The RISKS Digest
Volume 30 Issue 73

Tuesday, 26th June 2018

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Tim Cook on Why Apple News Needs Human Editors
The Wrap
Facial Recognition Company Kairos CEO argues that technology's bias and capacity for abuse make it too dangerous for use by law enforcement
Slashdot
Police Use of Facial Recognition With License Databases Spur Privacy Concerns
WSJ via WaPo
Thermostats, Locks and Lights: Digital Tools of Domestic Abuse
NYTimes
Adverse Events in Robotic Surgery: A Retrospective Study of 14 Years of FDA Data
arxiv.org
When the Robot Doesn't See Dark Skin
NY Times
Having better risk-based analysis for your banks and credit cards
Rex Sanders
It's time to stop laughing at Nigerian scammers, because they're stealing billions of dollars
Cleve R. Wootson Jr.
Those Chinese-language robocalls are a scam to get your bank information, officials say
WashPo
How a company outed China's spies: David Sanger
Gabe Goldberg
Chinese Fans Paid Dearly for World Cup Tickets That Never Materialized.
NYTimes
Germany becomes the last big Western power to buy killer robots
Innocence lost—The Economist
Orlando Airport Becomes 1st In US To Require Face Scan Of All International Travelers
Talking Points Memo
Cryptocurrency exchange hacks in 2018
Taipei Times
Bitcoin Could Break the Internet, Central Banks' Overseer Says
Bloomberg
West Virginia Becomes First State to Test Mobile Voting by Blockchain in a Federal Election
GovTech
The Tractors that Turn Farmers into Hackers
Now I Know
"Three-month-old Drupal vulnerability is being used to deploy cryptojacking malware"
Danny Palmer
Hacker figured out how to brute-force iPhone passcode
ZDNet
Supreme Court says police need a warrant for historical cell location records
Zach Whittaker
Why Hackers Aren't Afraid of Us
David E. Sanger
Beijing subways to get bio-ID system
StraitsTimes
Scanning immigrants old fingerprints, U.S. threatens to strip thousands of citizenship
WashPo
M&A isn't what it used to be
Fortune
A new way to do big data with entity resolution
Web Informant
Tesla sues former employee for allegedly stealing gigabytes of data, making false claims to media.
CNBC
Show me the money
Fortune
Visa fingers 'very rare' datacentre switch glitch for payment meltdown
The Register
Recounting Horror Stories? Over Guitar Center's Warranties
NYTimes
The Guy Who Robbed Someone at Gunpoint for a Domain Name Is Getting 20 Years in Jail
Motherboard
Clarinetist discovers his ex-girlfriend faked a rejection letter from his dream school
The Washington Post
Internet TV firmware update/soft power-switch failure
Richard M Stein
Ghost Cytometry May Improve Cancer Detection, Enable New Experiments
SciAm
Creating bizarre interfaces
Rob Slade
More dodgy numbers - LinkedIn this time
Tony Harminc
Maybe they'll accept postcard calls for help
Gabe Goldberg
Re: Another risk of driverless cars
Ed Ravin
Re: Microsoft, Github, & distributed revision control
Wol
Re: Florida skips gun background checks for a year after employee
R A Lichtensteiger
Gabe Goldberg
Info on RISKS (comp.risks)

Tim Cook on Why Apple News Needs Human Editors (The Wrap)

Lauren Weinstein <lauren@vortex.com>
Tue, 26 Jun 2018 08:41:03 -0700
    [It seems nice to find a use for human Natural Intelligence after all,
    in this era of relying on Artificial Intelligence and Machine Learning.
    PGN]

  Tim Cook wants your news experience to be a little less stressful—and
  that's why Apple is leaning on humans, rather than algorithms, to
  highlight its top stories in Apple News, according to the exec.  "News was
  kind of going a little crazy," said Cook on Monday night at the Fortune
  CEO Initiative conference in San Francisco, explaining Apple's latest
  attempt to curb polarization. Apple's solution, unveiled earlier in the
  day, was a new, curated tab for coverage of the 2018 midterm
  elections. The stories will be picked by human editors, and will offer
  coverage from a variety of viewpoints, from Vox to Fox News.  "For Apple
  News, we felt top stories should be selected by humans," said Cook, "to
  make sure you're not picking content that strictly has the goal of
  enraging people."
https://www.thewrap.com/tim-cook-on-why-apple-news-needs-human-editors-news-was-kind-of-going-a-little-crazy/


Facial Recognition Company Kairos CEO argues that technology's bias and capacity for abuse make it too dangerous for use by law enforcement

Lauren Weinstein <lauren@vortex.com>
Mon, 25 Jun 2018 11:27:38 -0700
  Facial recognition technologies, used in the identification of suspects,
  negatively affects people of color. To deny this fact would be a lie. And
  clearly, facial recognition-powered government surveillance is an
  extraordinary invasion of the privacy of all citizens—and a slippery
  slope to losing control of our identities altogether.

via NNSquad
https://yro.slashdot.org/story/18/06/25/189247/ceo-of-facial-recognition-company-kairos-argues-that-the-technologys-bias-and-capacity-for-abuse-make-it-too-dangerous-for-use-by-law-enforcement


Police Use of Facial Recognition With License Databases Spur Privacy Concerns (WSJ via WaPo)

Richard M Stein <rmstein@ieee.org>
Mon, 18 Jun 2018 08:43:34 -0700
Behind WSJ paywall --
http://www.wsj.com/articles/police-use-of-drivers-license-databases-to-nab-crooks-spurs-privacy-concerns-1529233200

WaPo linkage to WSJ story with commentary quoted below --
http://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/06/18/the-cybersecurity-202-trump-associates-may-need-a-lesson-on-how-to-use-their-encrypted-apps/5b2675f91b326b3967989b28/?utm_term=.908214921adf
(See "Facial recognition versus privacy" in "The Cybersecurity 202," by
Derek Hawkins.)

