RISKS-LIST: Risks-Forum Digest  Thursday 20 December 2018  Volume 30 : Issue 97

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.97>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Several approaches to resolve the Emacs/UTF-8/mailer problems.
Sneaky parrot uses Amazon Alexa to shop while owner is away (WFLA)
The GPS wars are here (Foreign Policy)
Both engines on Virgin Australia ATR 72 "flame out" (SMH)
Drone shatters passenger jet's nose-cone, radar (RT)
Uber exec warned of rampant safety problems before fatal crash (Ars Technica)
Ingestible Capsule Can Be Controlled Wirelessly (MIT News)
How a National Security Investigation of Huawei Set Off an International Incident (NYTimes)
Apache Misconfig Leaks Data on 120 Million Brazilians (InfoSecurity)
"Market volatility: Fake news spooks trading algorithms" (Tom Foremski)
"Rhode Island sues Google after latest Google+ API leak" (Catalin Cimpanu)
New Zealand courts banned naming Grace Millane's accused killer; Google just emailed it out. (The Guardian)
Iranian phishers bypass 2fa protections offered by Yahoo Mail and Gmail (Ars Technica)
Turning on 2FA potentially harmful (Toby Douglass)
Top 10 worst password FAILS of 2018 (CSO)
She'd just had a stillborn child. Tech companies wouldn't let her forget it (Chris Matyszczyk)
Thousands of Jenkins servers will let anonymous users become admins (Catalin Cimpanu)
"Bing recommends piracy tutorial when searching for Office 2019" (Catalin Cimpanu)
"Big Brother is driving with you!" (Rob Hull)
Delivery robot bursts into flames at UC Berkeley, students hold it a vigil (SanFranChronicle)
Re: Your apps know where you were last night, and they're not (Kelly Bert Manning)
Re: Rudy Giuliani Says Twitter Sabotaged His Tweet (Kurt Seifried)
Re: What Happens When You Reply All to 22,000 State Workers (Amos Shapir)
Re: Annoyed Baltimore Drivers Want City To Crack Down On `Squeegee Kids' (Richard M Stein, John R. Levine, David Waitzman)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 17 Dec 2018 16:52:35 -0500
From: Gabe Goldberg <[email protected]>
Subject: Sneaky parrot uses Amazon Alexa to shop while owner is away (WFLA)

TAMPA, Fla. (WFLA) - A foul-mouthed parrot, who was kicked out of an animal sanctuary for swearing too much, is using technology to cause even more trouble.

The Times of London reports Rocco, an African grey, has been using Amazon Alexa to shop online while his owner was away.

His owner, Marion Wis[c]hnewski told the newspaper she was shocked to find that her Amazon account suddenly had pending orders for various snacks, including watermelon and ice cream and also a kettle.

“I have to check the shopping list when I come in from work and cancel all the items he's ordered,” Wischnewski told *The Daily Mail*.

https://www.wfla.com/news/viral-news/sneaky-parrot-uses-amazon-alexa-to-shop-while-owner-is-away/1662596515

  [Coyly, that case is the ``real macaw'' (at least in English-speaking idioms, but perhaps not in Macao). However, it reminds me of several very funny parroting jokes -- one that makes sense only when told in German, one about a seemingly very devout parrot who surprisingly turns foul-mouthed, and more. Best wishes for some Holiday Cheer! PGN]

------------------------------

Date: Tue, 18 Dec 2018 11:12:22 -0500
From: Gabe Goldberg <[email protected]>
Subject: The GPS wars are here (Foreign Policy)

The problem first hit during Russia's September 2017 Zapad military exercise in its western regions, near the Baltic states. Then it happened again in October during NATO’s Trident Juncture exercise, held in Norway. GPS signals across far northern Norway and Finland failed. Civilian airplanes were forced to navigate manually, and ordinary citizens could no longer trust their smartphones.

https://foreignpolicy.com/2018/12/17/the-gps-wars-are-here/

------------------------------

Date: Tue, 18 Dec 2018 20:08:03 +0000
From: John Colville <[email protected]>
Subject: Both engines on Virgin Australia ATR 72 "flame out" (SMH)

https://www.smh.com.au/national/virgin-australia-under-investigation-after-engines-flame-out-during-landing-20181218-p50n22.html

Virgin Australia is under investigation after two engines on one of its aircraft "flamed out" during descent and had to be manually re-ignited before the aircraft hit the tarmac.

The incident, which involved an ATR 72 twin-engine turboprop aircraft en route from Sydney to Canberra on December 13, has been categorised as "serious" by the Australian Transport Safety Bureau (ATSB).

------------------------------

Date: Fri, 14 Dec 2018 13:34:16 -1000
From: the keyboard of geoff goodfellow <[email protected]>
Subject: Drone shatters passenger jet's nose-cone, radar (RT)

Imagine if that goes through a window or an engine.

https://www.rt.com/news/446416-plane-drone-collision-mexico/

------------------------------

Date: Tue, 18 Dec 2018 16:47:16 -0500
From: Gabe Goldberg <[email protected]>
Subject: Uber exec warned of rampant safety problems before fatal crash (Ars Technica)

"They told me incidents like that happen all of the time," whistleblower wrote.

https://arstechnica.com/tech-policy/2018/12/uber-exec-warned-of-rampant-safety-problems-days-before-fatal-crash/

------------------------------

Date: Mon, 17 Dec 2018 11:17:19 -0500
From: ACM TechNews <[email protected]>
Subject: Ingestible Capsule Can Be Controlled Wirelessly (MIT News)

Anne Trafton, MIT News, 13 Dec 2018, via ACM TechNews, 17 Dec 2018

Researchers at the Massachusetts Institute of Technology (MIT) and Brigham and Women's Hospital have designed an ingestible capsule that can be controlled wirelessly via Bluetooth. The three-dimensionally-printed capsules, which can be customized to dispatch drugs, sense environmental conditions, or both, can remain in the stomach for at least a month, transmitting information and responding to instructions from a smartphone. The capsules also could be used to communicate with other wearable and implantable devices, transmitting their pooled information to the patient or doctor's smartphone. Within the capsule is a device with six arms that fold up before encasement; once swallowed, the capsule dissolves and the arms expand so the device can lodge in the stomach. Said former MIT postdoc Yong Lin Kong, "The self-isolation of wireless signal strength within the user's physical space could shield the device from unwanted connections, providing a physical isolation for additional security and privacy protection."

https://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1d946x2192dfx068970%26

  [Risks in ingested capsules? They are not "in jest". Compromised 3-D printing instructions? sharp arms? embedded transmitters? monitoring? interference with brain signals? doping? absorbable toxins triggered remotely? And others left to your imaginations. PGN]

------------------------------

Date: Fri, 14 Dec 2018 22:46:03 -0500
From: Monty Solomon <[email protected]>
Subject: How a National Security Investigation of Huawei Set Off an International Incident (NYTimes)

https://www.nytimes.com/2018/12/14/business/huawei-meng-hsbc-canada.html

The chief financial officer was arrested after a years-long American inquiry into the Chinese telecommunications company.

------------------------------

Date: Fri, 14 Dec 2018 23:18:35 -0500
From: Monty Solomon <[email protected]>
Subject: Apache Misconfig Leaks Data on 120 Million Brazilians (InfoSecurity)

https://www.infosecurity-magazine.com/news/apache-misconfig-leaks-data-120/

------------------------------

Date: Thu, 13 Dec 2018 09:00:56 -0800
From: Gene Wirchenko <[email protected]>
Subject: "Market volatility: Fake news spooks trading algorithms" (Tom Foremski)

ZDnet, 10 Dec 2018
Stock trading algorithms know how to read news headlines, but they don't know what's real.
https://www.zdnet.com/article/market-volatility-fake-news-spooks-trading-algorithms/

selected text:

Fake news and inaccurate headlines may have contributed to recent stock market volatility, as trading algorithms try to interpret market-related news.

Hugh Son, at CNBC reported that in a note written to clients by J.P. Morgan Chase's top quant, Marko Kolanovic, blamed a media landscape that's a mix of real and fake news, which makes it easy for others to amplify negative news. The effects can be seen that, in spite of a booming economy and positive signals, the markets are reacting strongly to this mix of negative news.

High-speed trading algorithms scan news stories to try and quickly determine if there is any market-moving information that affects their portfolios. It doesn't give them much time to determine which news stories are real. For example, a few years ago stock trading algorithms were buying Berkshire Hathaway stock because actress Anne Hathaway was in the news with a new movie.

------------------------------

Date: Thu, 13 Dec 2018 08:57:02 -0800
From: Gene Wirchenko <[email protected]>
Subject: "Rhode Island sues Google after latest Google+ API leak" (Catalin Cimpanu)

ZDNet, 12 Dec 2018
Google sued within a day after announcing latest Google+ API leak.
https://www.zdnet.com/article/rhode-island-sues-google-after-latest-google-api-leak/

opening text:

A day after Google announced a Google+ API leak that could have exposed the personal information of over 52.5 million users, a Rhode Island government entity filed a class-action lawsuit in a California court.

------------------------------

Date: Wed, 12 Dec 2018 20:36:55 -1000
From: geoff goodfellow <[email protected]>
Subject: New Zealand courts banned naming Grace Millane's accused killer; Google just emailed it out. (The Guardian)

That one of the world's biggest companies rides roughshod over a court order tells you all you need to know about the giants of Silicon Valley

EXCERPT:

Imagine if a media company told you the name of the man accused of killing Grace Millane. Imagine if, in defiance of a very clear court ruling of interim name suppression, that company told you his name in an email -- spelling it out, even, in the subject header. Unthinkable? That's exactly what happened in the early hours of Tuesday.

The media company wasn't (New Zealand's) the Herald or Stuff. It wasn't TVNZ or Newshub or RNZ. New Zealand media outlets, from the hobbyist bloggers to the biggest broadcasters, respected the proscription on naming the accused. Of course they did: they understand consequences for breaching such an order, and in fact spend significant time and resource policing their social media channels to ensure their audience doesn't breach suppression either. Not just because the courts would take action against them for doing so. They understand, too, that it would be morally odious to do so: it could risk damaging the course of justice in an appalling murder that has left a family distraught and sent waves of grief and upset through the country.

The company that paid precisely zero heed to all that is a media and technology corporation from Silicon Valley. A global colossus against which all of New Zealand's media companies combined amount to a dim pixel. The company is Google.

Shortly after midnight on Tuesday this week, it delivered to everyone signed up to its `what's trending in New Zealand' email the name of the 26-year-old accused of the most headlined crime in this country in 2018...

https://www.theguardian.com/world/2018/dec/13/new-zealand-courts-banned-naming-grace-millanes-accused-killer-google-just-emailed-it-out

------------------------------

Date: Thu, 13 Dec 2018 14:48:52 -0800
From: Lauren Weinstein <[email protected]>
Subject: Iranian phishers bypass 2fa protections offered by Yahoo Mail and Gmail (Ars Technica)

(via NNSquad)

"In other words, they check victims' usernames and passwords in realtime on their own servers, and even if 2 factor authentication such as text message, authenticator app or one-tap login are enabled they can trick targets and steal that information too," Certfa Lab researchers wrote.

https://arstechnica.com/information-technology/2018/12/iranian-phishers-bypass-2fa-protections-offered-by-yahoo-mail-and-gmail/

Avoid using text messaging as a second factor whenever possible!

------------------------------

Date: Mon, 17 Dec 2018 19:52:37 +0200
From: Toby Douglass <[email protected]>
Subject: Turning on 2FA potentially harmful

When you make an account with a username, email address and password, it's usual that a verification email is sent. If the password is later lost, it is again an email which is used to send the password reset link, so here we see the mechanism to make the account is the mechanism to recover the account. If you can make the account, then you possess the means to recover the account.

Two factor authentication when enabled guarantees that the person attempting to log in knows the username, email, password and possesses the 2FA device. If the device is lost, email cannot be used for recovery, because then both the password and device can be compromised by access to the email address.

The question then is how to recover from loss of the 2FA device, and there is no obviously easy way. It actually seems to come down to methods to obtain a partial or full proof of identity - something, critically, which was *not* required to *enable* 2FA.

It is then that the mechanisms to activate and to recover 2FA are not the same, and so it can be one works while the other does not, and so it can be that 2FA is activated, but does not work, and cannot be recovered because the provided mechanisms do not or cannot work, which means the account is inaccessible.

Turning on 2FA can be in and of itself a risk.

(As you gentle reader may have guessed, this is what happened today, with Amazon. In the light of the recent kernel.org DNS hijack, I activated 2FA on my Amazon account. 2FA activation worked, but log in to Amazon did not, and both the 2FA resync and account recovery pages seemed broken server-side ("internal error"), and 2FA support is only available in the form of Amazon phoning you, and I cannot currently be phoned. I thought then to try my luck with AWS rather than Amazon, log in failed still but the resync page on AWS worked, and having worked, I could log into both retail Amazon and AWS. If AWS resync also had not worked, I would now be locked out of my account.)
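The activation-versus-recovery mismatch described in the post above, modelled as an added Python example (this is not code from the post, from Amazon or from AWS): TOTP per RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) with the design a defender would want, namely that 2FA is only enforced once the device has produced a valid code, and that single-use recovery codes are issued in that same step so the means of activation and the means of recovery are created together. `Account`, `begin_enrollment`, `confirm_enrollment`, `second_factor_ok` and `recoverable_without_device` are hypothetical names chosen for the example.

```python
import hashlib
import hmac
import secrets
import struct
from typing import List, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, submitted: str, now: int, step: int = 30) -> bool:
    """Accept the current step and one step either side to absorb clock drift."""
    if not (submitted.isascii() and submitted.isdigit()):
        return False
    candidates = [totp(secret, now + k * step, step) for k in (-1, 0, 1)]
    return any(hmac.compare_digest(c, submitted) for c in candidates)


class Account:
    """Hypothetical account model: 2FA is enforced only after confirmation."""

    def __init__(self) -> None:
        self.pending_secret: Optional[bytes] = None  # issued, not yet proven
        self.totp_secret: Optional[bytes] = None     # enforced at login
        self.recovery_hashes: set = set()            # sha256 of unused codes

    def begin_enrollment(self) -> bytes:
        # The secret is handed to the authenticator app, but 2FA is NOT yet
        # enforced: an enrollment that stops here must not lock anyone out.
        self.pending_secret = secrets.token_bytes(20)
        return self.pending_secret

    def confirm_enrollment(self, code: str, now: int) -> List[str]:
        # Activation and recovery are created in one step: the user proves the
        # device works, and receives single-use recovery codes at the same time.
        if self.pending_secret is None or not verify_totp(self.pending_secret, code, now):
            raise ValueError("device not confirmed; 2FA stays off")
        self.totp_secret, self.pending_secret = self.pending_secret, None
        codes = [secrets.token_hex(5) for _ in range(8)]
        self.recovery_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes

    def second_factor_ok(self, submitted: str, now: int) -> bool:
        # Login path: a live TOTP code or one unused recovery code.
        if self.totp_secret is None:
            return True  # 2FA not (yet) enforced
        if verify_totp(self.totp_secret, submitted, now):
            return True
        h = hashlib.sha256(submitted.encode()).hexdigest()
        if h in self.recovery_hashes:
            self.recovery_hashes.discard(h)  # each recovery code works once
            return True
        return False

    def recoverable_without_device(self) -> bool:
        # The check the post asks for: does an account with 2FA enforced still
        # have a recovery path that depends neither on the device nor on a phone call?
        return self.totp_secret is None or bool(self.recovery_hashes)


if __name__ == "__main__":
    acct = Account()
    secret = acct.begin_enrollment()
    codes = acct.confirm_enrollment(totp(secret, 1_545_000_000), 1_545_000_000)
    print("2FA enforced:", acct.totp_secret is not None, "recovery codes:", len(codes))
```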
------------------------------

Date: Fri, 14 Dec 2018 23:21:54 -0500
From: Monty Solomon <[email protected]>
Subject: Top 10 worst password FAILS of 2018 (CSO)

https://www.csoonline.com/article/3326830/security/top-10-worst-password-fails-of-2018.html

------------------------------

Date: Thu, 13 Dec 2018 09:09:47 -0800
From: Gene Wirchenko <[email protected]>
Subject: She'd just had a stillborn child. Tech companies wouldn't let her forget it (Chris Matyszczyk)

Technically Incorrect, ZDnet, 13 Dec 2018
A woman pleads with tech companies like Facebook and Twitter to stop serving her ads to intensify her grief.
https://www.zdnet.com/article/shed-just-had-a-stillborn-child-tech-companies-wouldnt-let-her-forget-it/

  [A summary would not do this article justice. GW]

------------------------------

Date: Sun, 16 Dec 2018 16:13:41 -0800
From: Gene Wirchenko <[email protected]>
Subject: Thousands of Jenkins servers will let anonymous users become admins (Catalin Cimpanu)

ZDNet, 16 Dec 2018
Two vulnerabilities discovered and patched over the summer expose Jenkins servers to mass exploitation.
https://www.zdnet.com/article/thousands-of-jenkins-servers-will-let-anonymous-users-become-admins/

------------------------------

Date: Sun, 16 Dec 2018 16:09:44 -0800
From: Gene Wirchenko <[email protected]>
Subject: "Bing recommends piracy tutorial when searching for Office 2019" (Catalin Cimpanu)

ZDNet, 14 Dec 2018
Oh, Bing! Not again!
https://www.zdnet.com/article/bing-recommends-piracy-tutorial-when-searching-for-office-2019/

opening text:

Microsoft is sending users who search for Office 2019 download links via its Bing search engine to a website that teaches them the basics about pirating the company's Office suite.

This happens every time users search for the term "office 2019 download" on Bing. The result is a Bing search card (highlighted search results) that links to a piracy tutorial.

------------------------------

Date: Sun, 16 Dec 2018 19:55:10 +0000
From: Chris Drewe <[email protected]>
Subject: "Big Brother is driving with you!" (Rob Hull)

Thisismoney.co.uk, Daily Mail, 5 Dec 2018

Item in newspaper seen this week. There's a lot of debate about driverless vehicles, but how much control will drivers still be allowed to have? And what about older cars (mine was made in 1988) -- will they just be banned, or only allowed on the roads under strict supervision?

https://www.dailymail.co.uk/money/cars/article-6462429/All-new-cars-fitted-black-box-devices-log-speed.html

Big Brother is driving with you! All new cars could be fitted with black boxes to log speed and systems to slow them automatically under EU proposals

* The European Council has called for all cars to have data loggers fitted by law
* These would be able to record speed and which safety features were activated before, during and after a collision
* Proposals also want new cars to have intelligent speed assistance systems and pre-wiring so an in-car breathalyser can be installed
* Other requirements for new cars could include lane assist and fatigue monitors

------------------------------

Date: Sun, 16 Dec 2018 11:46:43 -0500
From: Tom Van Vleck <[email protected]>
Subject: Delivery robot bursts into flames at UC Berkeley, students hold it a vigil (SanFranChronicle)

*The San Francisco Chronicle* website:
https://www.sfgate.com/bayarea/article/Delivery-robot-catches-fire-at-UC-Berkeley-13470063.php

hmm.

  [The amount needed to pony up must have been a Vigil-ante. PGN]

------------------------------

Date: Fri, 14 Dec 2018 18:54:09 -0500
From: Kelly Bert Manning <[email protected]>
Subject: Re: Your apps know where you were last night, and they're not keeping it secret (NYTimes)

If memory serves me correctly, back in the 1950s and 1960s we were told that one of the freedoms we enjoyed in the "Free West" was not having to constantly carry Internal Passports to be produced on demand by police and other officials. Sounded like a Killer Argument to me.

What a change. Even if you don't carry an electronic ball and chain your movements could be tracked by licence plate scanners or by facial recognition. Seems more and more like Moscow or Beijing during the Cold War to me.

Greyhound recently ceased operation in Western Canada, but the last time I used it in 2005 I saw someone being released from handcuffs after Vancouver Police decided that him giving the same name as a fugitive to the bus ticket agent was just a coincidence.

I have never had a personal wireless digital device, so the main exposure would probably be if I bought a new automobile with some sort of wireless "feature / vulnerability". I would like to see wireless access in autos made modular, pull the module and carry on without it. Connect a plug to the engine interface for diagnosis and firmware updating.

I use 100 Mbps wired ethernet for my home network, not WiFi. At home web pages ask permission to find the location of my PC. I just say NO.

I have a used laptop with wireless that started out with XP Professional, but it usually boots with Linux. For the 2015 Victoria Privacy and Security conference one of the presenters did the usual live demonstration of a Pineapple type attack. I mentioned my laptop during the Q&A session, and the fact that I had booted it with Tails from an optical disk instead of Linux from the hard drive. Such conferences are places where someone might see a challenge or an opportunity. An IBM employee gave up a phone number to Kevin Mitnick for a demo of caller ID spoofing during a previous conference.

Back when I had to carry a work phone I turned off the WiFi and GPS to make the battery life last longer. I am aware that GPS can be turned on again problematically. Calling 911 turns on GPS if it has been disabled.

Our current auto is more than 10 years old and lacks that "feature". At least the e-trike I bought in 2016 does not have wireless, although it does have a USB port for powering a wireless or other device.

https://www.youtube.com/watch%3Fv%3D1xbPm01fWHM

------------------------------

Date: Wed, 12 Dec 2018 22:22:04 -0700
From: Kurt Seifried <[email protected]>
Subject: Re: Rudy Giuliani Says Twitter Sabotaged His Tweet (Shapir, 30.96)

In all the twitter clients/web interface I use, if I type text it is black, until twitter or the client make it a link and then it's blue. Just like in literally every GUI piece of software I've used for 20+ years that auto-creates hyperlinks based on what you type. If you are typing text and some of it turns blue... it's probably because it's now a hyperlink. Attach it as a text file.

------------------------------

Date: Sat, 15 Dec 2018 11:26:33 +0200
From: Amos Shapir <[email protected]>
Subject: Re: What Happens When You Reply All to 22,000 State Workers (RISKS-30.96)

This looks less like a case of recipients using "Reply to All" -- which is the default mode in many mailers, making mistakes unavoidable -- and more a case of senders who do not know how to use "Bcc" when sending to a large list of recipients.

------------------------------

Date: Thu, 13 Dec 2018 12:57:32 +0800
From: Richard M Stein <[email protected]>
Subject: Re: Annoyed Baltimore Drivers Want City To Crack Down On 'Squeegee Kids' (Levine, RISKS-30.06)

John -- You might be right: the AV idles until the way forward is obstacle-free. We'll have to wait this trolley problem outcome. Alternatively, Waymo in Chandler, AZ could share a live scenario demo with the world to prove that "My Mother the Car" is sharp enough to respectfully manage hostile pedestrian interaction.

I'd put my money on the vehicle occupants, if present, to issue one or more verbal command overrides or set a new destination with their hailing application if the squeegee crew acts aggressively. If AV is payload empty, an infinite standoff might manifest at the intersection/stop point...or not -- low fuel or diminished reserve power-level might compel AV return to depot to refuel rather than exhaust reserves and wait AAA for a tow.

Suppose the AV is stuck due to obstacles that shuffle around it and otherwise impede forward motion -- and possibly at a controlled intersection or behind another vehicle. I wonder if it'll try to rabbit should the signal light change to green or remain neutralized until obstacles clear? Possibly, AV depot control will sense a "help me I am stuck" signal and call the cops to intervene and run the squeegees off?

------------------------------

Date: 13 Dec 2018 08:28:23 -0500
From: "John R. Levine" <[email protected]>
Subject: Re: Annoyed Baltimore Drivers Want City To Crack Down On 'Squeegee Kids' (Stein, RISKS-30.97)

Having been in NYC when it had squeegee guys, this isn't the trolley problem. They dart out when the light is red, they don't deliberately block traffic, since that would get them arrested instantly.

------------------------------

Date: Sun, 16 Dec 2018 15:51:37 -0500
From: David Waitzman <[email protected]>
Subject: Re: Annoyed Baltimore Drivers Want City To Crack Down On 'Squeegee Kids' (npr.org)

I would not feel safe, in Baltimore particularly, of rolling down my car windows for a squeegee kid nor anyone else. Jacquelyn Smith was killed on December 1st in Baltimore when she "and her husband saw a woman asking for money. She rolled down her car window to hand over some cash when her husband said a man approached the car, reached inside to try to take Smith’s purse and necklace before stabbing her. She later died at the hospital."

https://www.baltimoresun.com/news/maryland/crime/bs-md-ci-jacquelyn-smith-funeral-20181213-story.html

------------------------------

Date: Tue, 5 May 2018 11:11:11 -0800
From: [email protected]
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to [email protected] with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks have done to URLs. I have tried to extract the essence.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.97
************************
