Risks Digest 31.48 (2/2)

    From RISKS List Owner@21:1/5 to All on Mon Nov 25 17:38:07 2019
    [continued from previous message]

    Subject: Officials Warn of "Juice Jacking" Scams at USB Charging Stations

    Los Angeles -- Law enforcement officials in Los Angeles County are warning
    cell phone users about a new scam that could infect their devices with
    malware when they plug into USB charging stations at airports, hotels and
    other public locations. In a scam called "juice jacking," criminals load
    malware onto charging stations or cables they leave plugged in at the
    stations, infecting the phones and other electronic devices of unsuspecting
    users. The malware may lock a user's device or export data and passwords
    directly to the scammer. "A free charge could end up draining your bank
    account," said Luke Sisak, a deputy district attorney in Los Angeles
    County. "Within minutes of being plugged in, the malware could lock the
    device or send private information, like passwords, addresses or even a
    full backup of the phone directly to the criminal." Officials are urging
    people to use AC power outlets instead of USB charging stations, as well as
    to take AC and car chargers when traveling and consider buying a portable
    charger for emergencies.

    http://da.lacounty.gov/about/inside-LADA/juice-jacking-criminals-use-public-usb-chargers-steal-data-ff

    ------------------------------

    Date: Fri, 22 Nov 2019 20:11:44 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Artificial Intelligence Discovers Tool Use in Hide-and-Seek Games
    (Quanta Magazine)

    After millions of games, machine learning algorithms found creative
    solutions and unexpected new strategies that could transfer to the real
    world.

    https://www.quantamagazine.org/artificial-intelligence-discovers-tool-use-in-hide-and-seek-games-20191118/

    The risk? That bots dominate world Hide-and-Seek tournaments...

    ------------------------------

    Date: Fri, 22 Nov 2019 20:16:49 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: After False Drug Test, He Was in Solitary Confinement for 120 Days
    (NYTimes)

    https://www.nytimes.com/2019/11/20/nyregion/prison-inmate-drug-testing-lawsuit.html

    Hundreds of New York State prisoners were locked in cells, denied release
    or removed from programs when tests erroneously showed they had used
    narcotics, according to a lawsuit.

    ------------------------------

    Date: Sat, 23 Nov 2019 07:15:14 -0500
    From: Jeremy Epstein <jeremy.j.epstein@gmail.com>
    Subject: NoiseAware - proprietary algorithm for noise detection in rental
    properties (The Verge)

    [Should this be called "Noiseware?" PGN]

    I'm staying in an Airbnb for Thanksgiving, and noticed this in the fine
    print:

    "We are dedicated to protecting our guests and neighbors from bothersome
    levels of noise. In an effort to do so, this property is equipped with
    NoiseAware technology. NoiseAware is a smart home device that measures
    volume levels throughout the property and allows us to respond to noise
    nuisances without disrupting your stay. NoiseAware is privacy compliant
    and is required on this property."

    So I naturally had to learn what this "privacy compliant" system is. It
    purports to be a device that will plug in and inform the property owner if
    it gets too noisy, but using a proprietary algorithm that's more
    sophisticated than just measuring dB level. Of course it's proprietary, so
    no one can tell how it comes to a conclusion, but if it reacts, I presume
    there would be a call from the property owner - and perhaps impact my
    ability to get future rentals.

    There's some hint of the algorithm ("Our Noise Risk Score goes beyond the
    sporadic and instantaneous measurement of a decibel, to bring you context
    and deeper insight. We track not only how loud it is, but how long it is
    loud for. We combine this with a number of other factors to bring you the
    contextual noise risk score. Nobody wants a text every time your guest
    sneezes."). But there's no explanation of why they say it's "privacy
    compliant" - is it a microphone that sends what it hears to the cloud, or
    just a loudness sensor that's sending a dB score (which would be less
    intrusive)?

    I found one article in Verge that indicates it's truly a simple sensor, not
    a microphone, so perhaps this is one of the rare cases of an IoT vendor
    getting it right! (Having said that, I'd be more comfortable if someone did
    a teardown of one of the devices and verified that indeed it is just a
    noise sensor, and that the lack of a microphone isn't a false claim.)

    https://www.theverge.com/circuitbreaker/2018/10/29/18037604/noiseaware-gen-3-indoor-outdoor-security-microphone

    ------------------------------

    Date: Sun, 24 Nov 2019 11:41:14 -0500
    From: José María Mateos <chema@rinzewind.org>
    Subject: A hypothesis on the immediate future of audio scams (CBC)

    My landlady sent me the other day this news article:

    https://www.cbc.ca/news/canada/edmonton/can-you-hear-me-phone-scam-warning-bbb-1.3970312

    Excerpt:

    From encrypted passwords to padlocked doors, Canadians will go to extreme
    lengths to avoid scammers.

    Now it may not be safe to pick up the phone.

    A new scam relies on your voice to answer a simple question: "Can you hear
    me now?" The scammers try to bait callers into answering "yes."