  'A detective fed an image taken from an Instagram picture provided by the
  victim into Maryland's face recognition system and the database returned
  the driver's license photo of the suspect, Elinson writes.  “This
  digital-age crime-solving technique is at the center of a debate between
  privacy advocates and law-enforcement officials: Should police be able to
  search troves of driver's license photos, many who have never been
  convicted of a crime, with facial recognition software?'' Elinson writes.'

Possible 4th amendment violtation of the US Constitution covering
illegal search and seizure. Jacobsen v. United States defined 'search'
and 'seizure' for the 4th amendment:

  "protects two types of expectations, one involving 'searches', the other
  'seizures'. A search occurs when an expectation of privacy that society is
  prepared to consider reasonable is infringed. A seizure of property occurs
  where there is some meaningful interference with an individual's
  possessory interests in that property."

https://en.wikipedia.org/wiki/Search_and_seizure

A blanket search and happenstance match across a unified motor vehicle photo
database apparently violates that standard.


Thermostats, Locks and Lights: Digital Tools of Domestic Abuse (NYTimes)

Lauren Weinstein <lauren@vortex.com>
Sat, 23 Jun 2018 21:08:14 -0700
http://www.nytimes.com/2018/06/23/technology/smart-home-devices-domestic-abuse.html

  Their stories are part of a new pattern of behavior in domestic abuse
  cases tied to the rise of smart home technology.  Internet-connected
  locks, speakers, thermostats, lights and cameras that have been marketed
  as the newest conveniences are now also being used as a means for
  harassment, monitoring, revenge and control.  In more than 30 interviews
  with The New York Times, domestic abuse victims, their lawyers, shelter
  workers and emergency responders described how the technology was becoming
  an alarming new tool. Abusers—using apps on their smartphones, which
  are connected to the Internet-enabled devices—would remotely control
  everyday objects in the home, sometimes to watch and listen, other times
  to scare or show power. Even after a partner had left the home, the
  devices often stayed and continued to be used to intimidate and confuse.


Adverse Events in Robotic Surgery: A Retrospective Study of 14 Years of FDA Data (arxiv.org)

Richard M Stein <rmstein@ieee.org>
Tue, 19 Jun 2018 13:53:56 -0700
Homa Alemzadeh, Ravishankar. Iyer, Zbigniew Kalbarczyk, Nancy Leveson, Jai Raman
http://arxiv.org/pdf/1507.03518.pdf

An acquaintance expressed enthusiasm for their forthcoming robotic surgical
procedure. The well-respected Southern California National Cancer Institute
at the City of Hope—a hospital and medical- industrial complex—effused
the benefits of the "world's best robotic surgeon."

Being cautious about a hard-sell, I sent a link to this report with a few
choice questions to inquire about before signing the consent form.  Wonder
what this analysis would show for the past 4+ years of MAUDE data? Similar
trend, better, or worse?

>From the summary page:

  Methods: Weanalyzed the adverse events data related to robotic systems and
  instruments used in minimally invasive surgery, reported to the U.S. Food
  and Drug Administration (FDA) MAUDE database from January 2000 to December
  2013. We determined the number of events reported per procedure and per
  surgical specialty, the most common types of device malfunctions and their
  impact on patients, and the causes for catastrophic events such as major
  complications, patient injuries, and deaths.

  Results: During the study period, 144 deaths (1.4% of the 10,624 reports),
  1,391 patient injuries (13.1%), and 8,061 device malfunctions (75.9%) were
  reported. The numbers of injury and death events per procedure have stayed
  relatively constant since 2007 (mean = 83.4, 95% CI, 74.2 [?]  92.7).
  Surgical specialties, for which robots are extensively used, such as
  gynecology and urology, had lower number of injuries, deaths, and
  conversions per procedure than more complex surgeries, such as
  cardiothoracic and head and neck (106.3 vs. 232.9, Risk Ratio = 2.2, 95%
  CI, 1.9-2.6). Device and instrument malfunctions, such as falling of
  burnt/broken pieces of instruments into the patient (14.7%), electrical
  arcing of instruments (10.5%), unintended operation of instruments (8.6%),
  system errors (5%), and video/imaging problems (2.6%), constituted a major
  part of the reports. Device malfunctions impacted patients in terms of
  injuries or procedure interruptions. In 1,104 (10.4%) of the events, the
  procedure was interrupted to restart the system (3.1%), to convert the
  procedure to non-robotic techniques (7.3%), or to reschedule it to a later
  time (2.5%).

  Conclusions: Despite widespread adoption of robotic systems for minimally
  invasive surgery, a non-negligible number of technical difficulties and
  complications are still being experienced during procedures.  Adoption of
  advanced techniques in design and operation of robotic surgical systems
  may reduce these preventable incidents in the future.


When the Robot Doesn't See Dark Skin (NY Times)

Richard M Stein <rmstein@ieee.org>
Thu, 21 Jun 2018 19:07:21 -0700
http://mobile.nytimes.com/2018/06/21/opinion/facial-analysis-technology-bias.html

A graduate student's testimonial about algorithmic bias, and a
harbinger to corporations that deploy facial recognition to assist
hiring decisions and to enable their revenue capture processes. 


Having better risk-based analysis for your banks and credit cards

"Sanders, Rex" <rsanders@usgs.gov>
Tue, 12 Jun 2018 18:55:01 -0700
One of my back-of-card numbers routes you to a seemingly
infinite-depth tree of `press 1 for another marketing pitch' choices,
which I've never plumbed deep enough to find the fraud department.

I once had the direct line to the fraud department—see RISKS-27.85
for that depressing story. If only I could remember where I kept that
number... Now I just call the local branch and have them route me.

Just checked - the number on the back of my oldest card has rubbed
off. That's OK, I couldn't read it without a magnifying glass
anyway. Maybe better physical protection and larger typefaces for
critically important numbers?

Assuming your bank is halfway competent at simple, non-digital UX is also RISKy.


