Risks Digest 31.44

RISKS List Owner

Oct 2, 2019, 4:43:51 PM
to ri...@csl.sri.com
RISKS-LIST: Risks-Forum Digest Wednesday 2 October 2019 Volume 31 : Issue 44

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.44>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Secret FBI subpoenas scoop up personal data from scores of companies (NYT)
Putin Begins Installing Equipment To Cut Russia's Access To World Wide Web
(Zak Doffman)
Lawmakers warn about threat of political deepfakes by creating one
(WashPost)
How will Self-Driving Cars Impact Cities? (CTA)
A Nation Divided: U.S. Politics Taking Physical, Emotional Toll On Americans
(StudyFinds)
White House mistakenly sends Trump-Ukraine talking points to Democrats
(WashPost)
As Made-To-Order DNA Gets Cheaper, Keeping It Out Of The Wrong Hands Gets
Harder (npr.org)
Airbus hit by a series of cyber-attacks on its suppliers (PGN)
Feds say Boeing 737 needs to be better designed for humans (WiReD)
The Dangers of Delaying FAA Modernization (WiReD)
The Loophole That Turns Your Apps Into Spies (NYTimes)
Exim vulnerability "remote code execution seems to be possible" (J Coe)
Inside the campaign that tried to compromise Tibetans' iOS and Android
phones (Ars Technica)
People are hacking their Peloton bikes so they can watch Netflix and cheat
the leaderboard ranking system (Business Insider)
Life imitates a bad sitcom? (Ars Technica)
No big conspiracy. Just map tile boundaries right upon borders
(Dan Jacobson)
The Privacy Project (NYTimes)
Twitter executive with editorial responsibility for the Middle East
is also British psyops officer (Middle East Eye)
Heyyo dating app leaked users' personal data, photos, location, more
(Catalin Cimpanu)
An 11-year-old drove 200 miles alone to live with a man he met on Snapchat,
police say (WashPost)
99% of Misconfigurations in the Public Cloud Go Unreported (Charlie Osborne)
Hackers Say They Took Over Vote Scanners Like Those Coming to Georgia
(Mark Neisse)
Developer of Checkm8 explains why iDevice jailbreak exploit is a game
changer (Ars Technica)
A fitness influencer will serve nearly 5 years in jail ...
(Business Insider)
What Is a Blockchain Smartphone and Should You Buy One Now? (Blocks Decoded)
The risk? "Security" questions (MadMeSmile)
Re: Google Chrome update corrupting some macOS installs (Gabe Goldberg)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 25 Sep 2019 01:07:03 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Secret FBI subpoenas scoop up personal data from scores of companies
(NYTimes)

https://www.nytimes.com/2019/09/20/us/data-privacy-fbi.html

The practice, which the bureau says is vital to counterterrorism
efforts, casts a much wider net than previously disclosed, newly
released documents show.

------------------------------

Date: September 26, 2019 0:00:19 JST
From: Dewayne Hendricks <dew...@warpspeed.com>
Subject: Putin Begins Installing Equipment To Cut Russia's Access To
World Wide Web (Zak Doffman)

[Note: This item comes from friend Steve Goldstein. DLH]
[Via Dave Farber]

Zak Doffman, Forbes, 24 Sep 2019
<https://www.forbes.com/sites/zakdoffman/2019/09/24/russia-begins-installing-equipment-to-cut-its-access-to-world-wide-web/>

Earlier this year, Russian President Vladimir Putin signed the Russian
Internet (RuNet) into law to protect the country's communications
infrastructure in case it was disconnected from the world wide web -- or so
he said. Critics argued it was opening a door to a Chinese-style firewall
disconnecting Russia from the outside world.

Now, Alexander Zharov, the head of the federal communications regulator
Roskomnadzor has confirmed to reporters that ``equipment is being installed
on the networks of major telecom operators,'' and RuNet will begin testing
by early October. Such testing, reporters were told, is known as `combat
mode'.

When the legislation was introduced there was some debate as to whether it
would work in practice. The government claimed its objective was to deal
with "threats to the stable, safe and integral operation of the Russian
Internet on Russian territory," by centralizing "the general communications
network." This would work by deploying an alternative domain name system
(DNS) for Russia to steer its web traffic away from international
servers. ISPs are mandated to comply.

The Moscow Times reported at the time that "Russia carried out drills in
mid-2014 to test the country's response to the possibility of its Internet
being disconnected from the web -- the secret tests reportedly showed that
isolating the Russian Internet is possible, but that 'everything' would go
back online within 30 minutes."

