The RISKS Digest
Volume 31 Issue 43

Wednesday, 25th September 2019

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents

Saudi Arabia oil output takes major hit after apparent drone attacks claimed by Yemen rebels
The WashPost
Exclusive: Russia carried out a 'stunning' breach of FBI communications system, escalating the spy game on U.S. soil
Cryptography
Google CEO Warns of Deepfakes Detection Challenges Ahead
Politico
125 New Flaws Found in Routers and NAS Devices from Popular Brands
TheHackerNews
How Hackers Could Break Into the Smart City
James Rundle
Chicago Man Fraudulently Accrued 42 Million Delta SkyBonus Points
The NYTimes
I create fake videos. Here's why people believe even the obvious ones
Fast Company
'I am awesome': How a millennial built a fentanyl empire
WashPost
There Is No Tech Backlash; Worse, we think there is one.
Rob Walker
Your Car. Your Data.
via Gabe Goldberg
When `collect all the data' misses the important data
Arthur T.
Get popcorn for iOS 13's privacy pop-ups of creepy Facebook data grabs
TechCrunch
The children of Donor H898
WashPost
The man-made 'stars' changing the night sky
bbc.com
What Really Brought Down the Boeing 737 Max?
The NYTimes
You watch TV. Your TV watches back.
The Washington Post
Single drivers are taking over Massachusetts carpool lanes
The Boston Globe
False emergency alarms set off in Hawaii, again.
NBC News
Global Preparedness Monitoring Board
Fortune
Instigator of fatal Kansas swatting receives prison sentence
Ars Technica
IoT Security: Now Dark Web Hackers are Targeting Internet-Connected Gas Pumps
Danny Palmer
'Security' Cameras Are Dry Powder for Hackers. Here's Why
Fortune
The iOS 13 Privacy and Security Features You Should Know
WiReD
Two years later, hackers are still breaching local government payment portals
Catalin Cimpanu
Man allegedly used drone to pelt ex-girlfriend's home with bombs
Charlie Osborne
Apple Watch helps save motorcyclist's life
Adrian Kingsley-Hughes
Good Quote from 'The Handmaid's Tale' Author
Chris Drewe
Stanislav Petrov, `The Man Who Saved The World', Dies At 77
NPR
Too Many VPNs Put Our Privacy And Security At Risk
Forbes
Two articles by Bruce Schneier on supply-chain security threats
PGN
Re: Alabama is penalizing students for leaving football games early
Arthur T.
Re: Why a cup of coffee forced a plane to make an unplanned landing
Mark Brader
Info on RISKS (comp.risks)

Saudi Arabia oil output takes major hit after apparent drone attacks claimed by Yemen rebels (The WashPost)

Monty Solomon <monty@roscom.com>
Sat, 14 Sep 2019 22:19:24 -0400
https://www.washingtonpost.com/world/drone-attacks-on-saudi-oil-facilities-spark-explosions-and-fires/2019/09/14/b6fab6d0-d6b9-11e9-ab26-e6dbebac45d3_story.html


Exclusive: Russia carried out a 'stunning' breach of FBI communications system, escalating the spy game on U.S. soil (Cryptography)

Jerry Leichter <leichter@lrw.com>
Mon, 16 Sep 2019 14:31:37 -0400
  From the Cryptography Mailing List <cryptography@metzdowd.com>

Too long to try to summarize.  It looks as if the Russians, starting in
roughly 2010, managed to crack the encryption used on FBI tactical radios.
“A former senior counterintelligence official blamed the compromises on a
`hodgepodge of systems' ineffective beyond the line of sight. The
infrastructure that was supposed to be built, they never followed up, or
gave us the money for it. The intelligence community has never gotten an
integrated system.”

https://news.yahoo.com/exclusive-russia-carried-out-a-stunning-breach-of-fbi-communications-system-escalating-the-spy-game-on-us-soil-090024212.html


Google CEO Warns of Deepfakes Detection Challenges Ahead (Politico)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 18 Sep 2019 10:11:16 PDT
Google CEO Sundar Pichai warned on Tuesday that "detecting deepfakes is one
of the most important challenges ahead of us," and announced the search
giant had released a massive trove of such videos. The goal: to use those
deepfakes as a dataset for researchers working on tools and techniques to
detect these AI-altered, doctored clips. (Earlier this year, Google also
released a dataset of synthetic speech
<https://www.blog.google/outreach-initiatives/google-news-initiative/advancing-research-fake-audio-detection/>
to help researchers working on detecting fake audio.) Google said in a blog
post that it has plans to add to the dataset—which is made up of both
real and fake videos produced through deepfake generation methods available
to the public—as the technology becomes more sophisticated. "We firmly
believe in supporting a thriving research community around mitigating
potential harms from misuses of synthetic media," the company said.