It's time to stop laughing at Nigerian scammers, because they're stealing billions of dollars (Cleve R. Wootson Jr.)

Dewayne Hendricks <dewayne@warpspeed.com>
Wed, Jun 13, 2018 at 3:09 AM
Cleve R. Wootson Jr., *The Washington Post*, 12 Jun 2018

http://www.washingtonpost.com/news/business/wp/2018/06/12/its-time-to-stop-laughing-at-nigerian-scammers-because-theyre-stealing-billions-of-dollars/>

By this point, savvy people know it's a bad idea to trust an email from a
Nigerian prince hoping to use their bank account to unload a dead relative's
vast wealth.

And they're just as suspicious of the sudden Internet-based love interest
with questionable grammar who needs a few thousand untraceable dollars to
clear up a passport issue in time for a magical first date.

But in a sophisticated and terrifying evolution of the Nigerian 419 scam,
web-savvy crime syndicates are figuring out ways to bilk U.S. citizens of
billions.

On Monday, the FBI announced the arrest of 74 people across the world --
including 29 people in Nigeria and 41 in the United States—who
authorities say were part of complex international networks that combed
filings by the Securities and Exchange Commission, spoofed CEO emails and
successfully targeted even hardened employees whose jobs are to safeguard
their companies from financial mismanagement.

The recent scams have the same DNA as the poorly worded emails that have
been showing up in people's inboxes since the 1990s. Instead of playing on
hopes of finding love or lust for sudden wealth, they play on fears about
missing a vital company payment or upsetting a boss's boss.

“[Scammers] are doing their research =A6 going onto company websites and
looking for the right people,'' FBI Assistant Director Scott Smith, who
helped lead the investigation, told the Wall Street Journal. “They may even
go as far as pulling annual reports and finding what companies they do
business with and [impersonating] those accounts.''

Adeyemi Odufuye and his team, for example, sifted SEC records, company
websites and other business documents, looking for the names and email
addresses of chief executives, chief financial officers and controllers,
court documents say.

Odufuye, who had a half dozen nicknames, including “Jefe,'' the Spanish
word for “chief'' or “boss,'' led a crew responsible for stealing $2.6
million, including $440,000 from one business in Connecticut, according to
the Justice Department.

The schemes used a variety of tactics to gain people's trust and steal their
money, federal authorities say. They registered website domain names that
were hard to distinguish from the companies they were targeting --
impersonations meant to give emails an air of authenticity. Some of those
emails arrived with malware attachments that would snap images of a victim's
desktop or transmit key log information—a hacker trick for nabbing
someone's password.

They even employed money mules whose sole purpose was to move the ill-gotten
gains from account to account, authorities say, disguising the electronic
paper trail from investigators.

Odufuye was extradited from Britain on Jan. 3. He pleaded guilty to one
count of conspiracy to commit wire fraud and one count of aggravated
identity theft.

The arrests highlighted just how many people are falling for the latest
iterations of the Nigerian hustle, as well as the staggering losses American
businesses are accruing. According to FBI figures obtained by the Journal,
victims of such scams reported $275 million in losses in 2015. By 2017,
reported losses had more than doubled, to $675 million. And in the first
quarter of this year, more than 4,000 victims reported $685 million in
losses. The bureau estimates American businesses have lost more than $3.7
billion as a result of the schemes.  [...]


Those Chinese-language robocalls are a scam to get your bank information, officials say (WashPo)

Monty Solomon <monty@roscom.com>
Mon, 25 Jun 2018 23:01:26 -0400
Chinese-language robocalls deliver news that grabs your attention, but
officials say its a scam.
http://www.washingtonpost.com/technology/2018/06/25/those-chinese-language-robocalls-are-scam-get-your-bank-information-officials-say/


How a company outed China's spies: David Sanger

Gabe Goldberg <gabe@gabegold.com>
Sat, 23 Jun 2018 23:10:23 -0400
David Sanger at the /New York Times/ has out a new book on cyber-espionage
and digital intrigue, /The Perfect Weapon: War, Sabotage, and Fear in the
Cyber Age/
http://click.email.fortune.com/%3Fqs%3D9fd3c66c5fd258b115f4a535e2b485b1789f3f375e1073611e7bd4a8c2e39026a36d168ee80c33101dac76cd060ebedf808eee024af7038d
While I have not yet read it, I did catch an excerpt that has been making
the rounds on Twitter. The passage reveals new details about how Mandiant
http://click.email.fortune.com/%3Fqs%3D9fd3c66c5fd258b1e33dccd1b1b19967fdd3db4d574b14135333f2ccc46d62024c45d534fe899947777dd672ffba305d0eda1a47b626850c
a computer forensics firm founded by Kevin Mandia, a U.S. Air Force veteran,
clinched its landmark linking of a Chinese hacking group that had ravaged
American corporates in years past and Unit 61398 of the Chinese
military. (Hat tip to Thomas Rid, a professor of strategic studies at Johns
Hopkins University's School of Advanced International Studies and author of
another excellent book, /Rise of the Machines: A Cybernetic History/
<http://click.email.fortune.com/%3Fqs%3D9fd3c66c5fd258b15862f33bc618a74cddc338b47e8562192dc1cc88e026527fbc008d819ad9908f1453a14ffe8667be803e821ccf1bfce3

Here's the section in question: “As soon as they detected Chinese hackers
breaking into the private networks of some of their clients—mostly
Fortune 500 companies—Mandia's investigators reached back through the
network to activate the cameras on the hackers' own laptops,'' Sanger
writes. “They could see their keystrokes while actually watching them at
their desks.''