    Anti-fraud agencies say that simple acknowledgment can be used to make it
    sound as if you signed on for a purchase or service. ``They're trying to
    get a recording of you saying *yes*,'' said Ron Mycholuk, a spokesman with
    the Better Business Bureau of Central and Northern Alberta. ``They're going
    to take that recorded *yes*, play around with that audio and make it seem
    to you, or a representative of a business, that you have paid for some
    advertising, a cruise or a big ticket item, and send you the bill.''

    At this point I don't pick up the phone if I don't recognize the number.
    Voicemail is quite useful and I can always call back if the message is not
    spam, which rarely happens.

    However, I then remembered this other piece of news (which, incidentally, I
    haven't been able to find on the RISKS archive, but I'd be surprised if it
    hasn't been sent before):

    https://www.zdnet.com/article/forget-email-scammers-use-ceo-voice-deepfakes-to-con-workers-into-wiring-cash/

    Excerpt:

    Criminals are using AI-generated audio to impersonate a CEO's voice and con
    subordinates into transferring funds to a scammer's account. So-called
    deepfake voice attacks could be the next frontier in a scam that's cost US
    businesses almost $2bn over the past two years using fraudulent email.

    *The Wall Street Journal* reports that the CEO of an unnamed UK-based energy
    company thought he was talking on the phone with his boss, the CEO of the
    German parent company, who'd asked him to urgently transfer [the equivalent
    of] $243,000 to a Hungarian supplier.

    However, the UK CEO was in fact taking instructions from a scammer who'd
    used AI-powered voice technology to impersonate the German CEO. It's the
    voice equivalent of deepfake videos that are causing alarm for their
    potential to manipulate public opinion and cause social discord.

    So of course at this point one would expect that the first scam (the
    method) and the second one (the technology) are a match made in heaven.
    Let's see if that starts happening. I'm betting on "sure, what else is to
    expect".

    ------------------------------

    Date: Sun, 24 Nov 2019 22:03:05 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: How to prevent a data breach, lessons learned from the infosec
    vendors themselves (Web Informant)

    https://blog.strom.com/wp/?p=7456

    ------------------------------

    Date: Sun, 24 Nov 2019 22:28:29 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Someone Got Access to Their Secret Consumer Score. Now You Can Get
    Yours, Too. (NYTimes)

    Little-known companies are amassing your data -- like food orders and
    Airbnb messages -- and selling the analysis to clients. Here's how to
    get a copy of what they have on you.

    I Got Access to My Secret Consumer Score. Now You Can Get Yours, Too.
    https://www.nytimes.com/2019/11/04/business/secret-consumer-score-access.html

    Sigh, a while ago I requested my files from various government agencies
    mentioned in a surveillance article. Nothing much found. Now there's more
    work learning what these people have on me.

    ------------------------------

    Date: Wed, 13 Nov 2019 11:20:00 PST
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Iowa hired cyberhackers, then arrested them (TechSpot)

    https://www.techspot.com/news/82740-iowa-hired-cybersecurity-firm-do-penetration-testing-arrested.html

    ------------------------------

    Date: Sat, 16 Nov 2019 23:02:06 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Mastercard vs. mistakes and fraud (Fortune)

    The AI profiles of lots of other companies are starting to look more like
    Amazon's. Case in point: Mastercard. Ajay Bhalla, who heads cyber and
    intelligence solutions for the payments company, told me it has used AI to
    cut in half the number of times a customer has their credit card
    transaction erroneously declined, while at the same time reducing
    fraudulent transactions by about 40%.

    Mastercard has also used predictive analytics to spot cyberattacks
    <https://click.newsletters.fortune.com/?qs=dbd9314600a712630e23a5418eacc48e1536514d7dbfffe4f219611063d6d67fb034c62e813981dd59682d0fb76c03606d9ed2e8b28103db>
    and waves of fraudulent activity by organized crime groups. Bhalla says
    this has helped its customers avoid some $7.5 billion worth of damage from
    cyber attacks in just the past 10 months. And, he says, Mastercard is now
    using AI-based software across every section of the company, from human
    resources to finance to marketing.

    ------------------------------

    Date: Sat, 16 Nov 2019 23:02:46 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: As 5G Rolls Out, Troubling New Security Flaws Emerge (WiReD)

    https://www.wired.com/story/5g-vulnerabilities-downgrade-attacks/

    ------------------------------

    Date: Wed, 13 Nov 2019 16:52:12 +0200
    From: Amos Shapir <amos083@gmail.com>
    Subject: Re: The rise of microchipping: are we ready for technology to get
    under the skin? (RISKS-31.47)

    Technically, the machines which read the ID chips do not care whether the
    chip is embedded in a card or implanted under the customer's skin.

    The difference is that implantation is like branding: The decision whether
    to carry an ID chip is transferred from the people themselves to their
    owner ^H^H^H^H employer.

    ------------------------------

    Date: 13 Nov 2019 11:16:22 -0500
    From: "John R. Levine" <johnl@iecc.com>
    Subject: Re: What happens if your mind lives for ever on the Internet?
    (RISKS-31.47)

    >> It may be some way off, but mind uploading, the digital duplication of
    >> your mental essence, could expand human experience into a virtual
    >> afterlife.

    For another take on this very topic from June of this year, see:

    http://wondermark.com/c1485/

    It's five pages, click the Next arrow at the right.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.48
    ************************
