The RISKS Digest
Volume 31 Issue 98

Friday, 12th June 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents

Election fiasco: Georgia on my mind
NYTimes via PGN
Babylon Health app error allowed UK users to watch videos of other patients' private doctor visits
CBC-CA
How his photo ended up breaking Android phones
BBC News
Unusual rodent engine problem has suddenly become ‘super common’
Freep
Honda confirms its network has been hit by cyber-attack
ZDNet
New CrossTalk attack impacts Intel's mobile, desktop, and server CPUs
ZDNet
Australian beverage company hit by cyber-attack
SHM-AU
UPnP flaw exposes millions of network devices to attacks over the Internet
Ars Technica
IoT Security Is a Mess. Privacy ‘Nutrition’ Labels Could Help
WiReD
Apple publishes free resources to improve password security
ZDNet
Satellites Are Capturing the Protests, and Just About Everything Else on Earth
Bloomberg
Multiple US agencies have purchased this mysterious mobile eavesdropping device
TechRadar
Telecom security firm flags ‘potentially huge’ vulnerabilities in Internet infrastructure
Laurens Cerulus
FBI warns hackers are targeting mobile banking apps
The Hill
OpenAI's Text Generator Is Going Commercial
WiReD
Zoom disables accounts of former Tiananmen Square student leader
FT
Amazon bans police use of face recognition tech for one year
CNBC
Data from 15M phones shows some Americans are gathering at pre-pandemic levels
NBC News
The hidden detectors looking for guns and knives
BBC
Trump Order Confronts Big Tech Bias
Lauren Weinstein
Info on RISKS (comp.risks)

Election fiasco: Georgia on my mind

“Peter G. Neumann” <neumann@csl.sri.com>
Fri, 12 Jun 2020 14:09:25 PDT

Nick Corasaniti and Stephanie Saul, In Georgia Election Havoc, a Costly Bet on Tech Led to Meltdown, The New York Times, front page and page A16, 12 Jun 2020

“As Georgia election officials prepared to roll out an over-$100M high-tech voting system last year, good-government groups, a federal judge and election security experts warned of its perils. The new system, they argued, was too convoluted, too expensive, too big—and was still insecure.”

“The problem seems to have been a perfect storm (overused metaphor, but apt here) of new equipment, hasty training and a crush of tasks associated with both getting the mail ballots out the door and processed AND with running an in-person voting operation.” (Charles Stewart III)

“A lot of people saw this coming … There are a lot more things that can go wrong.” (Andrew Appel)

“A Rube Goldberg contraption” (Marilyn Marks)

This is just one more fiasco in a year already marked by fiascos. November does not augur well.

This election might remind RISKS readers of Murphy's Law. However, in this case

“Anything that can go wrong will go wrong.”

might be recast as

“Everything that can go wrong did go wrong.”

So, asks a long-time RISKS reader,

“What's wrong with hand-marked paper ballots?”

Babylon Health app error allowed UK users to watch videos of other patients' private doctor visits (CBC-CA)

“Matthew Kruk” <mkrukg@gmail.com>
Tue, 9 Jun 2020 22:53:41 -0600

https://www.cbc.ca/news/canada/calgary/babylon-health-app-1.5605570


How his photo ended up breaking Android phones (BBC News)

Gabe Goldberg <gabe@gabegold.com>
Wed, 10 Jun 2020 14:34:21 -0400

Gaurav Agrawal, a scientist and amateur photographer living in San Diego, couldn't believe it when he suddenly started seeing a photograph he took last summer popping up on the news. He took it at St Mary Lake in Glacier National Park, Montana, one “magical evening” in August 2019. He shared the snap on photo platform Flickr and thought no more about it.

However, a glitch meant that when the image was set as wallpaper, it caused some Android phones to fail. The handsets would switch on and off repeatedly, requiring a factory reset which meant all data on them was wiped.

https://www.bbc.com/news/technology-52978884


Unusual rodent engine problem has suddenly become ‘super common’ (Freep)

the keyboard of geoff goodfellow <geoff@iconia.com>
Tue, 9 Jun 2020 10:21:50 -1000

There was once a little mouse that caused a big problem.

