
Risks Digest 33.03


RISKS List Owner

Jan 22, 2022, 8:12:21 PM
to ri...@csl.sri.com
RISKS-LIST: Risks-Forum Digest Saturday 22 January 2022 Volume 33 : Issue 03

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.03>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Microsoft Warns of Destructive Cyberattack on Ukrainian Computer Networks
(NYTimes)
The Rise of AI Fighter Pilots (Sue Halpern)
AI Hiring Bias Spurs Scrutiny, Regulations (Bloomberg)
More Than Half of Medical Devices Have Critical Vulnerabilities (ZDNet)
European Parliament uses Google Analytics, which is illegal in the EU
(Handelsblatt)
Hotel chain switches to Chrome OS to recover from ransomware attack
(The Record)
My 2020 app (Rob Slade with URL from Lauren Weinstein)
Google Voice Authentication Scam Leaves Victims on the Hook (Threatpost)
Spam, spam, spam, spam ... (Rob Slade)
FAA/FCC food fight (John Levine)
U.S. airline officials warn of crisis in aviation with new 5G service
(paul cornish)
FAA sets rules for some Boeing 787 landings near 5G service (techxplore)
Palomar survey instrument analyzes impact of Starlink satellites (phys.org)
Robot vacuum cleaner escapes from Cambridge Travelodge (bbc.com)
Cross-country Exposure: Analysis of the MY2022 Olympics app (Citizen Lab)
Project Torogoz: Extensive Hacking of Media & Civil Society in El Salvador
with Pegasus Spyware (Jan Wolitzky)
Re: Alexa tells 10-year-old girl to touch live plug with penny (Frank Sudia)
Re: Automakers Rev Up Subscription Services (Martin Ward)
Re: Fake QR Codes on Parking Meters (Jerry Leichter)
Re: Metro says timing for return of suspended railcars is unknown
(Martin Ward, dave russo)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 16 Jan 2022 07:19:35 -0500
From: Jan Wolitzky <jan.wo...@gmail.com>
Subject: Microsoft Warns of Destructive Cyberattack on Ukrainian Computer
Networks (NYTimes)

The malware was revealed as Russian troops remain massed at the Ukrainian
border, and after Ukrainian government agencies had their websites defaced.

https://www.nytimes.com/2022/01/16/us/politics/microsoft-ukraine-cyberattack.html

https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/

------------------------------

Date: Mon, 17 Jan 2022 16:33:46 -0500
From: Jan Wolitzky <jan.wo...@gmail.com>
Subject: The Rise of AI Fighter Pilots (Sue Halpern)

Sue Halpern, *The New Yorker*, 17 Jan 2022

Artificial intelligence is being taught to fly warplanes. Can the
technology be trusted?

https://www.newyorker.com/magazine/2022/01/24/the-rise-of-ai-fighter-pilots

------------------------------

Date: Fri, 21 Jan 2022 14:44:33 PST
From: ACM TechNews <technew...@acm.org>
Subject: AI Hiring Bias Spurs Scrutiny, Regulations (Bloomberg)

Erin Mulvaney, *Bloomberg Law*, 29 Dec 2021, via ACM TechNews, 10 Jan 2022

Artificial intelligence (AI)-related hiring discrimination has prompted
regulatory action, with New York City banning employers from using automated
employment decision tools for screening job applicants in lieu of a bias
audit. Meanwhile, District of Columbia Attorney General Karl Racine has
announced proposed legislation to address algorithmic discrimination by
mandating annual corporate technology audits. The U.S. Equal Employment
Opportunity Commission's Charlotte Burrows said up to 83% of employers, and
as many as 90% of Fortune 500 companies, use automated tools to screen or
rank job candidates; she warned these technologies "could be used to mask or
even perpetuate existing discrimination and create new discriminatory
barriers to jobs." Civil rights groups like the Surveillance Technology
Oversight Project (STOP) worry that New York's measure could enable more AI
bias, and have proposed banning biased technology altogether.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2dbd4x23061ex072805&

------------------------------

Date: Fri, 21 Jan 2022 12:20:57 -0500 (EST)
From: ACM TechNews <technew...@acm.org>
Subject: More Than Half of Medical Devices Have Critical Vulnerabilities
(ZDNet)

Allison Murray, *ZDNet*, 20 Jan 2022, via ACM TechNews, 21 Jan 2022

Medical cybersecurity platform Cynerio's 2022 State of Healthcare IoT Device
Security Report estimates 53% of connected medical devices in hospitals have
critical flaws, including a third of bedside devices. Cynerio analyzed more
than 10 million medical devices at over 300 global hospitals and medical
facilities and found, among other things, that 73% of infusion pumps,
constituting 38% of hospital Internet of Things (IoT) inventory, possess
some type of vulnerability. Cynerio warns hacked medical devices would
affect hospital service availability, data confidentiality, and patient
safety. Said Cynerio's Daniel Brodie, "Hospitals and health systems don't
need more data--they need advanced solutions that mitigate risks and empower
them to fight back against cyberattacks, and as medical device security of
Technology (MIT) Computer Science and Artificial Intelligence Laboratory is
designed to codify quantum computing. Twist can characterize and verify
which pieces of data are entangled in a quantum algorithm, and applies the
concept of purity, which enforces the absence of quantum entanglement, to
produce intuitive programs with fewer flaws. MIT's Charles Yuan said,
"Because understanding quantum programs requires understanding entanglement,
we hope that Twist paves the way to languages that make the unique
challenges of quantum computing more accessible to programmers."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2dd2ex230a40x074115&

------------------------------

Date: Sun, 16 Jan 2022 17:29:03 +0100
From: Thomas Koenig <tko...@netcologne.de>
Subject: European Parliament uses Google Analytics, which is illegal in
the EU (Handelsblatt)

Data of European citizens may not be stored in the USA without further
considerations. This is stated in a ruling by the European Court of Justice
(ECJ) from the summer of 2020. However, many companies violate this
requirement on a daily basis, as does the European Parliament.

Parliament had installed cookies from Google Analytics and the payment
service provider Stripe on its website.

European Data Protection Supervisor Wojciech Wiewiorowski investigated the
cookies and has now concluded that they should not have been used. He
issued a cease-and-desist order.

https://www.handelsblatt.com/politik/international/dsgvo-europaparlament-missachtet-datenschutz-warnung-an-unternehmen/27964838.html

------------------------------

Date: Tue, 11 Jan 2022 17:21:52 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: Hotel chain switches to Chrome OS to recover from ransomware attack
(The Record)

https://therecord.media/hotel-chain-switches-to-chrome-os-to-recover-from-ransomware-attack/

------------------------------

Date: Thu, 20 Jan 2022 01:49:29 -0800
From: Rob Slade <rsl...@gmail.com>
Subject: My 2020 app

The 2020 Olympics are coming up. I have more reason than normal to ignore
them this year, but I noted a news story about the "My 2020" app, and its
security problems.

All athletes, coaches, officials, and the vanishingly small number of
"guests" that are allowed at this year's Olympics, are to use the "My 2020"
app, which is provided by China. It seems to provide information and
schedules, but it also collects detailed information about all attendees,
including CoVID test status (on a very regular basis). The thing is, it's
insecure.

As most such apps do, it connects to a central server to collect and dump
data. Most apps do a bit of verification of that server. My 2020 does
not. So, of course, it would be relatively trivial to set up a fake
server, collect all kinds of data and personal information (for example,
loads of names, birthdates, and passport numbers, as well as the
aforementioned CoVID results), and give out misinformation or
Disinformation about schedules, events, locations, and generally mess with
the games.

I think I'll have a heart attack and die from *NOT* being surprised that
the Chinese government failed to take this simple security precaution.

You have to understand that there is a difference in mindset. Here in "the
West" (being from BC, I tend to think of myself as being from the far, far
east), the computer security field started with an interest in
confidentiality. It was only later that we, in information security,
expanded our interest to include integrity and availability. But the
Chinese government has never been interested in confidentiality and privacy.
(At least, not for their citizens.) The Chinese government always wants to
know everything there is to know about anyone in China. (Or anyone outside
of China, for that matter.) Privacy is a non-issue. (To the government.)
This is why encryption is almost unheard of in China. Even most government
and military personnel and officials (with the exception of a very, very
few) do not have their communications protected by encryption. (Other
governments therefore find it trivially easy to snoop on the bulk of
military and government communications traffic in China.)

So, since the government of China is primarily interested in availability
(of the opportunity to snoop on visitors), the lack of server authentication
is unsurprising. It may not have occurred to anyone that it might be a
problem. It may even be a design feature, from the Chinese perspective,
rather than a flaw. After all, if anyone can set up a fake server, collect
information, and provide disinformation, so can the Chinese government.
With impunity and total deniability.

[Lauren Weinstein suggests visiting this item:
China's Olympic app contains 'simple but devastating' flaw (CTVnews)
https://www.ctvnews.ca/sci-tech/china-s-olympic-app-contains-simple-but-devastating-flaw-1.5744221
PGN]
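
The missing server verification Rob Slade describes is usually a one-line defect in client code. As an added illustration (editor-supplied code, not from the digest, the MY2022 app or Citizen Lab), here is a small audit script that flags the common idioms by which client code switches off certificate or hostname checks, run over constructed snippets; the pattern list and the sample sources are assumptions for illustration, not the app's code.

```python
"""Audit helper: flag source code that disables TLS server verification.

Added example, not code from the digest, the MY2022 app or Citizen Lab.
The pattern list is a constructed, non-exhaustive set of idioms that make
a client accept any server; the snippets below are constructed samples.
"""
import re
from typing import List, Tuple

# (compiled regex, ecosystem, what the idiom switches off). re.S lets the
# empty-trust-manager pattern span lines, as it does in real Java source.
PATTERNS = [
    (re.compile(r"verify\s*=\s*False"), "python-requests", "certificate verification"),
    (re.compile(r"check_hostname\s*=\s*False"), "python-ssl", "hostname check"),
    (re.compile(r"\bCERT_NONE\b"), "python-ssl", "certificate verification"),
    (re.compile(r"_create_unverified_context"), "python-ssl", "certificate verification"),
    (re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}", re.S),
     "java/android", "chain validation (empty trust manager)"),
    (re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"), "java/android", "hostname check"),
    (re.compile(r"hostnameVerifier\s*\([^;]*?->\s*true", re.S), "okhttp", "hostname check"),
    (re.compile(r"NSAllowsArbitraryLoads</key>\s*<true\s*/>", re.S), "ios-plist",
     "App Transport Security"),
]

Finding = Tuple[int, str, str]  # (line number, ecosystem, what is disabled)


def scan_source(text: str) -> List[Finding]:
    """Return one finding per match, sorted by line number."""
    findings = []
    for rx, ecosystem, what in PATTERNS:
        for m in rx.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, ecosystem, what))
    return sorted(findings)


# Constructed sample: the shape of the flaw described above (no server check).
INSECURE_PY = """import requests
def upload(report):
    # any host that answers with some certificate is accepted
    return requests.post("https://example.invalid/report", json=report, verify=False)
"""

# Constructed sample: hardened form. The default context verifies the chain
# against the platform trust store and checks that the name matches.
SECURE_PY = """import json, socket, ssl
def upload(report, host="example.invalid"):
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(json.dumps(report).encode())
"""

# Constructed sample: the same defect as it commonly appears on Android.
INSECURE_JAVA = """TrustManager[] trustAll = { new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] c, String a) {}
    public void checkServerTrusted(X509Certificate[] c, String a) {
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}};
client = new OkHttpClient.Builder().hostnameVerifier((h, s) -> true).build();
"""

if __name__ == "__main__":
    for name, src in [("insecure.py", INSECURE_PY), ("secure.py", SECURE_PY),
                      ("Insecure.java", INSECURE_JAVA)]:
        for line, eco, what in scan_source(src):
            print(f"{name}:{line}: [{eco}] disables {what}")
```

A clean result from such a scan is necessary but not sufficient: the hardened form still depends on the platform trust store being intact on the device.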

------------------------------

Date: Thu, 20 Jan 2022 16:54:07 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Google Voice Authentication Scam Leaves Victims on the Hook
(Threatpost)

The FBI is seeing so much activity around malicious Google Voice activity,
where victims are associated with fraudulent virtual phone numbers, that it
sent out an alert this week.

https://threatpost.com/google-voice-authentication-scam/177421/

------------------------------

Date: Tue, 18 Jan 2022 11:23:44 -0800
From: Rob Slade <rsl...@gmail.com>
Subject: Spam, spam, spam, spam ....

Anybody else getting lots of Media Message Service messages, ostensibly from
twelve digit phone numbers? I have no idea what they are trying to get me
to do, since this phone doesn't have a data plan, and, regardless of what
the cell companies tell you when they sell you the plan, without buying
extra data you cannot receive MMS messages.

(I'm also getting lots of robot phone calls warning me about extraneous
charges on my Visa. Which, presumably, they can catch and fix as long as I
wire money somewhere for some reason ...)

------------------------------

Date: 8 Jan 2022 16:10:40 -0500
From: "John Levine" <jo...@iecc.com>
Subject: FAA/FCC food fight

Re: Boeing and Airbus warn US over 5G safety concerns (bbc.com)

This is a long running fight between the FAA and FCC. Neither side has
covered itself in glory but the FAA has been a lot worse.

For 15 years we have known that old cruddy radio altimeters are subject to
interference from adjacent bands including the new 5G C-band. The sensible
approach would have been for the FAA and FCC to work together on a
combination of finding and replacing the old altimeters perhaps with
subsidies from the telcos, and power limits on C-band cells near runways.
Instead we get dueling press releases.

Forty other countries have worked this out with the same altimeters and same
5G band. What do they know that we don't?

------------------------------

Date: Tue, 18 Jan 2022 09:40:53 +0000
From: "paul cornish" <paul.a....@googlemail.com>
Subject: U.S. airline officials warn of crisis in aviation with new
5G service (The Guardian)

Following on from the risk highlighted after Christmas (RISKS-33.01), it now
appears that the airline / mobile (cellular) operator deal was only a
temporary halt.

The risk still remains -- in the U.S. the frequencies used by 5G overlap
with those used by critical safety devices fitted to aircraft. Aircraft
systems are built to an international standard and hence can't be changed.

https://www.theguardian.com/technology/2022/jan/17/us-airline-officials-crisis-5

Airlines have identified 50+ airports that could be impacted and Bloomberg
has identified that medevac helicopters could also be impacted.

https://www.bloomberg.com/news/articles/2022-01-13/medevac-helicopter-flights-risk-grounding-with-5g-deadline-ahead

------------------------------

Date: Tue, 18 Jan 2022 10:17:43 +0800
From: Richard Stein <rms...@ieee.org>
Subject: FAA sets rules for some Boeing 787 landings near 5G service
(techxplore.com)

https://techxplore.com/news/2022-01-faa-boeing-5g.html

Federal safety officials are directing operators of some Boeing planes to
adopt extra procedures when landing on wet or snowy runways near impending
5G service because, they say, interference from the wireless networks could
mean that the planes need more room to land.

The Federal Aviation Administration said Friday that interference could
delay systems like thrust reversers on Boeing 787s from kicking in, leaving
only the brakes to slow the plane.

That 'could prevent an aircraft from stopping on the runway,' the FAA said.

------------------------------

Date: Tue, 18 Jan 2022 08:17:51 -0800
From: Richard Stein <rms...@ieee.org>
Subject: Palomar survey instrument analyzes impact of Starlink satellites
(phys.org)

https://phys.org/news/2022-01-palomar-survey-instrument-impact-starlink.html

``In 2019, 0.5 percent of twilight images were affected, and now almost 20
percent are affected,'' says Przemek Mróz, study lead author and a former
Caltech postdoctoral scholar who is now at the University of Warsaw in
Poland. ... There is a small chance that we would miss an asteroid or
another event hidden behind a satellite streak, but compared to the impact
of weather, such as a cloudy sky, these are rather small effects for ZTF
[Zwicky Transient Facility].

Private satellite constellations pollute Earth-based astronomical
observations.

------------------------------

Date: Sat, 22 Jan 2022 08:00:59 -0800
From: Richard Stein <rms...@ieee.org>
Subject: Robot vacuum cleaner escapes from Cambridge Travelodge (bbc.com)

https://www.bbc.com/news/uk-england-cambridgeshire-60084347

Like a page from Asimov's "I, Robot." The article notes that "Nature abhors
a vacuum." [RS]

[HOO-VERy-likely other than the BBC might have thought of that? PGN]

------------------------------

Date: Tue, 18 Jan 2022 09:54:40 -0500
From: Gene Spafford <sp...@purdue.edu>
Subject: Cross-country Exposure: Analysis of the MY2022 Olympics app
(The Citizen Lab)

Not surprising, but that doesn't mean it is okay:

https://citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/

------------------------------

Date: Fri, 14 Jan 2022 20:45:09 -0500
From: "Jan Wolitzky" <jan.wo...@gmail.com>
Subject: Project Torogoz: Extensive Hacking of Media & Civil Society in El
Salvador with Pegasus Spyware

Key Findings

The Citizen Lab and Access Now have conducted a joint investigation into
Pegasus hacking in El Salvador in collaboration with Frontline Defenders,
SocialTIC, and Fundación Acceso.

We confirmed 35 cases of journalists and members of civil society whose
phones were successfully infected with NSO's Pegasus spyware between July
2020 and November 2021. We shared a sample of forensic data with Amnesty
International's Security Lab which independently confirms the findings.

Targets included journalists at El Faro, GatoEncerrado, La Prensa Gráfica,
Revista Digital Disruptiva, Diario El Mundo, El Diario de Hoy, and two
independent journalists. Civil society targets included Fundación DTJ,
Cristosal, and another NGO.

------------------------------

Date: Sat, 8 Jan 2022 17:28:31 -0500
From: "Frank Sudia 128" <fs...@fwsudia.com>
Subject: Re: Alexa tells 10-year-old girl to touch live plug with penny
(RISKS-33.01)

Aren't these so-called smart speakers really driven by humans in the back
room, pretending to be AI? Which is why I don't use them, both to avoid
being an unpaid tester to make some co rich, and because it's pathetic that
they are nowhere near to having real AI, and so it's a huge privacy
violation to have dopey humans listening in, and in this case issuing dopey
ideas to kids. My take, no AI would have made that suggestion. That was a
phony AI, like a chess player with a midget inside! A chess player who
should be fired.

------------------------------

From: Martin Ward <mar...@gkc.org.uk>
Date: Sun, 16 Jan 2022 13:17:55 +0000
Subject: Re: Automakers Rev Up Subscription Services (Washington Consumers',
RISKS-33.02)

> ... one way to do that is to require a subscription for some pretty basic
> services

What next?

"Subscribe to the basic steering wheel package (right turns only) for just
$5 a month, or opt for the deluxe package (includes both left *and* right
turns) for only $8 a month!!!"

------------------------------

Date: Sun, 16 Jan 2022 11:29:36 -0500
From: Jerry Leichter <leic...@lrw.com>
Subject: Re: Fake QR Codes on Parking Meters (RISKS-33.02)

I warned about this class of attacks a few months back (RISKS 32.93).
Although I must admit the attackers took the next step. I was concerned
about attackers replacing legitimate QR codes (e.g., on menus) with their
own versions. In this attack, however, Austin doesn't actually put QR codes
on meters. The attackers just added their own. People have now become so
accustomed to scanning QR codes that they don't question even their presence.
This opens the attack surface wide. How about a "scan for hours and menu"
QR code on the outside glass of a restaurant? If they are closed on Monday,
how many passers-by will it catch if placed there early Monday morning --
with no one from the store even being present to notice until Tuesday?

Similar attacks work all over the place. Any store window. The doors of
cars on a dealer lot -- "Scan for our best price on this beauty!" At the
entrance to a Mall: "Scan for a map." Or at an office building: "Scan for a
tenant list." The commuter rail lines around NY have an app that allows you
to pay for your ticket; you then show your phone to the conductor when he
checks for tickets. For those who don't have the app ... imagine a QR code
that says "Beat the rush! Scan here to buy an eTicket."

The important thing to realize is that an "addition" attack -- unlike a
"replacement" attack -- leaves the owner of the physical object where the
code is presented entirely out of the loop. A restaurant using QR codes for
menus, say, could in principle have a sign on the wall with a picture to be
matched to the presented menu. It could change every day -- or, if presented
on a screen, every 10 minutes. How effective this would be -- how often
people would actually look and compare -- is questionable, but it's at least
a way to provide some degree of authentication. But what's Austin to do:
Post signs everywhere telling people "we don't use QR codes"? How effective
is that likely to be?

We've spent decades (mainly unsuccessfully) teaching people not to click on
links in unsolicited emails. QR codes are even worse. Since they are
essentially *never* solicited in any meaningful sense ... "intent" is no
longer a meaningful distinction. They are completely unparseable to human
beings. Even if a QR code reader showed the URL on the phone's screen with a
"click if this is OK" ... given that the whole purpose of the code is to
provide a quick, frictionless interface, what are the odds people will read
the incomprehensible -- even the legitimate ones are not intended for human
comprehension -- URLs that result?

QR codes. Just say no.

------------------------------

Date: Sun, 16 Jan 2022 11:37:47 +0000
From: Martin Ward <mar...@gkc.org.uk>
Subject: Re: Metro says timing for return of suspended railcars is unknown
(RISKS-33.01-02)

The mathematical relationship "more than" does not need further
interpretation. It is the measurement itself that needs interpreting.

If the displacement is measured at precisely 1/32 of an inch, then the
actual measurement is 1/32 of an inch plus or minus the error in the
reading. This error is very unlikely to be precisely zero. So the
probability of the actual measurement being *more than* 1/32 of an inch is
very close to 50%.

So the question is: should a car be taken out of service if there is close
to a 50% chance that it is out of spec?

Put this way, I think it is reasonable to err on the side of safety.

------------------------------

Date: Sun, 16 Jan 2022 13:46:41 -0800
From: dave russo <david.al...@gmail.com>
Subject: Re: Metro says timing for return of suspended railcars is unknown
(RISKS-33.02)

To be fair, the technicians may well understand both the meaning of "More
than" and that small length measurements need to be specified as a function
of their environment.

The metro specification requires a measurement accuracy of at least
1/32 of an inch. But steel expands approximately .07% per 100 degrees
F. For a measurement of 53 5/16 of inches, a 100 degree difference
works out to be .037 inches > 1/32 inch. Working backwards, an 85
degree F difference could result in a greater than 1/32 inch
expansion.

It seems to me that the real risk is in a specification of an absolute
length deviation without ALSO specifying the temperature at which the
measurement must be made.

FWIW: Coincidentally, Adam Savage (of Myth Busters) recently produced
a wonderful video (https://youtu.be/qE7dYhpI_bI) on why all
sufficiently precise measurements are a function of their environment.
Perhaps the technicians are Adam Savage fans.
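
Martin Ward's point about gauge error and dave russo's thermal-expansion arithmetic can both be carried through in a few lines. The following is an added example (editor's code, not from either contributor) using the figures quoted in the thread: the 1/32 in limit, the 53 5/16 in dimension and 0.07% expansion per 100 F; the Gaussian model for the gauge error and the reference-temperature correction are assumptions.

```python
"""Worked example for the two railcar-measurement posts above.

Added here by the editor, not by the RISKS contributors. Figures are the
ones quoted in the thread; the Gaussian error model and the idea of a
reference temperature are assumptions introduced for the illustration.
"""
import math

LIMIT_IN = 1 / 32                   # tolerance quoted in the thread
NOMINAL_IN = 53 + 5 / 16            # the 53 5/16 in dimension quoted above
STEEL_EXPANSION_PER_100F = 0.0007   # 0.07 % per 100 F, as stated above


def prob_exceeds_limit(reading_in, sigma_in, limit_in=LIMIT_IN):
    """P(true deviation > limit) given a gauge reading and a zero-mean
    Gaussian reading error with standard deviation sigma_in (assumption).
    A reading exactly at the limit gives 0.5, which is Martin Ward's point."""
    z = (limit_in - reading_in) / sigma_in
    return 0.5 * (1 - math.erf(z / math.sqrt(2)))   # 1 - Phi(z)


def thermal_expansion_in(length_in, delta_f):
    """Length change of a steel dimension for a temperature change delta_f
    (degrees F), using the 0.07 % per 100 F figure from the thread."""
    return length_in * STEEL_EXPANSION_PER_100F * delta_f / 100


def min_delta_f_to_exceed(limit_in=LIMIT_IN, length_in=NOMINAL_IN):
    """Smallest temperature swing whose expansion alone exceeds the limit
    (dave russo's 'working backwards' step)."""
    return limit_in * 100 / (length_in * STEEL_EXPANSION_PER_100F)


def corrected_deviation_in(measured_dev_in, measured_f, reference_f,
                           length_in=NOMINAL_IN):
    """Remove the expansion between the measurement temperature and a
    reference temperature before comparing with the limit: the step a spec
    that names a temperature would require (assumed reference, not Metro's)."""
    return measured_dev_in - thermal_expansion_in(length_in, measured_f - reference_f)


if __name__ == "__main__":
    print(f"P(out of spec | reading = 1/32 in): {prob_exceeds_limit(LIMIT_IN, 0.005):.2f}")
    print(f"expansion over 100 F: {thermal_expansion_in(NOMINAL_IN, 100):.4f} in")
    print(f"swing needed to exceed 1/32 in: {min_delta_f_to_exceed():.1f} F")
```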

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.03
************************
