The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 31 Issue 49

Wednesday 25 November 2019

Contents

Train door safety interlock based on hanger not actual door position
BBC
Aircraft warning lights system open online
Security Affairs
Tainted Data Can Teach Algorithms the Wrong Lessons (WiReD
????
Finds GPS tracker on his car, removes it, charged with theft
Ars Technica
DMVs profit by selling PII
Vice/Motherboard
Cheap kids smartwatch exposes the location of 5,000+ children
Catalin Cimpanu
More on AI-generated deepfakes
NYTimes
Hidden Cam Above Bluetooth Pump Skimmer
Krebs on Security
Tim Berners-Lee's plan includes framework to protect privacy, personal data
MarketWatch
Independent security researcher discovers information trove
Bloomberg
Investigation finds BC firm delivered micro-targeted political ads without ensuring consent
Kelly Bert Manning
A cautionary tale about IT out sourcing—Landlord finds millions of confidential files left by defunct IT firm
????
This girl hacked 11,000 dogs and cats smart feeders
Information Security Newspaper
Re: How dumb design wwii plane led macintosh
Amos Shapir
Re: A hypothesis on the immediate future of audio scams
Amos Shapir
Re: There's more to the Internet than the DNS, or Internet world despairs ...
John Levine
Re: What happens if your mind lives for ever on the Internet?
Martin Ward
Re: Officials Warn of "Juice Jacking" Scams at USB Charging Stations
Andrew Duane
Info on RISKS (comp.risks)

Train door safety interlock based on hanger not actual door position (BBC)

"paul cornish" <paul.a.cornish@googlemail.com>
Wed, 27 Nov 2019 16:37:41 -0000
>From the BBC web site https://www.bbc.co.uk/news/uk-england-essex-50573800

The actuator moved, the door hanger moved, the micro switch (on the door
hanger) said the door was closed.  But the bolts holding the door onto the
hanger had gone so the door stayed open. 23 minutes at 83 mph before a
passenger told the driver


Aircraft warning lights system open online (Security Affairs)

J Coe <spendday@gmail.com>
Wed, 27 Nov 2019 07:03:39 +0000
Independent researcher Amitay Dan <https://twitter.com/popshark1> discovered
that control panels for aircraft warning lights were exposed to the
Internet, potentially allowing attackers to control them.

https://securityaffairs.co/wordpress/94414/hacking/aircraft-warning-lights-hack.html


Tainted Data Can Teach Algorithms the Wrong Lessons (WiReD

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 27 Nov 2019 9:47:01 PST
  This is joint work of Wenchao Li at Boston University and Susmit Jha at
  SRI and others, on inserting Trojans/backdoors to reinforcement learning
  policy.  Their paper was recently covered by Wired:
    https://www.wired.com/story/tainted-data-teach-algorithms-wrong-lessons/
  and picked up by other outlets such as boingboing:
    https://boingboing.net/2019/11/25/backdooring-ai.html


Finds GPS tracker on his car, removes it, charged with theft (Ars Technica)

danny burstein <dannyb@panix.com>
Mon, 25 Nov 2019 18:46:19 -0500 (EST)
Turns out it was the local constabulary who placed it on his car.  Oh, they
had a warrant.

He found it, took it off, brought it into his house.  It stopped working
(unclear from the stories just why, i.e. did he smash it, remove battery,
hit the "off" button, etc...)

The cops got another warrant to search his home claiming they believed he
had stolen (!!)  the tracker and hid it in his house.  So they entered and
saw drug paraphernalia.

Hillarity is ongoing

https://arstechnica.com/tech-policy/2019/11/man-charged-with-theft-for-removing-police-gps-tracker-from-his-car/


DMVs profit by selling PII (Vice/Motherboard)

the keyboard of geoff goodfellow <geoff@iconia.com>
Mon, 25 Nov 2019 13:30:26 -1000
*A document obtained by Motherboard shows how DMVs sell people's names,
addresses, and other personal information to generate revenue*

The California Department of Motor Vehicles is generating revenue of
$50,000,000 a year through selling drivers' personal information, to a DMV
document obtained by Motherboard.

DMVs across the country are selling data that drivers are required to
provide to the organization in order to obtain a license. This information
includes names, physical addresses, and car registration information.
California's sales come from a state which generally scrutinizes
privacy to a higher degree
<https://techcrunch.com/2019/10/12/californias-privacy-act-what-you-need-to-know-now/> than the rest of the country.