Researchers have warned that the volume and sophistication of deepfakes will
continue to climb as the 2020 election approaches, but some are wary that
government regulation of deepfakes would raise First Amendment concerns. "I
don't think [legislation's] a good way to go," Paul Barrett, deputy director
of NYU's Stern Center for Business and Human Rights and the researcher
behind a new report on 2020 disinformation, told your MT host. "The better
alternative is for the companies themselves to devise technology that can
flag potential deepfakes. ... It's incumbent on the companies to invest more
and work harder to make the kind of distinctions that need to be made."


125 New Flaws Found in Routers and NAS Devices from Popular Brands (TheHackerNews)

geoff goodfellow <geoff@iconia.com>
Tue, 17 Sep 2019 09:00:31 -1000
EXCERPT:

The world of connected consumer electronics, IoT, and smart devices
<https://thehackernews.com/2017/08/hacking-track-movements.html> is growing
faster than ever with tens of billions of connected devices streaming and
sharing data wirelessly over the Internet, but how secure is it?

As we connect everything from coffee maker to front-door locks and cars to
the Internet, we're creating more potential—and possibly more dangerous
-- ways for hackers to wreak havoc.

Believe me, there are over 100 ways a hacker can ruin your life just by
compromising your wireless router—a device that controls the traffic
between your local network and the Internet, threatening the security and
privacy of a wide range of wireless devices, from computers and phones to IP
Cameras, smart TVs and connected appliances.
<https://thehackernews.com/2018/10/ghostdns-botnet-router-hacking.html>

In its latest study titled SOHOpelessly Broken 2.0,
<https://www.securityevaluators.com/whitepaper/sohopelessly-broken-2/>
Independent Security Evaluators (ISE) discovered a total of 125 different
security vulnerabilities across 13 small office/home office (SOHO) routers
and Network Attached Storage
<https://thehackernews.com/2019/07/ransomware-nas-devices.html> (NAS)
devices, likely affecting millions.

“Today, we show that security controls put in place by device manufacturers
are insufficient against attacks carried out by remote adversaries. This
research project aimed to uncover and leverage new techniques to circumvent
these new security controls in embedded devices,” the researchers said.

List of Affected Router Vendors...

https://thehackernews.com/2019/09/hacking-soho-routers.html


How Hackers Could Break Into the Smart City (James Rundle)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 18 Sep 2019 9:29:35 PDT
James Rundle, *The Wall Street Journal*, 12 Sep 2019
via ACM TechNews, 18 Sep 2019

The more connected a smart city is, the greater its vulnerability to
cyberattack, with sensors collecting data from streetlights and buildings
one likely attack vector. Connections to smart grids and water-supply
systems also could be exploited and hijacked, as could connections to
autonomous vehicles. Suggested prevention and mediation strategies include
encrypting data being transmitted over smart city networks, and ensuring
everything is not on the same network. Portland, OR, keeps its sensors
separate from wider urban networks as much as possible; that city also
anonymizes its data and deletes collected video footage immediately after
analysis, under the aegis of the city's Smart City PDX program. Meanwhile,
officials in New York have established a testing laboratory for Internet of
Things devices, which has completed examinations of more than a dozen
devices for performance and vulnerabilities. Said Cesar Cerrudo, founder of
Securing Smart Cities, “If you don't cover security from the very
beginning, then it becomes very difficult to protect it.”


Chicago Man Fraudulently Accrued 42 Million Delta SkyBonus Points (The NYTimes)

Monty Solomon <monty@roscom.com>
Sat, 14 Sep 2019 23:05:38 -0400
https://www.nytimes.com/2019/09/13/travel/delta-skybonus-fraud.html

Gennady Podolsky used his position as a travel agent to cheat Delta Air Lines out of $1.75 million worth of loyalty points, according to an indictment.


I create fake videos. Here's why people believe even the obvious ones (Fast Company)

geoff goodfellow <geoff@iconia.com>
September 15, 2019 6:27:47 JST
People will accept anything as true if it confirms their beliefs --
regardless of whether a video or image has obviously been manipulated

EXCERPT:

Lots of people—including Congress—are worried about fake videos and
imagery distorting the truth, purporting to show people saying and doing
things they never said or did.

