The RISKS Digest
Volume 30 Issue 37

Friday, 14th July 2017

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

DIY devices let car owners add autonomous features to vehicles
Carolyn Said via PGN
Kaspersky in the crosshairs
Engadget
Requested voter details may be gold for cybercriminals
John Wildermuth
On the request for states to provide all personal info on voters
The Washington Post
FTC Halts Operation That Unlawfully Shared and Sold Consumers' Sensitive Data
FTC
Two Former Employees of House Member Indicted On Federal Charges in Cyberstalking Case
DoJ
The White House just posted the emails of critics without censoring sensitive personal information
Vox via Lauren Weinstein
Beware of a new scam involving "relatives" and gift cards
CBS
Computerization and overnight train service
Mark Brader
Why fact-checking 'fake news' stories is a waste of time
WeForum
Web gets built-in copy protection hooks with a few key flaws
Engadget
"Charging Phone Kills 14-Year-Old Girl in Bathtub"
Harriet Sinclair
Funny how these articles are all the same...
Gabe Goldberg
Woman's selfie causes $200,000 of damage to LA art exhibit
Pamela Ng
FDA Deal Would Relax Rules on Reporting Medical Device Problems
The New York Times
Judges refuse to order fix for court software that put people in jail by mistake
Ars Technica
Cloud Leak: How A Verizon Partner Exposed Millions of Customer Accounts
UpGuard
Backdoor built in to widely used tax app seeded last week's NotPetya outbreak
Ars Technica
Hackers have been stealing credit card numbers from Trump's hotels for months
The Washington Post
Everybody lies: how Google search reveals our darkest secrets
The Guardian
Re: Volvo admits its self-driving cars are confused by kangaroos
Dave Horsfall
Re: Western tech firms bow to Russian demands to share cybersecrets
Anthony Youngman
Press kits or other publications on thumb drives?
Gabe Goldberg
Info on RISKS (comp.risks)

DIY devices let car owners add autonomous features to vehicles

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 12 Jul 2017 16:33:21 PDT
Carolyn Said, San Francisco Chronicle, Business Report, C1, 7 Jul 2017
(PGN-ed)

The original goal of some developers was to provide kits to enable owners to
retrofit conventional cars to be self-driving.  The article mentions Panda,
OpenPilot, Chffr, Cabana, Comma, Neodriven, and more.  “The adaptive
cruise-control from Honda Sensing is almost embarrassing in bumper-to-bumper
traffic; it drives just like a 16-year-old just learning.''  Fascinating
article, but lacking in assurance that nothing bad is likely to happen.

Risks (totally unmentioned, and often left to the imagination of RISKS
readers) might include (for example),

* Tinkering with (enhancing) the kits

* Disabling kit-provided safety features, intentionally or unintentionally?

* Providing new or augmented kits that can alter the hardware and software
  of off-the-shelf kit-based hand-tinkered conventional cars, or in emerging
  self-driving cars

* Disrupting surrounding vehicles (e.g., passing in heavy traffic, or
  jamming communications of neighboring vehicles), circumventing rules and
  regulations, and lots more.


Kaspersky in the crosshairs (Engadget)

Lauren Weinstein <lauren@vortex.com>
Fri, 14 Jul 2017 15:25:05 -0700
via NNSquad
https://www.engadget.com/2017/07/14/kaspersky-in-the-crosshairs/ Kaspersky
  is in what you might call "a bit of a pickle."  The Russian cybersecurity
  firm, famous for its antivirus products and research reports on active
  threat groups is facing mounting accusations of working with, or for, the
  Russian government.  These accusations have been made in press and infosec
  gossip for years. In the past month there's been more scuttlebutt in the
  press, an NSA probe surfaced, and the Senate got involved by pushing for a
  product ban. This week things reached a peak with fresh accusations from
  Bloomberg and a surprising attack from the Trump administration. Which is
  odd, considering how eager the current regime is to please and grease the
  wheels of its Russian counterparts.  Either way, Kaspersky is really in a
  tight spot this time. The hammer dropped Tuesday when Bloomberg published
  Kaspersky Lab Has Been Working With Russian Intelligence. It comes from
  the same reporters who started 2015's "banyagate," in which Kaspersky Lab
  Has Close Ties to Russian Spies alleged CEO Eugene Kaspersky colluded with
  Russian intel in secret sauna meetings.


