Risks Digest 32.29

    RISKS-LIST: Risks-Forum Digest Friday 25 September 2020 Volume 32 : Issue 29

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.29>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Tesla network outage -- massive (Electrek and The Sun)
    5G Wireless May Lead to Inaccurate Weather Forecasts (Rutgers Today)
    Major Instagram App Bug Could've Given Hackers Remote Access to Your Phone
    (The Hacker News)
    Tribune staff furious as cybersecurity test email makes cruel promises
    (WashPost)
World's Biggest Data Breaches and Hacks (Information Is Beautiful)
UK COVID-19 test booking website bugs tell some users no test slots are
available (Schools Week)
    Pandemic spurs journalists to go it alone via email (Axios)
    Re: Old TV caused village broadband outages for 18 months (Attila the Hun)
    Re: Unsecured Microsoft Bing Server Exposed Users' Search Queries and
    Location (paul wallich)
    Re: D.C.'s New Area Code Will Be... 771 (John Levine)
    Re: UK Companies House (Peter Bernard Ladkin)
    Re: Boeing cuts flight training pilots, will outsource jobs overseas: Link
    fix (Steve Klein)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 23 Sep 2020 08:05:25 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Tesla network outage -- massive (Electrek and The Sun)

    *TESLA's network completely dropped in a massive outage on Wednesday that
    left drivers unable to connect to their cars.*

    According to Electrek, internal systems were fully down and around 11am ET, users couldn't connect their vehicles to the mobile app.

    <https://electrek.co/2020/09/23/tesla-suffers-complete-network-outage-internal-systems-and-connectivity-features-down/>

    The outage -- which appeared to be global -- is said to be one of the "most wide-ranging" in Tesla's history...

    https://www.the-sun.com/news/1521051/tesla-network-outage-down-elon-musk-cars-connectivity/

    Connectivity was reportedly returning for some users' cars. <https://www.the-sun.com/topic/electric-cars/>

    ------------------------------

    Date: Fri, 25 Sep 2020 13:11:35 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: 5G Wireless May Lead to Inaccurate Weather Forecasts
    (Rutgers Today)

    5G Wireless May Lead to Inaccurate Weather Forecasts
Rutgers Today, 24 Sep 2020 via ACM TechNews 25 Sep 2020

    A study by Rutgers University researchers found upcoming 5G wireless
    networks that expedite cellphone service may lead to inaccurate weather forecasts. Signals from 5G frequency bands could leak into the band used by weather sensors on satellites that quantify atmospheric water vapor. The Rutgers team used computer modeling to examine the impact of unintended 5G leakage into an adjacent frequency band in predicting the 2008 Super Tuesday Tornado Outbreak in the South and Midwestern regions of the U.S. The
    modeling found 5G leakage of -15 to -20 decibel Watts impacted the accuracy
    of rainfall forecasting by up to 0.9 millimeters during the tornado
    outbreak, and also affected forecasting of temperatures near ground level by
    up to 2.34 degrees Fahrenheit. Rutgers' Narayan B. Mandayam said, "If we
    want leakage to be at levels preferred by the 5G community, we need to work
    on more detailed models as well as antenna technology, dynamic reallocation
    of spectrum resources, and improved weather forecasting algorithms that can take into account 5G leakage." https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-272d2x2251b5x065481&

    ------------------------------

    Date: Thu, 24 Sep 2020 08:24:15 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Major Instagram App Bug Could've Given Hackers Remote Access to
    Your Phone (The Hacker News)

    Ever wonder how hackers can hack your smartphone remotely?

    In a report shared with The Hacker News today, Check Point researchers disclosed details about a *critical vulnerability* <https://www.facebook.com/security/advisories/cve-2020-1895> in Instagram's Android app that could have allowed remote attackers to take control over a targeted device just by sending victims a specially crafted image.

    What's more worrisome is that the flaw not only lets attackers perform
    actions on behalf of the user within the Instagram app -- including spying
    on victim's private messages and even deleting or posting photos from their accounts -- but also execute arbitrary code on the device.

    According to an *advisory* <https://m.facebook.com/security/advisories/cve-2020-1895> published by Facebook, the heap overflow security issue (tracked as CVE-2020-1895, CVSS score: 7.8) impacts all versions of the Instagram app prior to
    128.0.0.26.128, which was released on February 10 earlier this year.

    "This [flaw] turns the device into a tool for spying on targeted users
    without their knowledge, as well as enabling malicious manipulation of their Instagram profile," Check Point Research said in *an analysis published
    today. <https://blog.checkpoint.com/2020/09/24/instahack-how-researchers-were-able-to-take-over-the-instagram-app-using-a-malicious-image/>*

    "In either case, the attack could lead to a massive invasion of users'
    privacy and could affect reputations -- or lead to security risks that are
    even more serious."

    After the findings were reported to Facebook, the social media company addressed the issue with a patch update released six months ago. The public disclosure was delayed all this time to allow the majority of Instagram's
    users to update the app, thereby mitigating the risk this vulnerability may introduce.

    Although Facebook confirmed there were no signs that this bug was exploited globally, the development is another reminder of why it's essential to keep apps up to date and be mindful of the permissions granted to them. A Heap Overflow Vulnerability. [...]

    https://thehackernews.com/2020/09/instagram-android-hack.html
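The item only says "heap overflow" and "specially crafted image". As an added illustration of that bug class, and not Instagram's code or anything taken from the advisory, the C below shows the pattern a reviewer looks for first in an image decoder: the pixel buffer is sized from dimensions read out of the attacker-supplied file, the 32-bit width*height*bpp product wraps, malloc() hands back a tiny buffer, and the decode loop then writes the whole image past its end. That this is the mechanism behind CVE-2020-1895 is an assumption; the hardened variant, the 64 MiB policy limit and the 4 bytes-per-pixel constant are also assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/*
 * Added illustration of the bug class named in the item (heap overflow via a
 * crafted image). NOT Instagram's code and not taken from the advisory.
 * Assumption: the decoder sizes its pixel buffer from dimensions it reads out
 * of the attacker-supplied file. A 32-bit width*height*bpp product wraps,
 * malloc() returns a small buffer, and the decode loop then writes the full
 * image past its end.
 */

#define BYTES_PER_PIXEL 4u
#define MAX_IMAGE_BYTES (64u * 1024u * 1024u)   /* assumed policy limit: 64 MiB */

/* Vulnerable pattern: the size arithmetic is done in 32 bits with no check. */
static uint8_t *alloc_pixels_vulnerable(uint32_t width, uint32_t height,
                                        uint32_t *out_size)
{
    uint32_t size = width * height * BYTES_PER_PIXEL;  /* may wrap to a tiny value */
    *out_size = size;
    return (uint8_t *)malloc(size ? size : 1);
}

/* Hardened pattern: bound each factor before multiplying, using division so
 * the check itself cannot overflow; reject anything above the policy limit. */
static int checked_image_size(uint32_t width, uint32_t height,
                              size_t max_bytes, size_t *out_size)
{
    if (width == 0 || height == 0)
        return -1;
    if ((size_t)height > max_bytes / width)          /* width*height > max_bytes */
        return -1;
    size_t pixels = (size_t)width * (size_t)height;
    if (pixels > max_bytes / BYTES_PER_PIXEL)        /* pixels*bpp > max_bytes */
        return -1;
    *out_size = pixels * BYTES_PER_PIXEL;
    return 0;
}

static uint8_t *alloc_pixels_hardened(uint32_t width, uint32_t height)
{
    size_t size;
    if (checked_image_size(width, height, MAX_IMAGE_BYTES, &size) != 0)
        return NULL;
    return (uint8_t *)calloc(size, 1);
}

/* What a decode loop would actually write for the declared dimensions,
 * computed in 64 bits so it cannot wrap. */
static uint64_t bytes_decoder_writes(uint32_t width, uint32_t height)
{
    return (uint64_t)width * (uint64_t)height * BYTES_PER_PIXEL;
}

/* 1 if the vulnerable allocator hands back less memory than the decoder
 * would write for these dimensions, i.e. a heap overflow would follow. */
int vulnerable_allocation_is_undersized(uint32_t width, uint32_t height)
{
    uint32_t alloc_size;
    uint8_t *buf = alloc_pixels_vulnerable(width, height, &alloc_size);
    int undersized = (uint64_t)alloc_size < bytes_decoder_writes(width, height);
    free(buf);
    return undersized;
}

/* 1 if the hardened allocator accepts these dimensions. */
int hardened_accepts(uint32_t width, uint32_t height)
{
    uint8_t *buf = alloc_pixels_hardened(width, height);
    int accepted = (buf != NULL);
    free(buf);
    return accepted;
}
```

A header declaring 65536 x 65537 pixels makes the vulnerable product wrap to 262144 bytes while the decoder would write about 17 GB; the hardened check rejects it because height exceeds max_bytes/width. Ordinary dimensions such as 1024 x 768 pass both paths. The division-based check is the part to copy: testing `width * height > max` after the fact is useless, because the multiplication has already wrapped.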

    ------------------------------

    Date: Thu, 24 Sep 2020 09:46:03 +0200
    From: Peter Houppermans <peter@houppermans.net>
    Subject: Tribune staff furious as cybersecurity test email makes cruel
    promises (WashPost)

    Source: https://www.washingtonpost.com/media/2020/09/23/tribune-bonus-email-phishing-hoax/

"Employees of the Tribune Publishing Company were momentarily thrilled Wednesday after they received a company email announcing that they were each getting a bonus of up to $10,000, to 'thank you for your ongoing commitment
to excellence.'

To see how big their bonus would be, they just had to click on a link. Well, that's when they learned they had failed the test." This test ran into
a history of furloughs and layoffs, and thus created considerable anger
amongst staff.

    This leads to a number of interesting questions:

1. Employees: given this history, just how likely were the contents of that email? The fact that many clicked illustrates that a phishing campaign
using this exact content for real *would have worked*. This is PRECISELY
how such scams work.

2. In the case of a real email hoax or phishing attempt, who would the
staff have blamed for the consequences, such as ransomware shutting the
company down and potentially causing even more layoffs? I assume the wrath would then go to the people who did this test?

    3. What else could this company have done to prove this point?

    There is not enough information to assess if the company ran a staff security awareness training beforehand, but it certainly appears to be required.

    ------------------------------

    Date: Wed, 23 Sep 2020 12:21:51 -1000
    From: geoff goodfellow <geoff@iconia.com>
Subject: World's Biggest Data Breaches and Hacks (Information Is Beautiful)

    https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

    ------------------------------

    Date: Fri, 25 Sep 2020 13:58:27 +0100
    From: Matthew Pittman <matthew@pittman.me.uk>
Subject: UK COVID-19 test booking website bugs tell some users no test slots
are available (Schools Week)

    https://schoolsweek.co.uk/anger-as-government-admits-test-and-trace-website-coding-error/

This article has a good description of the bug(s), but the implication (that some infected people were being told there were no test slots available)
has not, as far as I can tell, been explored in depth by mainstream media.

    It seems to me that if even a modest number of infected people were turned
    away and were not subsequently tested then there is a very good chance that
    a few generations of contacts down the track some infected patients will inevitably die. To me this means that the software defect was a material factor in loss of human life.

    The article contains an analysis of testing by Adam Leon Smith, chair of the software testing specialist group of British Computer Society, The Chartered Institute for IT. I'm reading between the lines when I suggest that it
    sounds like this part of the web was basically untested.

    There have been other articles in the press following up the connection with Deloitte, apparently the prime contractor for the testing service, but none
    I could find had the detail of this description.

    I have not fact checked the linked article.

    ------------------------------

    Date: Thu, 24 Sep 2020 08:18:52 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Pandemic spurs journalists to go it alone via email (Axios)

    A slew of high-profile journalists have recently announced they are leaving newsrooms to launch their own, independent brands, mostly via email newsletters.

    Context: Many of those writers, working with new technology companies like Substack, TinyLetter, Lede, or Ghost, have made the transition amid the pandemic.

    - The pandemic strained the finances of traditional newsrooms and
    publications and sent most journalists to work from home.

- "I think many people in the journalism world saw how quickly their
business fortunes can change during COVID and decided they would rather
run their own business as opposed to be dependent on another business's
ebbs and flows," says Alex Kantrowitz, former Buzzfeed reporter turned
author of the Big Technology newsletter on Substack.
<https://bigtechnology.substack.com/>

Driving the news: Several prominent business, technology or political journalists have left their news companies to launch their own newsletters, including:

    - Alex Kantrowitz (formerly of Buzzfeed), Casey Newton (formerly of The
    Verge), Josh Constine (formerly of TechCrunch), Andrew Sullivan (formerly
    of New York Magazine), Emily Atkin (formerly of The New Republic), Anne
    Helen Petersen (formerly of Buzzfeed) and Matt Taibbi, (formerly of
    Rolling Stone).

    - They join a wider cohort of journalists and pundits that have started
    independent newsletters in the past few years, including Ben Thompson
    (Stratechery <https://stratechery.com/>) and Bill Bishop (Sinocism
    <https://sinocism.com/>).

    By the numbers: [...] https://www.axios.com/pandemic-spurs-journalists-to-go-it-alone-via-email-613ca2d5-e8d5-4235-9582-48cc028e9d8b.html

    ------------------------------

    Date: Wed, 23 Sep 2020 09:30:15 +0100
    From: Attila the Hun <attilathehun1900@tiscali.co.uk>
Subject: Re: Old TV caused village broadband outages for 18 months
(BBC, RISKS-32.28)

    A longer article on the matter included the following:

    "However, despite Openreach's triumphant claims, villagers
    including Mr and Mrs Rees's own son, Aled, insisted yesterday
    that their Internet problems persisted, long after the offending
    television had been scrapped.

    Aled Rees told The Telegraph: ``This Mr Jones must be smoking something
    funny if he thinks it's got anything to do with the TV. My parents had only had the TV a few months. The problems in the village had been going on for much longer than that and are continuing today, even after they got rid of
    the TV.

    ``I've no idea why Openreach are saying this -- they've got to blame
    somebody and they're not going to blame themselves.''

    Eirian Hughes, 63, said: ``This story is just a smokescreen, and the fact
    is, it's costing too much to connect to fibre. The broadband service is rubbish.''

    Farmer Geraint Jones, 60, said the connection speed was still ``worse than appalling.''

    An Openreach spokesman said: ``It's true to say the villagers were already having to put up with broadband on an old slower copper network -- but the faulty TV was clearly interfering with the existing service and we're
    delighted to have solved that particular mystery.

    ``We're pleased to say the village is now in line to be upgraded imminently
    to superfast broadband which will improve matters even more.''

    I think the last statement might be more than a little suggestive.

    ------------------------------

    Date: Wed, 23 Sep 2020 10:01:48 -0400
    From: paul wallich <pw@panix.com>
    Subject: Re: Unsecured Microsoft Bing Server Exposed Users' Search
    Queries and Location (RISKS-32.28)

> The logging database, however, doesn't include any personal details such as names or addresses.

    If you have GPS coordinates, device details and query strings, it should be possible to de-anonymize quite a lot of that database using other
    sources. Even more risky (perhaps) is the possibility that de-anonymization would be mistaken (e.g. as a result of GPS margin of error). For a
    surveillance state this is particularly pernicious because of the habit
    search engines now have of putting additional words in their users' search boxes. So someone might get tagged for a search they didn't even
    intentionally make.
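The linkage attack sketched above, as an added example that is not part of the original post: join leaked rows (GPS fix, device string, query) against an outside dataset of people whose usual location and device are known, and see how the answer depends on how much GPS error the analyst is willing to assume. All names, coordinates, device strings and queries are constructed for this example; none come from the Bing incident. The flat-earth metres-per-degree constants are assumed values for roughly 47.6 N so that no maths library is needed.

```c
#include <stddef.h>
#include <string.h>

/*
 * Added illustration of a linkage (re-identification) attack on leaked
 * query logs carrying GPS coordinates and device details. Everything here
 * is constructed: names, coordinates, devices, queries.
 */

typedef struct {
    const char *name;
    double lat, lon;        /* known "usual" location, e.g. from public posts */
    const char *device;
} Person;

typedef struct {
    double lat, lon;        /* GPS fix attached to the logged query */
    const char *device;
    const char *query;
} LogRow;

/* Outside dataset (constructed). A and B are neighbours a few metres apart
 * with the same device class: exactly the case where GPS error bites. */
static const Person directory[] = {
    { "A. Example", 47.60000, -122.33000, "Android/Pixel" },
    { "B. Sample",  47.60005, -122.33004, "Android/Pixel" },
    { "C. Test",    47.62000, -122.35000, "iOS/iPhone"    },
};
#define NUM_PEOPLE (sizeof directory / sizeof directory[0])

/* Leaked log rows (constructed). */
static const LogRow leaked[] = {
    { 47.62003, -122.34995, "iOS/iPhone",    "symptoms of ..." },
    { 47.60002, -122.33002, "Android/Pixel", "divorce lawyer"  },
};
#define NUM_ROWS (sizeof leaked / sizeof leaked[0])

/* Flat-earth approximation so no libm is needed. Assumed constants for
 * roughly 47.6 N: metres per degree of latitude, and of longitude scaled by
 * cos(47.6 deg) ~ 0.674. Adequate at the tens-of-metres scale used here. */
#define M_PER_DEG_LAT 111320.0
#define M_PER_DEG_LON 75050.0

/* Squared distance in metres between two fixes (no sqrt needed). */
static double dist2_m(double lat1, double lon1, double lat2, double lon2)
{
    double dy = (lat1 - lat2) * M_PER_DEG_LAT;
    double dx = (lon1 - lon2) * M_PER_DEG_LON;
    return dy * dy + dx * dx;
}

/* Number of directory entries consistent with a log row: same device string
 * and within radius_m of the row's fix. Stores the index of the first one. */
static int candidates_for(const LogRow *row, double radius_m, size_t *first)
{
    int n = 0;
    for (size_t i = 0; i < NUM_PEOPLE; i++) {
        if (strcmp(directory[i].device, row->device) != 0)
            continue;
        if (dist2_m(row->lat, row->lon, directory[i].lat, directory[i].lon)
                > radius_m * radius_m)
            continue;
        if (n == 0)
            *first = i;
        n++;
    }
    return n;
}

/* 0 = nobody matches, 1 = unique link, 2 = ambiguous (several candidates). */
int link_status(size_t row_index, double radius_m)
{
    size_t first = 0;
    if (row_index >= NUM_ROWS)
        return 0;
    int n = candidates_for(&leaked[row_index], radius_m, &first);
    return n == 0 ? 0 : (n == 1 ? 1 : 2);
}

/* Name an analyst would attach to the row if they trust the radius, or NULL
 * when the link is absent or ambiguous. */
const char *linked_name(size_t row_index, double radius_m)
{
    size_t first = 0;
    if (row_index >= NUM_ROWS)
        return NULL;
    if (candidates_for(&leaked[row_index], radius_m, &first) != 1)
        return NULL;
    return directory[first].name;
}
```

Row 0 links uniquely to C at any reasonable radius because nobody else with that device is nearby. Row 1 is the interesting one: with a 10 m radius it is ambiguous between the two neighbours A and B, while an analyst who assumes GPS is good to 3 m "uniquely" pins the "divorce lawyer" query on A, a confident tag that the data cannot actually support, which is the mistaken de-anonymization the post warns about.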

    ------------------------------

    Date: 23 Sep 2020 14:43:24 -0400
    From: "John Levine" <johnl@iecc.com>
    Subject: Re: D.C.'s New Area Code Will Be... 771 (RISKS-32.28)

    This is pretty impressive considering that there are over 7 million numbers allocated to 202, and only about 1.2 million people who live or work in the District. When I look at tables that show what numbers are allocated to what carriers, I see vast ranges to mobile carriers and to CLECs, who now mostly provide VoIP numbers. So perhaps there are a few people who want cool 202 numbers even though they really live somewhere else.

> ... I wonder how many area codes NANPA ... when we'll need four-digit area
> codes. Or hexadecimal phone keypads, or phone numbers including */#. (Yes,
> latter two are jokes -- mostly)

    You don't have to guess, it's on their web site:

    https://www.nationalnanpa.com/reports/April_2020_NANP_Exhaust_Analysis%20Final.pdf

Based on current trends, it will be later than 2050, which is as far away as their models go. There was a burst of demand when mobile phones were new,
and when CLECs were setting up modem banks. (At the time they had to
allocate a 10,000 number block even if the CLEC only needed a handful of numbers, a problem since fixed.) But things have slowed down a lot since everyone now has a phone, and modems are found only in burglar alarms and history museums.

Regards, John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet
for Dummies", Please consider the environment before reading this e-mail. https://jl.ly

    ------------------------------

    Date: Wed, 23 Sep 2020 13:28:05 +0200
    From: Peter Bernard Ladkin <ladkin@causalis.com>
    Subject: Re: UK Companies House (Stein, RISKS-32.28)

    "The UK's Companies House comprises a core system of record that authenticates business ownership and persons of significant control (PSC)
    -- corporate directors."

    There are two things wrong with this statement. First, the main point of Companies House is to incorporate and dissolve limited companies. The system
    of record is its second task. From its Website: "We incorporate and dissolve limited companies. We register company information and make it available to
    the public." https://www.gov.uk/government/organisations/companies-house

    Second, PSCs are not necessarily directors. Directors of a limited company
    have always been a part of the publicly-available company record held by Companies House. The introduction of the category of PSC and the legal requirement for their public identification in April 2016 is a significant
    part of enhanced UK company transparency. Germany, a country with a
    reputation for careful control of companies, does not (yet) require a declaration of PSCs.

    PSCs are people (real people, not just legal individuals) who:

    * Directly or indirectly hold more than 25% of the shares (all UK limited
    companies issue shares; that is how a company is owned); or
    * Directly or indirectly hold more than 25% of the voting rights; or
    * Directly or indirectly hold the right to appoint or remove a majority of
    directors; or
* Otherwise have the right to exercise, or actually exercise, significant
influence or control; or
    * Have the right to exercise, or actually exercise, significant influence or
    control over the activities of a trust or firm which is not a legal
    entity, but would itself satisfy any of the first four conditions if it
    were an individual. (See, for example,
    https://www.waterfront.law/blog/persons-of-significant-control )

    I think it would enhance any country's transparency about companies to have
    a requirement for identifying PSCs. The report on the UK Government consultation on how to enhance company transparency further, referenced by Stein, does show that a requirement for identifying PSCs is not enough.

    I will note that the previously-booming London property market has long been recognised as an area in which large amounts of money are thought to be *laundered*, and that market has nothing to do with Companies House.

Disclosure: I am majority owner and Director of a UK company registered at Companies House, and I am CEO ("Geschäftsführer") of a German
company fully owned by the English one.

    ------------------------------

    Date: Fri, 25 Sep 2020 09:05:20 -0400
    From: Steve Klein <steven@klein.us>
    Subject: Re: Boeing cuts flight training pilots, will outsource jobs
    overseas: Link fix (The Stand)

    The posted link is http, and should be https. FIX:

    https://www.thestand.org/2020/09/boeing-cuts-flight-training-pilots-will-outsource-jobs-overseas/

    ------------------------------

    Date: Mon, 1 Aug 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 32.29
    ************************
