RISKS-LIST: Risks-Forum Digest Saturday 10 October 2020 Volume 32 : Issue 31
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.31>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Too many passengers at front of plane caused take-off issue at Luton Airport
(BBC)
Tesla owner says he butt-dialed a $4,280 Autopilot upgrade (CNBC)
Why cars are more "fragile": more technology has reduced robustness
(Paul Robinson)
Polestar 2 EV recalled over glitch that can cut power while driving
(Engadget)
Space is becoming too crowded, Rocket Lab CEO warns (CNN)
Botched Excel import may have caused loss of 15,841 UK COVID-19 cases
(Thomas Dzubin plus others)
Psychology study indicates that narcissists are more involved in politics
than the rest of us (SagePub)
Doctor gave an inept diagnosis for a neurological problem (WashPost)
Can AI Detect Disinformation? A New Special Operations Program May Find Out
(Defense One)
California bar exam has facial recognition problems (SanFranChronicle)
Nuclear Waste and Nuclear Waste Management at the Hanford Site
(ContentSharing)
Charges filed in hack that caused NFL athlete's nude pics to be posted on
Twitter (Ars Technica)
A Literal Child and His Mom Sue Nintendo Over 'Joy-Con Drift' (WiReD)
Eero for Service Providers: Eero Wi-Fi mesh targeted at ISPs (Ars Technica)
DHS warns that Emotet malware is one of the most prevalent threats today
(Ars Technica)
'Smart' male chastity device vulnerable to locking by hackers: researchers
(AFP)
Hackers targeting IoT devices with a new P2P botnet malware
(The Hacker News)
Supreme Court takes on Google vs. Oracle: The biggest software development
case ever (ZDNet)
55 New Security Flaws Reported in Apple Software and Services
(The Hacker News)
Researchers Find Vulnerabilities in Microsoft Azure Cloud Service
(The Hacker News)
Microsoft Office 365, Outlook down again (ZDNet)
CyberCommand has sought to disrupt the world's largest botnet, hoping to
reduce its potential impact on the election (WashPost)
Pennsylvania voter services website crashes as 2020 election mail ballot
deadlines loom (Inquirer)
Clinical Trials Hit by Ransomware Attack on Health Tech Firm
(Nicole Perlroth)
Flawed Algorithm Used to Determine UK Welfare Payments Is 'Pushing People
Into Poverty' (Thomas Macaulay)
'The Wire' inspired a fake turtle egg that spies on poachers (WiReD)
The robot shop worker controlled by a faraway human (bbc.com)
"A friend of a friend at Google interviewed at Facebook right as the virus
hit" (unnamed via twitter)
Documents Show How The LAPD Was Trained To Use Palantir (BuzzFeed)
Meet the Customer Service Reps for Disney and Airbnb Who Have to Pay to Talk
to You (ProPublica)
Digital pioneer Geoff Huston apologises for bringing the Internet to
Australia (ZDNet)
Psychographic Profiling cartoon (Tom Fishburne -- Marketoonist)
Re: Maryland's web-delivered ballots must be hand-copied to be counted
(Amos Shapir)
Re: Apple marches to a different beat (Steve Klein, John Levine, Alan Ralph,
Craig S. Cottingham)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Sat, 10 Oct 2020 12:30:32 -0500
From: Allen Bonneau <alnbonneau@gmail.com>
Subject: Too many passengers at front of plane caused take-off issue at
Luton Airport (BBC)
Downstream impact from an unavailable system
The automated system had a technical issue preventing a plane change from
being passed to downstream systems. Operators noticed the change and manual updates were performed as a workaround. Either the workaround was not
complete or did [not?] address all affected systems.
https://www.bbc.com/news/uk-england-beds-bucks-herts-54477819
------------------------------
Date: Fri, 9 Oct 2020 14:02:15 +0300
From: Amos Shapir <amos083@gmail.com>
Subject: Tesla owner says he butt-dialed a $4,280 Autopilot upgrade (CNBC)
It seems that the Tesla app on iPhone somehow makes an update purchase as
the default action, and doesn't require a confirmation password or code.
Full story at:
https://www.cnbc.com/2020/10/07/tesla-app-butt-dial-purchases-still-possible-refunds-hard-to-get.html
------------------------------
Date: Fri, 2 Oct 2020 20:37:12 +0000 (UTC)
From: Paul Robinson <rfc1394@yahoo.com>
Subject: Why cars are more "fragile": more technology has reduced robustness
Some associates of mine have noticed problems with automobiles, often with
changes they do not like or want, like forcing the use of a start button
(and stepping on the brake) instead of simply turning the key. It means
things like the passenger being able to turn on the car just by turning the
key have gone the way of the AM-only radio or the crank starter. Now,
turning the engine on, even if you're not going to drive, requires getting
out of the car, sitting in the driver's seat, stepping on the brake, then
pushing the starter. Another problem is that a relatively inexpensive device
(like keys) that even in the most expensive cases never reached US$20 is
now replaced by transponders or keyfobs costing as much as $1,000.
And the cost of repairs has gone up as the capacity of most people to do anything beyond routine maintenance has gone down. Technology has improved features cars have, but it has come at a cost.
Cars in the past used relays to control functions because it was the least expensive way to provide these functions. As microprocessors became ever cheaper and had more functionality, they became ideal for use to do multiple things in place of relays, programmable logic controllers, and other
circuitry. All that they had to do was connect them. Previously they ran one connection (wire) to each thing being controlled. Then they got an idea:
create a network (bus) to connect the components. If the components could simply only listen on the bus for commands addressed to them, you only need
one wire for everything, to send messages everywhere. This provides lots
more flexibility as all you have to do as add new messages with a different command code and you can control a new device, but it makes everything more "fragile."
Now, when I say "fragile," I don't mean the comment of Doc Brown in "Back to
the Future" in which he says a 1954 Buick crashing into a Delorean would
tear through it like tissue paper; I mean the systems are less "robust,"
less resistant to failure.
Systems built with centralized or "concentrated" architecture are more
fragile, more subject to failure because there are more critical points that
if any one point fails, the whole thing fails. On a car from the past, short
of the engine or transmission suffering catastrophic damage, the car would continue to operate. Today, if the computer or the bus is damaged, your car
is inoperable.
Previously, a failure of the air conditioning didn't mean the car couldn't drive, or if there was a problem with the power steering it doesn't prevent
you from putting the car in reverse. But today, so many systems are
connected in a very centralized architecture that one system can affect
another due to side effects. It also means that where before, just about
anyone with ordinary education and skills could repair most things on an
automobile with ordinary tools, today it takes a skilled mechanic with a
master's degree and $40,000 in equipment.
Distributed architecture increases robustness. Here are two examples.
The development of Blockchain technology has caused other industries to use
it beyond cryptocurrency. An example being a bank: crack their mainframe and you can steal just about anything. But, if instead of breaking one computer
you have to get, say, all or a majority of all 100 branches to agree, it
makes it much harder to almost impossible to create a fraudulent
transaction.
During the Gulf War, despite saturation bombing, the coalition forces were unable to shut down Iraq's military Command & Control systems; the messages still got through. The reason being that the systems were built using
TCP/IP, the same communications protocol used by the Internet, and was
invented specifically for the US military to be able to continue to operate communications infrastructure capable of communicating to troops in the
event of nuclear war. We found out under actual battlefield conditions that "the damn stuff actually works."
These and other examples show that distributed architecture makes systems
more robust, while concentrated architecture makes systems more fragile. We
have gained increased functionality and cost savings, while sacrificing
robustness and simplicity, and the trend is likely to continue, unless
people get sick of these failures and demand better, or someone comes up
with better systems that are more robust and possibly simpler.
While that would be nice, I don't see that happening any time soon.
------------------------------
Date: Sat, 3 Oct 2020 12:08:30 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Polestar 2 EV recalled over glitch that can cut power while driving
(Engadget)
https://www.engadget.com/polestar-2-ev-recall-over-power-glitch-151046269.html
------------------------------
Date: Fri, 9 Oct 2020 05:07:00 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Space is becoming too crowded, Rocket Lab CEO warns (CNN)
In 1978, NASA scientist Donald Kessler warned of a potential catastrophic, cascading chain reaction in outer space. Today known as "Kessler Syndrome,"
the theory posited that space above Earth could one day become so crowded,
so polluted with both active satellites and the detritus of space
explorations past, that it could render future space endeavors more
difficult, if not impossible. Last week, the CEO of Rocket Lab, a launch startup, said the company is already beginning to experience the effect of growing congestion in outer space. Rocket Lab CEO Peter Beck said that the sheer number of objects in space right now -- a number that is growing
quickly thanks in part to SpaceX's satellite Internet constellation,
Starlink -- is making it more difficult to find a clear path for rockets to launch new satellites. "This has a massive impact on the launch side," he
told CNN Business. Rockets "have to try and weave their way up in between these [satellite] constellations."
Part of the problem is that outer space remains largely unregulated. The
last widely agreed upon international treaty hasn't been updated in five decades, and that's mostly left the commercial space industry to police
itself. Rocket Lab set out to create lightweight rockets -- far smaller
than SpaceX's 230-foot-tall Falcon rockets -- that can deliver batches of
small satellites to space on a monthly or even weekly basis. Since 2018,
Rocket Lab has launched 12 successful missions and a total of 55 satellites
to space for a variety of research and commercial purposes. Beck said the
in-orbit traffic issues took a turn for the worse over the past 12 months.
It was over that time that SpaceX has rapidly built up its Starlink constellation, growing it to include more than 700 Internet-beaming
satellites. It's already the largest satellite constellation by far, and the company plans to grow it to include between 12,000 and 40,000 total
satellites. That's five times the total number of satellites humans have
*launched since the dawn of spaceflight* in the late 1950s.
<https://www.cnn.com/2020/07/02/tech/spacex-starlink-planet-9-x-scn/index.html>
It's not clear if traffic from its own satellites has also caused
frustrations for SpaceX. The company did not respond to a request for
comment. Orbital junkyards. [...]
https://www.cnn.com/2020/10/07/business/rocket-lab-debris-launch-traffic-scn/index.html
------------------------------
Date: Mon, 5 Oct 2020 13:48:04 -0700 (PDT)
From: Thomas Dzubin <dzubint@vcn.bc.ca>
Subject: Botched Excel import may have caused loss of 15,841 UK COVID-19 cases
"The problem is that the PHE developers picked an old file format to do this
- known as XLS. As a consequence, each template could handle only about
65,000 rows of data rather than the one million-plus rows that Excel is
actually capable of."
https://arstechnica.com/tech-policy/2020/10/excel-glitch-may-have-caused-uk-to-underreport-covid-19-cases-by-15841/
"Asked if it was likely that some people will have got coronavirus due to
the IT failure, Work and Pensions Secretary Therese Coffey told Sky News:
'There may well be.'"
The error is believed to have been caused by a spreadsheet containing lab results reaching its maximum size, and failing to update.
https://www.standard.co.uk/news/uk/covid-testing-technical-issue-excel-spreadsheet-a4563616.html
So, the problem hasn't actually been fixed... just pushed down the road a
bit for someone else to deal with in the next pandemic.
[danny burstein noted a Twitter item from Max Roser, Univ. of Oxford
researcher:
https://twitter.com/MaxCRoser/status/1313046638915706880
ah.... I had some trouble copying those URLs, but here:
https://www.bbc.co.uk/news/uk-54412581
https://www.dailymail.co.uk/news/article-8805697/Furious-blame-game-16-000-Covid-cases-missed-Excel-glitch.html
PGN]
[Regarding this item, Arthur T. noted:
What I thought at least as interesting for RISKS readers, though, was
that a follow-up article pointed to "The European Spreadsheet Risks
Interest Group - EuSpRIG - ("yewsprig") for short." It's a site
specifically for Spreadsheet Risk Management. It includes a page of
spreadsheet errors which were egregious enough to make it into the news:
<http://www.eusprig.org/horror-stories.htm>. As of when I checked, this
news item had not yet appeared.
PGN]
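As an added example (not code from the RISKS item or from PHE's pipeline), the following Python model reproduces the failure mode above and the two controls a practitioner would want around it: fail closed or split the batch when it exceeds the format's row cap, and reconcile identifiers after the load rather than trusting the count. The 65,535 data-row cap, the constructed sample feed and the function names are assumptions of this illustration.

```python
# Added example, not from the RISKS item or from PHE: a lab-results feed is
# loaded into an XLS-format template that holds only about 65,000 rows, so
# everything past the cap is silently dropped. Cap value, sample data and
# function names are assumptions made for this illustration.

# A BIFF8 (.xls) worksheet holds 65,536 rows; one row goes to the header.
XLS_MAX_ROWS = 65_536
XLS_DATA_ROWS = XLS_MAX_ROWS - 1


class TruncationError(Exception):
    """Raised when a batch would not fit into a single template."""


def make_results(n):
    """Constructed sample feed: n positive lab results keyed by specimen id."""
    return [{"specimen_id": f"S{i:07d}", "result": "POSITIVE"} for i in range(n)]


def naive_template_load(rows, cap=XLS_DATA_ROWS):
    """Models the risky behaviour: rows beyond the sheet's capacity are lost
    and the caller is told nothing. Deliberately the 'before' case."""
    return rows[:cap]


def checked_template_load(rows, cap=XLS_DATA_ROWS):
    """Hardened variant: fail closed instead of emitting a partial template."""
    if len(rows) > cap:
        raise TruncationError(
            f"{len(rows)} rows exceed template capacity of {cap}; refusing to truncate"
        )
    return list(rows)


def chunked_template_load(rows, cap=XLS_DATA_ROWS):
    """Alternative mitigation: split the batch into templates that each fit."""
    return [rows[i:i + cap] for i in range(0, len(rows), cap)]


def reconcile(source_rows, loaded_rows, cap=XLS_DATA_ROWS):
    """Independent control that belongs after any load step: compare what went
    in against what came out, by identifier rather than by count alone."""
    source_ids = {r["specimen_id"] for r in source_rows}
    loaded_ids = {r["specimen_id"] for r in loaded_rows}
    return {
        "source": len(source_ids),
        "loaded": len(loaded_ids),
        "missing": len(source_ids - loaded_ids),
        # A loaded count that lands exactly on the format's capacity is the
        # tell-tale sign of silent truncation and deserves an alert on its own.
        "at_cap": len(loaded_rows) == cap,
    }


def demo(batch_size=XLS_DATA_ROWS + 15_841):
    """Run the naive load on a constructed batch and return the reconciliation
    report. The default batch size is chosen so the loss equals the 15,841
    figure from the article; that is a constructed coincidence, not PHE's data."""
    rows = make_results(batch_size)
    return reconcile(rows, naive_template_load(rows))


if __name__ == "__main__":
    print(demo())  # {'source': 81376, 'loaded': 65535, 'missing': 15841, 'at_cap': True}
    oversized = make_results(XLS_DATA_ROWS + 1)
    try:
        checked_template_load(oversized)
    except TruncationError as exc:
        print("checked load refused:", exc)
    print("templates needed:", len(chunked_template_load(oversized)))
```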
------------------------------
Date: Fri, 2 Oct 2020 09:56:38 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Psychology study indicates that narcissists are more involved in
politics than the rest of us (SagePub)
Those higher in narcissism are disproportionately taking part in the
democratic process, according to new research published in *Personality and
Social Psychology Bulletin*
<https://journals.sagepub.com/doi/10.1177/0146167220919212>.
The study found a positive correlation between narcissism and political participation. In other words: The more narcissistic someone is, the more likely they are to contact politicians, sign petitions, donate money, and
vote in midterm elections.
``We have entered into an *Age of Entitlement* and a *post-truth* world
that combine to form an unprecedented cultural movement where large portions
of the public pursue self-interest and self-promotion above all things and
truth is whatever you want it to be, where alternative facts are given equal
standing with credible sources,'' said study author *Pete Hatemi*
<https://scholar.google.com/citations?hl=en&user=Ci8Ix08AAAAJ&view_op=list_works&sortby=pubdate>,
a distinguished professor at Penn State University.
``It is hard not to notice how much more of *me* is part of our world -- projecting one's status at the cost of others, whether using social media
such as Facebook or Instagram or Twitter. Gone are the days when
children's goals were to be something or do something important, replaced
by the desire to be famous. Tom Wolfe's vision seems to have come to
pass.''
``It was hard for my colleague Zoltan Fazekas and me to ignore the rampant
narcissism in our elected leaders, and the outcomes of their decisions. And
it seemed likely that higher public narcissism has some role in the growing
instability of our democracy, and in 2009 we began collecting data to see
if those higher in narcissism are taking a greater part in the political
process,'' Hatemi explained.
The researchers examined data from two nationally representative surveys in
the U.S. and in Denmark, with 500 and 2,450 participants in each,
respectively, and a web-based U.S. survey with 2,280 participants.
All of the surveys assessed narcissism and eight types of political participation: signing a petition, boycotting or buying products for
political reasons, participating in a demonstration, attending political meetings, contacting politicians, donating money, contacting the media, and taking part in political forums and discussion groups.
The surveys also collect information about voting behavior and
sociodemographic variables such as gender, age, race, education, and
political ideology. [...]
https://www.psypost.org/2020/09/psychology-study-indicates-that-narcissists-are-more-involved-in-politics-than-the-rest-of-us-58112
------------------------------
Date: Mon, 5 Oct 2020 16:51:37 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Doctor gave an inept diagnosis for a neurological problem (WashPost)
Steven H. Horowitz, *The Washington Post*
Perspective: "A doctor gave me an inept diagnosis for a neurological
problem. I should know: I'm a neurologist."
"I offered to teach the staff at this medical center, but I got nowhere.
I could not have been the first patient so poorly evaluated. Without
doubt, I won't be the last."
https://www.washingtonpost.com/health/hospital-misdiagnosis-mistakes-ignored/2020/10/02/7bac2d10-f851-11ea-be57-d00bb9bc632d_story.html
------------------------------
Date: Mon, 5 Oct 2020 08:39:26 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Can AI Detect Disinformation? A New Special Operations Program May
Find Out (Defense One)
*Air Force, U.S. Special Operations Command fund year-long effort to train
a neural net to rank credibility and sort news from misinformation.*
For all the U.S. military's technical advantages over adversaries, it
still struggles to counter disinformation. A new software tool to be
developed for the U.S. Air Force and Special Operations Command, or SOCOM,
may help change that.
``If you don't compete in the information space, regardless of how good your
operations are, your activities are, you will probably eat a shit sandwich
of disinformation or false reporting later on,'' Raymond `Tony' Thomas, a
former SOCOM chief, said in an interview. ``We certainly experienced that
at the tactical level. That was the epiphany where we would have good raids,
good strikes, etc. and the bad guys would spin it so fast that we would be
eating collateral damage claims, etc. So the information space in that very
tactical space is key.''
It even ``stretches to the strategic space,'' said Thomas, meaning that
disinformation can spread until it affects larger geopolitical realities.
Thomas now serves as an advisory board member for Primer, a company that on Thursday *announced* a Small Business Innovation Research contract to
develop software over the next year to help analysts better -- and much more
quickly -- survey the information landscape and hopefully detect false
narratives that show up in the public space. [...]
<https://www.prnewswire.com/news-releases/socom-and-us-air-force-enlist-primer-to-combat-disinformation-301143716.html>
https://www.defenseone.com/technology/2020/10/can-ai-detect-disinformation-new-special-operations-program-may-find-out/168972/
------------------------------
Date: Thu, 8 Oct 2020 07:24:54 -0700
From: Al Stangenberger <forags@sbcglobal.net>
Subject: California bar exam has facial recognition problems
(SanFranChronicle)
Despite the software vendor's protestations, it appears that facial
recognition software is not ready for prime time...
https://www.sfchronicle.com/business/article/California-bar-exam-takers-say-facial-recognition-15629617.php
------------------------------
Date: Tue, 6 Oct 2020 15:25:00 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Nuclear Waste and Nuclear Waste Management at the Hanford Site
History, Environmental Issues and Policies
Hanford is cited as being the most contaminated site in the Western
Hemisphere. Mr. Weil will cover the history of Hanford from its beginning
as part of the Manhattan Project in 1943. He will discuss the construction
and operation of multiple processing facilities for the production of
plutonium (for more than 60,000 nuclear weapons). He will also discuss waste
management activities from the 1940s to today and current activities at the
Hanford Site. The presentation will review major activities including the
development and impact of the Hanford Federal Facility Compliance Agreement
and Consent Order, the construction and operation of the Environmental Restoration Disposal Facility (a huge landfill on the site receiving remediation waste), the cocooning of production reactors, and the closing
and dismantling of large numbers of production facilities on site (including the Plutonium Finishing Plant).
http://contentsharing.net/actions/email_web_version.cfm?ep=Kj_xdJ-0JVJIqqPQAeqUL9PFzB2cyVMeq4O4KPvoOMMkk20cH7CRQUqLr9Acr_Qu67LSb73pM6fsmZenSms-I5PLieqgow6a2sNgxWm_EL4~
------------------------------
Date: Sat, 3 Oct 2020 12:19:31 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Charges filed in hack that caused NFL athlete's nude pics to be
posted on Twitter (Ars Technica)
Men accused of taking part in scheme to phish credentials and sell account access.
https://arstechnica.com/information-technology/2020/09/2-men-charged-with-hacking-social-media-accounts-of-nfl-and-nba-players/
------------------------------
Date: Wed, 7 Oct 2020 18:22:30 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: A Literal Child and His Mom Sue Nintendo Over 'Joy-Con Drift' (WiReD)
The class action lawsuit alleges that the video game company hasn't done
enough to address a known problem with its controllers.
https://www.wired.com/story/nintendo-joy-con-lawsuit/
The risks? Technology, lawyers, greed...
------------------------------
Date: Wed, 7 Oct 2020 18:50:15 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Eero for Service Providers: Eero Wi-Fi mesh targeted at ISPs
(Ars Technica)
https://arstechnica.com/gadgets/2020/10/eero-for-service-providers-eero-wi-fi-mesh-targeted-at-isps/
------------------------------
Date: Wed, 7 Oct 2020 18:51:06 -0400
From: Monty Solomon <monty@roscom.com>
Subject: DHS warns that Emotet malware is one of the most prevalent threats
today (Ars Technica)
https://arstechnica.com/information-technology/2020/10/dhs-warns-that-emotet-malware-is-one-of-the-most-prevalent-threats-today/
------------------------------
Date: Wed, 7 Oct 2020 07:48:14 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: 'Smart' male chastity device vulnerable to locking by
hackers: researchers (AFP)
A security flaw in an Internet-connected male chastity device could allow hackers to remotely lock it -- leaving users trapped, researchers have
warned.
The Cellmate, produced by Chinese firm Qiui, is a cover that clamps on the
base of the male genitals with a hardened steel ring, and does not have a physical key or manual override.
The locking mechanism is controlled with a smartphone app via Bluetooth -- marketed as both an anti-cheating and a submission sex play device -- but security researchers have found multiple flaws that leave it vulnerable to hacking.
"We discovered that remote attackers could prevent the Bluetooth lock from being opened, permanently locking the user in the device. There is no
physical unlock," British security firm Pen Test Partners said Tuesday.
"An angle grinder or other suitable heavy tool would be required to cut the wearer free."
The firm also found other security flaws in the Cellmate -- listed for $189
on Qiui's website -- that could expose sensitive user information such as names, phone numbers, birthdays and location data. [...]
https://sports.yahoo.com/smart-male-chastity-device-vulnerable-053135255.html
This gives new meaning to the WOPR response at the end of the movie
WarGames: The only winning strategy is not to play.
[Richard Stein commented on
Cellmate: Male chastity gadget hack could lock users in (bbc.com)
https://www.bbc.com/news/technology-54436575 --
"A bug that gives new meaning to being held by the b*lls."
PGN]
------------------------------
Date: Wed, 7 Oct 2020 08:16:50 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Hackers targeting IoT devices with a new P2P botnet malware
(The Hacker News)
Cybersecurity researchers have taken the wraps off a new botnet hijacking Internet-connected smart devices in the wild to perform nefarious tasks,
mostly DDoS attacks, and illicit cryptocurrency coin mining.
Discovered by Qihoo 360's Netlab security team, the HEH Botnet
<https://blog.netlab.360.com/heh-an-iot-p2p-botnet/> -- written in Go
language and armed with a proprietary peer-to-peer (P2P) protocol, spreads
via a brute-force attack of the Telnet service on ports 23/2323 and can
execute arbitrary shell commands.
The researchers said the HEH botnet samples discovered so far support a wide variety of CPU architectures, including x86(32/64), ARM(32/64), MIPS(MIPS32/MIPS-III), and PowerPC (PPC).
The botnet, despite being in its early stages of development, comes with
three functional modules: a propagation module, a local HTTP service module, and a P2P module.
Initially downloaded and executed by a malicious Shell script named "wpqnbw.txt," the HEH sample then uses the Shell script to download rogue programs for all different CPU architectures from a website ("pomf.cat"), before eventually terminating a number of service processes based on their
port numbers. [...]
https://thehackernews.com/2020/10/p2p-iot-botnet.html
------------------------------
Date: Thu, 8 Oct 2020 00:32:27 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Supreme Court takes on Google vs. Oracle: The biggest software
development case ever (ZDNet)
More than a decade in the making, the Supreme Court may finally decide if
application programming interfaces (APIs) can be copyrighted. If the court
decides they are, everything you know about making programs will change for
the worse.
https://www.zdnet.com/article/supreme-court-takes-on-google-vs-oracle-the-biggest-software-development-case-ever/
------------------------------
Date: Fri, 9 Oct 2020 12:20:36 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: 55 New Security Flaws Reported in Apple Software and Services
(The Hacker News)
A team of five security researchers analyzed several Apple online services
for three months and found as many as 55 vulnerabilities, 11 of which are critical in severity.
The flaws -- including 29 high severity, 13 medium severity, and 2 low
severity vulnerabilities -- could have allowed an attacker to "fully
compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code
for internal Apple projects, fully compromise an industrial control
warehouse software used by Apple, and take over the sessions of Apple
employees with the capability of accessing management tools and sensitive resources."
The flaws meant a bad actor could easily hijack a user's iCloud account and steal all the photos, calendar information, videos, and documents, in
addition to forwarding the same exploit to all of their contacts.
The findings were reported by Sam Curry, along with Brett Buerhaus, Ben
Sadeghipour, Samuel Erb, and Tanner Barnes over a three month period between
July and September. <https://samcurry.net/hacking-apple/>
After they were responsibly disclosed to Apple, the iPhone maker took steps
to patch the flaws within 1-2 business days, with a few others fixed within
a short span of 4-6 hours.
So far, Apple has processed about 28 of the vulnerabilities with a total
payout of $288,500 as part of its bug bounty program. [...]
https://thehackernews.com/2020/10/apple-security.html
------------------------------
Date: Thu, 8 Oct 2020 08:24:04 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Researchers Find Vulnerabilities in Microsoft Azure Cloud Service
(The Hacker News)
As businesses are increasingly migrating to the cloud, securing the infrastructure has never been more important.
Now according to the latest research, two security flaws in Microsoft's
Azure App Services could have enabled a bad actor to carry out server-side
request forgery (SSRF <https://portswigger.net/web-security/ssrf>) attacks
or execute arbitrary code and take over the administration server.
"This enables an attacker to quietly take over the App Service's git server,
or implant malicious phishing pages accessible through Azure Portal to
target system administrators," cybersecurity firm Intezer said in a report
published today and shared with The Hacker News.
<https://www.intezer.com/blog/cloud-security/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/>
Discovered by Paul Litvak <https://twitter.com/polarply> of Intezer Labs,
the flaws were reported to Microsoft in June, after which the company subsequently addressed them.
Azure App Service is a cloud computing-based platform
<https://azure.microsoft.com/en-us/services/app-service/> that's used as a
hosting web service for building web apps and mobile backends.
When an App Service is created via Azure, a new Docker environment is
created with two container nodes -- a manager node and the application node
-- along with registering two domains that point to the app's HTTP web
server and the app service's administration page, which in turn leverages
Kudu <https://github.com/projectkudu/kudu> for continuous deployment of the
app from source control providers such as GitHub or Bitbucket. [...]
<https://docs.microsoft.com/en-us/azure/app-service/deploy-continuous-deployment>
https://thehackernews.com/2020/10/microsoft-azure-vulnerability.html
------------------------------
Date: Thu, 8 Oct 2020 00:34:22 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Microsoft Office 365, Outlook down again (ZDNet)
Yes, Office 365, Outlook, and all the rest of Microsoft's Software-as-a-Services are down yet again.
https://www.zdnet.com/article/microsoft-office-365-outlook-down-again/
The risks? Software, Microsoft, cloud computing, software-as-a-"service"
------------------------------
Date: Fri, 9 Oct 2020 16:17:22 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: CyberCommand has sought to disrupt the world's largest botnet,
hoping to reduce its potential impact on the election (WashPost)
*The botnet is often used to drop ransomware, which officials fear could
snarl voter registration.*
In recent weeks, the U.S. military has mounted an operation to temporarily disrupt what is described as the world's largest botnet - one used also to
drop ransomware, which officials say is one of the top threats to the 2020 election.
U.S. CyberCommand's campaign against the Trickbot botnet, an army of at
least 1 million hijacked computers run by Russian-speaking criminals, is
not expected to permanently dismantle the network, said four U.S.
officials, who spoke on the condition of anonymity because of the matter's sensitivity. But it is one way to distract them at least for a while as
they seek to restore operations.
The effort is part of what Gen. Paul Nakasone, the head of CyberCommand,
calls "persistent engagement," or the imposition of cumulative costs on an adversary by keeping them constantly engaged. And that is a key feature of CyberCom's activities to help protect the election against foreign threats, officials said.
"Right now, my top priority is for a safe, secure, and legitimate 2020
[continued in next message]