• Risks Digest 32.09

    From RISKS List Owner@21:1/5 to All on Mon Jul 13 21:53:33 2020
    RISKS-LIST: Risks-Forum Digest Monday 13 July 2020 Volume 32 : Issue 09

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/32.09>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    24-Year-Old Australian Man Spent $2 Million After a Bank Glitch (Esquire)
    A Marine called customer service when his M107 failed during gunfight
    (Business Insider)
    Microsoft neuters Office 365 account attacks that used clever ruse
    (Ars Technica)
    How Universities Can Keep Foreign Governments from Stealing Intellectual
    Capital (Scientific American)
    Poochin' Mnuchin? (Michael LeVine)
    Mental health, stress, and moral injury (Rob Slade)
    Home Security Camera Wi-Fi Signals Can be Hacked to Tell When People Are
    Home (Jonathan Chadwick)
    Uncovered: 1,000 Phrases That Incorrectly Trigger Alexa, Siri, and Google
    Assistant (Dan Goodin)
    Can an Algorithm Predict the Pandemic's Next Moves? (Benedict Carey)
    Supreme Court Preserves Limits on Autodialed Calls to Cell Phones,
    Overturns Government Debt Collection Exception (Cooley)
    Re: Not so random acts: Science finds that being kind pays off
    (Neil Youngman)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sat, 11 Jul 2020 16:03:27 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: 24-Year-Old Australian Man Spent $2 Million After a Bank Glitch
    (Esquire)

    On 17 Apr 2015, a Sydney District Court sentenced Milky to four years and
    six months in prison after he was found guilty of the charges. Not surprisingly, St. George was not forthcoming with details as to what had happened. A spokesperson for the bank would say only, to *The Sunday Telegraph*, that the glitch had been the result of a *human error* that had since been corrected. ``The issue has been resolved and the customer has
    been convicted,'' the spokesperson went on. ``The bank is now seeking to recover funds.'' The police confiscated Milky's belongings and turned them over to the bank. Judge Stephen Norrish said the twenty-seven-year-old's
    excuse that he was going to keep spending until the bank contacted him was ``almost laughable... he thought he could get away with anything and he
    almost did.''

    According to Milky's contract with the bank, he was perfectly authorized to receive overdrafts subject to the bank's approval. In practice, when Milky
    put in an overdraft request, it would get sent up from his local bank to a corporate relationship officer for sign-off. But if the officer didn't
    respond within a certain time frame, the request would automatically get approved -- which is what kept happening for him. In other words, as the
    bank admitted in court, it was its own human error, and had nothing to do
    with his getting unauthorized access to a computer at all. It was
    scapegoating him for its own mistake and his lawyers had botched the case,
    he fumed. ``It was a long shot for the prosecution to even come after me
    the way they did. And I don't think anyone in the jury understood it.''
    ...

    On December 1, 2016, the New South Wales Court of Appeal ruled in his favor too. ``The unusual aspect of Mr. Moore's conduct was that there was nothing covert about it,'' Justice Mark Leeming noted in his judgment, adding that
    St. George bank had chronicled ``with complete accuracy Mr. Moore's growing indebtedness.'' St. George declined to comment on the acquittal, though it later contacted Milky to tell him it was not coming after him for his
    remaining debt. It was obviously in the bank's best interest to let this
    fade as quickly as possible. As Milky left the courthouse a free man, a reporter from the tabloid TV show *A Current Affair* trailed him, cheekily asking if he was going to drive home in a Maserati. ``Not today,'' Milky
    told her with a laugh. ``Not today.'' [...]

    Instead, he plans to make his fortune the old-fashioned way: by working, as
    a criminal lawyer. After successfully representing himself in his case, he found his calling. He's currently enrolled in law school and expects to get
    his degree this spring. And what will he do if he ends up making millions again? ``I reckon I'll have to move back here,'' he says with a smile,
    which would be the most *beauuuutiful ending* of all.

    https://www.esquire.com/lifestyle/a19834127/luke-milky-moore-money-glitch/

    At least the bank didn't call it a computer error. And the bank deservedly
    took the hit.
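    The overdraft escalation the article describes is a fail-open control: a request that nobody reviewed in time was treated as approved. The following Python is an added example, not code from the RISKS post, the Esquire article, or the bank; it models that escalation step under a fail-open and a fail-closed timeout policy and tallies how much credit was extended with no human decision at all. The request amounts, the one-hour timeout, and the officer response times are constructed for illustration.

```python
"""
Fail-open vs fail-closed approval on timeout (added example, constructed data).

Models an overdraft request escalated to a relationship officer: if the officer
answers within the timeout, that answer stands; if not, the default policy
decides. FAIL_OPEN is the behaviour the article describes.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Policy(Enum):
    FAIL_OPEN = "fail_open"      # no answer in time => approved (the article's workflow)
    FAIL_CLOSED = "fail_closed"  # no answer in time => declined


@dataclass
class OverdraftRequest:
    amount: float
    officer_decision: Optional[bool]  # True/False if the officer answered, None if silent
    response_delay_s: float           # how long the officer took, or how long we waited


@dataclass
class AccountLedger:
    policy: Policy
    timeout_s: float = 3600.0                          # constructed one-hour SLA
    exposure: float = 0.0                              # unsecured credit the bank has extended
    log: List[Tuple[float, bool, str]] = field(default_factory=list)

    def decide(self, req: OverdraftRequest) -> bool:
        """Apply the escalation rule to one request and record (amount, approved, reason)."""
        answered_in_time = (req.officer_decision is not None
                            and req.response_delay_s <= self.timeout_s)
        if answered_in_time:
            approved = req.officer_decision
            reason = "officer"
        elif self.policy is Policy.FAIL_OPEN:
            approved = True
            reason = "timeout-default-approve"
        else:
            approved = False
            reason = "timeout-default-decline"
        if approved:
            self.exposure += req.amount
        self.log.append((req.amount, approved, reason))
        return approved


def run_scenario(policy: Policy, requests: List[OverdraftRequest]) -> AccountLedger:
    """Replay a sequence of escalations under one policy and return the resulting ledger."""
    ledger = AccountLedger(policy=policy)
    for req in requests:
        ledger.decide(req)
    return ledger


def unreviewed_exposure(ledger: AccountLedger) -> float:
    """Credit extended without any human decision: the figure a control audit should flag."""
    return sum(amount for amount, approved, reason in ledger.log
               if approved and reason.startswith("timeout"))


# Constructed sample: one explicit approval, one explicit decline, then three
# escalations the officer never answered.
SAMPLE_REQUESTS = [
    OverdraftRequest(5_000.0, True, 600.0),
    OverdraftRequest(20_000.0, False, 900.0),
    OverdraftRequest(50_000.0, None, 3600.0),
    OverdraftRequest(80_000.0, None, 3600.0),
    OverdraftRequest(120_000.0, None, 3600.0),
]

if __name__ == "__main__":
    for policy in Policy:
        ledger = run_scenario(policy, SAMPLE_REQUESTS)
        print(f"{policy.value:12s} total exposure {ledger.exposure:>10,.0f}  "
              f"unreviewed {unreviewed_exposure(ledger):>10,.0f}")
```

    Under the fail-open policy every unanswered escalation adds to the bank's exposure, and the `unreviewed_exposure` figure is exactly the amount that no officer ever looked at; under fail-closed, silence costs the customer a declined request but leaves that figure at zero. The point for a control designer is that a timeout default is itself a decision, and auditing the log for "timeout" reasons shows how often the default, rather than a person, is doing the approving.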

    ------------------------------

    Date: Thu, 9 Jul 2020 23:37:12 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: A Marine called customer service when his M107 failed during
    gunfight (Business Insider)

    The Barrett M107 .50-caliber long-range sniper rifle is a firearm made for
    the modern war on terrorism. Officially adopted by the U.S. Army in 2002 and boasting a 2,000-meter range, a suppressor-ready muzzle brake, and recoil-minimizing design, the semi-automatic offers "greater range and lethality against personnel and materiel targets than other sniper systems
    in the U.S. inventory," according to an assessment by Military.com.

    While Barrett's reputation of "flawless reliability" has made the M107 the sniper weapon of choice, the rifle is just like any other essential tool: It often breaks when you need it most. And that's apparently what happened to
    one Marine Corps unit pinned down in a firefight, according to one of
    Barrett's longtime armorers.

    https://www.businessinsider.com/marines-m107-sniper-rifle-failed-during-firefight-so-he-called-customer-service-2017-4

    ------------------------------

    Date: Fri, 10 Jul 2020 02:50:53 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Microsoft neuters Office 365 account attacks that used clever ruse
    (Ars Technica)

    https://arstechnica.com/information-technology/2020/07/microsoft-neuters-office-356-account-attacks-that-used-clever-ruse/

    ------------------------------

    Date: Sun, 12 Jul 2020 12:56:35 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: How Universities Can Keep Foreign Governments from Stealing
    Intellectual Capital (Scientific American)

    https://www.scientificamerican.com/article/how-universities-can-keep-foreign-governments-from-stealing-intellectual-capital/

    The essay enumerates insider risks that can enable theft of intellectual property (IP) and classified information.

    "National Institutes of Health have reportedly made inquiries into nearly
    200 NIH-funded researchers at more than 60 U.S. institutions for potentially violating NIH conflict-of-interest, conflict-of-commitment or research-integrity rules. Many of these ideas and technologies are important
    to national security."

    The second to last paragraph's concluding sentence states: "But if
    universities fail to police themselves adequately in these areas, we face
    the specter of more draconian reactions from lawmakers."

    Has the time arrived for the US government to enact a data protection law? Regulating cybersecurity, auditing organizational compliance, and enforcing mandatory penalties for cyber-crime enabled by organizational negligence may yield public benefit. Ongoing voluntary efforts to toughen infrastructure
    and organizations against cyber-crime reveal an unchecked scourge.

    The surveillance economy's data collection, data exploitation for profit,
    and data breach life cycle sponsors an estimated US$ 1T per year global criminal industry (see https://www.accenture.com/us-en/insights/security/cost-cybercrime-study, retrieved on 11JUL2020).

    The Privacy Rights Clearinghouse https://privacyrights.org/data-breaches describes a chronology of U.S. incidents totaling ~9000 and ~11.7B records between 2006-2018, and estimates JAN-SEP2019 data breach frequency at ~5200 incidents totaling ~8B records. These statistics prove that voluntary organizational efforts to deter cyber-crime are substantially ineffective. https://www.securitymagazine.com/articles/91366-the-top-12-data-breaches-of-2019

    The Computer Misuse Act (USC Section 18) does not punish cyber-crime
    enablers: these are the surveillance economy's keepers of vulnerable and
    weakly protected Internet-accessible data repositories and computer
    systems. Cyber-crimes, especially ID theft, inure public mental health, and imbrue governments, businesses, and educational institutions. Some people
    and organizations are enriched by the cyber-crime pandemic.

    Most enablers are small or medium-sized organizations (less than 500 people) with parsimonious budgets unaccommodating and ill-equipped to implement vigorous cybersecurity defenses; they outsource cybersecurity capabilities because they can't afford it. The comp.risks forum labels ineffective cybersecurity practice as "security theater."

    A few enablers are titans (financial services, and intelligence gathering organizations, data aggregators) that maintain petabytes of repository
    content. These leviathans are usually defended by cybersecurity operation centers brimming with gear and people procured from a vast cyber-industrial complex.

    Cybersecurity service suppliers are hired to oversee an organization's
    digital hygiene, and prevent brand-weakening data breaches that raise
    alarm. Yet cyber-crime continues undeterred despite "best in the business" deterrence. The surveillance economy's "moose on the table" facilitates the cyber-crime industry's "cut of the take."

    Federal regulations govern vehicle, food, and consumer product safety that protects public health and safety interests. Mandatory enforcement of cyber-security regulations may suffice where voluntary efforts have not.

    A "meet or exceed" regulation, propounded by The Cybersecurity and Infrastructure Security Agency @ https://cyber.dhs.gov/directives, may represent a regulation baseline.

    Require all Internet-accessible repository owner/operators and technology suppliers to adopt CISA directives and guidelines, then periodically elevate and strengthen them to promote enhancements: frequent patch application, firewall port lockdown, minimal administrative and least privilege
    assignment, proactive malware detection measures, multi-factor
    authentication, personnel training for malware vigilance, etc. Enforcement compliance auditing will require significant federal sponsorship to reveal
    and discipline organizations engaged in security theater charades.

    Standardized cyber-security solutions effectively homogenize defenses. When adopted by organizations across industries, they inherit common
    technological weaknesses. Open-source contributions integrated into deployed software and hardware reveal this risk. Organizations leverage standardized solutions to avoid in-house expenditures. Cheaper? Certainly. More
    effective than do-it-yourself cybersecurity? Apparently not.

    Cyber-crime arises from negligence: technological vulnerabilities, weak internal controls, shirked professional duties and sloppy fulfillment,
    insider actions, etc. Technologically, negligence can materialize from
    multiple sources: unpatched platform backdoor exploitation, known but
    untrapped malware exploit, ransomware, role impersonation and phishing, advanced persistent threat targeting, no multi-factor authentication access controls, etc.

    Internet service usage terms routinely encourage cybersecurity
    under-investment by asserting a negligence exemption. If contract law can effectively indemnify organizational liability against negligence, why strengthen technological and organizational protections for collected data troves or core intellectual property? Cybersecurity negligence and liability exemption constraints will motivate compliance investments.

    The "terms of service acknowledgment" checkbox found in virtually all
    Internet services, once ticked and submitted, grants free rein to
    surveillance economy life cycle exploitation for profit or purpose. An effective federal cybersecurity regulation will restrict website terms of service by limiting liability exemptions due to negligence.

    This text snippet, retrieved on 10JUL2020 from https://www.experian.com/corporate/legalterms, typifies website usage
    terms. It asserts a negligence exemption and unlimited liability indemnification should an adverse outcome arise from use:

    "IN NO EVENT WILL EXPERIAN BE LIABLE TO ANY PARTY FOR ANY DAMAGES OF ANY
    KIND, INCLUDING BUT NOT LIMITED TO DIRECT, INDIRECT, SPECIAL OR
    CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THIS WEB
    SITE, OR ANY LINKED WEB SITE, INCLUDING WITHOUT LIMITATION, LOST PROFITS,
    LOSS OF USE, BUSINESS INTERRUPTION, OR OTHER ECONOMIC LOSSES, LOSS OF
    PROGRAMS OR OTHER DATA, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
    OTHER TORTIOUS ACTION, EVEN IF EXPERIAN IS ADVISED OF THE POSSIBILITY OF
    SUCH DAMAGES."

    Passing and enforcing regulations that constrain negligence exemption is
    easier proposed than achieved. Business lobbies frequently pursue their interests on behalf of boardrooms and CxOs above public interests that
    mitigate cyber-crime incident frequency.

    Cybersecurity regulation penalties enforced per https://en.wikipedia.org/wiki/Classes_of_offenses_under_United_States_federal_law
    will signal governance teams to adjust investment priorities. Prosecuting cybersecurity non-compliance can restrain capitalism's capricious
    predilection.

    The surveillance economy imperils civility with impunity. Cybersecurity regulatory enforcement is unlikely to halt cyber-crime, but can promote restoration of trust, a scarce public virtue desperate for replenishment.

    ------------------------------

    Date: Thu, 9 Jul 2020 14:16:21 -0700
    From: Michael LeVine <mlevine@redshift.com>
    Subject: Poochin' Mnuchin?

    Just got this and think it is some sort of lead in to a scam...

    Begin forwarded message:

    From: MAIL SERVICE <xavier@immobiliariarosell.com>
    Subject: NOTIFICATION!!!
    Date: July 9, 2020 at 12:56:35 PM PDT
    To: undisclosed-recipients:;
    Reply-To: 1brattany@att.net

    Attn: Recipient,

    The Office of Foreign Assets Control (OFAC) administers and enforces
    sanctions based on US foreign policy. OFAC acts under Presidential national emergency powers, as well as authority granted by specific legislation, to impose controls on TRANSACTIONS and assets under US jurisdiction.

    However, by the virtue of provision of law which confer [sic] on us powers
    to advocate, adjudicate, suspend and authorize. We hereby state without prejudice that according to the security manifest booklet on outstanding transactions due to an extensive investigation after some financial analysis through the assistance of several agencies with resources combined, we
    intend to raise awareness to eligible recipients off the record.

    All necessary clarifications from our department have commenced and if
    there is any information that may succeed our verification, do not hesitate
    for confirmation.

    Regards,

    Mr. Steven T. Mnuchin
    Secretary of Treasury,
    Office of Foreign Assets Control

    ------------------------------

    Date: Thu, 9 Jul 2020 18:12:50 -0700
    From: Rob Slade <rmslade@shaw.ca>
    Subject: Mental health, stress, and moral injury

    OK, everybody is under stress, of various types, right now. It's creating mental health challenges in a variety of ways. We need to protect our employees, colleagues, and ourselves, as well.

    Concentrating on health workers, the Centre of Excellence on Post-Traumatic Stress Disorder at The Royal Ottawa and Phoenix Australia -- Centre for Post-traumatic Mental Health have co-developed A Guide to Moral Injury. The Website, outlining the issues, is at: https://www.moralinjuryguide.ca/ You
    can obtain the full guide, free of charge:
    https://www.moralinjuryguide.ca/wp-content/uploads/2020/07/Moral-Injury-Guide.pdf
    An executive summary is available here:
    https://www.moralinjuryguide.ca/wp-content/uploads/2020/07/MI-Guide-Executive-Summary.pdf

    ------------------------------

    Date: Wed, 8 Jul 2020 12:40:26 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Home Security Camera Wi-Fi Signals Can be Hacked to Tell When
    People Are Home (Jonathan Chadwick)

    Jonathan Chadwick, *The Daily Mail* (UK), 6 Jul 2020

    Scientists at the U.K.'s Queen Mary University of London and the Chinese Academy of Sciences in Beijing have demonstrated exploits of
    Internet-connected security camera uploads that track potential burglars, allowing hackers to learn whether homes are occupied or not. Many smart home cameras use Wi-Fi connections to facilitate remote monitoring by homeowners, which hackers can hijack when activated--even if the video content is encrypted. An undisclosed home Internet Protocol security camera provider allowed the researchers access to a dataset covering 15.4 million streams
    from 211,000 active users. By studying the rate at which cameras uploaded
    data via the Internet, the team could detect when a camera was uploading motion, and even differentiate between certain types of motion. The
    researchers also learned that online traffic generated by the cameras, often motion-triggered, could be monitored to predict whether people were at home.
    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-25eb9x223498x065969&

    ------------------------------

    Date: Wed, 8 Jul 2020 12:40:26 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Uncovered: 1,000 Phrases That Incorrectly Trigger Alexa, Siri, and
    Google Assistant (Dan Goodin)

    Dan Goodin, Ars Technica, 1 Jul 2020

    Researchers at Ruhr University Bochum and the Max Planck Institute for
    Security and Privacy in Germany have identified more than 1,000 word
    sequences that incorrectly trigger voice assistants like Alexa, Google Home, and Siri. The researchers found that dialogue from TV shows and other
    sources produces false triggers that activate the devices, raising concerns about privacy. Depending on pronunciation, the researchers found that Alexa will wake to the words "unacceptable" and "election," while Siri will
    respond to "a city," and Google Home to "OK, cool." They note that when the devices wake, a portion of the conversation is recorded and transmitted to
    the manufacturer, where employees may transcribe and check the audio to help improve word recognition. This means each company's logs may contain
    fragments of potentially private conversations.
    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-25eb9x22349cx065969&

    ------------------------------

    Date: Wed, 8 Jul 2020 12:40:26 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Can an Algorithm Predict the Pandemic's Next Moves?
    (Benedict Carey)

    Benedict Carey, *The New York Times*, 2 Jul 2020

    An international team of scientists has developed a computer model to
    predict Covid-19 outbreaks about two weeks before they happen. Team leaders Mauricio Santillana and Nicole Kogan of Harvard University created the algorithm, which monitors Twitter, Google searches, and mobility data from smartphones in real time in order to forecast outbreaks 14 days or more
    before case counts start rising. Santillana said the model is based on observations rather than assumptions, employing methods responsive to
    immediate behavioral changes. The team integrated multiple real-time data streams with a prediction model from Northeastern University, based on
    people's movements and interactions in communities, and assessed the value
    of trends in the data stream by observing how each correlated with case
    counts and deaths over March and April in each state. Santillana said, "We don't see this data as replacing traditional surveillance, but confirming
    it."
    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-25eb9x223497x065969&

    ------------------------------

    Date: Mon, 13 Jul 2020 09:09:16 -0600
    From: Cooley <info@emailcc.com>
    Subject: Supreme Court Preserves Limits on Autodialed Calls to Cell Phones,
    Overturns Government Debt Collection Exception

    In a widely anticipated decision in Barr v. American Association of
    Political Consultants, the US Supreme Court determined that an exception to
    the Telephone Consumer Protection Act (TCPA) that allowed robocalls to
    mobile phones to collect government debts was unconstitutional, but declined
    to overturn the broader ban on most robocalls to mobile phones without the prior express consent of the recipient. The decision reveals significant differences among the justices on how to apply the First Amendment to the
    TCPA, but also leaves that current regime in place for all but a fraction of entities that use autodialed calls. As a result, entities that make
    autodialed calls should continue to obtain prior express written consent
    for those calls.

    https://i.cooley.com/e/708103/C50814EDFB41B8F669AE9711D--z-z/43q7j/159951937?hyrXwDekXtEKMUTjG6B8lfsrf4HyeCQ5MQcbcPQ9Gswg

    ------------------------------

    Date: Fri, 10 Jul 2020 17:58:21 +0100
    From: Neil Youngman <antlists@youngman.org.uk>
    Subject: Re: Not so random acts: Science finds that being kind pays off
    (RISKS-32.08)

    It's long been known that tit-for-tat is a very good social strategy -- it's pretty obvious that anybody who is always kind will be taken advantage of,
    and anybody who is never kind will be shunned.

    But if we're "forgiving tit-for-tat" (i.e., we're mostly tit-for-tat but
    every now and then forgive an unkindness), then people who don't play the
    game get punished, but people who do can be pretty much always kind in
    safety.

    That's old news ...

    ------------------------------

    Date: Mon, 1 Jun 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 32.09
    ************************