When Mandiant released its report
<http://click.email.fortune.com/%3Fqs%3D9fd3c66c5fd258b134d0686d1809e54df0439805a9d31442058231d86692283d911a1d54b32b5acb7a4899f461362a1eafd6018485d37e07>
on the hacking group, so-called Advanced Persistant Threat 1, or “APT1,''
the paper was a bombshell. Now five years later, the firm's methodology, as
revealed by Sanger, has resulted in a second bombshell. If accurate—and
it seems to be, given that Sanger describes personally watching over the
shoulders of Mandiant's crew while it spied on the spies—the anecdote
suggests that Mandiant engaged, even if mildly, in a “hack back,'' a highly
controversial and legally dubious countermeasure.  (The firm did not
immediately respond to /Fortune's/ request for comment about the incident on
Saturday afternoon.)

http://view.email.fortune.com/%3Fqs%3De36c55d435df1a4da802a828235a31d7640ebe0e56daa04d722e64c7c27f5d83576c8f8fa4ccb939566f599751947197e3c8b49489ddc97cff62553d68593c70e2199e1a46148814


Chinese Fans Paid Dearly for World Cup Tickets That Never Materialized. (NYTimes)

Monty Solomon <monty@roscom.com>
Fri, 22 Jun 2018 00:01:27 -0400
The New York Times, 21 Jun 2018
http://www.nytimes.com/2018/06/21/world/asia/china-world-cup-ticket-scam-anzhi.html

Thousands of Chinese soccer fans may have been victims of a ticketing swindle allegedly orchestrated by a Moscow company.


Germany becomes the last big Western power to buy killer robots (Innocence lost—The Economist)

Jose Maria Mateos <chema@rinzewind.org>
Fri, 22 Jun 2018 10:16:33 -0400
http://www.economist.com/europe/2018/06/23/germany-becomes-the-last-big-western-power-to-buy-killer-robots%3Ffsrc%3Drss%257Ceur

To the relief of commanders and the dismay of pacifists, Germany's armed
forces have crossed a threshold. On June 13th a Bundestag committee voted to
approve the spending of nearly $1.1bn to lease from Israel five drones which
can be equipped with deadly weapons. Hitherto Germany has been the only big
Western country not to buy “killer robots''. In part this reflects
antipathy to America's use of remotely controlled missiles for “targeted
killings'' of terrorist suspects (and the people standing next to them) in
places like Pakistan and Yemen.

What a relief, yes.

http://rinzewind.org/blog-es


Orlando Airport Becomes 1st In US To Require Face Scan Of All International Travelers (Talking Points Memo)

Jose Maria Mateos <chema@rinzewind.org>
Fri, 22 Jun 2018 10:17:51 -0400
http://talkingpointsmemo.com/news/orlando-international-airport-face-scan-requirement

Florida's busiest airport is becoming the first in the nation to require a
face scan of passengers on all arriving and departing international flights,
including U.S. citizens, according to officials there.

The expected announcement Thursday at Orlando International Airport alarms
some privacy advocates who say there are no formal rules in place for
handling data gleaned from the scans, nor formal guidelines on what should
happen if a passenger is wrongly prevented from boarding.

https://rinzewind.org/blog-es


Cryptocurrency exchange hacks in 2018 (Taipei Times)

Mark Thorson <eee@dialup4less.com>
Wed, 20 Jun 2018 13:58:49 -0700
The second in two weeks in South Korea:

http://www.taipeitimes.com/News/biz/archives/2018/06/21/2003695228

In January, a Japanese exchange was hacked for nearly USD$500 million.
The market prices for various cryptocurrencies appear to have declined
in response to these events.


Bitcoin Could Break the Internet, Central Banks' Overseer Says (Bloomberg)

Gabe Goldberg <gabe@gabegold.com>
Sun, 17 Jun 2018 20:03:42 -0400
http://www.bloomberg.com/news/articles/2018-06-17/bitcoin-could-break-the-internet-central-banks-overseer-says

Bitcoin Could Break the Internet, Central Banks' Overseer Says

Swiss-based BIS says cryptocurrencies have design flaws

Blockchain can't handle or replace current payment system load

The Bank of International Settlements just told the cryptocurrency world
it's not ready for prime time—and as far as mainstream financial services
go, may never be.

In a withering 24-page article released Sunday as part of its annual
economic report, the BIS said Bitcoin and its ilk suffered from `a range of
shortcomings' that would prevent cryptocurrencies from ever fulfilling the
lofty expectations that prompted an explosion of interest—and investment
-- in the would-be asset class.


West Virginia Becomes First State to Test Mobile Voting by Blockchain in a Federal Election (GovTech)

Gabe Goldberg <gabe@gabegold.com>
Thu, 14 Jun 2018 11:36:22 -0400
West Virginia has become the first state to allow Internet voting by
blockchain, offering the technology to deployed and overseas military
service members and their families in two counties.

The pilot test is in place for the state's May 8 primary elections and is
very limited in scope—West Virginia Secretary of State Mac Warner said
maybe a couple dozen voters will participate. But if it goes well, the state
wants to try allowing all eligible military voters statewide to use it
during the November general elections.

“I'm really not concerned about numbers.  We're really just looking at the
technology.''

http://www.govtech.com/biz/West-Virginia-Becomes-First-State-to-Test-Mobile-Voting-by-Blockchain-in-a-Federal-Election.html


The Tractors that Turn Farmers into Hackers (Now I Know)

Gabe Goldberg <gabe@gabegold.com>
Wed, 13 Jun 2018 15:57:06 -0400
So farmers are fighting back. First, they're filing lawsuits, challenging
the application of the DMCA. Second, they're lobbying state governments as
well as the federal government, seeking protection from the DMCA in this
fashion. (There's a growing movement
http://www.fastcompany.com/40518779/right-to-repair-legislation-has-now-been-introduced-in-17-states
for states to adopt a *right to repair*, for example.) John Deere is
challenging those efforts, and they're slow to come about anyway.  Urgency
demanded an immediate response. The result: As Motherboard reports,
<http://motherboard.vice.com/en_us/article/xykkkd/why-american-farmers-are-hacking-their-tractors-with-ukrainian-firmware>
tractor hacking is growing increasingly popular.

