• Risks Digest 32.81

    From RISKS List Owner@21:1/5 to All on Sun Aug 8 03:07:01 2021
    RISKS-LIST: Risks-Forum Digest Saturday 7 August 2021 Volume 32 : Issue 81

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/32.81>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Thousands of Patients Were Implanted With Heart Pumps That the FDA
    Knew Could Be Dangerous (ProPublica)
    Reading Race: A Remarkable AI/ML Achievement (WordPress)
    Hospitals Still Use Pneumatic Tubes—and They Can Be Hacked (WiReD)
    The Pentagon inches toward letting AI control weapons (WiReD)
    Cyber-attack against steering of ships? (Times of Israel)
    What, me worry? (WashPost via Gabe Goldberg)
    The chip shortage is getting worse (Vox)
    The Full Story of the Stunning RSA Hack Can Finally Be Told (WiReD)
    Revealed: leak uncovers global abuse of cyber-surveillance weapon
    (The Guardian)
    Keeping old computers going costs government 2.3bn pounds a year, says
    report (Richard Morris -- BBC)
    Apple to Scan iPhones for Child Sex Abuse Images (James Clayton -- BBC)
    DRM on hand power tools (TechDirt)
    Hacking a Capsule Hotel to Silence a Noisy Neighbor (Infosecurity Magazine)
    Senate Banking Chair Asks CFPB How It Plans to Address Risks of Chime and
    Other Banking Apps (ProPublica)
    Hackers Turning to 'Exotic' Programming Languages for Malware Development
    (The Hacker News)
    Re: Hackers using 'Exotic' PLs for Malware (Henry Baker)
    Re: Chair moved to clean in control room, bumps switch, shutting reactor in
    Taiwan (JC Cantrell)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 6 Aug 2021 17:49:17 -0400
    From: "Gabe Goldberg" <gabe@gabegold.com>
    Subject: Thousands of Patients Were Implanted With Heart Pumps That the FDA
    Knew Could Be Dangerous (ProPublica)

    Inspectors repeatedly found manufacturing and device quality problems with
    the HeartWare heart pump. But the FDA did not penalize the company, and
    patients had the device implanted on their hearts without knowing the
    facts.

    https://www.propublica.org/article/heartware-patients-implanted-fda

    ------------------------------

    Date: Wed, 4 Aug 2021 10:40:04 -0400
    From: "Olin Sibert" <osibert@oxfordsystemsinc.com>
    Subject: Reading Race: A Remarkable AI/ML Achievement (WordPress)

    In this posting and paper pre-print,

    https://lukeoakdenrayner.wordpress.com/2021/08/02/ai-has-the-worst-superpower-medical-racism/
    https://arxiv.org/abs/2107.10356

    Luke Oakden-Rayner describes a jaw-dropping accomplishment of a medical AI system: it learned to recognize the self-reported racial identity of medical patients by analyzing their X-rays(!). Even more remarkable, it has thus far proven infeasible to discover how it does so, in part because humans are
    unable to perform the same feat.

    On one level, this is a bad risk for medical care driven by inscrutable
    black boxes. But there are potential counter-measures to mitigate the
    effect.

    On another level, this is a fascinating intellectual and research challenge: how *does* it do that, and why can people apparently not do the same thing?

    And on yet another level, what does this result imply for fooling AI-driven systems in all sorts of other contexts? Or for making tamper-resistant AI systems?

    ------------------------------

    Date: Fri, 6 Aug 2021 17:46:04 -0400
    From: "Gabe Goldberg" <gabe@gabegold.com>
    Subject: Hospitals Still Use Pneumatic Tubes—and They Can Be Hacked
    (WiReD)

    The vulnerabilities the Armis researchers found in TransLogic PTS offerings aren't directly exploitable from the open Internet. But they're all
    relatively simple flaws to take advantage of, a smattering of hardcoded passwords, buffer overflows, memory corruption bugs, and the like. An
    attacker on the same network as the web of pneumatic tubes and control
    panels would have multiple paths to manipulate the system. And by
    exploiting certain flaws, they could even install their own unvalidated firmware on a Translogic Nexus Control Panel. For attackers, this would be
    an avenue to establishing deep, lasting control—hospitals would need to install another curative firmware update to eradicate the intruders.

    https://www.wired.com/story/pneumatic-tubes-hospitals-hacking/

    Must be present to hack -- so insider/intruder threat only?

    ------------------------------

    Date: Fri, 6 Aug 2021 19:34:23 -0400
    From: "Gabe Goldberg" <gabe@gabegold.com>
    Subject: The Pentagon inches toward letting AI control weapons (WiReD)

    Drills involving swarms of drones raise questions about whether machines
    could outperform a human operator in complex scenarios.

    https://www.wired.com/story/pentagon-inches-toward-letting-ai-control-weapons/

    ------------------------------

    Date: Tue, 3 Aug 2021 16:54:04 -0700
    From: "Mabry Tyson" <Tyson@AI.SRI.COM>
    Subject: Cyber-attack against steering of ships? (Times of Israel)

    Smells like a cyber-attack https://www.timesofisrael.com/4-ships-in-gulf-of-oman-lose-control-days-after-drone-strike-on-vessel/

    At least six ships off the coast of the United Arab Emirates broadcast
    warnings [on 3 Aug 2021] that they had lost control of their steering under unclear circumstances as British authorities reported “a potential hijack” was underway in the area.

    The six vessels announced around the same time via their Automatic Identification System trackers that they were “not under command,” according
    to MarineTraffic.com. That typically means a vessel has lost power and can
    no longer steer.

    “At the same time, if they are in the same vicinity and in the same place,
    then very rarely that happens,” said Ranjith Raja, an oil and shipping
    expert with data firm Refinitiv. “Not all the vessels would lose their
    engines or their capability to steer at the same time.”

    ------------------------------

    Date: Thu, 5 Aug 2021 17:35:58 -0400
    From: "Gabe Goldberg" <gabe@gabegold.com>
    Subject: What, me worry?

    The Greenland ice sheet experienced a massive melting event last week; The melting event could have short-term and long-term implications for sea-level rise.

    https://www.washingtonpost.com/weather/2021/08/05/greenland-melt-event-season-2021/

    A critical ocean system may be heading for collapse due to climate change, study finds. Studies of ancient climate change show that a shutdown of the Atlantic Meridional Overturning Circulation could lead to wild temperature swings and major shifts in global weather systems.

    https://www.washingtonpost.com/climate-environment/2021/08/05/change-ocean-collapse-atlantic-meridional/

    Risks? Ignorance, stupidity, politics. Always a nice confluence.

    ------------------------------

    Date: Fri, 6 Aug 2021 10:00:51 -0400
    From: "Monty Solomon" <monty@roscom.com>
    Subject: The chip shortage is getting worse

    The semiconductor supply crunch came for cars and phones. Now consumers are facing higher prices.

    https://www.vox.com/recode/2021/8/5/22611031/chip-shortage-cars-electronics-automakers-gm-tesla-playstation-xbox

    [... and soon it will come for you. PGN]

    ------------------------------

    Date: Fri, 6 Aug 2021 19:31:42 -0400
    From: "Gabe Goldberg" <gabe@gabegold.com>
    Subject: The Full Story of the Stunning RSA Hack Can Finally Be Told (WiReD)

    On that Australian employee’s PC, someone had used a tool that pulled
    credentials out of the machine's memory and then reused those usernames
    and passwords to log into other machines on the network. They’d then
    scraped those computers’ memories for more usernames and passwords --
    finding some that belonged to more privileged administrators. The hackers
    eventually got to a server containing hundreds of users’ credentials.
    Today that credential-stealing hopscotching technique is common. But in
    2011 the analysts were surprised to see how the hackers fanned out across
    the network. “It was really just the most brutal way to blow through our
    systems that I’d ever seen,” Duane says.

    https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/

    "Tool"?
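    The two movement patterns the WIRED excerpt describes, one account fanning out
    to many hosts in a short window and a host reached with one account becoming the
    source of logons with a different, more privileged account, written up as toy
    detection logic. This is an added example, not code from the article or from
    RSA's analysts; the logon log format and the hostnames are constructed.

```python
"""Toy detector for credential-reuse lateral movement ("hopscotching").

Signals: one account fanning out to many hosts inside a short window, and hop
chains where a freshly reached host becomes the source of logons by another account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article): timestamp, result, user, src, dst.
SAMPLE_LOG = """\
2011-03-01T09:58:02 OK user=ausr src=laptop-au dst=laptop-au
2011-03-01T10:02:11 OK user=ausr src=laptop-au dst=wks-22
2011-03-01T10:02:40 OK user=ausr src=laptop-au dst=wks-31
2011-03-01T10:03:05 OK user=ausr src=laptop-au dst=wks-47
2011-03-01T10:09:50 OK user=helpdesk src=wks-31 dst=srv-files
2011-03-01T10:10:12 OK user=helpdesk src=wks-31 dst=srv-build
2011-03-01T10:14:33 OK user=domadmin src=srv-build dst=srv-cred01
2011-03-01T11:40:00 OK user=bob src=wks-09 dst=wks-09
"""

WINDOW = timedelta(minutes=10)  # assumed correlation window


def parse_log(text):
    """Parse 'ts RESULT k=v k=v k=v' lines into dicts, keeping successful logons only."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[1] != "OK":
            continue
        rec = dict(kv.split("=", 1) for kv in parts[2:])
        rec["ts"] = datetime.fromisoformat(parts[0])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def fanout_alerts(records, min_hosts=3, window=WINDOW):
    """Accounts that reach >= min_hosts distinct remote hosts inside one window."""
    remote = defaultdict(list)
    for r in records:
        if r["src"] != r["dst"]:          # local logons are not lateral movement
            remote[r["user"]].append(r)
    alerts = {}
    for user, recs in remote.items():
        for i, start in enumerate(recs):  # slide the window over each start event
            hosts = {r["dst"] for r in recs[i:] if r["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts and len(hosts) > len(alerts.get(user, ())):
                alerts[user] = sorted(hosts)
    return alerts


def hop_chains(records, window=WINDOW):
    """Chains of hops (user, src, dst) where a hop's dst is the next hop's src with another account."""
    hops = [r for r in records if r["src"] != r["dst"]]
    successors = {
        i: [j for j, n in enumerate(hops)
            if n["src"] == h["dst"] and n["user"] != h["user"]
            and timedelta(0) <= n["ts"] - h["ts"] <= window]
        for i, h in enumerate(hops)
    }
    has_pred = {j for succ in successors.values() for j in succ}

    def extend(i):  # every chain that starts at hop i
        here = (hops[i]["user"], hops[i]["src"], hops[i]["dst"])
        if not successors[i]:
            return [[here]]
        return [[here] + tail for j in successors[i] for tail in extend(j)]

    chains = [c for i in range(len(hops)) if i not in has_pred for c in extend(i)]
    return [c for c in chains if len(c) >= 2]
```

    On the constructed log the fan-out rule flags `ausr`, and the longest hop
    chain runs laptop-au -> wks-31 -> srv-build -> srv-cred01 with the account
    changing at each hop.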

    ------------------------------

    Date: Sun, 18 Jul 2021 11:07:31 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Revealed: leak uncovers global abuse of cyber-surveillance weapon
    (The Guardian)

    *Spyware sold to authoritarian regimes used to target activists,
    politicians and journalists, data suggests*

    Human rights activists, journalists and lawyers across the world have been targeted by authoritarian governments using hacking software sold by the Israeli surveillance company NSO Group, according to an investigation into
    a massive data leak.

    The investigation by the Guardian and 16 other media organisations suggests widespread and continuing abuse of NSO’s hacking spyware, Pegasus, which
    the company insists is only intended for use against criminals and
    terrorists.

    Pegasus is a malware that infects iPhones and Android devices to enable operators of the tool to extract messages, photos and emails, record calls
    and secretly activate microphones.

    The leak contains a list of more than 50,000 phone numbers that, it is believed, have been identified as those of people of interest by clients of
    NSO since 2016.

    Forbidden Stories, a Paris-based nonprofit media organisation, and Amnesty International initially had access to the leaked list and shared access
    with media partners as part of the Pegasus project, a reporting consortium.

    The presence of a phone number in the data does not reveal whether a device
    was infected with Pegasus or subject to an attempted hack. However, the consortium believes the data is indicative of the potential targets NSO’s government clients identified in advance of possible surveillance attempts.

    Forensics analysis of a small number of phones whose numbers appeared on
    the leaked list also showed more than half had traces of the Pegasus
    spyware.

    The Guardian and its media partners will be revealing the identities of
    people whose number appeared on the list in the coming days. They include hundreds of business executives, religious figures, academics, NGO
    employees, union officials and government officials, including cabinet ministers, presidents and prime ministers.

    The list also contains the numbers of close family members of one country’s ruler, suggesting the ruler may have instructed their intelligence agencies
    to explore the possibility of monitoring their own relatives.

    The disclosures begin on Sunday, with the revelation that the numbers of
    more than 180 journalists are listed in the data, including reporters,
    editors and executives at the Financial Times, CNN, the New York Times,
    France 24, the Economist, Associated Press and Reuters.

    The phone number of a freelance Mexican reporter, Cecilio Pineda Birto, was found in the list, apparently of interest to a Mexican client in the weeks leading up to his murder, when his killers were able to locate him at a carwash. His phone has never been found so no forensic analysis has been possible to establish whether it was infected. [...]

    https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus

    ------------------------------

    Date: Fri, 6 Aug 2021 21:51:17 +0100
    From: "Chris Drewe" <c.drewe0123@btinternet.com>
    Subject: Keeping old computers going costs government 2.3bn pounds a year,
    says report (Richard Morris -- BBC)

    I just spotted this on a BBC website, probably not a surprise (2.3 billion pounds is about US$3.22 billion; when I worked in telecomms, we used Y2K as
    an opportunity to review/update our software as needed):

    https://www.bbc.co.uk/news/uk-politics-58085316

    ------------------------------

    Date: Fri, 6 Aug 2021 12:38:22 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Apple to Scan iPhones for Child Sex Abuse Images (BBC News)

    James Clayton, *BBC News*, 5 Aug 2021 via ACM TechNews, 6 Aug, 2021

    Apple has unveiled a system designed to scan U.S. customers' iPhones to determine if they contain child sexual abuse material (CSAM). The system compares photo files on each handset to a database of known CSAM gathered by the National Center for Missing and Exploited Children and other
    organizations. Before an iPhone can be used to upload an image to the iCloud Photos platform, the technology will look for matches to known CSAM; matches are evaluated by human reviewers who report confirmed matches to law enforcement. The company said the system's privacy benefits are
    significantly better than existing techniques, because Apple only learns
    about users' images if their iCloud Photos accounts contain collections of known CSAM.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2c341x22cb98x071038&

    [See also EFF: Apple's Plan to "Think Different" About Encryption Opens a
    Backdoor to Your Private Life: https://www.eff.org/deeplinks/2021/08/apples-plan-think-different-about-encryption-opens-backdoor-your-private-life

    This `plan' is causing all sorts of blowback discussions that could
    overwhelm RISKS, so I may hold off on your responses until I get a
    well-reasoned analysis. "It's complicated" no matter how you slice it.
    PGN]

    ------------------------------

    Date: Thu, 05 Aug 2021 14:40:36 -0400
    From: "Arthur T." <risks202107.6.atsjbt@xoxy.net>
    Subject: DRM on hand power tools (TechDirt)

    https://www.techdirt.com/articles/20210802/07490447288/home-depot-tech-will-brick-power-tools-if-theyre-stolen-what-could-possibly-go-wrong.shtml

    "Home Depot says their new anti-theft strategy is now being used [...] the store will use Bluetooth technology to activate the tool."

    And from the comments:
    "I'd expect the simplest fix to this is to buy your tools
    from a vendor that does not sabotage them."

    ------------------------------

    Date: Fri, 6 Aug 2021 00:09:28 -0400
    From: "Gabe Goldberg" <gabe@gabegold.com>
    Subject: Hacking a Capsule Hotel to Silence a Noisy Neighbor
    (Infosecurity Magazine)

    Security researcher Kya Supa was staying at a capsule hotel in Japan while
    on vacation and had a noisy neighbor.

    Every day at around 2 a.m., the neighbor would be on the phone making a
    loud call. Supa politely asked the neighbor to not be so loud, but the
    neighbor didn't listen. What happened next was the subject of Supa's
    session at the Black Hat US 2021 hybrid event, where he detailed how he
    was able to hack the hotel's system to get back at his noisy neighbor,
    whom he referred to as Bob.

    "Some people just don't take anything seriously," Supa said about Bob.
    "So I thought it would be nice if I could take control of his room and
    make him have a lovely night."

    https://www.infosecurity-magazine.com/news/bhusa-hacking-a-capsule-hotel/

    ------------------------------

    Date: Sun, 1 Aug 2021 00:01:22 -0400
    From: "Gabe Goldberg" <gabe@gabegold.com>
    Subject: Senate Banking Chair Asks CFPB How It Plans to Address Risks of
    Chime and Other Banking Apps (ProPublica)

    Citing a ProPublica report on the high numbers of complaints about
    involuntary Chime account closures and other problems, Sherrod Brown asked
    the Consumer Financial Protection Bureau to lay out a plan for overseeing neobanks.

    https://www.propublica.org/article/senate-banking-chair-asks-cfpb-how-it-plans-to-address-risks-of-chime-and-other-banking-apps

    And there are commercials for Credit Karma gamifying checking accounts --
    use your debit card, maybe purchase (but only up to $5,000) will be
    free. Plus, they say, there's a maximum balance limit -- give us your money, but not too much.

    Making banking fun, what could go wrong.

    ------------------------------

    Date: Tue, 27 Jul 2021 12:33:46 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Hackers Turning to 'Exotic' Programming Languages for Malware
    Development (The Hacker News)

    Threat actors are increasingly shifting to "exotic" programming languages
    such as Go, Rust, Nim, and Dlang that can better circumvent conventional security protections, evade analysis, and hamper reverse engineering
    efforts.

    "Malware authors are known for their ability to adapt and modify their
    skills and behaviors to take advantage of newer technologies," said <https://www.blackberry.com/us/en/forms/enterprise/report-old-dogs-new-tricks> Eric Milam, Vice President of threat research at BlackBerry. "That
    tactic has multiple benefits from the development cycle and inherent
    lack of coverage from protective products."

    On the one hand, languages like Rust are more secure as they offer
    guarantees like memory-safe programming <https://en.wikipedia.org/wiki/Rust_(programming_language)#Memory_safety>,
    but they can also be a double-edged sword when malware engineers abuse the
    same features designed to offer increased safeguards to their advantage, thereby making malware less susceptible to exploitation and thwart attempts
    to activate a kill-switch <https://thehackernews.com/2020/08/emotet-botnet-malware.html> and render
    them powerless.

    Noting that binaries written in these languages can appear more complex, convoluted, and tedious when disassembled, the researchers said the pivot
    adds additional layers of obfuscation, simply by virtue of them being relatively new, leading to a scenario where older malware developed using traditional languages like C++ and C# are being actively retooled with
    droppers and loaders written in uncommon alternatives to evade detection by endpoint security systems. [...]

    https://thehackernews.com/2021/07/hackers-turning-to-exotic-programming.html

    ------------------------------

    Date: Tue, 03 Aug 2021 09:01:38 -0700
    From: "Henry Baker" <hbaker1@pipeline.com>
    Subject: Re: Hackers using 'Exotic' PLs for Malware

    Headline from the Prohibition Era:

    "Bootleggers using powerful cars and speedboats to outrun police and Coast
    Guard"

    'Exotic' PL's is a "dog bites man" headline, if I ever saw one.

    What's the takeaway?

    Should 'exotic' programming languages be banned, because criminals use them? Perhaps high-quality food should also be banned, because criminals eat it?

    High-quality 'exotic' programming languages can dramatically reduce the
    types of bugs that enable malware in the first place, much like better
    locks can reduce theft.

    Perhaps the criminals are doing us all a favor & dramatically
    demonstrating the advantages of these 'exotic' languages?

    ------------------------------

    Date: Tue, 3 Aug 2021 18:28:47 +0000 (UTC)
    From: "JC Cantrell" <jc_cantrell1@yahoo.com>
    Subject: Re: Chair moved to clean in control room, bumps switch, shutting
    reactor in Taiwan (The Register, RISKS-32.80)

    Surprisingly a real-life scenario and not a plotline from The Simpsons.
    Dan Jacobson

    Earlier than the Simpsons. Very like Peter Ustinov in Hot Millions from 1968, cleaning staff and all:

    Hot Millions (1968), Directed by Eric Till. With Peter Ustinov, Maggie
    Smith, Karl Malden, Bob Newhart. Paroled London ...

    ------------------------------

    Date: Mon, 1 Aug 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 32.81
    ************************
