    RISKS-LIST: Risks-Forum Digest Friday 30 April 2021 Volume 32 : Issue 63

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/32.63>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    The Plane Paradox: More Automation Should Mean More Training (WiReD)
    VPN hacks are a slow-motion disaster (WiReD)
    AirDrop could make 1.5 billion Apple devices vulnerable to hackers (Fortune)
    Hundreds lose Internet service in northern B.C. after beaver chews through
      cable (CBC.CA)
    NYPD Robot Dog's Run Is Cut Short After Fierce Backlash (NYTimes)
    Researchers Say Changing Simple iPhone Setting Fixes Long-Standing Privacy
    Bug (Mike Snider)
    Why the FCC Keeps Shooting Down Requests From Companies That Want To Shoot
    Down Drones (IEEE Spectrum)
    How Close Is Ordinary Light to Doing Quantum Computing? (Neil Savage)
    SolarWinds, Microsoft Hacks Prompt Focus on Zero-Trust Security
      (James Rundle)
    Outlook/Exchange accounts under attack? (Rob Slade)
    U.S. investigating possible mysterious directed energy attack near White
    House (CNNPolitics)
    An Ambitious Plan to Tackle Ransomware Faces Long Odds (WiReD)
    Man arrested over fake QR codes (South Australia Police)
    Spending on Cloud Computing Hits US$42 Billion Worldwide (Canalys)
    Fighting patent trolls (Rob Slade)
    Re: Eversource Energy data breach caused by unsecured cloud storage
    (Anthony Thorn)
    Re: Fiery Tesla crash with no one driving (Goldy)
    Re: IBM Clarifies Stance On Developers Working On Open-Source Projects In
    Off-Hours (Amos Shapir)
    Re: Masking the CoVID-19 problem (Robert Weaver)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sun, 25 Apr 2021 21:23:37 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: The Plane Paradox: More Automation Should Mean More Training
    (WiReD)

    Today's highly automated planes create surprises pilots aren't familiar
    with. The humans in the cockpit need to be better prepared for the machine's quirks.

    Shortly after a Smartlynx Estonian Airbus 320 took off on February 28, 2018, all four of the aircraft's flight control computers stopped working. Each performed precisely as designed, taking themselves offline after
    (incorrectly) sensing a fault. The problem, later discovered, was an
    actuator that had been serviced with oil that was too viscous. A design
    created to prevent a problem created a problem. Only the skill of the instructor pilot on board prevented a fatal crash.

    Now, as the Boeing 737 MAX returns to the skies worldwide following a
    21-month grounding, flight training and design are in the crosshairs.
    Ensuring a safe future of aviation ultimately requires an entirely new
    approach to automation design using methods based on system theory, but
    planes with that technology are 10 to 15 years off. For now we need to train pilots how to better respond to automation's many inevitable quirks.

    https://www.wired.com/story/opinion-the-plane-paradox-more-automation-should-mean-more-training/

    [This leads us to the old paradox. The more automated everything is, the
    fewer trained system administrators will know what to do when the
    resiliency fails to provide self-recovering automated systems. PGN]

    ------------------------------

    Date: Sun, 25 Apr 2021 21:27:54 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: VPN hacks are a slow-motion disaster (WiReD)

    Recent spying attacks against Pulse Secure VPN are just the latest example
    of a long-simmering cybersecurity meltdown.

    https://www.wired.com/story/vpn-hacks-pulse-secure-espionage/

    ------------------------------

    Date: Mon, 26 Apr 2021 01:09:23 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: AirDrop could make 1.5 billion Apple devices vulnerable to hackers
    (Fortune)

    Apple's AirDrop feature could allow hackers to gain personal information via your Apple device, according to security researchers in Germany.

    A report from Technische Universität Darmstadt says it has found a
    `significant privacy leak' in Apple's file-sharing service. When users begin sharing files with each other using AirDrop, others with malicious intent
    can also tap into the data and gain access to the phone number and email of users.

    Researchers say 1.5 billion Apple devices are vulnerable, and Apple has not issued a security update since the report was issued.

    Researchers say they alerted Apple to the problem in May 2019 but said, “Apple has neither acknowledged the problem nor indicated that they are working on a solution.” The team added it had also offered a fix for the flaw, but have not heard back from Apple about the proposal.

    https://fortune.com/2021/04/23/airdrop-security-privacy-leak-apple-devices-iphones-hackers/

    Linked article gives a bit more information: https://www.informatik.tu-darmstadt.de/fb20/ueber_uns_details_231616.en.jsp

    ...but it requires proximity AND a brute force attack. So claiming 1.5B
    devices at risk is a bit overwrought. So if this gets wider coverage, don't panic.

    ------------------------------

    Date: Mon, 26 Apr 2021 13:19:38 -0600
    From: "Matthew Kruk" <mkrukg@gmail.com>
    Subject: Hundreds lose Internet service in northern B.C. after beaver chews
    through cable (CBC.CA)

    Telus calls damage 'uniquely Canadian turn of events' affecting about 900 customers.

    https://www.cbc.ca/news/canada/british-columbia/beaver-internet-down-tumbler-ridge-1.6001594

    [This event was noted in Tumbler Ridge, British Columbia.
    However, it is not the first such case reported in RISKS:
    "Eager beaver blamed for killing Internet, cell service" (RISKS-27.36)
    Nevertheless, beavers have a long way to go in competing with squirrel
    stories. PGN]

    ------------------------------

    Date: Fri, 30 Apr 2021 12:12:31 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: NYPD Robot Dog's Run Is Cut Short After Fierce Backlash (NYTimes)

    The Police Department will return the device earlier than planned after
    critics seized on it as a dystopian example of overly aggressive policing.

    When the Police Department acquired a robotic dog last year, officials
    heralded the four-legged device as a futuristic tool that could go places
    that were too dangerous to send officers.

    “This dog is going to save lives,” Inspector Frank Digiacomo of the department's Technical Assistance Response Unit said in a television
    interview in December. “It's going to protect people. It's going to protect officers.”

    Instead, the machine, which the police named Digidog, became a source of
    heated debate. After it was seen being deployed as part of the response to a home invasion in the Bronx in February, critics likened it to a dystopian surveillance drone.

    And when officers used it at a public housing building in Manhattan this
    month, a backlash erupted again, with some people describing the device as emblematic of how overly aggressive the police can be when dealing with poor communities.

    Now, the robotic dog's days in New York have quietly been cut short.

    https://www.nytimes.com/2021/04/28/nyregion/nypd-robot-dog-backlash.html

    Blindingly stupid citizens. Robodog is cute, capable, and unarmed yet people feel threatened while worse issues ignored.

    ------------------------------

    Date: Mon, 26 Apr 2021 12:22:14 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Researchers Say Changing Simple iPhone Setting Fixes Long-Standing
    Privacy Bug (Mike Snider)

    Mike Snider, *USA Today*, 24 Apr 2021, via ACM TechNews, 26 Apr 2021

    Scammers could exploit a bug in iPhones and MacBooks' AirDrop feature to
    access owners' email and phone numbers, according to researchers at
    Germany's Technical University of Darmstadt (TU Darmstadt). AirDrop allows users with both Bluetooth and Wi-Fi activated to discover nearby Apple
    devices, and share documents and other files; however, strangers in range of such devices can extract emails and phone numbers when users open AirDrop, because the function checks such data against the other user's address book during the authentication process. The researchers said they alerted Apple
    to the vulnerability nearly two years ago, but the company "has neither acknowledged the problem nor indicated that they are working on a solution." They recommend users disable AirDrop and not open the sharing menu, and to
    only activate the function when file sharing is needed, then deactivate it
    when done.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2aad0x22aafax070412&
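
    The two AirDrop items above (Fortune and USA Today) both describe the
    same mechanism: the device sends a hash of its contact identifiers and
    the other side checks them against its own address book, and a stranger
    in range can recover the originals by brute force because phone numbers
    live in a tiny space. The following is an added illustration written for
    this digest, not code from Apple, the TU Darmstadt team, or either
    article. It assumes an unsalted SHA-256 over the raw identifier (the
    articles do not name the hash function), and every phone number and
    address in it is constructed for the demo.

```python
import hashlib
import math
from typing import Dict, Iterable, Optional


def identifier_hash(identifier: str) -> str:
    """Unsalted SHA-256 of the raw contact identifier.

    ASSUMPTION for this demo: the sender transmits exactly this value and
    the receiver compares it against hashes of its own address book.
    """
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def build_contact_table(contacts: Iterable[str]) -> Dict[str, str]:
    """Receiver side: hash each address-book entry once, keyed by hash."""
    return {identifier_hash(c): c for c in contacts}


def lookup(received_hash: str, table: Dict[str, str]) -> Optional[str]:
    """The receiver's contact check: does this hash match one of my contacts?"""
    return table.get(received_hash)


def brute_force_phone(received_hash: str, prefix: str, digits: int) -> Optional[str]:
    """Attacker side: recover the phone number behind a received hash.

    The attacker does exactly what the receiver does, but over every
    candidate number instead of a private address book. A real attacker
    enumerates all plausible numbers for a country (about 10**10 for a
    North American number); the fixed prefix keeps this demo to
    10**digits SHA-256 calls.
    """
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if identifier_hash(candidate) == received_hash:
            return candidate
    return None


def search_space_bits(number_digits: int) -> float:
    """Effective secrecy of a hashed phone number: log2(10 ** digits)."""
    return number_digits * math.log2(10)


if __name__ == "__main__":
    # Constructed sample data; not real contacts.
    victim_phone = "+15550123456"
    receiver_contacts = ["+15550123456", "alice@example.com"]

    # What the legitimate receiver does with the hash it gets over the air.
    table = build_contact_table(receiver_contacts)
    print("receiver matches contact:", lookup(identifier_hash(victim_phone), table))

    # What a stranger in radio range does with the very same hash.
    recovered = brute_force_phone(identifier_hash(victim_phone), "+1555012", 4)
    print("attacker recovered:", recovered)
    print("10-digit number space: %.1f bits" % search_space_bits(10))
```

    The point the numbers make: a ten-digit phone number carries about 33
    bits, so hashing it is not a secret-keeping step, only an obfuscation
    step. A salt or a per-session key defeats precomputed tables but not
    online enumeration at this size. The articles do not describe the fix
    the researchers offered Apple; the usual remedy for this class of
    problem is a private-set-intersection protocol in which neither side
    learns the other's non-matching identifiers.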

    ------------------------------

    Date: Thu, 29 Apr 2021 00:22:34 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Why the FCC Keeps Shooting Down Requests From Companies
    That Want To Shoot Down Drones (IEEE Spectrum)

    Regulators have denied testing permits to at least four electronic warfare systems in the last six months

    https://spectrum.ieee.org/tech-talk/aerospace/military/fcc-shoot-down-drones

    ------------------------------

    Date: Wed, 28 Apr 2021 12:19:27 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: How Close Is Ordinary Light to Doing Quantum Computing?
    (Neil Savage)

    Neil Savage, *IEEE Spectrum*, 27 Apr 2021
    via ACM TechNews, Wednesday, April 28, 2021

    Using mirrors to generate a light beam with multiple, classical
    entanglements is possible, according to researchers at China's Tsinghua University, the U.K.'s University of Southampton, and South Africa's
    University of Witwatersrand (WITS). WITS' Andrew Forbes said this technique
    can entangle a potentially infinite number of photonic pathways, and his
    team demonstrated eight degrees of freedom within a single beam by changing
    the spacing between mirrors in the laser cavity. Said Forbes, "Not only
    could we make light that took many different paths at once, but we could
    encode information into those paths to make it look like we were holding a high-dimensional multi-photon quantum state." Forbes added that since
    quantum computing relies on particles existing in multiple states, some algorithms could be run using classically entangled light, bridging quantum
    and classical computers.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ab7fx22ac75x070972&

    ------------------------------

    Date: Wed, 28 Apr 2021 12:19:27 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: SolarWinds, Microsoft Hacks Prompt Focus on Zero-Trust Security
    (James Rundle)

    James Rundle, *The Wall Street Journal*, 26 Apr 2021
    via ACM TechNews, Wednesday, April 28, 2021

    At an April 22 virtual event hosted by Cyber Education Institute LLC's Billington Cybersecurity unit, U.S. Department of Defense's John Sherman
    said the public and private sectors should adopt zero-trust models that constantly verify whether a device, user, or program should be able to do
    what it is asking to do. Ericom Software Ltd.'s Chase Cunningham said, "No
    one who actually understands zero trust says abandon the perimeter. But the reality of it is that you need to understand your perimeter's probably
    already compromised, especially when you're in a remote space." Carnegie
    Mellon University's Gregory Touhill stressed that zero trust is not a technology but a strategy, and "we've got too many folks in industry that
    are trying to peddle themselves as zero-trust vendors selling the same stuff that wasn't good enough the first time."

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ab7fx22ac7ax070972&

    ------------------------------

    Date: Thu, 29 Apr 2021 10:06:53 -0700
    From: Rob Slade <rslade@gmail.com>
    Subject: Outlook/Exchange accounts under attack?

    Possibly it's due to all the Exchange servers still "pwned" from the
    SolarWinds attack. But I have been noticing a *huge* up-tick in spam (and particularly phishing) messages in my Outlook account, rmslade@outlook.com. (The same account is also rob-the-virus@outlook.com, usual-suspects@outlook.com, isc2@outlook.com, and the-usual-suspect@outlook.com, but most of the spam seems to be addressed to rmslade@outlook.com.)

    OK, maybe nine messages a day doesn't seem huge, but bear in mind that this
    is an account that I hardly ever use. I generally don't post from it, and almost never to any mailing lists. I don't exactly hide its existence, and
    I sometimes note it as an alternate email when people have trouble with my
    main Shaw account, or when I'm giving presentations. And, up until a couple
    of months ago, I hardly received any email in it at all. (Which is why I wonder about the SolarWinds thing.)

    It's not as if Microsoft is really bad at spam filtering. Looking at the
    spam folder (which Microsoft insists on labeling "Junk") I note that there
    are a number of messages Microsoft has dealt with automatically. Although
    an awful lot of the phishing messages that I *do* see (and report,
    religiously, one of the reasons that I'm so aware of the growing spam
    numbers) are dead copies of each other, even if they come from different
    email accounts and sources.

    I know that phishing doesn't have to have a high success rate. Sending phishing messages is pretty close to zero cost for phishers, so you can
    have a success rate of 0.01% and still consider that a win. But I am
    starting to wonder how many people are getting "pwned" by this recent
    onslaught ...

    ------------------------------

    Date: Thu, 29 Apr 2021 18:15:52 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: U.S. investigating possible mysterious directed energy attack near
    White House (CNNPolitics)

    Washington (CNN) -- Federal agencies are investigating at least two possible incidents on US soil, including one near the White House in November of last year, that appear similar to mysterious, invisible attacks that have led to debilitating symptoms for dozens of US personnel abroad.

    Multiple sources familiar with the matter tell CNN that while the Pentagon
    and other agencies probing the matter have reached no clear conclusions on
    what happened, the fact that such an attack might have taken place so close
    to the White House is particularly alarming.

    Defense officials briefed lawmakers on the Senate and House Armed Services Committees on the matter earlier this month, including on the incident near
    the White House. That incident, which occurred near the Ellipse, the large
    oval lawn on the south side of the White House, sickened one National
    Security Council official, according to multiple current and former US officials and sources familiar with the matter.

    https://www.cnn.com/2021/04/29/politics/us-investigating-mysterious-directed-energy-attack-white-house/index.html

    ------------------------------

    Date: Thu, 29 Apr 2021 18:24:59 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: An Ambitious Plan to Tackle Ransomware Faces Long Odds (WiReD)

    A task force counting Amazon, Cisco, and the FBI among its members has
    proposed a framework to solve one of cybersecurity's biggest problems. Good luck.

    https://www.wired.com/story/ransomware-task-force-proposal/

    ------------------------------

    Date: Thu, 29 Apr 2021 20:11:30 -0600
    From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
    Subject: Man arrested over fake QR codes (South Australia Police)

    28 Apr 2021

    An Edwardstown man has been arrested after he allegedly placed fake QR codes over business COVID check-in QR codes.

    On 28 Apr 2021, members of SAPOL's COVID Compliance Section attended an
    address in Edwardstown following allegations that false QR codes had been placed over business QR Codes at South Plympton on Sunday 25 April.

    https://www.police.sa.gov.au/sa-police-news-assets/front-page-news/man-arrested-over-fake-qr-codes#.YImYQrVKiUl

    "Anti-vaxxers are to blame for a QR code scam in Blackwood. Fake QR codes
    were placed over genuine COVID safe check-ins and once scanned, it is understood it led people to a website with information against
    vaccinations. 7NEWS Adelaide at 6pm"

    https://t.co/8ftPfFYTVQ #7NEWS pic.twitter.com/NFAMNTdCrz

    ------------------------------

    Date: Fri, 30 Apr 2021 12:25:23 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Spending on Cloud Computing Hits US$42 Billion Worldwide (Canalys)

    Business Times (Singapore), 30 Apr 2021. via ACM TechNews, 30 Apr 2021

    Market tracker Canalys said global cloud computing spending reached a record-high US$41.8 billion in the first quarter of 2021 as businesses used
    the Internet heavily to weather the pandemic. Worldwide spending on cloud infrastructure services rose nearly US$11 billion year over year, according
    to Canalys. The company's Blake Murray said, "Organizations depended on
    digital services and being online to maintain operations and adapt to the unfolding situation," although most businesses have not yet made the
    "digital transformation." Canalys ranked Amazon Web Services as the world's
    top cloud service provider, accounting for 32% of the market, followed by Microsoft's Azure platform with 19% and Google Cloud with 7%. Going forward, Murray expects continued migration to the cloud amid improving economic confidence and the revitalization of postponed projects.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ac19x22adb1x070550&

    [Too much trusting of potentially untrustworthy third-parties?
    PGN]

    ------------------------------

    Date: Wed, 28 Apr 2021 10:12:46 -0700
    From: Rob Slade <rslade@gmail.com>
    Subject: Fighting patent trolls

    Even though I'm an author, I'm not really big on "intellectual property."
    Not that I'm against the idea of a creator benefitting from control over
    what they've created: I just don't see it working out very well in the real world. As is usual, the Golden Rule is that ``they that have the gold make
    the rules,'' and intellectual property law tends not to protect creators as much as it makes it possible for large corporations, with hordes of lawyers,
    to pay a pittance to originators and then make fabulous profits off the creation.

    But what *really* gets my goat is patent trolls. People or companies that
    file for hugely overbroad patents, generally on things they never plan to produce, and then sue people who actually produce usable products that stray into the patent's clutches. I have wasted *far* too much time over the past decade and more, helping defend companies that have been hit by patent
    trolls.

    Much of the time, the situation goes like this. ABC Corp makes a product.
    XYZ Corp, the patent troll, figures that it infringes on their patent. XYZ sues ABC for a hundred million dollars. ABC goes to their lawyers. Their lawyers go to IP lawyers. The IP lawyers get someone to do prior art
    searches. At this point they find me. (This is mostly in the field of antimalware stuff, and I reviewed basically everything that was available between 1987 and 1996.) So, the IP lawyers tell me about the XYZ patent,
    and I list off all the programs that invalidate the XYZ patent because they
    did what the XYZ patent talks about before it was filed. So the IP lawyers
    go back to the ABC lawyers, and ABC says to XYZ, "Well, we could invalidate your patent, but it would be a long and expensive process: here's a hundred thousand dollars. Go away." So, XYZ, who only wanted $100,000, is happy,
    ABC is happy that they saved $100,000,000, the IP lawyers are happy they got
    to charge lots of billable hours, and the only one *not* happy is me.

    So I am delighted that Cloudflare has taken umbrage at being sued by a
    patent troll, and encourage everyone to support their prior art search: https://blog.cloudflare.com/project-jengo-redux-cloudflares-prior-art-search-bounty-returns/

    ------------------------------

    Date: Mon, 26 Apr 2021 08:40:42 +0200
    From: Anthony Thorn <anthony.thorn@atss.ch>
    Subject: Re: Eversource Energy data breach caused by unsecured cloud storage
    (Wolitzky, RISKS-32.62)

    Did he become suspicious too late?

    Jan Wolitzky describes a possible/probable phishing attempt:

    "I went to the website provided to sign up, but around the point where
    they asked for my Social Security number, I got suspicious."

    "How hard would it be to send a mass mailing on utility company letterhead, warning people of a non-existent data breach, and sending them to some
    website to sign up for credit monitoring, thereby quickly collecting all the information you'd otherwise have to wait for a careless utility company to provide?"

    I do hope that he did not follow a link in the email because his computer
    might already be compromised...

    ------------------------------

    Date: Sun, 25 Apr 2021 19:40:59 -0600
    From: goldy <gold2718@gmail.com>
    Subject: Re: Fiery Tesla crash with no one driving (RISKS-32.61 & 62)

    We have now had items in two RISKS issues repeating the "news" that a Tesla crash took over four hours and 30,000 gallons of water to extinguish.
    The RISK? Not checking facts before repeating rumors.

    https://www.houstonchronicle.com/neighborhood/woodlands/article/Woodlands-fire-chief-says-Tesla-fire-example-of-16113029.php

    It seems that there is a difference between putting out a fire and keeping
    a scene cool so that a fire does not reignite.

    [I do have dupes now and then, especially when an item is submitted well
    after an issue has already appeared. (I often check for duplicates, but
    tend to miss a few now and then, because I do not have a lot of time to
    check everything. However, I always try to run corrections when a
    submitted item is incorrect, and rely on readers to help keep the archival
    record straight, as you have done. So yours is greatly appreciated. PGN]

    ------------------------------

    Date: Tue, 27 Apr 2021 17:51:26 +0300
    From: Amos Shapir <amos083@gmail.com>
    Subject: Re: IBM Clarifies Stance On Developers Working On
    Open-Source Projects In Off-Hours (RISKS-32.61)

    I worked at IBM 10 years ago, but it seems they still keep their
    spirit... IBM views itself not as a company, but as a Kingdom (which used
    to be an Empire).

    The claim "You are an IBM employee 100% of the time" is not a whim of a bad manager, but a direct quote from their Business Conduct Guide -- a 200-page document every candidate should read, before given access to any system.

    In there, employees are taught that every person on Earth is either an IBM Employee, an IBM Supplier, an IBM Customer, or else (implied consequently)
    an IBM Enemy. The 100% Employee is warned that anyone s/he may meet on a
    bus, in a bar, or at a PTA meeting, may belong in one of these categories, and should be approached accordingly.

    ------------------------------

    Date: Tue, 27 Apr 2021 10:50:42 -0400 (EDT)
    From: Robert Weaver <woody.weaver@comcast.net>
    Subject: Re: Masking the CoVID-19 problem (Weaver, RISKS-31.68)

    If memory serves, Rob Slade had a bit of a screed on masks (see
    RISKS-31.65), and was taken to task for it. Then I commented on the 6-foot thing, and there was some response around that issue, partly by Herr Doctor Professor Peter Ladkin -- who had been watching it, and referred to a study
    and to a movie, "the Sneeze".

    We now have better science to design controls, such as https://www.pnas.org/content/118/17/e2018995118 and while the guidance doesn't quite invert the previous recommendations, it deeply changes the advice.

    The risks are subtle, and perhaps not precisely computer-related, but more [generally] "science" related: the risks of jumping to a control with
    limited scientific information, applying controls inexpertly, failure to
    change the control regime in a timely fashion when the data changes, etc.

    [In retrospect, the Pandemic is still an evolving exercise a year later.
    PGN]

    ------------------------------

    Date: Mon, 1 Aug 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 32.63
    ************************
