Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
>From the BBC web site https://www.bbc.co.uk/news/uk-england-essex-50573800
The actuator moved, the door hanger moved, the micro switch (on the door hanger) said the door was closed. But the bolts holding the door onto the hanger had gone so the door stayed open. 23 minutes at 83 mph before a passenger told the driver
Independent researcher Amitay Dan <https://twitter.com/popshark1> discovered that control panels for aircraft warning lights were exposed to the Internet, potentially allowing attackers to control them.
https://securityaffairs.co/wordpress/94414/hacking/aircraft-warning-lights-hack.html
This is joint work of Wenchao Li at Boston University and Susmit Jha at SRI and others, on inserting Trojans/backdoors to reinforcement learning policy. Their paper was recently covered by Wired:
https://www.wired.com/story/tainted-data-teach-algorithms-wrong-lessons/
and picked up by other outlets such as boingboing:
https://boingboing.net/2019/11/25/backdooring-ai.html
Turns out it was the local constabulary who placed it on his car. Oh, they had a warrant.
He found it, took it off, brought it into his house. It stopped working (unclear from the stories just why, i.e. did he smash it, remove battery, hit the “off” button, etc…)
The cops got another warrant to search his home claiming they believed he had stolen (!!) the tracker and hid it in his house. So they entered and saw drug paraphernalia.
Hillarity is ongoing
A document obtained by Motherboard shows how DMVs sell people's names, addresses, and other personal information to generate revenue
The California Department of Motor Vehicles is generating revenue of $50,000,000 a year through selling drivers' personal information, to a DMV document obtained by Motherboard.
DMVs across the country are selling data that drivers are required to provide to the organization in order to obtain a license. This information includes names, physical addresses, and car registration information. California's sales come from a state which generally scrutinizes privacy to a higher degree <https://techcrunch.com/2019/10/12/californias-privacy-act-what-you-need-to-know-now/> than the rest of the country.
In a public record acts request, Motherboard asked the California DMV for the total dollar amounts paid by commercial requesters of data for the past six years. The responsive document shows the total revenue in financial year 2013/14 as $41,562,735, before steadily climbing to $52,048,236 in the financial year 2017/18.
The document doesn't name the commercial requesters, but some specific companies appeared frequently in Motherboard's earlier investigation <https://www.vice.com/en_us/article/43kxzq/dmvs-selling-data-private-investigators-making-millions-of-dollars> that looked at DMVs across the country. They included data broker LexisNexis and consumer credit reporting agency Experian. Motherboard also found DMVs sold information to private investigators, including those who are hired to find out if a spouse is cheating. It is unclear if the California DMV has recently sold data to these sorts of entities…
Catalin Cimpanu for Zero Day | 25 Nov 2019 Insecure web backend and mobile app let attackers access any kids' details and parent account. https://www.zdnet.com/article/cheap-kids-smartwatch-exposes-the-location-of-5000-children/
A cheap $35 kids' smartwatch made in China was caught exposing the personal details and location information for more than 5,000 children and their parents.
The concept is not new, as there are plenty of similar products on the market, varying in prices from $30 to $200-$300. However, Morgenstern suggests that SMA created one of the most insecure products on the market.
For starters, Morgenstern says anyone can query the smartwatch's backend via a publicly accessible web API. This is the same backend where the mobile app also connects to retrieve the data it shows on parents' phones.
Morgenstern says there's an authentication token in place that's supposedly there to prevent unauthorized access, but attackers can supply any token they like, as the server never verifies its validity.
Morgenstern says that using this technique, his team was able to identify more than 5,000 M2 smartwatch wearers and more than 10,000 parent accounts.
[And it gets worse.]
Researchers are creating tools to find AI-generated fake videos before they become impossible to detect. Some experts fear it is a losing battle.
https://www.nytimes.com/2019/11/24/technology/tech-companies-deepfakes.html
Tiny hidden spy cameras are a common sight at ATMs that have been tampered with by crooks who specialize in retrofitting the machines with card skimmers. But until this past week I'd never heard of hidden cameras being used at gas pumps in tandem with Bluetooth-based card skimming devices.
Apparently, I'm not alone.
“I believe this is the first time I've seen a camera on a gas pump with a Bluetooth card skimmer,” said Detective Matt Jogodka of the Las Vegas Police Department, referring to the compromised fuel pump pictured below…
https://krebsonsecurity.com/2019/11/hidden-cam-above-bluetooth-pump-skimmer/
World Wide Web inventor Tim Berners-Lee released an ambitious rule book for online governance—a bill of rights and obligations for the Internet — designed to counteract the growing prevalence of such anti-democratic poisons as misinformation, mass surveillance and censorship.
The product of a year's work by the World Wide Web Foundation where Berners-Lee is a founding director, the Contract for the Web <https://contractfortheweb.org/>seeks commitments from governments and industry to make and keep knowledge freely available—a digital policy agenda true to the design vision of the 30-year-old web.
The contract is non-binding, however. And funders and partners in the endeavor include Alphabet's Google and Facebook, whose data-collecting business models and sensation-rewarding algorithms have been blamed for exacerbating online toxicity.
“We haven't had a fairly complex, fairly complete plan of action for the web going forward,” Berners-Lee said in an interview. “This is the first time we've had a rule book in which responsibility is being shared.”
Server shut down after FBI contacted about unsecured data
A database aggregating 1.2 billion users' personal information, including social media accounts, email addresses and phone numbers, was discovered unprotected on a server last month. So far, it's not clear how it got there.