The critter crawled up in the wheel well of a parked car, made his way over the brakes and up into the engine. Most rodents would stop there, it's a nice nesting spot. But this fella had other plans.

He kept going until he was inside the dashboard and couldn't get out. There, he died (I didn't say it would be a happy story). The rancid and revolting odor compelled the car owner to bring it to Avis Ford in Southfield, where service technicians made the unsavory discovery.

“Usually you find a wiring harness for the engine or the fuel injection system that is all chewed up,” said Avis Ford's Service Manager Larry Sirgany. “We'll find a car that's been sitting for a couple weeks and it will have a big nasty nest in there too.”

Over the years, Sirgany has found plenty of flora and fauna in car engines. There are grass and twig nests and dead—sometimes alive—vermin and lots of chewed wires. The resulting damage is costly to fix.

But this spring, amid the stay home order during the coronavirus pandemic, the rodent ruination to engines has been exceptionally high in some places.

“I've seen a solid dozen to 15 cars with damage in the last six weeks,” Sirgany said. “Typically, I would have two per month this time of year.”

Hundreds in repairs […]

https://www.freep.com/story/money/cars/2020/06/09/rats-rodents-nest-parked-cars-coronavirus/3156961001/


Honda confirms its network has been hit by cyber-attack (ZDNet)

Dave Farber <farber@gmail.com>
Wed, 10 Jun 2020 03:01:48 +0900

https://www.zdnet.com/article/honda-confirms-its-network-has-been-hit-by-cyber-attack/


New CrossTalk attack impacts Intel's mobile, desktop, and server CPUs (ZDNet)

Monty Solomon <monty@roscom.com>
Tue, 9 Jun 2020 20:19:15 -0400

Academics detail a new vulnerability named CrossTalk that can be used to leak data across Intel CPU cores.

https://www.zdnet.com/article/new-crosstalk-attack-impacts-intels-mobile-desktop-and-server-cpus/


Australian beverage company hit by cyber-attack (SHM-AU)

John Colville <John.Colville@uts.edu.au>
Tue, 9 Jun 2020 22:06:35 +0000

http://www.smh.com.au/technology/drinks-giant-lion-hit-by-cyber-attack-as-hackers-target-corporate-australia-20200609-p550pu.html


UPnP flaw exposes millions of network devices to attacks over the Internet (Ars Technica)

Monty Solomon <monty@roscom.com>
Fri, 12 Jun 2020 07:40:11 -0400

Unsafe for more than a decade, universal plug and play strikes again.

https://arstechnica.com/information-technology/2020/06/upnp-flaw-exposes-millions-of-network-devices-to-attacks-over-the-internet/


IoT Security Is a Mess. Privacy ‘Nutrition’ Labels Could Help (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Tue, 9 Jun 2020 20:08:12 -0400

Just like with foods that display health information on the package, researchers are exploring a tool that details how connected devices manage data.

The Internet-of-things security crisis has been building for more than a decade, with unprotected, unpatchable gadgets fueling botnets, getting attacked for nation state surveillance, and just generally being a weak link for networks. Given that IoT security seems unlikely to magically improve anytime soon, researchers and regulators are rallying behind a new approach to managing IoT risk. Think of it as nutrition labels for embedded devices.

https://www.wired.com/story/iot-security-privacy-labels/


Apple publishes free resources to improve password security (ZDNet)

Monty Solomon <monty@roscom.com>
Tue, 9 Jun 2020 20:19:02 -0400

The new tools are meant to help the developers of password managers and Apple hopes the tools will reduce the instances where users choose their own password rather than rely on the password manager.

https://www.zdnet.com/article/apple-publishes-free-resources-to-improve-password-security/


Satellites Are Capturing the Protests, and Just About Everything Else on Earth (Bloomberg)

geoff goodfellow <geoff@iconia.com>
Wed, 10 Jun 2020 09:43:53 -1000

This year has brought immense change, much of it immortalized in high-resolution images from space.