In a public record acts request, Motherboard asked the California DMV for
the total dollar amounts paid by commercial requesters of data for the past
six years. The responsive document shows the total revenue in financial year
2013/14 as $41,562,735, before steadily climbing to $52,048,236 in the
financial year 2017/18.

The document doesn't name the commercial requesters, but some specific
companies appeared frequently in Motherboard's earlier investigation
<https://www.vice.com/en_us/article/43kxzq/dmvs-selling-data-private-investigators-making-millions-of-dollars>
that looked at DMVs across the country. They included data broker LexisNexis
and consumer credit reporting agency Experian. Motherboard also found DMVs
sold information to private investigators, including those who are hired to
find out if a spouse is cheating. It is unclear if the California DMV has
recently sold data to these sorts of entities...

https://www.vice.com/en_us/article/evjekz/the-california-dmv-is-making-dollar50m-a-year-selling-drivers-personal-information


Cheap kids smartwatch exposes the location of 5,000+ children (Catalin Cimpanu)

Gene Wirchenko <gene@shaw.ca>
Mon, 25 Nov 2019 11:57:17 -0800
Catalin Cimpanu for Zero Day | 25 Nov 2019
Insecure web backend and mobile app let attackers access any kids' details
and parent account.
https://www.zdnet.com/article/cheap-kids-smartwatch-exposes-the-location-of-5000-children/

A cheap $35 kids' smartwatch made in China was caught exposing the personal
details and location information for more than 5,000 children and their
parents.

The concept is not new, as there are plenty of similar products on the
market, varying in prices from $30 to $200-$300. However, Morgenstern
suggests that SMA created one of the most insecure products on the market.

For starters, Morgenstern says anyone can query the smartwatch's backend via
a publicly accessible web API. This is the same backend where the mobile app
also connects to retrieve the data it shows on parents' phones.

Morgenstern says there's an authentication token in place that's supposedly
there to prevent unauthorized access, but attackers can supply any token
they like, as the server never verifies its validity.

Morgenstern says that using this technique, his team was able to identify
more than 5,000 M2 smartwatch wearers and more than 10,000 parent accounts.

      [And it gets worse.]


More on AI-generated deepfakes (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Sun, 24 Nov 2019 22:08:02 -0500
Researchers are creating tools to find AI-generated fake videos before
they become impossible to detect. Some experts fear it is a losing battle.

https://www.nytimes.com/2019/11/24/technology/tech-companies-deepfakes.html


Hidden Cam Above Bluetooth Pump Skimmer (Krebs on Security)

the keyboard of geoff goodfellow <geoff@iconia.com>
Mon, 25 Nov 2019 13:13:05 -1000
Tiny hidden spy cameras are a common sight at ATMs that have been tampered
with by crooks who specialize in retrofitting the machines with card
skimmers. But until this past week I'd never heard of hidden cameras being
used at gas pumps in tandem with Bluetooth-based card skimming devices.

Apparently, I'm not alone.

“I believe this is the first time I've seen a camera on a gas pump with a
Bluetooth card skimmer,'' said *Detective Matt Jogodka *of the Las Vegas
Police Department, referring to the compromised fuel pump pictured below...

https://krebsonsecurity.com/2019/11/hidden-cam-above-bluetooth-pump-skimmer/


Tim Berners-Lee's plan includes framework to protect privacy, personal data (MarketWatch)

the keyboard of geoff goodfellow <geoff@iconia.com>
Mon, 25 Nov 2019 13:14:05 -1000
World Wide Web inventor Tim Berners-Lee released an ambitious rule book for
online governance—a bill of rights and obligations for the Internet --
designed to counteract the growing prevalence of such anti-democratic
poisons as misinformation, mass surveillance and censorship.

The product of a year's work by the World Wide Web Foundation where
Berners-Lee is a founding director, the *Contract for the Web*
<https://contractfortheweb.org/>seeks commitments from governments and
industry to make and keep knowledge freely available—a digital policy
agenda true to the design vision of the 30-year-old web.

The contract is non-binding, however. And funders and partners in the
endeavor include Alphabet's  Google and Facebook, whose data-collecting
business models and sensation-rewarding algorithms have been blamed for
exacerbating online toxicity.

“We haven't had a fairly complex, fairly complete plan of action for the
web going forward,'' Berners-Lee said in an interview.  “This is the first
time we've had a rule book in which responsibility is being shared.''

https://www.marketwatch.com/story/web-inventor-unveils-ambitious-rule-book-for-internet-responsibility-2019-11-24


Independent security researcher discovers information trove (Bloomberg)

the keyboard of geoff goodfellow <geoff@iconia.com>
Mon, 25 Nov 2019 13:35:28 -1000
Server shut down after FBI contacted about unsecured data

A database aggregating 1.2 billion users' personal information, including
social media accounts, email addresses and phone numbers, was discovered
unprotected on a server last month. So far, it's not clear how it g ot
there.

