The RISKS Digest
Volume 32 Issue 01

Tuesday, 16th June 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents

Russia Exploits Conspiracy Mill Americans Built
Nicole Perlroth
Fox News runs digitally altered images in coverage of Seattle's protests in the Capitol Hill Autonomous Zone
sundry sources
Harassment and cyberstalking
Travis Andersen
Elite CIA unit that developed hacking tools failed to secure its own systems, allowing massive leak, an internal report found
WashPost
Digitality, Personal Security & Privacy Risks
Robert Mathews
South African bank to replace 12M cards after employees stole master key
ZDNet
Spies Can Listen to Your Conversations by Watching a Light Bulb in the Room
The Hacker News
Feds allege eBay terror campaign against Natick publishers of articles the company didn't like
Universal Hub
USA T-Mobile Hit by Widespread Voice and Data Outage
jonathan spira
Google is messing with the address bar again—new experiment hides URL path
Ars Technica
30,000 Unsuspecting Rose Bowl Attendees Were Scooped Up in a Facial Recognition Test
Medium
Joanna Hoffman: Facebook is peddling ‘an addictive drug called anger’
CNBC
Why jK8v!ge4D isn't a good password
Toward Data Science
IoT Nutrition Labels
Keith Medcalf
What Zebra Mussels Can Tell Us About Errors In Coronavirus Tests
npr.org
Re: Election fiasco: Georgia on my mind
Bob Brown
Re: Multiple US agencies have purchased this mysterious mobile
Steve Singer
Info on RISKS (comp.risks)

Russia Exploits Conspiracy Mill Americans Built (Nicole Perlroth)

“Peter G. Neumann” <neumann@csl.sri.com>
Tue, 16 Jun 2020 11:55:14 PDT

The New York Times front page today 16 Jun 2020 [PGN-ed]

This is a remarkably comprehensive take on the saga that began in the Iowa caucuses in February 2016, Robby Mook (who was falsely accused of developing the app that came from Shadow Inc.), the Kremlin-backed Russian Internet Research Agency, and more that continues today.

Clint Watts, former FBI special agent: “The Kremlin doesn't need to make fake news any more. It's all American made.”

Russians have concluded that it is easier to identify divisive content from real Americans [rather than masquerading as real Americans] and help it spread through low-profile networks of social media accounts.

Cindy Otis, former CIA analyst: “Russia's trolls learned it is far more effective to find the sore spots and amplify content by native English speakers than it is to spin out their own wackadoodle conspiracy theories.”

@DanRadov [who had earlier promulgated various Russian fake news as formerly @DanWals83975326, and who is still active]: “U.S. has long been in the position when one spark can burn the whole country down and all of the United West for that matter. Buckle your seatbelts people. We are up for a rough ride.”


Fox News runs digitally altered images in coverage of Seattle's protests in the Capitol Hill Autonomous Zone (sundry sources)

Monty Solomon <monty@roscom.com>
Mon, 15 Jun 2020 19:19:11 -0400

Fox News published digitally altered and misleading photos on stories about Seattle's Capitol Hill Autonomous Zone (CHAZ) in what photojournalism experts called a clear violation of ethical standards for news organizations.

As part of a package of stories Friday about the zone, where demonstrators have taken over several city blocks on Capitol Hill after Seattle police abandoned the East Precinct, Fox's website for much of the day featured a photo of a man standing with a military-style rifle in front of what appeared to be a smashed retail storefront.

The image was actually a mashup of photos from different days, taken by different photographers ” it was done by splicing a Getty Images photo of an armed man, who had been at the protest zone June 10, with other images from May 30 of smashed windows in downtown Seattle. Another altered image combined the gunman photo with yet another image, making it appear as though he was standing in front of a sign declaring “You are now entering Free Cap Hill.”

https://www.seattletimes.com/seattle-news/politics/fox-news-runs-digitally-altered-images-in-coverage-of-seattles-protests-capitol-hill-autonomous-zone/

Fox News Removes a Digitally Altered Image of Seattle Protests Fox News acknowledged that one photo was a combination of several images, and a second was taken in a different city. https://www.nytimes.com/2020/06/13/business/media/fox-news-george-floyd-protests-seattle.html

Fox News Removes Digitally Altered, Misleading Photos of Seattle ‘Autonomous Zone’ From Website https://time.com/5853408/fox-news-altered-photo-seattle/

Fox News removes altered images from Seattle protest https://www.axios.com/fox-news-removes-seattle-protest-altered-images-dfad3cf6-3784-4eaf-89e8-896705387d64.html


Harassment and cyberstalking (Travis Andersen)