As protesters gathered in Washington over the weekend, their march across the city was documented by photography satellites flying overhead. One particular image stood out and made its way to various television newscasts. It showed the bright yellow Black Lives Matter mural that had been painted on two blocks of asphalt near the White House. It was visual proof that the protests and their message had, in a sense, made their way to space.

The company that took the photo, Planet Labs Inc., has hundreds of satellites floating around Earth, enough that it can snap at least one photo of every spot on the planet every day, according to the startup. Such imagery used to be rare, expensive and controlled by governments. Now, Planet has built what amounts to a real-time accounting system of the earth that just about anyone can access by paying a fee.

Over the next couple months, Planet is embarking on a project that will dramatically increase the number of photos it takes and improve the quality of the images by 25% in terms of resolution. To do that, the company is lowering the orbits of some of its larger, high-resolution satellites and launching a half-dozen more devices. As a result, Planet will go from photographing locations twice a day to as many as 12 times a day in some places.

Customers will also be able to aim the satellites where they want using an automated system developed by Planet. “The schedule is shipped to the satellite, and it knows the plan it needs to follow,” said Jim Thomason, the vice president of products at Planet.

Advancements like this in satellite imaging would have seemed unbelievable to the folks who started working on such research in earnest in the 1960s. Back then, the U.S. had a top-secret operation that entailed putting satellites into orbit, snapping pictures and then ejecting canisters of film from the satellites that tumbled back to Earth to be caught midair by a plane. Analysts would then develop the film and pore over the images looking for Soviet missile sites and other military operations. This Rube Goldbergian process didn't always work well, but it did ultimately result in the U.S. learning that the Russian missile program was not as advanced as officials had feared. […]

https://www.bloomberg.com/news/articles/2020-06-09/black-lives-matter-dc-street-art-captured-by-satellite-in-orbit
https://www.msn.com/en-us/news/technology/satellites-are-capturing-the-protests-and-just-about-everything-else-on-earth/ar-BB15eV19


Multiple US agencies have purchased this mysterious mobile eavesdropping device (TechRadar)

geoff goodfellow <geoff@iconia.com>
Wed, 10 Jun 2020 09:44:50 -1000

Multiple US federal agencies have obtained a mysterious new eavesdropping device thought to be designed to monitor 4G-enabled mobile phones.

Very little is known about the Crossbow device, other than it iterates on the Stingray IMSI-catchers manufactured by Harris, used to trace location data and listen in on phone calls. <https://www.techradar.com/news/governments-will-use-location-data-to-map-spread-of-coronavirus>

While devices of this kind are used by law enforcement and intelligence across the globe, the air of mystery around the kit and a lack of transparency over the way in which it is being deployed has given rise to concern it could be used to infringe upon civil liberties.

Procurement documents show the US Marshals placed an order with Harris for Crossbow devices worth $1.7 million, while the US Army and Navy made similar purchases worth circa $380,000.

Mobile surveillance

IMSI-catchers, or international mobile subscriber identity-catchers, are able to mimic the qualities of a cellphone tower and, by this mechanism, record the SIM card identity, eavesdrop on calls, access text messages and capture location data. […]

https://global.techradar.com/en-za/news/multiple-us-agencies-have-purchased-this-mysterious-mobile-eavesdropping-device


Telecom security firm flags ‘potentially huge’ vulnerabilities in Internet infrastructure (Laurens Cerulus)

“Peter G. Neumann” <neumann@csl.sri.com>
Wed, 10 Jun 2020 14:41:00 PDT

Laurens Cerulus, Politico

BRUSSELS—A key protocol for Internet traffic is riddled with vulnerabilities that pose risks to telecom operators, including the potential to bring down websites and allow fraudsters to set up fake traffic, a telecom security firm said Wednesday.

