RISKS-LIST: Risks-Forum Digest  Friday 30 April 2021  Volume 32 : Issue 63

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.63>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
The Plane Paradox: More Automation Should Mean More Training (WiReD)
VPN hacks are a slow-motion disaster (WiReD)
AirDrop could make 1.5 billion Apple devices vulnerable to hackers (Fortune)
Hundreds lose Internet service in northern B.C. after beaver chews through cable (CBC.CA)
NYPD Robot Dog's Run Is Cut Short After Fierce Backlash (NYTimes)
Researchers Say Changing Simple iPhone Setting Fixes Long-Standing Privacy Bug (Mike Snider)
Why the FCC Keeps Shooting Down Requests From Companies That Want To Shoot Down Drones (IEEE Spectrum)
How Close Is Ordinary Light to Doing Quantum Computing? (Neil Savage)
SolarWinds, Microsoft Hacks Prompt Focus on Zero-Trust Security (James Rundle)
Outlook/Exchange accounts under attack? (Rob Slade)
U.S. investigating possible mysterious directed energy attack near White House (CNNPolitics)
An Ambitious Plan to Tackle Ransomware Faces Long Odds (WiReD)
Man arrested over fake QR codes (South Australia Police)
Spending on Cloud Computing Hits US$42 Billion Worldwide (Canalys)
Fighting patent trolls (Rob Slade)
Re: Eversource Energy data breach caused by unsecured cloud storage (Anthony Thorn)
Re: Fiery Tesla crash with no one driving (Goldy)
Re: IBM Clarifies Stance On Developers Working On Open-Source Projects In Off-Hours (Amos Shapir)
Re: Masking the CoVID-19 problem (Robert Weaver)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 25 Apr 2021 21:23:37 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: The Plane Paradox: More Automation Should Mean More Training (WiReD)

Today's highly automated planes create surprises pilots aren't familiar with.
The humans in the cockpit need to be better prepared for the machine's quirks.

Shortly after a Smartlynx Estonian Airbus 320 took off on February 28, 2018, all four of the aircraft's flight control computers stopped working. Each performed precisely as designed, taking themselves offline after (incorrectly) sensing a fault. The problem, later discovered, was an actuator that had been serviced with oil that was too viscous. A design created to prevent a problem created a problem. Only the skill of the instructor pilot on board prevented a fatal crash.

Now, as the Boeing 737 MAX returns to the skies worldwide following a 21-month grounding, flight training and design are in the crosshairs. Ensuring a safe future of aviation ultimately requires an entirely new approach to automation design using methods based on system theory, but planes with that technology are 10 to 15 years off. For now we need to train pilots how to better respond to automation's many inevitable quirks.

https://www.wired.com/story/opinion-the-plane-paradox-more-automation-should-mean-more-training/

  [This leads us to the old paradox. The more automated everything is, the fewer trained system administrators will know what to do when the resiliency fails to provide self-recovering automated systems. PGN]

------------------------------

Date: Sun, 25 Apr 2021 21:27:54 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: VPN hacks are a slow-motion disaster (WiReD)

Recent spying attacks against Pulse Secure VPN are just the latest example of a long-simmering cybersecurity meltdown.

https://www.wired.com/story/vpn-hacks-pulse-secure-espionage/

------------------------------

Date: Mon, 26 Apr 2021 01:09:23 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: AirDrop could make 1.5 billion Apple devices vulnerable to hackers (Fortune)

Apple's AirDrop feature could allow hackers to gain personal information via your Apple device, according to security researchers in Germany.
A report from Technische Universitat Darmstadt says it has found a `significant privacy leak' in Apple's file-sharing service. When users begin sharing files with each other using AirDrop, others with malicious intent can also tap into the data and gain access to the phone number and email of users.

Researchers say 1.5 billion Apple devices are vulnerable, and Apple has not issued a security update since the report was issued. Researchers say they alerted Apple to the problem in May 2019 but said, "Apple has neither acknowledged the problem nor indicated that they are working on a solution." The team added it had also offered a fix for the flaw, but have not heard back from Apple about the proposal.

https://fortune.com/2021/04/23/airdrop-security-privacy-leak-apple-devices-iphones-hackers/

Linked article gives a bit more information:

https://www.informatik.tu-darmstadt.de/fb20/ueber_uns_details_231616.en.jsp

...but it requires proximity AND a brute force attack. So claiming 1.5B devices at risk is a bit overwrought. So if this gets wider coverage, don't panic.

