The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 97

Thursday 20 December 2018

Contents

Sneaky parrot uses Amazon Alexa to shop while owner is away
WFLA
The GPS wars are here
Foreign Policy
Both engines on Virgin Australia ATR 72 "flame out"
SMH
Drone shatters passenger jet's nose-cone, radar
RT
Uber exec warned of rampant safety problems before fatal crash
Ars Technica
Ingestible Capsule Can Be Controlled Wirelessly
MIT News
How a National Security Investigation of Huawei Set Off an International Incident
NYTimes
Apache Misconfig Leaks Data on 120 Million Brazilians
InfoSecurity
"Market volatility: Fake news spooks trading algorithms"
Tom Foremski
"Rhode Island sues Google after latest Google+ API leak"
Catalin Cimpanu
New Zealand courts banned naming Grace Millane's accused killer; Google just emailed it out.
The Guardian
Iranian phishers bypass 2fa protections offered by Yahoo Mail and Gmail
Ars Technica
Turning on 2FA potentially harmful
Toby Douglass
Top 10 worst password FAILS of 2018
CSO
She'd just had a stillborn child. Tech companies wouldn't let her forget it
Chris Matyszczyk
Thousands of Jenkins servers will let anonymous users become admins
Catalin Cimpanu
"Bing recommends piracy tutorial when searching for Office 2019"
Catalin Cimpanu
"Big Brother is driving with you!"
Rob Hull
Delivery robot bursts into flames at UC Berkeley, students hold it a vigil
SanFranChronicle
Re: Your apps know where you were last night, and they're not
Kelly Bert Manning
Re: Rudy Giuliani Says Twitter Sabotaged His Tweet
Kurt Seifried
Re: What Happens When You Reply All to 22,000 State Workers
Amos Shapir
Re: Annoyed Baltimore Drivers Want City To Crack Down On `Squeegee Kids'
Richard M Stein
John R. Levine
David Waitzman
Info on RISKS (comp.risks)

Sneaky parrot uses Amazon Alexa to shop while owner is away (WFLA)

Gabe Goldberg <gabe@gabegold.com>
Mon, 17 Dec 2018 16:52:35 -0500
TAMPA, Fla. (WFLA) - A foul-mouthed parrot, who was kicked out of an animal
sanctuary for swearing too much, is using technology to cause even more
trouble.  The Times of London reports Rocco, an African grey, has been using
Amazon Alexa to shop online while his owner was away.

His owner, Marion Wis[c]hnewski told the newspaper she was shocked to find
that her Amazon account suddenly had pending orders for various snacks,
including watermelon and ice cream and also a kettle.  "I have to check the
shopping list when I come in from work and cancel all the items he's
ordered," Wischnewski told *The Daily Mail*.

https://www.wfla.com/news/viral-news/sneaky-parrot-uses-amazon-alexa-to-shop-while-owner-is-away/1662596515

  [Coyly, that case is the “real macaw'' (at least in English-speaking
  idioms, but perhaps not in Macao).  However, it reminds me of several very
  funny parroting jokes—one that makes sense only when told in German,
  one about a seemingly very devout parrot who surprisingly turns
  foul-mouthed, and more.  Best wishes for some Holiday Cheer!  PGN]


The GPS wars are here (Foreign Policy)

Gabe Goldberg <gabe@gabegold.com>
Tue, 18 Dec 2018 11:12:22 -0500
The problem first hit during Russia's September 2017 Zapad military exercise
in its western regions, near the Baltic states. Then it happened again in
October during NATO's Trident Juncture exercise, held in Norway. GPS signals
across far northern Norway and Finland failed.  Civilian airplanes were
forced to navigate manually, and ordinary citizens could no longer trust
their smartphones.

https://foreignpolicy.com/2018/12/17/the-gps-wars-are-here/


Both engines on Virgin Australia ATR 72 "flame out" (SMH)

John Colville <John.Colville@uts.edu.au>
Tue, 18 Dec 2018 20:08:03 +0000
https://www.smh.com.au/national/virgin-australia-under-investigation-after-engines-flame-out-during-landing-20181218-p50n22.html

Virgin Australia is under investigation after two engines on one of its
aircraft "flamed out" during descent and had to be manually re-ignited
before the aircraft hit the tarmac.  The incident, which involved an ATR 72
twin-engine turboprop aircraft en route from Sydney to Canberra on December
13, has been categorised as "serious" by the Australian Transport Safety
Bureau (ATSB).


