DIY devices let car owners add autonomous features to vehicles

CERT-LatestNews KasperskyNews Malware Security News ThreatsCybercrime ThreatsStrategic Uncategorized

The RISKS Digest Volume 30 Issue 37

The Risks Digest

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 37

Friday 14 July 2017

Contents

DIY devices let car owners add autonomous features to vehicles
Carolyn Said via PGN
Kaspersky in the crosshairs
Engadget
Requested voter details may be gold for cybercriminals
John Wildermuth
On the request for states to provide all personal info on voters
The Washington Post
FTC Halts Operation That Unlawfully Shared and Sold Consumers’ Sensitive Data
FTC
Two Former Employees of House Member Indicted On Federal Charges in Cyberstalking Case
DoJ
The White House just posted the emails of critics without censoring sensitive personal information
Vox via Lauren Weinstein
Beware of a new scam involving “relatives” and gift cards
CBS
Computerization and overnight train service
Mark Brader
Why fact-checking ‘fake news’ stories is a waste of time
WeForum
Web gets built-in copy protection hooks with a few key flaws
Engadget
“Charging Phone Kills 14-Year-Old Girl in Bathtub”
Harriet Sinclair
Funny how these articles are all the same…
Gabe Goldberg
Woman’s selfie causes $200,000 of damage to LA art exhibit
Pamela Ng
FDA Deal Would Relax Rules on Reporting Medical Device Problems
The New York Times
Judges refuse to order fix for court software that put people in jail by mistake
Ars Technica
Cloud Leak: How A Verizon Partner Exposed Millions of Customer Accounts
UpGuard
Backdoor built in to widely used tax app seeded last week’s NotPetya outbreak
Ars Technica
Hackers have been stealing credit card numbers from Trump’s hotels for months
The Washington Post
Everybody lies: how Google search reveals our darkest secrets
The Guardian
Re: Volvo admits its self-driving cars are confused by kangaroos
Dave Horsfall
Re: Western tech firms bow to Russian demands to share cybersecrets
Anthony Youngman
Press kits or other publications on thumb drives?
Gabe Goldberg
Info on RISKS (comp.risks)

DIY devices let car owners add autonomous features to vehicles

“Peter G. Neumann” <[email protected]>

Wed, 12 Jul 2017 16:33:21 PDT

Carolyn Said, San Francisco Chronicle, Business Report, C1, 7 Jul 2017
(PGN-ed) The original goal of some developers was to provide kits to enable owners to
retrofit conventional cars to be self-driving. The article mentions Panda,
OpenPilot, Chffr, Cabana, Comma, Neodriven, and more. “The adaptive
cruise-control from Honda Sensing is almost embarrassing in bumper-to-bumper
traffic; it drives just like a 16-year-old just learning.'' Fascinating
article, but lacking in assurance that nothing bad is likely to happen. Risks (totally unmentioned, and often left to the imagination of RISKS
readers) might include (for example), * Tinkering with (enhancing) the kits * Disabling kit-provided safety features, intentionally or unintentionally? * Providing new or augmented kits that can alter the hardware and software of off-the-shelf kit-based hand-tinkered conventional cars, or in emerging self-driving cars * Disrupting surrounding vehicles (e.g., passing in heavy traffic, or jamming communications of neighboring vehicles), circumventing rules and regulations, and lots more. 