The Motherboard reporter made his way to an online message board where
unauthorized copies of John Deere software are for sale. There, he found
dozens of threads from farmers desperate to fix and modify their own
tractors. According to people on the forums and the farmers who use it, much
of the software is cracked in Eastern European countries such as Poland and
Ukraine and then sold back to farmers in the United States.

By and large, the solution seems to work—for now at least. Forbes warns
that this third-party software may contain malware: “It's possible infected
farm equipment might participate in illegal botnets, or worse, the malware
might impact the safety of the operators.'' So there is some risk
involved. On the other hand, there's risk at doing nothing. As one farmer
using Ukrainian software told Motherboard, there's always a chance that John
Deere (or a successor company) will just declare the tractor obsolete. And
in that case, he asked, “What happens [then]? Are we supposed to throw the
tractor in the garbage, or what?''
http://www.forbes.com/sites/jasonbloomberg/2017/04/30/john-deeres-digital-transformation-runs-afoul-of-right-to-repair-movement/%236e56ffcb5ab9
http://nowiknow.com/the-tractors-that-turn-farmers-into-hackers/


"Three-month-old Drupal vulnerability is being used to deploy cryptojacking malware" (Danny Palmer)

Gene Wirchenko <genew@telus.net>
Mon, 25 Jun 2018 18:41:07 -0700
Danny Palmer, ZDNet, 22 June 2018
http://www.zdnet.com/article/three-month-old-drupal-vulnerability-is-being-used-to-deploy-cryptojacking-malware/

The update was deemed critical, but users who haven't applied the patch are
being targeted by attackers deploying cryptocurrency miners.

Drupal's content management software is a popular tool for building
websites, but this popularity, combined with the critical vulnerability
(dubbed 'Drupalgeddon 2' by some), means that attackers have found a way to
make a profit.

The vulnerability is being used to deliver cryptojacking malware, which
quietly uses the power of the Drupal user's machine to mine for Monero,
depositing it into wallets run by the attackers. The only side effects a
victim might notice is that their system is running slower, or the fan is
doing more work than usual. The secretive nature of cryptojacking has helped
bolster its popularity among attackers during the course of the year. [...]


Hacker figured out how to brute-force iPhone passcode (ZDNet)

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 22 Jun 2018 18:57:12 PDT
https://www.zdnet.com/article/a-hacker-figured-out-how-to-brute-force-an-iphone-passcode/


"Supreme Court says police need a warrant for historical cell location records" (Zach Whittaker)

Gene Wirchenko <genew@telus.net>
Mon, 25 Jun 2018 18:42:51 -0700
Zack Whittaker for Zero Day, 22 Jun 2018
The case was one of the long-awaited privacy legal decisions of the year.
http://www.zdnet.com/article/supreme-court-search-warrant-cell-location-records


Why Hackers Aren't Afraid of Us (David E. Sanger)

Dewayne Hendricks <dewayne@warpspeed.com>
June 24, 2018 at 04:29:47 GMT+9
David E. Sanger, *The New York Times*, 16 Jun 2018
The United States has the most fearsome cyberweaponry on the planet,
  but we won't use it for fear of what will come next

http://www.nytimes.com/2018/06/16/sunday-review/why-hackers-arent-afraid-of-us.html

WASHINGTON—Ask finance ministers and central bankers around the world
about their worst nightmare and the answer is almost always the same:
Sometime soon the North Koreans or the Russians will improve on the two huge
cyberattacks they pulled off last year. One temporarily crippled the British
health care system and the other devastated Ukraine before rippling across
the world, disrupting shipping and shutting factories—a billion-dollar
cyberattack the White House called “the most destructive and costly in
history.''

The fact that no intelligence agency saw either attack coming—and that
countries were so fumbling in their responses—led a group of finance
ministers to simulate a similar attack that shut down financial markets and
froze global transactions. By several accounts, it quickly spun into farce:
No one wanted to admit how much damage could be done or how helpless they
would be to deter it.

Cyberattacks have been around for two decades, appearing in plotlines from
“Die Hard'' movies to the new novel by Bill Clinton and James
Patterson. But in the real world, something has changed since 2008, when the
United States and Israel mounted the most sophisticated cyberattack in
history on Iran's nuclear program, temporarily crippling it in hopes of
forcing Iran to the bargaining table. (The two countries never acknowledged
responsibility for the attack.)

As President Barack Obama once feared, a cyberarms race of historic but
hidden proportions has taken off. In less than a decade, the sophistication
of cyberweapons has so improved that many of the attacks that once shocked
us—like the denial-of-service attacks Iran mounted against Bank of
America, JPMorgan Chase and other banks in 2012, or North Korea's hacking of
Sony in 2014—look like tiny skirmishes compared with the daily
cybercombat of today.

Yet in this arms race, the United States has often been its own worst
enemy. Because our government has been so incompetent at protecting its
highly sophisticated cyberweapons, those weapons have been stolen out of the
electronic vaults of the National Security Agency and the C.I.A. and shot
right back at us. That's what happened with the WannaCry ransomware attack
by North Korea last year, which used some of the sophisticated tools the
N.S.A. had developed. No wonder the agency has refused to admit that the
weapons were made in America: It raised the game of its attackers.

Nuclear weapons are still the ultimate currency of national power, as the
meeting between President Trump and Kim Jong-un in Singapore last week
showed. But they cannot be used without causing the end of human
civilization—or at least of a regime. So it's no surprise that hackers
working for North Korea, Iran's mullahs, Vladimir V. Putin in Russia and the
People's Liberation Army of China have all learned that the great advantage
of cyberweapons is that they are the opposite of a nuke: hard to detect,
easy to deny and increasingly finely targeted. And therefore,
extraordinarily hard to deter.

That is why cyberweapons have emerged as such effective tools for states of
all sizes: a way to disrupt and exercise power or influence without starting
a shooting war. Cyberattacks have long been hard to stop because determining
where they come from takes time—and sometimes the mystery is never
solved. But even as the United States has gotten better at attributing
attacks, its responses have failed to keep pace.

