• Risks Digest 32.31 (1/2)

    From RISKS List Owner@21:1/5 to All on Sun Oct 11 00:34:33 2020
    RISKS-LIST: Risks-Forum Digest Saturday 10 October 2020 Volume 32 : Issue 31

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/32.31>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Too many passengers at front of plane caused take-off issue at Luton Airport
    (BBC)
    Tesla owner says he butt-dialed a $4,280 Autopilot upgrade (CNBC)
    Why cars are more "fragile": more technology has reduced robustness
    (Paul Robinson)
    Polestar 2 EV recalled over glitch that can cut power while driving
    (Engadget)
    Space is becoming too crowded, Rocket Lab CEO warns (CNN)
    Botched Excel import may have caused loss of 15,841 UK COVID-19 cases
    (Thomas Dzubin plus others)
    Psychology study indicates that narcissists are more involved in politics
    than the rest of us (SagePub)
    Doctor gave an inept diagnosis for a neurological problem (WashPost)
    Can AI Detect Disinformation? A New Special Operations Program May Find Out
    (Defense One)
    California bar exam has facial recognition problems (SanFranChronicle)
    Nuclear Waste and Nuclear Waste Management at the Hanford Site
    (ContentSharing)
    Charges filed in hack that caused NFL athlete's nude pics to be posted on
    Twitter (Ars Technica)
    A Literal Child and His Mom Sue Nintendo Over 'Joy-Con Drift' (WiReD)
    Eero for Service Providers: Eero Wi-Fi mesh targeted at ISPs (Ars Technica)
    DHS warns that Emotet malware is one of the most prevalent threats today
    (Ars Technica)
    'Smart' male chastity device vulnerable to locking by hackers: researchers
    (AFP)
    Hackers targeting IoT devices with a new P2P botnet malware
    (The Hacker News)
    Supreme Court takes on Google vs. Oracle: The biggest software development
    case ever (ZDNet)
    55 New Security Flaws Reported in Apple Software and Services
    (The Hacker News)
    Researchers Find Vulnerabilities in Microsoft Azure Cloud Service
    (The Hacker News)
    Microsoft Office 365, Outlook down again (ZDNet)
    CyberCommand has sought to disrupt the world's largest botnet, hoping to
    reduce its potential impact on the election (WashPost)
    Pennsylvania voter services website crashes as 2020 election mail ballot
    deadlines loom (Inquirer)
    Clinical Trials Hit by Ransomware Attack on Health Tech Firm
    (Nicole Perlroth)
    Flawed Algorithm Used to Determine UK Welfare Payments Is 'Pushing People
    Into Poverty' (Thomas Macaulay)
    'The Wire' inspired a fake turtle egg that spies on poachers (WiReD)
    The robot shop worker controlled by a faraway human (bbc.com)
    "A friend of a friend at Google interviewed at Facebook right as the virus
    hit" (unnamed via twitter)
    Documents Show How The LAPD Was Trained To Use Palantir (BuzzFeed)
    Meet the Customer Service Reps for Disney and Airbnb Who Have to Pay to Talk
    to You (ProPublica)
    Digital pioneer Geoff Huston apologises for bringing the Internet to
    Australia (ZDNet)
    Psychographic Profiling cartoon (Tom Fishburne -- Marketoonist)
    Re: Maryland's web-delivered ballots must be hand-copied to be counted
    (Amos Shapir)
    Re: Apple marches to a different beat (Steve Klein, John Levine, Alan Ralph,
    Craig S. Cottingham)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sat, 10 Oct 2020 12:30:32 -0500
    From: Allen Bonneau <alnbonneau@gmail.com>
    Subject: Too many passengers at front of plane caused take-off issue at
    Luton Airport (BBC)

    Downstream impact from an unavailable system

    The automated system had a technical issue preventing a plane change from
    being passed to downstream systems. Operators noticed the change and manual
    updates were performed as a workaround. Either the workaround was not
    complete or did [not?] address all affected systems.

    https://www.bbc.com/news/uk-england-beds-bucks-herts-54477819

    ------------------------------

    Date: Fri, 9 Oct 2020 14:02:15 +0300
    From: Amos Shapir <amos083@gmail.com>
    Subject: Tesla owner says he butt-dialed a $4,280 Autopilot upgrade (CNBC)

    It seems that the Tesla app on iPhone somehow makes an update purchase as
    the default action, and doesn't require a confirmation password or code.

    Full story at: https://www.cnbc.com/2020/10/07/tesla-app-butt-dial-purchases-still-possible-refunds-hard-to-get.html

    ------------------------------

    Date: Fri, 2 Oct 2020 20:37:12 +0000 (UTC)
    From: Paul Robinson <rfc1394@yahoo.com>
    Subject: Why cars are more "fragile": more technology has reduced robustness

    Some associates of mine have noticed problems with automobiles, often with
    changes they do not like or want, like forcing the use of a start button
    (and stepping on the brake) instead of simply turning the key. It means
    things like the passenger being able to turn on the car just by turning the
    key have gone the way of the AM-only radio or the crank starter. Now,
    turning the engine on, even if you're not going to drive, requires getting
    out of the car, sitting in the driver's seat, stepping on the brake, then
    pushing the starter. Another problem is that a relatively inexpensive
    device (like keys) that even in the most expensive cases never reached
    US$20, is now replaced by transponders or keyfobs costing as much as
    $1,000.

    And the cost of repairs has gone up as the capacity of most people to do
    anything beyond routine maintenance has gone down. Technology has improved
    features cars have, but it has come at a cost.

    Cars in the past used relays to control functions because it was the least
    expensive way to provide these functions. As microprocessors became ever
    cheaper and had more functionality, they became ideal for use to do
    multiple things in place of relays, programmable logic controllers, and
    other circuitry. All that they had to do was connect them. Previously they
    ran one connection (wire) to each thing being controlled. Then they got an
    idea: create a network (bus) to connect the components. If the components
    could simply only listen on the bus for commands addressed to them, you
    only need one wire for everything, to send messages everywhere. This
    provides lots more flexibility as all you have to do is add new messages
    with a different command code and you can control a new device, but it
    makes everything more "fragile."

    Now, when I say "fragile," I don't mean the comment of Doc Brown in "Back
    to the Future" in which he says a 1954 Buick crashing into a Delorean would
    tear through it like tissue paper, I mean the systems are less "robust,"
    less resistant to failure.

    Systems built with centralized or "concentrated" architecture are more
    fragile, more subject to failure because there are more critical points
    where, if any one point fails, the whole thing fails. On a car from the
    past, short of the engine or transmission suffering catastrophic damage,
    the car would continue to operate. Today, if the computer or the bus is
    damaged, your car is inoperable.

    Previously, a failure of the air conditioning didn't mean the car couldn't
    drive, or if there was a problem with the power steering it didn't prevent
    you from putting the car in reverse. But today, so many systems are
    connected in a very centralized architecture that one system can affect
    another due to side effects. It also means that where before, just about
    anyone with ordinary education and skills could repair most things on an
    automobile with ordinary tools, today it takes a skilled mechanic with a
    master's degree and $40,000 in equipment.

    Distributed architecture increases robustness. Here are two examples.

    The development of Blockchain technology has caused other industries to use
    it beyond cryptocurrency. An example being a bank: crack their mainframe
    and you can steal just about anything. But, if instead of breaking one
    computer you have to get, say, all or a majority of all 100 branches to
    agree, it makes it much harder to almost impossible to create a fraudulent
    transaction.

    During the Gulf War, despite saturation bombing, the coalition forces were
    unable to shut down Iraq's military Command & Control systems; the messages
    still got through. The reason being that the systems were built using
    TCP/IP, the same communications protocol used by the Internet, which was
    invented specifically for the US military to be able to continue to operate
    communications infrastructure capable of communicating to troops in the
    event of nuclear war. We found out under actual battlefield conditions that
    "the damn stuff actually works."

    These and other examples show that distributed architecture makes systems
    more robust, while concentrated architecture makes systems more fragile. We
    have traded increased functionality and cost savings, while sacrificing
    robustness and less complexity, and the trend is likely to continue, unless
    people get sick of these failures and demand better, or someone comes up
    with better systems that are more robust and possibly simpler.

    While that would be nice, I don't see that happening any time soon.

    ------------------------------

    Date: Sat, 3 Oct 2020 12:08:30 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Polestar 2 EV recalled over glitch that can cut power while driving
    (Engadget)

    https://www.engadget.com/polestar-2-ev-recall-over-power-glitch-151046269.html

    ------------------------------

    Date: Fri, 9 Oct 2020 05:07:00 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Space is becoming too crowded, Rocket Lab CEO warns (CNN)

    In 1978, NASA scientist Donald Kessler warned of a potential catastrophic,
    cascading chain reaction in outer space. Today known as "Kessler Syndrome,"
    the theory posited that space above Earth could one day become so crowded,
    so polluted with both active satellites and the detritus of space
    explorations past, that it could render future space endeavors more
    difficult, if not impossible. Last week, the CEO of Rocket Lab, a launch
    startup, said the company is already beginning to experience the effect of
    growing congestion in outer space. Rocket Lab CEO Peter Beck said that the
    sheer number of objects in space right now -- a number that is growing
    quickly thanks in part to SpaceX's satellite Internet constellation,
    Starlink -- is making it more difficult to find a clear path for rockets to
    launch new satellites. "This has a massive impact on the launch side," he
    told CNN Business. Rockets "have to try and weave their way up in between
    these [satellite] constellations."

    Part of the problem is that outer space remains largely unregulated. The
    last widely agreed upon international treaty hasn't been updated in five
    decades, and that's mostly left the commercial space industry to police
    itself. Rocket Lab set out to create lightweight rockets -- far smaller
    than SpaceX's 230-foot-tall Falcon rockets -- that can deliver batches of
    small satellites to space on a monthly or even weekly basis. Since 2018,
    Rocket Lab has launched 12 successful missions and a total of 55 satellites
    to space for a variety of research and commercial purposes. Beck said the
    in-orbit traffic issues took a turn for the worse over the past 12 months.
    It was over that time that SpaceX has rapidly built up its Starlink
    constellation, growing it to include more than 700 Internet-beaming
    satellites. It's already the largest satellite constellation by far, and
    the company plans to grow it to include between 12,000 and 40,000 total
    satellites. That's five times the total number of satellites humans have
    *launched since the dawn of spaceflight* in the late 1950s.
    <https://www.cnn.com/2020/07/02/tech/spacex-starlink-planet-9-x-scn/index.html>

    It's not clear if traffic from its own satellites has also caused
    frustrations for SpaceX. The company did not respond to a request for
    comment. Orbital junkyards. [...]
    https://www.cnn.com/2020/10/07/business/rocket-lab-debris-launch-traffic-scn/index.html

    ------------------------------

    Date: Mon, 5 Oct 2020 13:48:04 -0700 (PDT)
    From: Thomas Dzubin <dzubint@vcn.bc.ca>
    Subject: Botched Excel import may have caused loss of 15,841 UK COVID-19 cases

    "The problem is that the PHE developers picked an old file format to do this
    - known as XLS."

    "As a consequence, each template could handle only about 65,000 rows of
    data rather than the one million-plus rows that Excel is actually capable
    of."

    https://arstechnica.com/tech-policy/2020/10/excel-glitch-may-have-caused-uk-to-underreport-covid-19-cases-by-15841/

    "Asked if it was likely that some people will have got coronavirus due to
    the IT failure, Work and Pensions Secretary Therese Coffey told Sky News:
    'There may well be.'"

    The error is believed to have been caused by a spreadsheet containing lab
    results reaching its maximum size, and failing to update.

    https://www.standard.co.uk/news/uk/covid-testing-technical-issue-excel-spreadsheet-a4563616.html

    So, the problem hasn't actually been fixed... just pushed down the road a
    bit for someone else to deal with in the next pandemic.

    [danny burstein noted a Twitter item from Max Roser, Univ. of Oxford
    researcher:
    https://twitter.com/MaxCRoser/status/1313046638915706880
    ah.... I had some trouble copying those URLs, but here:
    https://www.bbc.co.uk/news/uk-54412581
    https://www.dailymail.co.uk/news/article-8805697/Furious-blame-game-16-000-Covid-cases-missed-Excel-glitch.html
    PGN]

    [Regarding this item, Arthur T. noted:
    What I thought at least as interesting for RISKS readers, though, was
    that a follow-up article pointed to "The European Spreadsheet Risks
    Interest Group - EuSpRIG - ("yewsprig") for short." It's a site
    specifically for Spreadsheet Risk Management. It includes a page of
    spreadsheet errors which were egregious enough to make it into the news:
    <http://www.eusprig.org/horror-stories.htm>. As of when I checked, this
    news item had not yet appeared.
    PGN]
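
    The failure mode in this item, a batch that is silently cut off when it is
    written into a row-limited XLS sheet, alongside the controls that catch it
    (a precondition that refuses to truncate, a read/write reconciliation, and
    chunking across sheets), as an added example that is not code from the
    article, from PHE or from any contributor. The 65,536 (.xls) and 1,048,576
    (.xlsx) row limits are Excel format constants; the record layout and the
    batch size are constructed for illustration.

```python
"""Model of a row-limited spreadsheet export and the controls around it.
Added example: the row limits are Excel format facts, every record is made up."""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Maximum rows per worksheet. The legacy BIFF .xls format indexes rows with
# 16 bits, the OOXML .xlsx format with 20 bits: the article's "about 65,000"
# versus "one million-plus".
ROW_LIMITS = {"xls": 65_536, "xlsx": 1_048_576}

Row = Tuple[str, str]  # (specimen id, result): constructed record shape


@dataclass(frozen=True)
class ExportResult:
    fmt: str
    source_rows: int
    written_rows: int
    dropped_rows: int

    @property
    def complete(self) -> bool:
        return self.dropped_rows == 0 and self.written_rows == self.source_rows


def capacity(fmt: str, header_rows: int = 1) -> int:
    """Data rows one sheet of this format holds once the header is written."""
    if fmt not in ROW_LIMITS:
        raise ValueError(f"unknown spreadsheet format: {fmt!r}")
    return ROW_LIMITS[fmt] - header_rows


def export_unchecked(rows: Sequence[Row], fmt: str, header_rows: int = 1) -> ExportResult:
    """The failure described in the article: rows past the sheet's capacity
    are discarded and the writer still reports success."""
    cap = capacity(fmt, header_rows)
    written = min(len(rows), cap)
    return ExportResult(fmt, len(rows), written, len(rows) - written)


def export_checked(rows: Sequence[Row], fmt: str, header_rows: int = 1) -> ExportResult:
    """Same export behind a precondition: refuse the batch rather than truncate it."""
    cap = capacity(fmt, header_rows)
    if len(rows) > cap:
        raise OverflowError(
            f"{len(rows)} rows exceed the {cap} data rows a {fmt} sheet can hold")
    return ExportResult(fmt, len(rows), len(rows), 0)


def fits(n_rows: int, fmt: str, header_rows: int = 1) -> bool:
    """Pre-flight answer to 'will this batch survive the export intact?'"""
    return n_rows <= capacity(fmt, header_rows)


def reconcile(source_rows: int, result: ExportResult) -> List[str]:
    """Post-export control independent of the writer: the count read from the
    lab feed must equal the count written. An empty list means they agree."""
    findings = []
    if result.written_rows != source_rows:
        findings.append(
            f"row count mismatch: read {source_rows}, wrote {result.written_rows}")
    if result.dropped_rows:
        findings.append(f"{result.dropped_rows} rows dropped by the {result.fmt} row limit")
    return findings


def split_into_sheets(rows: Sequence[Row], fmt: str, header_rows: int = 1) -> List[Sequence[Row]]:
    """Mitigation when the format cannot change: chunk the batch so that every
    sheet stays under the limit instead of overflowing a single template."""
    cap = capacity(fmt, header_rows)
    return [rows[i:i + cap] for i in range(0, len(rows), cap)]


def make_results(n: int) -> List[Row]:
    """Constructed sample input: n synthetic lab-result rows."""
    return [(f"SPEC-{i:07d}", "positive") for i in range(n)]


if __name__ == "__main__":
    # Constructed batch size: one header row plus 65,535 data rows fit an .xls
    # sheet; the remaining 15,841 (the figure in the headline) do not.
    batch = make_results(65_535 + 15_841)
    result = export_unchecked(batch, "xls")
    print(result, reconcile(len(batch), result))
    print("fits xls:", fits(len(batch), "xls"), "fits xlsx:", fits(len(batch), "xlsx"))
    print("sheets needed in xls:", len(split_into_sheets(batch, "xls")))
```

    The reconciliation is the control that does not depend on the writer being
    honest: it compares a count taken before the export with one taken after.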

    ------------------------------

    Date: Fri, 2 Oct 2020 09:56:38 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Psychology study indicates that narcissists are more involved in
    politics than the rest of us (SagePub)

    Those higher in narcissism are disproportionately taking part in the
    democratic process, according to new research published in *Personality
    and Social Psychology Bulletin*
    <https://journals.sagepub.com/doi/10.1177/0146167220919212>.

    The study found a positive correlation between narcissism and political
    participation. In other words: The more narcissistic someone is, the more
    likely they are to contact politicians, sign petitions, donate money, and
    vote in midterm elections.

    ``We have entered into an *Age of Entitlement* and a *post-truth* world
    that combine to form an unprecedented cultural movement where large portions
    of the public pursue self-interest and self-promotion above all things and
    truth is whatever you want it to be, where alternative facts are given equal
    standing with credible sources,'' said study author *Pete Hatemi*
    <https://scholar.google.com/citations?hl=en&user=Ci8Ix08AAAAJ&view_op=list_works&sortby=pubdate>,
    a distinguished professor at Penn State University.

    ``It is hard not to notice how much more of *me* is part of our world --
    projecting one's status at the cost of others, whether using social media
    such as Facebook or Instagram or Twitter. Gone are the days when
    children's goals were to be something or do something important, replaced
    by the desire to be famous. Tom Wolfe's vision seems to have come to
    pass.''

    ``It was hard for my colleague Zoltan Fazekas and me to ignore the rampant
    narcissism in our elected leaders, and the outcomes of their decisions. And
    it seemed likely that higher public narcissism has some role in the growing
    instability of our democracy, and in 2009 we began collecting data to see
    if those higher in narcissism are taking a greater part in the political
    process,'' Hatemi explained.

    The researchers examined data from two nationally representative surveys in
    the U.S. and in Denmark, with 500 and 2,450 participants in each,
    respectively, and a web-based U.S. survey with 2,280 participants.

    All of the surveys assessed narcissism and eight types of political
    participation: signing a petition, boycotting or buying products for
    political reasons, participating in a demonstration, attending political
    meetings, contacting politicians, donating money, contacting the media, and
    taking part in political forums and discussion groups.

    The surveys also collect information about voting behavior and
    sociodemographic variables such as gender, age, race, education, and
    political ideology. [...]
    https://www.psypost.org/2020/09/psychology-study-indicates-that-narcissists-are-more-involved-in-politics-than-the-rest-of-us-58112

    ------------------------------

    Date: Mon, 5 Oct 2020 16:51:37 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Doctor gave an inept diagnosis for a neurological problem (WashPost)

    Steven H. Horowitz, *The Washington Post*

    Perspective: "A doctor gave me an inept diagnosis for a neurological
    problem. I should know: I'm a neurologist."

    "I offered to teach the staff at this medical center, but I got nowhere.
    I could not have been the first patient so poorly evaluated. Without
    doubt, I won't be the last."

    https://www.washingtonpost.com/health/hospital-misdiagnosis-mistakes-ignored/2020/10/02/7bac2d10-f851-11ea-be57-d00bb9bc632d_story.html

    ------------------------------

    Date: Mon, 5 Oct 2020 08:39:26 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Can AI Detect Disinformation? A New Special Operations Program May
    Find Out (Defense One)

    *Air Force, U.S. Special Operations Command fund year-long effort to train
    a neural net to rank credibility and sort news from misinformation.*

    For all the U.S. military's technical advantages over adversaries, it
    still struggles to counter disinformation. A new software tool to be
    developed for the U.S. Air Force and Special Operations Command, or SOCOM,
    may help change that.

    ``If you don't compete in the information space, regardless of how good
    your operations are, your activities are, you will probably eat a shit
    sandwich of disinformation or false reporting later on,'' Raymond `Tony'
    Thomas, a former SOCOM chief, said in an interview. ``We certainly
    experienced that at the tactical level. That was the epiphany where we
    would have good raids, good strikes, etc. and the bad guys would spin it so
    fast that we would be eating collateral damage claims, etc. So the
    information space in that very tactical space is key.''

    It even ``stretches to the strategic space,'' said Thomas, meaning that
    disinformation can spread until it affects larger geopolitical realities.

    Thomas now serves as an advisory board member for Primer, a company that on
    Thursday *announced* a Small Business Innovation Research contract to
    develop software over the next year to help analysts better -- and much
    more quickly -- survey the information landscape and hopefully detect false
    narratives that show up in the public space. [...]
    <https://www.prnewswire.com/news-releases/socom-and-us-air-force-enlist-primer-to-combat-disinformation-301143716.html>

    https://www.defenseone.com/technology/2020/10/can-ai-detect-disinformation-new-special-operations-program-may-find-out/168972/

    ------------------------------

    Date: Thu, 8 Oct 2020 07:24:54 -0700
    From: Al Stangenberger <forags@sbcglobal.net>
    Subject: California bar exam has facial recognition problems
    (SanFranChronicle)

    Despite the software vendor's protestations, it appears that facial
    recognition software is not ready for prime time...
    https://www.sfchronicle.com/business/article/California-bar-exam-takers-say-facial-recognition-15629617.php

    ------------------------------

    Date: Tue, 6 Oct 2020 15:25:00 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Nuclear Waste and Nuclear Waste Management at the Hanford Site

    History, Environmental Issues and Policies

    Cited as being the most contaminated site in the Western Hemisphere, Mr.
    Weil will cover the history of Hanford from its beginning as part of the
    Manhattan Project in 1943.  He will discuss the construction and operation
    of multiple processing facilities for the production of plutonium (for more
    than 60,000 nuclear weapons).  He will also discuss waste management
    activities from the 1940s to today and current activities at the Hanford
    Site.  The presentation will review major activities including the
    development and impact of the Hanford Federal Facility Compliance Agreement
    and Consent Order, the construction and operation of the Environmental
    Restoration Disposal Facility (a huge landfill on the site receiving
    remediation waste), the cocooning of production reactors, and the closing
    and dismantling of large numbers of production facilities on site
    (including the Plutonium Finishing Plant).

    http://contentsharing.net/actions/email_web_version.cfm?ep=Kj_xdJ-0JVJIqqPQAeqUL9PFzB2cyVMeq4O4KPvoOMMkk20cH7CRQUqLr9Acr_Qu67LSb73pM6fsmZenSms-I5PLieqgow6a2sNgxWm_EL4~

    ------------------------------

    Date: Sat, 3 Oct 2020 12:19:31 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Charges filed in hack that caused NFL athlete's nude pics to be
    posted on Twitter (Ars Technica)

    Men accused of taking part in scheme to phish credentials and sell account
    access.

    https://arstechnica.com/information-technology/2020/09/2-men-charged-with-hacking-social-media-accounts-of-nfl-and-nba-players/

    ------------------------------

    Date: Wed, 7 Oct 2020 18:22:30 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: A Literal Child and His Mom Sue Nintendo Over 'Joy-Con Drift' (WiReD)

    The class action lawsuit alleges that the video game company hasn't done
    enough to address a known problem with its controllers.

    https://www.wired.com/story/nintendo-joy-con-lawsuit/

    The risks? Technology, lawyers, greed...

    ------------------------------

    Date: Wed, 7 Oct 2020 18:50:15 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Eero for Service Providers: Eero Wi-Fi mesh targeted at ISPs
    (Ars Technica)

    https://arstechnica.com/gadgets/2020/10/eero-for-service-providers-eero-wi-fi-mesh-targeted-at-isps/

    ------------------------------

    Date: Wed, 7 Oct 2020 18:51:06 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: DHS warns that Emotet malware is one of the most prevalent threats
    today (Ars Technica)

    https://arstechnica.com/information-technology/2020/10/dhs-warns-that-emotet-malware-is-one-of-the-most-prevalent-threats-today/

    ------------------------------

    Date: Wed, 7 Oct 2020 07:48:14 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: 'Smart' male chastity device vulnerable to locking by
    hackers: researchers (AFP)

    A security flaw in an Internet-connected male chastity device could allow
    hackers to remotely lock it -- leaving users trapped, researchers have
    warned.

    The Cellmate, produced by Chinese firm Qiui, is a cover that clamps on the
    base of the male genitals with a hardened steel ring, and does not have a
    physical key or manual override.

    The locking mechanism is controlled with a smartphone app via Bluetooth --
    marketed as both an anti-cheating and a submission sex play device -- but
    security researchers have found multiple flaws that leave it vulnerable to
    hacking.

    "We discovered that remote attackers could prevent the Bluetooth lock from
    being opened, permanently locking the user in the device. There is no
    physical unlock," British security firm Pen Test Partners said Tuesday.

    "An angle grinder or other suitable heavy tool would be required to cut the
    wearer free."

    The firm also found other security flaws in the Cellmate -- listed for $189
    on Qiui's website -- that could expose sensitive user information such as
    names, phone numbers, birthdays and location data. [...]
    https://sports.yahoo.com/smart-male-chastity-device-vulnerable-053135255.html

    This gives new meaning to the WOPR response at the end of the movie
    WarGames: The only winning strategy is not to play.

    [Richard Stein commented on
    Cellmate: Male chastity gadget hack could lock users in (bbc.com)
    https://www.bbc.com/news/technology-54436575 --
    "A bug that gives new meaning to being held by the b*lls."
    PGN]

    ------------------------------

    Date: Wed, 7 Oct 2020 08:16:50 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Hackers targeting IoT devices with a new P2P botnet malware
    (The Hacker News)

    Cybersecurity researchers have taken the wraps off a new botnet hijacking
    Internet-connected smart devices in the wild to perform nefarious tasks,
    mostly DDoS attacks, and illicit cryptocurrency coin mining.

    Discovered by Qihoo 360's Netlab security team, the HEH Botnet
    <https://blog.netlab.360.com/heh-an-iot-p2p-botnet/> -- written in Go
    language and armed with a proprietary peer-to-peer (P2P) protocol, spreads
    via a brute-force attack of the Telnet service on ports 23/2323 and can
    execute arbitrary shell commands.

    The researchers said the HEH botnet samples discovered so far support a
    wide variety of CPU architectures, including x86(32/64), ARM(32/64),
    MIPS(MIPS32/MIPS-III), and PowerPC (PPC).

    The botnet, despite being in its early stages of development, comes with
    three functional modules: a propagation module, a local HTTP service
    module, and a P2P module.

    Initially downloaded and executed by a malicious Shell script named
    "wpqnbw.txt," the HEH sample then uses the Shell script to download rogue
    programs for all different CPU architectures from a website ("pomf.cat"),
    before eventually terminating a number of service processes based on their
    port numbers. [...]
    https://thehackernews.com/2020/10/p2p-iot-botnet.html

    ------------------------------

    Date: Thu, 8 Oct 2020 00:32:27 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Supreme Court takes on Google vs. Oracle: The biggest software
    development case ever (ZDNet)

    More than a decade in the making, the Supreme Court may finally decide if
    application programming interfaces (APIs) can be copyrighted. If the court
    decides they are, everything you know about making programs will change for
    the worse.

    https://www.zdnet.com/article/supreme-court-takes-on-google-vs-oracle-the-biggest-software-development-case-ever/

    ------------------------------

    Date: Fri, 9 Oct 2020 12:20:36 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: 55 New Security Flaws Reported in Apple Software and Services
    (The Hacker News)

    A team of five security researchers analyzed several Apple online services
    for three months and found as many as 55 vulnerabilities, 11 of which are
    critical in severity.

    The flaws -- including 29 high severity, 13 medium severity, and 2 low
    severity vulnerabilities -- could have allowed an attacker to "fully
    compromise both customer and employee applications, launch a worm capable
    of automatically taking over a victim's iCloud account, retrieve source
    code for internal Apple projects, fully compromise an industrial control
    warehouse software used by Apple, and take over the sessions of Apple
    employees with the capability of accessing management tools and sensitive
    resources."

    The flaws meant a bad actor could easily hijack a user's iCloud account and
    steal all the photos, calendar information, videos, and documents, in
    addition to forwarding the same exploit to all of their contacts.

    The findings were reported by Sam Curry, along with Brett Buerhaus, Ben
    Sadeghipour, Samuel Erb, and Tanner Barnes over a three-month period
    between July and September. <https://samcurry.net/hacking-apple/>

    After they were responsibly disclosed to Apple, the iPhone maker took steps
    to patch the flaws within 1-2 business days, with a few others fixed within
    a short span of 4-6 hours.

    So far, Apple has processed about 28 of the vulnerabilities with a total
    payout of $288,500 as part of its bug bounty program. [...]

    https://thehackernews.com/2020/10/apple-security.html

    ------------------------------

    Date: Thu, 8 Oct 2020 08:24:04 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Researchers Find Vulnerabilities in Microsoft Azure Cloud Service
    (The Hacker News)

    As businesses are increasingly migrating to the cloud, securing the
    infrastructure has never been more important.

    Now according to the latest research, two security flaws in Microsoft's
    Azure App Services could have enabled a bad actor to carry out server-side
    request forgery (SSRF <https://portswigger.net/web-security/ssrf>) attacks
    or execute arbitrary code and take over the administration server.

    "This enables an attacker to quietly take over the App Service's git server,
    or implant malicious phishing pages accessible through Azure Portal to
    target system administrators," cybersecurity firm Intezer said in a report
    published today and shared with The Hacker News.
    <https://www.intezer.com/blog/cloud-security/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/>

    Discovered by Paul Litvak <https://twitter.com/polarply> of Intezer Labs,
    the flaws were reported to Microsoft in June, after which the company
    subsequently addressed them.

    Azure App Service is a cloud computing-based platform
    <https://azure.microsoft.com/en-us/services/app-service/> that's used as a
    hosting web service for building web apps and mobile backends.

    When an App Service is created via Azure, a new Docker environment is
    created with two container nodes -- a manager node and the application node
    -- along with registering two domains that point to the app's HTTP web
    server and the app service's administration page, which in turn leverages
    Kudu <https://github.com/projectkudu/kudu> for continuous deployment of the
    app from source control providers such as GitHub or Bitbucket. [...]
    <https://docs.microsoft.com/en-us/azure/app-service/deploy-continuous-deployment>

    https://thehackernews.com/2020/10/microsoft-azure-vulnerability.html

    ------------------------------

    Date: Thu, 8 Oct 2020 00:34:22 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Microsoft Office 365, Outlook down again (ZDNet)

    Yes, Office 365, Outlook, and all the rest of Microsoft's
    Software-as-a-Services are down yet again.

    https://www.zdnet.com/article/microsoft-office-365-outlook-down-again/

    The risks? Software, Microsoft, cloud computing, software-as-a-"service"

    ------------------------------

    Date: Fri, 9 Oct 2020 16:17:22 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: CyberCommand has sought to disrupt the world's largest botnet,
    hoping to reduce its potential impact on the election (WashPost)

    *The botnet is often used to drop ransomware, which officials fear could
    snarl voter registration.*

    In recent weeks, the U.S. military has mounted an operation to temporarily
    disrupt what is described as the world's largest botnet - one used also to
    drop ransomware, which officials say is one of the top threats to the 2020
    election.

    U.S. CyberCommand's campaign against the Trickbot botnet, an army of at
    least 1 million hijacked computers run by Russian-speaking criminals, is
    not expected to permanently dismantle the network, said four U.S.
    officials, who spoke on the condition of anonymity because of the matter's
    sensitivity. But it is one way to distract them at least for a while as
    they seek to restore operations.

    The effort is part of what Gen. Paul Nakasone, the head of CyberCommand,
    calls "persistent engagement," or the imposition of cumulative costs on an
    adversary by keeping them constantly engaged. And that is a key feature of
    CyberCom's activities to help protect the election against foreign threats,
    officials said.

    "Right now, my top priority is for a safe, secure, and legitimate 2020

    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)