Kaspersky in the crosshairs (Engadget)

Lauren Weinstein <[email protected]>

Fri, 14 Jul 2017 15:25:05 -0700

via NNSquad
https://www.engadget.com/2017/07/14/kaspersky-in-the-crosshairs/ Kaspersky is in what you might call "a bit of a pickle." The Russian cybersecurity firm, famous for its antivirus products and research reports on active threat groups is facing mounting accusations of working with, or for, the Russian government. These accusations have been made in press and infosec gossip for years. In the past month there's been more scuttlebutt in the press, an NSA probe surfaced, and the Senate got involved by pushing for a product ban. This week things reached a peak with fresh accusations from Bloomberg and a surprising attack from the Trump administration. Which is odd, considering how eager the current regime is to please and grease the wheels of its Russian counterparts. Either way, Kaspersky is really in a tight spot this time. The hammer dropped Tuesday when Bloomberg published Kaspersky Lab Has Been Working With Russian Intelligence. It comes from the same reporters who started 2015's "banyagate," in which Kaspersky Lab Has Close Ties to Russian Spies alleged CEO Eugene Kaspersky colluded with Russian intel in secret sauna meetings. 

Requested voter details may be gold for cybercriminals (John Wildermuth)

“Peter G. Neumann” <[email protected]>

Fri, 7 Jul 2017 7:49:57 PDT

John Wildermuth, *San Francisco Chronicle*, front page, 7 Jul 2017 The article caption tells it all for RISKS readers. "Kobach could be setting up a one-stop shop of personal information that would be a treasure trove not only for shady online entrepeneurs, but also for identity thieves and criminal hackers." 

On the request for states to provide all personal info on voters

“Peter G. Neumann” <[email protected]>

Mon, 10 Jul 2017 17:43:57 PDT

https://www.washingtonpost.com/local/public-safety/trump-voting-panel-tells-states-to-hold-off-sending-data-while-court-weighs-privacy-impact/2017/07/10/c4c837fa-6597-11e7-a1d7-9a32c91c6f40_story.html Trump voting panel tells states to hold off sending data while court weighs
privacy impact President Trump's voting commission on Monday asked states and the District
to hold off submitting the sweeping voter data the panel had requested until
a federal judge in Washington decides whether the White House has done
enough to protect Americans' privacy. The Electronic Privacy Information Center (EPIC), a watchdog group, has
asked U.S. District Judge Colleen Kollar-Kotelly to block the commission's
data request, arguing that the panel had not conducted the full privacy
impact statement required by federal law for new government electronic
data-collection systems. Separately Monday, two civil liberties groups filed lawsuits to prevent the
commission from holding its first scheduled meeting next week, alleging that
the panel had been working in secret and in violation of government
regulations on public transparency. The two new lawsuits add to the potential roadblocks faced by the
commission, whose request for voting information from more than 150 million
registered voters has drawn bipartisan criticism across the states as an
assault on privacy and states' rights and a stealth attempt at voter
suppression. [...] 

FTC Halts Operation That Unlawfully Shared and Sold Consumers’ Sensitive Data (FTC)

Monty Solomon <[email protected]>

Fri, 7 Jul 2017 10:29:26 -0400

Lead generation firm earned millions by falsely promising to match consumers
with low-rate loans
https://www.ftc.gov/news-events/press-releases/2017/07/ftc-halts-operation-unlawfully-shared-sold-consumers-sensitive 

Two Former Employees of House Member Indicted On Federal Charges in Cyberstalking Case (DoJ)

Gabe Goldberg <[email protected]>

Thu, 13 Jul 2017 20:31:36 -0400

WASHINGTON – Two former staff employees of a member of the U.S. House of
Representatives have been indicted following an investigation into the
circulation of private, nude images and videos of the member and the
member's spouse, announced U.S. Attorney Channing D. Phillips and Matthew
R. Verderosa, Chief of the United States Capitol Police. ... The indictment alleges that, during the course of his employment, McCullum
offered in March 2016 to assist the House member in repairing the member’s
malfunctioning, password-protected cellular iPhone by taking the device to a
local Apple store. According to the indictment, the House member provided
McCullum with the device solely to have the iPhone repaired. McCullum was
not given permission to take, copy, or distribute any of the contents of the
iPhone. The iPhone contained the private, nude images and videos. https://www.justice.gov/usao-dc/pr/two-former-employees-house-member-indicted-federal-charges-cyberstalking-case Well, of course—what could go wrong? 