Today cyberattackers believe there is almost no risk that the United States
or any other power would retaliate with significant sanctions, much less
bombs, troops or even a counter cyberattack. And though Secretary of Defense
Jim Mattis has said the United States should be prepared to use nuclear
weapons to deter a huge non-nuclear attack, including using cyberweapons,
against its electric grid and other infrastructure, most experts consider
the threat hollow.

At his confirmation hearings in March to become director of the N.S.A. and
commander of the United States Cyber Command, Gen. Paul Nakasone was asked
whether our adversaries think they will suffer if they strike us with
cyberweapons. “They don't fear us,'' General Nakasone replied.


Beijing subways to get bio-ID system (StraitsTimes)

Richard M Stein <rmstein@ieee.org>
Tue, 19 Jun 2018 14:47:36 -0700
http://www.straitstimes.com/asia/east-asia/beijing-subways-to-get-bio-id-system

  "BEIJING (CHINA DAILY/ASIA NEWS NETWORK) - The Beijing subway system plans
  to introduce bio-recognition technology at stations this year to improve
  transport efficiency and reduce costs, a senior manager said.

  "Two bio-recognition technologies - facial recognition and palm touch -
  are being considered, said Zhang Huabing, head of enterprise development
  for Beijing Subway, the operator of most lines in the city, during the
  International Metro Transit Exhibition in Beijing last Thursday (June 14).

  "Facial recognition technology can track passenger movements with cameras
  connected to online networks that recognise people when they enter a
  station, potentially allowing them to bypass traditional ticketing."

A 21st century city needs a 21st century infrastructure. Tracking and
surveillance of citizens is routine for an authoritarian government.  Two
systems, each keyed to a distinct biometric signature, increase correlation
potential, and minimize false-positive/false-negative matches. Hope the
reference compare files are consistent and accurate to avoid "rounding up
the usual suspects." One step closer to P.K. Dick's "Minority Report"
panoptic surveillance.


Scanning immigrants old fingerprints, U.S. threatens to strip thousands of citizenship (WashPo)

Richard M Stein <rmstein@ieee.org>
Wed, 13 Jun 2018 19:48:20 -0700
http://www.washingtonpost.com/world/national-security/scanning-immigrants-old-fingerprints-us-threatens-to-strip-thousands-of-citizenship/2018/06/13/2230d8a2-6f2e-11e8-afd5-778aca903bbe_story.html

  "The report said U.S. Immigration and Customs Enforcement (ICE) has
  315,000 old fingerprint records being digitized and uploaded to the
  Homeland Security IDENT database.

  "Those prints can be compared with those already in the database.
  Foreigners who obtained American citizenship years ago and have been
  otherwise living quietly in the United States could be at risk of a knock
  at their doors."

Biometrics, like other digital personal identifying information, are
easy to store and retrieve for comparison purposes, though they can be
forged (see http://catless.ncl.ac.uk/Risks/30/28%23subj5.1)

Judicial findings against ICE's IDENT DB matches will be difficult to
overturn until an independent audit discovers a content and/or metadata
discrepancy that halts expulsions.


M&A isn't what it used to be (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Sun, 24 Jun 2018 11:43:36 -0400
*Good help is hard to find.* One of the leading cryptocurrency producers,
*Stellar*, is in talks to acquire *Chain*, the San Francisco-based startup
building blockchain technology for the financial industry, for $500 million,
to be paid in in Stellar's digital currency Lumens. The acquisition may be
motivated more by the need to get Chain's engineering talent rather than its
products—a classic acquire, *Fortune* reports.
http://click.email.fortune.com/%3Fqs%3D25e1b6512ea240afe48d4576335322695209118da8fd0311c5031a7f0a69ffd8b262e779eea1f42ce349d175d731870ed2c2254f314c2c7c

I guess I'll create a digital currency, surely my broker will let me invest
that.  I'll mine a couple trillion dollars of it on my spare PC.


A new way to do big data with entity resolution (Web Informant)

Gabe Goldberg <gabe@gabegold.com>
Sun, 24 Jun 2018 17:15:01 -0400
I have this hope that most of you reading this post aren't criminals, or
terrorists. So this might be interesting to you, if you want to know how
they think and carry out their business. Their number one technique is
called channel separation, the ability to use multiple identities to prevent
them from being caught.

Let's say you want to rob a bank, or blow something up. You use one identity
to rent the getaway car. Another to open an account at the bank. And other
identities to hire your thugs or whatnot. You get the idea. But in the
process of creating all these identities, you aren't that clever: you leave
some bread crumbs or clues that connect them together, as is shown in the
diagram.

http://blog.strom.com/wp/%3Fp%3D6586

Tradecraft.


Tesla sues former employee for allegedly stealing gigabytes of data, making false claims to media. (CNBC)

Monty Solomon <monty@roscom.com>
Wed, 20 Jun 2018 21:49:28 -0400
http://www.cnbc.com/2018/06/20/tesla-sues-former-employee-for-allegedly-stealing-gigabytes-of-data-making-false-claims-to-media.html


Show me the money (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Sun, 24 Jun 2018 11:45:50 -0400
*Show me the money*. Authors, software developers, and other creators could
track and collect royalty payments directly using a new blockchain
technology
https://click.email.fortune.com/%3Fqs%3D25e1b6512ea240afb6961cb4545ed51c4253472d66d62cf90bcc10f9f08ed6f1e389bc9d06850a04292bb27cb946de9572d9b3a6b4b7ead4
announced by *Microsoft* and consulting firm *EY* on Wednesday. "The scale,
complexity and volume of digital rights and royalties transactions makes
this a perfect application for blockchains," Paul Brody, EY's global
innovation leader for blockchain, tells /Fortune/.

...because blockchains are so much simpler and better understood.