Requested voter details may be gold for cybercriminals (John Wildermuth)

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 7 Jul 2017 7:49:57 PDT
John Wildermuth, *San Francisco Chronicle*, front page, 7 Jul 2017

The article caption tells it all for RISKS readers.

  "Kobach could be setting up a one-stop shop of personal information that
  would be a treasure trove not only for shady online entrepeneurs, but also
  for identity thieves and criminal hackers."


On the request for states to provide all personal info on voters

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 10 Jul 2017 17:43:57 PDT
https://www.washingtonpost.com/local/public-safety/trump-voting-panel-tells-states-to-hold-off-sending-data-while-court-weighs-privacy-impact/2017/07/10/c4c837fa-6597-11e7-a1d7-9a32c91c6f40_story.html

Trump voting panel tells states to hold off sending data while court weighs
privacy impact

President Trump's voting commission on Monday asked states and the District
to hold off submitting the sweeping voter data the panel had requested until
a federal judge in Washington decides whether the White House has done
enough to protect Americans' privacy.

The Electronic Privacy Information Center (EPIC), a watchdog group, has
asked U.S. District Judge Colleen Kollar-Kotelly to block the commission's
data request, arguing that the panel had not conducted the full privacy
impact statement required by federal law for new government electronic
data-collection systems.

Separately Monday, two civil liberties groups filed lawsuits to prevent the
commission from holding its first scheduled meeting next week, alleging that
the panel had been working in secret and in violation of government
regulations on public transparency.

The two new lawsuits add to the potential roadblocks faced by the
commission, whose request for voting information from more than 150 million
registered voters has drawn bipartisan criticism across the states as an
assault on privacy and states' rights and a stealth attempt at voter
suppression.  [...]


FTC Halts Operation That Unlawfully Shared and Sold Consumers' Sensitive Data (FTC)

Monty Solomon <monty@roscom.com>
Fri, 7 Jul 2017 10:29:26 -0400
Lead generation firm earned millions by falsely promising to match consumers
with low-rate loans
https://www.ftc.gov/news-events/press-releases/2017/07/ftc-halts-operation-unlawfully-shared-sold-consumers-sensitive


Two Former Employees of House Member Indicted On Federal Charges in Cyberstalking Case (DoJ)

Gabe Goldberg <gabe@gabegold.com>
Thu, 13 Jul 2017 20:31:36 -0400
WASHINGTON – Two former staff employees of a member of the U.S. House of
Representatives have been indicted following an investigation into the
circulation of private, nude images and videos of the member and the
member's spouse, announced U.S. Attorney Channing D. Phillips and Matthew
R. Verderosa, Chief of the United States Capitol Police. ...

The indictment alleges that, during the course of his employment, McCullum
offered in March 2016 to assist the House member in repairing the member’s
malfunctioning, password-protected cellular iPhone by taking the device to a
local Apple store. According to the indictment, the House member provided
McCullum with the device solely to have the iPhone repaired. McCullum was
not given permission to take, copy, or distribute any of the contents of the
iPhone. The iPhone contained the private, nude images and videos.

https://www.justice.gov/usao-dc/pr/two-former-employees-house-member-indicted-federal-charges-cyberstalking-case

  Well, of course—what could go wrong?