I'm part of a larger U.S. government project that is working on developing
ways to detect images and videos that have been manipulated. My team's work,
though, is to play the role of the bad guy. We develop increasingly devious,
and convincing, ways to generate fakes—in hopes of giving other
researchers a good challenge when they're testing their detection methods.

For the past three years, we've been having a bit of fun dreaming up new
ways to try to change the meaning of images and video. We've created some
scenarios ourselves, but we've also had plenty of inspiration from current
events and circumstances of actual bad guys trying to twist public opinion.

I'm proud of the work we've done, and hope it will help people keep track of
the truth in a media-flooded world. But we've found that a key element of
the battle between truth and propaganda has nothing to do with
technology. It has to do with how people are much more likely to accept
something if it confirms their beliefs.

FINDING, AND PUSHING, TECHNICAL BOUNDARIES

When we make our fakes, we start by collecting original, undoctored images
and videos. Those not only offer raw material for us to manipulate the
images but also include the data stored in authentic media files—sort of
like a technical fingerprint that accompanies every piece of media that
describes how and when it was taken, and with what tools...

https://www.fastcompany.com/90404007/i-create-fake-videos-heres-why-people-believe-even-the-obvious-ones


'I am awesome': How a millennial built a fentanyl empire (WashPost)

Monty Solomon <monty@roscom.com>
Sun, 15 Sep 2019 18:39:57 -0400
https://www.washingtonpost.com/national/health-science/the-fool-that-fentanyl-made-into-a-millionaire/2019/09/14/dcb696ec-d6f9-11e9-8924-1db7dac797fb_story.html


There Is No Tech Backlash; Worse, we think there is one. (Rob Walker)

Dewayne Hendricks <dewayne@warpspeed.com>
September 15, 2019 22:36:48 JST
Rob Walker, The NYTimes, 14 Sep 2019

https://www.nytimes.com/2019/09/14/opinion/tech-backlash.html

It's fun, and increasingly fashionable, to complain about technology. Our
own devices distract us, others' devices spy on us, social media companies
poison public discourse, new wired objects violate our privacy, and all of
this contributes to a general sense of runaway change careening beyond our
control. No wonder there's a tech backlash.

But, really, is there? There certainly has been talk of a backlash, for a
couple of years now. Politicians have discussed regulating big tech
companies more tightly. Fines have been issued, breakups called for. A tech
press once dedicated almost exclusively to gadget lust and organizing
conferences that trot out tech lords for the rest of us to worship has taken
on a more critical tone; a drumbeat of exposes reveal ethically and legally
dubious corporate behavior. Novels and movies paint a skeptical or even
dystopian picture of where tech is taking us. We all know people who have
theatrically quit this or that social media service, or announced digital
sabbaticals. And, of course, everybody kvetches, all the time.

However, there is the matter of our actual behavior in the real-world
marketplace. The evidence there suggests that, in fact, we love our devices
as much as ever. There is no tech backlash.

Consider Facebook: It's hard to imagine a more backlashable company.
Facebook is widely associated with data breaches, the spread of dubious
information and a basic deterioration of interpersonal communication. It was
recently fined nearly $5 billion by the Federal Trade Commission for
mishandling its customers' data. And, given its ubiquity, it's also a handy
stand-in for the corporatization of online life in general. If you're going
to make a show of quitting a tech service, Facebook may be your best choice.

But according to its most recent quarterly report, the number of Facebook
accounts used daily (1.59 billion) and monthly (2.4 billion) each increased
by 8 percent over the prior quarter. Despite all the anecdotes you've heard
about people deleting their accounts, the company's flagship app added about
a million new daily users in the United States alone. Revenue was up 28%.
Even factoring in the F.T.C. fine, Facebook recorded a profit of $2.6B.

Facebook is not the only demonized tech platform; social media companies in
general are routinely criticized as toxic swamps full of trolls, liars and
bots. But again, there's no evidence of any exodus. In the same
quarter, Twitter added five million new daily users, and Snap reported that
the daily user base of its flagship Snapchat app grew 7 percent, its
best-ever performance as a public company. According to the Pew Research
Center, 72 percent of Americans use some form of social media, a percentage
that has risen steadily for years and shows no sign of flagging. (The people
I know who quit Facebook all use Facebook-owned Instagram, WhatsApp, or
both.)

Habits die hard. But even more remarkable than our apparent reluctance to
ditch the technologies we love to dis is a fervent embrace of newer new
things that seem, at the very least, worth approaching with caution.