Visa fingers 'very rare' datacentre switch glitch for payment meltdown (The Register)

Gabe Goldberg <gabe@gabegold.com>
Thu, 21 Jun 2018 00:19:11 -0400
Visa has said a `very rare' partial network switch failure in one of its two
data centres led to the fiasco earlier this month that caused millions of
transactions in Europe to be declined.

http://www.theregister.co.uk/2018/06/19/visa_pins_payment_problems_on_very_rare_fault_in_data_centre_switch/

Dang those partial failures—so much worse than total failures.


Recounting Horror Stories? Over Guitar Center's Warranties (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Tue, 12 Jun 2018 23:30:03 -0400
Former employees and customers at the giant music retailer described
problems with how it sells protection plans, particularly in Puerto Rico.

Guitar Center said in a statement for this article that it had been “made
aware of an issue with some third-party protection plans that were sold in
Puerto Rico over the past 30 months.''

“We found that—despite our policies and systems in place --
approximately 100 transactions including at least a protection plan have
been made with Puerto Rican addresses.''

The company said the transactions represented “a tiny fraction'' of the
warranties that it sells.

It blamed a “glitch in our computer system in 2017 that inadvertently
allowed orders with Puerto Rican addresses to have protection plans
processed,'' as well as “a few employees acting outside of our longstanding
policy.''

http://www.nytimes.com/2018/06/07/business/guitar-center-warranty.html

Yeah, the system did it. That's the ticket, blame the evil system...


The Guy Who Robbed Someone at Gunpoint for a Domain Name Is Getting 20 Years in Jail (Motherboard)

"Matthew Kruk" <mkrukg@gmail.com>
Mon, 18 Jun 2018 20:20:21 -0600
How a meme and a failed armed robbery gave a whole new meaning to 'domain
hijacking.'
http://motherboard.vice.com/en_us/article/pavwj8/armed-robbery-domain-website-gunpoint-doitforstate


Clarinetist discovers his ex-girlfriend faked a rejection letter from his dream school (The Washington Post)

Gabe Goldberg <gabe@gabegold.com>
Sat, 16 Jun 2018 23:31:23 -0400
By this point, he and his girlfriend had already been broken up for more
than a year. Even so, it did not occur to him that she could be responsible
for impersonating him.  “I never would've even considered that the person I
trusted the most would have done something like this to me.''

But then one of his friends suggested the possibility thathis ex-girlfriend
could be responsible. After all, when they dated, Abramovitz essentially
lived with her, leaving his computer easily accessible to her. She knew his
passwords and could have easily logged on to his email.

In May 2016, Abramovitz and his friend tried logging on to the email account
that sent the fake rejection letter, giladyehuda09@gmail.com.  Abramovitz
remembered an old password the ex-girlfriend used for Facebook, “and sure
enough, we got right in.''  The ex-girlfriend's contact information appeared
clearly in the email account. The only exchange in the Inbox was the
rejection letter sent to Abramovitz.

http://www.washingtonpost.com/news/morning-mix/wp/2018/06/15/clarinetist-discovers-his-ex-girlfriend-faked-a-rejection-letter-from-his-dream-school/

Yeah, risks...


Internet TV firmware update/soft power-switch failure

Richard M Stein <rmstein@ieee.org>
Mon, 18 Jun 2018 17:52:12 -0700
While on vacation near Palm Springs, CA, the home we rented was equipped
with all manner of internet of mistakes devices, including a Samsung
SmartTV.

At 0200 one morning, it switched on suddenly. Apparently, the owners—out
of convenience or pure ignorance—elected for firmware auto-updates.

The family was startled, as the volume had been boosted by the flash memory
save and reboot; the legacy off-state was not restored. The line-of-sight TV
controls remained operative.

Although the Samsung SmartTV possesses an "Eco Solution" feature that
auto-detects inactivity after 4 hours, or extended loss of signal, I cannot
help imaging if the upgrade either bricked these soft switches, or it
possessed a "thermal runaway" virus maliciously designed to ignite the unit.


Ghost Cytometry May Improve Cancer Detection, Enable New Experiments (SciAm)

Richard M Stein <rmstein@ieee.org>
Thu, 14 Jun 2018 17:26:29 -0700
http://www.scientificamerican.com/article/ghost-cytometry-may-improve-cancer-detection-enable-new-experiments/

A fascinating discussion on a new cell sorting technique to
characterize morphology—shape and type—for disease detection.

  They tweaked the typical cytometry setup and added a single-pixel detector
  --a camera that images one pixel at a time rather than thousands at once
 —creating a device that can generate a unique signature for
  fluorescently labeled cells based on the light they emit. Essentially this
  approach produces a ghost depiction of a cell's structure, an identifiable
  pseudo-image based on the activated light particles.

  A machine-learning algorithm then uses these ghost images to categorize
  the cells in real time, and another device sorts the incoming cells into
  separate compartments.

  Although some flow cytometers have been able to image cells for several
  years, “this is the first instrument that allows the physical sorting of
  cells based on their morphology,'' Anne Carpenter, a computational
  biologist at the Broad Institute of MIT and Harvard who was not involved
  in the work, wrote in an e-mail.  “This is revolutionary.''

No mention of the learning algorithm training regimen—possibly steepest
descent, and the potential to get trapped at a false optimization point.

One needs to ask what the certification/license requirements are to market
this device. Do the certification requirements mirror that for embedded
medical devices, where a manufacturer only has to show "similarity" to
legacy equivalent products, and skip random control trials?


Creating bizarre interfaces

Rob Slade <rmslade@shaw.ca>
Mon, 18 Jun 2018 17:27:00 -0700
It used to be called human-factors engineering when I went to school.
Making sure that the system was as obvious and transparent as possible for
the user.

Since somewhat prior to the assassination of the CISSPforum by ISC2 (no, I'm
not bitter.  Why do you ask?), I've been exploring the interface for the new
"community."  One of the topics has been "labels," and particularly
searching for labels.

http://community.isc2.org/t5/Customer-Support/What-s-the-difference-between-labels-and-tags/m-p/11584 or
http://is.gd/jgVt7

SamanthaO_isc2 has been helpful, and wrote:

"I wanted to provide an update to you about searching and labels. We have
enabled a filter for labels on the search page. While this does not allow
you to search for labels directly, here is where you can see the various
labels used throughout the Community, and filter results by certain labels."