The protocol “contains a number of vulnerabilities threatening both mobile operators and their clients. As a result, attackers can interfere with network equipment and leave an entire city without communications, impersonate users to access various resources, and use network services at the expense of the operator or subscribers,” Positive Technologies said in a new report. <https://www.politico.eu/wp-content/uploads/2020/06/POLITICO-Positive-Technologies-report-Threat-vector-GTP-June-2020.pdf>

The widespread GTP protocol is used across the board by telecom companies and Internet service providers to manage Internet traffic. It is also used in core parts of Internet networks, meaning the vulnerabilities are likely to persist in coming years as operators build new 5G infrastructure that still relies on 4G core networks.

“It's not like vulnerabilities in software. In the case of GTP, it is a kind of architectural deficiency. It's harder to eliminate,” said Dmitry Kurbatov, chief technology officer at Positive Technologies. The firm performed security tests on dozens of networks in 2018-2019 and found “every network tested was vulnerable” to exploits through the protocol.

The vulnerabilities can be used to target servers with denial-of-service attacks, allow hackers to set up so-called man-in-the-middle attacks that trick people into thinking they are visiting legitimate websites, and even allow operators to send fraudulent traffic to other operators, Kurbatov said.


FBI warns hackers are targeting mobile banking apps (The Hill)

geoff goodfellow <geoff@iconia.com>
Thu, 11 Jun 2020 09:57:09 -1000

The FBI on Wednesday warned that malicious cyber actors were targeting mobile banking apps in an attempt to steal money as more Americans have moved to online banking during the coronavirus pandemic.

In a public service announcement, the FBI noted it expects to see hackers exploit mobile banking platforms, which have seen a 50 percent surge in use since the beginning of the pandemic. <https://www.ic3.gov/media/2020/200610.aspx>

“With city, state, and local governments urging or mandating social distancing, Americans have become more willing to use mobile banking as an alternative to physically visiting branch locations. The FBI expects cyber actors to attempt to exploit new mobile banking customers using a variety of techniques, including app-based banking trojans and fake banking apps.”

The FBI specifically pointed to the threat of banking trojans, which involve a malicious virus hiding on a user's mobile device until a legitimate banking app is downloaded. Once the real app is on the device, the banking trojan then overlays the app, tricking the user into clicking on it and inputting their banking login credentials.

Fake banking apps were also cited as a threat, with users in danger of being tricked into downloading malicious apps that also steal sensitive banking information.

In order to combat these threats, the FBI recommended that Americans only download banking apps from official app stores or from banking websites and that banking app users enable two-factor authentication on their accounts and use strong passwords. […]

https://thehill.com/policy/cybersecurity/502148-fbi-warns-hackers-are-targeting-mobile-banking-apps


OpenAI's Text Generator Is Going Commercial (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Thu, 11 Jun 2020 19:41:13 -0400

The research institute was created to steer AI away from harmful uses. Now it's competing with tech giants to sell a cloud-computing service to businesses.

Last spring, artificial intelligence research institute OpenAI said it had made software so good at generating text—including fake news articles—that it was too dangerous to release. That line in the sand was soon erased when two recent master's grads recreated the software and OpenAI released the original, saying awareness of the risks had grown and it hadn't seen evidence of misuse.

Now the lab is back with a more powerful text generator and a new pitch: Pay us to put it to work in your business. Thursday, OpenAI launched a cloud service that a handful of companies are already using to improve search or provide feedback on answers to math problems. It's a test of a new way of programming AI and the lab's unusual business model.

https://www.wired.com/story/openai-text-generator-going-commercial/


Zoom disables accounts of former Tiananmen Square student leader (FT)

geoff goodfellow <geoff@iconia.com>
Thu, 11 Jun 2020 09:58:10 -1000

Chinese dissidents in US targeted after announcing plans for video call commemorating 1989 massacre

Zoom disabled the accounts of a group of Chinese dissidents in the US after they used its video conference service to commemorate the Tiananmen Square massacre.

Zoom's role in shutting down the meeting, which was hosted and organised by activists in the US but included participants dialing in from China, will increase fears about the platform's security and how it will respond to government censorship requests.