As for this `combat testing', Zharov has assured that everything will be
done ``carefully'', according to local media reports, explaining that ``we
will first conduct a technical check -- affects traffic, does not affect
traffic, do all services work.'' The plan is for all of this testing to be
completed by the end of October.

Although the regulator has been keen to emphasise that RuNet is only for
deployment when the system is perceived to be `in danger', there is a clear
question as to where and how such a decision would be taken. Such threats
have been classified as ``impacts to the integrity of networks, the
stability of networks, natural or man-made impacts, or security threats,''
all pretty wide-ranging classifiers.

Russia's recent moves to shut down cellular data traffic to stymie
anti-Putin protesters and government warnings that social media access may
be curtailed have not brought much confidence to its tech savvy citizens.

------------------------------

Date: Fri, 27 Sep 2019 14:23:00 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Lawmakers warn about threat of political deepfakes by creating one
(WashPost)

Rep. Michael Waltz wants Navy to beat Army in this year's football game,
according to a newly released political deepfake - a video doctored with
artificial intelligence. But the content wasn't true, as Waltz is a
former Army Green Beret.

But Waltz teamed up with Rep. Don Beyer, D-Va., to craft the mock deepfake
for the House Science subcommittee to illustrate just how realistic this
kind of disinformation can be. The SUNY-Albany and University of Chicago
researchers took a recorded video statement from Beyer and transposed it
onto Waltz's image - designed to be a jarring sight for subcommittee chair
and former Navy pilot Mikie Sherrill, D-N.J.

The resulting video is a warning for lawmakers - and the public - that bad
actors could abuse this technology for much more nefarious purposes than
having a friendly joke about a sports rivalry. Watch it here:

"You see how dangerous and misleading it could be; I'm sure we fooled a
couple of people," Beyer said. "For instance, what if instead of 'Go Navy,
Beat Army,' I said, 'It's time to impeach the president'? That would be
viral everywhere."...

https://www.greenwichtime.com/news/article/Lawmakers-warn-about-threat-of-political-14472593.php

https://www.washingtonpost.com/news/powerpost/paloma/the-technology-202/2019/09/27/the-technology-202-lawmakers-warn-about-threat-of-political-deepfakes-by-creating-one/

------------------------------

Date: Thu, 26 Sep 2019 13:43:20 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: How will Self-Driving Cars Impact Cities? (CTA)

Article: Plenty of options for customization exist on a city-wide level,
including mandating that shared-ride service vehicles also be designed with
cameras for neighborhood watch duties, he adds.

Seriously? That's astonishing coming from someone in privacy-aware Europe.
Given what Fairfax County has just gone through regarding privacy policies
and implementation details on drones and body-worn cameras, the idea of
*mandating* civilian implementation of massive surveillance is a hoot.

Article: This could include a city-licensed remote vehicle monitoring center
staffed with tele-operators or run by artificial intelligence capable of
taking over a vehicle if the need arises.

Seriously? AI or remote driver -- with no situational awareness -- suddenly
seizes vehicle control? What could go wrong with that.

https://www.cta.tech/News/i3/Articles/2019/July-August/How-will-Self-driving-Cars-Impact-Cities.aspx

------------------------------

Date: Fri, 27 Sep 2019 14:24:00 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: A Nation Divided: U.S. Politics Taking Physical, Emotional Toll
On Americans (StudyFinds)

- Survey reveals about two in five Americans are stressed out by the
political climate, and one in five say they're even losing sleep.
- Nearly a third of those surveyed feel views expressed on cable news
channels are driving them crazy.
- Study author believes problem is akin to a public health crisis in the
country.

The past few years in American politics have been tumultuous, to say the
least. Personal political beliefs aside, there is no denying that the U.S.
has grown especially divided in the wake of Donald Trump's 2016 presidential
election victory. Between social media bots
<https://www.studyfinds.org/modern-politics-social-media-bots-will-be-harder-to-detect-during-2020-election-study-finds/>,
partisan news coverage
<https://www.studyfinds.org/mainstream-media-news-politics/>, and the
president's frequent Twitter posts, it has never been harder for the average
American to avoid being bombarded with some type of political message on an
almost hourly basis.

It isn't a stretch to assume that at some point all of that polarization
<https://www.studyfinds.org/political-divide-america-worst-ever/> would have
a negative effect on the collective well being of the nation, and a new
study conducted at the University of Nebraska-Lincoln has effectively
confirmed this assumption. According to researchers, the current U.S.
political climate is literally making Americans physically sick, damaging
friendships, and driving many people crazy.