The White House just posted the emails of critics without censoring sensitive personal information

Lauren Weinstein <[email protected]>

July 14, 2017 at 4:31:10 PM EDT

INCOMPETENT and ILLEGAL!
https://www.vox.com/policy-and-politics/2017/7/14/15973464/white-house-election-integrity-doxx The White House just responded to concerns it would release voters' sensitive personal information by releasing a bunch of voters' sensitive personal information. Last month, the White House's "election integrity" commission sent out requests to every state asking for all voters' names, party IDs, addresses, and even the last four digits of their Social Security numbers, among other information. The White House then said this information would be made available to the public. A lot of people did not like the idea, fearing that their personal information could be made public. So some sent emails to the White House, demanding that it rescind the request. This week, the White House decided to make those emails from concerned citizens public through the commission's new website. But the administration made a big mistake: It didn't censor any of the personal information—such as names, email addresses, actual addresses, and phone numbers—included in those emails. In effect, the White House just released the sensitive personal information of a lot of concerned citizens giving feedback to their government. That's made even worse by the fact that the White House did this when the thing citizens were complaining about was the possibility that their private information would be made public. As of Friday afternoon, the emails are still uncensored and available on the White House's website. They include all sorts of feedback, from concerns about privacy to outright insults of the Trump administration. One email just links to an image of the terrifying pornographic meme Goatse. (Do not Google this if you value your eyes.) 

Beware of a new scam involving “relatives” and gift cards (CBS)

Monty Solomon <[email protected]>

Fri, 7 Jul 2017 09:04:03 -0400

In a new twist on an old phone scam, criminals are preying on family ties by
asking people to buy gift cards to help relatives they falsely claim are in
trouble. http://www.cbsnews.com/news/beware-of-a-new-scam-involving-relatives-and-gift-cards/ 

Computerization and overnight train service

Mark Brader

Sun, 9 Jul 2017 00:11:51 -0400 (EDT)

Once upon a time, if you were operating a train service and you decided
to extend its operating hours to run all night, your only concerns would
be finding the staff to operate it, and what to do about maintenance that
formerly occurred during the nightly downtime. Last year the London Underground began two nights per week of all-night
operations on some lines, with continuous service from Friday morning
through Sunday evening. And according to Mark Curran in the June
issue of "Modern Railways" magazine: | The greatest single cost in implementing Night Tube has been
| modifications to the signalling systems, which were not designed
| to operate through the end/beginning of the traffic day at 03:00.
| The next day's timetables are uploaded around this time and the
| signalling and control systems undertake various test routines.
|
| The typical issues were self-tests bringing all trains to
| a halt... loss of train control data... loss of any customer
| information on the train or platform, and extended periods when
| trains would need to be manually signalled.
|
| ...The ticketing system on the Underground was also not designed to
| operate through the end/beginning of the ticketing day at 04:30...
| a customer touching in at 04:15 and out at 04:45 would be charged
| two incomplete single journeys... Of course the systems would not have been designed this way if overnight
service had already been contemplated when they were introduced. 

Why fact-checking ‘fake news’ stories is a waste of time (WeForum)

Lauren Weinstein <[email protected]>

Mon, 10 Jul 2017 16:41:35 -0700

via NNSquad
https://www.weforum.org/agenda/2017/07/why-fact-checking-fake-news-stories-is-a-waste-of-time A new study suggests that fact-checking has little influence on what online news media covers, and fact-checks of false news stories spreading online--"fake news"--may use up resources newsrooms could better use covering substantive stories. Don't bother fact checking them. When they're clearly false by reasonable
objective measures, delete them—or alternatively, de-rank them into
oblivion in search results and post surfacing algorithms. 

