Prev

RISKS Digest 31.45

Monday 7 October 2019

The broken record: Why Barr's call against end-to-end encryption is nuts

Sean Gallagher <rforno@infowarrior.org>

Date: October 5, 2019 at 9:53:15 AM GMT+9

[Via Dave Farber]

Sean Gallagher, Ars Technica, 4 Oct 2019

Barr, DHS Secretary, UK, and Australia say end-to-end encryption will help child abusers.

Here we go again.

US Attorney General William Barr is leading a charge to press Facebook and other Internet services to terminate end-to-end encryption efforts—this time in the name of fighting child pornography. Barr, acting Secretary of Homeland Security Kevin McAleenan, Australian Home Affairs Minister Peter Dutton, and United Kingdom Secretary of State Priti Patel yesterday asked Facebook CEO Mark Zuckerberg to hold off on plans to implement end-to-end encryption across all Facebook Messenger services "without including a means for lawful access to the content of communications to protect our citizens."

https://arstechnica.com/tech-policy/2019/10/the-broken-record-why-barrs-call-against-end-to-end-encryption-is-nuts/

Disney World Skyliner Gondola abruptly stops, stranding passengers in air

NYTimes <monty@roscom.com>

Date: Mon, 7 Oct 2019 00:19:42 -0400

https://www.nytimes.com/2019/10/06/business/disney-skyliner-crash.html

The gondola system, which connects Epcot, Hollywood Studios and several Disney World resorts, opened on Sept. 29. It has now been shut down.

Volatile compounds? 3D printing has a serious safety problem

Greg Nichols <gene@shaw.ca>

Date: Tue, 01 Oct 2019 17:04:26 -0700

Greg Nichols for Robotics, ZDNet, 1 Oct 2019

Dangerous emissions are the dirty little secret of the ballooning 3D printing industry. https://www.zdnet.com/article/volatile-compounds-3d-printing-has-a-serious-safety-problem/

selected text:

It's looking more and more certain that 3D printing has a serious safety problem. Though largely overlooked in the tech press, the problem is pervasive and could impact millions of students, patients, and employees who work in non-industrial settings that lack controlled environments.

That's according to a two-year study by UL Chemical Safety and Georgia Institute of Technology, which shows that 3D printers emit airborne nanoparticles and volatile organic compounds that can cause cardiovascular and pulmonary issues. The UL/Georgia Tech study details the alarming presence of more than 200 volatile compounds that are detected in environments where a 3D printer is in use, including known irritants and carcinogens.

Decades-old code is putting millions of critical devices at risk

WiReD <gabe@gabegold.com>

Date: Wed, 2 Oct 2019 23:49:58 -0400

Nearly two decades ago, a company called Interpeak created a network protocol that became an industry standard. It also had severe bugs that are only now coming to light.

In early August, the enterprise security firm Armis got a confusing call from a hospital that uses the company's security monitoring platform. One of its infusion pumps contained a type of networking vulnerability that the researchers had discovered in a few weeks prior. But that vulnerability had been found in an operating system called VxWorks—which the infusion pump didn't run. <https://www.wired.com/story/vxworks-vulnerabilities-urgent11/>

Hospital representatives wondered if it was just a false positive. But as Armis researchers investigated, they started to see troubling signs of a connection between VxWorks and the infusion pump's operating system. What they ultimately discovered has disturbing implications for the security of countless critical systems—patient monitors, routers, security cameras, and more—across dozens of manufacturers.

Today Armis, the Department of Homeland Security <https://www.us-cert.gov/ics/advisories/icsa-19-274-01>, the Food and Drug Administration and a broad swath of so-called real-time operating system and device companies disclosed that Urgent/11, a suite of network protocol bugs, exist in far more platforms than originally believed. The RTO systems are used in the always-on devices common to the industrial control or health care industries. And while they're distinct platforms, many of them incorporate the same decades-old networking code that leaves them vulnerable to denial of service attacks or even full takeovers. There are at least seven affected operating systems that run in countless IoT devices across the industry. <https://www.fda.gov/medical-devices/safety-communications/urgent11-cybersecurity-vulnerabilities-widely-used-third-party-software-component-may-introduce>, <https://www.armis.com/resources/iot-security-blog/urgent-11-update/>

"It's a mess and it illustrates the problem of unmanaged embedded devices," says Ben Seri, vice president of research at Armis. "The amount of code changes that have happened in these 15 years are enormous, but the vulnerabilities are the only thing that has remained the same. That's the challenge."

