The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 31 Issue 45

Monday 7 October 2019

Contents

The broken record: Why Barr's call against end-to-end encryption is nuts
Sean Gallagher
Disney World Skyliner Gondola abruptly stops, stranding passengers in air
NYTimes
Volatile compounds? 3D printing has a serious safety problem
Greg Nichols
Decades-old code is putting millions of critical devices at risk
WiReD
Ransomware forces 3 hospitals to turn away all but the most critical patients
Ars Technica
These sneaky email scammers are making it even harder for workers to spot fake invoices
Danny Palmer
This mysterious hacking campaign snooped on a popular form of VoIP software
Danny Palmer
Webkit zero-day exploit besieges Mac and iOS users with malvertising redirects
Ars Technica
Commuters get an eyeful after pair breaks in, uploads porn to Michigan billboard
NBC News
Maine hospital 'Wall of Shame' used records to mock disabled patients
The Boston Globe
How Israeli security services used big data to stop a wave of terrorism
haaretz
Wearable face projector to avoid face recognition
Reddit
Federal government has dramatically expanded exposure to risky mortgages
WashPost
What Is Bitcoin Block Size and Why Does It Matter?
Blocks Decoded
Hacking Of Internet-connected cars big national security threat
Consumer Watchdog
Some of the biggest critics of Waymo and other self-driving cars are the Silicon Valley residents who know how they work
WashPost
10 Tips to Avoid Leaving Tracks Around the Internet
NYTimes
Code 42 Info Requested
Charles Dunlop
NCCIC
Rebecca Mercuri
Look Who's Driving, NOVA, 23 Oct 9 pm EDT
Gabe Goldberg
Info on RISKS (comp.risks)

The broken record: Why Barr's call against end-to-end encryption is nuts (Sean Gallagher)

Richard Forno <rforno@infowarrior.org>
October 5, 2019 at 9:53:15 AM GMT+9
  [Via Dave Farber]

Sean Gallagher, Ars Technica, 4 Oct 2019

Barr, DHS Secretary, UK, and Australia say end-to-end encryption will help
child abusers.

Here we go again.

US Attorney General William Barr is leading a charge to press Facebook and
other Internet services to terminate end-to-end encryption efforts—this
time in the name of fighting child pornography. Barr, acting Secretary of
Homeland Security Kevin McAleenan, Australian Home Affairs Minister Peter
Dutton, and United Kingdom Secretary of State Priti Patel yesterday asked
Facebook CEO Mark Zuckerberg to hold off on plans to implement end-to-end
encryption across all Facebook Messenger services "without including a means
for lawful access to the content of communications to protect our citizens."

https://arstechnica.com/tech-policy/2019/10/the-broken-record-why-barrs-call-against-end-to-end-encryption-is-nuts/


Disney World Skyliner Gondola abruptly stops, stranding passengers in air (NYTimes)

Monty Solomon <monty@roscom.com>
Mon, 7 Oct 2019 00:19:42 -0400
https://www.nytimes.com/2019/10/06/business/disney-skyliner-crash.html

The gondola system, which connects Epcot, Hollywood Studios and several
Disney World resorts, opened on Sept. 29. It has now been shut down.


Volatile compounds? 3D printing has a serious safety problem (Greg Nichols)

Gene Wirchenko <gene@shaw.ca>
Tue, 01 Oct 2019 17:04:26 -0700
Greg Nichols for Robotics, ZDNet, 1 Oct 2019

Dangerous emissions are the dirty little secret of the ballooning 3D
printing industry.
https://www.zdnet.com/article/volatile-compounds-3d-printing-has-a-serious-safety-problem/

selected text:

It's looking more and more certain that 3D printing has a serious safety
problem. Though largely overlooked in the tech press, the problem is
pervasive and could impact millions of students, patients, and employees who
work in non-industrial settings that lack controlled environments.

That's according to a two-year study by UL Chemical Safety and Georgia
Institute of Technology, which shows that 3D printers emit airborne
nanoparticles and volatile organic compounds that can cause cardiovascular
and pulmonary issues. The UL/Georgia Tech study details the alarming
presence of more than 200 volatile compounds that are detected in
environments where a 3D printer is in use, including known irritants and
carcinogens.