Take smart speakers — the kind that respond to vocal prompts and
questions — as an example. It's exactly the sort of
technology that gives people pause. Is this thing listening to me all the
time? What about these weird stories of smart speakers laughing or cursing,
or randomly recording a conversation and sending it to the owners'
contacts? The tech press has gotten better and better at chronicling the
latest troubling answers — for instance, people may in fact listen
to your voice activations as part of the process of refining the
device's functionality — and detailing what, if anything,
you can do about it.

Nevertheless: As of last year, a little more than a quarter of American
households owned a smart speaker, according to one estimate. The category
leader is the Amazon Echo, equipped with the Alexa voice-recognition
software; Amazon says it has sold more than 100 million Alexa devices.

Certain tech-use indicators have in fact leveled off in recent years, but
that's mostly because they correspond with categories that are already
thoroughly established and widespread: Around 95 percent of consumers in the
United States say they have or use a cellphone, and 89 percent have or use
the Internet, according to Pew. But dig a little deeper into that data, and
it turns out that *new connected devices continue to emerge* and we continue
to embrace them. In addition to voice assistants, smart TVs and wearable
devices are growing in popularity.

Perhaps most remarkable, if you think we're in the midst of tech backlash,
is the traction of the aggressively hyped smart-home trend, encouraging you
to link your locks and lights and other household infrastructure to the
Internet. Amazon (which intuitively ought to be suffering in a
tech-backlashed environment) recently announced that the record sales on its
most recent Prime Day promotion included “millions of smart home devices.”


Your Car. Your Data.

Gabe Goldberg <gabe@gabegold.com>
Mon, 16 Sep 2019 22:15:20 -0400
Your Car. Your Data. Your Choice. is an Auto Care Association education
initiative created to engage car owners, policymakers and other stakeholders
on car data -- what it is, why it matters, and its implications for consumer
choice.

https://yourcaryourdata.org/


When `collect all the data' misses the important data

"Arthur T." <Risks201909.10.atsjbt@xoxy.net>
Sat, 14 Sep 2019 21:51:01 -0400
Pennsylvania has recent infestations of an invasive insect species (the
spotted lanternfly). It has given a grant to a state university to track
sightings of them, and they're publicizing the tracking very aggressively.

But they won't accept a sighting report unless you first give them your name
and telephone number. There's no indication as to who will have access to
that data, which is especially concerning as it's a government-affiliated
university and possibly susceptible to FOIA requests.

That data would be a major boon for certain vendors and fund-raisers. Who is
paying attention to the environment?  Where do they travel and when? Etc.

So, by collecting data they don't need, they're missing the dozen or so
reports I would have made, and there are probably other non-reports by other
privacy-minded people.


Get popcorn for iOS 13's privacy pop-ups of creepy Facebook data grabs (TechCrunch)

Richard Forno <rforno@infowarrior.org>
September 17, 2019 0:22:22 JST
Privacy-minded changes to smartphone operating systems which foreground the
background activity of third party apps are helping to spotlight more of the
surveillance infrastructure deployed by adtech giants to track and profile
human eyeballs for profit.

To wit: iOS 13, which will be generally released later this week, has
already been spotted catching Facebook's app trying to use Bluetooth
to track nearby users.....

https://techcrunch.com/2019/09/16/get-popcorn-for-ios-13s-privacy-pop-ups-of-creepy-facebook-data-grabs/


The children of Donor H898 (WashPost)

Monty Solomon <monty@roscom.com>
Mon, 16 Sep 2019 21:04:45 -0400
At least a dozen children diagnosed with autism were conceived with
sperm from the same donor.

https://www.washingtonpost.com/health/the-children-of-donor-h898/2019/09/14/dcc191d8-86da-11e9-a491-25df61c78dc4_story.html


The man-made 'stars' changing the night sky (bbc.com)

Richard Stein <rmstein@ieee.org>
Thu, 19 Sep 2019 11:37:05 +0800
http://www.bbc.com/future/story/20190918-is-humanity-changing-the-night-sky-with-artificial-stars

There is already around 8,400 tonnes of debris and junk currently racing
around the Earth at speeds of up to 18,000mph (28,800km/h). This hail of
debris can damage and even destroy satellites if they collide—in 2009, a
defunct Russian satellite smashed into a functioning US commercial
satellite, breaking both spacecraft into at least 2,000 pieces, dramatically
increasing the amount of debris in orbit in the process.

“Nasa currently tracks thousands of pieces of debris down to the size of a
marble and regularly performs avoidance maneuvers to keep its satellites
safe. The International Space Station has also had to make several maneuvers
to avoid debris during its 20 years in orbit.”

With a deployed 'man-made space shield' of this magnitude already
operational, but not readily controllable, there's no need to build a
dedicated space force to defend the planet against extraterrestrial
invasion!