https://www.wired.com/story/urgent-11-ipnet-vulnerable-devices/

Ransomware forces 3 hospitals to turn away all but the most critical patients

Ars Technica <monty@roscom.com>

Date: Wed, 2 Oct 2019 09:18:55 -0400

https://arstechnica.com/information-technology/2019/10/hamstrung-by-ransomware-10-hospitals-are-turning-away-some-patients/

These sneaky email scammers are making it even harder for workers to spot fake invoices

Danny Palmer <gene@shaw.ca>

Date: Mon, 07 Oct 2019 10:33:44 -0700

Danny Palmer, ZDNet, 2 Oct 2019

By compromising emails between vendors and their clients, scammers can produce exact replicas of expected invoices - and funnel the funds into their own wallets. https://www.zdnet.com/article/these-sneaky-email-scammers-are-making-it-even-harder-for-workers-to-spot-fake-invoices/

opening text:

Email scammers are getting more sophisticated, with one gang showing particularly advanced tactics for stealing from organisations across the world by using stealth, persistence and social engineering to trick firms into paying invoices for legitimate services.

The attacks are different to standard Business Email Compromise (BEC) attacks because rather than using a fake request for a money transfer apparently ordered by a CEO or CFO, this campaign is based around supply chains, espionage and research, with the attackers only cashing in once they're convinced they can successfully dupe the victim by injecting themselves into a legitimate email thread about finance.

This kind of approach makes the attacks very difficult to detect—and often victims will only know they've been scammed when a vendor asks why a payment wasn't received.

This mysterious hacking campaign snooped on a popular form of VoiP software

Danny Palmer <gene@shaw.ca>

Date: Mon, 07 Oct 2019 10:08:48 -0700

Danny Palmer | 4 Oct 2019 Researchers uncover a campaign that is snooping on call data and recordings of conversations - and could even spoof calls. https://www.zdnet.com/article/this-mysterious-hacking-campaign-is-snooping-on-a-popular-form-of-voip-software/

selected text:

Security researchers have traced the initial attacks back to between February and July 2018, when an attacker was performing scans on over 600 companies across the world that use Asterisk FreePBX—a popular form of open source VoiP software.

The attacker then went quiet for months before re-emerging this year, targeting a US-based server owned by an engineering company that provides services to the oil, gas and chemical industries.

Webkit zero-day exploit besieges Mac and iOS users with malvertising redirects

Ars Technica <monty@roscom.com>

Date: Wed, 2 Oct 2019 09:20:09 -0400

https://arstechnica.com/information-technology/2019/09/webkit-zeroday-exploit-besieges-mac-and-ios-users-with-malvertising-redirects/

Commuters get an eyeful after pair breaks in, uploads porn to Michigan billboard

NBC News <monty@roscom.com>

Date: Tue, 1 Oct 2019 19:16:45 -0400

https://www.nbcnews.com/news/us-news/commuters-get-eyeful-after-pair-breaks-uploads-porn-michigan-billboard-n1060581

Maine hospital 'Wall of Shame' used records to mock disabled patients

The Boston Globe <monty@roscom.com>

Date: Sat, 5 Oct 2019 00:29:38 -0400

https://www.boston.com/news/health/2019/10/04/a-maine-hospitals-wall-of-shame-used-private-records-to-mock-disabled-patients-now-officials-are-apologizing

How Israeli security services used big data to stop a wave of terrorism

haaretz <amos083@gmail.com>

Date: Sun, 6 Oct 2019 01:03:42 +0300

During 2015, Israel's security services were faced with a new problem: Dozens of young Palestinians, most of them with no terrorist background, were using whatever was handy—from kitchen knives to cars—to stoke an unusual wave of terror attacks.

These activists were difficult to track down, because most of them were acting alone and were not members of any known organizations. According to an article in the newspaper Haaretz, cyber-experts had used big data gathered from social networks to flag any unusual behavior on the net -- such as access to extremists sites or "Facebook wills"—in order to stop potential terrorists, some of them even before they had carried out any attack.

https://www.haaretz.com/israel-news/.premium-how-israel-stopped-a-third-palestinian-intifada-1.7942355 (may require subscription)

Wearable face projector to avoid face recognition

Reddit <chema@rinzewind.org>

Date: Sun, 6 Oct 2019 11:51:16 -0400

https://www.reddit.com/r/Cyberpunk/comments/ddplms/hk_wearable_face_projector_to_avoid_face/

Found this on Reddit linked to HK protests but, as a commenter says, this is actually an art project. There is more information here: http://jingcailiu.com/?portfolio=wearable-face-projector

Cameras and other technological products make for a better and safer living environment than ever before. Mega databanks and high-resolution cameras in the streets stock hundreds of exabytes a year. But who has access to this data? It is possible that it could have commercial use, hence not only retail companies but also the advertisement industry could be very interested in this data in the coming future. They would hope to gain these personal data and information as much as they can.