Decades-old code is putting millions of critical devices at risk (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Wed, 2 Oct 2019 23:49:58 -0400
Nearly two decades ago, a company called Interpeak created a network
protocol that became an industry standard. It also had severe bugs that are
only now coming to light.

In early August, the enterprise security firm Armis got a confusing call
from a hospital that uses the company's security monitoring platform.  One
of its infusion pumps contained a type of networking vulnerability that the
researchers had discovered a few weeks prior.  But that vulnerability had
been found in an operating system called VxWorks—which the infusion pump
didn't run.
<https://www.wired.com/story/vxworks-vulnerabilities-urgent11/>

Hospital representatives wondered if it was just a false positive. But as
Armis researchers investigated, they started to see troubling signs of a
connection between VxWorks and the infusion pump's operating system. What
they ultimately discovered has disturbing implications for the security of
countless critical systems—patient monitors, routers, security cameras,
and more—across dozens of manufacturers.

Today Armis, the Department of Homeland Security
<https://www.us-cert.gov/ics/advisories/icsa-19-274-01>, the Food and Drug
Administration and a broad swath of so-called real-time operating system and
device companies disclosed that Urgent/11, a suite of network protocol bugs,
exist in far more platforms than originally believed. The RTO systems are
used in the always-on devices common to the industrial control or health
care industries. And while they're distinct platforms, many of them
incorporate the same decades-old networking code that leaves them vulnerable
to denial of service attacks or even full takeovers. There are at least
seven affected operating systems that run in countless IoT devices across
the industry.
<https://www.fda.gov/medical-devices/safety-communications/urgent11-cybersecurity-vulnerabilities-widely-used-third-party-software-component-may-introduce>,
<https://www.armis.com/resources/iot-security-blog/urgent-11-update/>

"It's a mess and it illustrates the problem of unmanaged embedded devices,"
says Ben Seri, vice president of research at Armis. "The amount of code
changes that have happened in these 15 years are enormous, but the
vulnerabilities are the only thing that has remained the same. That's the
challenge."

https://www.wired.com/story/urgent-11-ipnet-vulnerable-devices/


Ransomware forces 3 hospitals to turn away all but the most critical patients (Ars Technica)

Monty Solomon <monty@roscom.com>
Wed, 2 Oct 2019 09:18:55 -0400
https://arstechnica.com/information-technology/2019/10/hamstrung-by-ransomware-10-hospitals-are-turning-away-some-patients/


These sneaky email scammers are making it even harder for workers to spot fake invoices (Danny Palmer)

Gene Wirchenko <gene@shaw.ca>
Mon, 07 Oct 2019 10:33:44 -0700
Danny Palmer, ZDNet, 2 Oct 2019

By compromising emails between vendors and their clients, scammers can
produce exact replicas of expected invoices - and funnel the funds into
their own wallets.
https://www.zdnet.com/article/these-sneaky-email-scammers-are-making-it-even-harder-for-workers-to-spot-fake-invoices/

opening text:

Email scammers are getting more sophisticated, with one gang showing
particularly advanced tactics for stealing from organisations across the
world by using stealth, persistence and social engineering to trick firms
into paying invoices for legitimate services.

The attacks are different to standard Business Email Compromise (BEC)
attacks because rather than using a fake request for a money transfer
apparently ordered by a CEO or CFO, this campaign is based around supply
chains, espionage and research, with the attackers only cashing in once
they're convinced they can successfully dupe the victim by injecting
themselves into a legitimate email thread about finance.

This kind of approach makes the attacks very difficult to detect—and
often victims will only know they've been scammed when a vendor asks why a
payment wasn't received.