Zoom's video chat service has exploded in popularity since lockdowns were introduced across the globe to slow the spread of Covid-19. The company, which is listed on Nasdaq, has a large operation in China: almost a third of its workers are based in the country and much of its research and development takes place there. It also has servers in China.

The annual Tiananmen Square commemoration was hosted on Zoom by a group of Chinese activists in the US, including Wang Dan, one of the most prominent leaders of the pro-democracy student movement that was crushed by the Chinese army in Beijing on June 4 1989.

Mr Wang's team shared screenshots with the Financial Times of his Zoom call being canceled twice and two of his team's paid Zoom accounts being disabled. The cancellations started just as the meetings were due to begin on the morning of June 4 in Washington, where Mr Wang is based. He added that as of Thursday, the accounts remained disabled. […]

https://www.ft.com/content/f24bc9c6-ed95-4b31-a011-9e3fcd9cf006


Amazon bans police use of face recognition tech for one year (CNBC)

Lauren Weinstein <lauren@vortex.com>
Wed, 10 Jun 2020 14:48:44 -0700

https://www.cnbc.com/2020/06/10/amazon-bans-police-use-of-facial-recognition-technology-for-one-year.html


Data from 15M phones shows some Americans are gathering at pre-pandemic levels (NBC News)

Monty Solomon <monty@roscom.com>
Thu, 11 Jun 2020 22:04:53 -0400

Cellphone location data shows where people are leaving home and coming near other people.

https://www.nbcnews.com/news/us-news/analysis-data-15m-phones-shows-some-americans-are-gathering-pre-n1229636


The hidden detectors looking for guns and knives (BBC)

Richard Stein <rmstein@ieee.org>
Fri, 12 Jun 2020 11:53:42 +0800

https://www.bbc.com/news/business-52734768

Security screens are inconvenient; they slow consumer foot traffic to benefit public safety.

Enter real-time AI to assess the shape and density of concealed objects in high-foot traffic areas (transportation terminals, entertainment venues, office doorways). Potted plants frequently conceal metal and temperature detectors. Some detectors apply passive (non-ionizing) radiation to resolve features.

Add facial recognition to auto-profile using Clearview AI to resolve (erroneously or not, given unknown false{positive, negative}) a name, address, social media linkage, etc.

Significant, possibly panoptic, auto-profile ingress/egress go/no-go processing can promote complacency among security personnel, and raise alarm fatigue risk. Reducing human security footprint (aka business operational expense) is apparently a key motive fueling the business.

Surveillance-enabling technologies seek to displace Barney beagle and other manual inspection deterrents. Over-reliance on deployed technology, without demonstrable public safety benefits (as measured by false positive/negative outcome, etc. versus human inspection) may prove catastrophic.


Trump Order Confronts Big Tech Bias (Whitehouse)

Lauren Weinstein <lauren@vortex.com>
Wed, 10 Jun 2020 14:55:24 -0700

<https://www.whitehouse.gov/presidential-actions/executive-order-preventing-online-censorship/>

President Trump finally issued an Executive Order targeting viewpoint discrimination by Big Tech social media companies. The Order grows out of Trump's summit on this thorny issue last July. Topping the list of targets are Facebook, Twitter, Instagram, YouTube and Google, but there are many other possibilities.

This form of discrimination is very much uncharted legal territory. The chosen central concept for Big Tech wrongdoing is censorship, as the EO is titled Executive Order on Preventing Online Censorship. This choice in itself is a strategic legal decision.

The Order is basically a hunting license for federal agencies. There are two distinct parts. The first is basically laying out a number of legal arguments. If you are not familiar with the legal issues this may seem like empty rhetoric, but it is actually the opposite. The lawyers who wrote this order are preparing to stand before a judge.

In fact the Order begins by focusing on the present law, which protects Big Tech from liability when they publish someone else's content. Here is the opening paragraph on that legal issue. Note that it is presented as a Federal policy. […]

https://papundits.wordpress.com/2020/06/11/trump-order-confronts-big-tech-bias/