In the future, the advertisement could call your name when you walk along the streets. The companies would know your personal interests and may set different retail strategies for you. It could be convenient for customers, but personal thoughts and opinions should be kept private. This product protects you from this privacy violation.

Concept:

Wearable face projector: A small beamer projects a different appearance on your face, giving you a completely new appearance.

Federal government has dramatically expanded exposure to risky mortgages

WashPost <gabe@gabegold.com>

Date: Thu, 3 Oct 2019 17:29:49 -0400

“There is a point here where, in an effort to create access to homeownership, you may actually be doing it in a manner that isn't sustainable and it's putting more people at risk,'' said David Stevens, a former commissioner of the Federal Housing Administration who led the Mortgage Bankers Association until last year. “Competition, particularly in certain market conditions, can lead to a false narrative, like `housing will never go down' or `you will never lose on mortgages.' ''

https://www.washingtonpost.com/business/economy/federal-government-has-dramatically-expanded-exposure-to-risky-mortgages/2019/10/02/d862ab40-ce79-11e9-87fa-8501a456c003_story.html

The risks? Human nature, greed, stupidity, unwillingness to learn from history. The usual.

[It's a good think RISKS does not have a requirement for only *new topics*. “When will they ever learn.'' (The old song, Little Boxes on the Hillside'' [and they all look just the same] seems relevant here. PGN]

What Is Bitcoin Block Size and Why Does It Matter?

Blocks Decoded <gabe@gabegold.com>

Date: Thu, 3 Oct 2019 17:55:50 -0400

However, that 1MB block size limit also restricts the number of transactions the Bitcoin network processes. With a 1MB block size limit, the Bitcoin network processes a maximum of around seven transactions per second (there are anomalies). For comparison, Ethereum processes about 15 transactions per second, Bitcoin Cash process around 65 transactions per second, and the Visa network can process over 1,700 fiat transactions per second.

You see, then, that the Bitcoin block size has a direct effect on Bitcoin transaction speed.

https://blocksdecoded.com/what-bitcoin-block-size/

Using some fraction of the world's electricity to process ... seven transactions/second?

Hacking Of Internet-connected cars big national security threat

Consumer Watchdog <monty@roscom.com>

Date: Sat, 5 Oct 2019 10:42:43 -0400

Kill Switch: Why Connected Cars Can Be Killing Machines And How To Turn Them Off https://www.consumerwatchdog.org/privacy-technology/report-finds-hacking-internet-connected-cars-big-national-security-threat https://www.consumerwatchdog.org/sites/default/files/2019-07/KILL%20SWITCH%20%207-29-19.pdf

Some of the biggest critics of Waymo and other self-driving cars are the Silicon Valley residents who know how they work

WashPost <gabe@gabegold.com>

Date: Thu, 3 Oct 2019 17:26:34 -0400

SUNNYVALE, Calif. Karen Brenchley is a computer scientist with expertise in training artificial intelligence, but this longtime Silicon Valley resident has pangs of anxiety whenever she sees Waymo self-driving cars maneuver the streets near her home.

The former product manager, who has worked for Microsoft and Hewlett-Packard, wonders how engineers could teach the robocars operating <https://www.washingtonpost.com/local/trafficandcommuting/waymo-launches-nations-first-commercial-self-driving-taxi-service-in-arizona/2018/12/04/8a8cd58a-f7ba-11e8-8c9a-860ce2a8148f_story.html?tid=lk_inline_manual_4> on her tree-lined streets to make snap decisions, speed and slow with the flow of traffic and yield to pedestrians coming from the nearby park. She has asked her husband, an award-winning science-fiction author who doesn't drive, to wear a shiny vest while cycling to ensure autonomous vehicles spot him in a rush of activity.

The problem isn't that she doesn't understand the technology. It's that she does, and she knows how flawed nascent technology can be. ... <https://www.washingtonpost.com/business/driverless-cars/2018/10/26/d141ee32-d926-11e8-8384-bcc5492fef49_story.html?tid=lk_inline_manual_6>.