This mysterious hacking campaign snooped on a popular form of VoIP software (Danny Palmer)

Gene Wirchenko <gene@shaw.ca>
Mon, 07 Oct 2019 10:08:48 -0700
Danny Palmer | 4 Oct 2019
Researchers uncover a campaign that is snooping on call data and recordings
of conversations - and could even spoof calls.
https://www.zdnet.com/article/this-mysterious-hacking-campaign-is-snooping-on-a-popular-form-of-voip-software/

selected text:

Security researchers have traced the initial attacks back to between
February and July 2018, when an attacker was performing scans on over 600
companies across the world that use Asterisk FreePBX—a popular form of
open source VoIP software.

The attacker then went quiet for months before re-emerging this year,
targeting a US-based server owned by an engineering company that provides
services to the oil, gas and chemical industries.


Webkit zero-day exploit besieges Mac and iOS users with malvertising redirects (Ars Technica)

Monty Solomon <monty@roscom.com>
Wed, 2 Oct 2019 09:20:09 -0400
https://arstechnica.com/information-technology/2019/09/webkit-zeroday-exploit-besieges-mac-and-ios-users-with-malvertising-redirects/


Commuters get an eyeful after pair breaks in, uploads porn to Michigan billboard (NBC News)

Monty Solomon <monty@roscom.com>
Tue, 1 Oct 2019 19:16:45 -0400
https://www.nbcnews.com/news/us-news/commuters-get-eyeful-after-pair-breaks-uploads-porn-michigan-billboard-n1060581


Maine hospital 'Wall of Shame' used records to mock disabled patients (The Boston Globe)

Monty Solomon <monty@roscom.com>
Sat, 5 Oct 2019 00:29:38 -0400
https://www.boston.com/news/health/2019/10/04/a-maine-hospitals-wall-of-shame-used-private-records-to-mock-disabled-patients-now-officials-are-apologizing


How Israeli security services used big data to stop a wave of terrorism (haaretz)

Amos Shapir <amos083@gmail.com>
Sun, 6 Oct 2019 01:03:42 +0300
During 2015, Israel's security services were faced with a new problem:
Dozens of young Palestinians, most of them with no terrorist background,
were using whatever was handy—from kitchen knives to cars—to stoke an
unusual wave of terror attacks.

These activists were difficult to track down, because most of them were
acting alone and were not members of any known organizations.  According to
an article in the newspaper Haaretz, cyber-experts had used big data
gathered from social networks to flag any unusual behavior on the net—
such as access to extremist sites or "Facebook wills"—in order to stop
potential terrorists, some of them even before they had carried out any
attack.

https://www.haaretz.com/israel-news/.premium-how-israel-stopped-a-third-palestinian-intifada-1.7942355
(may require subscription)


Wearable face projector to avoid face recognition (Reddit)

José María Mateos <chema@rinzewind.org>
Sun, 6 Oct 2019 11:51:16 -0400
https://www.reddit.com/r/Cyberpunk/comments/ddplms/hk_wearable_face_projector_to_avoid_face/

Found this on Reddit linked to HK protests but, as a commenter says, this is
actually an art project. There is more information here:
http://jingcailiu.com/?portfolio=wearable-face-projector

Cameras and other technological products make for a better and safer living
environment than ever before. Mega databanks and high-resolution cameras in
the streets stock hundreds of exabytes a year. But who has access to this
data? It is possible that it could have commercial use, hence not only
retail companies but also the advertisement industry could be very
interested in this data in the coming future. They would hope to gain these
personal data and information as much as they can.

In the future, the advertisement could call your name when you walk along
the streets. The companies would know your personal interests and may set
different retail strategies for you. It could be convenient for customers,
but personal thoughts and opinions should be kept private.  This product
protects you from this privacy violation.

Concept:

Wearable face projector: A small beamer projects a different appearance on
your face, giving you a completely new appearance.


Federal government has dramatically expanded exposure to risky mortgages (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Thu, 3 Oct 2019 17:29:49 -0400
"There is a point here where, in an effort to create access to
homeownership, you may actually be doing it in a manner that isn't
sustainable and it's putting more people at risk," said David Stevens, a
former commissioner of the Federal Housing Administration who led the
Mortgage Bankers Association until last year. "Competition,
particularly in certain market conditions, can lead to a false narrative,
like 'housing will never go down' or 'you will never lose on mortgages.'"

https://www.washingtonpost.com/business/economy/federal-government-has-dramatically-expanded-exposure-to-risky-mortgages/2019/10/02/d862ab40-ce79-11e9-87fa-8501a456c003_story.html

  The risks? Human nature, greed, stupidity, unwillingness to learn from
  history. The usual.

