The RISKS Digest
Volume 32 Issue 82

Friday, 13th August 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

The Chinese smart city that knows people's personal habits
bbc.com
Clearing the heavens of space junk
CBS News
AI wrote better phishing emails than humans in a recent test©
WiReD
Robots are coming for the lawyers
The Conversation
Facebook is reportedly trying to analyze encrypted data without deciphering it
Engadget
We Research Misinformation on Facebook. It Just Disabled Our Accounts.
NYTimes
Brooklyn Tech students uncovered an NYC schools data breach
Brooklyner
Citigroup Center Stilts “ New York, New York
Atlas Obscura
A Critical Random Number Generator Flaw Affects Billions of IoT Devices
The Hacker News
Bugs in Managed DNS Services Cloud Let Attackers Spy On DNS Traffic
The Hacker News
‘Tortured phrases’ give away fabricated research papers
Nature
A new flying car illustrates the same old problems
Hackaday
Cryptocurrency debate slows infrastructure bill
WashPost
#DEFCON: Exploiting Vulnerabilities in the Global Food Supply Chain
Infosecurity Magazine
Mesa County Colorado secure election systems passwords posted on political blog
Rod Wilcox
Why you should care about Zoom's $85m privacy lawsuit
Ars Technica
Re: Chair moved to clean in control room, bumps switch, shutting reactor in Taiwan
Dan Jacobson
Re: Apple to Scan iPhones for Child Sex Abuse Images
Ross Anderson via PGN
Re: Cyber-attack against steering of ships?
R A Lichtensteiger
Re: DRM item with an Unreadable Button
David E. Ross
Re: Reading Race: A Remarkable AI/ML Achievement
Michal Pavlovic
Info on RISKS (comp.risks)

The Chinese smart city that knows people's personal habits (bbc.com)

“Richard Stein” <rmstein@ieee.org>
Sun, 8 Aug 2021 12:14:06 +0800

https://www.bbc.com/reel/video/p09rfsk7/the-chinese-smart-city-that-knows-people-s-personal-habits

“As artificial intelligence changes our world, it has sparked a new arms race between China and the US. Both countries are pouring billions into cutting-edge technology. Experts warn that without urgent regulation, we could lose control of AI.”

Chongqing (population ~16M in 2019) is wired with ~300K cameras that continuously surveils the population, applying facial recognition to ensure public order, and to suppress the free expression of ideas that might challenge the supremacy of political governance priorities.

See “Universal Declaration of Human Rights,” retrieved from from https://www.un.org/en/about-us/universal-declaration-of-human-rights on 08AUG2021. Article 2 is most relevant in this case.

A globally enforced treaty that proscribes AI deployment used to suppress human rights would be required. Treaty negotiations among practitioners of political governance philosophies that explicitly marginalize individual freedoms are unlikely to materialize.

Risk: Basic human right to free expression suppressed with AI.

[The BBC video states ~800M CCTV cameras are deployed globally. The PRC deploys more than 50% of this total. Who watches the watchers?]


Clearing the heavens of space junk (CBS News)

geoff goodfellow <geoff@iconia.com>
Sun, 8 Aug 2021 11:48:03 -1000

If you're going to be a character in a space movie, like “Space Cowboys” or “Gravity,” you've got to watch out for space junk; everybody knows that. But what not everyone knows is that that plot twist isn't fiction anymore.

“I got a call from my chief satellite officer, he said, ‘We've lost track of our satellite vehicle number 33 somewhere over Siberia; it may have been hit by something,’” recalled Matt Desch, the CEO of Iridium, whose 66 satellites provide voice and data connections for governments, companies, air traffic and shipping. <https://www.iridium.com/>

In 2009, a defunct Russian satellite crashed into one of Iridium's. <https://www.cbsnews.com/news/us-and-russian-satellites-collide/>

Correspondent David Pogue asked Desch, “So, how bad was the damage?”

“Well, it completely took out our satellite,” he replied.

The Iridium disaster was a wake-up call for the space industry. “There's estimated to be, like, 130 million tiny pieces smaller than the size of your thumb out there,” said Desch. ”And at 17,000 miles an hour, they can do damage.”