I couldn't find what she was talking about.  So she posted a screen shot
which showed that you could search on location ("board"), label, author,
date, metadata, type of post, and contents with a series of buttons or drop
downs.  But these didn't show up when I went to the search page, so *I*
posted a screen shot, showing that the buttons weren't there.

And then denbesten posted:

"If my window is 27cm wide, it looks like @rslade's screenshot.  If 28cm, it
looks like @SamanthaO_isc2's."

He's right.  (Well, pretty much right: the measurement on my screen seems
slightly less, so I think it has to do with pixels, but ...)  That *never*
would have occurred to me.

Given the lack of privacy (see
http://catless.ncl.ac.uk/Risks/30/71%23subj23). you can test it out
for yourself at
http://community.isc2.org/t5/forums/searchpage/tab/message

Of course, now that it's been pointed out, I can see that you might want to
reduce the complexity of the screen for mobile devices.  But you might want
to do it in such a way that it was obvious something was hidden or missing.

I think I'll go back to researching security implications of quantum
computing.  It's simpler ...

(So, if I put the window in the top left corner of the screen does it change
languages?)


More dodgy numbers - LinkedIn this time

Tony Harminc <tharminc@gmail.com>
Thu, 14 Jun 2018 13:42:39 -0400
LinkedIn shows my age (for advertising purposes) as 55-2147483647.

They are not wrong.


Maybe they'll accept postcard calls for help

Gabe Goldberg <gabe@gabegold.com>
Thu, 21 Jun 2018 09:28:23 -0400
*This is a message from Fairfax Alerts*

Verizon Wireless is experiencing an outage affecting 9-1-1 and ten-digit
dialing.  Fairfax County residents can text 9-1-1 from a Verizon phone as an
alternate.


Re: Another risk of driverless cars (PGN, RISKS-30.72)

Ed Ravin <eravin@panix.com>
Thu, 21 Jun 2018 22:16:06 -0400
You don't need to drive to an area without coverage to give your cell phone
a denial-of-service attack—cell service is subject to many other modes of
interference. For example, the Evanston, Illinois incident described in
RISKS-29.88, where a faulty neon sign power supply emitted RF signals
sufficient to block cell service in the immediate area (and also block car
owners from using their wireless dongles, which is what made that item
RISKS-worthy).  Stingray-style devices can also target individual phones (or
vehicles with built-in phones) and block or corrupt their outgoing calls.

I'm looking forward to the presentation at Black Hat 2025, where researchers
will show how to subvert every current model of driverless vehicle with a
combination of wireless network attacks, cell phone interference to block
the remote emergency "driver", LIDAR attacks like those described in
http://eprint.iacr.org/2017/613 and spoofed law-enforcement overrides.
It's going to be such a mess we're going to need a new name for it, maybe
"the Internet of Things, on wheels".


Re: Microsoft, Github, & distributed revision control (Ohno)

"Wol's lists" <antlists@youngman.org.uk>
Wed, 13 Jun 2018 14:36:29 +0100
This completely misunderstands what git and github are - the whole point of
git is that every developer has an identical copy of the source
repository. "Migrating away" in this sense is as simple as creating an
account on another central service and doing a push.

The problem is that Github does a lot more than just host your program - it
provides all the infrastructure behind it like bug tracking, enhancement
requests, communications forum etc. THIS is value-add which git does not
provide, and THIS is what is not easy to migrate from one central service to
another.


Re: Florida skips gun background checks for a year after employee forgets login (Goldberg, RISKS-30.82)

R A Lichtensteiger <risks@throwawaydomain.com>
[lost]
This blog post is incorrect and misleading.

The Florida Department of Agriculture Licensing department did, in fact,
perform the required background checks on applicants for licenses to carry
concealed weapons or firearms.  According to later news reports checks were
done through FCIC (Florida Criminal Information Computer system) and NCIC
(National Criminal Information Computer system—the national FBI
fingerprint data base) and they also did a NICS check (National Instant
Check System), which is the name-based background check system.

What did NOT happen was that 365 applications where the background check
flagged one or more disqualifiers were not immediately rejected.  That is a
problem.  But it is NOT the same problem as claiming that the checks weren't
done.  It's also 0.001% of the applications processed during that time
period.

It should also be noted that this was on LICENSE APPLICATIONS, not purchases
of firearms.  So 365 people who shouldn't have gotten licenses did.  When
the failure was discovered, those 365 licenses were reviewed (as they should
have been initially). 74 were cleared and 291 still had disqualifiers.

As a final observation, the same NICS check that was part of the background
check for the application is done, per federal law, at EVERY sale at a gun
dealer, so any PURCHASES by these people whould have been flagged by ATF and
denied.

http://www.orlandoweekly.com/Blogs/archives/2018/06/11/florida-revoked-291-concealed-weapons-permits-after-putnams-office-failed-to-review-background-checks

The risks?  Myriad

   1) Relying on a cybersecurity blog for mainstream news
   2) Rushing to be the first one to post on Risks and not
      waiting until the facts were reported.
   3) Drawing Risks into US gun politics.


Re: Florida skips gun background checks for a year after employee forgets login (Lichtensteiger)

Gabe Goldberg <gabe@gabegold.com>
Wed, 13 Jun 2018 13:40:59 -0400
0. Thanks for your response.
1. Often cybersecurity blogs are only place reporting cybersecurity
   risks—at first, or (sometimes) ever.
2. Ditto. Posting isn't "rushing", it's reporting on what's been seen.
   Then come responses.
3. Rather than related to gun politics, this was reported as a forgotten
   password issue. It could have been a state DMV or NRA. It happened to be
   related to firearms—but that doesn't make it off topic/limits.

Please report problems with the web pages to the maintainer

x
Top