------------------------------

Date: Mon, 26 Apr 2021 13:19:38 -0600
From: "Matthew Kruk" <mkr...@gmail.com>
Subject: Hundreds lose Internet service in northern B.C. after beaver chews through cable (CBC.CA)

Telus calls damage 'uniquely Canadian turn of events' affecting about 900 customers.

https://www.cbc.ca/news/canada/british-columbia/beaver-internet-down-tumbler-ridge-1.6001594

  [This event was noted in Tumbler Ridge, British Columbia. However, it is not the first such case reported in RISKS: "Eager beaver blamed for killing Internet, cell service" (RISKS-27.36). Nevertheless, beavers have a long way to go in competing with squirrel stories. PGN]

------------------------------

Date: Fri, 30 Apr 2021 12:12:31 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: NYPD Robot Dog's Run Is Cut Short After Fierce Backlash (NYTimes)

The Police Department will return the device earlier than planned after critics seized on it as a dystopian example of overly aggressive policing.

When the Police Department acquired a robotic dog last year, officials heralded the four-legged device as a futuristic tool that could go places that were too dangerous to send officers.

"This dog is going to save lives," Inspector Frank Digiacomo of the department's Technical Assistance Response Unit said in a television interview in December. "It's going to protect people. It's going to protect officers."

Instead, the machine, which the police named Digidog, became a source of heated debate. After it was seen being deployed as part of the response to a home invasion in the Bronx in February, critics likened it to a dystopian surveillance drone. And when officers used it at a public housing building in Manhattan this month, a backlash erupted again, with some people describing the device as emblematic of how overly aggressive the police can be when dealing with poor communities.

Now, the robotic dog's days in New York have quietly been cut short.

https://www.nytimes.com/2021/04/28/nyregion/nypd-robot-dog-backlash.html

Blindingly stupid citizens. Robodog is cute, capable, and unarmed yet people feel threatened while worse issues ignored.

------------------------------

Date: Mon, 26 Apr 2021 12:22:14 -0400 (EDT)
From: ACM TechNews <technews-edi...@acm.org>
Subject: Researchers Say Changing Simple iPhone Setting Fixes Long-Standing Privacy Bug (Mike Snider)

Mike Snider, *USA Today*, 24 Apr 2021, via ACM TechNews, 26 Apr 2021

Scammers could exploit a bug in iPhones and MacBooks' AirDrop feature to access owners' email and phone numbers, according to researchers at Germany's Technical University of Darmstadt (TU Darmstadt).
AirDrop allows users with both Bluetooth and Wi-Fi activated to discover nearby Apple devices, and share documents and other files; however, strangers in range of such devices can extract emails and phone numbers when users open AirDrop, because the function checks such data against the other user's address book during the authentication process. The researchers said they alerted Apple to the vulnerability nearly two years ago, but the company "has neither acknowledged the problem nor indicated that they are working on a solution." They recommend users disable AirDrop and not open the sharing menu, and to only activate the function when file sharing is needed, then deactivate it when done.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2aad0x22aafax070412&

------------------------------

Date: Thu, 29 Apr 2021 00:22:34 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Why the FCC Keeps Shooting Down Requests From Companies That Want To Shoot Down Drones (IEEE Spectrum)

Regulators have denied testing permits to at least four electronic warfare systems in the last six months.

https://spectrum.ieee.org/tech-talk/aerospace/military/fcc-shoot-down-drones

------------------------------

Date: Wed, 28 Apr 2021 12:19:27 -0400 (EDT)
From: ACM TechNews <technews-edi...@acm.org>
Subject: How Close Is Ordinary Light to Doing Quantum Computing? (Neil Savage)

Neil Savage, *IEEE Spectrum*, 27 Apr 2021 via ACM TechNews, Wednesday, April 28, 2021

