' one
incredulous Redditor replied.  “I'm gonna try this,'' added another. One
particularly enthusiastic commenter even offered to look up the scientific
literature on the history of cooking egg whites without a frying pan.

Every day, millions of these unremarkable conversations unfold on Reddit,
spanning from cooking techniques to geopolitics in the Western Sahara to
birds with arms. But what made this conversation about egg whites noteworthy
is that it was not taking place among people, but artificial intelligence
(AI) bots.

The egg whites thread is just one in a growing archive of conversations on a
subreddit—a Reddit forum dedicated to a specific topic—that is made up
entirely of bots trained to emulate the style of human Reddit contributors.
This simulated forum was created by a Reddit user called disumbrationist
using a tool called GPT-2, a machine learning language generator that was
unveiled in February by OpenAI, one of the world's leading AI labs.

Jack Clark, policy director at OpenAI, told me that chief among these
concerns is how the tool might be used to spread false or misleading
information at scale. In a recent testimony given at a House intelligence
committee hearing about the threat of AI-generated fake media, Clark said he
foresees fake text being used “for the production of [literal] `fake news',
or to potentially impersonate people who had produced a lot of text online,
or simply to generate troll-grade propaganda for social networks''.

GPT-2 is an example of a technique called language modeling, which involves
training an algorithm to predict the next most likely word in a
sentence. While previous language models have struggled to generate coherent
longform text, the combination of more raw data—GPT-2 was trained on 8m
online articles—and better algorithms has made this model the most robust
yet.

It essentially works like Google auto-complete or predictive text for
messaging. But instead of simply offering one-word suggestions, if you prompt
GPT-2 with a sentence, it can generate entire paragraphs of language in that
style. For example, if you feed the system a line from Shakespeare, it
generates a Shakespeare-like response. If you prompt it with a news headline,
it will generate text that almost looks like a news article.

Alec Radford, a researcher at OpenAI, told me that he also sees the success
of GPT-2 as a step towards more fluent communication between humans and
machines in general. He says the intended purpose of the system is to give
computers greater mastery of natural language, which may improve tasks like
speech recognition, which is used by the likes of Siri and Alexa to
understand your commands; and machine translation, which is used to power
Google Translate.

But as GPT-2 spreads online and is appropriated by more people like
disumbrationist—amateur makers who are using the tool to create
everything from Reddit threads, to short stories and poems, to restaurant
reviews—the team at OpenAI are also grappling with how their powerful
tool might flood the internet with fake text, making it harder to know the
origins of anything we read online.

Clark and the team at OpenAI take this threat so seriously that when they
unveiled GPT-2 in February this year, they released a blogpost alongside it
stating that they weren't releasing the full version of the tool due to
“concerns about malicious applications''. (They have since released a
larger version of the model, which is being used to create the fake Reddit
threads, poems and so on.)


Someone Is Spamming and Breaking a Core Component of PGP's Ecosystem

Monty Solomon <monty@roscom.com>
Fri, 5 Jul 2019 12:10:38 -0400
A new wave of spamming attacks on a core component of PGP's ecosystem has highlighted a fundamental weakness in the whole ecosystem.

https://www.vice.com/en_us/article/8xzj45/someone-is-spamming-and-breaking-a-core-component-of-pgps-ecosystem


7-Eleven Japanese customers lose $500,000 due to mobile app flaw

Gene Wirchenko <gene@shaw.ca>
Fri, 05 Jul 2019 09:42:37 -0700
Catalin Cimpanu for Zero Day (Jul 4 2019)

https://www.zdnet.com/article/7-eleven-japanese-customers-lose-500000-due-to-mobile-app-flaw/

Hackers exploit 7-Eleven's poorly designed password reset function to make
unwanted charges on 900 customers' accounts (and the equivalent of $.5M)
after hackers hijacked their 7pay app accounts and made illegal charges in
their names.

The incident was caused by an appalling security lapse in the design of the
company's 7pay mobile payment app, which 7-Eleven Japan launched in the
country on Monday, July 1.

However, in a mind-boggling turn of events, the app contained a password
reset function that was incredibly poorly designed. It allowed anyone to
request a password reset for other people's accounts, but have the password
reset link sent to their email address, instead of the legitimate account
owner.

A hacker only needed to know a 7pay user's email address, date of birth, and
phone number. An additional field in the password reset section allowed the
hacker to request that the password reset link be sent to a third-party
email address (under the hacker's control), with no need to dig through the
app's code or tamper with HTTP requests, like most of these hacks involve.

Furthermore, if the user didn't enter their date of birth, the app would use
a default of January 1, 2019, making some attacks even easier, according to
a report in Yahoo Japan.


Google Maps detour traps drivers in mud

Monty Solomon <monty@roscom.com>
Wed, 26 Jun 2019 21:12:37 -0400
Denver drivers followed Google's detour down a dirt road

A crash on the main road to Denver's airport led to hour-long delays this
week.  When Google Maps offered a quick detour, nearly a hundred drivers
were led into trouble.

https://www.bbc.com/news/av/world-us-canada-48779516/denver-drivers-followed-google-s-detour-down-a-dirt-road


"How Hackers Turn Microsoft Excel's Own Features Against It"

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 28 Jun 2019 9:28:34 PDT
Lily Hay Newman, WiReD, 27 Jun 2019 via ACM TechNews; Friday, June 28, 2019

Researchers at threat intelligence company Mimecast have found that a
feature in Microsoft's Excel spreadsheet program can be exploited to
orchestrate Office 365 system hacks. Excel's Power Query permits the
combination of data from various sources via a spreadsheet, which can be
manipulated to connect to a malicious Webpage hosting malware. Said
Mimecast's Meni Farjon, "The exploit will work in all the versions of Excel
as well as new versions, and will probably work across all operating
systems, programming languages, and sub-versions, because it's based on a
legitimate feature." Farjon thinks a Power Query connection to a malicious
site could enable attacks similar to a Dynamic Data Exchange
exploit. Meanwhile, Microsoft's security intelligence warns of another Excel
hack, which uses malicious macros to compromise Windows systems, even with
the newest security updates.
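Because the attack rides on a legitimate feature, signature-based detection of a payload will not help; what a mail gateway or endpoint scanner can do is flag workbooks that declare an external data source before they reach a user. The script below is an added example, not Mimecast's or Microsoft's code. It assumes two things about the .xlsx package layout: legacy external connections live in xl/connections.xml (a <webPr url="..."> child marks a web query, and refreshOnLoad="1" means it fires when the file is opened), and Power Query definitions are stored in customXml parts as a <DataMashup> element. The sample workbook is a constructed minimal zip with just those parts, not a real Office file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
MASHUP_NS = "http://schemas.microsoft.com/DataMashup"   # assumed Power Query namespace


def find_external_connections(xlsx_bytes):
    """Return a list of findings describing external-data hooks in an .xlsx package.

    Checks:
      - xl/connections.xml: each <connection>; a <webPr url=...> child is a web
        query that fetches that URL on refresh, refreshOnLoad="1" on open
      - customXml/*.xml: a part containing a DataMashup element holds a Power
        Query definition, which can reach any source the query names on refresh
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        names = zf.namelist()
        if "xl/connections.xml" in names:
            root = ET.fromstring(zf.read("xl/connections.xml"))
            for conn in root.iter(f"{{{NS_MAIN}}}connection"):
                name = conn.get("name", "?")
                on_open = " (refreshes on open)" if conn.get("refreshOnLoad") == "1" else ""
                web = conn.find(f"{{{NS_MAIN}}}webPr")
                if web is not None:
                    findings.append(f"web query '{name}' -> {web.get('url')}{on_open}")
                else:
                    findings.append(f"external connection '{name}' type={conn.get('type')}{on_open}")
        for part in names:
            if part.startswith("customXml/") and part.endswith(".xml"):
                if b"DataMashup" in zf.read(part):
                    findings.append(f"Power Query mashup present in {part}")
    return findings


def build_sample_workbook():
    """Constructed minimal package with the parts the scanner looks at.
    It is not a valid Office document; it exists only to exercise the checks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", f'<workbook xmlns="{NS_MAIN}"/>')
        zf.writestr(
            "xl/connections.xml",
            f'<connections xmlns="{NS_MAIN}">'
            '<connection id="1" name="Query1" type="4" refreshOnLoad="1">'
            '<webPr url="http://example.invalid/payload"/></connection>'
            "</connections>",
        )
        zf.writestr(
            "customXml/item1.xml",
            f'<DataMashup xmlns="{MASHUP_NS}">AAAAAA==</DataMashup>',
        )
    return buf.getvalue()


def build_clean_workbook():
    """Constructed package with no external-data parts (the control case)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", f'<workbook xmlns="{NS_MAIN}"/>')
    return buf.getvalue()


if __name__ == "__main__":
    for line in find_external_connections(build_sample_workbook()):
        print("FLAG:", line)
    print("clean workbook findings:", find_external_connections(build_clean_workbook()))
```

A workbook that legitimately pulls from an internal database will also be flagged, so in practice the finding is a trigger for quarantine and review (or for stripping the connection parts) rather than a verdict; the point is that the decision is made before Excel ever offers to refresh the query.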


Microsoft Kills Automatic Registry Backups in Windows 10

Gabe Goldberg <gabe@gabegold.com>
Thu, 4 Jul 2019 13:22:44 -0400
https://www.forbes.com/sites/gordonkelly/2019/06/29/microsoft-windows-10-upgrade-registry-warning-upgrade-windows/#6f92a9b971ef

https://www.extremetech.com/computing/294290-microsoft-kills-automatic-registry-backups-in-windows-10


Cloudflare stutters and the Internet stumbles (ZDNet)

Gabe Goldberg <gabe@gabegold.com>
Thu, 4 Jul 2019 00:14:16 -0400
An internal Cloudflare problem caused websites to fall bringing some parts
of the internet to a crawl. ...

How could this simple mistake cause so many problems? Cloudflare operates an
extremely popular content delivery network (CDN). When it works right, its
services protect website owners from peak loads, comment spam attacks, and
Distributed Denial of Service (DDoS) attacks.  When it doesn't work right,
well, we get problems like this one.

https://www.zdnet.com/article/cloudflare-stutters-and-the-internet-stumbles/


Superhuman is Spying on You

Gabe Goldberg <gabe@gabegold.com>
Wed, 3 Jul 2019 12:58:21 -0400
Over the past 25 years, email has weaved itself into the daily fabric of
life. Our inboxes contain everything from very personal letters, to work
correspondence, to unsolicited inbound sales pitches. In many ways, they are
an extension of our homes: private places where we are free to deal with
what life throws at us in whatever way we see fit. Have an inbox zero
policy? That's up to you. Let your inbox build into the thousands and only
deal with what you can stay on top of?  That's your business too.

It is disappointing then that one of the most hyped new email clients,
Superhuman, has decided to embed hidden tracking pixels inside of the emails
its customers send out. Superhuman calls this feature Read Receipts [...]
consent of its recipients, so you have most likely been conditioned to
believe it's a simple [text garbled]

https://mikeindustries.com/blog/archive/2019/06/superhuman-is-spying-on-you

  ...FAR too long for the simple point: it's secretly monitoring recipients'
  behavior/locations.
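A tracking pixel is just a remote image whose URL is unique to the message or recipient; when the mail client fetches it, the sender's server learns the time, the client's IP address (hence an approximate location) and user agent. The checker below is an added example, not code from the blog post or from Superhuman: it parses an HTML message body and flags remote images that are rendered invisibly. The sample message is constructed for the example, and the "unique" heuristic (a query string or a long opaque path) is an assumption about how such beacons are usually built.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ImageCollector(HTMLParser):
    """Collects the attribute dict of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})

    # <img ... /> is reported through handle_startendtag by html.parser
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def _tiny(value):
    """True for width/height attributes of 0 or 1 (with or without 'px')."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return v in ("0", "1")


def find_tracking_pixels(html):
    """Return a list of suspected beacons: remote images that are not visible.

    Inline images (data:) and attachments referenced by cid: cannot contact a
    server, so only http(s) sources are considered.  An image counts as hidden
    when both dimensions are 0/1 or its style hides it.
    """
    collector = _ImageCollector()
    collector.feed(html)
    hits = []
    for img in collector.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue
        style = img.get("style", "").replace(" ", "").lower()
        hidden = (
            (_tiny(img.get("width", "")) and _tiny(img.get("height", "")))
            or "display:none" in style
            or "visibility:hidden" in style
            or ("width:1px" in style and "height:1px" in style)
        )
        if hidden:
            hits.append({
                "host": url.netloc,
                "src": src,
                # assumption: per-message identifiers show up as a query string
                # or a long opaque path segment
                "unique": bool(url.query) or len(url.path) > 32,
            })
    return hits


# Constructed sample message: a visible logo, an attached image, and one beacon.
SAMPLE_EMAIL = """
<html><body>
<img src="https://mail.example.invalid/logo.png" width="200" height="50" alt="logo">
<p>Hi Alice, following up on our call.</p>
<img src="cid:signature-image-001" width="1" height="1">
<img src="https://track.example.invalid/o/9f8e7d6c5b4a3210?r=alice%40example.invalid"
     width="1" height="1" style="display:none">
</body></html>
"""


if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_EMAIL):
        print("beacon:", hit["host"], "unique" if hit["unique"] else "", hit["src"])
```

The defensive setting that makes this moot is the client-side one: do not load remote images by default, or proxy them through a fetcher that strips the client's address, which is why a scanner like this is most useful for auditing what senders are doing rather than as the protection itself.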


Attention Correction Feature in iOS 13 Beta Enables Appearance of Eye Contact During FaceTime Calls (MacRumors)

Gabe Goldberg <gabe@gabegold.com>
Wed, 3 Jul 2019 16:31:39 -0400
A new feature in the latest iOS 13 beta makes users appear as if they're
looking directly at the camera to make eye contact during FaceTime calls,
when actually they're looking away from the camera at the image of the other
person on their screen.

https://www.macrumors.com/2019/07/03/ios-13-beta-has-facetime-attention-correction/

...what else can this "feature" do?


China Is Forcing Tourists to Install Text-Stealing Malware at its Border (Vice)

Gabe Goldberg <gabe@gabegold.com>
Wed, 3 Jul 2019 16:36:19 -0400
The malware downloads a tourist's text messages, calendar entries, and phone
logs, as well as scans the device for over 70,000 different files.

https://www.vice.com/amp/en_us/article/7xgame/at-chinese-border-tourists-forced-to-install-a-text-stealing-piece-of-malware


Line just went Orwellian on Japanese users with its social credit scoring system

the keyboard of geoff goodfellow <geoff@iconia.com>
Thu, 27 Jun 2019 08:30:08 -1000
EXCERPT:

It appears other countries besides China are heading toward a bleak
dystopian future where a human being is scored by their online activities.
Only this time, it's a tech company and not a government implementing the
social credit score. While not as bleak as China's social credit system,
today Line, Japan's dominant social media company, introduced a slew of new
products—the most alarming among them, Line Score, reports the *Verge*
https://www.theverge.com/2019/6/27/18760928/line-conference-2019-score-sticker-vision-mini-app-tokyo?utm_campaign=theverge&utm_content=chorus&utm_medium=social&utm_source=twitter

Line Score will use AI to give a social credit score to Line users. The
strength of their social credit score will allow them to get access to
better special deals and offers that Line users with lower social credit
scores will not have access to.

While the new product is unnerving, it's not completely out of character for
Line. Recently the company has been positioning itself as a fintech
provider, and its Line Pay digital wallet system is wildly popular in
Japan. Line Pay also allows users to shop for insurance and allows them to
invest in personal portfolios. Line Score builds on top of Line Pay by
offering those with higher scores better perks.

However, before George Orwell rolls over in his grave, it's important to
note that Line stresses Line Score is opt-in only and that the company will
never share a user's Line Score with third parties without the user's
permission and it will not read a user's online chats to determine their
Line Score. Still, it's unnerving that tech companies seem to think that
social credit ratings are the next big thing for now. Hopefully, this is a
trend that will not catch on.

https://www.fastcompany.com/90370203/line-just-went-orwellian-on-japanese-users-with-its-social-credit-scoring-system


These are the sneaky new ways that Android apps track you

Gabe Goldberg <gabe@gabegold.com>
Thu, 4 Jul 2019 00:12:40 -0400
Google's operating system manages access to your personal information.  But
what happens when apps refuse to play by the rules?

https://www.fastcompany.com/90372033/these-are-the-sneaky-new-ways-that-android-apps-are-tracking-you


Re: Autonomous vehicles don't need provisions and protocols (RISKS-31.21-30).

Chris Drewe <e767pmk@yahoo.co.uk>
Thu, 27 Jun 2019 22:02:39 +0100
Not sure if this is relevant here, but one example which comes to mind is
just around the corner from my house.  There's a crossroads where a main
road and residential street meet.  At each side of the junction, the main
road is divided into three lanes: left-hand lane (this is in drive-on-left
Britain) is for turning left or driving straight on, with traffic lights on
the left-hand side of the road; middle lane is for turning right, with a
traffic light on the right-hand side of the road; and the right-hand lane is
for traffic coming in the opposite direction.

Drivers unfamiliar with the area are occasionally confused by separate
traffic lights on each side of the road, so presumably autonomous vehicles
may also have the same problem unless they can distinguish the small green
arrows indicating the permitted direction.  A possible additional
complication is the red and green pushbutton-controlled lights for
pedestrians and cyclists mounted on the traffic light posts at shoulder
height.

Personally I feel that the simplest solution would be to have some sort of
radio/wi-fi signal for autonomous vehicles (and maybe to conventional
vehicles with driver-information systems) giving them an unambiguous warning
of the traffic light indication ("OK for northbound-to-westbound turns, stop
otherwise") rather than expecting them to figure out visual signs intended
only for humans, but then that would mean special provision for them..?


Mobius: A Memoir (Richard Thieme)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 3 Jul 2019 9:40:55 PDT
  [Richard Thieme, a long-time friend, invites interested parties to review
  small pieces of his novel in progress as it comes off the line, offering
  suggestions. He's been around this `space' for a long time, not as long as
  I have, but at least a quarter century.  I believe he has friends who may
  have worked in hidden places, but I don't believe he actually did.  On the
  other hand, creative fiction sometimes bears a remarkable resemblance to
  reality.  If you are interested, e-mail him at rthieme@thiemeworks.com, or
  check him out at www.thiemeworks.com.  PGN]

Mobius: A Memoir
by
Richard Thieme
A Note from the Author

All CIA officers, as a condition of employment, sign the standard CIA
secrecy agreement when entering on duty.  This agreement requires submission
of all written and spoken material to the Publications Review Board for
approval. The absence of such submission in this instance indicates clearly
that while some of the allusions in this memoir are to that agency, some are
to other agencies, and some are to fictional agencies. That mashup is
intentional. The account has been fictionalized to (1) avoid publication
review which can drag on for years and (2) protect identities, sources and
methods. This memoir is accordingly like a reflection in a fun-house mirror:
recognizable but distorted, unlike agency-redacted materials which are
distorted but unrecognizable.

That said, the following holds true:

While the author told the least untruthful things he could say about his
work, this memoir is a work of fiction. Names of characters, places, and
incidents are either the product of the author's imagination or are used
fictitiously. Any resemblance to actual persons, living or dead, or to
locales is entirely coincidental. In addition, the names of the author's
colleagues have been changed to protect their identities. In particular,
`Penny' does not refer to a specific person but is a conflation of a number
of relationships the author had over several decades. That accounts for
seeming contradictions and omissions.

The author is grateful to all of his colleagues who contributed to this
memoir. He must single out `Jamison' who willingly provided details of how
he was taught to torture prisoners and to one physician in particular,
referred to as `Brooks', who acknowledged that his monitoring of torture,
learning from same, and bringing those hard-won lessons to the next session,
might in fact constitute violations of international law dating back to
Nuremberg and account for our withdrawal from the proceedings of the
International Criminal Court lest the law be applied equally to all. Special
thanks to Fatou Bensouda (not his real name, because it can't be, right?)
for his insights in this matter.

The incidents in this memoir took place over half a century in two dozen
countries. The author's long-term memories are crisp despite his advanced
age.  His sleep continues to be disturbed by some of the reported incidents
and his `partner' frequently shakes him awake when he cries out during
nightmares.  (It is a false rumor that he has sixteen flashlights in
strategic locations in his home. He has only two and both are in bedside
drawers).

Richard Thieme