Silicon Valley types can be most skeptical of advanced technology because they know how it works and what its risks are. Parents with experience at large tech firms have famously cracked down on screen time for their children. Some tech executives won't let female family members ride alone at night with ride-sharing cars. Others keep their kids off social media indefinitely.

That same skepticism has landed on Silicon Valley streets. Residents are showing up to community meetings to express their concern about driverless cars, even though they still have safety drivers in the front seat. Posts on community site Nextdoor debate safety risks.

https://www.washingtonpost.com/technology/2019/10/03/silicon-valley-pioneered-self-driving-cars-some-its-tech-savvy-residents-dont-want-them-tested-their-neighborhoods/

[Also noted by Richard Stein. PGN]

10 Tips to Avoid Leaving Tracks Around the Internet

NYTimes <monty@roscom.com>

Date: Sun, 6 Oct 2019 16:29:37 -0400

https://www.nytimes.com/2019/10/04/smarter-living/10-tips-internet-privacy-crowdwise.html

Some of these suggestions are more aggressive, and make using the web less convenient, but they'll definitely protect your privacy.

Code 42 Info Requested

Charles Dunlop <cdunlop@umich.edu>

Date: Sun, 6 Oct 2019 21:41:49 -0400

A former student of mine recently took a job in a lab that required him to install "Code 42" software on his personal computer. This software apparently backs up any lab-related data, and flags situations in which the data is deleted or copied or moved to other media. He was told that he could opt to back up only the lab folder on his MacBook; however, the IT folks informed him that if he elected that option, his entire computer would be backed up.

I hadn't heard of this software before, and there doesn't seem to be a lot of good information about it online. Prima facie, it raises some serious privacy issues. Any information about this would be appreciated.

NCCIC

Rebecca Mercuri <notable@mindspring.com>

Date: Fri, 4 Oct 2019 04:30:16 -0400

Those who are not already familiar with NCCIC (the U.S. National Cybersecurity and Communications Integrations Center) may find this informational brochure to be of interest. <https://www.us-cert.gov/sites/default/files/publications/NCCIC_Year_in_Review_2017_Final.pdf>

In the face of increasingly sophisticated threats, NCCIC stands on the front lines of the Federal Government's efforts to defend the Nation's most essential cyber- and communications networks. Every day brings challenges and opportunities. Our work inspires us, and we pursue it with a single-minded purpose: create a more secure and resilient cyber- and communications infrastructure. In pursuit of this goal, NCCIC will listen to customers, operational partners, and other stakeholders, remaining attentive and responsive to their needs. We need and will encourage active stakeholder participation.

In our information sharing programs to limit the likelihood and severity of incidents. We will emphasize utility, speed, and accuracy in the information we provide, and we will share as broadly as possible, while protecting confidentiality and privacy. We will continuously assess and optimize the way we perform as an integrated organization across all locations and refine our processes, technologies, and organizational structure to best execute our mission and serve our customers. NCCIC will remain a leader in the cybersecurity field by recruiting the best and brightest people, and by remaining agile and leaning forward to tackle current and future threats.

[Rebecca gave the URL for the 2017 report, whose conclusions I have added to her message. The following URL she cited is more recent. PGN]

More about NCCIC can be found here: <https://www.dhs.gov/cisa/national-cybersecurity-communications-integration-center>

Look Who's Driving, NOVA, 23 Oct 9 pm EDT

Gabe Goldberg <gabe@gabegold.com>

Date: Fri, 4 Oct 2019 15:08:24 -0400

After years of anticipation, autonomous vehicles are now being tested on public roads around the world. Dozens of startups have sprung up alongside established auto and tech giants—which are also testing the waters—to form what many hope will be a transformative new industry. But as innovators rush to cash in on what they see as the next high-tech pot of gold, some experts warn there are still daunting challenges to overcome—like how to train computers to make life-and-death decisions as well as humans can. NOVA peers under the hood of the autonomous vehicle industry to investigate how driverless cars work, how they may change the way we live, and whether we will ever be able to entrust them with our lives. NOVA /Look Who's Driving/ premieres Wednesday, October 23, 2019 at 9 p.m. ET/8C on PBS.

How can we train artificial intelligence to be better than humans at making life-and-death decisions? How do self-driving cars work? How close are we to large-scale deployment of them? Join us for a special screening of this fascinating documentary followed by our panel of pioneering company leaders and academic experts who will tackle not just these technical issues, but some of the potential economic and social implications. This panel discussion will be streamed live on our Facebook page. <https://www.facebook.com/pg/computerhistory/videos/?ref=page_internal>

https://computerhistory.org/events/look-whos-driving/