Using mirrors to generate a light beam with multiple, classical entanglements is possible, according to researchers at China's Tsinghua University, the U.K.'s University of Southampton, and South Africa's University of the Witwatersrand (WITS). WITS' Andrew Forbes said this technique can entangle a potentially infinite number of photonic pathways, and his team demonstrated eight degrees of freedom within a single beam by changing the spacing between mirrors in the laser cavity. Said Forbes, "Not only could we make light that took many different paths at once, but we could encode information into those paths to make it look like we were holding a high-dimensional multi-photon quantum state." Forbes added that since quantum computing relies on particles existing in multiple states, some algorithms could be run using classically entangled light, bridging quantum and classical computers.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ab7fx22ac75x070972&

------------------------------

Date: Wed, 28 Apr 2021 12:19:27 -0400 (EDT)
From: ACM TechNews <technews-edi...@acm.org>
Subject: SolarWinds, Microsoft Hacks Prompt Focus on Zero-Trust Security (James Rundle)

James Rundle, *The Wall Street Journal*, 26 Apr 2021 via ACM TechNews, Wednesday, April 28, 2021

At an April 22 virtual event hosted by Cyber Education Institute LLC's Billington Cybersecurity unit, U.S. Department of Defense's John Sherman said the public and private sectors should adopt zero-trust models that constantly verify whether a device, user, or program should be able to do what it is asking to do. Ericom Software Ltd.'s Chase Cunningham said, "No one who actually understands zero trust says abandon the perimeter. But the reality of it is that you need to understand your perimeter's probably already compromised, especially when you're in a remote space." Carnegie Mellon University's Gregory Touhill stressed that zero trust is not a technology but a strategy, and "we've got too many folks in industry that are trying to peddle themselves as zero-trust vendors selling the same stuff that wasn't good enough the first time."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ab7fx22ac7ax070972&

------------------------------

Date: Thu, 29 Apr 2021 10:06:53 -0700
From: Rob Slade <rsl...@gmail.com>
Subject: Outlook/Exchange accounts under attack?

Possibly it's due to all the Exchange servers still "pwned" from the SolarWinds attack.
But I have been noticing a *huge* up-tick in spam (and particularly phishing) messages in my Outlook account, rmsl...@outlook.com. (The same account is also rob-the-vi...@outlook.com, usual-suspe...@outlook.com, i...@outlook.com, and the-usual-susp...@outlook.com, but most of the spam seems to be addressed to rmsl...@outlook.com.)

OK, maybe nine messages a day doesn't seem huge, but bear in mind that this is an account that I hardly ever use. I generally don't post from it, and almost never to any mailing lists. I don't exactly hide its existence, and I sometimes note it as an alternate email when people have trouble with my main Shaw account, or when I'm giving presentations. And, up until a couple of months ago, I hardly received any email in it at all. (Which is why I wonder about the SolarWinds thing.)

It's not as if Microsoft is really bad at spam filtering. Looking at the spam folder (which Microsoft insists on labeling "Junk") I note that there are a number of messages Microsoft has dealt with automatically. Although an awful lot of the phishing messages that I *do* see (and report, religiously, one of the reasons that I'm so aware of the growing spam numbers) are dead copies of each other, even if they come from different email accounts and sources.

I know that phishing doesn't have to have a high success rate. Sending phishing messages is pretty close to zero cost for phishers, so you can have a success rate of 0.01% and still consider that a win. But I am starting to wonder how many people are getting "pwned" by this recent onslaught ...

------------------------------

Date: Thu, 29 Apr 2021 18:15:52 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: U.S. investigating possible mysterious directed energy attack near White House (CNNPolitics)

Washington (CNN) -- Federal agencies are investigating at least two possible incidents on US soil, including one near the White House in November of last year, that appear similar to mysterious, invisible attacks that have led to debilitating symptoms for dozens of US personnel abroad.

Multiple sources familiar with the matter tell CNN that while the Pentagon and other agencies probing the matter have reached no clear conclusions on what happened, the fact that such an attack might have taken place so close to the White House is particularly alarming.

