    Risks Digest 33.03

    From RISKS List Owner@21:1/5 to All on Sun Jan 23 01:12:19 2022
    RISKS-LIST: Risks-Forum Digest Saturday 22 January 2022 Volume 33 : Issue 03

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/33.03>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Microsoft Warns of Destructive Cyberattack on Ukrainian Computer Networks (NYTimes)
    The Rise of AI Fighter Pilots (Sue Halpern)
    AI Hiring Bias Spurs Scrutiny, Regulations (Bloomberg)
    More Than Half of Medical Devices Have Critical Vulnerabilities (ZDNet)
    European Parliament uses Google Analytics, which is illegal in the EU (Handelsblatt)
    Hotel chain switches to Chrome OS to recover from ransomware attack (The Record)
    My 2020 app (Rob Slade with URL from Lauren Weinstein)
    Google Voice Authentication Scam Leaves Victims on the Hook (Threatpost)
    Spam, spam, spam, spam ... (Rob Slade)
    FAA/FCC food fight (John Levine)
    U.S. airline officials warn of crisis in aviation with new 5G service (paul cornish)
    FAA sets rules for some Boeing 787 landings near 5G service (techxplore)
    Palomar survey instrument analyzes impact of Starlink satellites (phys.org)
    Robot vacuum cleaner escapes from Cambridge Travelodge (bbc.com)
    Cross-country Exposure: Analysis of the MY2022 Olympics app (Citizen Lab)
    Project Torogoz: Extensive Hacking of Media & Civil Society in El Salvador with Pegasus Spyware (Jan Wolitzky)
    Re: Alexa tells 10-year-old girl to touch live plug with penny (Frank Sudia)
    Re: Automakers Rev Up Subscription Services (Martin Ward)
    Re: Fake QR Codes on Parking Meters (Jerry Leichter)
    Re: Metro says timing for return of suspended railcars is unknown (Martin Ward, dave russo)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sun, 16 Jan 2022 07:19:35 -0500
    From: Jan Wolitzky <jan.wolitzky@gmail.com>
    Subject: Microsoft Warns of Destructive Cyberattack on Ukrainian Computer
    Networks (NYTimes)

    The malware was revealed as Russian troops remain massed at the Ukrainian border, and after Ukrainian government agencies had their websites defaced.

    https://www.nytimes.com/2022/01/16/us/politics/microsoft-ukraine-cyberattack.html

    https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/

    ------------------------------

    Date: Mon, 17 Jan 2022 16:33:46 -0500
    From: Jan Wolitzky <jan.wolitzky@gmail.com>
    Subject: The Rise of AI Fighter Pilots (Sue Halpern)

    Sue Halpern, *The New Yorker*, 17 Jan 2022

    Artificial intelligence is being taught to fly warplanes. Can the
    technology be trusted?

    https://www.newyorker.com/magazine/2022/01/24/the-rise-of-ai-fighter-pilots

    ------------------------------

    Date: Fri, 21 Jan 2022 14:44:33 PST
    From: ACM TechNews <technews-editor@acm.org>
    Subject: AI Hiring Bias Spurs Scrutiny, Regulations (Bloomberg)

    Erin Mulvaney, *Bloomberg Law*, 29 Dec 2021, via ACM TechNews, 10 Jan 2022

    Artificial intelligence (AI)-related hiring discrimination has prompted regulatory action, with New York City banning employers from using automated employment decision tools for screening job applicants in lieu of a bias
    audit. Meanwhile, District of Columbia Attorney General Karl Racine has announced proposed legislation to address algorithmic discrimination by mandating annual corporate technology audits. The U.S. Equal Employment Opportunity Commission's Charlotte Burrows said up to 83% of employers, and
    as many as 90% of Fortune 500 companies, use automated tools to screen or
    rank job candidates; she warned these technologies "could be used to mask or even perpetuate existing discrimination and create new discriminatory
    barriers to jobs." Civil rights groups like the Surveillance Technology Oversight Project (STOP) worry that New York's measure could enable more AI bias, and have proposed banning biased technology altogether.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2dbd4x23061ex072805&

    ------------------------------

    Date: Fri, 21 Jan 2022 12:20:57 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: More Than Half of Medical Devices Have Critical Vulnerabilities
    (ZDNet)

    Allison Murray, *ZDNet*, 20 Jan 2022, via ACM TechNews, 21 Jan 2022

    Medical cybersecurity platform Cynerio's 2022 State of Healthcare IoT Device Security Report estimates 53% of connected medical devices in hospitals have critical flaws, including a third of bedside devices. Cynerio analyzed more than 10 million medical devices at over 300 global hospitals and medical facilities and found, among other things, that 73% of infusion pumps, constituting 38% of hospital Internet of Things (IoT) inventory, possess
    some type of vulnerability. Cynerio warns hacked medical devices would
    affect hospital service availability, data confidentiality, and patient
    safety. Said Cynerio's Daniel Brodie, "Hospitals and health systems don't
    need more data--they need advanced solutions that mitigate risks and empower them to fight back against cyberattacks, and as medical device security of Technology (MIT) Computer Science and Artificial Intelligence Laboratory is designed to codify quantum computing. Twist can characterize and verify
    which pieces of data are entangled in a quantum algorithm, and applies the concept of purity, which enforces the absence of quantum entanglement, to produce intuitive programs with fewer flaws. MIT's Charles Yuan said,
    "Because understanding quantum programs requires understanding entanglement,
    we hope that Twist paves the way to languages that make the unique
    challenges of quantum computing more accessible to programmers."

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2dd2ex230a40x074115&

    ------------------------------

    Date: Sun, 16 Jan 2022 17:29:03 +0100
    From: Thomas Koenig <tkoenig@netcologne.de>
    Subject: European Parliament uses Google Analytics, which is illegal in
    the EU (Handelsblatt)

    Data of European citizens may not be stored in the USA without further considerations. This is stated in a ruling by the European Court of Justice (ECJ) from the summer of 2020. However, many companies violate this
    requirement on a daily basis, as does the European Parliament.

    Parliament had installed cookies from Google Analytics and the payment
    service provider Stripe on its website.

    European Data Protection Supervisor Wojciech Wiewiorowski investigated the cookies and has now concluded that they should not have been used. He
    issued a cease-and-desist order.

    https://www.handelsblatt.com/politik/international/dsgvo-europaparlament-missachtet-datenschutz-warnung-an-unternehmen/27964838.html

    ------------------------------

    Date: Tue, 11 Jan 2022 17:21:52 -0800
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Hotel chain switches to Chrome OS to recover from ransomware attack
    (The Record)

    https://therecord.media/hotel-chain-switches-to-chrome-os-to-recover-from-ransomware-attack/

    ------------------------------

    Date: Thu, 20 Jan 2022 01:49:29 -0800
    From: Rob Slade <rslade@gmail.com>
    Subject: My 2020 app

    The 2020 Olympics are coming up. I have more reason than normal to ignore
    them this year, but I noted a news story about the "My 2020" app, and its security problems.

    All athletes, coaches, officials, and the vanishingly small number of
    "guests" that are allowed at this year's Olympics, are to use the "My 2020" app, which is provided by China. It seems to provide information and schedules, but it also collects detailed information about all attendees, including CoVID test status (on a very regular basis). The thing is, it's insecure.

    As most such apps do, it connects to a central server to collect and dump
    data. Most apps do a bit of verification of that server. My 2020 does
    not. So, of course, it would be relatively trivial to set up a fake
    server, collect all kinds of data and personal information (for example,
    loads of names, birthdates, and passport numbers, as well as the
    aforementioned CoVID results), and give out misinformation or
    disinformation about schedules, events, locations, and generally mess with
    the games.

    I think I'll have a heart attack and die from *NOT* being surprised that
    the Chinese government failed to take this simple security precaution.

    You have to understand that there is a difference in mindset. Here in "the West" (being from BC, I tend to think of myself as being from the far, far east), the computer security field started with an interest in
    confidentiality. It was only later that we, in information security,
    expanded our interest to include integrity and availability. But the
    Chinese government has never been interested in confidentiality and privacy. (At least, not for their citizens.) The Chinese government always wants to know everything there is to know about anyone in China. (Or anyone outside
    of China, for that matter.) Privacy is a non-issue. (To the government.)
    This is why encryption is almost unheard of in China. Even most government
    and military personnel and officials (with the exception of a very, very
    few) do not have their communications protected by encryption. (Other governments therefore find it trivially easy to snoop on the bulk of
    military and government communications traffic in China.)

    So, since the government of China is primarily interested in availability
    (of the opportunity to snoop on visitors), the lack of server authentication
    is unsurprising. It may not have occurred to anyone that it might be a problem. It may even be a design feature, from the Chinese perspective,
    rather than a flaw. After all, if anyone can set up a fake server, collect information, and provide disinformation, so can the Chinese government.
    With impunity and total deniability.

    [Lauren Weinstein suggests visiting this item:
    China's Olympic app contains 'simple but devastating' flaw (CTVnews)
    https://www.ctvnews.ca/sci-tech/china-s-olympic-app-contains-simple-but-devastating-flaw-1.5744221
    PGN]
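The check Rob Slade describes as missing is server authentication: the client must refuse to talk to a server whose certificate does not chain to a trusted CA and does not carry the expected hostname. The following is an added example, not code from the app or from the post, showing in Python's standard ssl module how the weak configuration and the verifying configuration differ, with an optional pinned mode that trusts only the app operator's own CA (the `cafile` path is a hypothetical argument supplied by the caller).

```python
import http.client
import ssl
from typing import Optional


def client_context(mode: str = "system", cafile: Optional[str] = None) -> ssl.SSLContext:
    """Build the TLS client context an app uses to reach its data-collection server.

    mode="none"   reproduces the weakness described in the post: no chain validation and
                  no hostname check, so whichever server answers is accepted.
    mode="system" validates the chain against the OS trust store and checks the hostname;
                  this is what ssl.create_default_context() gives you out of the box.
    mode="pinned" trusts only the CA in `cafile` (hypothetical path), ignoring the OS store,
                  so even a valid public certificate for the name is rejected.
    """
    if mode == "none":
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if mode == "system":
        ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        return ctx
    if mode == "pinned":
        if cafile is None:
            raise ValueError("pinned mode needs the operator's own CA file")
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=cafile)  # only this CA, nothing from the OS store
        return ctx
    raise ValueError(f"unknown mode {mode!r}")


def verifies_server(ctx: ssl.SSLContext) -> bool:
    """True only if the context validates the chain AND checks the name on the certificate;
    either one alone still lets an impostor through."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def upload(host: str, path: str, body: bytes, ctx: ssl.SSLContext, timeout: float = 10.0) -> int:
    """POST `body` to https://host/path and return the HTTP status.

    With a verifying context the handshake raises ssl.SSLCertVerificationError before a
    single byte of the body (names, passport numbers, test results) leaves the device."""
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    try:
        conn.request("POST", path, body=body, headers={"Content-Type": "application/json"})
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    for mode in ("none", "system"):
        print(f"{mode:7s} authenticates the server: {verifies_server(client_context(mode))}")
```

A useful audit question for any such app is simply whether every outbound TLS context satisfies `verifies_server`; a `CERT_NONE` context or a disabled hostname check anywhere in the code path is the bug the post describes.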

    ------------------------------

    Date: Thu, 20 Jan 2022 16:54:07 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Google Voice Authentication Scam Leaves Victims on the Hook
    (Threatpost)

    The FBI is seeing so much activity around malicious Google Voice activity, where victims are associated with fraudulent virtual phone numbers, that it sent out an alert this week.

    https://threatpost.com/google-voice-authentication-scam/177421/

    ------------------------------

    Date: Tue, 18 Jan 2022 11:23:44 -0800
    From: Rob Slade <rslade@gmail.com>
    Subject: Spam, spam, spam, spam ....

    Anybody else getting lots of Media Message Service messages, ostensibly from twelve digit phone numbers? I have no idea what they are trying to get me
    to do, since this phone doesn't have a data plan, and, regardless of what
    the cell companies tell you when they sell you the plan, without buying
    extra data you cannot receive MMS messages.

    (I'm also getting lots of robot phone calls warning me about extraneous
    charges on my Visa. Which, presumably, they can catch and fix as long as I wire money somewhere for some reason ...)

    ------------------------------

    Date: 8 Jan 2022 16:10:40 -0500
    From: "John Levine" <johnl@iecc.com>
    Subject: FAA/FCC food fight

    Re: Boeing and Airbus warn US over 5G safety concerns (bbc.com)

    This is a long running fight between the FAA and FCC. Neither side has
    covered itself in glory but the FAA has been a lot worse.

    For 15 years we have known that old cruddy radio altimeters are subject to interference from adjacent bands including the new 5G C-band. The sensible approach would have been for the FAA and FCC to work together on a
    combination of finding and replacing the old altimeters perhaps with
    subsidies from the telcos, and power limits on C-band cells near runways. Instead we get dueling press releases.

    Forty other countries have worked this out with the same altimeters and same
    5G band. What do they know that we don't?

    ------------------------------

    Date: Tue, 18 Jan 2022 09:40:53 +0000
    From: "paul cornish" <paul.a.cornish@googlemail.com>
    Subject: U.S. airline officials warn of crisis in aviation with new
    5G service (The Guardian)

    Following on from the risk highlighted after Christmas (RISKS-33.01), it now appears that the airline / mobile (cellular) operator deal was only a temporary halt.

    The risk still remains -- in the U.S. the frequencies used by 5G overlap
    with those used by critical safety devices fitted to aircraft. Aircraft
    systems are built to an international standard and hence can't be changed.

    https://www.theguardian.com/technology/2022/jan/17/us-airline-officials-crisis-5

    Airlines have identified 50+ airports that could be impacted and Bloomberg
    has identified that medevac helicopters could also be impacted.

    https://www.bloomberg.com/news/articles/2022-01-13/medevac-helicopter-flights-risk-grounding-with-5g-deadline-ahead

    ------------------------------

    Date: Tue, 18 Jan 2022 10:17:43 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: FAA sets rules for some Boeing 787 landings near 5G service
    (techxplore.com)

    https://techxplore.com/news/2022-01-faa-boeing-5g.html

    Federal safety officials are directing operators of some Boeing planes to
    adopt extra procedures when landing on wet or snowy runways near impending
    5G service because, they say, interference from the wireless networks could mean that the planes need more room to land.

    The Federal Aviation Administration said Friday that interference could
    delay systems like thrust reversers on Boeing 787s from kicking in, leaving only the brakes to slow the plane.

    That 'could prevent an aircraft from stopping on the runway,' the FAA said.

    ------------------------------

    Date: Tue, 18 Jan 2022 08:17:51 -0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Palomar survey instrument analyzes impact of Starlink satellites
    (phys.org)

    https://phys.org/news/2022-01-palomar-survey-instrument-impact-starlink.html

    ``In 2019, 0.5 percent of twilight images were affected, and now almost 20 percent are affected,'' says Przemek Mróz, study lead author and a former Caltech postdoctoral scholar who is now at the University of Warsaw in
    Poland. ... There is a small chance that we would miss an asteroid or
    another event hidden behind a satellite streak, but compared to the impact
    of weather, such as a cloudy sky, these are rather small effects for ZTF [Zwicky Transient Facility].

    Private satellite constellations pollute Earth-based astronomical
    observations.

    ------------------------------

    Date: Sat, 22 Jan 2022 08:00:59 -0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Robot vacuum cleaner escapes from Cambridge Travelodge (bbc.com)

    https://www.bbc.com/news/uk-england-cambridgeshire-60084347

    Like a page from Asimov's "I, Robot." The article notes that "Nature abhors
    a vacuum." [RS]

    [HOO-VERy-likely other than the BBC might have thought of that? PGN]

    ------------------------------

    Date: Tue, 18 Jan 2022 09:54:40 -0500
    From: Gene Spafford <spaf@purdue.edu>
    Subject: Cross-country Exposure: Analysis of the MY2022 Olympics app
    (The Citizen Lab)

    Not surprising, but that doesn't mean it is okay:

    https://citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/

    ------------------------------

    Date: Fri, 14 Jan 2022 20:45:09 -0500
    From: "Jan Wolitzky" <jan.wolitzky@gmail.com>
    Subject: Project Torogoz: Extensive Hacking of Media & Civil Society in El
    Salvador with Pegasus Spyware

    Key Findings

    The Citizen Lab and Access Now have conducted a joint investigation into Pegasus hacking in El Salvador in collaboration with Frontline Defenders, SocialTIC, and Fundación Acceso.

    We confirmed 35 cases of journalists and members of civil society whose
    phones were successfully infected with NSO's Pegasus spyware between July
    2020 and November 2021. We shared a sample of forensic data with Amnesty International's Security Lab which independently confirms the findings.

    Targets included journalists at El Faro, GatoEncerrado, La Prensa Gráfica, Revista Digital Disruptiva, Diario El Mundo, El Diario de Hoy, and two independent journalists. Civil society targets included Fundación DTJ, Cristosal, and another NGO.

    ------------------------------

    Date: Sat, 8 Jan 2022 17:28:31 -0500
    From: "Frank Sudia 128" <fs128@fwsudia.com>
    Subject: Re: Alexa tells 10-year-old girl to touch live plug with penny
    (RISKS-33.01)

    Aren't these so-called smart speakers really driven by humans in the back
    room, pretending to be AI? Which is why I don't use them, both to avoid
    being an unpaid tester to make some co rich, and because it's pathetic that they are nowhere near to having real AI, and so it's a huge privacy
    violation to have dopey humans listening in, and in this case issuing dopey ideas to kids. My take, no AI would have made that suggestion. That was a
    phony AI, like a chess player with a midget inside! A chess player who
    should be fired.

    ------------------------------

    From: Martin Ward <martin@gkc.org.uk>
    Date: Sun, 16 Jan 2022 13:17:55 +0000
    Subject: Re: Automakers Rev Up Subscription Services (Washington Consumers',
    RISKS-33.02)

    ... one way to do that is to require a subscription for some pretty basic services

    What next?

    "Subscribe to the basic steering wheel package (right turns only) for just
    $5 a month, or opt for the deluxe package (includes both left *and* right
    turns) for only $8 a month!!!"

    ------------------------------

    Date: Sun, 16 Jan 2022 11:29:36 -0500
    From: Jerry Leichter <leichter@lrw.com>
    Subject: Re: Fake QR Codes on Parking Meters (RISKS-33.02)

    I warned about this class of attacks a few months back (RISKS 32.93).
    Although I must admit the attackers took the next step. I was concerned
    about attackers replacing legitimate QR codes (e.g., on menus) with their
    own versions. In this attack, however, Austin doesn't actually put QR codes
    on meters. The attackers just added their own. People have now become so accustomed to scanning QR codes that they don't question even their presence. This opens the attack surface wide. How about a "scan for hours and menu"
    QR code on the outside glass of a restaurant? If they are closed on Monday, how many passers-by will it catch if placed there early Monday morning --
    with no one from the store even being present to notice until Tuesday?

    Similar attacks work all over the place. Any store window. The doors of
    cars on a dealer lot -- "Scan for our best price on this beauty!" At the entrance to a Mall: "Scan for a map." Or at an office building: "Scan for a tenant list." The commuter rail lines around NY have an app that allows you
    to pay for your ticket; you then show your phone to the conductor when he checks for tickets. For those who don't have the app ... imagine a QR code that says "Beat the rush! Scan here to buy an eTicket."

    The important thing to realize is that an "addition" attack -- unlike a "replacement" attack -- leaves the owner of the physical object where the
    code is presented entirely out of the loop. A restaurant using QR codes for menus, say, could in principle have a sign on the wall with a picture to be matched to the presented menu. It could change every day -- or, if presented
    on a screen, every 10 minutes. How effective this would be -- how often
    people would actually look and compare -- is questionable, but it's at least
    a way to provide some degree of authentication. But what's Austin to do:
    Post signs everywhere telling people "we don't use QR codes"? How effective
    is that likely to be?

    We've spent decades (mainly unsuccessfully) teaching people not to click on links in unsolicited emails. QR codes are even worse. Since they are essentially *never* solicited in any meaningful sense ... "intent" is no longer a meaningful distinction. They are completely unparseable to human beings. Even if a QR code reader showed the URL on the phone's screen with a "click if this is OK" ... given that the whole purpose of the code is
    provide a quick, frictionless interface, what are the odds people will read
    the incomprehensible -- even the legitimate ones are not intended for human comprehension -- URLs that result?

    QR codes. Just say no.
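Jerry Leichter's point is that a scanner's only real defence is to make the decoded payload visible and to treat anything not on a published list as unverified, rather than opening it with one tap. The following is an added example, not from his post, of the triage a QR reader can apply before opening anything: plain text is just displayed, non-web schemes that would hand off to another app are refused, and a URL is opened silently only when its host is on the venue's published list and nothing about it looks off. The allowlist and the sample payloads are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed for this example: the hosts a venue or city actually publishes for its
# QR-based services. Anything else decoded from a code is treated as unverified.
ALLOWED_HOSTS = frozenset({"pay.example.com", "menu.example.com"})


def assess_qr_payload(payload: str, allowed_hosts=ALLOWED_HOSTS) -> dict:
    """Classify the decoded text of a QR code before anything is opened.

    Returns the payload kind, the host (for URLs), a verdict, and the reasons:
      "show"    plain text, just display it
      "open"    https, host on the published list, nothing suspicious
      "confirm" show the full URL and make the user agree before opening
      "block"   scheme that would launch another app (tel:, sms:, intent:, ...)
    """
    reasons = []
    parts = urlsplit(payload.strip())
    if not parts.scheme:
        return {"kind": "text", "host": None, "verdict": "show", "reasons": ["not a URL"]}
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return {"kind": "uri", "host": None, "verdict": "block",
                "reasons": [f"non-web scheme '{scheme}:' would launch another app"]}
    host = (parts.hostname or "").lower()
    if scheme == "http":
        reasons.append("plain http: the server is not authenticated")
    if parts.username is not None:
        reasons.append("user-info before '@' can disguise the real destination")
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalized hostname: check for look-alike characters")
    if host not in allowed_hosts:
        reasons.append("host is not on the venue's published list")
    verdict = "open" if not reasons else "confirm"
    return {"kind": "url", "host": host, "verdict": verdict, "reasons": reasons}


def prompt_text(result: dict, payload: str) -> str:
    """The line a scanner should show; the URL is spelled out, never hidden behind 'Open'."""
    if result["verdict"] == "open":
        return f"Opening {payload}"
    if result["verdict"] == "show":
        return payload
    if result["verdict"] == "block":
        return f"Not opening {payload!r}: " + "; ".join(result["reasons"])
    return f"Unverified code -> {payload}\n  " + "\n  ".join(result["reasons"])


if __name__ == "__main__":
    # Constructed sample payloads, including the "addition" case from the post: a code
    # placed where the owner never used one, pointing at a host the owner does not run.
    samples = [
        "https://pay.example.com/meter/1234",
        "http://pay.example.com@parking.example.net/login",
        "https://xn--pa-example-abc.example/",
        "tel:+15550100",
        "Table 12, order at the counter",
    ]
    for p in samples:
        print(prompt_text(assess_qr_payload(p), p))
```

The allowlist is the scanner-side analogue of the "picture on the wall" the post suggests: it only works if the venue publishes which hosts it uses, which is exactly the information an "addition" attack exploits the absence of.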

    ------------------------------

    Date: Sun, 16 Jan 2022 11:37:47 +0000
    From: Martin Ward <martin@gkc.org.uk>
    Subject: Re: Metro says timing for return of suspended railcars is unknown
    (RISKS-33.01-02)

    The mathematical relationship "more than" does not need further
    interpretation. It is the measurement itself that needs interpreting.

    If the displacement is measured at precisely 1/32 of an inch, then the
    actual measurement is 1/32 of an inch plus or minus the error in the
    reading. This error is very unlikely to be precisely zero. So the
    probability of the actual measurement being *more than* 1/32 of an inch is
    very close to 50%.

    So the question is: should a car be taken out of service if there is close
    to a 50% chance that it is out of spec?

    Put this way, I think it is reasonable to err on the side of safety.

    ------------------------------

    Date: Sun, 16 Jan 2022 13:46:41 -0800
    From: dave russo <david.allen.russo@gmail.com>
    Subject: Re: Metro says timing for return of suspended railcars is unknown
    (RISKS-33.02)

    To be fair, the technicians may well understand both the meaning of "More
    than" and that small length measurements need to be specified as a function
    of their environment.

    The metro specification requires a measurement accuracy of at least
    1/32 of an inch. But steel expands approximately .07% per 100 degrees
    F. For a measurement of 53 5/16 inches, a 100 degree difference
    works out to be .037 inches > 1/32 inch. Working backwards, an 85
    degree F difference could result in a greater than 1/32 inch
    expansion.

    It seems to me that the real risk is in a specification of an absolute
    length deviation without ALSO specifying the temperature at which the measurement must be made.

    FWIW: Coincidentally, Adam Savage (of Myth Busters) recently produced
    a wonderful video (https://youtu.be/qE7dYhpI_bI) on why all
    sufficiently precise measurements are a function of their environment.
    Perhaps the technicians are Adam Savage fans.
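The arithmetic in dave russo's post, carried through as an added example (not from the post) in Python, using only the figures quoted there: 0.07% per 100 °F, a 1/32 inch limit, and a 53 5/16 inch dimension. It goes one step further than the post and shows the check the post argues for, a spec that normalizes a reading to a reference temperature before comparing it with the tolerance; the 68 °F reference is an assumption (the usual 20 °C metrology reference), since neither the post nor the spec it quotes names one.

```python
# Figures quoted in the post: steel grows about 0.07 % per 100 °F, Metro's limit is
# 1/32 inch, and the dimension being measured is 53 5/16 inches.
STEEL_PER_100F = 0.0007
TOLERANCE_IN = 1 / 32
NOMINAL_IN = 53 + 5 / 16
REFERENCE_F = 68.0   # assumed reference temperature (20 °C); the post names none


def thermal_expansion(length_in: float, delta_f: float, coeff: float = STEEL_PER_100F) -> float:
    """Change in length (inches) of a steel part over a temperature swing of delta_f °F."""
    return length_in * coeff * delta_f / 100


def delta_f_for_tolerance(length_in: float = NOMINAL_IN, tol_in: float = TOLERANCE_IN,
                          coeff: float = STEEL_PER_100F) -> float:
    """Temperature swing at which expansion alone uses up the whole tolerance."""
    return tol_in * 100 / (length_in * coeff)


def normalize_to_reference(measured_in: float, measured_at_f: float,
                           reference_f: float = REFERENCE_F, coeff: float = STEEL_PER_100F) -> float:
    """What the part would measure at the reference temperature."""
    return measured_in / (1 + coeff * (measured_at_f - reference_f) / 100)


def out_of_spec(measured_in: float, measured_at_f: float, nominal_in: float = NOMINAL_IN,
                tol_in: float = TOLERANCE_IN, reference_f: float = REFERENCE_F) -> bool:
    """Spec check with the temperature correction the post argues the spec should carry.
    Passing measured_at_f == reference_f gives the uncorrected check Metro's wording implies."""
    corrected = normalize_to_reference(measured_in, measured_at_f, reference_f)
    return abs(corrected - nominal_in) > tol_in


if __name__ == "__main__":
    print(f"expansion over 100 °F: {thermal_expansion(NOMINAL_IN, 100):.4f} in "
          f"(limit {TOLERANCE_IN:.5f} in)")
    print(f"tolerance consumed by a swing of {delta_f_for_tolerance():.1f} °F")
    reading = NOMINAL_IN + 0.035          # constructed: a reading 0.035 in over nominal
    print("out of spec if read at 68 °F :", out_of_spec(reading, 68.0))
    print("out of spec if read at 168 °F:", out_of_spec(reading, 168.0))
```

The same 0.035 inch reading is a failure when taken at the reference temperature and a pass when taken 100 °F above it, which is the ambiguity that an absolute-length tolerance without a temperature leaves to the technician.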

    ------------------------------

    Date: Mon, 1 Aug 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 33.03
    ************************