What Really Brought Down the Boeing 737 Max? (The NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Wed, 18 Sep 2019 23:58:13 -0400
https://www.nytimes.com/2019/09/18/magazine/boeing-737-max-crashes.html


You watch TV. Your TV watches back. (The Washington Post)

Gabe Goldberg <gabe@gabegold.com>
Thu, 19 Sep 2019 00:06:00 -0400
In our latest privacy experiment, we tracked how four of the most popular TV
brands record everything we watch.

https://www.washingtonpost.com/technology/2019/09/18/you-watch-tv-your-tv-watches-back/

I've had a *smart* TV for almost a year; it's not online and I watch cable
TV, DVDs, Roku (channels, Netflix, Amazon prime) just fine.

I ignore its occasional pleas to connect it to the outside world.


Single drivers are taking over Massachusetts carpool lanes (The Boston Globe)

Monty Solomon <monty@roscom.com>
Thu, 19 Sep 2019 08:07:12 -0400
https://www.bostonglobe.com/metro/2019/09/11/single-drivers-are-taking-over-mass-carpool-lanes/a32bKhXxoZNygjnPPjgKvO/story.html


False emergency alarms set off in Hawaii, again. (NBC News)

Monty Solomon <monty@roscom.com>
Thu, 19 Sep 2019 09:12:45 -0400
https://www.nbcnews.com/news/us-news/false-emergency-alarms-set-hawaii-again-n1056281


Global Preparedness Monitoring Board (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Thu, 19 Sep 2019 19:05:13 -0400
What does a worst case scenario look like in public health? If we went the
Hollywood route, you could envision all sorts of disasters. A lone patient
spreading a deadly bug via international travel; a contamination in the food
supply; heck, maybe just the emergence of a superbug resistant to existing
treatments (a potential $100 trillion risk
<https://click.newsletters.fortune.com/?qs=01edd9ca5e91c9d2cacdcadafa419ed0a96e80a0929024416654b57725ebd5101975ad65d20cb5f9b2631e012684a701c448d5f090da8e07>
by some accounts).

The thing is, any sort of pandemic could be catastrophic -- and the world
simply isn't prepared to deal with such an outbreak, according to a
first-of-its-kind report
<https://click.newsletters.fortune.com/?qs=04a8392c00f77920cdb333607274ba4cc389753f201ffb5a822ce09f3d46b8e9f458bab130eb0bab31838c7fec525c8775fa8fd2a5b83d64>
from the Global Preparedness Monitoring Board (GPMB). In fact, as many as 80
million people could die in an outbreak within 36 hours, the authors say, if
an airborne pathogen were to make its way around the globe.

The GPMB was convened by the World Health Organization (WHO) and the World
Bank to investigate these exact kinds of issues. And the initial prognosis
is grim (the report itself is frighteningly titled, `A World At Risk').

Here's just a snippet of what the group had to say: "The central finding of
the report is that the world needs to proactively establish the systems
needed to detect and control potential disease outbreaks. These acts of
preparedness are a global public good that must meaningfully engage
communities, from the local to the international, in preparedness,
detection, response and recovery."

The report outlines the many failures of international governments, from
lackluster public health systems to lapses in communication to a dearth of
drug and vaccine development, to prepare for a major pandemic. (The issue is
serious enough that the World Bank created the first-ever global insurance
market
<https://click.newsletters.fortune.com/?qs=116f9e6ffa6b24f0c4888644a1e6141dfd41b7deeee304c6c77370d904d6564557f54c276ee97bc36a76975bf4152c7e38097a3477c4428d>
for pandemics back in 2016.)

But GPMB also offers some practical solutions. "Investing in health
emergency preparedness will improve health outcomes, build community trust
and reduce poverty, thereby also contributing to efforts to achieve the
United Nations Sustainable Development Goals," the authors wrote.

