
RISKS Digest 30.51

Wednesday 19 December 2017

ATL Hartsfield-Jackson Airport loses all power

CNN <neumann@csl.sri.com>

Date: Sun, 17 Dec 2017 14:02:33 PST

http://www.cnn.com/2017/12/17/us/atlanta-airport-power-outage/index.html

[This one is in need of some definitive explanation. There are reports that some Georgia power equipment might have failed, caught fire, and damaged adjacent circuit cables and switches, wiping out redundant backup facilities. If that is the case, this is just one more example of bad system design. PGN]

A more mundane air travel risk

Jeremy Epstein <jeremy.j.epstein@gmail.com>

Date: Thu, 30 Nov 2017 16:52:21 -0500

RISKS includes numerous discussions of air travel risks, from vulnerabilities in airplane software, to crashes in airline reservation systems, pricing errors, etc. This one is more mundane—a bug in American Airlines' pilot scheduling software allowed too many pilots to request vacation during the busy holiday travel season. The result is not enough pilots to fly all the scheduled flights, although the airline and unions disagree on how many flights will be affected.

https://www.washingtonpost.com/news/dr-gridlock/wp/2017/11/30/american-airlines-says-only-a-few-hundred-flights-are-without-pilots-for-christmas-travel/

Claims container ship's navigation system "hacked"

danny burstein <dannyb@panix.com>

Date: Tue, 28 Nov 2017 19:03:59 -0500

[UK news service]

Hackers took 'full control' of container ship's navigation systems for 10 hours

In February 2017 hackers reportedly took control of the navigation systems of a German-owned 8,250 teu container vessel en route from Cyprus to Djibouti for 10 hours. "Suddenly the captain could not manoeuvre," an industry source who did not wish to be identified told Fairplay sister title Safety At Sea (SAS). "The IT system of the vessel was completely hacked."

There are three German shipowners that operate eight vessels between 8,200 and 8,300 teu, according to IHS Markit data, one of which confirmed knowledge of the attack to SAS but denied it was a vessel from their own company.

While details are limited, according to the source, the 10-hour attack was carried out by "pirates" who gained full control of the vessel's navigation system intending to steer it to an area where they could board and take over. The crew attempted to regain control of the navigation system but had to bring IT experts on board, who eventually managed to get them running again after hours of work.

rest: https://www-asket-co-uk.cdn.ampproject.org/c/s/www.asket.co.uk/single-post/2017/11/26/Hackers-took-full-control-of-container-ships-navigation-systems-for-10-hours-AsketOperations-AsketBroker-ELouisv-IHS4SafetyAtSea-TanyaBlake-cybersecurity-piracy-shipping

Commentary on the risks of technology and climate change

Rob Slade <rmslade@shaw.ca>

Date: Fri, 15 Dec 2017 11:34:35 -0800

An amusing observation on Twitter:

https://twitter.com/joelrubin/status/938574971852304384

"The Los Angeles Police Department asked drivers to avoid navigation apps, which are steering users onto more open routes—in this case, streets in the neighborhoods that are on fire."

https://twitter.com/rhenderson/status/938800585553219586

having an algorithm drive you straight into a climate change caused inferno is an extremely 2017 way to go.

rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links

When is Big Automation Too Big for Comfort?

DevOps.com <gabe@gabegold.com>

Date: Tue, 19 Dec 2017 23:34:12 -0500

Yara, a shipping company out of Oslo, Norway, in partnership with Kongsberg <https://www.km.kongsberg.com/>, a maritime engineering group also out of Norway, has created an autonomous container ship, the Yara Birkeland, that is set to hit the high seas in 2018. This ocean-going vessel will be manned by a crew of none. It's completely driverless.

https://devops.com/when-big-automation-too-big-comfort/

The risks? This one's too easy...

Apparent Google update glitch disconnects student Chromebooks in schools across the U.S.

Geekwire <lauren@vortex.com>

Date: Sat, 9 Dec 2017 14:02:30 -0800

via NNSquad https://www.geekwire.com/2017/reported-google-update-glitch-disconnects-student-chromebooks-schools-across-u-s/

Tens of thousands, perhaps millions, of Google Chromebooks, widely prized by schools due to their low cost and ease of configuration, were reported to be offline for several hours on Tuesday. The apparent cause? A seemingly botched WiFi policy update pushed out by Google that caused many Chromebooks to forget their approved network connection, leaving students disconnected.

I agree: Requiring large fleets of Chromebooks to be manually re-associated with their Wi-Fi networks cannot be called a practical solution. And of course, most Chromebooks have never been on Ethernet since most people don't have the requisite USB<->Ethernet adapters.

Former Facebook exec says social media is ripping apart society

The Verge <lauren@vortex.com>

Date: Tue, 12 Dec 2017 08:33:14 -0800

NNSquad https://www.theverge.com/2017/12/11/16761016/former-facebook-exec-ripping-apart-society

Another former Facebook executive has spoken out about the harm the social network is doing to civil society around the world. Chamath Palihapitiya, who joined Facebook in 2007 and became its vice president for user growth, said he feels "tremendous guilt" about the company he helped make. "I think we have created tools that are ripping apart the social fabric of how society works," he told an audience at Stanford Graduate School of Business, before recommending people take a "hard break" from social media. Palihapitiya's criticisms were aimed not only at Facebook, but the wider online ecosystem. "The short-term, dopamine-driven feedback loops we've created are destroying how society works," he said, referring to online interactions driven by "hearts, likes, thumbs-up." "No civil discourse, no cooperation; misinformation, mistruth. And it's not an American problem—this is not about Russian ads. This is a global problem."

Hackers halt plant operations in watershed cyber-attack

Jim Finkle <neumann@csl.sri.com>

Date: Fri, 15 Dec 2017 6:57:31 PST

Jim Finkle, Reuters https://reut.rs/2AGTjhA

(Reuters)—Hackers likely working for a nation-state recently invaded the safety system of a critical infrastructure facility in a watershed attack that halted plant operations, according to cyber-investigators and the firm whose software was targeted.

FireEye Inc (FEYE.O) disclosed the incident on Thursday, saying it targeted Triconex industrial safety technology from Schneider Electric SE (SCHN.PA).

FireEye and Schneider declined to identify the victim, industry or location of the attack. Cybersecurity company Dragos said the hackers targeted an organization in the Middle East, while a second firm, CyberX, said it believes the victim was in Saudi Arabia.

It marks the first report of a safety system breach at an industrial plant by hackers, who have in recent years placed increasing attention on breaking into utilities, factories and other types of critical infrastructure, cyber-experts said.

Compromising a safety system could let hackers shut it down in advance of attacking other parts of an industrial plant, potentially preventing operators from identifying and halting destructive attacks, they said.

Safety systems could be fooled to indicate that everything is okay even as hackers damage a plant, said Galina Antova, co-founder of cybersecurity firm Claroty.

Searchable database of 1.4 billion stolen credentials found on dark web

Steven Cheung <cheung@csl.sri.com>

Date: Tue, 12 Dec 2017 16:32:07 -0800

This has been slashdotted:

https://medium.com/4iqdelvedeep/1-4-billion-clear-text-credentials-discovered-in-a-single-database-3131d0a1ae14

https://www.itworldcanada.com/article/searchable-database-of-1-4-billion-stolen-credentials-found-on-dark-web/399810?sub=&utm_source=263010&utm_medium=dailyitwire&utm_campaign=enews&scid=49d88d60-2122-4bb5-f4b3-4e601d76c6d3

World's biggest botnet sends 12.5 MILLION emails containing ransomware...

Daily Mail via Geoff Goodfellow <geoff@iconia.com>

Date: Mon, 27 Nov 2017 07:23:47 -1000

- Scarab malware is being sent out by Necurs, the largest email spam botnet ever
- Infected files are hidden in fake scanned documents that appear to be legitimate
- Once an attached 7zip is opened, malware takes over your computer and files
- A text file which then pops up threatens to erase them if the ransom isn't paid

Millions of computers are at risk of infection by a virulent spam attack that threatens to destroy your files, unless you pay a Bitcoin ransom.

The Scarab malware is being distributed by Necurs, the Internet's largest email spam botnet, which has been used in a number of previous online onslaughts.

Within the first six hours of the attack 12.5 million emails had been distributed, with more than two million messages being sent out per hour at its height. [...]

http://www.dailymail.co.uk/sciencetech/article-5121105/Worlds-biggest-botnet-sent-12-5-million-emails.html

Department of Homeland Security finds government mobile apps lack

Rob Wilcox <robwilcoxjr@gmail.com>

Date: Tue, 19 Dec 2017 06:54:16 -0800

Department of Homeland Security is studying the security and privacy of mobile apps used within federal, state and local government including by first responders.

Of 33 first responder apps studied, 32 had security flaws. Once the flaws were found, the application developers were able to rectify the flaws in about one hour of coding.

Project Website: https://www.dhs.gov/science-and-technology/csd-mobile-app-security

Press Release: https://www.dhs.gov/science-and-technology/news/2017/12/18/news-release-st-pilot-project-helps-secure-first-responder

Fun with blockchain

MakeUseOf <gabe@gabegold.com>

Date: Tue, 28 Nov 2017 17:29:38 -0500

3 Blockchain Credit Agencies Changing Our Relationship With Money http://www.makeuseof.com/tag/blockchain-credit-agencies/

Why You Should Keep Your Bitcoin in Cold Storage http://www.makeuseof.com/tag/bitcoin-crypto-cold-wallets/

What could go wrong? Add up all the con arguments. And "con", of course, has multiple meanings.

Initial Coin Offerings Horrify a Former SEC Regulator

The NYTimes via Gabe Goldberg <gabe@gabegold.com>

Date: Sun, 26 Nov 2017 21:22:46 -0500

https://www.nytimes.com/2017/11/26/business/initial-coin-offering-critic.html

As I understand it, in an ICO, you invent a new virtual currency (because there aren't enough of them, yet, and the world needs more) and sell it for Bitcoin or cash or whatever. Hey, I could probably do that.

So this former SEC regulator thinks that maybe this isn't such a good idea:

'ICOs represent the most pervasive, open and notorious violation of federal securities laws since the Code of Hammurabi,' Mr. Grundfest said in an interview.

What could possibly go wrong?

Bitcoin Exchange Youbit to Declare Bankruptcy After Hack

Coindesk <jidanni@jidanni.org>

Date: Wed, 20 Dec 2017 08:29:21 +0800

https://www.coindesk.com/south-korean-bitcoin-exchange-declare-bankruptcy-hack/

'The cyber-attack is the second for Youbit, previously known as Yapizon. The exchange was previously targeted in April in an attack which South Korean officials believe was conducted with the support of neighboring North Korea. Recent reports indicate that intelligence services in South Korea suspect that North Korea is behind additional attacks against domestic cryptocurrency exchanges, including market-leader Bithumb.'

Bitcoin Investors Resort to Hypnotherapy to Recover Passwords

Fortune <gabe@gabegold.com>

Date: Wed, 20 Dec 2017 14:02:42 -0500

Help is in sight for that batch of early-Bitcoin-adopters who are sitting on untapped bounties because they've forgotten the passwords needed to get into their wallets.

A hypnotist in South Carolina has recently begun offering to help people recall forgotten passwords or find misplaced storage devices. Jason Miller charges one bitcoin plus 5% of the amount recovered—though he claims that rate is flexible.

“I've developed a collection of techniques that allow people to access older memories or see things they've put away in a stashed spot,” he told *The Wall Street Journal*.

A number of investors who bet on Bitcoin years ago are now in a painful limbo. In the way that bank accounts are protected by passwords, Bitcoin wallets that use keys to transact are also typically guarded by complex security codes. However, unlike a bank, Bitcoin has no central hotline to call for a reset.

http://fortune.com/2017/12/20/bitcoin-investors-hypnotherapy/

The risks? being human, being careless, being idiotic?

Ethereum cryptocurrency choking on purchases of virtual cats

Taipei Times <eee@dialup4less.com>

Date: Fri, 8 Dec 2017 13:48:09 -0800

CryptoKitties game threatens capacity of Ethereum blockchain.

http://www.taipeitimes.com/News/biz/archives/2017/12/06/2003683493

Many Consumers Lack Understanding of Basic Cyber-Hygiene

Tenable <gabe@gabegold.com>

Date: Wed, 20 Dec 2017 13:09:16 -0500

New Study: Data breaches have been a headache for many years and for a long time there seemed to be a general apathy about them. Our sense was that things may have changed in the wake of the most severe breach ever—the theft of 145 million social security numbers and other sensitive data from Equifax—which leaves most Americans with the burden of having to monitor for identity theft for the rest of their lives.

Against this backdrop, we decided to find out how aware Americans are of cybersecurity threats and risks, how concerned they are about getting their information stolen, and what they might be doing, or more importantly, not doing about it. We also wanted to learn if recent breaches have caused Americans to change their behavior at all. Tenable recently commissioned a survey, conducted online by Harris Poll of more than 2,000 U.S. adults, to determine how data breaches—and media attention around them—are impacting consumers' perceptions about their online security and their behavior.

https://www.tenable.com/blog/new-study-many-consumers-lack-understanding-of-basic-cyber-hygiene

No surprises; chat with nearly any non-tech person to learn this...

McLean-Based Hilton to Begin Rolling Out High-Tech "Connected Rooms"

Gabe Goldberg <gabe@gabegold.com>

Date: Fri, 8 Dec 2017 18:17:06 -0500

McLean, Va.—*Hilton*, the McLean-based hospitality giant, said on Thursday it plans to begin rolling out what it calls "connected rooms"—high-tech guest rooms that let users control most aspects of their stay from their mobile device. Currently in beta testing, the concept will allow guests to use their Hilton Honors app to manage most things they would traditionally do manually, from controlling the temperature and lighting to the TV and window coverings. Users also will be able to load the most popular streaming media and other accounts to in-room TVs. In the longer-term, Hilton said that guests will be able to use voice commands to control their room or access their content, and to upload their own artwork and photos to display on walls.

"The technology we put in hotel rooms has to be intuitive, simple and quick to pick up because guests typically spend a limited amount of time in their rooms," said Joshua Sloser, the company's senior vice president of digital product. Hilton said it will begin scaling the concept rapidly to hotels across the United States over the coming weeks.

http://www.businesswire.com/news/home/20171207005545/en/Hilton-Announces-%E2%80%98Connected-Room%E2%80%99-Mobile-Centric-Hotel-Room

What could go wrong? Screaming at your hotel room because it can't understand you—voice control in my car sure isn't 100% accurate/compliant. Hilton app always listening to what goes on in the room. Tech support demands on ... bell staff, maybe.

Crooks Cash in Stolen Rewards Points for Flights and Hotels

Fortune <gabe@gabegold.com>

Date: Sun, 3 Dec 2017 23:09:29 -0500

It's nice to take a free trip using credit card rewards. Unfortunately, criminal gangs feel the same way and are stealing other people's rewards points—including those for British Airways and booking site Orbitz—in order to resell them on the Internet.

The rewards scam, which began in Russia but has since spread to English and Spanish speaking markets, represents yet another frontier for cybercriminals to make money by hacking consumer accounts.

http://fortune.com/2017/11/27/frequent-flyer-hotel-rewards-scams/

Microsoft Researcher Details Real-World Dangers of Algorithm Bias

Gizmodo <farber@gmail.com>

Date: Sat, 9 Dec 2017 11:49:27 -0500

http://fortune.com/2017/10/30/ai-early-cancer-detection/, law enforcement <https://www.washingtonpost.com/local/public-safety/police-are-using-software-to-predict-crime-is-it-a-holy-grail-or-biased-against-minorities/2016/11/17/525a6649-0472-440a-aae1-b283aa8e5de8_story.html?utm_term=.37a7d249ff8a>, sex <https://gizmodo.com/the-future-of-online-dating-is-unsexy-and-brutally-effe-1819781116>, etc.—it can't outpace the biases of its creators, humans. Microsoft Researcher Kate Crawford delivered an incredible keynote speech, titled The Trouble with Bias, at Spain's Neural Information Processing System Conference on Tuesday. In Crawford's keynote, she presented a fascinating breakdown of different types of harms done by algorithmic biases.

As she explained, the word "bias" has a mathematically specific definition in machine learning, usually referring to errors in estimation or over/under representing populations when sampling. Less discussed is bias in terms of the disparate impact machine learning might have on different populations. There's a real danger to ignoring the latter type of bias. Crawford details two types of harm: allocative harm and representational harm.

“An allocative harm is when a system allocates or withholds a certain opportunity or resource,” she began. It's when AI is used to make a certain decision, let's say mortgage applications, but unfairly or erroneously denies them to a certain group. She offered the hypothetical example of a bank's AI continually denying mortgage applications to women. She then offered a startling real world example: a risk assessment AI routinely found that black criminals were a higher risk <https://www.propublica.org/article/machine-bias-risk-assessments-in-criminal-sentencing> than white criminals. (Black criminals were referred to pre-trial detention more often because of this decision.)

Experts Warn: Terrorists Could Kill Millions by Remotely Hacking People's Cars

Gabe Goldberg <gabe@gabegold.com>

Date: Mon, 4 Dec 2017 11:40:54 -0500

Cyberterrorists have the potential to put millions of lives at risk by hacking <https://www.thetimes.co.uk/article/hackers-could-take-control-of-cars-and-kill-millions-ministers-warned-fx8gv5sk7> the sophisticated cars on 21st Century roadways, one expert has warned.

The caution comes amid a host of technological advances pervading the automotive industry.

“The current state of vehicles on the road today—the new, modern car, not even self-driving—have become rolling computers,” said John Simpson, Consumer Watchdog's privacy project director. <http://www.detroitnews.com/story/business/autos/mobility/2017/11/15/carmakers-stuggle-robot-car-hacking-fears/107696450/>

And it's suggested that any computer is open to being hacked. In 2015, the National Highway Traffic Safety Administration recalled nearly 1.5 million vehicles over fears that they could potentially be compromised.

https://www.westernjournal.com/experts-warn-terrorists-kill-millions-remotely-hacking-peoples-cars/

...not exactly news, though useful recap and alert. Interesting appeal at end, hardly related to this article:

The Western Journal strives to achieve the highest conservative values, editorial standards and truth in journalism, all of which are under attack. Your donation funds the fight against mainstream media corruption and helps us reach millions of readers around the world with the truth.

Dangers of dynamic road trip mapping applications

danny burstein <dannyb@panix.com>

Date: Wed, 6 Dec 2017 23:59:21 -0500

One unanticipated effect of combining trip-planning applications that use "real time" data with disaster events such as the yuge fire in the LA area:

"The Los Angeles Police Department asked drivers to avoid navigation apps, which are steering users onto more open routes—in this case, streets in the neighborhoods that are on fire."

http://www.latimes.com/local/california/la-me-southern-california-wildfires-live-firefighters-attempt-to-contain-bel-air-1512605377-htmlstory.html

Large wildfires vs. navigation apps for drivers

David Tarabar <dtarabar@acm.org>

Date: Thu, 7 Dec 2017 17:46:08 -0500

"The Los Angeles Police Department asked drivers to avoid navigation apps, which are steering users onto more open routes—in this case, streets in the neighborhoods that are on fire."

iOS 11 leaves iOS devices more vulnerable to edge-case attacks, says phone-cracking company ElcomSoft

9to5mac via Geoff Goodfellow <geoff@iconia.com>

Date: Mon, 4 Dec 2017 09:39:14 -1000

https://9to5mac.com/guides/ios-11/

Want to break into a house? Just type in its address...

Dave Horsfall <dave@horsfall.org>

Date: Wed, 6 Dec 2017 16:49:50 +1100

http://www.smh.com.au/technology/consumer-security/aami-suncorp-suspend-online-insurance-quote-feature-over-burglary-fears-20171204-gzyo1c.html

“One of Australia's largest home and contents insurers has suspended a new online feature that made private details about the security of peoples' homes publicly accessible, including whether monitored alarm systems were installed on their premises.”

It seems that those seeking quotes for their address found that some fields were pre-filled from a previous quote, all in the name of making it easy, of course. Well, it sure made it easy for any potential burglars interested in knocking that place over, such as whether deadlocks were likely fitted, burglar alarms, etc.

Gadzooks; didn't anyone think?

Dave Horsfall, North Gosford NSW 2250, Australia

Improving election integrity/security/???

Politico <neumann@csl.sri.com>

Date: Mon, 18 Dec 2017 9:02:50 PST

ACTION AT LAST ON ELECTION SECURITY?—After months of debate but little action, there appears to be a modicum of momentum building on Capitol Hill to address some of the security shortcomings that voting integrity experts say threaten to undermine the upcoming midterm elections. Several lawmakers made public pleas for movement on Friday and a bipartisan group of senators are expected to drop an election security bill this week.

THE BILL: The upcoming legislation is aimed at greasing the information-sharing channels that connect the Homeland Security Department, the intelligence community and state election offices. Election officials said an inability to effectively swap data on hacker threats during the 2016 election left many in the dark about the digital invaders that were probing the country's election networks. The proposed bill—backed by Republicans Sens. Lindsey Graham and James Lankford, as well as Democrats Sens. Kamala Harris and Amy Klobuchar—would also earmark additional resources for states to bolster their digital defenses, according to an aide to one of the lawmakers. The group is eager to get the legislation passed before the 2018 midterm primaries, the aide said.

The Germans have no word for "Entscheidungsproblem"

Catalin Cimpanu via Henry Baker <hbaker1@pipeline.com>

Date: Wed, 06 Dec 2017 16:36:39 -0800

nor any word for "irony". :-)

https://www.bleepingcomputer.com/news/government/germany-preparing-law-for-backdoors-in-any-type-of-modern-device/

Catalin Cimpanu, 5 Dec 2017: Germany Preparing Law for Backdoors in Any Type of Modern Device

German authorities are preparing a law that will force device manufacturers to include backdoors within their products that law enforcement agencies could use at their discretion for legal investigations. The law would target all modern devices, such as cars, phones, computers, IoT products, and more.

Officials are expected to submit their proposed law for debate this week, according to local news outlet RedaktionsNetzwerk Deutschland (RND).

Difficulties in investigating modern crime, terrorist attacks

The man supporting this proposal is Thomas de Maizière

Have You Ever Felt Sorry for the IRS? Now Might Be the Time

The NYTimes <gabe@gabegold.com>

Date: Tue, 19 Dec 2017 10:22:59 -0500

Already struggling with its workload, the agency must start adapting systems to the new tax code while processing returns under the old one.

https://www.nytimes.com/2017/12/18/business/irs-tax-bill.html

The risk? Starving IT infrastructure and staffing while expecting everything to work just fine.

Also, of course, nonsense reporting like:

Updating the agency's vast computer system is also a gargantuan undertaking. The IRS (along with much of the federal government and major financial institutions) uses a computer programming language called Cobol, developed almost 60 years ago. Almost every coding change will, in effect, have to be entered by hand.

...disparaging Cobol because it's been used for a while (and sounding like it's unchanged since initial development), and being alarmed at making coding changes "by hand". As opposed to how?

More Than a Third of Federal Websites Just Failed a Major Security Test

Fortune <gabe@gabegold.com>

Date: Wed, 29 Nov 2017 01:36:41 -0500

More than a third of U.S. federal websites are missing key elements of online security architecture, according to a report released Monday by the Information Technology & Innovation Foundation (ITIF).

Out of 469 government websites surveyed by ITIF, just 36% passed the test for both Domain Name System Security (DNSSEC) and Secure Sockets Layer (SSL) certificates.

These two security features are crucial elements of online security, without which browsing can be insecure. Federal government websites still require significant improvement. Doing so will help ensure that the many Americans who routinely use the Internet to access government services and information can continue to do so.

http://fortune.com/2017/11/28/us-federal-websites-security-test-failure/

The risk? Things don't change much.

NSF-funded research on vehicular social networking

Ross Stapleton-Gray <ross.stapletongray@gmail.com>

Date: December 13, 2017 at 12:45:17 PM EST

[via David Farber]

So, yet another issue to give us angst: how to take it when your car becomes more popular than you are?

As I read this, the researchers are proposing that it would be helpful if your car were socially networked, i.e., more readily communicated with cars where past history and interests suggested common concerns, value of informational leads, etc. Lots of exercises left to the reader, e.g., a ton of privacy implications, opportunities for marketing (think cars whose owners are being paid to "push" specific routing/destinations as better than others... in the olden days, when Jeb suggests the best route into town is to pass the Kroger, and not the K-Mart...), etc.

https://www.nsf.gov/awardsearch/showAward?AWD_ID=1761641

> Award Abstract #1761641
> NeTS: EAGER: Intelligent Information Dissemination in Vehicular
> Networks based on Social Computing

Car theft "relay crime"

Sky <Neumann@csl.sri.com>

Date: Sun, 26 Nov 2017 15:05:27 -0800

http://news.sky.com/story/any-11145015
http://www.itv.com/news/central/2017-11-26/police-release-footage-of-relay-crime/

Also, from Gabe Goldberg: Watch thieves steal car using technology instead of keys http://www.cnn.com/videos/world/2017/11/27/relay-box-auto-theft-orig-trnd-lab.cnn

Researchers craft Android app that reveals horrific menagerie of hidden spyware; legally barred from doing the same with iOS

Cory Doctorow <dewayne@warpspeed.com>

Date: November 25, 2017 at 3:21:12 PM EST

Cory Doctorow, BoingBoing, 25 Nov 2017 <https://boingboing.net/2017/11/25/la-la-la-cant-hear-you.html>

Yale Privacy Lab and Exodus Privacy's devastating report on the dozens of invasive, dangerous "trackers" hidden in common Android apps was generated by writing code that spied on their target devices' internal operations, uncovering all manner of sneaking trickery.

It would be great if we had effective regulatory oversight and the power to seek legal relief from these companies for lying to us and/or sneaking spyware into our lives; but every bit as important is the right to independently audit their actions (as Privacy Lab and Exodus have done) and to install code that overrides the undesirable functions of this spyware -- for example, by blocking its communications or chaffing it with plausible garbage data.

The Exodus Privacy app's functionality is key to attaining the first goal, gathering independent evidence about the conduct of mobile firms and app providers. Without that evidentiary basis, there's no way to know you need self-help measures, nor is there any way to convince regulators to take action, nor is there the possibility of creating public clamor for competing products that would spur investors and entrepreneurs to make tools that let you reclaim control over your device.

As Exodus and Yale note, these trackers are almost certainly also present in iOS: the companies that make them advertise their iOS compatibility, for one thing. But iOS is DRM-locked and it's a felony—punishable by a 5-year prison sentence and a $500,000 fine for a first offense in the USA under DMCA 1201, and similar provisions of Article 6 of the EUCD in France where Exodus is located—to distribute tools that bypass this DRM, even for the essential work of discovering whether billions of people are at risk due to covert spying from the platform.

It's true that the US Copyright Office gave us a soon-to-expire exemption to this rule that started in 2016, but that exemption only allows Exodus to use that tool; it doesn't allow Exodus to make that tool, or to distribute it so independent researchers can investigate iOS.

Overseas customers left behind in clearXchange to Zelle conversion

Dan Jacobson <jidanni@jidanni.org>

Date: Thu, 30 Nov 2017 02:00:41 +0800

>>>>> "SC" == S..., C.. <...@earlywarning.com> writes:

SC> Yes, the Zelle app is [available only] in the US right now.

Well that creates a huge problem for many citizens who happen to be out of the country at the moment and suddenly are cut off from their funds.

It would have been more wise to first introduce the app, and then three months later after all users are safely moved over to it, only then have them close down their clearXchange accounts.

But following the instructions, we all first close our clearXchange accounts in order to move over to the app.

This seems a classic risk right out of ACM Risks Digest.

Wrong number: Are Israel's phone companies systematically overcharging

Gabe Goldberg <gabe@gabegold.com>

Date: Sun, 26 Nov 2017 21:36:47 -0500

Consumer groups report endless complaints from Israelis who say they are mischarged, lied to, pushed into debt, and even stopped at the airport for fees they never agreed to.

https://www.timesofisrael.com/wrong-number-are-israels-phone-companies-systematically-overcharging/

Go figure: an abusive, arrogant, crooked phone company. What next, inadequate consumer protections?!

Warn that results are not necessarily in order

Dan Jacobson <jidanni@jidanni.org>

Date: Thu, 07 Dec 2017 06:00:08 +0800

I think the atq(1) command should order its results. I mean that is what "queues" are about, order.

"atq—lists the user's pending jobs, unless the user is the superuser; in that case, everybody's jobs are listed. The format of the output lines (one for each job) is: Job number, date, hour, queue, and username."

Now 15 years later I think they at least should warn on the man page that the results are not necessarily in order.

The RISK is someone might just happen to get ordered results a few times, and then build a program to process the results based on this assumption.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=183583
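The defensive habit the post argues for, shown as an added example (not code from the Debian bug report or from at(1) itself): parse atq's lines into structured jobs and sort them by their scheduled time instead of trusting the order the command happens to print. The sample output is constructed, and its column layout is assumed to follow the man page text quoted above (job number, date and time, queue letter, username).

```python
import re
from datetime import datetime

# Constructed sample of atq(1) output (not captured from a real system).
# Assumed layout per the quoted man page: job number, date/time, queue,
# username. The lines are deliberately NOT in chronological order.
SAMPLE_ATQ_OUTPUT = """\
5\tThu Dec 21 10:00:00 2017 a alice
2\tWed Dec 20 23:30:00 2017 a bob
7\tWed Dec 20 08:15:00 2017 b alice
12\tWed Dec 20 08:15:00 2017 a bob
"""

# job-number, "Dow Mon dd HH:MM:SS YYYY", queue letter, username
_LINE_RE = re.compile(
    r"^(\d+)\s+(\S+ \S+\s+\d+ \d{2}:\d{2}:\d{2} \d{4})\s+(\S)\s+(\S+)$"
)


def parse_atq(text):
    """Turn raw atq output into a list of job dicts, in the order printed."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            # Fail loudly rather than silently dropping a job we did not understand.
            raise ValueError(f"unrecognised atq line: {raw!r}")
        job, when, queue, user = m.groups()
        # Collapse runs of spaces so single-digit days ("Dec  4") also parse.
        when = datetime.strptime(" ".join(when.split()), "%a %b %d %H:%M:%S %Y")
        jobs.append({"job": int(job), "when": when, "queue": queue, "user": user})
    return jobs


def ordered_jobs(text):
    """Jobs sorted by scheduled time, tie-broken on job number.

    This is the explicit ordering step: never assume atq's output order.
    """
    return sorted(parse_atq(text), key=lambda j: (j["when"], j["job"]))


def job_numbers_in_run_order(text):
    return [j["job"] for j in ordered_jobs(text)]


if __name__ == "__main__":
    for j in ordered_jobs(SAMPLE_ATQ_OUTPUT):
        print(j["when"].isoformat(), j["job"], j["queue"], j["user"])
```

The parser raises on any line it cannot read, so a change in atq's output format surfaces as an error rather than as a job quietly vanishing from a schedule-processing script.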

Upside of multiple-choice security questions

Ed Ravin <eravin@panix.com>

Date: Sun, 10 Dec 2017 15:47:23 -0500

Found this on a website on the account setup page—finally, a halfway-reasonable explanation for why so many sites use multiple-choice security questions:

Your account must include five security questions. [...] We provide predefined questions and answers because we've found that the majority of security issues our customers face can be traced to computer viruses that record typing, and using predefined answers protects against this type of intrusion.

You can log into macOS High Sierra as root with no password

The Register <geoff@iconia.com>

Date: Tue, 28 Nov 2017 15:24:55 -1000

A trivial-to-exploit flaw in macOS High Sierra, aka macOS 10.13, allows users to gain admin rights, or log in as root, without a password.

The security bug can be triggered via the authentication dialog box in Apple's operating system, which prompts you for an administrator's username and password when you need to do stuff like configure privacy and network settings.

If you type in "root" as the username, leave the password box blank, hit "enter" and then click on unlock a few times, the prompt disappears and, congrats, you now have admin rights. You can do this from the user login screen.

The vulnerability effectively allows someone with physical access to the machine to log in, cause extra mischief, install malware, and so on. You should not leave your vulnerable Mac unattended, nor allow remote desktop access, until you can fix the problem. [...] http://www.theregister.co.uk/2017/11/28/root_access_bypass_macos_high_sierra/

Feds in Two Minds About Artificial Intelligence Defense

Meritalk <gabe@gabegold.com>

Date: Wed, 29 Nov 2017 15:08:16 -0500

As Feds get smarter about Artificial Intelligence on the cyber-frontier, seems agencies' IT defenders are suffering from schizophrenia about cybercyborgs. That's the topline takeaway from the new MeriTalk Federal Cyber-AI IQ Test study. Where 90 percent of cyberfolks swoon about AI as the fix for the cybersieve, almost half of Feds suffer AI anxiety disorder. With the exponential increase in cyber-attacks and insider-threat nightmares, now is a fascinating time to consider AI's role in cybersecurity. We see Kevin Cox and the CDM program office exploring AI and every cyber-vendor's touting its new AI pixie dust. So, what's the state of Fed's AI IQ and what's the path forward?

https://www.meritalk.com/articles/feds-in-two-minds-about-artificial-intelligence-defense/

The risk? Aside from sophomoric and over-the-top writing, the risk is—as usual—talking around and generalizing about a technology without defining—or, likely, understanding—what it is. Or putting it in the context of whatever is being discussed—here, cybersecurity. The article would make as much sense with "AI" replaced by "walnuts".

Australian man uses snack bags as Faraday cage to block tracking by employer

Sean Gallagher <jjreisert@alum.mit.edu>

Date: Thu, 30 Nov 2017 17:53:17 -0700

Sean Gallagher, Ars Technica, 29 Nov 2017 https://arstechnica.com/information-technology/2017/11/australian-man-uses-snack-bags-as-faraday-cage-to-block-tracking-by-employer/

A 60-year-old electrician in Perth, Western Australia had his termination upheld by a labor grievance commission when it was determined he had been abusing his position and technical knowledge to squeeze in some recreation during working hours. Tom Colella used mylar snack bags to block GPS tracking via his employer-assigned personal digital assistant to go out to play a round of golf—more than 140 times—while he reported he was offsite performing repairs.

White House Weighs Personal Mobile Phone Ban for Staff

Bloomberg <gabe@gabegold.com>

Date: Tue, 28 Nov 2017 14:14:42 -0500

https://www.bloomberg.com/politics/articles/2017-11-27/white-house-is-said-to-weigh-personal-mobile-phone-ban-for-staff

Horse, barn door? Maybe make entire White House a Faraday cage?

Re: Singapore MRT signaling fault injures 29

Richard M Stein <rmstein@ieee.org>

Date: Tue, 19 Dec 2017 09:58:48 +0800

Straits Times, 19 Dec 2017 http://www.straitstimes.com/singapore/transport/simulation-facility-to-test-new-mrt-signalling-system

"A simulation facility will be built for the East-West Line's (EWL) new signaling system to undergo extra tests before it is rolled out, in a move to beef up safety and not disrupt train services. The facility will be set up by French firm Thales, which aims to deliver the new signaling system for the EWL by next June. It is the first of its kind testing facility outside Toronto and Paris, where the firm is based."

Given Thales' prior release history, is it advisable to build the stack, and also build the simulation? Recall

Re: Web Browser JavaScript Woes

Chris Drewe <e767pmk@yahoo.co.uk>

Date: Thu, 23 Nov 2017 22:00:27 +0000

You've probably had submissions on this already; hardly end-of-the-world stuff, though may be of interest. I surf the web with Firefox on a Windows 7 laptop, and following advice on this very forum, I usually have JavaScript disabled. Allegedly this avoids possible security problems, but the big advantage is that web pages load in a flash, *and* there's no problem with loads of unwanted stuff wasting my monthly bandwidth allowance. Some web sites, particularly important ones like on-line bill payment or web e-mail access, need JavaScript, so I manually enable this when required.

Last year, to my dismay a Firefox update removed the option to disable JavaScript from the list, but I quickly found a 3rd-party add-on to put this in the Tools menu (phew!). Then last week Firefox updated to 57.0 ("Quantum") which (according to the 'what's new' info) disables unauthorised add-ons including this one, so I was stuck without JavaScript with no choice...

Oh well, at least there's good old Internet Explorer 11 which I've hardly ever used... but it runs without JavaScript as well?!? I couldn't even find any references to JavaScript in any of the set-up options either, and when I tried the on-line help feature, this said "needs JavaScript to run"! (Sounds like that old joke about 'the instructions for the microfilm reader are on microfilm'.) I don't recall ever changing this, but must have disabled scripting when I first got the laptop to avoid any security issues. Sigh...

To cut a long story short, a Google search (at least this doesn't need JavaScript!) showed (a) IE actually uses the term 'Active scripting' for this, with radio buttons for Disable/Prompt/Enable, so that fixed that, and (b) Firefox set-up can be accessed via 'about:config' and the "I promise to be good" screen. What I plan to do is use IE for sites where JavaScript is needed, and Firefox for everything else.

Re: Taser Company Ignored SEC Emails ... In a Spam Folder

John Levine <johnl@iecc.com>

Date: Fri, 24 Nov 2017 04:08:59 +0000

... the implicit assumption—that if ISPs just delivered all the mail things would be fine—is quite false.

Most mail systems see about 90% spam. An ISP like World that's been around for a long time probably gets even more. That means there are about ten spam messages for every real one. Even if your ISP spent the extra money for the extra bandwidth and storage to receive and deliver all the spam, your mail would be unusable, with the trickle of real mail hidden in the torrent of junk. I once met a person at the EFF who had a principled unfiltered mailbox, and she said that every day she manually deleted 3000 messages from her inbox. I don't know how she got any work done, and how many of those 3000 were real.

You don't want mail systems to send non-delivery notices for all the mail they don't deliver, since most of the return addresses are fake, and that would just be more spam to the holders of the fake addresses. Enough systems do this that it has a name, blowback spam, and on my system I have special rules to try and deal with the blowback spam I get to a few domains that seem particularly popular with spammers.

The original problem, an SEC notification misfiled in a spam folder, was clearly due to a bug in the spam filtering. The SEC does not send out notices at random, so the recipient must have given the SEC the address they sent it to. If the spam filters for that mailbox weren't set to deliver mail from the SEC, which is not hard to recognize, that's just a bug.

What's much harder are bulk legal notices, such as ones notifying members of a proposed class action. Those are bulk mail sent to people who didn't ask for it, typically from a sending system that's never sent them mail before, which makes it technically identical to spam. (Some people would say it is spam.) You can't just whitelist anything that looks like a legal notice since spammers, not being totally stupid, would make their spam look like legal notices. Bulk mail services try to tell public blacklists when they plan to do a run, and the blacklists tend to be cooperative, but even so, when automated systems see a blast of unfamiliar mail, they tend to treat it unfavorably.

The actual unsurprising moral here is that spammers ruin things for everyone.
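One concrete shape the "special rules" for blowback can take, as an added example that is not the poster's own code or configuration: a receiving system already knows which Message-IDs its own MTA generated, so a delivery status notification that quotes a Message-ID it never sent was provoked by a forged return address and can be treated as blowback. The DSN samples and the set of sent IDs below are constructed; a real deployment would feed the set from the outbound mail log.

```python
import email
from email import policy

# Constructed: Message-IDs our own MTA generated (in practice, fed from the
# outbound mail log). A bounce quoting any other ID was provoked by a forger.
SENT_MESSAGE_IDS = {
    "<20171124.0001@example.org>",
    "<20171124.0002@example.org>",
}


def _dsn(original_message_id):
    # Builds a constructed multipart/report DSN around the given original
    # Message-ID, so the two samples below differ only in that header.
    return (
        "From: MAILER-DAEMON@mail.example.net\n"
        "To: alice@example.org\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B1"\n'
        "\n"
        "--B1\n"
        "Content-Type: text/plain\n"
        "\n"
        "The address you wrote to does not exist.\n"
        "--B1\n"
        "Content-Type: message/delivery-status\n"
        "\n"
        "Reporting-MTA: dns; mail.example.net\n"
        "\n"
        "Final-Recipient: rfc822; nobody@example.net\n"
        "Action: failed\n"
        "Status: 5.1.1\n"
        "--B1\n"
        "Content-Type: message/rfc822\n"
        "\n"
        f"Message-ID: {original_message_id}\n"
        "From: alice@example.org\n"
        "To: nobody@example.net\n"
        "Subject: hello\n"
        "\n"
        "original body\n"
        "--B1--\n"
    )


# Constructed: a genuine bounce of mail we really sent ...
GENUINE_BOUNCE = _dsn("<20171124.0001@example.org>")
# ... and blowback from a spam run that forged alice's address as the sender.
BLOWBACK_BOUNCE = _dsn("<spamrun-7781@bulk.invalid>")


def embedded_message_id(raw_dsn):
    """Return the Message-ID of the original message quoted inside a DSN, or None."""
    msg = email.message_from_string(raw_dsn, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            # The returned original is carried as a nested message object.
            original = part.get_payload(0)
            return original.get("Message-ID")
        if ctype == "text/rfc822-headers":
            # Some MTAs return only the original headers as text.
            headers = email.message_from_string(part.get_content(), policy=policy.default)
            return headers.get("Message-ID")
    return None


def classify_bounce(raw_dsn, sent_ids=SENT_MESSAGE_IDS):
    """'genuine' if the quoted original is ours, 'blowback' if not, 'unknown' if no ID."""
    mid = embedded_message_id(raw_dsn)
    if mid is None:
        return "unknown"
    return "genuine" if str(mid).strip() in sent_ids else "blowback"


if __name__ == "__main__":
    print("genuine sample  ->", classify_bounce(GENUINE_BOUNCE))
    print("blowback sample ->", classify_bounce(BLOWBACK_BOUNCE))
```

Bounces that carry no copy of the original at all land in the "unknown" bucket rather than being dropped, since a legitimate but terse non-delivery report would otherwise be lost; the rule only acts where it has positive evidence of forgery.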

Re: Taser Company Ignored SEC Emails ... In a Spam Folder

Mark Kramer <c28f62@theworld.com>

Date: Sat, 9 Dec 2017 23:29:36 -0500

> This is true, but the implicit assumption that if ISPs just delivered
> all the mail things would be fine is quite false.

I never made such an assumption. I stated a fact: email is not a reliable communications medium. There is no means of making it that way. Having a government that punishes people for not receiving their Very Important Email is a Bad Thing.

I received an email reply from someone who demanded the right to be a "nomad" who has no snail mail access but does have email. I would say that if you choose a lifestyle with known limitations, you have that right.

Re: Are you aware that Comcast is injecting 400+ lines of JavaScript

geoff goodfellow <geoff@iconia.com>

Date: Mon, 11 Dec 2017 23:30:34 -1000

Comcast replies, plus a Wyoming ISP chimes in:

https://www.listbox.com/member/archive/247/2017/12/sort/time_rev/page/1/entry/5:25/20171210204407:C4C2CB62-DE14-11E7-AAAD-B8E98D242E52/

https://www.listbox.com/member/archive/247/2017/12/sort/time_rev/page/1/entry/2:25/20171211135436:B9BBFC1C-DEA4-11E7-ABD4-C4D067573D43/

On Sun, Dec 10, 2017 at 2:33 PM, the keyboard of geoff goodfellow <geoff@iconia.com> wrote:

https://www.listbox.com/member/archive/247/2017/12/sort/time_rev/page/1/entry/2:19/20171210105448:70B9CD24-DDC2-11E7-8953-E97FD683EF5B/