Defense officials briefed lawmakers on the Senate and House Armed Services Committees on the matter earlier this month, including on the incident near the White House. That incident, which occurred near the Ellipse, the large oval lawn on the south side of the White House, sickened one National Security Council official, according to multiple current and former US officials and sources familiar with the matter.

https://www.cnn.com/2021/04/29/politics/us-investigating-mysterious-directed-energy-attack-white-house/index.html

------------------------------

Date: Thu, 29 Apr 2021 18:24:59 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: An Ambitious Plan to Tackle Ransomware Faces Long Odds (WiReD)

A task force counting Amazon, Cisco, and the FBI among its members has proposed a framework to solve one of cybersecurity's biggest problems. Good luck.

https://www.wired.com/story/ransomware-task-force-proposal/

------------------------------

Date: Thu, 29 Apr 2021 20:11:30 -0600
From: Jim Reisert AD1C <jjreis...@alum.mit.edu>
Subject: Man arrested over fake QR codes (South Australia Police)

28 Apr 2021

An Edwardstown man has been arrested after he allegedly placed fake QR codes over business COVID check-in QR codes.
On 28 Apr 2021, members of SAPOL's COVID Compliance Section attended an address in Edwardstown following allegations that false QR codes had been placed over business QR Codes at South Plympton on Sunday 25 April.

https://www.police.sa.gov.au/sa-police-news-assets/front-page-news/man-arrested-over-fake-qr-codes#.YImYQrVKiUl

"Anti-vaxxers are to blame for a QR code scam in Blackwood. Fake QR codes were placed over genuine COVID safe check-ins and once scanned, it is understood it led people to a website with information against vaccinations. 7NEWS Adelaide at 6pm"

https://t.co/8ftPfFYTVQ #7NEWS pic.twitter.com/NFAMNTdCrz

------------------------------

Date: Fri, 30 Apr 2021 12:25:23 -0400 (EDT)
From: ACM TechNews <technews-edi...@acm.org>
Subject: Spending on Cloud Computing Hits US$42 Billion Worldwide (Canalys)

Business Times (Singapore), 30 Apr 2021, via ACM TechNews, 30 Apr 2021

Market tracker Canalys said global cloud computing spending reached a record-high US$41.8 billion in the first quarter of 2021 as businesses used the Internet heavily to weather the pandemic. Worldwide spending on cloud infrastructure services rose nearly US$11 billion year over year, according to Canalys. The company's Blake Murray said, "Organizations depended on digital services and being online to maintain operations and adapt to the unfolding situation," although most businesses have not yet made the "digital transformation." Canalys ranked Amazon Web Services as the world's top cloud service provider, accounting for 32% of the market, followed by Microsoft's Azure platform with 19% and Google Cloud with 7%. Going forward, Murray expects continued migration to the cloud amid improving economic confidence and the revitalization of postponed projects.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ac19x22adb1x070550&

  [Too much trusting of potentially untrustworthy third-parties? PGN]

------------------------------

Date: Wed, 28 Apr 2021 10:12:46 -0700
From: Rob Slade <rsl...@gmail.com>
Subject: Fighting patent trolls

Even though I'm an author, I'm not really big on "intellectual property." Not that I'm against the idea of a creator benefitting from control over what they've created: I just don't see it working out very well in the real world. As is usual, the Golden Rule is that ``they that have the gold make the rules,'' and intellectual property law tends not to protect creators as much as it makes it possible for large corporations, with hordes of lawyers, to pay a pittance to originators and then make fabulous profits off the creation.

But what *really* gets my goat is patent trolls. People or companies that file for hugely overbroad patents, generally on things they never plan to produce, and then sue people who actually produce usable products that stray into the patent's clutches.

I have wasted *far* too much time over the past decade and more, helping defend companies that have been hit by patent trolls. Much of the time, the situation goes like this. ABC Corp makes a product. XYZ Corp, the patent troll, figures that it infringes on their patent. XYZ sues ABC for a hundred million dollars. ABC goes to their lawyers. Their lawyers go to IP lawyers. The IP lawyers get someone to do prior art searches. At this point they find me. (This is mostly in the field of antimalware stuff, and I reviewed basically everything that was available between 1987 and 1996.) So, the IP lawyers tell me about the XYZ patent, and I list off all the programs that invalidate the XYZ patent because they did what the XYZ patent talks about before it was filed. So the IP lawyers go back to the ABC lawyers, and ABC says to XYZ, "Well, we could invalidate your patent, but it would be a long and expensive process: here's a hundred thousand dollars. Go away."
So, XYZ, who only wanted $100,000, is happy, ABC is happy that they saved $100,000,000, the IP lawyers are happy they got to charge lots of billable hours, and the only one *not* happy is me.