The White House just posted the emails of critics without censoring sensitive personal information

Lauren Weinstein <lauren@vortex.com>
July 14, 2017 at 4:31:10 PM EDT
INCOMPETENT and ILLEGAL!
https://www.vox.com/policy-and-politics/2017/7/14/15973464/white-house-election-integrity-doxx

  The White House just responded to concerns it would release voters'
  sensitive personal information by releasing a bunch of voters' sensitive
  personal information.  Last month, the White House's "election integrity"
  commission sent out requests to every state asking for all voters' names,
  party IDs, addresses, and even the last four digits of their Social
  Security numbers, among other information.  The White House then said this
  information would be made available to the public.  A lot of people did
  not like the idea, fearing that their personal information could be made
  public. So some sent emails to the White House, demanding that it rescind
  the request.  This week, the White House decided to make those emails from
  concerned citizens public through the commission's new website. But the
  administration made a big mistake: It didn't censor any of the personal
  information—such as names, email addresses, actual addresses, and phone
  numbers—included in those emails.  In effect, the White House just
  released the sensitive personal information of a lot of concerned citizens
  giving feedback to their government. That's made even worse by the fact
  that the White House did this when the thing citizens were complaining
  about was the possibility that their private information would be made
  public.  As of Friday afternoon, the emails are still uncensored and
  available on the White House's website. They include all sorts of
  feedback, from concerns about privacy to outright insults of the Trump
  administration. One email just links to an image of the terrifying
  pornographic meme Goatse. (Do not Google this if you value your eyes.)


Beware of a new scam involving "relatives" and gift cards (CBS)

Monty Solomon <monty@roscom.com>
Fri, 7 Jul 2017 09:04:03 -0400
In a new twist on an old phone scam, criminals are preying on family ties by
asking people to buy gift cards to help relatives they falsely claim are in
trouble.

http://www.cbsnews.com/news/beware-of-a-new-scam-involving-relatives-and-gift-cards/


Computerization and overnight train service

Mark Brader
Sun, 9 Jul 2017 00:11:51 -0400 (EDT)
Once upon a time, if you were operating a train service and you decided
to extend its operating hours to run all night, your only concerns would
be finding the staff to operate it, and what to do about maintenance that
formerly occurred during the nightly downtime.

Last year the London Underground began two nights per week of all-night
operations on some lines, with continuous service from Friday morning
through Sunday evening.  And according to Mark Curran in the June
issue of "Modern Railways" magazine:

|  The greatest single cost in implementing Night Tube has been
|  modifications to the signalling systems, which were not designed
|  to operate through the end/beginning of the traffic day at 03:00.
|  The next day's timetables are uploaded around this time and the
|  signalling and control systems undertake various test routines.
|
|  The typical issues were self-tests bringing all trains to
|  a halt... loss of train control data... loss of any customer
|  information on the train or platform, and extended periods when
|  trains would need to be manually signalled.
|
|  ...The ticketing system on the Underground was also not designed to
|  operate through the end/beginning of the ticketing day at 04:30...
|  a customer touching in at 04:15 and out at 04:45 would be charged
|  two incomplete single journeys...

Of course the systems would not have been designed this way if overnight
service had already been contemplated when they were introduced.


Why fact-checking 'fake news' stories is a waste of time (WeForum)

Lauren Weinstein <lauren@vortex.com>
Mon, 10 Jul 2017 16:41:35 -0700
via NNSquad
https://www.weforum.org/agenda/2017/07/why-fact-checking-fake-news-stories-is-a-waste-of-time

  A new study suggests that fact-checking has little influence on what
  online news media covers, and fact-checks of false news stories spreading
  online--"fake news"--may use up resources newsrooms could better use
  covering substantive stories.

Don't bother fact checking them.  When they're clearly false by reasonable
objective measures, delete them—or alternatively, de-rank them into
oblivion in search results and post surfacing algorithms.