/From the foreword by Co-Chairs H.E. Dr Gro Harlem Brundtland and Mr Elhadj
As Sy/: "For its first report, the Global Preparedness Monitoring Board
reviewed recommendations from previous high-level panels and commissions
following the 2009 H1N1 influenza pandemic and the 2014-2016 Ebola outbreak,
along with its own commissioned reports and other data.  The result is a
snapshot of where the world stands in its ability to prevent and contain a
global health threat. Many of the recommendations reviewed were poorly
implemented, or not implemented at all, and serious gaps persist. For too
long, we have allowed a cycle of panic and neglect when it comes to
pandemics: we ran.

http://apps.who.int/gpmb/annual_report.html

Plus: We Are All Pawns in a Mosquito's World

https://www.sierraclub.org/sierra/we-are-all-pawns-mosquitos-world


Instigator of fatal Kansas swatting receives prison sentence (Ars Technica)

Monty Solomon <monty@roscom.com>
Fri, 20 Sep 2019 11:14:12 -0400
https://arstechnica.com/tech-policy/2019/09/man-behind-deadly-kansas-swatting-sentenced-to-15-months-in-prison/


IoT Security: Now Dark Web Hackers are Targeting Internet-Connected Gas Pumps (Danny Palmer)

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 21 Sep 2019 2:20:36 PDT
Danny Palmer, ZDNet, 10 Sep 2019

Researchers at Trend Micro have found that cyber criminals are increasingly
focusing their attention on hacking Internet of Things (IoT) devices. While
routers remain the top target for IoT-based attacks, Internet-connected gas
pumps are becoming a focal point as well. The researchers came to this
conclusion after examining Dark Web marketplaces in five different
languages: Russian, Portuguese, English, Arabic, and Spanish. They found the
Russian market is the most sophisticated of the underground communities,
with cyber criminals there ready to make money from attacks and exploits.
Trend Micro's Bharat Mistry said operators of Internet-connected gas pumps
and similar devices should have their default passwords changed, and
“should also think about using features such as VPNs to encrypt the
traffic, and mutual authentication, whereby both the device and the user
validate one another before continuing.”
https://orange.hosting.lsoft.com/trk/click?ref=3Dznwrbbrs9_6-219dax21dd15x069949&


'Security' Cameras Are Dry Powder for Hackers. Here's Why (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Sat, 21 Sep 2019 19:50:05 -0400
https://fortune.com/2019/09/19/security-cameras-are-dry-powder-for-hackers-heres-why/


The iOS 13 Privacy and Security Features You Should Know (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sun, 22 Sep 2019 23:38:29 -0400
Your iPhone just got a major security upgrade. Here are all the ins and
outs.

If you own a relatively new iPhone
<https://www.wired.com/review/apple-iphone-11/>, this week you should have
received a notification that the latest iOS 13 update
<https://www.wired.com/story/apple-ios-13-arrives/> is ready to
download. Besides the more obvious additions—like the introduction of
dark mode, and the unexpected joys of Apple Arcade
<https://www.wired.com/story/apple-arcade-reshape-mobile-gaming/>—it also
features a raft of security and privacy enhancements.

The reputation of iOS security may have taken some dings
<https://www.wired.com/story/ios-security-imessage-safari/> of late, but
it's still one of the most secure consumer operating systems available.
Here are all the ways the latest version keeps you even more protected.

https://www.wired.com/story/ios-13-security-privacy-features-settings/

...complicated, sigh.


Two years later, hackers are still breaching local government payment portals (Catalin Cimpanu)

Gene Wirchenko <gene@shaw.ca>
Mon, 23 Sep 2019 11:49:42 -0700
Catalin Cimpanu for Zero Day | 19 Sep 2019
New 20,000 batch of payment card details found on the dark web and traced
back to new Click2Gov hacks.
https://www.zdnet.com/article/two-years-later-hackers-are-still-breaching-local-government-payment-portals/

opening text:

Two years after hackers first started targeting local government payment
portals, attacks are still going on, with eight cities having had their
Click2Gov payment portals compromised in the last month alone, security
researchers from Gemini Advisory have revealed in a report shared with ZDNet
today.

These new hacks have allowed hackers to get their hands on over 20,000
payment card details belonging to US citizens, which are now being traded on
the dark web, the cyber-security firm said.


Man allegedly used drone to pelt ex-girlfriend's home with bombs (Charlie Osborne)

Gene Wirchenko <gene@shaw.ca>
Mon, 23 Sep 2019 11:53:51 -0700
Charlie Osborne for Zero Day | 20 Sep 2019
Charges now include unregistered drone operation, meth use, and unlawfully
owning firearms.
https://www.zdnet.com/article/man-allegedly-used-drones-to-pelt-ex-girlfriends-home-with-bombs/

In the aftermath of a breakup, people can lose all reason and take
irresponsible action—whether it be cutting up an ex-partner's clothes,
throwing out their possessions, or scratching their car.

In extreme cases, drones, otherwise known as unmanned aerial vehicles
(UAVs), may also allegedly become weaponized.

According to US prosecutors, a 43-year-old man used a DJI Phantom 3 drone to
drop homemade bombs on a previous girlfriend's property.