So I am delighted that Cloudflare has taken umbrage at being sued by a patent troll, and encourage everyone to support their prior art search:

https://blog.cloudflare.com/project-jengo-redux-cloudflares-prior-art-search-bounty-returns/

------------------------------

Date: Mon, 26 Apr 2021 08:40:42 +0200
From: Anthony Thorn <anthony.th...@atss.ch>
Subject: Re: Eversource Energy data breach caused by unsecured cloud storage (Wolitzky, RISKS-32.62)

Did he become suspicious too late?

Jan Wolitzky describes a possible/probable phishing attempt:

> "I went to the website provided to sign up, but around the point where
> they asked for my Social Security number, I got suspicious."

> How hard would it be to send a mass mailing on utility company letterhead,
> warning people of a non-existent data breach, and sending them to some
> website to sign up for credit monitoring, thereby quickly collecting all
> the information you'd otherwise have to wait for a careless utility
> company to provide?"

I do hope that he did not follow a link in the email because his computer might already be compromised...

------------------------------

Date: Sun, 25 Apr 2021 19:40:59 -0600
From: goldy <gold2...@gmail.com>
Subject: Re: Fiery Tesla crash with no one driving (RISKS-32.61 & 62)

We have now had items in two RISKS issues repeating the "news" that a Tesla crash took over four hours and 30,000 gallons of water to extinguish. The RISK? Not checking facts before repeating rumors.

https://www.houstonchronicle.com/neighborhood/woodlands/article/Woodlands-fire-chief-says-Tesla-fire-example-of-16113029.php

It seems that there is a difference between putting out a fire and keeping a scene cool so that a fire does not reignite.
  [I do have dupes now and then, especially when an item is submitted well after an issue has already appeared. (I often check for duplicates, but tend to miss a few now and then, because I do not have a lot of time to check everything.) However, I always try to run corrections when a submitted item is incorrect, and rely on readers to help keep the archival record straight, as you have done. So yours is greatly appreciated. PGN]

------------------------------

Date: Tue, 27 Apr 2021 17:51:26 +0300
From: Amos Shapir <amos...@gmail.com>
Subject: Re: IBM Clarifies Stance On Developers Working On Open-Source Projects In Off-Hours (RISKS-32.61)

I worked at IBM 10 years ago, but it seems they still keep their spirit...

IBM views itself not as a company, but as a Kingdom (which used to be an Empire). The claim "You are an IBM employee 100% of the time" is not a whim of a bad manager, but a direct quote from their Business Conduct Guide -- a 200-page document every candidate should read, before given access to any system.

In there, employees are taught that every person on Earth is either an IBM Employee, an IBM Supplier, an IBM Customer, or else (implied consequently) an IBM Enemy. The 100% Employee is warned that anyone s/he may meet on a bus, in a bar, or PTA meeting, may belong in one of these categories, and should be approached accordingly.

------------------------------

Date: Tue, 27 Apr 2021 10:50:42 -0400 (EDT)
From: Robert Weaver <woody.wea...@comcast.net>
Subject: Re: Masking the CoVID-19 problem (Weaver, RISKS-31.68)

If memory serves, Rob Slade had a bit of a screed on masks (see RISKS-31.65), and was taken to task for it. Then I commented on the 6-foot thing, and there was some response around that issue, partly by Herr Doctor Professor Peter Ladkin -- who had been watching it, and referred to a study and to a movie, "the Sneeze".
We now have better science to design controls, such as

https://www.pnas.org/content/118/17/e2018995118

and while the guidance doesn't quite invert the previous recommendations, it deeply changes the advice.

The risks are subtle, and perhaps not precisely computer-related, but more [generally] "science" related: the risks of jumping to a control with limited scientific information, applying controls inexpertly, failure to change the control regime in a timely fashion when the data changes, etc.

  [In retrospect, the Pandemic is still an evolving exercise a year later. PGN]

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: risks-requ...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
   *** This attention-string has never changed, but might if spammers use it.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
   *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
   Also, ftp://ftp.sri.com/risks for the current volume/previous directories
   or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
   If none of those work for you, the most recent issue is always at
   http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
   ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
   *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
   Apologies for what Office365 and SafeLinks may have done to URLs.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.63
************************