In March of 2017 researchers surveyed 800 Americans, selected from a pool of
1.8 million in order to create representative samples of the U.S.
population. Almost 40% admitted that politics is stressing them out, and
one in five even said they are losing sleep over U.S. politics.
<https://www.studyfinds.org/expert-warns-lack-of-sleep-changes-dna-behavior-weight-gain-high-blood-pressure/>

``It became apparent, especially during the 2016 electoral season, that this
was a polarized nation, and it was getting even more politically
polarized,'' comments study leader and political scientist Kevin Smith in a
release. ``The cost of that polarization to individuals had not fully been
accounted for by social scientists or, indeed, health researchers.''
<https://news.unl.edu/newsrooms/today/article/stressed-out-americans-making-themselves-sick-over-politics/>

Smith even described the study's findings as akin to a public health crisis.
This study is among the first to comprehensively examine the physical and
emotional cost of participating in the current U.S. political system and
subsequent discourse. Of course, there have been other studies conducted on
U.S. politics, but those focused primarily on economic or monetary costs...

https://www.studyfinds.org/a-nation-divided-u-s-politics-taking-physical-emotional-toll-on-americans/

------------------------------

Date: Wed, 25 Sep 2019 23:27:07 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: White House mistakenly sends Trump-Ukraine talking points to
Democrats (WashPost)

The email outlined the White House's messaging strategy following the
release of the rough transcript of President Trump's call with his Ukrainian
counterpart. It was quickly recalled, amid ridicule from Democrats.

https://www.washingtonpost.com/politics/white-house-mistakenly-sends-trump-ukraine-talking-points-to-democrats/2019/09/25/5170aa52-dfb2-11e9-b199-f638bf2c340f_story.html

------------------------------

Date: Wed, 25 Sep 2019 09:57:29 +0800
From: Richard Stein <rms...@ieee.org>
Subject: As Made-To-Order DNA Gets Cheaper, Keeping It Out Of The Wrong Hands
Gets Harder (npr.org)

https://www.npr.org/sections/health-shots/2019/09/24/762834987/as-made-to-order-dna-gets-cheaper-keeping-it-out-of-the-wrong-hands-gets-harder

'The technology needed to "write" DNA is now undergoing a similar
transformation. Over the last decade, the cost of synthesizing a pair of
DNA letters has dropped from about one dollar to less than 10 cents.

'"We can actually finally afford to write this code, and we can write much
more of it," says Boyle. "We're coming up with thousands of new designs on a
computer, printing out the DNA for them, booting up that DNA, seeing what it
does and then iterating on those designs."'

Risk: Biotoxic, viral defect escape.

------------------------------

Date: Thu, 26 Sep 2019 0:48:04 PDT
From: "Peter G. Neumann" <neu...@csl.sri.com>
Subject: Airbus hit by a series of cyber-attacks on its suppliers

Hackers searching for technical secrets, security sources say.
China link suspected. https://t.co/8LFEokucaV
(Twitter via IFTTT <act...@ifttt.com>)

------------------------------

Date: Sat, 28 Sep 2019 11:37:35 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Feds say Boeing 737 needs to be better designed for humans
(WiReD)

https://www.wired.com/story/feds-boeing-737s-better-designed-humans/

------------------------------

Date: Sat, 28 Sep 2019 23:16:43 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: The Dangers of Delaying FAA Modernization (WiReD)

Opinion: Grounded by mid-20th-century technology, air traffic controllers
cannot handle the ongoing demands of commercial airlines and drones.

https://www.wired.com/story/the-dangers-of-delaying-faa-modernization/

------------------------------

Date: Wed, 25 Sep 2019 00:20:37 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: The Loophole That Turns Your Apps Into Spies (NYTimes)

https://www.nytimes.com/2019/09/24/opinion/facebook-google-apps-data.html

------------------------------

Date: Tue, 1 Oct 2019 07:02:00 +0100
From: J Coe <spen...@gmail.com>
Subject: Exim vulnerability "remote code execution seems to be possible"

A new Exim patch has been released for a critical vulnerability in the
world's most popular MX server. The second this month.

https://exim.org/static/doc/security/CVE-2019-16928.txt

https://www.bleepingcomputer.com/news/security/new-exim-vulnerability-exposes-servers-to-dos-attacks-rce-risks/