Most of the data was collected by a company called People Data Labs, said
Vinny Troia, chief executive officer of Night Lion Security, which is based
in St. Louis. People Data Labs provides work emails and social media account
details for what the company claims is a billion and a half people.  That
data is scraped from various sources and sold as a way to contact “70%+
decision makers in the US, UK and Canada,'' according to the company's
website.

The unprotected data didn't reside on a People Data Labs'
server, but was on a Google Cloud server, Troia said. Google didn't
respond to a request for comment about who was renting the server.

Sean Thorne, People Data Labs' co-founder and chief executive officer, said
some, but not all, of the data came from his company and suspects it was
being aggregated by another firm merging various data points...

https://www.newsmax.com/finance/streettalk/billion-data-unprotected-google/2019/11/22/id/942975/

https://www.bloomberg.com/news/articles/2019-11-22/a-billion-people-s-data-left-unprotected-on-google-cloud-server


Investigation finds BC firm delivered micro-targeted political ads without ensuring consent

Kelly Bert Manning <bo774@freenet.carleton.ca>
Tue, 26 Nov 2019 22:51:43 -0500 (EST)
A joint investigation by the Canadian Federal Privacy Commission and BC
Office of the Information and Privacy Commissioner has issued a Press
Release regarding their investigation of Cambridge Analytica associate
Aggregate IQ.

"Joint investigation finds failings in political consultancy's consent
practices for uses and disclosures of personal information and in its
security safeguard practices.

VANCOUVER, British Columbia, November 26, 2019"

https://priv.gc.ca/en/opc-news/news-and-announcements/2019/nr-c_191126/
https://www.oipc.bc.ca/news-releases/2364


A cautionary tale about IT out sourcing—Landlord finds millions of confidential files left by defunct IT firm

Kelly Bert Manning <bo774@freenet.carleton.ca>
Tue, 26 Nov 2019 22:57:09 -0500 (EST)
"When one of Gregg Patterson's commercial tenants packed up and moved out in
the middle of the night, leaving behind hard drives, computer servers and
bankers boxes full of documents, he could have just dumped it all at the
curb."

https://www.cbc.ca/news/canada/ottawa/fly-by-night-it-company-leaves-10-million-digital-files-cautionary-tale-1.5365619


This girl hacked 11,000 dogs and cats smart feeders (Information Security Newspaper)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Wed, 27 Nov 2019 11:42:06 -0700
https://www.securitynewspaper.com/2019/10/25/this-girl-hacked-11000-dogs-and-cats-smart-feeders-would-she-dare-to-harm-your-pets/

25 Oct 2019

  Cybersecurity incidents can affect many aspects of our lives, including
  issues related to our pets. A few months ago, Xiaomi, in collaboration
  with the company Furrytail, launched a crowd funding project consisting of
  an Internet-connected pet feeder controlled through an app, which was sold
  on Youpin, Xiaomi's official store.

  Anna Prosvetova, a well-known Russian hacker, claims to have hacked
  thousands of Furrytail Pet Smart Feeder devices, accessing any data
  related to its use. The hacker states that it is even possible to
  manipulate the operation of the device remotely.

  According to cybersecurity experts, this device is basically an
  Internet-connected food depot capable of feeding pets when their master is
  away from home, setting schedules to deliver a previously determined food
  load. The project had a more than acceptable response in the fundraising
  process, so it was launched almost immediately and released earlier this
  year.


Re: How dumb design wwii plane led macintosh (RISKS-31.48)

Amos Shapir <amos083@gmail.com>
Tue, 26 Nov 2019 18:20:16 +0200
The application described would create a very stable cruise, no user might
wander off the beaten path or stumble—which would make it the most boring
travel experience ever...

The most exciting experiences often occur when we stumble upon something
unexpected; such an application would essentially eliminate such moments!


Re: A hypothesis on the immediate future of audio scams (RISKS-31.48)

Amos Shapir <amos083@gmail.com>
Tue, 26 Nov 2019 18:25:35 +0200
This scam is nothing new; in fact, it's as old as recording devices.

For example this movie:
https://letterboxd.com/film/the-great-telephone-robbery/ was made in 1972
following a real event in which criminals used low-tech means to connect to
a bank's phone line and impersonate the manager.