Drone shatters passenger jet's nose-cone, radar (RT)

the keyboard of geoff goodfellow <geoff@iconia.com>
Fri, 14 Dec 2018 13:34:16 -1000
Imagine if that goes through a window or an engine.

https://www.rt.com/news/446416-plane-drone-collision-mexico/


Uber exec warned of rampant safety problems before fatal crash (Ars Technica)

Gabe Goldberg <gabe@gabegold.com>
Tue, 18 Dec 2018 16:47:16 -0500
"They told me incidents like that happen all of the time," whistleblower
wrote.

https://arstechnica.com/tech-policy/2018/12/uber-exec-warned-of-rampant-safety-problems-days-before-fatal-crash/


Ingestible Capsule Can Be Controlled Wirelessly (MIT News)

ACM TechNews <technews-editor@acm.org>
Mon, 17 Dec 2018 11:17:19 -0500
Anne Trafton, MIT News, 13 Dec 2018, via ACM TechNews, 17 Dec 2018

Researchers at the Massachusetts Institute of Technology (MIT) and Brigham
and Women's Hospital have designed an ingestible capsule that can be
controlled wirelessly via Bluetooth. The three-dimensionally-printed
capsules, which can be customized to dispatch drugs, sense environmental
conditions, or both, can remain in the stomach for at least a month,
transmitting information and responding to instructions from a smartphone.
The capsules also could be used to communicate with other wearable and
implantable devices, transmitting their pooled information to the patient or
doctor's smartphone. Within the capsule is a device with six arms that fold
up before encasement; once swallowed, the capsule dissolves and the arms
expand so the device can lodge in the stomach. Said former MIT postdoc Yong
Lin Kong, "The self-isolation of wireless signal strength within the user's
physical space could shield the device from unwanted connections, providing
a physical isolation for additional security and privacy protection."

https://news.mit.edu/2018/ingestible-pill-controlled-wirelessly-bluetooth-1213

  [Risks in ingested capsules?  They are not "in jest".  Compromised 3-D
  printing instructions?  sharp arms?  embedded transmitters?  monitoring?
  interference with brain signals?  doping?  absorbable toxins triggered
  remotely?  And others left to your imaginations.  PGN]


How a National Security Investigation of Huawei Set Off an International Incident (NYTimes)

Monty Solomon <monty@roscom.com>
Fri, 14 Dec 2018 22:46:03 -0500
https://www.nytimes.com/2018/12/14/business/huawei-meng-hsbc-canada.html

The chief financial officer was arrested after a years-long American inquiry
into the Chinese telecommunications company.


Apache Misconfig Leaks Data on 120 Million Brazilians (InfoSecurity)

Monty Solomon <monty@roscom.com>
Fri, 14 Dec 2018 23:18:35 -0500
https://www.infosecurity-magazine.com/news/apache-misconfig-leaks-data-120/


"Market volatility: Fake news spooks trading algorithms" (Tom Foremski)

Gene Wirchenko <genew@telus.net>
Thu, 13 Dec 2018 09:00:56 -0800
ZDnet, 10 Dec 2018
Stock trading algorithms know how to read news headlines, but they don't
know what's real.

https://www.zdnet.com/article/market-volatility-fake-news-spooks-trading-algorithms/

selected text:

Fake news and inaccurate headlines may have contributed to recent stock
market volatility, as trading algorithms try to interpret market-related
news.

Hugh Son, at CNBC reported that in a note written to clients by J.P. Morgan
Chase's top quant, Marko Kolanovic, blamed a media landscape that's a mix of
real and fake news, which makes it easy for others to amplify negative
news. The effects can be seen that, in spite of a booming economy and
positive signals, the markets are reacting strongly to this mix of negative
news.

High-speed trading algorithms scan news stories to try and quickly determine
if there is any market-moving information that affects their portfolios. It
doesn't give them much time to determine which news stories are real.

For example, a few years ago stock trading algorithms were buying Berkshire
Hathaway stock because actress Anne Hathaway was in the news with a new
movie.


"Rhode Island sues Google after latest Google+ API leak" (Catalin Cimpanu)

Gene Wirchenko <genew@telus.net>
Thu, 13 Dec 2018 08:57:02 -0800
ZDNet,12 Dec 2018
Google sued within a day after announcing latest Google+ API leak.
https://www.zdnet.com/article/rhode-island-sues-google-after-latest-google-api-leak/

opening text:

A day after Google announced a Google+ API leak that could have exposed the
personal information of over 52.5 million users, a Rhode Island government
entity filed a class-action lawsuit in a California court.