Monty Solomon <monty@roscom.com>
Mon, 15 Jun 2020 14:30:48 -0400

‘We are going to crush this lady’: Six former eBay employees charged in federal cyberstalking case targeting Natick couple

Travis Andersen, The Boston Globe, 15 Jun 2020

Six eBay employees including a former police captain in California last year engaged in a relentless campaign of harassment and cyberstalking of a Natick couple that published a newsletter critical of the online retailer, sending items including fly larvae, live spiders, and a bloody pig mask to their home and traveling to Massachusetts to conduct surveillance of the victims in an effort to get them to stop publishing, authorities alleged Monday.

https://www.bostonglobe.com/2020/06/15/metro/six-former-ebay-employees-charged-federal-cyberstalking-case-targeting-natick-couple/


Elite CIA unit that developed hacking tools failed to secure its own systems, allowing massive leak, an internal report found (WashPost)

Monty Solomon <monty@roscom.com>
Tue, 16 Jun 2020 10:33:59 -0400

The publication of ‘Vault 7’ cyber tools by WikiLeaks marked the largest data loss in agency history, a task force concluded.

https://www.washingtonpost.com/national-security/elite-cia-unit-that-developed-hacking-tools-failed-to-secure-its-own-systems-allowing-massive-leak-an-internal-report-found/2020/06/15/502e3456-ae9d-11ea-8f56-63f38c990077_story.html


Digitality, Personal Security & Privacy Risks (sundry sources)

“Robert Mathews (OSIA)” <mathews@hawaii.edu>
Fri, 12 Jun 2020 17:20:10 -0700 (PDT)

Who are their targets? NGOs, Journalists, Activists for now…. but, literally, ANYONE and EVERYONE are at risk … Immediately following are TWO VERY different reports that represent TWO very DIFFERENT angles and hazards to personal safety, personal security and personal privacy in the digital universe.

John Scott-Railton, Adam Hulcoop, Bahr Abdul Razzak, Bill Marczak, Siena Anstis, and Ron Deibert, Dark Basin, Uncovering a Massive Hack-For-Hire Operation, THE CITIZEN LAB, 9 Jun 2020 https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/

and… “The thrill of the hunt”… except, in this case… the fox may not have a tail, be red… or even be a fox! …

MISTAKEN IDENTITY Olivia Nuzzi, New York Magazine - Intelligencer, 8 Jun 2020 What It's Like to Get Doxed for Taking a Bike Ride

https://nymag.com/intelligencer/2020/06/what-its-like-to-get-doxed-for-taking-a-bike-ride.html

Sasha Ingber, Newsy, 11 Jun 2020 Former Air Force Officer Fears Intelligence Collected On Protesters

https://www.newsy.com/stories/surveillance-planes-above-floyd-protests/


South African bank to replace 12M cards after employees stole master key (ZDNet)

“Peter G. Neumann” <neumann@csl.sri.com>
Mon, 15 Jun 2020 10:33:31 PDT
[Thanks to Gene Spafford]

https://www.zdnet.com/article/south-african-bank-to-replace-12m-cards-after-employees-stole-master-key/


Spies Can Listen to Your Conversations by Watching a Light Bulb in the Room (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Sun, 14 Jun 2020 11:04:02 -1000

You might not believe it, but it's possible to spy on secret conversations happening in a room from a nearby remote location just by observing a light bulb hanging in there—visible from a window—and measuring the amount of light it emits.

A team of cybersecurity researchers has developed and demonstrated a novel side-channel attacking technique that can be applied by eavesdroppers to recover full sound from a victim's room that contains an overhead hanging bulb.

The findings were published in a new paper by a team of academics—en Nassi, Yaron Pirutin, Adi Shamir, Yuval Elovici and Boris Zadov—from the Israeli's Ben-Gurion University of the Negev and the Weizmann Institute of Science, which will also be presented at the Black Hat USA 2020 conference later this August. <https://www.blackhat.com/us-20/briefings/schedule/index.html#lamphone-real-time-passive-reconstruction-of-speech-using-light-emitted-from-lamps-20599>

The technique for long-distance eavesdropping, called “Lamphone <https://www.nassiben.com/lamphone>,” works by capturing minuscule sound waves optically through an electro-optical sensor directed at the bulb and using it to recover speech and recognize music.

How Does the ‘Lamphone Attack’ Work?. […] https://thehackernews.com/2020/06/lamphone-light-bulb-spy.html


Feds allege eBay terror campaign against Natick publishers of articles the company didn't like (Universal Hub)

Monty Solomon <monty@roscom.com>
Mon, 15 Jun 2020 21:30:29 -0400

https://www.universalhub.com/2020/feds-allege-ebay-terror-campaign-against-natick


USA T-Mobile Hit by Widespread Voice and Data Outage

<jonathan.spira@accuramediagroup.com>
June 16, 2020 at 10:07:52 GMT+9

This has been driving us crazy all day…

T-Mobile Hit by Widespread Voice and Data Outage

“T-Mobile customers across the country are reporting issues placing and receiving calls as well as when using data services. The self-proclaimed Uncarrier said it began to experience an unspecific network outage that is impacting hundreds of thousands of customers starting in the early afternoon.”

