Risks Digest 32.11

    From RISKS List Owner@21:1/5 to All on Fri Jul 17 00:54:20 2020
    RISKS-LIST: Risks-Forum Digest Thursday 16 July 2020 Volume 32 : Issue 11

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.11>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    High-profile Twitter accounts hacked (Sundry sources)
Russian Hackers Trying to Steal Coronavirus Vaccine Research,
Intelligence Agencies Say (NYTimes)
    Iranian Spies Accidentally Leaked Videos of Themselves Hacking (WiReD)
    NOAA storm-spotting app was suspended after being overrun with
    false and hateful reports (WashPost)
    An invisible hand: Patients aren't being told about the AI systems
    advising their care (StatNews)
    CJEU rejects EU-US Privacy Shield (EAID-Berlin)
    EU court rules U.S. servers not private enough for its citizens' data
    (WashPost)
    When tax prep is free, you may be paying with your privacy (WashPost)
    Re: Why Some Birds Are Likely To Hit Buildings (Keith Medcalf)
    Re: 24-Year-Old Australian Man Spent $2 Million After a Bank Glitch
    (Martin Ward)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 15 Jul 2020 15:10:24 -0700
    From: Paul Saffo <paul@saffo.com>
    Subject: High-profile Twitter accounts hacked (Sundry sources)

    https://www.nbcnews.com/tech/security/suspected-bitcoin-scammers-take-over-twitter-accounts-bill-gates-elon-n1233948

    The Twitter accounts of Barack Obama, Jeff Bezos, Joe Biden, Elon Musk and
    many other high-profile people and companies became pawns Wednesday in one
    of the most visible cyberscams in the Internet's history.

    Suspected bitcoin scammers grabbed control of accounts belonging to the rich and famous, as well as lower-profile accounts, for more than two hours
    during the afternoon and tricked at least a few hundred people into transferring the cryptocurrency.

    A tweet typical of the attack sent from the account of Bill Gates, the
    software mogul who is the world's second-wealthiest person, promised to
    double all payments sent to his Bitcoin address for the next 30 minutes.

    ``Everyone is asking me to give back, and now is the time. You send $1,000,
    I send you back $2,000.''

    Similar tweets appeared on the accounts of rapper Kanye West, investor
    Warren Buffett and corporations including Apple, Wendy's, Uber and the money transfer app Cash.

    Twitter said it was looking into the attack.

    ``We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly,'' the company said in a tweet.

    [See also https://www.nytimes.com/2020/07/15/technology/twitter-hack-bill-gates-elon-musk.html
    https://arstechnica.com/information-technology/2020/07/twitter-lost-control-of-its-internal-systems-to-bitcoin-scamming-hackers/
    A Twitter insider was responsible for a wave of high profile account
    takeovers on Wednesday, according to leaked screenshots obtained by
    Motherboard and two sources who took over accounts. [...]
    Hackers Convinced Twitter Employee to Help Them Hijack Accounts
    After a wave of account takeovers, screenshots of an internal Twitter user
administration tool are being shared in the hacking underground: https://www.vice.com/en_us/article/jgxd3d/twitter-insider-access-panel-account-hacks-biden-uber-bezos
    ]

    [Assume everything can be hacked -- and most easily by insiders.
    Perhaps the only sane policy is this: Always say/write what you believe
    to be true, because everyone may be listening or someone may hack into
it. And damn the torpedoes. The truth will out, even if it may take a
    long time. PGN]

    [Lauren Weinstein also noted (with no URL):
    Twitter shutdown of verified accounts blocked NWS from issuing tornado
    warnings. PGN]

    ------------------------------

    Date: Thu, 16 Jul 2020 15:44:54 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Russian Hackers Trying to Steal Coronavirus Vaccine Research,
    Intelligence Agencies Say

    The hackers have been targeting British, Canadian and American organizations researching vaccines using spear-phishing and malware.

    https://www.nytimes.com/2020/07/16/us/politics/vaccine-hacking-russia.html

    ------------------------------

    Date: Thu, 16 Jul 2020 08:32:32 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Iranian Spies Accidentally Leaked Videos of Themselves Hacking
    (WiReD)

    https://www.wired.com/story/iran-apt35-hacking-video/

    ------------------------------

    Date: Tue, 14 Jul 2020 21:20:17 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: NOAA storm-spotting app was suspended after being overrun with
    false and hateful reports (WashPost)

    The NOAA's "mPING" application was compromised, sending false severe weather data to forecasters and the public.

    https://www.washingtonpost.com/weather/2020/07/14/noaa-app-mping-suspended/

    ------------------------------

    Date: July 16, 2020 at 22:08:12 GMT+9
    From: Richard Forno <rforno@infowarrior.org>
    Subject: An invisible hand: Patients aren't being told about the AI systems
    advising their care (StatNews)

    Rebecca Robbins and Erin Brodwin, 15 Jul 2020, via Dave Farber

    Since February of last year, tens of thousands of patients hospitalized at
    one of Minnesota's largest health systems have had their discharge planning decisions informed with help from an artificial intelligence model. But few
    if any of those patients has any idea about the AI involved in their care.