------------------------------

Date: Sat, 28 Sep 2019 12:36:40 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Inside the campaign that tried to compromise Tibetans' iOS and
Android phones (Ars Technica)

https://arstechnica.com/information-technology/2019/09/attackers-used-one-click-exploits-to-target-tibetans-ios-and-android-phones/

------------------------------

Date: Sun, 29 Sep 2019 09:31:28 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: People are hacking their Peloton bikes so they can
watch Netflix and cheat the leaderboard ranking system (Business Insider)

https://www.businessinsider.com/peloton-bike-tablets-rooted-watch-netflix-spotify-hacked-cheat-leaderboards-2019-9

------------------------------

Date: Wed, 25 Sep 2019 01:23:53 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Life imitates a bad sitcom? (Ars Technica)

Inmates built computers hidden in ceiling, connected them to prison network

https://arstechnica.com/tech-policy/2017/04/inmates-built-computers-hidden-in-ceiling-connected-them-to-prison-network/

Randall Meyer, the Ohio inspector general, said the prison's lax supervision
allowed a situation akin to "an episode from Hogan's Heroes."

------------------------------

Date: Thu, 26 Sep 2019 12:54:20 +0800
From: Dan Jacobson <jid...@jidanni.org>
Subject: No big conspiracy. Just map tile boundaries right upon borders

Here on OpenStreetMap,
"They are blocking my edits to North Korea",
"They are blocking my edits to South Korea",
might all in fact be due to a portion of the border lying right along a
map tile boundary, and different tiles getting refreshed in one's browser
not at the same time. All quite innocent. Something similar fooled me in
https://github.com/gravitystorm/openstreetmap-carto/issues/3906 .

So OK, if there seems to be some unfairness going on, first check if it is
happening along an edge of a country, city, building, etc. that runs due
north/south/east/west...

------------------------------

Date: Wed, Sep 25, 2019 at 6:25 AM
From: Dewayne Hendricks <dew...@warpspeed.com>
Subject: The Privacy Project (NYTimes)

Companies and governments are gaining new powers to follow people across the
Internet and around the world, and even to peer into their genomes. The
benefits of such advances have been apparent for years; the costs -- in
anonymity, even autonomy -- are now becoming clearer. The boundaries of
privacy are in dispute, and its future is in doubt. Citizens, politicians
and business leaders are asking if societies are making the wisest
tradeoffs. The Times is embarking on this months-long project to explore the
technology and where it's taking us, and to convene debate about how it can
best help realize human potential.

By now you probably know that your apps ask for permission to tap into loads
of data. They request device information, like advertiser IDs, which
companies use to build marketing profiles. There's data the companies
explicitly ask for via a pop-up window, like access to contacts or your
camera roll. And then there's tracking that is especially invasive, like
access to your microphone or your phone's gyroscope or location tracking
data.

What you probably didn't know is that by downloading those apps and entering
into those contracts, you're also exposing your sensitive information to
dozens of other technology companies, ad networks, data brokers and
aggregators. Sometimes the information is shared with global tech giants;
other times it's with small companies you've never heard of.

The data is transmitted -- or in some cases leaked -- via software
development kits (SDKs). They are essentially developer shortcuts, a set of
tools or a library of code that developers can import from a third party so
that they don't have to build them from scratch.

Because they're so useful to app developers, SDKs are embedded into
thousands of apps, ranging from mundane weather services to mobile games and
even in some health apps. Facebook, Google and Amazon, for example, have
extremely popular SDKs that allow smaller apps to connect to bigger
companies' ad platforms or help provide web traffic analytics or payment
infrastructure. In exchange, the SDK makers receive user data from that
app. Just how much data is often unclear. And once the companies have it,
there are no restrictions on what they can do with it. Theoretically, they
could turn around and sell that data for profit.

Last December I reported on how Facebook's SDK was collecting information
from apps like Tinder and Grindr as well as various pregnancy and religious
apps. Among the information sent to Facebook: your device IP address and
type, the time of use and your advertising ID. While the data is supposedly
anonymized, the advertising ID makes it extremely easy for bigger companies
like Facebook to identify and link third-party app information to existing
Facebook users (if you've logged into Facebook on your phone or downloaded
the app, Facebook can theoretically match that advertising ID with the ID
transmitted through the SDK).

SDKs become particularly concerning when embedded inside apps that contain
sensitive information. This month BuzzFeed News reported that period tracker
apps were sending highly personal data to Facebook via SDKs, including when
women last had sex. And it's not just Facebook; small tech companies and ad
networks with unknown business practices provide SDKs to apps, and hoover up
and potentially expose information. In 2018, a researcher for Kaspersky Labs
``found 4 million Android apps were sending unencrypted user profile data,
such as names, ages, incomes, phone numbers and email addresses -- and, in
one example, dates of birth, user names and GPS coordinates'' from the app
to the advertisers' servers.