The litter in low Earth orbit has become a constant danger to the International Space Station. In May, astronauts there discovered a hole in the station's giant robotic arm. Fortunately, the arm still works, but it was a lucky strike this time. […]

https://www.cbsnews.com/news/space-junk-damage-international-space-station= / https://www.cbsnews.com/news/clearing-the-heavens-of-space-junk/


AI wrote better phishing emails than humans in a recent test© (WiReD)

“Gabe Goldberg” <gabe@gabegold.com>
Sun, 8 Aug 2021 15:42:33 -0400

Researchers found that tools like OpenAI's GPT-3 helped craft devilishly effective spearphishing messages.

https://www.wired.com/story/ai-phishing-emails/


Robots are coming for the lawyers (The Conversation)

Amos Shapir <amos083@gmail.com>
Wed, 11 Aug 2021 13:24:05 +0300

A report of a research project by lawyers, computer scientists and linguists at MITRE <https://www.mitre.org/> trying to relegate to AI some of the work done by lawyers. The authors note: “One of the first things we learned is that it can be hard to predict which tasks are easily automated”, but suggest that technical tasks like legal research may be automated.

https://theconversation.com/robots-are-coming-for-the-lawyers-which-may-be-bad-for-tomorrows-attorneys-but-great-for-anyone-in-need-of-cheap-legal-assistance-157574

I wonder how long it will be before judges are tempted to use such a system for suggesting an adequate sentence in some cases; and how long after that, it might become common practice to use such suggestions as unquestionable sources of wisdom.


Facebook is reportedly trying to analyze encrypted data without deciphering it (Engadget)

geoff goodfellow <geoff@iconia.com>
Sun, 8 Aug 2021 11:00:03 -1000

The approach could bolster Facebook's ad-targeting efforts

Facebook is reportedly looking into analyzing the content of encrypted data without having to decrypt it. The company is recruiting artificial intelligence researchers to study the matter, according to The Information. <https://www.theinformation.com/articles/facebook-researchers-hope-to-bring-together-two-foes-encryption-and-ads> Their research could pave the way for Facebook to target ads based on encrypted WhatsApp messages. Facebook could also use the findings to encrypt user data without affecting its ad targeting approaches.

This area of research is called “homomorphic encryption,” which relies heavily on mathematics. Microsoft, Amazon and Google are also working on the approach. The aim of homomorphic encryption is to allow companies to read and analyze data while keeping it encrypted to protect information from cybersecurity dangers and to maintain privacy. […]

https://www.engadget.com/facebook-analyze-encrypted-messages-ad-targeting-175739715.html


We Research Misinformation on Facebook. It Just Disabled Our Accounts. (NYTimes)

“Jan Wolitzky” <jan.wolitzky@gmail.com>
Tue, 10 Aug 2021 17:54:08 -0400

<https://www.nytimes.com/2021/08/10/opinion/facebook-misinformation.html>


Brooklyn Tech students uncovered an NYC schools data breach (Brooklyner)

“Gabe Goldberg” <gabe@gabegold.com>
Thu, 12 Aug 2021 19:49:37 -0400

Teachers' social security numbers, student academic records, and families' home addresses are among the dozens of pieces of information a group of tech-savvy high school students stumbled across on Google Drive this year, reports Chalkbeat's Pooja Salhotra.

The documents ” many of which contained confidential information ” were leaked because of a quirk in the education department's Google Drive sharing settings, a group of Brooklyn Technical High School students found.

The students then requested a meeting with a senior staff member at their school, an email obtained by Chalkbeat confirms. At the meeting, the Brooklyn Tech student recalls, the staff member listened as the students walked through a PowerPoint presentation explaining the privacy issues in the education department's Google Drive. The presentation included a slide with photos of some of the shared documents, including a template the students themselves created saying “Brooklyn Tech is better than Stuyvesant.” (Brooklyn Tech and Stuyvesant are two of the city's top high schools.)

https://bklyner.com/brooklyn-tech-students-uncovered-a-nyc-schools-data-breach/

Yay, Tech (my high school)

— Gabriel Goldberg, Computers and Publishing, Inc. gabe@gabegold.com 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433 LinkedIn: http://www.linkedin.com/in/gabegold Twitter: GabeG0


Citigroup Center Stilts “ New York, New York (Atlas Obscura)

“Gabe Goldberg” <gabe@gabegold.com>
Tue, 10 Aug 2021 16:10:33 -0400

If it hadn't been caught in time, a flaw in the design of this Manhattan skyscraper could have led to its collapse.

https://www.atlasobscura.com/places/citigroup-center-stilts

The risk? Bad design not anticipating Big Bad Wolf huffing and puffing, blowing down the fancy building.


A Critical Random Number Generator Flaw Affects Billions of IoT Devices (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Mon, 9 Aug 2021 10:38:40 -1000

A critical vulnerability has been disclosed in hardware random number generators used in billions of Internet of Things (IoT) devices whereby it fails to properly generate random numbers, thus undermining their security and putting them at risk of attacks.