    That's because frontline clinicians at M Health Fairview generally don't mention the AI whirring behind the scenes in their conversations with
    patients.

    At a growing number of prominent hospitals and clinics around the country, clinicians are turning to AI-powered decision support tools -- many of them unproven -- to help predict whether hospitalized patients are likely to
    develop complications or deteriorate, whether they're at risk of
    readmission, and whether they're likely to die soon. But these patients and their family members are often not informed about or asked to consent to the use of these tools in their care, a STAT examination has found.

    The result: Machines that are completely invisible to patients are
    increasingly guiding decision-making in the clinic.

Hospitals and clinicians ``are operating under the assumption that you do
    not disclose, and that's not really something that has been defended or
    really thought about,'' Harvard Law School professor Glenn Cohen said. Cohen
    is the author of one of only a few articles examining the issue, which has received surprisingly scant attention in the medical literature even as research about AI and machine learning proliferates.

    https://www.statnews.com/2020/07/15/artificial-intelligence-patient-conse-hospitals/

    ------------------------------

    Date: Thu, 16 Jul 2020 16:01:25 +0100
    From: Martyn Thomas <martyn@72f.org>
    Subject: CJEU rejects EU-US Privacy Shield (EAID-Berlin)

    https://www.eaid-berlin.de/dejavu-cjeu-rejects-eu-us-privacy-shield/

    If you are baffled by the penultimate sentence, replace "wear" by "carry".  (with thanks to Judith Rauhofer for the explanation that "tragen" in German
    has both meanings).

[Conversely, the German language used to use "Sicherheit" for both
    security and safety. Perhaps that has changed with the use of
    Cyber/Kyber/...? PGN]

    ------------------------------

    Date: Thu, 16 Jul 2020 18:32:51 +0900
    From: farber@gmail.com
    Subject: EU court rules U.S. servers not private enough for its citizens'
    data (WashPost)

    https://www.washingtonpost.com/world/europe/top-eu-court-ruling-throws-transatlantic-digital-commerce-into-disarray-over-privacy-concerns/2020/07/16/d2c0fe06-c736-11ea-a825-8722004e4150_story.html

    ------------------------------

    Date: Wed, 15 Jul 2020 09:47:57 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: When tax prep is free, you may be paying with your privacy
    (WashPost)

    *Free* tax software is not all created equal. Some want to upsell you.
    Others want the data in your tax return.

    https://www.washingtonpost.com/technology/2019/03/07/when-tax-prep-is-free-you-may-be-paying-with-your-privacy/

    ------------------------------

    Date: Tue, 14 Jul 2020 21:46:33 -0600
    From: "Keith Medcalf" <kmedcalf@dessus.com>
    Subject: Re: Why Some Birds Are Likely To Hit Buildings (Scientific American)

    While this may be entertaining, I would point out that it is unlikely that
    the bird was responsible for the collision. I would suggest that the more realistic situation is that the bird was just flying along minding its own business when a bloody big fat and fast moving airplane that was not
    watching where it was going ran into the poor bird.

    Calling it a "bird strike" is ridiculous. The bird did not strike the aeroplane, the aeroplane ran down the bird. And then the aeroplane and its operator carried on away from the scene of the mishap -- in actual fact the aeroplane pilot committed a hit and run.

    I suppose we should also call pedestrian collisions with automobiles "pedestrian strikes" and blame it on the pedestrian deliberately striking
    the automobiles. It would certainly put an end to a lot of issues if we did this.

    ------------------------------

    Date: Wed, 15 Jul 2020 15:05:01 +0100
    From: Martin Ward <martin@gkc.org.uk>
    Subject: Re: 24-Year-Old Australian Man Spent $2 Million After a Bank
    Glitch (RISKS-32.09)

Given that the court ruled that the overdraft was perfectly legal, and Milky therefore had a legal right to spend the money, it may well have been the *bank* that acted illegally in confiscating Milky's belongings. So, writing
    off the rest of his debt and hoping that he wouldn't go after them is the
    best that they can do, under the circumstances.

    ------------------------------

    Date: Mon, 1 Jun 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 32.11
    ************************
