• Risks Digest 32.84

    From RISKS List Owner@21:1/5 to All on Fri Aug 27 01:22:00 2021
    RISKS-LIST: Risks-Forum Digest Thursday 26 August 2021 Volume 32 : Issue 84

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/32.84>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    General Motors expands Chevrolet Bolt recall over battery fire issue
    (Neal E. Boudett)
    Why Teslas Keep Striking Parked Firetrucks and Police Cars (Slate)
    Aurora Releases Tool to Gauge Safety of Self-Driving Systems (Reuters)
    Further on the Fatal Tesla Autopilot Accident report (Stephen Mason)
    An Obstacle to Amtrak Expansion That Money Won’t Solve (NYTimes)
    Rain falls on peak of Greenland ice cap for first time on record
    (The Guardian)
    Why Bad Science Is Sometimes More Appealing Than Good Science
    (Scientific American)
    Implantable AI system developed for early detection and treatment of
    illnesses (medicalxpress.org)
    Body cams alone not enough to prevent police violence (phys.org)
    The fix is in: How it can cost you more to get medical treatment with
    insurance than without (NYTimes)
    How your employer may be tracking your remote work (WashPost)
    As delta variant spreads, some companies with vaccine mandates deploy tech
    to verify records (WashPost)
    Cortana is AWOL in the war against COVID-19 disinfo (Computerworld)
    Critical flaw found in older Cisco Small Business Routers won't be fixed
    (The Hacker News)
    Google announces commitment of $10 billion to advance cybersecurity (LW)
    Cybercrime Group Asking Insiders for Help in Planting Ransomware
    (The Hacker News)
    Wanted: Disgruntled Employees to Deploy Ransomware (Krebs on Security)
    A simple software fix could limit location-data sharing (WiReD)
    Princeton: We built a system like Apple's to flag child sexual abuse
    material -- and concluded the tech was dangerous (WashPost)
    Another source for Apple's anti-CSAM proposal (NYTimes)
    Edward Snowden on Apple's approach to CSAM (PGN)
    Apple’s Double Agent (Vice)
    UK to Hang Up on Landline Phones in 2025 (Jonathan Spira)
    VPNs Could Be Vulnerable to Attacks That Send You to Fake Websites
    (New Scientist)
    Folly: eBay "security" notice (Gabe Goldberg)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sat, 21 Aug 2021 19:19:51 PDT
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: General Motors expands Chevrolet Bolt recall over battery fire issue
    (Neal E. Boudett)

    Neal E. Boudette, *The New York Times*, 20 Aug 2021

    GM said the move announced [on 20 Aug 2021] ``would cost the company $1
    billion on top of the $800M it had allocated for the previous Bolt recall.''
    This means that all 141,000 Bolts produced (since 2017) are under recall.
    The battery packs are made by LG Chem in S.Korea. This is the third Bolt
    recall in a year. The National Highway Traffic Safety Administration is
    quoted on the November recall (an `offer') to add software to address
    concerns that some of the high-voltage batteries ``may pose a risk of fire
    when charged to full, or very close to full, capacity.'' The NYTimes article
    says ``Two fires occurred after that recall, including one in a Bolt that
    had the updated software.'' [PGN-ed from the National print Edition.]

    ------------------------------

    Date: Fri, 20 Aug 2021 13:18:02 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Why Teslas Keep Striking Parked Firetrucks and Police Cars (Slate)

    Something appears to be confusing a system that Tesla drivers frequently misuse.

    On Monday, the National Highway Traffic Safety Administration opened an
    investigation
    <https://www.reuters.com/business/autos-transportation/us-opens-formal-safety-probe-into-tesla-autopilot-crashes-2021-08-16/>
    into Tesla. The agency claims that there have been 11 incidents since 2018
    in which Tesla vehicles struck stationary first-responder vehicles attending
    to the scene of an emergency; there’s allegedly
    <https://static.nhtsa.gov/odi/inv/2021/INOA-PE21020-1893.PDF> been 17
    injuries and one fatality as a result. The NHTSA is narrowing in on the
    company’s Autopilot system, noting that the Teslas in these incidents “were
    all confirmed to have been engaged in either Autopilot or Traffic Aware
    Cruise Control during the approach to the crashes.” The investigation will
    cover Tesla models Y, X, S, and 3 that were released between 2014 and 2021.
    Autopilot’s difficulties with sensing firetrucks and other emergency
    vehicles have been a known problem for years
    <https://www.wired.com/story/tesla-autopilot-why-crash-radar/>, and the
    feature has also been criticized as encouraging drivers to rely on it as
    though it is a self-driving system when in fact it is only meant to assist
    an engaged driver. To better understand the issue, I spoke with Raj
    Rajkumar, an electrical and computer engineering professor at Carnegie
    Mellon University who specializes in self-driving vehicles. Our conversation
    has been condensed and edited for clarity.

    *Aaron Mak: Why might Teslas be having this issue with stationary emergency
    vehicles?* [...]
    https://slate.com/technology/2021/08/teslas-allegedly-hitting-emergency-vehicles-why-it-could-be-happening.html

    ------------------------------

    Date: Fri, 20 Aug 2021 12:39:26 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Aurora Releases Tool to Gauge Safety of Self-Driving Systems
    (Reuters)

    Paul Lienert, *Reuters*, 18 Aug 2021, via ACM TechNews, 20 Aug 2021

    Silicon Valley-based self-driving startup Aurora has unveiled what it
    describes as the industry's first tool for assessing the relative safety of
    autonomous vehicles. Aurora's Chris Urmson said the Safety Case Framework
    provides a "structured approach" to assessing the safety of autonomous
    vehicles on actual streets, featuring four levels of claims associated with
    the safe development, testing, and evaluation of the company's self-driving
    systems, as well as required supporting evidence. The framework supports a
    systematic approach to assessing the vehicles' safety, as well as metrics
    for measuring progress across their full development cycle.
    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2c69cx22d045x073748&

    ------------------------------

    Date: Fri, 20 Aug 2021 17:00:39 +0100
    From: "Stephen Mason" <stephenmason@stephenmason.co.uk>
    Subject: Further on the Fatal Tesla Autopilot Accident report

    It is about time the autopilot in Tesla and other vehicles is investigated
    properly. I have not been able to find any criminal prosecutions. Maybe
    your readers might be interested to know the only prosecution I am aware
    of, from Switzerland:

    Case translation: Switzerland

    Case citation: PEN 17 16 DIP, Regionalgericht Emmental-Oberaargau,
    Strafabteilung (Regional Court Emmental-Oberaargau, Criminal Division), 30
    May 2018

    Key words: Switzerland; criminal law; traffic violation; Autobahn; Tesla
    motor vehicle ‘Traffic-Aware Cruise Control’ and ‘Autosteer’ mode engaged;
    collision; driver failed to control vehicle; Convention on Road Traffic,
    Vienna; evidential value of report by Tesla Motors Switzerland GmbH

    Citation in journal: Case translation from Switzerland, PEN 17 16 DIP,
    Regionalgericht Emmental-Oberaargau, Strafabteilung (Regional Court
    Emmental-Oberaargau, Criminal Division), 30 May 2018, 17 Digital Evidence
    and Electronic Signature Law Review (2020) 97 – 111

    URL: https://journals.sas.ac.uk/deeslr/article/view/5230

    Might somebody alert the U.S. safety regulators who are undertaking the
    inquiry (whoever they are)?

    Stephen Mason, https://ials.sas.ac.uk/about/about-us/people/stephen-mason
    Open-source practitioner text for judges, lawyers and legal academics:

    Stephen Mason and Daniel Seng, editors, Electronic Evidence and Electronic
    Signatures (5th edition, Institute of Advanced Legal Studies for the SAS
    Humanities Digital Library, School of Advanced Study, University of
    London, 2021)
    https://humanities-digital-library.org/index.php/hdl/catalog/book/electronic-evidence-and-electronic-signatures

    Open source journal:

    Digital Evidence and Electronic Signature Law Review
    https://journals.sas.ac.uk/index.php/deeslr (also available via the
    HeinOnline subscription service and British and Irish Legal Information
    Institute http://www.bailii.org/)

    ------------------------------

    Date: Fri, 6 Aug 2021 16:14:13 -0400
    From: "Gabe Goldberg" <gabe@gabegold.com>
    Subject: An Obstacle to Amtrak Expansion That Money Won’t Solve (NYTimes)

    Amtrak and freight rail companies have long clashed over the use of
    railroad tracks, a dispute that is now playing out along the Gulf Coast,
    where the agency is seeking to restore service.

    https://www.nytimes.com/2021/08/06/us/politics/amtrak-expansion-freight.html

    The risk? Aging infrastructure, and fingerpointing over responsibility and access ...

    ------------------------------

    Date: Sun, 22 Aug 2021 11:51:22 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Rain falls on peak of Greenland ice cap for first time on record
    (The Guardian)

    Precipitation was so unexpected, scientists had no gauges to measure it,
    and is stark sign of climate crisis.

    Rain has fallen on the summit of Greenland’s huge ice cap for the first
    time on record. Temperatures are normally well below freezing on the
    3,216-metre (10,551ft) peak, and the precipitation is a stark sign of the
    climate crisis.

    Scientists at the US National Science Foundation’s summit station saw rain
    falling throughout 14 August, but had no gauges to measure the fall because
    the precipitation was so unexpected. Across Greenland, an estimated 7bn
    tonnes of water was released from the clouds.
    <https://nsidc.org/greenland-today/2021/08/rain-at-the-summit-of-greenland/>

    The rain fell during an exceptionally hot three days in Greenland when
    temperatures were 18C higher than average in places. As a result, melting
    was seen in most of Greenland, across an area about four times the size of
    the UK.

    The recent report from the Intergovernmental Panel on Climate Change
    concluded it was “unequivocal” that carbon emissions from human activities
    were heating the planet and causing impacts such as melting ice and rising
    sea level.
    <https://www.theguardian.com/environment/2021/aug/09/climate-crisis-unequivocally-caused-by-human-activities-says-ipcc-report>

    In May, researchers reported that a significant part of the Greenland ice
    sheet was nearing a tipping point, after which accelerated melting would
    become inevitable even if global heating was halted. [...]
    <https://www.theguardian.com/environment/2021/may/17/greenland-ice-sheet-on-brink-of-major-tipping-point-says-study>

    https://www.theguardian.com/world/2021/aug/20/rain-falls-peak-greenland-ice-cap-first-time-on-record-climate-crisis

    [Why is this relevant to RISKS? Because so many other risks are related
    to climate change. See
    http://www.csl.sri.com/neumann/cacm250.pdf
    PGN]

    ------------------------------

    Date: Mon, 23 Aug 2021 09:44:43 -0700
    From: "Lauren Weinstein" <lauren@vortex.com>
    Subject: Why Bad Science Is Sometimes More Appealing Than Good Science
    (Scientific American)

    https://www.scientificamerican.com/article/why-bad-science-is-sometimes-more-appealing-than-good-science/

    ------------------------------

    Date: Sun, 22 Aug 2021 20:29:57 +0800
    From: "Richard Stein" <rmstein@ieee.org>
    Subject: Implantable AI system developed for early detection and treatment
    of illnesses (medicalxpress.org)

    https://medicalxpress.com/news/2021-08-implantable-ai-early-treatment-illnesses.html

    "In trials, the AI was able to differentiate between healthy heartbeats
    from three common arrhythmias with an 88% accuracy rate. In the process,
    the polymer network consumed less energy than a pacemaker. The potential
    applications for implantable AI systems are manifold: For example, they
    could be used to monitor cardiac arrhythmias or complications after surgery
    and report them to both doctors and patients via smartphone, allowing for
    swift medical assistance."

    I could not locate statistics on heart attacks directly attributed to
    rhythm-specific conditions such as atrial fibrillation, ventricular
    fibrillation, tachycardia, etc. versus those arising from arteriosclerosis,
    pericarditis, etc.

    The CDC estimates that ~805K US persons will experience a heart attack per
    year (See "Heart Disease Facts," retrieved from
    https://www.cdc.gov/heartdisease/facts.htm on 22AUG2021).

    By "accuracy," I assume the essay means the technology correctly detects
    the anticipated/trained arrhythmia it was presented versus a false
    positive/negative detection outcome.

    Assuming there's a 12% false negative/positive arrhythmia detection via
    this experimental implanted heart monitor technology, that implies
    0.12*805K = 96.6K potential false negative/positive incidents per year in
    the US.

    This false negative/positive detection rate implies: (1) For false
    negatives, it means the arrhythmia WAS NOT detected by the device, and the
    patient experienced the symptom, and no therapy was applied by a pacemaker
    or cardiodefibrillator; or, (2) for false positive, it means an
    unrecognized, possibly fictitious arrhythmia signal WAS detected and the
    pacemaker or cardiodefibrillator therapy (an electric shock) was
    inappropriately applied -- meaning it was unnecessary/extraneous.

    Consult
    https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm?id=1039&min_report_year=2016
    for a summary of product code LWS, which documents a class of implanted
    cardiodefibrillator medical device report events between
    01JAN2016-31JUL2021.

    That TPLC summary contains this URL which documents over 10000
    "inappropriate therapy" cardiodefibrillator events experienced by patients
    during the 01JAN2016 to 31JUL2021 period:

    https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfmaude/results.cfm

    ------------------------------

    Date: Sat, 21 Aug 2021 12:51:43 +0800
    From: "Richard Stein" <rmstein@ieee.org>
    Subject: Body cams alone not enough to prevent police violence (phys.org)

    https://phys.org/news/2021-08-body-cams-police-violence.html

    "Unfortunately, there is a tendency of criminologists and policymakers to
    attempt to reform the criminal justice system using strategies that don't
    consider community-led initiatives as viable solutions. The emphasis on
    BWCs [body-worn cameras] over other possibilities offers a similar case in
    point."

    Risk: Overtrust in technology as a law enforcement accountability measure.

    [Quite a few of the RISKS sagas involve trying to use technology to solve
    problems that are intrinsically non-technological. To the man with a
    hammer, everything looks like a nail. PGN]

    ------------------------------

    Date: Sun, 22 Aug 2021 07:29:20 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: The fix is in: How it can cost you more to get medical treatment
    with insurance than without (NYTimes)

    Hospitals and Insurers Didn't Want You to See These Prices. Here's Why.

    https://www.nytimes.com/interactive/2021/08/22/upshot/hospital-prices.html

    ------------------------------

    Date: Wed, 25 Aug 2021 12:49:12 -0400
    From: "Gabe Goldberg" <gabe@gabegold.com>
    Subject: How your employer may be tracking your remote work (WashPost)

    As remote work gets prolonged because of the delta variant, more companies
    are tracking what employees do at home

    There are a lot of things your employer doesn’t know right now -- like the
    future of remote work or when the coronavirus pandemic might end.

    But your activity during the workday is less of a mystery.

    The pandemic pushed many into work-from-home setups, and companies turned
    to employee data to keep tabs on their workforces. Your company can get
    access to almost everything you do electronically, and monitoring software
    makes that data easy to collect and analyze.

    As some employees see work-from-home time extended because of the delta
    variant spreading across the world, reliance on employee tracking is
    staying steady at lockdown-level highs, say executives at monitoring
    software firms.

    Elizabeth Harz, chief executive of Connecticut-based employee monitoring
    software provider InterGuard, said one of her clients came to her convinced
    that remote work would mean “economic ruin” for his company. That was until
    the client saw what InterGuard could do for his newly dispersed workforce,
    Harz said. The software tracks employees’ productivity, down to how long it
    takes to respond to emails. “They woke up in 2021 and said, ‘Half of our
    employees don’t even work where we are anymore.’”

    https://www.washingtonpost.com/technology/2021/08/20/work-from-home-computer-monitoring/

    ------------------------------

    Date: Mon, 23 Aug 2021 08:48:09 -0400
    From: "Monty Solomon" <monty@roscom.com>
    Subject: As delta variant spreads, some companies with vaccine mandates
    deploy tech to verify records (WashPost)

    Eager to bring back their employees, companies are wrestling with how best
    to verify vaccination status, and some are using tech tools to help.

    https://www.washingtonpost.com/technology/2021/08/19/employers-vaccine-mandate-status-verification/

    ------------------------------

    Date: Thu, 26 Aug 2021 19:48:46 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Cortana is AWOL in the war against COVID-19 disinfo (Computerworld)

    At a time when more people use voice assistants to retrieve the most basic
    information, Microsoft’s Cortana doesn’t provide even the basics about
    protecting against the coronavirus.

    https://www.computerworld.com/article/3630789/cortana-is-awol-in-the-war-against-covid-19-disinfo.html

    Asking a voice assistant to search the Internet for essential health
    information. What could go wrong?

    ------------------------------

    Date: Fri, 20 Aug 2021 13:04:15 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Critical flaw found in older Cisco Small Business Routers won't be
    fixed (The Hacker News)

    A critical vulnerability in Cisco Small Business Routers will not be
    patched by the networking equipment giant, since the devices reached
    end-of-life in 2019.

    Tracked as CVE-2021-34730 (CVSS score: 9.8), the issue resides in the
    routers' Universal Plug-and-Play (UPnP) service, enabling an
    unauthenticated, remote attacker to execute arbitrary code or cause an
    affected device to restart unexpectedly, resulting in a denial of service
    (DoS) condition.

    The vulnerability, which the company said is due to improper validation of
    incoming UPnP traffic, could be abused to send a specially-crafted UPnP
    request to an affected device, resulting in remote code execution as the
    root user on the underlying operating system.

    "Cisco has not released and will not release software updates to address
    the vulnerability," the company noted in an advisory published Wednesday.
    "The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have
    entered the end-of-life process. Customers are encouraged to migrate to the
    Cisco Small Business RV132W, RV160, or RV160W Routers."
    <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-sb-rv-overflow-htpymMB5>
    <https://www.cisco.com/c/en/us/products/collateral/routers/small-business-rv-series-routers/eos-eol-notice-c51-742771.pdf>

    The issue impacts the following products —
    - RV110W Wireless-N VPN Firewalls
    - RV130 VPN Routers
    - RV130W Wireless-N Multifunction VPN Routers
    - RV215W Wireless-N VPN Routers
    [...]

    https://thehackernews.com/2021/08/critical-flaw-found-in-older-cisco.html

    ------------------------------

    Date: Wed, 25 Aug 2021 14:50:13 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Google announces commitment of $10 billion to advance cybersecurity

    https://blog.google/technology/safety-security/why-were-committing-10-billion-to-advance-cybersecurity/

    [I remember when IBM announced it was putting $40M into increasing
    security -- perhaps in the late 1980s or early 1990s. The joke in the
    community was that they spent $39M for public relations, and 1M for
    travel. Let's hope Google does much better than that for $10B. PGN]

    ------------------------------

    Date: Fri, 20 Aug 2021 12:48:22 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Cybercrime Group Asking Insiders for Help in Planting Ransomware
    (The Hacker News)

    A Nigerian threat actor has been observed attempting to recruit employees
    by offering to pay them $1 million in bitcoins to deploy Black Kingdom
    ransomware on companies' networks as part of an insider threat scheme.

    "The sender tells the employee that if they're able to deploy ransomware on
    a company computer or Windows server, then they would be paid $1 million
    in bitcoin, or 40% of the presumed $2.5 million ransom," Abnormal Security
    said in a report published Thursday. "The employee is told they can launch
    the ransomware physically or remotely. The sender provided two methods to
    contact them if the employee is interested—an Outlook email account and a
    Telegram username."
    <https://abnormalsecurity.com/blog/nigerian-ransomware-soliciting-employees-demonware/>

    Black Kingdom, also known as DemonWare and DEMON, attracted attention
    earlier this March when threat actors were found exploiting ProxyLogon
    flaws
    <https://thehackernews.com/2021/03/black-kingdom-ransomware-hunting.html>
    impacting Microsoft Exchange Servers to infect unpatched systems with the
    ransomware strain.

    Abnormal Security, which detected and blocked the phishing emails on August
    12, responded to the solicitation attempt by creating a fictitious persona
    and reached out to the actor on Telegram messenger, only to have the
    individual inadvertently spill the attack's modus operandi, which included
    two links for an executable ransomware payload that the "employee" could
    download from WeTransfer or Mega.nz. [...]
    https://thehackernews.com/2021/08/cybercrime-group-asking-insiders-for.html

    ------------------------------

    Date: Fri, 20 Aug 2021 13:14:05 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Wanted: Disgruntled Employees to Deploy Ransomware (Krebs on Security)

    Criminal hackers will try almost anything to get inside a profitable
    enterprise and secure a million-dollar payday from a ransomware infection.
    Apparently now that includes emailing employees directly and asking them to
    unleash the malware inside their employer’s network in exchange for a
    percentage of any ransom amount paid by the victim company.

    *Crane Hassold*, director of threat intelligence at *Abnormal Security*,
    described what happened after he adopted a fake persona and responded to
    the proposal in the screenshot above. It offered to pay him 40 percent of a
    million-dollar ransom demand if he agreed to launch their malware inside
    his employer’s network.
    <https://abnormalsecurity.com/blog/nigerian-ransomware-soliciting-employees-demonware/>

    This particular scammer was fairly chatty, and over the course of five days
    it emerged that Hassold’s correspondent was forced to change up his initial
    approach in planning to deploy the DemonWare ransomware strain, which is
    freely available on *GitHub*.
    <https://arstechnica.com/gadgets/2021/03/ransomware-operators-are-piling-on-already-hacked-exchange-servers/>

    “According to this actor, he had originally intended to send his
    targets—all senior-level executives—phishing emails to compromise their
    accounts, but after that was unsuccessful, he pivoted to this ransomware
    pretext,” Hassold wrote.

    Abnormal Security documented how it tied the email back to a young man in
    Nigeria who acknowledged he was trying to save up money to help fund a new
    social network he is building called *Sociogram*. [...]
    https://krebsonsecurity.com/2021/08/wanted-disgruntled-employees-to-deploy-ransomware/

    ------------------------------

    Date: Sat, 14 Aug 2021 11:42:45 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: A simple software fix could limit location-data sharing (WiReD)

    https://www.wired.com/story/pretty-good-phone-privacy-imsi-wireless-carriers/

    ------------------------------

    Date: Thu, 19 Aug 2021 18:01:02 -0700
    From: "Lauren Weinstein" <lauren@vortex.com>
    Subject: Princeton: We built a system like Apple's to flag child sexual
    abuse material -- and concluded the tech was dangerous (WashPost)

    https://www.washingtonpost.com/s/opinions/2021/08/19/apple-csam-abuse-encryption-security-privacy-dangerous/

    ------------------------------

    Date: Sun, 22 Aug 2021 19:17:29 PDT
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: Another source for Apple's anti-CSAM proposal (NYTimes)

    The NYTimes has another excellent podcast of interest, on "The Daily" for
    this past Friday, on Apple's new CSAM proposal:

    https://www.nytimes.com/2021/08/20/podcasts/the-daily/apple-iphones-privacy.html

    [noted by Ron Rivest. PGN]

    ------------------------------

    Date: Thu, 26 Aug 2021 12:44:03 PDT
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: Edward Snowden on Apple's approach to CSAM

    Here's one more take on the situation that is worth reading
    if you are confused by all of the ongoing back-and-forths.

    ``This is not a slippery slope. It is a cliff.''

    https://edwardsnowden.substack.com/p/all-seeing-i

    ------------------------------

    Date: Fri, 20 Aug 2021 01:30:22 -0400
    From: "Monty Solomon" <monty@roscom.com>
    Subject: Apple’s Double Agent (Vice)

    He spent years inside the iPhone leaks and jailbreak community. He was also
    spying for Apple.

    https://www.vice.com/en/article/3aqyz8/apples-double-agent

    ------------------------------

    Date: August 26, 2021 at 10:22:17 GMT+9
    From: jonathan.spira@accuramediagroup.com
    Subject: UK to Hang Up on Landline Phones in 2025

    [via David Farber <farber@keio.jp>]

    [POTS is going to pot. However, there is tons of money invested in
    copper, whose repurposing/recycling might deplete the market price. The
    Russian thieves who have been harvesting it may go out of business.
    PGN]

    The traditional landline phone will be consigned to the rubbish bin by
    2025, at least as far as telephone companies in the United Kingdom are
    concerned.

    The move comes as the telecommunications industry wants to no longer have
    to maintain the [copper] wires and switching gear required for landline
    phones, and also wants to be able to offer more robust Internet services.

    ------------------------------

    Date: Mon, 23 Aug 2021 11:36:19 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: VPNs Could Be Vulnerable to Attacks That Send You to Fake Websites
    (New Scientist)

    Chris Stokel-Walker, *New Scientist*, 17 Aug 2021
    via ACM TechNews, 23 Aug 2021

    Arizona State University (ASU) researchers have found that hackers could
    exploit virtual private networks (VPNs) to strip users' anonymity and send
    them to bogus websites by tapping what ASU's William Tolley calls "a
    fundamental networking vulnerability." The vulnerability monitors the
    presence and size of the data packets routed along the VPN. Attackers first
    send different-sized packets to different entry/exit ports, which if
    forwarded signals that the targeted port is the correct one; they can then
    send packets where they have altered the source address to seem as if they
    originate from one of the legitimate ends of the connection. The
    researchers say they have alerted a number of VPN providers to the attack,
    but it is unlikely that all currently used networks will be patched. Tolley
    said, "Our advice is to avoid VPNs if you're trying to keep your
    information private from government entities, or something like that."

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2c72cx22d12cx073956&
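
    The spoofing step described above, where injected packets carry a forged
    source address so that they appear to come from the legitimate far end of
    the connection, is the step a host can most directly defend against on its
    own. What follows is an added example of that defence for a Linux VPN
    client; it is not code from the ASU researchers, the article, or any VPN
    vendor. It assumes the tunnel interface is named tun0, the physical uplink
    is wlan0, and the VPN assigns client addresses from 10.8.0.0/24; all three
    are placeholders to be adjusted for the host in question.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the ASU researchers or the article. Anti-spoofing
# rules for a Linux VPN client. Assumed names: tunnel interface "tun0",
# physical uplink "wlan0", VPN client subnet 10.8.0.0/24 (placeholders).
table inet vpn_antispoof {
    chain input {
        type filter hook input priority -10; policy accept;

        # Strict reverse-path check: drop any packet whose source address is
        # not routable back out the interface it arrived on. A packet that
        # arrives on wlan0 claiming to come from a host that is only reachable
        # through tun0 (a web server behind the tunnel, or the tunnel's far
        # end) is spoofed and is discarded before the TCP/UDP stack sees it.
        fib saddr . iif oif missing counter drop

        # Traffic addressed to the client's tunnel address must arrive on the
        # tunnel, never on the physical uplink, regardless of source address.
        iifname "wlan0" ip daddr 10.8.0.0/24 counter drop
    }
}
```

    Load it with `nft -f <file>` as root; the older kernel-level equivalent of
    the first rule is the sysctl `net.ipv4.conf.all.rp_filter=1` (strict
    mode). These rules stop forged packets from being delivered to a socket
    bound on the tunnel; the port-inference step that precedes the spoofing
    relies on observing packet sizes on the encrypted link and is not addressed
    by host filtering.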

    ------------------------------

    Date: Sat, 21 Aug 2021 15:51:14 -0400
    From: "Gabe Goldberg" <gabe@gabegold.com>
    Subject: Folly: eBay "security" notice

    I received two notices like the one below, minutes apart.

    Changed password.

    Clicked link for not recognizing activity.

    I'm left at a generic eBay page, nothing related to reporting suspicious
    activity.

    Look around, click Contact link, taken to generic list of reasons to
    contact eBay.

    Find "Suspicious activity" link; it takes me to generic advice -- if you
    can still log on, change password. Do a couple other things. If that
    doesn't work, come back and try to reach us.

    Since I had no stored payment method, plus I have 2FA turned on, I'm not
    sure what my exposure is. But if they actually WANTED to know about bogus
    attempts, they might make it easier to reach them. So this isn't even very
    convincing security theater.

    Subject: Confirm it's you to access your eBay account - August 20, 2021
    Date: Fri, 20 Aug 2021 11:11:33 -0700
    From: eBay <eBay@ebay.com>
    To: gabe@gabegold.com

    We need to confirm you have access to this account, Gabriel.
    eBay [horrible URL removed]
    Please confirm your identity to access your eBay account

    Hi Gabriel,
    It looks like you’re having trouble signing into your account.

    Please select the ‘confirm’ button to verify your identity and access your
    account. (It’s only good for 24 hours.)

    If you don’t recognize this activity, please contact us.
    Confirm [horrible URL removed]
    eBay is committed to your privacy.
    Read our user agreement [horrible URL removed]
    and privacy notice [horrible URL removed]
    Learn how to recognize fake (spoof) emails [horrible URL removed]

    We don't check replies sent to this email. If you have questions, we
    want to help you find an answer [horrible URL removed]

    [Copyright message removed as well. PGN]

    ------------------------------

    Date: Mon, 1 Aug 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 32.84
    ************************