Most of the data was collected by a company called People Data Labs, said Vinny Troia, chief executive officer of Night Lion Security, which is based in St. Louis. People Data Labs provides work emails and social media account details for what the company claims is a billion and a half people. That data is scraped from various sources and sold as a way to contact “70%+ decision makers in the US, UK and Canada,” according to the company's website.
The unprotected data didn't reside on a People Data Labs' server, but was on a Google Cloud server, Troia said. Google didn't respond to a request for comment about who was renting the server.
Sean Thorne, People Data Labs' co-founder and chief executive officer, said some, but not all, of the data came from his company and suspects it was being aggregated by another firm merging various data points…
https://www.newsmax.com/finance/streettalk/billion-data-unprotected-google/2019/11/22/id/942975/
A joint investigation by the Canadian Federal Privacy Commission and BC Office of the Information and Privacy Commissioner has issued a Press Release regarding their investigation of Cambridge Analytica associate Aggregate IQ.
“Joint investigation finds failings in political consultancy's consent practices for uses and disclosures of personal information and in its security safeguard practices.”
VANCOUVER, British Columbia, November 26, 2019”
https://priv.gc.ca/en/opc-news/news-and-announcements/2019/nr-c_191126/ https://www.oipc.bc.ca/news-releases/2364
“When one of Gregg Patterson's commercial tenants packed up and moved out in the middle of the night, leaving behind hard drives, computer servers and bankers boxes full of documents, he could have just dumped it all at the curb.”
25 Oct 2019
Cybersecurity incidents can affect many aspects of our lives, including issues related to our pets. A few months ago, Xiaomi, in collaboration with the company Furrytail, launched a crowd funding project consisting of an Internet-connected pet feeder controlled through an app, which was sold on Youpin, Xiaomi's official store.
Anna Prosvetova, a well-known Russian hacker, claims to have hacked thousands of Furrytail Pet Smart Feeder devices, accessing any data related to its use. The hacker states that it is even possible to manipulate the operation of the device remotely.
According to cybersecurity experts, this device is basically an Internet-connected food depot capable of feeding pets when their master is away from home, setting schedules to deliver a previously determined food load. The project had a more than acceptable response in the fundraising process, so it was launched almost immediately and released earlier this year.
The application described would create a very stable cruise, no user might wander off the beaten path or stumble—which would make it the most boring travel experience ever…
The most exciting experiences often occur when we stumble upon something unexpected; such an application would essentially eliminate such moments!
This scam is nothing new; in fact, it's as old as recording devices.
For example this movie: https://letterboxd.com/film/the-great-telephone-robbery/ was made in 1972 following a real event in which criminals used low-tech means to connect to a bank's phone line and impersonate the manager.
>https://www.theregister.co.uk/2019/11/20/org_registry_sale_shambles/?page=1
This is a classic Register article. Many of the purported facts are correct but the conspiracy theory they hint at is not. The arguments are entirely about the purported effects of implausibly large price increases on .org registrants, most of whom are in North America and other developed countries. It has a bunch of questions at the end for Ethos, the buyer, and says “We will update this story if and when they respond.” Ethos did, at https://www.keypointsabout.org/ and at http://www.circleid.com/posts/20191125_showing_our_ethos_with_org/ The Register hasn't updated the story, but that's classic, too.
Moreover, there are on the order of 4 billion Internet users, of whom perhaps 0.1% are .org domain registrants. Most of that other 99.9% does not live in developed countries. The point of selling the registry is to have a more stable income to support the Internet Society's programs that benefit that 99.9% as well as the 0.1%. The risk here is to assume that the technical concerns of your friends and people who look like you are the ones that matter.
Claimer: I'm a member of the ISOC board, we reviewed the various proposals to buy PIR in detail, and we voted unanimously for the one we accepted.
In the 1940's, Turing wrote about his famous Test, and predicted that within 20 years we would have machines as intelligent as humans.
In the 1960's, when AI research was just beginning, researchers predicted that within the next 20 years we would have machines as intelligent as humans. I remember reading some of these predictions in the 1970's and wondering…
In the 1980's, I read Douglas Hofstadter's brilliant book “Godel, Escher, Bach” in which he predicted that within the next 20 years we would have machines as intelligent as humans. At that point, I made my own prediction: “In 20 years time people will still be predicting that in 20 years time we would have machines as intelligent as humans!”
In 1999 Ray Kurzweil published “The Age of Spiritual Machines” and Hans Moravec published “Robot”, which proposed that perhaps even as early as 2020 to 2030 we will create silicon evolutionary spaces that will develop higher-level intelligence.
Bill Gates said “Twenty years from now, predicts Ray Kurzweil, $1,000 computers will match the power of the human brain.”
It seems that my prediction was fulfilled! :-)
Some tentative conclusions:
“… In a scam called ‘juice jacking,’ criminals load malware onto charging stations or cables they leave plugged in at the stations, infecting the phones and other electronic devices of unsuspecting users…”
This is exactly why I have always labeled and carried power-only micro-USB cables that don't even have data wires inside them. They used to be widely available for my old micro-USB phones and tablets, but I have not seen them for my new and (not even remotely) improved USB-C cables or my wife's Apple Lightning cables.
My workaround for the new phones is to carry a wireless charging pad. Even though they are far less convenient, I assume malware can't be transmitted over Qi-charging. Should that last sentence end with the word “yet”?
Please report problems with the web pages to the maintainer