Risks Digest 33.22

RISKS List Owner

May 19, 2022, 7:16:28 PM
to ri...@csl.sri.com
RISKS-LIST: Risks-Forum Digest Thursday 19 May 2022 Volume 33 : Issue 22

Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can also be found at

Researchers Find Potential Way to Run Malware on iPhone Even When it's OFF
(The Hacker News)
PDF election ballots (Andrew Appel)
New Bluetooth Hack Could Let Attackers Remotely Unlock Smart Locks and Cars
(The Hacker News)
When Your Smart ID Card Reader Comes With Malware (KrebsOnSecurity)
Sadly, this food delivery robot got caught on the tracks while trying to
cross (Twitter)
Two-Card Monte: Why Mastercard And Visa Rarely Shut Down Scammers Who Are
Ripping Off Consumers (Buzzfeed News)
Crypto meltdown highlights need for urgent regulatory intervention
(Dave Farber)
Eavesdroppers Can Hack 6G Frequency with DIY Metasurface (Jade Boyd)
China's Internet Censors Try a New Trick: Revealing Users' Locations?
Exposure through identity verification? (Geoff Kuenning)
463 people's COVID benefits accidentally sent to one of them (Mark Brader)
Zero-trust security: Assume everyone on the Internet is out to get you --
and already has (techxplore)
DOJ says it will no longer prosecute good-faith hackers under CFAA
Selfies Further Endanger Rare Phallic Plant, Conservationists Fear
(Richard C. Paddock)
Artificial Intelligence (Colbert/Gervais via Lauren Weinstein)
Re: Companies envision taxis flying above jammed traffic (Martin Ward,
John Levine, Barry Gold)
Re: Finding it hard to get a new job? Robot recruiters might be to blame
(Amos Shapir)
Abridged info on RISKS (comp.risks)


Date: Tue, 17 May 2022 18:00:14 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Researchers Find Potential Way to Run Malware on iPhone Even When
it's OFF (The Hacker News)

A first-of-its-kind security analysis of iOS Find My function has identified
a novel attack surface that makes it possible to tamper with the firmware
and load malware onto a Bluetooth chip that's executed while an iPhone is

The mechanism takes advantage of the fact that wireless chips related to
Bluetooth, Near-field communication (NFC
<https://en.wikipedia.org/wiki/Near-field_communication>), and
ultra-wideband (UWB <https://en.wikipedia.org/wiki/Ultra-wideband>) continue
to operate while iOS is shut down when entering a "power reserve" Low Power
Mode (LPM).

While this is done so as to enable features like Find My
and facilitate Express Card transactions
<https://support.apple.com/en-us/guide/security/sec90cd29d1f/web>, all
three wireless chips have direct access to the secure element, academics
from the Secure Mobile Networking Lab (SEEMOO
<https://www.seemoo.tu-darmstadt.de/>) at the Technical University of
Darmstadt said <https://arxiv.org/pdf/2205.06114.pdf> in a paper entitled
"Evil Never Sleeps."

"The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in
the NFC chip, storing secrets that should be available in LPM," the
researchers said.

"Since LPM support is implemented in hardware, it cannot be removed by
changing software components. As a result, on modern iPhones, wireless
chips can no longer be trusted to be turned off after shutdown. This poses
a new threat model."

The findings are set to be *presented*
<https://wisec2022.cs.utsa.edu/accepted-papers/> at the ACM Conference on
Security and Privacy in Wireless and Mobile Networks (WiSec 2022) this
week. [...]



Date: Thu, 19 May 2022 13:48:37 PDT
From: Peter Neumann <neu...@csl.sri.com>
Subject: PDF election ballots

Andrew Appel:

A PDF File Is Not Paper, So PDF Ballots Cannot Be Verified


[PDF is an executable language. Ballots can also be altered -- or indeed
executed, as seems to happen to certain disfavored candidates in certain
countries. PGN]


Date: Thu, 19 May 2022 10:08:46 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: New Bluetooth Hack Could Let Attackers Remotely Unlock Smart
Locks and Cars (The Hacker News)

A novel Bluetooth relay attack can let cybercriminals more easily than ever
remotely unlock and operate cars, break open residential smart locks, and
breach secure areas.

"An attacker can falsely indicate the proximity of Bluetooth LE (BLE)
devices to one another through the use of a relay attack," UK-based
cybersecurity company NCC Group said. "This may enable unauthorized access
to devices in BLE-based proximity authentication systems."

Relay attacks <https://en.wikipedia.org/wiki/Relay_attack>, also called
two-thief attacks, are a variation of person-in-the-middle attacks in which
an adversary intercepts communication between two parties, one of whom is
also an attacker, and then relays it to the target device without any

While various mitigations have been implemented to prevent relay attacks,
including imposing response time limits during data exchange between any
two devices communicating over BLE and triangulation-based localization
techniques, the new relay attack can bypass these measures. [...]


[Tom Van Vleck noted:
New Bluetooth hack can unlock your Tesla -- and all kinds of other devices
The comments are really funny.]


Date: Tue, 17 May 2022 17:14:53 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: When Your Smart ID Card Reader Comes With Malware (KrebsOnSecurity)

Millions of U.S. government employees and contractors have been issued a
secure smart ID card that enables physical access to buildings and
controlled spaces, and provides access to government computer networks and
systems at the cardholder's appropriate security level. But many government
employees aren't issued an approved card reader device that lets them use
these cards at home or remotely, and so turn to low-cost readers they find
online. What could go wrong? Here's one example. [...]



Date: Wed, 18 May 2022 11:16:05 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Sadly, this food delivery robot got caught on the tracks while
trying to cross (Twitter)


[Gee whiz. Two different food-delivery robots in successive issues. This
one should be in a Train "sears robot catalog", because it caught fire.
(Funny only if you are my age, perhaps.) PGN]


Date: Wed, 18 May 2022 16:08:50 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Two-Card Monte: Why Mastercard And Visa Rarely Shut Down Scammers
Who Are Ripping Off Consumers (Buzzfeed News)

The global credit-card rivals maintain a strikingly permissive relationship
with companies that have been accused of fraud. For one of Mastercard's top
executives, that relationship went even further. A BuzzFeed News



Date: Fri, 20 May 2022 06:32:12 +0900
From: Dave Farber <far...@keio.jp>
Subject: Crypto meltdown highlights need for urgent regulatory intervention

From an OPED in Nikkei Asia 5/20 by David Farber and Dan Gillmor

You have to feel a twinge of sympathy for the people who "invested" their
savings in cryptocurrencies during the past few months and who subsequently
lost most or all of their money when the cryptocurrency marketplace
collapsed during the past several weeks.

The word "invested" is in quotes for a reason. This bubble was a classic in
the genre, and the people who are collectively losing the most money are
low-information gamblers, not investors, just as they are when every
economic bubble deflates.

And they were warned. Anyone paying the slightest attention had to have
heard the ever-more-strident cautions, including ours, that cryptocurrencies
were not what they seemed and that this "marketplace" was in large part a
mirage. And, as we said in the article, ``Cryptocurrencies remain a gamble
best avoided,'' published online on Feb. 5, a rigged game.


Date: Wed, 18 May 2022 12:28:57 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Eavesdroppers Can Hack 6G Frequency with DIY Metasurface
(Jade Boyd)

Jade Boyd, Rice University News, 16 May 2022, via ACM TechNews, 18 May 2022

Hackers can use common tools to construct a metasurface that allows them to
listen in on 6G wireless transmissions. Researchers at Rice and Brown
universities demonstrated that attackers could employ a sheet of office
paper covered with two-dimensional foil symbols to reroute part of a
150-gigahertz "pencil beam" signal between two users, calling it a
Metasurface-in-the-Middle exploit. In such a situation, the eavesdropper
designs a metasurface to diffract part of a signal to their location; Rice's
Zhambyl Shaikhanov said they then laser-print the metasurface by feeding
metal foil through a laminator. Brown's Daniel Mittleman said the
hot-stamping technique was developed to simplify metasurface manufacturing
for quick, affordable testing. Warns Rice's Edward Knightly,
"Next-generation wireless will use high frequencies and pencil beams to
support wide-band applications like virtual reality and autonomous



Date: Wed, 18 May 2022 07:12:17 -0400
From: Jan Wolitzky <jan.wo...@gmail.com>
Subject: China's Internet Censors Try a New Trick: Revealing Users'
Locations? (NYTimes)

For years China's censors have relied on a trusted tool kit to control the
country's Internet. They have deleted posts, suspended accounts, blocked
keywords, and arrested the most outspoken.

Now they are trying a new trick: displaying social media users' locations
beneath posts.

Authorities say the location tags, which are displayed automatically, will
help unearth overseas disinformation campaigns intended to destabilize
China. In practice, they have offered new fuel for pitched online battles
that increasingly link Chinese citizens' locations with their national
loyalty. Chinese people posting from overseas, and even from provinces
deemed insufficiently patriotic, are now easily targeted by nationalist
influencers, whose fans harass them or report their accounts.

The tags, based on a user's Internet Protocol, or I.P., address that can
reveal where a person is located, were first applied to posts that mentioned
the Russian invasion of Ukraine, a topic authorities said was being
manipulated with foreign propaganda. Now they are being expanded to most
social media content, further chilling speech on a Chinese Internet
dominated by censorship and isolated from the world.

The move marks a new step in a decade-long push by Chinese officials to end
anonymity online and exert a more perfect control over China's digital town



Date: Mon, 16 May 2022 19:55:30 -0700
From: Geoff Kuenning <ge...@cs.hmc.edu>
Subject: Exposure through identity verification?

I got a data-breach notice today from Assurance IQ, LLC and some of its
affiliated companies. (I'm dang sure they wouldn't have told me if they
weren't forced to by law.) Of course they said that "keeping personal data
safe and secure is very important" to them.

I guess that's why they didn't notice for 16 months that someone was
repeatedly using their site to extract personal data. Based on their
description, it sounds like if you filled out a life insurance application
with someone's "name, address, and other information", they then "retrieved
a driver's license number that was then displayed...in the online
application." Yup, either they helpfully auto-filled that number (if they
knew it, why did they need it filled in?) or, more likely, displayed it as a
method of identity verification. "Please click here if you are the person
with DL number 1234567."

Did nobody review this design?

[I suspect nobody who knew anything did. PGN]
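As an added illustration of the design flaw described in this item (this is not code from Assurance IQ or from the poster), the leaky pattern, a form that echoes a stored driver's license number back once name and address match, is shown next to a hardened version in which the number never leaves the server. The record store, names, license numbers and IP addresses are constructed placeholders.

```python
import hmac
from collections import defaultdict

# Constructed sample records: not real people; the license numbers are placeholders.
RECORDS = {
    ("Jane Example", "1 Sample St"): {"dl_number": "D1234567"},
    ("John Example", "2 Sample Ave"): {"dl_number": "D7654321"},
}


def verify_identity_leaky(name, address):
    """The design the post describes: a name and address that match a record
    make the server send the stored driver's license number back to the
    browser (as a prefill or an 'is this you?' prompt), so the form acts as a
    lookup oracle for anyone who knows a name and address."""
    rec = RECORDS.get((name, address))
    if rec is None:
        return None
    return {"prefill": {"dl_number": rec["dl_number"]}}  # the secret leaves the server


class VerifierHardened:
    """The stored number never leaves the server: the applicant supplies it,
    the server answers only match / no match, each identity gets a small
    attempt budget, and every decision is written to an audit log."""

    MAX_ATTEMPTS = 3

    def __init__(self):
        self.attempts = defaultdict(int)
        self.audit_log = []

    def verify_identity(self, name, address, claimed_dl_number, client_ip):
        key = (name, address)
        if self.attempts[key] >= self.MAX_ATTEMPTS:
            self.audit_log.append(f"LOCKED name={name!r} ip={client_ip}")
            return False
        self.attempts[key] += 1
        rec = RECORDS.get(key)
        # Always run the comparison, against a dummy value when there is no
        # record, so response timing does not reveal whether the pair is on file.
        stored = rec["dl_number"] if rec else "#" * len(claimed_dl_number)
        match = hmac.compare_digest(stored.encode(), claimed_dl_number.encode())
        ok = rec is not None and match
        self.audit_log.append(f"{'OK' if ok else 'FAIL'} name={name!r} ip={client_ip}")
        return ok
```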


Date: Tue, 17 May 2022 09:49:17 -0400 (EDT)
From: Mark Brader <m...@Vex.Net>
Subject: 463 people's COVID benefits accidentally sent to one of them



Date: Thu, 19 May 2022 09:47:40 +0800
From: Richard Stein <rms...@ieee.org>
Subject: Zero-trust security: Assume everyone on the Internet is out to get
you -- and already has (techxplore)


"Using the public health analogy, a zero-trust approach to cybersecurity
assumes that an infection is only a cough -- or, in this case, a click --
away, and focuses on building an immune system capable of dealing with
whatever novel virus may come along. Put another way, instead of defending a
castle, this model assumes that the invaders are already inside the walls."

"Zero Trust Architecture," from
https://csrc.nist.gov/publications/detail/sp/800-207/final (retrieved on
19MAY2022) documents a framework for infrastructure, processes, and policies
to establish a Zero Trust ecosystem.

A significant shift from the static, network-based Internet perimeter we
enjoy today, where trust -- too much trust -- enables convenient and
anonymous access easing navigation through infrastructure, Zero Trust
imposes constant credential authentication challenges for users, assets and
resources based on a centralized policy enforcement mechanism.

Policy enforcement subjects a user's identity to verification checks for
each new resource access request, and access is subject to mediation (via
privilege and allocation masks), logging, and analysis.

The US government now requires disclosure of industry cyber incidents. For
businesses deemed "critical infrastructure," regulation will likely be
necessary to compel Zero Trust adoption. The days of voluntary business
cyber compliance are history.

Commercial enterprises will object to the transition cost. Ransomware and
business e-mail compromise payoffs are illegal -- but weakly enforced, and
indictments of impacted business organizations have not materialized so
far. See "Ransomware Payments and the Law," from
https://www.lawfareblog.com/ransomware-payments-and-law (retrieved on
19MAY2022) for background. Incidents are inconvenient and embarrassing, a
mere business expense passed onto the customer as cyber-insurance premium
prices inflate.

An overview of Zero Trust architecture and prototype of how it operates can
be found in the video https://youtu.be/6I6bnNdZ5XU via "Zero-trust
architecture may hold the answer to cybersecurity insider threats"

["Get got" is a prerequisite for becoming "got got."]

[As I must have noted here already, ZERO-TRUST is a horrible term. There
is always something that has to be trusted, whether you like it or not.
"Minimal-trust" might make some sense, except today everything is a
potential weak link, and NOTHING is trustworthy. Applying it to bacterial
and viral infections is similarly stupid. PGN]
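As an added example, not code from NIST SP 800-207 or from the article Stein cites, the following Python sketch shows the per-request policy enforcement the item describes: every request carries a short-lived HMAC-signed identity assertion that is re-verified, access is mediated against a privilege mask and an allocation mask, and each decision is logged. The token format, the bit assignments and the policy table are assumed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Privilege mask bits (what a subject may do) and allocation mask bits (which
# resources a subject has been allotted). The bit assignments are constructed.
READ, WRITE, ADMIN = 1, 2, 4
RESOURCES = {"payroll-db": 1, "hr-files": 2, "build-server": 4}

# Constructed central policy: per subject, a privilege mask and an allocation mask.
POLICY = {
    "alice": {"priv": READ | WRITE, "alloc": RESOURCES["hr-files"]},
    "bob": {"priv": READ, "alloc": RESOURCES["payroll-db"] | RESOURCES["hr-files"]},
}


class PolicyEnforcementPoint:
    """Re-verifies the caller's identity assertion on every resource request,
    then mediates the request against the privilege and allocation masks and
    records the decision."""

    TOKEN_TTL = 300  # seconds: short-lived, so trust is never carried for long

    def __init__(self, signing_key: bytes, clock=time.time):
        self.key = signing_key
        self.clock = clock
        self.decision_log = []

    def issue_token(self, subject: str) -> str:
        body = json.dumps({"sub": subject, "exp": int(self.clock()) + self.TOKEN_TTL}).encode()
        sig = hmac.new(self.key, body, hashlib.sha256).digest()
        return b".".join(base64.urlsafe_b64encode(p) for p in (body, sig)).decode()

    def _verify(self, token: str):
        """Returns the subject if signature and expiry check out, else None."""
        try:
            body_b64, sig_b64 = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
        except ValueError:  # malformed token (binascii.Error is a ValueError)
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(body)
        return claims["sub"] if claims["exp"] > self.clock() else None

    def authorize(self, token: str, resource: str, needed_priv: int) -> bool:
        subject = self._verify(token)  # no cached session: each request re-proves identity
        rule = POLICY.get(subject) if subject else None
        res_bit = RESOURCES.get(resource, 0)
        allowed = bool(
            rule
            and res_bit
            and rule["alloc"] & res_bit == res_bit
            and rule["priv"] & needed_priv == needed_priv
        )
        self.decision_log.append(
            {"sub": subject, "resource": resource, "need": needed_priv, "allowed": allowed}
        )
        return allowed
```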


Date: Thu, 19 May 2022 09:37:55 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: DOJ says it will no longer prosecute good-faith hackers under CFAA



Date: Thu, 19 May 2022 08:36:31 -0600
From: Jim Reisert AD1C <jjre...@alum.mit.edu>
Subject: Selfies Further Endanger Rare Phallic Plant, Conservationists Fear (NYT)
(Richard C. Paddock)

18 May 2022

The three women shrieked and giggled as they plucked the tubular pitchers
from rare carnivorous plants in the mountains of Cambodia. The phallic
shape of the pitchers reminded them of something, they joked as a friend
filmed the scene with a phone.

The women broke off some of the distinctive appendages, which the plants
use to trap insects. Holding them suggestively for the camera, they
compared the pitchers' sizes to the physique of different men from various
parts of Cambodia. "I want all of them," says the woman in blue,
displaying four plucked pitchers for the camera.

The widely viewed video prompted Cambodia's ministry of environment to
warn the public last week not to pick the pitchers of the plant, which is
an endangered species and protected by law. Conservationists are concerned
that the growing popularity of smartphones and selfies could increase
pressure on the rare plants.



Date: Thu, 19 May 2022 08:47:14 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Artificial Intelligence

* Stephen Colbert: "Are you afraid of artificial intelligence taking over?"

* Ricky Gervais: "I'd love for any intelligence to take over."


Date: Tue, 17 May 2022 14:00:48 +0100
From: Martin Ward <mar...@gkc.org.uk>
Subject: Re: Companies envision taxis flying above jammed traffic
(Bacher, RISKS-33.21)

You are not thinking three-dimensionally.

Consider the famous "spaghetti junction"
(https://en.wikipedia.org/wiki/Gravelly_Hill_Interchange) where 18 different
roads intersect in a free-flowing junction over five different levels.
Flying cars can operate on an arbitrarily large number of different levels,
so you can indeed "just breeze through the sky".


Date: 16 May 2022 21:15:36 -0400
From: "John Levine" <jo...@iecc.com>
Subject: Re: Companies envision taxis flying above jammed traffic
(Bacher, RISKS-33.20)

>Hasn't anyone considered that once flying cars/taxis are practical and
>popularized, the traffic jams will simply migrate from the roads to the

Maybe, maybe not. Cars have to stay on the road, but in principle flying
vehicles can go point to point so long as they are able to avoid running
into each other (admittedly a significant "if".) Also, flying vehicles can
fly at different altitudes. Commercial planes fly at specified altitudes,
1000 vertical feet apart, with alternating levels for alternating

I have my doubts whether flying cars will ever be a mass market item, as
opposed to a toy for rich people and a niche item for people who have some
business reason that the time savings are worth it. We've had small planes
for over a century and the cost to own and run a plane is still a lot more
than for a car.


Date: Thu, 19 May 2022 10:15:54 -0700
From: Barry Gold <Barry...@ca.rr.com>
Subject: Re: Companies envision taxis flying above jammed traffic

Except that there's a lot more room in the air. Freeways are limited to
whatever land we can afford to buy for the purpose. Airways can use a huge
amount of space, and can use it on multiple levels. Even if you restricted
air traffic to the space above existing roadways (on the basis that
landowners also own the airspace above their land, at least up to wherever
the commercial airlanes start), you could stack traffic 2, 3, 5, 10, 20
levels high, where existing roadways are limited to 1 or at most 2 levels.

[You seem to be completely ignoring the TCAS issues relating to changing
altitudes. PGN]


Date: Tue, 17 May 2022 12:32:45 +0300
From: Amos Shapir <amo...@gmail.com>
Subject: Re: Finding it hard to get a new job? Robot recruiters might be
to blame (RISKS-33.21)

The problem seems to be that such tools are deployed before testing if they
are actually adequate for the job. It seems as if the rules are defined by
programmers, and if there are people who participate in the process on
behalf of the hiring company, they are of HR and not of the hiring
departments. The result may give rise to Artificial Stupidity.

Testing such a tool should involve running it in parallel with screening
candidates by human managers, for a significant time period (I think at
least a year); and then comparing the results to catch any misfeatures or
biases in the design.


Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 33.22
