Risks Digest 31.32

    From RISKS List Owner@21:1/5 to All on Fri Jul 5 18:31:44 2019
    RISKS-LIST: Risks-Forum Digest Friday 5 July 2019 Volume 31 : Issue 32

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/31.32>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    FDA recalls insulin pumps because of wireless vulnerability
    FAA Flags New Computer Issue In 737 MAX Testing
    In the Census Case, a Rebuke to Bad-Faith Government
    U.S. Census at risk from glitches and attackers (Chris Hamby)
    Could 'fake text' be the next global political threat?
    Someone Is Spamming and Breaking a Core Component of PGP's Ecosystem
    7-Eleven Japanese customers lose $500,000 due to mobile app flaw
    Google Maps detour traps drivers in mud
    "How Hackers Turn Microsoft Excel's Own Features Against It"
    Microsoft Kills Automatic Registry Backups in Windows 10
    Cloudflare stutters and the Internet stumbles (ZDNet)
    Superhuman is Spying on You
    Attention Correction Feature in iOS 13 Beta Enables Appearance of Eye Contact During FaceTime Calls (MacRumors)
    China Is Forcing Tourists to Install Text-Stealing Malware at its Border (Vice)
    Line just went Orwellian on Japanese users with its social credit scoring system
    These are the sneaky new ways that Android apps track you
    Re: Autonomous vehicles don't need provisions and protocols
    Mobius: A Memoir (Richard Thieme)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 5 Jul 2019 14:25:04 -0700
    From: Paul Burke <box1320@gmail.com>
    Subject: FDA recalls insulin pumps because of wireless vulnerability

    https://www.fda.gov/news-events/press-announcements/fda-warns-patients-and-health-care-providers-about-potential-cybersecurity-concerns-certain

    I wish more products were recalled for cybersecurity vulnerabilities.

    "The potential risks are related to the wireless communication between
    Medtronic's MiniMed insulin pumps and other devices such as blood glucose
    meters, continuous glucose monitoring systems, the remote controller and
    CareLink USB device used with these pumps. The FDA is concerned that, due to
    cybersecurity vulnerabilities identified in the device, someone other than a
    patient, caregiver or health care provider could potentially connect
    wirelessly to a nearby MiniMed insulin pump and change the pump's settings.
    This could allow a person to over deliver insulin to a patient, leading to
    low blood sugar (hypoglycemia), or to stop insulin delivery, leading to high
    blood sugar and diabetic ketoacidosis (a buildup of acids in the blood)...

    "Medtronic is unable to adequately update the MiniMed 508 and Paradigm
    insulin pumps with any software or patch to address the devices' vulnerabilities...

    "The FDA, an agency within the U.S. Department of Health and Human Services, protects the public health by assuring the safety, effectiveness, and
    security of... medical devices. The agency also is responsible for the
    safety and security of our nation's food supply, cosmetics, dietary supplements, products that give off electronic radiation"

    [Gabe Goldberg noted Hackable Insulin Pumps https://securityboulevard.com/2019/07/more-medtronic-hack-malarkey-this-time-its-insulin-pumps/
    PGN]

    ------------------------------

    Date: Thu, 27 Jun 2019 8:10:54 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: FAA Flags New Computer Issue In 737 MAX Testing

    Sean Broderick, *Aviation Week*, 26 Jun 2019

    https://aviationweek.com/penton_ur/nojs/user/register?path=node/1963138&nid=1963138&source=email
    See also https://www.bbc.com/news/business-48752932

    ------------------------------

    Date: Thu, 27 Jun 2019 11:22:19 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: In the Census Case, a Rebuke to Bad-Faith Government

    https://www.nytimes.com/2019/06/27/opinion/census-question-supreme-court.html

    *The New York Times*, Editorial Board, 27 Jun 2019

    The Supreme Court noted a disconnect between the Trump administration's
    stated reason for including a citizenship question on the census form and
    the actual rationale for doing so.

    In a win for good government, the Supreme Court on Thursday refused to give
    its full imprimatur to the Trump administration's irresponsible decision to
    add a citizenship question to the 2020 census form. [...]

    ------------------------------

    Date: Fri, 5 Jul 2019 14:27:46 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: U.S. Census at risk from glitches and attackers (Chris Hamby)

    Chris Hamby, *The New York Times*, 5 Jul 2019 [PGN-ed]
    https://www.nytimes.com/2019/07/03/us/2020-census-digital.html

    The Census Bureau had turned to Amazon Web Services for computing power
    and digital storage, but discovered that access credentials had been "lost"
    -- potentially allowing completely uncontrolled access. That vulnerability
    has now purportedly been fixed, but risks seem to remain.

    ``If you wanted to provoke fears among the population as to how the census
    data could be used, the American population is fertile ground right now for
    conspiracy theories and manipulation.'' Nathaniel Persily, Stanford Law
    School professor.

    ------------------------------

    Date: July 6, 2019 5:12:33 JST
    From: Dewayne Hendricks <dewayne@warpspeed.com>
    Subject: Could 'fake text' be the next global political threat?
    (Oscar Schwartz)

    [via Dave Farber] 4 Jul 2019

    An AI fake text generator that can write paragraphs in a style based on just
    a sentence has raised concerns about its potential to spread false
    information

    https://www.theguardian.com/technology/2019/jul/04/ai-fake-text-gpt-2-concerns-false-information

    Earlier this month, an unexceptional thread appeared on Reddit announcing
    that there is a new way ``to cook egg white[s] without a frying pan.'' As so
    often happens on this website, which calls itself ``the front page of the
    internet'', this seemingly banal comment inspired a slew of responses.
    ``I've never heard of people frying eggs without a frying pan,'' one
    incredulous Redditor replied. ``I'm gonna try this,'' added another. One
    particularly enthusiastic commenter even offered to look up the scientific
    literature on the history of cooking egg whites without a frying pan.

    Every day, millions of these unremarkable conversations unfold on Reddit, spanning from cooking techniques to geopolitics in the Western Sahara to
    birds with arms. But what made this conversation about egg whites noteworthy
    is that it was not taking place among people, but artificial intelligence
    (AI) bots.

    The egg whites thread is just one in a growing archive of conversations on a
    subreddit -- a Reddit forum dedicated to a specific topic -- that is made up
    entirely of bots trained to emulate the style of human Reddit contributors.
    This simulated forum was created by a Reddit user called disumbrationist
    using a tool called GPT-2, a machine learning language generator that was
    unveiled in February by OpenAI, one of the world's leading AI labs.

    Jack Clark, policy director at OpenAI, told me that chief among these
    concerns is how the tool might be used to spread false or misleading
    information at scale. In a recent testimony given at a House intelligence
    committee hearing about the threat of AI-generated fake media, Clark said he
    foresees fake text being used ``for the production of [literal] `fake news',
    or to potentially impersonate people who had produced a lot of text online,
    or simply to generate troll-grade propaganda for social networks''.

    GPT-2 is an example of a technique called language modeling, which involves
    training an algorithm to predict the next most likely word in a sentence.
    While previous language models have struggled to generate coherent longform
    text, the combination of more raw data -- GPT-2 was trained on 8m online
    articles -- and better algorithms has made this model the most robust yet.

    It essentially works like Google auto-complete or predictive text for
    messaging. But instead of simply offering one-word suggestions, if you prompt
    GPT-2 with a sentence, it can generate entire paragraphs of language in that
    style. For example, if you feed the system a line from Shakespeare, it
    generates a Shakespeare-like response. If you prompt it with a news headline,
    it will generate text that almost looks like a news article.

    Alec Radford, a researcher at OpenAI, told me that he also sees the success
    of GPT-2 as a step towards more fluent communication between humans and
    machines in general. He says the intended purpose of the system is to give
    computers greater mastery of natural language, which may improve tasks like
    speech recognition, which is used by the likes of Siri and Alexa to
    understand your commands; and machine translation, which is used to power
    Google Translate.

    But as GPT-2 spreads online and is appropriated by more people like
    disumbrationist -- amateur makers who are using the tool to create
    everything from Reddit threads, to short stories and poems, to restaurant
    reviews -- the team at OpenAI are also grappling with how their powerful
    tool might flood the internet with fake text, making it harder to know the
    origins of anything we read online.

    Clark and the team at OpenAI take this threat so seriously that when they
    unveiled GPT-2 in February this year, they released a blogpost alongside it
    stating that they weren't releasing the full version of the tool due to
    ``concerns about malicious applications''. (They have since released a
    larger version of the model, which is being used to create the fake Reddit
    threads, poems and so on.)

    ------------------------------

    Date: Fri, 5 Jul 2019 12:10:38 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Someone Is Spamming and Breaking a Core Component of PGP's Ecosystem

    A new wave of spamming attacks on a core component of PGP's ecosystem has highlighted a fundamental weakness in the whole ecosystem.

    https://www.vice.com/en_us/article/8xzj45/someone-is-spamming-and-breaking-a-core-component-of-pgps-ecosystem

    ------------------------------

    Date: Fri, 05 Jul 2019 09:42:37 -0700
    From: Gene Wirchenko <gene@shaw.ca>
    Subject: 7-Eleven Japanese customers lose $500,000 due to mobile app flaw

    Catalin Cimpanu for Zero Day (Jul 4 2019)

    https://www.zdnet.com/article/7-eleven-japanese-customers-lose-500000-due-to-mobile-app-flaw/

    Hackers exploited 7-Eleven's poorly designed password reset function to
    hijack 900 customers' 7pay app accounts and make illegal charges in their
    names (the equivalent of $500,000).

    The incident was caused by an appalling security lapse in the design of the company's 7pay mobile payment app, which 7-Eleven Japan launched in the
    country on Monday, July 1.

    However, in a mind-boggling turn of events, the app contained a password
    reset function that was incredibly poorly designed. It allowed anyone to
    request a password reset for other people's accounts, but have the password
    reset link sent to the requester's own email address instead of the
    legitimate account owner's.

    A hacker only needed to know a 7pay user's email address, date of birth, and
    phone number. An additional field in the password reset section allowed the
    hacker to request that the password reset link be sent to a third-party
    email address (under the hacker's control), with no need to dig through the
    app's code or tamper with HTTP requests, like most of these hacks involve.

    Furthermore, if the user didn't enter their date of birth, the app would use
    a default of January 1, 2019, making some attacks even easier, according to
    a report in Yahoo Japan.
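    [Added example, not part of the ZDNet article and not 7-Eleven's code: a
    toy model of the reset flow as described above, next to a hardened version
    of the same flow. The account records, field names, the token format and
    its lifetime are the editor's assumptions; the 2019-01-01 default comes
    from the Yahoo Japan report cited in the article.]

```python
"""
Toy model of the 7pay password-reset flaw described above, beside a hardened
flow. Editor's example, not 7-Eleven's code; the account records, field names,
token format and token lifetime are assumptions made for illustration.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    email: str
    phone: str
    dob: Optional[str]   # ISO date entered at signup, or None if the user skipped it
    password: str


# Constructed sample data: one account whose owner never entered a date of birth.
ACCOUNTS: Dict[str, Account] = {
    "victim@example.jp": Account("victim@example.jp", "090-0000-0000", None, "hunter2"),
}

DEFAULT_DOB = "2019-01-01"   # server-side default reported by Yahoo Japan


def vulnerable_reset(email: str, dob: str, phone: str, send_to: str) -> Optional[dict]:
    """Flawed flow: the knowledge check rests on guessable data, a missing
    date of birth silently matches the default, and the reset link is mailed
    to whatever address the *requester* supplies."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return None
    if (acct.dob or DEFAULT_DOB) != dob or acct.phone != phone:
        return None
    # BUG: attacker-chosen destination for the reset link.
    return {"to": send_to, "token": secrets.token_urlsafe(16)}


# ---- hardened flow ----------------------------------------------------------
RESET_TTL_SECONDS = 600
_pending: Dict[str, Tuple[str, float]] = {}   # token -> (email, expiry, epoch seconds)


def _eq(a: str, b: str) -> bool:
    # Constant-time comparison so timing does not reveal which field was wrong.
    return hmac.compare_digest(a.encode(), b.encode())


def hardened_reset(email: str, dob: str, phone: str, now: Optional[float] = None) -> Optional[dict]:
    """The link always goes to the address on file; there is no caller-supplied
    destination; an unset date of birth can never satisfy the check. Unknown
    account and failed check both return None, so the reply does not enumerate users."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(email)
    if acct is None or acct.dob is None:
        return None
    if not (_eq(acct.dob, dob) & _eq(acct.phone, phone)):   # '&' so both compares run
        return None
    token = secrets.token_urlsafe(32)
    _pending[token] = (acct.email, now + RESET_TTL_SECONDS)
    return {"to": acct.email, "token": token}


def redeem(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Single-use, time-limited token; the account comes from the server-side
    record bound to the token, never from a client-supplied email."""
    now = time.time() if now is None else now
    entry = _pending.pop(token, None)
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    ACCOUNTS[email].password = new_password
    return True


if __name__ == "__main__":
    # Attacker knows only the victim's email and phone and guesses the default DoB.
    print(vulnerable_reset("victim@example.jp", DEFAULT_DOB, "090-0000-0000", "attacker@example.com"))
    print(hardened_reset("victim@example.jp", DEFAULT_DOB, "090-0000-0000"))
```

    The two properties that matter are that the destination of the link is
    never a request parameter, and that a field the user never filled in is
    treated as "cannot be verified" rather than as a default value. A real
    deployment would also rate-limit reset requests per account and per source
    address, since email, phone number and date of birth are not secrets.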

    ------------------------------

    Date: Wed, 26 Jun 2019 21:12:37 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Google Maps detour traps drivers in mud

    Denver drivers followed Google's detour down a dirt road

    A crash on the main road to Denver's airport led to hour-long delays this
    week. When Google Maps offered a quick detour, nearly a hundred drivers
    were led into trouble.

    https://www.bbc.com/news/av/world-us-canada-48779516/denver-drivers-followed-google-s-detour-down-a-dirt-road

    ------------------------------

    Date: Fri, 28 Jun 2019 9:28:34 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: "How Hackers Turn Microsoft Excel's Own Features Against It"

    Lily Hay Newman, WiReD, 27 Jun 2019 via ACM TechNews; Friday, June 28, 2019

    Researchers at threat intelligence company Mimecast have found that a
    feature in Microsoft's Excel spreadsheet program can be exploited to
    orchestrate Office 365 system hacks. Excel's Power Query permits the
    combination of data from various sources via a spreadsheet, which can be
    manipulated to connect to a malicious Webpage hosting malware. Said
    Mimecast's Meni Farjon, "The exploit will work in all the versions of Excel
    as well as new versions, and will probably work across all operating
    systems, programming languages, and sub-versions, because it's based on a
    legitimate feature." Farjon thinks a Power Query connection to a malicious
    site could enable attacks similar to a Dynamic Data Exchange exploit.
    Meanwhile, Microsoft's security intelligence warns of another Excel hack,
    which uses malicious macros to compromise Windows systems, even with the
    newest security updates.
    https://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-20693x21cae2x069960%26

    ------------------------------

    Date: Thu, 4 Jul 2019 13:22:44 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Microsoft Kills Automatic Registry Backups in Windows 10

    https://www.forbes.com/sites/gordonkelly/2019/06/29/microsoft-windows-10-upgrade-registry-warning-upgrade-windows/#6f92a9b971ef

    https://www.extremetech.com/computing/294290-microsoft-kills-automatic-registry-backups-in-windows-10

    ------------------------------

    Date: Thu, 4 Jul 2019 00:14:16 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Cloudflare stutters and the Internet stumbles (ZDNet)

    An internal Cloudflare problem caused websites to fall bringing some parts
    of the internet to a crawl. ...

    How could this simple mistake cause so many problems? Cloudflare operates an extremely popular content delivery network (CDN). When it works right, its services protect website owners from peak loads, comment spam attacks, and Distributed Denial of Service (DDoS) attacks. When it doesn't work right, well, we get problems like this one.

    https://www.zdnet.com/article/cloudflare-stutters-and-the-internet-stumbles/

    ------------------------------

    Date: Wed, 3 Jul 2019 12:58:21 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Superhuman is Spying on You

    Over the past 25 years, email has weaved itself into the daily fabric of
    life. Our inboxes contain everything from very personal letters, to work
    correspondence, to unsolicited inbound sales pitches. In many ways, they are
    an extension of our homes: private places where we are free to deal with
    what life throws at us in whatever way we see fit. Have an inbox zero
    policy? That's up to you. Let your inbox build into the thousands and only
    deal with what you can stay on top of? That's your business too.

    It is disappointing then that one of the most hyped new email clients,
    Superhuman, has decided to embed hidden tracking pixels inside of the emails
    its customers send out. Superhuman calls this feature Read Receipts consent
    of its recipients, so you have most likely been conditioned to believe it's
    a simple [text garbled]

    https://mikeindustries.com/blog/archive/2019/06/superhuman-is-spying-on-you

    ...FAR too long for the simple point: it's secretly monitoring recipients'
    behavior/locations.
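    [Added example, not from the blog post and not Superhuman's code: a
    heuristic detector for the kind of hidden tracking pixel described above,
    run over a constructed sample message. The tracker hostname, path and the
    size/visibility heuristics are the editor's assumptions.]

```python
"""
Heuristic detector for remote tracking pixels in HTML email, of the kind the
post above describes. Editor's example, not Superhuman's code; the sample
message and the tracker hostname are constructed for illustration.
"""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse


class _ImgCollector(HTMLParser):
    """Collects the attribute dict of every <img> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.images: List[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny_or_hidden(attrs: dict) -> bool:
    """1x1 / 0x0 dimensions or CSS hiding: the shape of a read-receipt beacon."""
    w, h = attrs.get("width", "").strip(), attrs.get("height", "").strip()
    style = attrs.get("style", "").replace(" ", "").lower()
    return (w in ("0", "1") and h in ("0", "1")) \
        or "display:none" in style \
        or ("width:1px" in style and "height:1px" in style)


def find_tracking_pixels(html: str) -> List[Tuple[str, str]]:
    """Return (host, src) for each remotely loaded image that is tiny or hidden.
    Remote images with real dimensions (logos) are not flagged; inline data:
    images are skipped because they cannot phone home when rendered."""
    parser = _ImgCollector()
    parser.feed(html)
    hits: List[Tuple[str, str]] = []
    for img in parser.images:
        src = img.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            continue
        if _is_tiny_or_hidden(img):
            hits.append((urlparse(src).netloc, src))
    return hits


# Constructed sample message; hostname and token are hypothetical.
SAMPLE_EMAIL = """<html><body>
<p>Hi, following up on last week.</p>
<img src="https://cdn.example.com/logo.png" width="120" height="40" alt="logo">
<img src="https://track.example.net/open/abc123.gif" width="1" height="1" style="display:none">
</body></html>"""


if __name__ == "__main__":
    for host, src in find_tracking_pixels(SAMPLE_EMAIL):
        print(f"tracking pixel -> {host}: {src}")
```

    Each fetch of such an image hands the sender the recipient's IP address
    (hence approximate location), client type and the time of every open. A
    detector like this only labels the beacon; the actual defence is a mail
    client that does not load remote images by default, which makes the beacon
    inert regardless of how it is disguised.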

    ------------------------------

    Date: Wed, 3 Jul 2019 16:31:39 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Attention Correction Feature in iOS 13 Beta Enables Appearance of Eye
    Contact During FaceTime Calls (MacRumors)

    A new feature in the latest iOS 13 beta makes users appear as if they're looking directly at the camera to make eye contact during FaceTime calls,
    when actually they're looking away from the camera at the image of the other person on their screen.

    https://www.macrumors.com/2019/07/03/ios-13-beta-has-facetime-attention-correction/

    ...what else can this "feature" do?

    ------------------------------

    Date: Wed, 3 Jul 2019 16:36:19 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: China Is Forcing Tourists to Install Text-Stealing Malware at its
    Border (Vice)

    The malware downloads a tourist's text messages, calendar entries, and phone logs, as well as scans the device for over 70,000 different files.

    https://www.vice.com/amp/en_us/article/7xgame/at-chinese-border-tourists-forced-to-install-a-text-stealing-piece-of-malware

    ------------------------------

    Date: Thu, 27 Jun 2019 08:30:08 -1000
    From: the keyboard of geoff goodfellow <geoff@iconia.com>
    Subject: Line just went Orwellian on Japanese users with its social credit
    scoring system

    EXCERPT:

    It appears other countries besides China are heading toward a bleak
    dystopian future where a human being is scored by their online activities.
    Only this time, it's a tech company and not a government implementing the
    social credit score. While not as bleak as China's social credit system,
    today Line, Japan's dominant social media company, introduced a slew of new
    products -- the most alarming among them, Line Score, reports the *Verge*
    https://www.theverge.com/2019/6/27/18760928/line-conference-2019-score-sticker-vision-mini-app-tokyo%3Futm_campaign%3Dtheverge%26utm_content%3Dchorus%26utm_medium%3Dsocial%26utm_source%3Dtwitter

    Line Score will use AI to give a social credit score to Line users. The strength of their social credit score will allow them to get access to
    better special deals and offers that Line users with lower social credit
    scores will not have access to.

    While the new product is unnerving, it's not completely out of character for Line. Recently the company has been positioning itself as a fintech
    provider, and its Line Pay digital wallet system is wildly popular in
    Japan. Line Pay also allows users to shop for insurance and allows them to invest in personal portfolios. Line Score builds on top of Line Pay by
    offering those with higher scores better perks.

    However, before George Orwell rolls over in his grave, it's important to
    note that Line stresses Line Score is opt-in only and that the company will never share a user's Line Score with third parties without the user's permission and it will not read a user's online chats to determine their
    Line Score. Still, it's unnerving that tech companies seem to think that
    social credit ratings are the next big thing for now. Hopefully, this is a trend that will not catch on.

    https://www.fastcompany.com/90370203/line-just-went-orwellian-on-japanese-users-with-its-social-credit-scoring-system

    ------------------------------

    Date: Thu, 4 Jul 2019 00:12:40 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: These are the sneaky new ways that Android apps track you

    Google's operating system manages access to your personal information. But what happens when apps refuse to play by the rules?

    https://www.fastcompany.com/90372033/these-are-the-sneaky-new-ways-that-android-apps-are-tracking-you

    ------------------------------

    Date: Thu, 27 Jun 2019 22:02:39 +0100
    From: Chris Drewe <e767pmk@yahoo.co.uk>
    Subject: Re: Autonomous vehicles don't need provisions and protocols
    (RISKS-31.21-30).

    Not sure if this is relevant here, but one example which comes to mind is
    just around the corner from my house. There's a crossroads where a main
    road and residential street meet. At each side of the junction, the main
    road is divided into three lanes: left-hand lane (this is in drive-on-left Britain) is for turning left or driving straight on, with traffic lights on
    the left-hand side of the road; middle lane is for turning right, with a traffic light on the right-hand side of the road; and the right-hand lane is for traffic coming in the opposite direction.

    Drivers unfamiliar with the area are occasionally confused by separate
    traffic lights on each side of the road, so presumably autonomous vehicles
    may also have the same problem unless they can distinguish the small green arrows indicating the permitted direction. A possible additional
    complication is the red and green pushbutton-controlled lights for
    pedestrians and cyclists mounted on the traffic light posts at shoulder
    height.

    Personally I feel that the simplest solution would be to have some sort of radio/wi-fi signal for autonomous vehicles (and maybe to conventional
    vehicles with driver-information systems) giving them an unambiguous warning
    of the traffic light indication ("OK for northbound-to-westbound turns, stop otherwise") rather than expecting them to figure out visual signs intended
    only for humans, but then that would mean special provision for them..?

    ------------------------------

    Date: Wed, 3 Jul 2019 9:40:55 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Mobius: A Memoir (Richard Thieme)

    [Richard Thieme, a long-time friend, invites interested parties to review
    small pieces of his novel in progress as it comes off the line, offering
    suggestions. He's been around this `space' for a long time, not as long as
    I have, but at least a quarter century. I believe he has friends who may
    have worked in hidden places, but I don't believe he actually did. On the
    other hand, creative fiction sometimes bears a remarkable resemblance to
    reality. If you are interested, e-mail him at rthieme@thiemeworks.com, or
    check him out at www.thiemeworks.com. PGN]

    Mobius: A Memoir
    by
    Richard Thieme
    A Note from the Author

    All CIA officers, as a condition of employment, sign the standard CIA
    secrecy agreement when entering on duty. This agreement requires submission
    of all written and spoken material to the Publications Review Board for approval. The absence of such submission in this instance indicates clearly that while some of the allusions in this memoir are to that agency, some are
    to other agencies, and some are to fictional agencies. That mashup is intentional. The account has been fictionalized to (1) avoid publication
    review which can drag on for years and (2) protect identities, sources and methods. This memoir is accordingly like a reflection in a fun-house mirror: recognizable but distorted, unlike agency-redacted materials which are distorted but unrecognizable.

    That said, the following holds true:

    While the author told the least untruthful things he could say about his
    work, this memoir is a work of fiction. Names of characters, places, and incidents are either the product of the author's imagination or are used fictitiously. Any resemblance to actual persons, living or dead, or to
    locales is entirely coincidental. In addition, the names of the author's colleagues have been changed to protect their identities. In particular, `Penny' does not refer to a specific person but is a conflation of a number
    of relationships the author had over several decades. That accounts for
    seeming contradictions and omissions.

    The author is grateful to all of his colleagues who contributed to this
    memoir. He must single out `Jamison' who willingly provided details of how
    he was taught to torture prisoners and to one physician in particular,
    referred to as `Brooks', who acknowledged that his monitoring of torture, learning from same, and bringing those hard-won lessons to the next session, might in fact constitute violations of international law dating back to Nuremberg and account for our withdrawal from the proceedings of the International Criminal Court lest the law be applied equally to all. Special thanks to Fatou Bensouda (not his real name, because it can't be, right?)
    for his insights in this matter.

    The incidents in this memoir took place over half a century in two dozen countries. The author's long-term memories are crisp despite his advanced
    age. His sleep continues to be disturbed by some of the reported incidents
    and his `partner' frequently shakes him awake when he cries out during nightmares. (It is a false rumor that he has sixteen flashlights in
    strategic locations in his home. He has only two and both are in bedside drawers).

    Richard Thieme

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.32
    ************************