“It turns out that these ‘randomly’ chosen numbers aren't always as random as you'd like when it comes to IoT devices,” Bishop Fox researchers Dan Petro and Allan Cecil said <https://labs.bishopfox.com/tech-blog/youre-doing-iot-rng> in an analysis published last week. “In fact, in many cases, devices are choosing encryption keys of 0 or worse. This can lead to a catastrophic collapse of security for any upstream use.”

Random-number generation (RNG) is a crucial process that undergirds several cryptographic applications, including key generation, nonces, and salting. On traditional operating systems, it's derived from a cryptographically secure pseudorandom number generator (CSPRNG) that uses entropy obtained from a high-quality seed source. <https://en.wikipedia.org/wiki/Random_number_generation>) <https://www.veracode.com/blog/research/cryptographically-secure-pseudo-random-number-generator-csprng>

When it comes to IoT devices, this is supplied from a system-on-a-chip (SoC) that houses a dedicated hardware RNG peripheral called a true random number generator (TRNG) that's used to capture randomness from physical processes or phenomenа.

Stating that the manner in which the peripheral is being current invoked was incorrect, the researchers noted the lack of checks for error code responses across the board, leading to a scenario where the random number generated isn't simply random, and worse, predictable, resulting in partial entropy, uninitialized memory, and even crypto keys containing plain zeros. […] https://thehackernews.com/2021/08/a-critical-random-number-generator-flaw.html


Bugs in Managed DNS Services Cloud Let Attackers Spy On DNS Traffic (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Wed, 11 Aug 2021 09:42:23 -1000

Cybersecurity researchers have disclosed a new class of vulnerabilities impacting major DNS-as-a-Service (DNSaaS) providers that could allow attackers to exfiltrate sensitive information from corporate networks.

“We found a simple loophole that allowed us to intercept a portion of worldwide dynamic DNS traffic going through managed DNS providers like Amazon and Google,” researchers Shir Tamari and Ami Luttwak from infrastructure security firm Wiz said, <https://www.wiz.io/blog/black-hat-2021-dns-loophole-makes-nation-state-level-spying-as-easy-as-registering-a-domain>

Calling it a “bottomless well of valuable intel,” the treasure trove of information contains internal and external IP addresses, computer names, employee names and locations, and details about organizations' web domains. The findings were presented at the Black Hat USA 2021 security conference last week. <https://www.blackhat.com/us-21/briefings/schedule/#a-new-class-of-dns-vulnerabilities-affecting-many-dns-as-service-platforms-23563>

“The traffic that leaked to us from internal network traffic provides malicious actors all the intel they would ever need to launch a successful attack,” the researchers added. “More than that, it gives anyone a bird's eye view on what's happening inside companies and governments. We liken this to having nation-state level spying capability — and getting it was as easy as registering a domain.” […]

https://thehackernews.com/2021/08/bugs-in-managed-dns-services-cloud-let.html


‘Tortured phrases’ give away fabricated research papers (Nature)

Monty Solomon <monty@roscom.com>
Sun, 8 Aug 2021 23:53:20 -0400

Analysis reveals that strange turns of phrase may indicate foul play in science.

https://www.nature.com/articles/d41586-021-02134-0


A new flying car illustrates the same old problems (Hackaday)

geoff goodfellow <geoff@iconia.com>
Mon, 9 Aug 2021 11:44:57 -1000

For almost as long as there have been cars and planes, people have speculated that one day we will all get around in flying cars. They'd allow us to “avoid the traffic” by flying through the air instead of sitting in snarling traffic jams on the ground.

The Klein Vision AirCar hopes to be just such a panacea to our modern traffic woes, serving as a transformable flying car that can both soar through the air and drive on the ground. Let's take a look at the prototype vehicle's achievements, and the inherent problems with the underlying flying car concept.