Web gets built-in copy protection hooks with a few key flaws

Lauren Weinstein <lauren@vortex.com>
Sat, 8 Jul 2017 11:10:45 -0700
via NNSquad
https://www.engadget.com/2017/07/08/w3c-approves-built-in-web-copy-protection-hook/

  Like it or not, the web is getting some built-in padlocks. The World Wide
  Web Consortium has decided to publish Encrypted Media Extensions, a
  standard for hooking copy protection into web-based streaming video,
  without making significant changes to a version agreed to in March.  While
  it's not perfect, the W3C argues (you still need to deal with a vendor's
  content decryption module), it's purportedly better than the
  make-it-yourself approach media providers have to deal with right now.
  There do appear to be some improvements to the status quo for digital
  rights management. However, there are more than a few detractors—there
  are concerns that the W3C simply ignored concerns in the name of
  expediency.

This really has become necessary.


"Charging Phone Kills 14-Year-Old Girl in Bathtub" (Harriet Sinclair)

Gene Wirchenko <genew@telus.net>
Wed, 12 Jul 2017 19:38:55 -0700
[There is something to be said for understanding the basics of technology. GW]

Harriet Sinclair, *Newsweek*, 11 Jul 2017
http://www.newsweek.com/teenager-madison-coe-killed-after-using-cell-phone-bath-635208

opening text:

A teenager has been killed after using her cell phone in the bath and
suffering an electric shock.  Madison Coe, 14, died at her father's home in
Lovington, New Mexico, on Sunday in an accident her family said took place
when she either plugged in her phone or reached for a phone that was already
plugged into the wall while she was in the bath.


Funny how these articles are all the same...

Gabe Goldberg <gabe@gabegold.com>
Thu, 13 Jul 2017 17:34:05 -0400
https://www.linkedin.com/pulse/realizing-potential-blockchain-don-tapscott

...repeating "It's wonderful" with no details how it works.  An
encryption-savvy colleague has said this quickly gets into the weeds—but
how about clues on how (for example (quoting):

Realizing the Potential of Blockchain

Innovators are programming this new digital ledger to record anything of
value to humankind – birth and death certificates, marriage licenses, deeds
and titles of ownership, rights to intellectual property, educational
degrees, financial accounts, medical history, insurance claims, citizenship
and voting privileges, location of portable assets, provenance of food and
diamonds, job recommendations and performance ratings, charitable donations
tied to specific outcomes, employment contracts, managerial decision rights
and anything else that we can express in code.

---

It's always proof by assertion with NO insight how these wildly different
functions will be implemented. And regarding this idea—give me a break,
put everyone's IoT online for sharing? What could go wrong with THAT? The
emperor may actually have a fine wardrobe but I'm awaiting the fashion show.

Paul Brody, principal and global innovation leader of blockchain technology
at Ernst & Young, thinks that all our appliances should donate their
processing power to the upkeep of a blockchain: “Thanks to the smartphone
business driving very low-cost systems, your lawnmower or dishwasher is
going to come with a CPU that is probably a thousand times more powerful
than it actually needs, so why not have the appliance mine? Not to make
money, but to contribute to the security and viability of the blockchain as
a whole,” he said.


Woman's selfie causes $200,000 of damage to LA art exhibit (Pamela Ng)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Fri, 14 Jul 2017 12:14:21 -0600
Pamela Ng, Fox News, 14 Jul 2017

http://www.foxnews.com/tech/2017/07/14/womans-selfie-causes-200000-damage-to-la-art-exhibit.html

  A woman taking a selfie at a Los Angeles art exhibit sent shockwaves
  around the room after knocking over several displays, causing $200,000 in
  damage.

  The unidentified woman was at The 14th Factory for the "Hypercaine"
  installation when she appeared to crouch down in front of one of the
  displays for a photo and fall backwards, video of the incident shows.