Re: There's more to the Internet than the DNS, or Internet world despairs

"John Levine" <johnl@iecc.com>
26 Nov 2019 17:40:08 -0500
>https://www.theregister.co.uk/2019/11/20/org_registry_sale_shambles/?page=1

This is a classic Register article.  Many of the purported facts are correct
but the conspiracy theory they hint at is not.  The arguments are entirely
about the purported effects of implausibly large price increases on .org
registrants, most of whom are in North America and other developed
countries.  It has a bunch of questions at the end for Ethos, the buyer, and
says "We will update this story if and when they respond."  Ethos did, at
https://www.keypointsabout.org/ and at
http://www.circleid.com/posts/20191125_showing_our_ethos_with_org/ The
Register hasn't updated the story, but that's classic, too.

Moreover, there are on the order of 4 billion Internet users, of whom
perhaps 0.1% are .org domain registrants. Most of that other 99.9% does not
live in developed countries.  The point of selling the registry is to have a
more stable income to support the Internet Society's programs that benefit
that 99.9% as well as the 0.1%.  The risk here is to assume that the
technical concerns of your friends and people who look like you are the ones
that matter.

Claimer: I'm a member of the ISOC board, we reviewed the various proposals
to buy PIR in detail, and we voted unanimously for the one we accepted.


Re: What happens if your mind lives for ever on the Internet?

Martin Ward <martin@gkc.org.uk>
Wed, 27 Nov 2019 10:18:17 +0000
In the 1940's, Turing wrote about his famous Test, and predicted that within
20 years we would have machines as intelligent as humans.

In the 1960's, when AI research was just beginning, researchers predicted
that within the next 20 years we would have machines as intelligent as
humans.  I remember reading some of these predictions in the 1970's and
wondering...

In the 1980's, I read Douglas Hofstadter's brilliant book "Godel, Escher,
Bach" in which he predicted that within the next 20 years we would have
machines as intelligent as humans.  At that point, I made my own prediction:
"In 20 years time people will *still* be predicting that in 20 years time we
would have machines as intelligent as humans!"

In 1999 Ray Kurzweil published "The Age of Spiritual Machines" and Hans
Moravec published "Robot", which proposed that perhaps even as early as 2020
to 2030 we will create silicon evolutionary spaces that will develop
higher-level intelligence.

Bill Gates said "Twenty years from now, predicts Ray Kurzweil, $1,000
computers will match the power of the human brain."

It seems that *my* prediction was fulfilled! :-)

Some tentative conclusions:

(1) Twenty years is just about as far ahead as anyone can imagine.

(2) "Moore's Law", observed in 1965 that computer power doubles every two
years.  This "law" continued to hold for many decades, yet despite these
huge technological gains since Turing's paper in the 1940's, human
intelligence is still just as far away as it ever was.  It is as if despite
building bigger and bigger ladders, we are getting no closer to Andromeda
galaxy!

(3) This suggests that in reality, human intelligence is *infinitely* far
removed from machine intelligence: in other words, that there really is some
*qualitative* difference between man and machine, and not just a
quantitative gap which can be bridged with a few more transistors and a
better programming language.  You simply cannot get to Andromeda by climbing
a ladder.  If this is the case, then, a fortiori, you cannot duplicate a
human mind within a machine.

(4) In this context, the arguments about a "Technological Singularity" begin
to look more like a "reductio ad absurdum" proof that machine intelligence
will *never* surpass human intelligence.  (Since the superintelligent
machine will be able to design a still more intelligent machine, and so on
ad infinitum.  Quod est absurdum).


Re: Officials Warn of "Juice Jacking" Scams at USB Charging Stations (RISKS-31.48)

Andrew Duane <e91.waggin@gmail.com>
Wed, 27 Nov 2019 12:20:01 -0500
"... In a scam called "juice jacking," criminals load malware onto charging
stations or cables they leave plugged in at the stations, infecting the
phones and other electronic devices of unsuspecting users..."

This is exactly why I have always labeled and carried power-only micro-USB
cables that don't even have data wires inside them. They used to be widely
available for my old micro-USB phones and tablets, but I have not seen them
for my new and (not even remotely) improved USB-C cables or my wife's Apple
Lightning cables.

My workaround for the new phones is to carry a wireless charging pad. Even
though they are far less convenient, I assume malware can't be transmitted
over Qi-charging. Should that last sentence end with the word "yet"?

Please report problems with the web pages to the maintainer

Top