IT FLIES AND DRIVES. […]

https://hackaday.com/2021/08/09/a-new-flying-car-illustrates-the-same-old-problems/


Cryptocurrency debate slows infrastructure bill (WashPost)

“Gabe Goldberg” <gabe@gabegold.com>
Tue, 10 Aug 2021 18:09:31 -0400

The [U.S.] infrastructure bill is in part stalled as negotiations proceed on how closely to regulate the crypto industry

https://www.washingtonpost.com/business/2021/08/07/cryptocurrency-infrastructure-bill-lobby-bitcoin/


#DEFCON: Exploiting Vulnerabilities in the Global Food Supply Chain (Infosecurity Magazine)

Gabe Goldberg <gabe@gabegold.com>
Thu, 12 Aug 2021 19:55:53 -0400

Autonomous farming equipment that can be controlled remotely now helps to feed humanity. But what if that farming equipment were hacked?

https://www.infosecurity-magazine.com/news/defcon-exploiting-vulnerabilities/


Mesa County Colorado secure election systems passwords posted on political blog

Rob Wilcox <robwilcoxjr@gmail.com>
Wed, 11 Aug 2021 23:36:17 -0700

Mesa County is in Western Colorado with the county seat in the city of Grand Junction. Colorado is one of the states that use vote my mail. They use Dominion Systems ballot design, scanners, and tabulation software. Dominion is based in Denver and 62 of 64 Colorado use their systems.

Vote-by-mail is one of the most secure vote tabulation systems. The paper ballots are an enduring record that can be recounted.

The Mesa County Attorney General has launched a criminal investigation of the leak of passwords used for the systems in Mesa County. The Colorado Secretary of State is investigating.

The passwords were spread by a central 8Chan/QAnon figure to the GatewayPundit blog.

Dominion was and continues to be the target of conspiracy theories of election rigging in the 2020 race. As a result, Dominion is suing media outlets FOX, OAN, Newsmax and individuals for defamation.

I led the early Computer Professionals for Social Responsibility (CPSR) project on the security and reliability of elections systems. (PGN has been a central motivating force since those early beginnings. Thanks!)

Elections systems employ overlapping test, audit, chains of custody, employee trust, verification and transparency - human methods, to complement technical methods.

Here, the access logs, physical security, surveillance, and audit trails are being employed to find the source of the purloined passwords, any subsequent systems security breaches, and the involvement of elections professionals.

Such attacks can result in voters distrusting results of elections. We will have to work harder to explain our continuing work in trustworthy vote counting.

One of the great challenges from that early CPSR work, beginning about 1987-88, was to maintain an objective and factual tone when conspiracy theories motivated some of our volunteers.

We look forward to the complete documentation resulting from the investigation.

https://www.9news.com/article/news/local/next/mesa-clerk-passwords-voting-equipment-security-breach-colorado/73-5fce900e-8e45-491a-a86e-71b2c5da98a2 https://denver.cbslocal.com/2021/08/11/mesa-county-voting-system-passwords/ https://coloradosun.com/2021/08/11/tina-peters-mesa-county-passwords-breach/


Why you should care about Zoom's $85m privacy lawsuit (Ars Technica)

geoff goodfellow <geoff@iconia.com>
Thu, 12 Aug 2021 14:32:19 -1000

Zoom has agreed to pay an $85 million settlement <https://arstechnica.com/tech-policy/2021/08/zoom-to-pay-85m-for-lying-about-encryption-and-sending-data-to-facebook-and-google/> after falsely claiming calls were protected with end-to-end encryption and for handing over people's data to Facebook and Google without their consent. This is the latest development in a list of privacy and security issues faced by the video platform that we first wrote about back in March 2020 <https://protonmail.com/blog/zoom-privacy-issues/>.

Why Zoom has agreed to an $85 million settlement

In March 2020, The Intercept reported <https://theintercept.com/2020/03/31/zoom-meeting-encryption/> that Zoom had lied about the encryption used for their video calls. In short, the video communication service claimed that it used end-to-end encryption when it did not. Around the same time, Vice reported <https://www.vice.com/en/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account> that Zoom was also sharing user data with companies, including Facebook and Google, without consent. (Zoom has since fixed <https://blog.zoom.us/zoom-use-of-facebook-sdk-in-ios-client/> these data-sharing practices.)

Zoom also had some major security issues, including default settings that allowed online trolls to take over public calls in an act known as “Zoombombing”, and vulnerabilities that allowed hackers to access people's webcams <https://arstechnica.com/information-technology/2019/07/zoom-makes-it-too-easy-for-hackers-to-access-webcams-heres-what-to-do/>. For more information on Zoom's privacy and security issues, you can read our full breakdown <https://protonmail.com/blog/zoom-privacy-issues/>.

The Federal Trade Commission filed a complaint against Zoom <https://www.ftc.gov/news-events/press-releases/2020/11/ftc-requires-zoom-enhance-its-security-practices-part-settlement> in November 2020 after The Intercept exposed these holes in Zoom's service. As a result, Zoom agreed to security improvements and a “prohibition on privacy and security misrepresentations”. Now, on 7 July 2021, Zoom has also agreed to pay an $85 million settlement, including compensation for those who were affected by these security shortcomings. People who are entitled to compensation will receive between just $15 and $25 each if the settlement is approved in court.