FDA Deal Would Relax Rules on Reporting Medical Device Problems

Monty Solomon <monty@roscom.com>
Thu, 13 Jul 2017 23:14:05 -0400
The makers of cardiac defibrillators, insulin pumps, breast implants and
other devices will be able to delay the reporting of malfunctions under an
agreement headed to Congress.

https://www.nytimes.com/2017/07/11/health/fda-medical-device-problems-rules.html


Judges refuse to order fix for court software that put people in jail by mistake (Ars Technica)

Monty Solomon <monty@roscom.com>
Wed, 28 Jun 2017 23:42:34 -0400
https://arstechnica.com/tech-policy/2017/06/appeals-court-public-defender-lacks-standing-in-dispute-over-court-software/


Cloud Leak: How A Verizon Partner Exposed Millions of Customer Accounts (UpGuard)

Monty Solomon <monty@roscom.com>
Fri, 14 Jul 2017 09:49:54 -0400
https://www.upguard.com/breaches/verizon-cloud-leak


Backdoor built in to widely used tax app seeded last week's NotPetya outbreak

Monty Solomon <monty@roscom.com>
Mon, 10 Jul 2017 08:39:12 -0400
Operation that hit thousands was “thoroughly well-planned and well-executed.”
https://arstechnica.com/security/2017/07/heavily-armed-police-raid-company-that-seeded-last-weeks-notpetya-outbreak/


Hackers have been stealing credit card numbers from Trump's hotels for months

Monty Solomon <monty@roscom.com>
Wed, 12 Jul 2017 21:53:50 -0400
This is the third cybersecurity breach to hit the luxury hotel chain since 2014.
https://www.washingtonpost.com/news/business/wp/2017/07/11/hackers-have-been-stealing-credit-card-numbers-from-trumps-hotels-for-months/


Everybody lies: how Google search reveals our darkest secrets (The Guardian)

Monty Solomon <monty@roscom.com>
Sun, 9 Jul 2017 09:53:26 -0400
https://www.theguardian.com/technology/2017/jul/09/everybody-lies-how-google-reveals-darkest-secrets-seth-stephens-davidowitz


Re: Volvo admits its self-driving cars are confused by kangaroos (The Guardian)

Dave Horsfall <dave@horsfall.org>
Wed, 12 Jul 2017 10:06:48 +1000 (EST)
A colleague told me that the vehicle determines the distance to the object
by the apparent height above ground from the camera's point of view, thus a
mid-air roo appears to be further away than it really is.  And when it
lands...

Dave Horsfall, Unit 13, 79 Glennie St, North Gosford NSW 2250, Australia


Re: Western tech firms bow to Russian demands to share cybersecrets (Ward, RISKS-30.35)

Anthony Youngman <antlists@youngman.org.uk>
Fri, 7 Jul 2017 20:15:43 +0100
Unfortunately, formal methods also lead you to the proof that your formal
proof is worthless ... to many people believe (Godel's proof to the contrary
notwithstanding) that it is possible to guarantee that systems are bug-free.

A formal proof is mathematics. It is only as good as its axioms (which by
definition are unprovable). And, as we keep on discovering, all too often
reality has a habit of saying "you've got the wrong axioms". To say nothing
of Godel's proof that you can NOT get all your axioms right even within the
world of logic, let alone align them correctly with reality.

Then of course, there is the little problem that any program of any size
will likely exhibit knapsack complexity, ie an automated proof would take
longer than the universe has existed.

That's not to decry formal proofs, or even the attempt thereat. They are a
very useful tool, but you need to remember that they *guarantee* *nothing*
in reality.

  [Reality guarantees nothing in reality either.  It's the total system that
  counts, including squirrels, cosmic rays, and whatever might bite you.
  PGN]


Press kits or other publications on thumb drives? [RE:????]

Gabe Goldberg <gabe@gabegold.com>
Thu, 13 Jul 2017 17:41:24 -0400
Interesting comments on material distributed that way:

  (E.g., "Blue Cross wants you to insert this USB card into your computer.
  You'd be safer inserting it into your you-know-what.)

https://plus.google.com/+LaurenWeinstein/posts/4TS3iRwjXuo

...of course, how do you check out shrink-wrapped commercial thumb drives
products without potentially compromising your systems?

Please report problems with the web pages to the maintainer

x
Top