New Zealand courts banned naming Grace Millane's accused killer; Google just emailed it out. (The Guardian)

geoff goodfellow <geoff@iconia.com>
Wed, 12 Dec 2018 20:36:55 -1000
That one of the world's biggest companies rides roughshod over a court order
tells you all you need to know about the giants of Silicon Valley

EXCERPT:

Imagine if a media company told you the name of the man accused of killing
Grace Millane. Imagine if, in defiance of a very clear court ruling of
interim name suppression, that company told you his name in an email --
spelling it out, even, in the subject header.

Unthinkable? That's exactly what happened in the early hours of Tuesday.

The media company wasn't (New Zealand's) the Herald or Stuff.  It wasn't
TVNZ or Newshub or RNZ. New Zealand media outlets, from the hobbyist
bloggers to the biggest broadcasters, respected the proscription on naming
the accused. Of course they did: they understand consequences for breaching
such an order, and in fact spend significant time and resource policing
their social media channels to ensure their audience doesn't breach
suppression either.

Not just because the courts would take action against them for doing so.
They understand, too, that it would be morally odious to do so: it could
risk damaging the course of justice in an appalling murder that has left a
family distraught and sent waves of grief and upset through the country.

The company that paid precisely zero heed to all that is a media and
technology corporation from Silicon Valley. A global colossus against which
all of New Zealand;s media companies combined amount to a dim pixel. The
company is Google. Shortly after midnight on Tuesday this week, it delivered
to everyone signed up to its `what's trending in New Zealand' email the name
of the 26-year-old accused of the most headlined crime in this country in
2018...

https://www.theguardian.com/world/2018/dec/13/new-zealand-courts-banned-naming-grace-millanes-accused-killer-google-just-emailed-it-out


Iranian phishers bypass 2fa protections offered by Yahoo Mail and Gmail (Ars Technica)

Lauren Weinstein <lauren@vortex.com>
Thu, 13 Dec 2018 14:48:52 -0800
 (via NNSquad)

  "In other words, they check victims' usernames and passwords in realtime
  on their own servers, and even if 2 factor authentication such as text
  message, authenticator app or one-tap login are enabled they can trick
  targets and steal that information too," Certfa Lab researchers wrote.

https://arstechnica.com/information-technology/2018/12/iranian-phishers-bypass-2fa-protections-offered-by-yahoo-mail-and-gmail/

Avoid using text messaging as a second factor whenever possible!


Turning on 2FA potentially harmful

Toby Douglass <risks@winterflaw.net>
Mon, 17 Dec 2018 19:52:37 +0200
When you make an account with a username, email address and password, it's
usual that a verification email is sent.  If the password is later lost, it
is again an email which is used to send the password reset link, so here we
see the mechanism to make the account is the mechanism to recover the
account.  If you can make the account, then you possess the means to recover
the account.

Two factor authentication when enabled guarantees that the person attempting
to log in knows the username, email, password and possesses the 2FA device.
If the device is lost, email cannot be used for recovery, because then both
the password and device can be compromised by access to the email address.

The question then is how to recover from loss of the 2FA device, and there
is no obviously easy way.  It actually seems to come down to methods to
obtain a partial or full proof of identity - something, critically, which
was *not* required to *enable* 2FA.

It is then that the mechanisms to activate and to recover 2FA are not the
same, and so it can be one works while the other does not, and so it can be
that 2FA is activated, but does not work, and cannot be recovered because
the provided mechanisms do not or cannot work, which means the account is
inaccessible.

Turning on 2FA can be in and of itself a risk.

(As you gentle reader may have guessed, this is what happened today, with
Amazon.  In the light of the recent kernel.org DNS hijack, I activated 2FA
on my Amazon account.  2FA activation worked, but log in to Amazon did not,
and both the 2FA resync and account recovery pages seemed broken server-side
("internal error"), and 2FA support is only available in the form of Amazon
phoning you, and I cannot currently be phoned.  I thought then to try my
luck with AWS rather than Amazon, log in failed still but the resync page on
AWS worked, and having worked, I could log into both retail Amazon and AWS.
If AWS resync also had not worked, I would now be locked out of my account.)