To get a sense of how prevalent SDKs are, I used Mighty Signal, a tool that
tracks the SDKs embedded inside tens of thousands of apps to search around
for sensitive categories. I quickly found Period Tracker, an Android app
with more than 100 million downloads, according to the site. Mighty Signal
listed 26 SDKs embedded in the app from Facebook and Google as well as
smaller tech companies, each one transmitting potentially sensitive
information. Feeld, an app that originally started as a way for couples and
singles to participate in group hookups, currently has 42 installed SDKs and
52 previously installed SDKs on its iOS app. While it's unclear exactly what
information is being shared, each third party that's receiving sensitive
information is a potential vulnerability. In the case of some SDKs, which
belong to ad networks or smaller analytics firms, the companies may be
bought or sold, so the data could change hands without its owners knowing.

Nearly every advertising industry source I've spoken with requested
anonymity to speak about SDKs, in part because their companies were using
them in some way to collect data. One described the industry, which isn't
meaningfully regulated or monitored, as the Wild West. ``It's the
industry standard,'' an online ad industry veteran told me. ``And every app
is potentially leaking data to five or 10 other apps. Every SDK is taking
your data and doing something different -- combining it with other data to
learn more about you. It's happening even if the company says we don't share
data. Because they're not technically sharing it; the SDK is just pulling it
out. Nobody has any privacy.''

https://www.nytimes.com/interactive/2019/opinion/internet-privacy-project.html

------------------------------

Date: Tue, 1 Oct 2019 05:50:18 +0100
From: J Coe <spen...@gmail.com>
Subject: Twitter executive with editorial responsibility for the Middle East
is also British psyops officer (Middle East Eye)

The senior Twitter executive with editorial responsibility for the Middle
East is also a part-time officer in the British Army's psychological
warfare unit, Middle East Eye has established.

Gordon MacMillan, who joined the social media company's UK office six years
ago, has for several years also served with the 77th Brigade, a unit formed
in 2015 in order to develop `non-lethal' ways of waging war.

The 77th Brigade uses social media platforms such as Twitter, Instagram and
Facebook, as well as podcasts, data analysis and audience research to wage
what the head of the UK military, General Nick Carter, describes as
`information warfare'.

https://www.middleeasteye.net/news/twitter-executive-also-part-time-officer-uk-army-psychological-warfare-unit

------------------------------

Date: Thu, 26 Sep 2019 09:23:06 -0700
From: Gene Wirchenko <ge...@shaw.ca>
Subject: Heyyo dating app leaked users' personal data, photos, location, more
(Catalin Cimpanu)

Catalin Cimpanu for Zero Day | 25 Sep 2019

https://www.zdnet.com/article/heyyo-dating-app-leaked-users-personal-data-photos-location-data-more/

Another dating app fails to secure production server and puts users at risk.

selected text:

Online dating app Heyyo has made the same mistake that thousands of
companies have made before it -- namely, it left a server exposed on the
Internet without a password.

This leaky server, an Elasticsearch instance, exposed the personal details,
images, location data, phone numbers, and dating preferences for nearly
72,000 users, believed to be the app's entire userbase.

During the time we looked at the database, it also became clear that the
server was a live production system and not an older server used for tests
or storing backups.

The number of registered users grew from 71,769 to 71,921 in the time we
looked at the data. We also registered a test account, and we saw it appear
on the server within seconds.

To show how intrusive the leak could be, we performed a simple test. We
took the details of three random users, and in a few minutes, using Google
search queries and simple OSINT (open-source intelligence) scripts
downloaded from GitHub, we easily tracked down and linked the three users to
their real-life identities, LinkedIn profiles, social media accounts, and
even posts they made on niche Internet forums.

Since we're talking about a dating website, this type of information could
be used for stalking or extorting users with information about their dating
life and habits. This is not a hypothetical scenario. These types of
extortion campaigns have happened in the past, especially after the Ashley
Madison data breach.