Web gets built-in copy protection hooks with a few key flaws

Lauren Weinstein <[email protected]>

Sat, 8 Jul 2017 11:10:45 -0700

via NNSquad
https://www.engadget.com/2017/07/08/w3c-approves-built-in-web-copy-protection-hook/ Like it or not, the web is getting some built-in padlocks. The World Wide Web Consortium has decided to publish Encrypted Media Extensions, a standard for hooking copy protection into web-based streaming video, without making significant changes to a version agreed to in March. While it's not perfect, the W3C argues (you still need to deal with a vendor's content decryption module), it's purportedly better than the make-it-yourself approach media providers have to deal with right now. There do appear to be some improvements to the status quo for digital rights management. However, there are more than a few detractors—there are concerns that the W3C simply ignored concerns in the name of expediency. This really has become necessary. 

“Charging Phone Kills 14-Year-Old Girl in Bathtub” (Harriet Sinclair)

Gene Wirchenko <[email protected]>

Wed, 12 Jul 2017 19:38:55 -0700

[There is something to be said for understanding the basics of technology. GW] Harriet Sinclair, *Newsweek*, 11 Jul 2017
http://www.newsweek.com/teenager-madison-coe-killed-after-using-cell-phone-bath-635208 opening text: A teenager has been killed after using her cell phone in the bath and
suffering an electric shock. Madison Coe, 14, died at her father's home in
Lovington, New Mexico, on Sunday in an accident her family said took place
when she either plugged in her phone or reached for a phone that was already
plugged into the wall while she was in the bath. 

Funny how these articles are all the same…

Gabe Goldberg <[email protected]>

Thu, 13 Jul 2017 17:34:05 -0400

https://www.linkedin.com/pulse/realizing-potential-blockchain-don-tapscott ...repeating "It's wonderful" with no details how it works. An
encryption-savvy colleague has said this quickly gets into the weeds—but
how about clues on how (for example (quoting): Realizing the Potential of Blockchain Innovators are programming this new digital ledger to record anything of
value to humankind – birth and death certificates, marriage licenses, deeds
and titles of ownership, rights to intellectual property, educational
degrees, financial accounts, medical history, insurance claims, citizenship
and voting privileges, location of portable assets, provenance of food and
diamonds, job recommendations and performance ratings, charitable donations
tied to specific outcomes, employment contracts, managerial decision rights
and anything else that we can express in code. --- It's always proof by assertion with NO insight how these wildly different
functions will be implemented. And regarding this idea—give me a break,
put everyone's IoT online for sharing? What could go wrong with THAT? The
emperor may actually have a fine wardrobe but I'm awaiting the fashion show. Paul Brody, principal and global innovation leader of blockchain technology
at Ernst & Young, thinks that all our appliances should donate their
processing power to the upkeep of a blockchain: “Thanks to the smartphone
business driving very low-cost systems, your lawnmower or dishwasher is
going to come with a CPU that is probably a thousand times more powerful
than it actually needs, so why not have the appliance mine? Not to make
money, but to contribute to the security and viability of the blockchain as
a whole,†he said. 

Woman’s selfie causes $200,000 of damage to LA art exhibit (Pamela Ng)

Jim Reisert AD1C <[email protected]>

Fri, 14 Jul 2017 12:14:21 -0600

Pamela Ng, Fox News, 14 Jul 2017 http://www.foxnews.com/tech/2017/07/14/womans-selfie-causes-200000-damage-to-la-art-exhibit.html A woman taking a selfie at a Los Angeles art exhibit sent shockwaves around the room after knocking over several displays, causing $200,000 in damage. The unidentified woman was at The 14th Factory for the "Hypercaine" installation when she appeared to crouch down in front of one of the displays for a photo and fall backwards, video of the incident shows. 