Top 10 worst password FAILS of 2018 (CSO)

Monty Solomon <monty@roscom.com>
Fri, 14 Dec 2018 23:21:54 -0500
https://www.csoonline.com/article/3326830/security/top-10-worst-password-fails-of-2018.html


She'd just had a stillborn child. Tech companies wouldn't let her forget it (Chris Matyszczyk)

Gene Wirchenko <genew@telus.net>
Thu, 13 Dec 2018 09:09:47 -0800
Technically Incorrect, ZDnet, 13 Dec 2018

A woman pleads with tech companies like Facebook and Twitter to stop serving
her ads to intensify her grief.

https://www.zdnet.com/article/shed-just-had-a-stillborn-child-tech-companies-wouldnt-let-her-forget-it/

      [A summary would not do this article justice.  GW]


Thousands of Jenkins servers will let anonymous users become admins (Catalin Cimpanu)

Gene Wirchenko <genew@telus.net>
Sun, 16 Dec 2018 16:13:41 -0800
ZDNet, 16 Dec 2018
Two vulnerabilities discovered and patched over the summer expose Jenkins
  servers to mass exploitation.
https://www.zdnet.com/article/thousands-of-jenkins-servers-will-let-anonymous-users-become-admins/


"Bing recommends piracy tutorial when searching for Office 2019" (Catalin Cimpanu)

Gene Wirchenko <genew@telus.net>
Sun, 16 Dec 2018 16:09:44 -0800
ZDNet, 14 Dec 2018
Oh, Bing! Not again!
https://www.zdnet.com/article/bing-recommends-piracy-tutorial-when-searching-for-office-2019/

opening text:

Microsoft is sending users who search for Office 2019 download links via its
Bing search engine to a website that teaches them the basics about pirating
the company's Office suite.

This happens every time users search for the term "office 2019 download" on
Bing. The result is a Bing search card (highlighted search results) that
links to a piracy tutorial.


"Big Brother is driving with you!" (Rob Hull)

Chris Drewe <e767pmk@yahoo.co.uk>
Sun, 16 Dec 2018 19:55:10 +0000
Thisismoney.co.uk, Daily Mail, 5 Dec 2018

Item in newspaper seen this week.  There's a lot of debate about driverless
vehicles, but how much control will drivers still be allowed to have?  And
what about older cars (mine was made in 1988)—will they just be banned,
or only allowed on the roads under strict supervision?

https://www.dailymail.co.uk/money/cars/article-6462429/All-new-cars-fitted-black-box-devices-log-speed.html

  Big Brother is driving with you! All new cars could be fitted with black
  boxes to log speed and systems to slow them automatically under EU
  proposals
  https://www.dailymail.co.uk/money/cars/article-6462429/All-new-cars-fitted-black-box-devices-log-speed.html

  Big Brother is driving with you! All new cars could be fitted with black
  boxes to log speed and systems to slow them automatically under EU
  proposals

  * The European Council has called for all cars to have data loggers
     fitted by law
  * These would be able to record speed and which safety features were
     activated before, during and after a collision
  * Proposals also want new cars to have intelligent speed assistance
     systems and pre-wiring so an in-car breathalyser can be installed
  * Other requirements for new cars could include lane assist and
     fatigue monitors


Delivery robot bursts into flames at UC Berkeley, students hold it a vigil (SanFranChronicle)

Tom Van Vleck <thvv@multicians.org>
Sun, 16 Dec 2018 11:46:43 -0500
*The San Francisco Chronicle* website:
https://www.sfgate.com/bayarea/article/Delivery-robot-catches-fire-at-UC-Berkeley-13470063.php

hmm.

  [The amount needed to pony up must have been a Vigil-ante.  PGN]


Re: Your apps know where you were last night, and they're not keeping it secret (NYTimes)

Kelly Bert Manning <bo774@freenet.carleton.ca>
Fri, 14 Dec 2018 18:54:09 -0500
If memory serves me correctly, back in the 1950s and 1960s we were told that
one of the freedoms we enjoyed in the "Free West" was not having to
constantly carry Internal Passports to be produced on demand by police and
other officials. Sounded like a Killer Argument to me.

What a change. Even if you don't carry an electronic ball and chain your
movements could be tracked by licence plate scanners or by facial
recognition. Seems more and more like Moscow or Beijing during the Cold War
to me. Greyhound recently ceased operation in Western Canada, but the last
time I used it in 2005 I saw someone being released from handcuffs after
Vancouver Police decided that him giving the same name as a fugitive to the
bus ticket agent was just a coincidence.

I have never had a personal wireless digital device, so the main exposure
would probably be if I bought a new automobile with some sort of wireless
"feature / vulnerability". I would like to see wireless access in autos made
modular, pull the module and carry on without it. Connect a plug to the
engine interface for diagnosis and firmware updating. I use 100 mpbs wired
ethernet for my home network, not WiFi.