------------------------------

Date: Wed, 25 Sep 2019 15:10:11 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: An 11-year-old drove 200 miles alone to live with a man he met on
Snapchat, police say (WashPost)

Police found him lost in Charleston, and he was returned to his family.

https://www.washingtonpost.com/nation/2019/09/25/an-year-old-drove-miles-alone-live-with-man-he-met-snapchat-police-say/

------------------------------

Date: Fri, 27 Sep 2019 10:04:48 PDT
From: ACM Tech News
Subject: 99% of Misconfigurations in the Public Cloud Go Unreported
(Charlie Osborne)

Charlie Osborne, ZDNet, 24 Sep 2019, via ACM TechNews, 27 Sep 2019

The recent growth in the adoption of cloud-based technologies and
Infrastructure as a Service (IaaS) has resulted in loss of information
caused by misconfigurations and weak credentials in the public cloud
space. Researchers at McAfee say that only 1% of IaaS misconfigurations are
reported, suggesting there are numerous companies around the world
unwittingly leaking data. The researchers surveyed 1,000 IT professionals
from 11 countries and aggregated cloud usage data from over 30 million
McAfee Mvision cloud users. The team found that while companies believe they
average 37 IaaS misconfiguration issues per month, in reality the figure is
closer to 3,500. The majority (90%) of respondents said they had encountered
security issues with IaaS, but only 26% said they were equipped to handle
misconfiguration audits.
https://orange.hosting.lsoft.com/trk/click?ref=3Dznwrbbrs9_6-21b8cx21df34x070237&

------------------------------

Date: Fri, 27 Sep 2019 10:04:48 PDT
From: ACM Tech News
Subject: Hackers Say They Took Over Vote Scanners Like Those Coming to Georgia

Mark Neisse, *Atlanta Journal-Constitution*, 26 Sep 2019 via ACM Tech News

A report from the DEF CON Voting Machine Hacking Village conference
described the discovery of a hack for commandeering ballot-scanning machines
similar to those soon to be deployed in Georgia. Hackers at the conference
seeking weaknesses in voting technology broke into the scanner with a
screwdriver and replaced a memory card, allowing them to run their own
operating system. Jeremy Epstein, vice chair of ACM's U.S. Technology Policy
Committee and an election and cybersecurity expert, said the conference
report emphasizes the need for both strong paper-ballot audits, and physical
security of voting equipment. Said Epstein, "The good thing about the paper
ballots, unlike the touchscreen machines historically used in Georgia, is in
the worst case the paper ballots are in a box" that can be used to verify
votes are tabulated accurately.
https://orange.hosting.lsoft.com/trk/click?ref=3Dznwrbbrs9_6-21b8cx21df38x070237&

------------------------------

Date: Sat, 28 Sep 2019 08:38:10 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Developer of Checkm8 explains why iDevice jailbreak exploit is a
game changer (Ars Technica)

https://arstechnica.com/information-technology/2019/09/developer-of-checkm8-explains-why-idevice-jailbreak-exploit-is-a-game-changer/

------------------------------

Date: Sun, 29 Sep 2019 09:44:22 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: A fitness influencer will serve nearly 5 years in jail ...

for using 369 Instagram accounts to harass bodybuilding colleagues and
allegedly faking her daughter's kidnapping.

https://www.businessinsider.com/fitness-influencer-tammy-steffen-jailed-instagram-fake-kidnapping-florida-2019-9

------------------------------

Date: Mon, 30 Sep 2019 00:40:01 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: What Is a Blockchain Smartphone and Should You Buy One Now?
(Blocks Decoded)

What is a blockchain smartphone? Should you buy one now?

You're in the market for a new smartphone. There are all the usual suspects;
Huawei, Samsung, Apple, and so on. But a new trend caught your eye: the
blockchain smartphone.

What is a blockchain smartphone? Should you bother buying one? And how do
they compare to a regular smartphone?

Here's what you need to know about blockchain smartphones.

https://blocksdecoded.com/what-is-blockchain-smartphone-should-you-buy-one/

------------------------------

Date: Tue, 24 Sep 2019 16:41:10 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: The risk? "Security" questions (MadMeSmile)

My 14-year-old is finally taking an interest in me. [...]
https://i.redd.it/drudi6wikgo31.jpg

------------------------------

Date: Wed, 25 Sep 2019 20:08:23 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Re: Google Chrome update corrupting some macOS installs (R 31 43)

Google has confirmed the existence of an issue in a Chrome update that has
reportedly affected movie studios that use the Avid video editing suite on
the cylindrical Mac Pro, with the company offering a solution to the issue
it claims will recover affected machines.

https://appleinsider.com/articles/19/09/25/google-chrome-update-corrupting-some-macos-installs----but-theres-a-fix

------------------------------

Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.44
************************