Apple Watch helps save motorcyclist's life (Adrian Kingsley-Hughes)

Gene Wirchenko <gene@shaw.ca>
Mon, 23 Sep 2019 12:12:42 -0700
Adrian Kingsley-Hughes for Hardware 2.0 | 23 Sep 2019
A Washington man credits the Apple Watch with helping to save his father's
life following a biking accident that left him unconscious.
https://www.zdnet.com/article/apple-watch-helps-save-motorcyclists-life/

The Apple Watch 4 and later contains a sensor that is continually looking
out for the wearer suffering a hard fall that could render them unconscious
and summon emergency help. This is exactly what happened to Gabe Burdett's
father.


Good Quote from 'The Handmaid's Tale' Author

Chris Drewe <e767pmk@yahoo.co.uk>
Mon, 23 Sep 2019 22:28:28 +0100
Last Saturday's newspaper featured an interview (couldn't find it on-line)
with Margaret Atwood, author of `The Handmaid's Tale' and more recently `The
Testaments'.  This included her saying: “Like any human technology, there's
a plus side, a minus side, and a stupid side that you didn't anticipate.
Pick out any technology, it's true of them all.”

  So it looks unlikely for RISKS to run short of source material any time
  soon...


Stanislav Petrov, `The Man Who Saved The World', Dies At 77 (NPR)

Richard Forno <rforno@infowarrior.org>
September 24, 2019 6:23:18 JST
  [via Dave Farber]

Greg Myre

https://www.npr.org/sections/thetwo-way/2017/09/18/551792129/stanislav-petrov-the-man-who-saved-the-world-dies-at-77

Stanislav Petrov, a former Soviet military officer, poses at his home in
2015 near Moscow. In 1983, he was on duty when the Soviet Union's early
warning satellite indicated the U.S. had fired nuclear weapons at his
country. He suspected, correctly, it was a false alarm and did not
immediately send the report up the chain of command. Petrov died at age 77.

Stanislav Petrov was a lieutenant colonel in the Soviet Union's Air Defense
Forces, and his job was to monitor his country's satellite system, which was
looking for any possible nuclear weapons launches by the United States.

He was on the overnight shift in the early morning hours of 26 Sep 1983,
when the computers sounded an alarm, indicating that the U.S. had launched
five nuclear-armed intercontinental ballistic missiles.  “The siren howled,
but I just sat there for a few seconds, staring at the big, back-lit, red
screen with the word 'launch' on it,” Petrov told the BBC in 2013.

It was already a moment of extreme tension in the Cold War. On Sept. 1 of
that year, the Soviet Union shot down a Korean Air Lines plane that had
drifted into Soviet airspace, killing all 269 people on board, including a
U.S. congressman. The episode led the U.S. and the Soviets to exchange
warnings and threats.

Petrov had to act quickly. U.S. missiles could reach the Soviet Union in
just over 20 minutes.  “There was no rule about how long we were allowed to
think before we reported a strike,” Petrov told the BBC.  “But we knew
that every second of procrastination took away valuable time, that the
Soviet Union's military and political leadership needed to be informed
without delay. All I had to do was to reach for the phone; to raise the
direct line to our top commanders—but I couldn't move. I felt like I was
sitting on a hot frying pan.”

Petrov sensed something wasn't adding up.  He had been trained to expect an
all-out nuclear assault from the U.S., so it seemed strange that the
satellite system was detecting only a few missiles being launched. And the
system itself was fairly new. He didn't completely trust it.

Arms control expert Jeffrey Lewis recalled the episode in an interview last
December on NPR:

  “[Petrov] just had this feeling in his gut that it wasn't right. It was
  five missiles. It didn't seem like enough. So even though by all of the
  protocols he had been trained to follow, he should absolutely have
  reported that up the chain of command and, you know, we should be talking
  about the great nuclear war of 1983 if any of us survived.”

After several nerve-jangling minutes, Petrov didn't send the computer
warning to his superiors. He checked to see if there had been a computer
malfunction.

He had guessed correctly.  “Twenty-three minutes later I realized that
nothing had happened,” he said in 2013. “If there had been a real strike,
then I would already know about it. It was such a relief.”

That episode and the 1962 Cuban Missile Crisis are considered to be the
closest the U.S. and the Soviets came to a nuclear exchange. And while the
Cuban Missile Crisis has been widely examined, Petrov's actions have
received much less attention.

Petrov died on 19 May 2019, at age 77, in a suburb outside Moscow, according
to news reports Monday. He had long since retired and was living alone. News
of his death apparently went unrecognized at the time.