    [It's a good thing RISKS does not have a requirement for only *new
    topics*.  "When will they ever learn."  (The old song, "Little Boxes on
    the Hillside" [and they all look just the same] seems relevant here.
    PGN]


What Is Bitcoin Block Size and Why Does It Matter? (Blocks Decoded)

Gabe Goldberg <gabe@gabegold.com>
Thu, 3 Oct 2019 17:55:50 -0400
However, that 1MB block size limit also restricts the number of transactions
the Bitcoin network processes. With a 1MB block size limit, the Bitcoin
network processes a maximum of around seven transactions per second (there
are anomalies). For comparison, Ethereum processes about 15 transactions per
second, Bitcoin Cash processes around 65 transactions per second, and the Visa
network can process over 1,700 fiat transactions per second.

You see, then, that the Bitcoin block size has a direct effect on Bitcoin
transaction speed.

https://blocksdecoded.com/what-bitcoin-block-size/

Using some fraction of the world's electricity to process ... seven
transactions/second?


Hacking Of Internet-connected cars big national security threat (Consumer Watchdog)

Monty Solomon <monty@roscom.com>
Sat, 5 Oct 2019 10:42:43 -0400
Kill Switch: Why Connected Cars Can Be Killing Machines And How To Turn Them Off
https://www.consumerwatchdog.org/privacy-technology/report-finds-hacking-internet-connected-cars-big-national-security-threat
https://www.consumerwatchdog.org/sites/default/files/2019-07/KILL SWITCH  7-29-19.pdf


Some of the biggest critics of Waymo and other self-driving cars are the Silicon Valley residents who know how they work (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Thu, 3 Oct 2019 17:26:34 -0400
SUNNYVALE, Calif.  Karen Brenchley is a computer scientist with expertise in
training artificial intelligence, but this longtime Silicon Valley resident
has pangs of anxiety whenever she sees Waymo self-driving cars maneuver the
streets near her home.

The former product manager, who has worked for Microsoft and
Hewlett-Packard, wonders how engineers could teach the robocars operating
<https://www.washingtonpost.com/local/trafficandcommuting/waymo-launches-nations-first-commercial-self-driving-taxi-service-in-arizona/2018/12/04/8a8cd58a-f7ba-11e8-8c9a-860ce2a8148f_story.html?tid=lk_inline_manual_4>
on her tree-lined streets to make snap decisions, speed and slow with the
flow of traffic and yield to pedestrians coming from the nearby park. She
has asked her husband, an award-winning science-fiction author who doesn't
drive, to wear a shiny vest while cycling to ensure autonomous vehicles spot
him in a rush of activity.

The problem isn't that she doesn't understand the technology.  It's that she
does, and she knows how flawed nascent technology can be. ...
<https://www.washingtonpost.com/business/driverless-cars/2018/10/26/d141ee32-d926-11e8-8384-bcc5492fef49_story.html?tid=lk_inline_manual_6>.

Silicon Valley types can be most skeptical of advanced technology because
they know how it works and what its risks are. Parents with experience at
large tech firms have famously cracked down on screen time for their
children. Some tech executives won't let female family members ride alone at
night with ride-sharing cars. Others keep their kids off social media
indefinitely.

That same skepticism has landed on Silicon Valley streets. Residents are
showing up to community meetings to express their concern about driverless
cars, even though they still have safety drivers in the front seat. Posts on
community site Nextdoor debate safety risks.

https://www.washingtonpost.com/technology/2019/10/03/silicon-valley-pioneered-self-driving-cars-some-its-tech-savvy-residents-dont-want-them-tested-their-neighborhoods/

  [Also noted by Richard Stein.  PGN]


10 Tips to Avoid Leaving Tracks Around the Internet (NYTimes)

Monty Solomon <monty@roscom.com>
Sun, 6 Oct 2019 16:29:37 -0400
https://www.nytimes.com/2019/10/04/smarter-living/10-tips-internet-privacy-crowdwise.html

Some of these suggestions are more aggressive, and make using the web less
convenient, but they'll definitely protect your privacy.