The maximum compensation of $25 doesn't reflect the extent to which Zoom misled the people who used its services, nor the gravity of the potential consequences of doing so. Is this proposed settlement enough to make tech companies start taking user privacy and security seriously? And what can we do to better protect our data?. […] https://protonmail.com/blog/zoom-85-million-settlement/


Re: Chair moved to clean in control room, bumps switch, shutting reactor in Taiwan (RISKS-32.81)

“積丹尼 Dan Jacobson” <jidanni@jidanni.org>
Thu, 12 Aug 2021 03:43:18 +0800

Going beyond https://www.youtube.com/watch?v=8pjhJz3vQZc , the authorities say a chair flipped the switch, but legislators say there is no way that chair could have flew up and reached the switch. And the power company said no video is kept, due to “worker privacy issues.”

So somebody is 烏白講 (黑白講) (telling tall tales.)

Maybe some international investigation is needed to find out why the reactor got shut.

All in Chinese. But do look at the photos: https://www.mirrormedia.mg/story/20210810edi028/ https://www.facebook.com/NuclearMythbusters/posts/1692435327610706 https://udn.com/news/story/7238/5662400 https://www.chinatimes.com/realtimenews/20210810004096-260407 https://www.setn.com/News.aspx?NewsID=980104 https://www.youtube.com/watch?v=_0F3Mm1u4XE (discussion, Chinese.)


Re: Apple to Scan iPhones for Child Sex Abuse Images (RISKS-32.81)

Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
Sun, 8 Aug 2021 14:36:53 -0700

https://www.lightbluetouchpaper.org/2021/08/08/is-apples-neuralmatch-searching-for-abuse-or-for-people/


Re: Cyber-attack against steering of ships? (RISKS-32.81)

“R A Lichtensteiger” <rali@tifosi.com>
Sun, 8 Aug 2021 00:44:53 -0400
> Smells like a cyber-attack

> The six vessels announced around the same time via their Automatic
> Identification System trackers that they were “not under command,” according
> to MarineTraffic.com. That typically means a vessel has lost power and can
> no longer steer.

This is the key paragraph. It was not a cyberattack on the vessels, it was a data spoofing attack on the website that presents AIS data.

There have been a spate of such attacks on MarineTraffic.com and similar sites over the past years. In no way do these attacks impact actual safe navigation of the vessels involved. AIS transmission is short range VHF radio and displays on other vessels (typically) on their navigation systems (GPS chartplot).

What you see on MarineTraffic et al. is VHF AIS signals picked up by various sources and then pushed into their servers.

Most interestingly, a number of those spoofs have involved warships:

https://www.wired.com/story/fake-warships-ais-signals-russia-crimea/

>  “At the same time, if they are in the same vicinity and in the same place,
>  then very rarely that happens,” said Ranjith Raja, an oil and shipping
>  expert with data firm Refintiv. “Not all the vessels would lose their
>  engines or their capability to steer at the same time.”

Not much of an expert if he wasn't aware of AIS spoofing (and some piss poor journalism, to boot).


Re: DRM item with an Unreadable Button

“David E. Ross” <david@rossde.com>
Sun, 8 Aug 2021 12:46:02 -0700

RISKS-32.81 had the item “DRM on hand power tools”, which contained a link to the full TechDirt article. When I selected the article, there was a banner across the bottom that said “This site, like most other sites on the web, uses cookies. For more information, see our privacy policy.” At the right of the banner was a rectangle. Only after I disabled the Web page's colors did I see that the rectangle was a button to dismiss the banner.

The button was pale orange. The “GOT IT” text in the button was white, which made it invisible against the pale orange. Obviously, no one at TechDirt understands basic principles of Web design.


Re: Reading Race: A Remarkable AI/ML Achievement (RISKS-32.81)

“Pavlovic, Michal” <Michal.Pavlovic@newayselectronics.com>
Mon, 9 Aug 2021 12:25:07 +0000

The medical AI system learned to recognize the self-reported racial identity of medical patients by analyzing their X-rays(!). Even more remarkable, it has thus far proven infeasible to discover how it does so, in part because humans are unable to perform the same feat.

If it has proven infeasible, it is matter of money or bad documentation, but either is risky of course.

Please report problems with the web pages to the maintainer

x
Top