At home web pages ask permission to find the location of my PC. I just say
NO. I have a used laptop with wireless that started out with XP
Professional, but it usually boots with Linux.

For the 2015 Victoria Privacy and Security conference one of the presenters
did the usual live demonstration of a Pineapple type attack. I mentioned my
laptop during the Q&A session, and the fact that I had booted it with Tails
from an optical disk instead of Linux from the hard drive.

Such conferences are places where someone might see a challenge or an
opportunity. An IBM employee gave up a phone number to Kevin Mitnick for a
demo of caller ID spoofing during a previous conference.

Back when I had to carry a work phone I turned off the WiFi and GPS to make
the battery life last longer. I am aware that GPS can be turned on again
problematically. Calling 911 turns on GPS if it has been disabled.

Our current auto is more than 10 years old and lacks that "feature".

At least the e-trike I bought in 2016 does not have wireless, although
it does have a USB port for powering a wireless or other device.

https://www.youtube.com/watch%3Fv%3D1xbPm01fWHM


Re: Rudy Giuliani Says Twitter Sabotaged His Tweet (Shapir, 30.96)

Kurt Seifried <kurt@seifried.org>
Wed, 12 Dec 2018 22:22:04 -0700
In all the twitter clients/web interface I use, if I type text it is black,
until twitter or the client make it a link and then it's blue. Just like in
literally every GUI piece of software I've used for 20+ years that
auto-creates hyperlinks based on what you type. If you are typing text and
some of it turns blue... it's probably because it's now a hyperlink.

Attach it as a text file.


Re: What Happens When You Reply All to 22,000 State Workers (RISKS-30.96)

Amos Shapir <amos083@gmail.com>
Sat, 15 Dec 2018 11:26:33 +0200
This looks less like a case of recipients using "Reply to All"—which is
the default mode in many mailers, making mistakes unavoidable—and more a
case of senders who do not know how to use "Bcc" when sending to a large
list of recipients.


Re: Annoyed Baltimore Drivers Want City To Crack Down On 'Squeegee Kids' (Levine, RISKS-30.06)

Richard M Stein <rmstein@ieee.org>
Thu, 13 Dec 2018 12:57:32 +0800
John—You might be right: the AV idles until the way forward is
obstacle-free.

We'll have to wait this trolley problem outcome. Alternatively, Waymo in
Chandler, AZ could share a live scenario demo with the world to prove that
"My Mother the Car" is sharp enough to respectfully manage hostile
pedestrian interaction.

I'd put my money on the vehicle occupants, if present, to issue one or more
verbal command overrides or set a new destination with their hailing
application if the squeegee crew acts aggressively. If AV is payload empty,
an infinite standoff might manifest at the intersection/stop point...or not
-- low fuel or diminished reserve power-level might compel AV return to
depot to refuel rather than exhaust reserves and wait AAA for a tow.

Suppose the AV is stuck due to obstacles that shuffle around it and
otherwise impede forward motion—and possibly at a controlled intersection
or behind another vehicle. I wonder if it'll try to rabbit should the signal
light change to green or remain neutralized until obstacles clear? Possibly,
AV depot control will sense a "help me I am stuck" signal and call the cops
to intervene and run the squeegees off?


Re: Annoyed Baltimore Drivers Want City To Crack Down On 'Squeegee Kids' (Stein, RISKS-30.97)

"John R. Levine" <johnl@iecc.com>
13 Dec 2018 08:28:23 -0500
Having been in NYC when it had squeegee guys, this isn't the trolley
problem.  They dart out when the light is red, they don't deliberately block
traffic, since that would get them arrested instantly.


Re: Annoyed Baltimore Drivers Want City To Crack Down On 'Squeegee Kids' (npr.org)

David Waitzman <dwaitzman@gmail.com>
Sun, 16 Dec 2018 15:51:37 -0500
I would not feel safe, in Baltimore particularly, of rolling down my car
windows for a squeegee kid nor anyone else.

Jacquelyn Smith was killed on December 1st in Baltimore when she "and her
husband saw a woman asking for money.  She rolled down her car window to
hand over some cash when her husband said a man approached the car, reached
inside to try to take Smith's purse and necklace before stabbing her. She
later died at the hospital."

https://www.baltimoresun.com/news/maryland/crime/bs-md-ci-jacquelyn-smith-funeral-20181213-story.html

Please report problems with the web pages to the maintainer

Top