“Our engineers are working to resolve the widespread voice and text issue,” the company said on its website. It went on to recommend that customers use third-party messaging.


Google is messing with the address bar again—new experiment hides URL path (Ars Technica)

Lauren Weinstein <lauren@vortex.com>
Mon, 15 Jun 2020 11:44:50 -0700

[BAD IDEA!]

I've noted in the past why this is a TERRIBLE idea. Yes, URLs can be long and messy, but they frequently provide critical cues that you're on the correct pages. Further tampering with them is an invitation to new kinds of confusion and hack attacks.

Google is messing with the address bar again—new experiment hides URL path

https://arstechnica.com/gadgets/2020/06/google-is-messing-with-the-address-bar-again-new-experiment-hides-url-path/


30,000 Unsuspecting Rose Bowl Attendees Were Scooped Up in a Facial Recognition Test (Medium)

Lauren Weinstein <lauren@vortex.com>
Fri, 12 Jun 2020 16:49:18 -0700

https://onezero.medium.com/90-000-unsuspecting-rose-bowl-attendees-were-scooped-up-in-a-facial-recognition-test-18c843909858


Joanna Hoffman: Facebook is peddling ‘an addictive drug called anger’ (CNBC)

Dave Farber <farber@gmail.com>
Sat, 13 Jun 2020 17:23:32 +0900

https://www.cnbc.com/2020/06/12/joanna-hoffman-facebook-is-peddling-an-addictive-drug-called-anger.html


Why jK8v!ge4D isn't a good password (Toward Data Science)

Monty Solomon <monty@roscom.com>
Sat, 13 Jun 2020 11:57:13 -0400

There's a fundamental issue with password validation

https://towardsdatascience.com/why-password-validation-is-garbage-56e0d766c12e


IoT Nutrition Labels

“Keith Medcalf” <kmedcalf@dessus.com>
Sat, 13 Jun 2020 08:33:52 -0600

The major items missing from the “Nutrition Label” is whether or not the “Thing” will still “Thing” when the “Internet” is not and never has been present.

Without that information it is impossible for any rational decision to be made and one must assume that the “Thing” will not “Thing” and is therefore completely unsuitable for use.


What Zebra Mussels Can Tell Us About Errors In Coronavirus Tests (npr.org)

Richard Stein <rmstein@ieee.org>
Tue, 16 Jun 2020 09:03:14 +0800

https://www.npr.org/sections/health-shots/2020/06/15/871186164/what-zebra-mussels-can-tell-us-about-errors-in-coronavirus-tests

Good discussion of false negative/positive outcomes for polymerase chain reaction (PCR) diagnostic tests.

“The PCR tests, when done perfectly, do boast a very low false-positive rate. But they're not always done perfectly.

“Certified labs like hers use procedures to reduce the risk of false test results, since a false-positive test can lead to a medical misdiagnosis. But slip-ups are inevitable.

“Most errors are caused by poor sample handling or other errors even before a sample gets to the lab, she says.

“And PCR is so incredibly sensitive, contamination is a particular concern. Even the tiniest amount of stray material in a lab can spell trouble, Pritt says.”


Re: Election fiasco: Georgia on my mind (RISKS-31.99)

Bob Brown <Bob.Brown@EmoryCottage.net>
Fri, 12 Jun 2020 21:19:33 -0400

Every registered voter in Georgia received an absentee ballot request form. While the voter still had to return the form to receive an absentee ballot, every Georgia voter had an opportunity to vote using an hand-marked paper ballot submitted by postal mail.


Re: Multiple US agencies have purchased this mysterious mobile eavesdropping device (RISKS-31.98)

Steve Singer <sws@dedicatedresponse.com>
Sat, 13 Jun 2020 10:09:56 -0400

The only way to view site content is to disable ad blocking or more generally, script blocking—and I find that unappealing, even temporarily.

A business model apparently overrides any information-providing mission. My personal vote is thumbs-down; others are free to choose differently.

- - - - -

“AD BLOCKER INTERFERENCE DETECTED

Thank you for visiting this site. Unfortunately we have detected that you might be running custom adblocking scripts or installations that might interfere with the running of the site.

We don't mind you running adblocker, but could you please either disable these scripts or alternatively whitelist the site, in order to continue. Thanks for your support”

Please report problems with the web pages to the maintainer

Top