Code 42 Info Requested

Charles Dunlop <cdunlop@umich.edu>
Sun, 6 Oct 2019 21:41:49 -0400
A former student of mine recently took a job in a lab that required him to
install "Code 42" software on his personal computer.  This software
apparently backs up any lab-related data, and flags situations in which the
data is deleted or copied or moved to other media.  He was told that he
could opt to back up only the lab folder on his MacBook; however, the IT
folks informed him that if he elected that option, his entire computer
would be backed up.

I hadn't heard of this software before, and there doesn't seem to be a lot
of good information about it online.  Prima facie, it raises some serious
privacy issues.  Any information about this would be appreciated.


NCCIC

Rebecca Mercuri <notable@mindspring.com>
Fri, 4 Oct 2019 04:30:16 -0400
Those who are not already familiar with NCCIC (the U.S. National
Cybersecurity and Communications Integrations Center) may find this
informational brochure to be of interest.
<https://www.us-cert.gov/sites/default/files/publications/NCCIC_Year_in_Review_2017_Final.pdf>

  In the face of increasingly sophisticated threats, NCCIC stands on the
  front lines of the Federal Government's efforts to defend the Nation's
  most essential cyber- and communications networks. Every day brings
  challenges and opportunities. Our work inspires us, and we pursue it with
  a single-minded purpose: create a more secure and resilient cyber- and
  communications infrastructure.  In pursuit of this goal, NCCIC will listen
  to customers, operational partners, and other stakeholders, remaining
  attentive and responsive to their needs. We need and will encourage active
  stakeholder participation.

  In our information sharing programs to limit the likelihood and severity
  of incidents. We will emphasize utility, speed, and accuracy in the
  information we provide, and we will share as broadly as possible, while
  protecting confidentiality and privacy. We will continuously assess and
  optimize the way we perform as an integrated organization across all
  locations and refine our processes, technologies, and organizational
  structure to best execute our mission and serve our customers. NCCIC will
  remain a leader in the cybersecurity field by recruiting the best and
  brightest people, and by remaining agile and leaning forward to tackle
  current and future threats.

    [Rebecca gave the URL for the 2017 report, whose conclusions I have
    added to her message.  The following URL she cited is more recent.  PGN]

More about NCCIC can be found here:
<https://www.dhs.gov/cisa/national-cybersecurity-communications-integration-center>


Look Who's Driving, NOVA, 23 Oct 9 pm EDT

Gabe Goldberg <gabe@gabegold.com>
Fri, 4 Oct 2019 15:08:24 -0400
After years of anticipation, autonomous vehicles are now being tested on
public roads around the world. Dozens of startups have sprung up alongside
established auto and tech giants—which are also testing the waters—to
form what many hope will be a transformative new industry. But as innovators
rush to cash in on what they see as the next high-tech pot of gold, some
experts warn there are still daunting challenges to overcome—like how to
train computers to make life-and-death decisions as well as humans can. NOVA
peers under the hood of the autonomous vehicle industry to investigate how
driverless cars work, how they may change the way we live, and whether we
will ever be able to entrust them with our lives. NOVA /Look Who's Driving/
premieres Wednesday, October 23, 2019 at 9 p.m. ET/8C on PBS.

How can we train artificial intelligence to be better than humans at making
life-and-death decisions? How do self-driving cars work? How close are we to
large-scale deployment of them? Join us for a special screening of this
fascinating documentary followed by our panel of pioneering company leaders
and academic experts who will tackle not just these technical issues, but
some of the potential economic and social implications. This panel
discussion will be streamed live on our Facebook page.
<https://www.facebook.com/pg/computerhistory/videos/?ref=page_internal>

https://computerhistory.org/events/look-whos-driving/