FDA Deal Would Relax Rules on Reporting Medical Device Problems

Monty Solomon <[email protected]>

Thu, 13 Jul 2017 23:14:05 -0400

The makers of cardiac defibrillators, insulin pumps, breast implants and
other devices will be able to delay the reporting of malfunctions under an
agreement headed to Congress. https://www.nytimes.com/2017/07/11/health/fda-medical-device-problems-rules.html 

Judges refuse to order fix for court software that put people in jail by mistake (Ars Technica)

Monty Solomon <[email protected]>

Wed, 28 Jun 2017 23:42:34 -0400

https://arstechnica.com/tech-policy/2017/06/appeals-court-public-defender-lacks-standing-in-dispute-over-court-software/ 

Cloud Leak: How A Verizon Partner Exposed Millions of Customer Accounts (UpGuard)

Monty Solomon <[email protected]>

Fri, 14 Jul 2017 09:49:54 -0400

https://www.upguard.com/breaches/verizon-cloud-leak 

Backdoor built in to widely used tax app seeded last week’s NotPetya outbreak

Monty Solomon <[email protected]>

Mon, 10 Jul 2017 08:39:12 -0400

Operation that hit thousands was “thoroughly well-planned and well-executed.â€
https://arstechnica.com/security/2017/07/heavily-armed-police-raid-company-that-seeded-last-weeks-notpetya-outbreak/ 

Hackers have been stealing credit card numbers from Trump’s hotels for months

Monty Solomon <[email protected]>

Wed, 12 Jul 2017 21:53:50 -0400

This is the third cybersecurity breach to hit the luxury hotel chain since 2014.
https://www.washingtonpost.com/news/business/wp/2017/07/11/hackers-have-been-stealing-credit-card-numbers-from-trumps-hotels-for-months/ 

Everybody lies: how Google search reveals our darkest secrets (The Guardian)

Monty Solomon <[email protected]>

Sun, 9 Jul 2017 09:53:26 -0400

https://www.theguardian.com/technology/2017/jul/09/everybody-lies-how-google-reveals-darkest-secrets-seth-stephens-davidowitz 

Re: Volvo admits its self-driving cars are confused by kangaroos (The Guardian)

Dave Horsfall <[email protected]>

Wed, 12 Jul 2017 10:06:48 +1000 (EST)

A colleague told me that the vehicle determines the distance to the object
by the apparent height above ground from the camera's point of view, thus a
mid-air roo appears to be further away than it really is. And when it
lands... Dave Horsfall, Unit 13, 79 Glennie St, North Gosford NSW 2250, Australia 

Re: Western tech firms bow to Russian demands to share cybersecrets (Ward, RISKS-30.35)

Anthony Youngman <[email protected]>

Fri, 7 Jul 2017 20:15:43 +0100

Unfortunately, formal methods also lead you to the proof that your formal
proof is worthless ... to many people believe (Godel's proof to the contrary
notwithstanding) that it is possible to guarantee that systems are bug-free. A formal proof is mathematics. It is only as good as its axioms (which by
definition are unprovable). And, as we keep on discovering, all too often
reality has a habit of saying "you've got the wrong axioms". To say nothing
of Godel's proof that you can NOT get all your axioms right even within the
world of logic, let alone align them correctly with reality. Then of course, there is the little problem that any program of any size
will likely exhibit knapsack complexity, ie an automated proof would take
longer than the universe has existed. That's not to decry formal proofs, or even the attempt thereat. They are a
very useful tool, but you need to remember that they *guarantee* *nothing*
in reality. [Reality guarantees nothing in reality either. It's the total system that counts, including squirrels, cosmic rays, and whatever might bite you. PGN] 

Press kits or other publications on thumb drives? [RE:????]

Gabe Goldberg <[email protected]>

Thu, 13 Jul 2017 17:41:24 -0400

Interesting comments on material distributed that way: (E.g., "Blue Cross wants you to insert this USB card into your computer. You'd be safer inserting it into your you-know-what.) https://plus.google.com/+LaurenWeinstein/posts/4TS3iRwjXuo ...of course, how do you check out shrink-wrapped commercial thumb drives
products without potentially compromising your systems? 

Please report problems with the web pages to the maintainer

Top

http://catless.ncl.ac.uk/Risks/30/37#subj1

Tagged