Karl Schumacher, a German political activist who had highlighted Petrov's
actions in recent years, tried to contact Petrov earlier this month to wish
him a happy birthday. Instead, he reached Petrov's son, Dmitri, who said his
father had died in May.

Petrov said he received an official reprimand for making mistakes in his
logbook on Sept. 26, 1983.

His story was not publicized at the time, but it did emerge after the Soviet
Union collapsed. He received a number of international awards during the
final years of his life. In 2015, a docudrama about him featuring Kevin
Costner was called The Man Who Saved The World.

But he never considered himself a hero.

“That was my job.  But they were lucky it was me on shift that night.”

Greg Myre is a national security correspondent. Follow him @gregmyre1.


Too Many VPNs Put Our Privacy And Security At Risk (Forbes)

the keyboard of geoff goodfellow <geoff@iconia.com>
Mon, 23 Sep 2019 14:14:05 -1000
Virtual private networks: they help you sidestep geographical media
restrictions, and they keep your web browsing private, right? Well, not
always, because even if the best VPNs add a welcome layer of security to our
web setups, cybersecurity experts are warning that there are just as many
VPN applications that expose their trusting users to surveillance and
cyberattacks.

According to a broad range of specialists, many free and mobile VPNs on the
market use unsafe protocols and log user activity, while even good virtual
private networks can't always guarantee to protect their users from the
prying eyes of a jealous government or its intelligence agencies. That's why
it's vitally important that we not only choose the most reliable and robust
VPNs available, but that we also learn how to configure and run them to
their full potential. Otherwise, we may find ourselves in a similar
situation to users of Fortigate and Pulse Secure, two VPNs which were
targeted by cyberattackers last month.

Normally, VPNs are very useful and dependable tools, with 30% of all
Internet users employing a VPN at least once a month.  “Generally speaking,
a modern online VPN is a service that is designed to encrypt your entire
computer's traffic and at the same time hide your identity by routing your
(now encrypted) traffic through one or more anonymous routers,” explains
Yaniv Balmas, the head of cyber research at Check Point.  “Assuming that
the VPN provider uses up-to-date encryption methods and frequently changes
its routing points, this service should provide a secure and robust
service.”

However, Balmas adds that “the devil lies in the details,” with poorly
implemented virtual private networks causing “more harm than good for its
users.”  In fact, the scale of the problem is actually more extensive than
most people realise, because in many cases VPNs—and particularly free
and/or mobile VPNs—not only don't work as advertised, but also leave
users open to viruses and privacy violations.

“We tested the top 150 free VPN Android apps and found that many had
serious security flaws and performance issues,” warns Callum Tennent, a VPN
expert and the site editor at Top10VPN.com. Referring to a study his website
conducted in February, Tennent alarmingly reveals that 18% of the tested
VPNs contained potential malware or viruses, 85% featured excessive
permissions or functions that could put a user's privacy at risk, and 25%
exposed a user's traffic to DNS leaks and other leaks...

https://www.forbes.com/sites/simonchandler/2019/09/23/too-many-vpns-put-our-privacy-and-security-at-risk/


Two articles by Bruce Schneier on supply-chain security threats

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 25 Sep 2019 2:59:40 PDT
https://www.nytimes.com/2019/09/25/opinion/huawei-internet-security.html

https://edition.cnn.com/2019/09/21/opinions/chinese-spy-trains-are-not-a-credible-threat-schneier/index.html


Re: Alabama is penalizing students for leaving football games early (RISKS-31.42)

"Arthur T." <Risks201909.10.atsjbt@xoxy.net>
Fri, 13 Sep 2019 20:31:50 -0400
The Washington Post's headline is seriously misleading. The story text says
that students “earn 100 points for attending a home game and then get an
additional 250 if they're still in attendance by the fourth quarter.”  To
me, not rewarding someone is very different from penalizing them. The story
(as opposed to the headline) implies that a student is always better off
attending a game, even if the student leaves early.


Re: Why a cup of coffee forced a plane to make an unplanned landing (WashPost via Solomon, RISKS-31.42)

Mark Brader <msb@vex.net>
Fri, 13 Sep 2019 19:20:45 -0400
> A new safety bulletin from the British government shows that an unplanned
> landing in Ireland was caused by coffee that spilled on a control panel in
> the cockpit.

Life imitates fiction!  This is exactly the cause identified for a plane
crash in the movie *Fate is the Hunter*—in 1964.

  [There's no crying over spilled milk, but spilled coffee is different.
  The diverted aircraft resulted in a new form of diverticulitis for every
  passenger and crew member.  PGN]
