RISKS-LIST: Risks-Forum Digest Sunday 15 March 2020 Volume 31 : Issue 61
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.61>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents: [WAY BACKLOGGED!!!]
A lawsuit against ICE reveals the danger of government-by-algorithm
(WashPost)
This Unpatchable Flaw Affects All Intel CPUs Released in Last 5 Years
(PTSecurity)
How the Cloud Has Opened Doors for Hackers (WashPost)
Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys (WiReD)
Before Clearview Became a Police Tool, It Was a Secret Plaything of the Rich
(The New York Times)
How Hackers and Spies Could Sabotage the Coronavirus Fight
(Bruce Schneier and Margaret Bourdeaux, Foreign Policy)
Cybersecurity label for smart home devices (The Straits Times)
South Korea warns when potential virus carriers are near (BBC)
COVID-19, toilet paper, hoarding, and emergency preparedness (Rob Slade)
U.S. Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus
Group (Treasury via geoff goodfellow)
Black Market White Washing- Why You Shouldn't Take Legal Advice From
Criminals (Disruptive Labs)
Can YouTube Quiet Its Conspiracy Theorists? (NYTimes)
Risks of publishing web browser screenshots (MarketWatch)
China's Geely invests $326M to build satellites for autonomous cars
(Reuters)
Congress Must Stop the Graham-Blumenthal Anti-Security Bill (Gabe Goldberg)
Empty Promises Won't Save the .ORG Takeover (EFF)
How to clean up the mess we've made that's orbiting the Earth (The Hill)
How fake audio, such as deepfakes, could plague business, politics
(Bakersfield)
Ransomware Attacks Prompt Tough Question for Local Officials: To Pay or
Not to Pay? (Pew)
Through apps, not warrants, Locate X allows federal law enforcement to track
phones (Protocol)
A hybrid AI model lets it reason about the world's physics like a child
(MIT Tech Review)
This Satellite Startup Raised $110 Million To Make Your Cellphone Work
Everywhere (Forbes)
Your smartphone is dirtier than a toilet seat. Here's how to disinfect it.
(Mashable)
PCI Fireside Chat: Vint Cerf and Ian Bremmer (The Unstable Globe)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Fri, 6 Mar 2020 15:07:46 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: A lawsuit against ICE reveals the danger of
government-by-algorithm (The Washington Post)
https://www.washingtonpost.com/outlook/2020/03/05/lawsuit-against-ice-reveals-danger-government-by-algorithm/
``The immigration agency's New York office tweaked risk-evaluation software
to keep thousands in jail, watchdog groups say.''
------------------------------
Date: Fri, 6 Mar 2020 11:45:14 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: This Unpatchable Flaw Affects All Intel CPUs Released in Last 5 Years
(PTSecurity)
All Intel processors released in the past 5 years contain an unpatchable vulnerability that could allow hackers to compromise almost every hardware-enabled security technology that is otherwise designed to shield sensitive data of users even when a system gets compromised.
The vulnerability, tracked as CVE-2019-0090, resides in the hard-coded
firmware running on the ROM (read-only memory) of the Intel's Converged Security and Management Engine (CSME), which can't be patched without
replacing the silicon.
Intel CSME is a separate security micro-controller incorporated into the processors that provides an isolated execution environment protected from
the host operating system running on the main CPU.
It is responsible for the initial authentication of Intel-based systems by loading and verifying firmware components, root of trust based secure boot,
and also cryptographically authenticates the BIOS, Microsoft System Guard, BitLocker, and other security features.
Although this insufficient access control vulnerability is not new and was previously patched by Intel last year when the company described it just as
a privilege escalation and arbitrary code execution in Intel CSME firmware modules, the extent of the flaw remained undervalued.
Researchers at Positive Technologies have now found that the issue can also
be exploited to recover the Chipset Key, a root cryptographic key or sort of
a master password that could help unlock and compromise a chain of trust for other security technologies, including digital rights management (DRM), firmware Trusted Platform Module (TPM), and Identity Protection Technology (IPT).
<https://blog.ptsecurity.com/2020/03/intelx86-root-of-trust-loss-of-trust.html#more>
That means the flaw could be exploited to extract data from encrypted hard-drives and to bypass DRM protections and access copyright-protected digital content. [...]
https://thehackernews.com/2020/03/intel-csme-vulnerability.html
------------------------------
Date: Wed, 4 Mar 2020 11:53:53 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: How the Cloud Has Opened Doors for Hackers (WashPost)
Craig S. Smith, *The Washington Post*, 2 Mar 2020
via ACM TechNews; Wednesday, March 4, 2020
Corporate transfers of operations to the cloud have elevated the threat of hacking, as the cloud can be accessed remotely with ease. Manav Mital, co-founder of cloud security startup Cyral, said cloud companies manage the upkeep and security of physical servers, but client requirements for ease of access have spawned new apps and databases, and increasingly complex
services that are difficult to manage and monitor. Although companies still shield private data behind firewalls and other security measures, more
people and programs require access to data in the cloud, making it easier
for bad actors to find potential vulnerabilities. The Ponemon Institute estimated that cloud breaches cost each individual company $3.92 million on average.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-24260x220c61x069057&
------------------------------
Date: Fri, 6 Mar 2020 11:19:24 -0500
From: Gabe Goldberg <ggoldberg@apcug.org>
Subject: Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys (WiReD)
Encryption flaws in a common anti-theft feature expose vehicles from major manufacturers.
Even so, the researchers say that they decided to publish their findings to reveal the real state of immobilizer security and allow car owners to decide for themselves if it's enough. Protective car owners with hackable
immobilizers might decide, for instance, to use a steering wheel lock.
``It's better to be in a place where we know what kind of security we're getting from our security devices. Otherwise, only the criminals know.'' [Garcia quoted]
https://www.wired.com/story/hackers-can-clone-millions-of-toyota-hyundai-kia-keys/
That paragraph -- last in article -- is ridiculous. I once put steering
wheel lock on a borrowed car, then realized owner hadn't given me key for
it. Locksmith took about two minutes to pick the lock -- not needing to cut
it off -- saying that with practice anyone can do that.
------------------------------
Date: Fri, 6 Mar 2020 11:39:15 -0500
From: Gabe Goldberg <ggoldberg@apcug.org>
Subject: Before Clearview Became a Police Tool, It Was a Secret
Plaything of the Rich (The New York Times)
Investors and clients of the facial recognition start-up freely used the
app on dates and at parties -- and to spy on the public.
https://www.nytimes.com/2020/03/05/technology/clearview-investors.html
------------------------------
Date: Fri, 06 Mar 2020 17:57:30 +0100
From: "Diego.Latella" <diego.latella@isti.cnr.it>
Subject: How Hackers and Spies Could Sabotage the Coronavirus Fight
(Bruce Schneier and Margaret Bourdeaux, Foreign Policy)
https://foreignpolicy.com/2020/02/28/hackers-spies-coronavirus-espionage/
------------------------------
Date: Fri, 6 Mar 2020 15:23:10 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: Cybersecurity label for smart home devices (The Straits Times)
https://www.straitstimes.com/singapore/cyber-security-label-for-smart-home-devices
``Market research firm Gartner has estimated that the number of IoT devices
in use globally will grow from 8.4 billion in 2017 to 20.4 billion this
year, with twice as many consumer installations as industrial ones. But the rules surrounding how IoT devices are designed for cybersecurity are lax, raising concerns about major privacy and security risks as such devices proliferate.''
The `cybersecurity' label might grow larger than the device package. When,
or if, it does switch to an alternate rating indicator: 'Stars' or
'Smileys'?
There's always `human error' when testing for product release readiness characteristics: performance, reliability, function, ease of use, or device security/safety for example. Latent defect escape potential elevates
deployment exploitation risk.
What about correlating IoT software (or hardware) component integration
against CVEs (https://cve.mitre.org/), and using this outcome to establish a `security' or `defect' escape risk rating? Given their perfect operational record, a HAL-9000 would be ideal for this exercise.
Risk: Inaccurate `cybersecurity label' indicators misguide consumer IoT
product purchase decisions.
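The correlation Richard Stein asks about, sketched as an added example (it is not part of his post and not any vendor's or regulator's tooling): a device's component inventory is matched against a CVE feed by component name and version, and the open matches are collapsed into a coarse rating. Every component name, version, CVE id and CVSS score below is a constructed placeholder, and the rating thresholds are arbitrary choices for the example. The version comparison is deliberately naive (numeric dotted versions only, no letter suffixes, no backported fixes), which is exactly the kind of `latent defect escape' a label built this way would inherit.

```python
"""Correlate an IoT device's component inventory against CVE records and
turn the matches into a coarse 'defect escape' rating.

Added example; not from the RISKS post or any vendor's tooling.  All
component names, versions, CVE ids and CVSS scores are constructed
placeholders, not real advisories.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class CveRecord:
    cve_id: str      # placeholder id such as "CVE-0000-0001", not a real CVE
    component: str   # affected component name
    fixed_in: str    # first version that contains the fix
    cvss: float      # base score, 0.0 to 10.0


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted numeric version into a tuple of ints so that
    versions compare numerically ('1.10' sorts after '1.9').
    Letter suffixes such as '1.1.1g' are NOT handled; they would raise."""
    return tuple(int(part) for part in v.split("."))


def affected(component: Component, record: CveRecord) -> bool:
    """A component is affected when the name matches and its version is
    older than the first fixed version.  Distro backports that fix a bug
    without bumping the version are reported as still affected."""
    return (component.name == record.component
            and parse_version(component.version) < parse_version(record.fixed_in))


def open_cves(inventory: List[Component], records: List[CveRecord]) -> List[CveRecord]:
    """Every CVE record that still applies to some component in the inventory."""
    return [r for r in records if any(affected(c, r) for c in inventory)]


def escape_rating(inventory: List[Component], records: List[CveRecord]) -> Tuple[str, float]:
    """Collapse the open CVEs into a letter label and a score.

    The score is the highest CVSS among open CVEs (one critical bug
    dominates); the label buckets it the way a consumer-facing indicator
    might.  Thresholds are arbitrary choices for this example.
    """
    matches = open_cves(inventory, records)
    if not matches:
        return ("A", 0.0)
    worst = max(r.cvss for r in matches)
    if worst >= 9.0:
        return ("D", worst)
    if worst >= 7.0:
        return ("C", worst)
    return ("B", worst)


# Constructed sample inventory and feed.
DEVICE_INVENTORY = [
    Component("busybox", "1.30.1"),
    Component("openssl", "1.1.1"),
    Component("uhttpd", "2.1.0"),
]

CVE_FEED = [
    CveRecord("CVE-0000-0001", "busybox", "1.31.0", 7.5),
    CveRecord("CVE-0000-0002", "openssl", "1.1.0", 5.3),    # already fixed in 1.1.1
    CveRecord("CVE-0000-0003", "uhttpd", "2.2.0", 9.8),
    CveRecord("CVE-0000-0004", "dropbear", "2019.78", 8.1),  # component not on device
]

if __name__ == "__main__":
    for rec in open_cves(DEVICE_INVENTORY, CVE_FEED):
        print(f"{rec.cve_id}: {rec.component} (CVSS {rec.cvss})")
    print("rating:", escape_rating(DEVICE_INVENTORY, CVE_FEED))
```

Run as-is, the constructed device lands in the lowest bucket because of the single placeholder 9.8 entry. The two comments in CVE_FEED mark the cases the matcher has to get right (a fixed version, an absent component); the two cases it gets wrong by design (letter-suffixed versions and backported fixes) are the ones that make a label computed this way drift from the device's real exposure.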
------------------------------
Date: Thu, 5 Mar 2020 11:42:24 -0800
From: Mark Thorson <eee@dialup4less.com>
Subject: South Korea warns when potential virus carriers are near (BBC)
And where they've been, like bars, love motels, etc. Deanonymization of the data is sometimes a trivial exercise for social media users.
https://www.bbc.com/news/world-asia-51733145
``He was at his work in Mapo district attending a sexual harassment class. He contracted the virus from the instructor of the class.''
------------------------------
Date: Fri, 6 Mar 2020 11:55:31 -0800
From: Rob Slade <rmslade@shaw.ca>
Subject: COVID-19, toilet paper, hoarding, and emergency preparedness
Toilet paper? *Really*?
Of course, I've seen the news stories showing streams of shoppers with carts full of toilet paper. The news stories all showed Costco, so I was hoping
that maybe it was only Costco members who were that stupid. But, no. On my
way home last night I stopped for some groceries and the toilet paper aisle
in my local Save-On was pretty bare. (Not, fortunately, completely denuded,
so my neighbours aren't completely deluded.) (And, if you're looking, the Safeway had a decent stock, albeit with some bare sections.)
Hoarding is a particularly insidious threat. It's hard to protect against. Unless you're going to ration, how do you tell people what (and how much)
they can and cannot buy? (Yes, I know. Rationing smacks of socialism, or
some other type of non-or-anti-capitalist system. But hoarding is the
inherent weakness of capitalism: unrestricted, capitalism tends to
concentrate capital, which then becomes useless.) Now, we are not only
faced with the coronavirus, but with the COVID-19 toilet paper meme virus. People see that there is a run on, or shortage of, toilet paper, so they run out and drive around (wasting gas) trying to buy toilet paper. Creating a shortage of toilet paper.
(It's particularly galling here in BC. We have trees. We make toilet
paper. By the ton.)
Why toilet paper? I mean, I defer to no one in my admiration for the stuff.
It is one of the marvels of the modern age. (Toilet paper, and the
Internet.) It has lots of uses besides that originally intended. But it
has no magical medicinal properties.
Yes, I know. We, in the emergency management field, have been trying, for years, to get people to build emergency prep kits. Have enough supplies to tide you over for three days. Or seven days. Or, in this case, two weeks. Fine. I get it. But do you know how much toilet paper you use in two
weeks? You don't need to clear out stores.
(I have noticed gaps in the canned beans section, and also in the soup
aisle. Although, for some reason, Campbell's Chunky soups are completely stocked. Personally, I *like* chunky soups ...)
And, if you are going to build an emergency prep kit, *during* an emergency
is not the time to do it. You have to put some thought into it. How much toilet paper do you use in a week? How much soup do you eat in a week?
*Do* you eat soup? Yes, I advise you to build an emergency prep kit. But *build* one. Don't just rush out and buy toilet paper.
Besides, COVID-19 is not going to be the type of `stock up on water and
canned beans' type of regional disaster. You will still be able to get
Amazon to deliver toilet paper to you if you get sick and have absolutely no friends in all the world to take care of you. (They may want to drop it and run, and you may have to keep watch on your Ring-camera-that-is-insecure-because-you-haven't-changed-the-default-password-have-you to prevent
doorstep thieves from stealing your toilet paper, but they will deliver.)
(So, by the way, will Save-On.) Travel is going to be a problem, and stocks may be a problem, and there may be lots of other problems. But toilet paper
is not going to be a problem. Unless people hoard it.
------------------------------
Date: Tue, 3 Mar 2020 13:36:10 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: U.S. Treasury Sanctions Individuals Laundering Cryptocurrency for
Lazarus Group
EXCERPT:
The U.S. Department of the Treasury's Office of Foreign Assets Control
(OFAC) today sanctioned two Chinese nationals involved in laundering stolen cryptocurrency from a 2018 cyber-intrusion against a cryptocurrency
exchange. This cyber-intrusion is linked to Lazarus Group, a U.S.-designated North Korean state-sponsored malicious cybergroup. Specifically, OFAC is designating Tian Yinyin (Tian) and Li Jiadong (Li), for having materially assisted, sponsored, or provided financial, material, or technological
support for, or goods or services to or in support of, a malicious cyber-enabled activity. Tian and Li are also being designated for having materially assisted, sponsored or provided financial, material, or technological support for, or goods or services to or in support of, Lazarus Group.
``The North Korean regime has continued its widespread campaign of extensive cyber-attacks on financial institutions to steal funds. The United States
will continue to protect the global financial system by holding accountable those who help North Korea engage in cybercrime.'' (Secretary Steven
T. Mnuchin)
*Tian and Li's Activities*
The Democratic People's Republic of Korea (DPRK) trains cyber-actors to
target and launder stolen funds from financial institutions. Tian and Li received from DPRK-controlled accounts approximately $91 million stolen in
an April 2018 hack of a cryptocurrency exchange (referred to hereinafter as *the exchange*), as well as an additional $9.5 million from a hack of
another exchange. Tian and Li transferred the currency among addresses they held, obfuscating the origin of the funds.
In April 2018, an employee of the exchange unwittingly downloaded DPRK-attributed malware through an email, which gave malicious cyber-actors remote access to the exchange and unauthorized access to customers' personal information, such as private keys used to access virtual currency wallets stored on the exchange's servers. Lazarus Group cyber-actors used the
private keys to steal virtual currencies ($250 million dollar equivalent at date of theft) from this exchange, accounting for nearly half of the DPRK's estimated virtual currency heists that year.
Tian ultimately moved the equivalent of more than $34 million of these
illicit funds through a newly added bank account linked to his exchange account. Tian also transferred nearly $1.4 million dollars' worth of
Bitcoin into prepaid Apple iTunes gift cards, which at certain exchanges
can be used for the purchase of additional Bitcoin. [...]
https://home.treasury.gov/news/press-releases/sm924
------------------------------
Date: Tue, 3 Mar 2020 13:35:36 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Black Market White Washing- Why You Shouldn't Take Legal
Advice From Criminals (Disruptive Labs)
Fraudsters who operate shops in criminal marketplaces are constantly
massaging their marketing pitches to assure prospective customers (and
lurking law enforcement) that their service is legal. It's become clear recently that some infosec professionals can't seem to identify these
services as bad, so these marketing efforts may have succeeded for one audience.
That is what happened recently when WeLeakInfo was taken down and a number
of infosec people expressed shock and dismay that their favorite OSINT tool
was gone. This isn't the first time a password shop was taken down, but this one was unusually successful at whitewashing its origins in fraud and, disturbingly, some professionals seemed either unaware of this or did not
care. Some even recommended the site, or a competitor, to their industry
peers. Those professionals risk financing the same criminal gangs they are
paid to stop.
A number of other cybercrime tools have attempted to make their way into mainstream use, with mixed success.
DDOS-FOR-HIRE AND THE TOS FIGLEAF
One example is *booter* AKA *network stresser* services. These services were sold on criminal marketplaces as a way to knock video game opponents offline with DDoS attacks. Despite a business model obviously centered around abuse
-- shown both in advertisements and target demographic -- booter owners
believed they had an ace up their sleeve. Their ToS informed users that the booter was ``for legal purposes only'', as a sort of legal figleaf. Under
this speculative legal theory which was copied by nearly every vendor,
booter owners assured their customers that the service was entirely legal
and safe to use.
To quote the FBI in a 2018 indictment against a booter service named *Downthem*. [...]
https://labs.unit221b.com/2020/03/03/black-market/
------------------------------
Date: Wed, 4 Mar 2020 11:53:53 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: Can YouTube Quiet Its Conspiracy Theorists? (NYTimes)
Jack Nicas, *The New York Times*, 2 Mar 2020
via ACM TechNews; Wednesday, March 4, 2020
University of California, Berkeley (UC Berkeley) researchers found that
while YouTube has reduced how often its algorithm recommends conspiracy theory-related videos, its progress in dealing with conspiracy theories has been uneven, and the service still promotes certain types of fictional
stories. The study examined 8 million recommendations by the video-sharing platform over a 15-month period and found that while YouTube has almost completely removed some conspiracy theories from its recommendations, other falsehoods continue to flourish. Said UC Berkeley's Hany Farid, ``It is a technological problem, but it is really at the end of the day also a policy problem. ... If you have the ability to essentially drive some of the particularly problematic content close to zero, well then you can do more on lots of things.''
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-24260x220c68x069057&
------------------------------
Date: Thu, 5 Mar 2020 13:39:53 -0500
From: David Tarabar <dtarabar@acm.org>
Subject: Risks of publishing web browser screenshots (MarketWatch)
A Fox News analyst posted a web browser screenshot on Twitter. The
screenshot displayed the intended political info. It also displayed browser tabs of websites that had been previously visited - including
*Sexy Vixen Vinyl*.
https://www.marketwatch.com/story/fox-news-analyst-brit-humes-morning-internet-session-politics-stock-market-coronavirus-and-uh-sexy-vixen-vinyl-2020-03-03
------------------------------
Date: Tue, 3 Mar 2020 13:38:06 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: China's Geely invests $326M to build satellites for autonomous
cars (Reuters)
China's Zhejiang Geely Holding Group said on Tuesday it was investing 2.27 billion yuan ($326 million) in a new satellite manufacturing plant, where it plans to build low-orbit satellites to provide more accurate data for self-driving cars.
Geely, one of China's most internationally-known companies due to its investments in Daimler, Volvo and Proton, is building the facilities in Taizhou, where it has car plants. *It aims to produce 500 satellites a year
by around 2025*, with around 300 highly-skilled staff, it said in a
statement.
Geely's technology development arm, Geely Technology Group, launched
Geespace to research, launch, and operate low-orbit satellites in 2018.
[...]
https://www.reuters.com/article/geely-china-satellite-autonomous/chinas-geely-invests-326-mln-to-build-satellites-for-autonomous-cars-idUSL4N2AV45H
------------------------------
Date: Wed, 04 Mar 2020 04:58:21 +0000 (UTC)
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Congress Must Stop the Graham-Blumenthal Anti-Security Bill
There's a new and serious threat to both free speech and security
online. Under a draft bill that Bloomberg recently leaked, the Attorney
General could unilaterally dictate how online platforms and services must operate. If those companies don't follow the Attorney General's rules, they could be on the hook for millions of dollars in civil damages and even state criminal penalties.
The bill, known as the Eliminating Abusive and Rampant Neglect of
Interactive Technologies (EARN IT) Act, grants sweeping powers to the
Executive Branch. It opens the door for the government to require new
measures to screen users' speech and even backdoors to read your private communications -- a stated goal of one of the bill's authors.
Senators Lindsey Graham (R-SC) and Richard Blumenthal (D-CT) have been
quietly circulating a draft version of EARN IT. Congress must forcefully
reject this dangerous bill before it is introduced.
https://u15235517.ct.sendgrid.net/
------------------------------
Date: Wed, 04 Mar 2020 04:57:29 +0000 (UTC)
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Empty Promises Won't Save the .ORG Takeover
(Electronic Frontier Foundation)
The Internet Society's (ISOC) November announcement that it intended to sell the Public Interest Registry (PIR, the organization that oversees the .ORG domain name registry) to a private equity firm sent shockwaves through the global NGO sector. The announcement came just after a change to the .ORG registry agreement -- the agreement that outlines how the registry operator must run the domain -- that gives PIR significantly more power to raise registration fees and implement new measures to censor organizations'
speech.
It didn't take long for the global NGO sector to put two and two together:
take a new agreement that gives the registry owner power to hurt NGOs;
combine it with a new owner whose primary obligation is to its investors,
not its users; and you have a recipe for danger for nonprofits and NGOs all over the world that rely on .ORG. Since November, over 800 organizations and 24,000 individuals from all over the world have signed an open letter urging ISOC to stop the sale of PIR. Members of Congress, UN Special Rapporteurs,
and US state charity regulators [pdf] have raised warning flags about the
sale.
------------------------------
Date: Tue, 3 Mar 2020 13:39:08 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: How to clean up the mess we've made that's orbiting the Earth
(The Hill)
*One company is building a space garbage truck. But experts say it will take more than that to rid our outer atmosphere of decades of floating debris.*
We've been shooting large metal objects into space since 1957. Satellites, rockets, space stations, missiles. So it's no wonder that a garbage truck is set to launch in 2025 to start cleaning up the mess.
The pioneering ClearSpace <https://clearspace.today/> device is designed to locate, capture and remove large items that threaten to crash into the satellites orbiting the planet. The problem, experts say, is that there's probably more than 34,000 pieces of space junk larger than 10 centimeters -- and all of it is a hazard.
<https://www.esa.int/Safety_Security/Space_Debris/Space_debris_by_the_numbers>
Orbiting at 17,000 miles per hour, these bits of metal can pierce anything
they hit with the velocity of a bullet.
Sure, there's a lot of space in space. Our atmosphere starts at about 62
miles above sea level and items can continue orbiting as high as 150 miles.
But experts agree that we must think ahead. Every year, countries and
private companies launch a steadily increasing number of satellites and
other equipment skyward on a collective arsenal of more than 100 rockets
every year. [...]
https://thehill.com/changing-america/sustainability/infrastructure/482336-how-do-you-take-out-the-trash-when-youre-in
------------------------------
Date: Wed, 4 Mar 2020 10:21:58 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: How fake audio, such as deepfakes, could plague business, politics
(Bakersfield)
Fake voices generated by artificial intelligence tools may be the next
frontier in scams that could trick companies into forking over cash or fool voters into believing a politician said something he or she didn't.
Computer-synthesized voices are not new. Anyone familiar with Amazon's Echo
and Google's Home devices, or Apple's Siri, already knows the soothing
female voice that answers queries.
But that same technology can be adapted for devious means, said Vijay Balasubramaniyan, co-founder and CEO of Pindrop, a technology company that
uses machine-learning techniques to identify voice fraud.
Criminals can use publicly available video and audio of top corporate executives to analyze and create a fake voice of a CEO and use that in combination with an email hack to trick the company's executives into
sending money. Or they can apply similar tactics to make politicians appear
to say something they never did.
At a brief demonstration during the RSA Conference in San Francisco, Balasubramaniyan logged on to a secure company computer network that held artificial intelligence algorithms able to analyze publicly available
YouTube video and audio of major political and business leaders and produce
a voice file of a person saying something they had never uttered.
Balasubramaniyan chose President Donald Trump from a drop-down menu and
typed in the words ``This morning American forces gave North Korea the
bloody nose they deserve.'' into a box and hit enter. [...]
https://www.bakersfield.com/ap/news/how-fake-audio-such-as-deepfakes-could-plague-business-politics/article_bc6b7a55-8a15-57df-90d2-5352d3980b00.html
------------------------------
Date: Thu, 5 Mar 2020 12:25:16 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Ransomware Attacks Prompt Tough Question for Local Officials: To
Pay or Not to Pay? (Pew)
When cybercriminals struck Lake City, Florida, last June, city officials had
to make a tough choice: Pay the hackers or restore systems on their own.
A ransomware attack had hijacked the government's computer network and held
it hostage for several weeks. While the attack didn't affect the police,
fire or financial departments, it wreaked havoc on phone lines, email,
utility records and many other services.
The hackers first demanded about $750,000 in bitcoin, a cryptocurrency, from the small, rural city to give it back control of its network.
The city tried to recover the data on its own, City Manager Joseph
Helfenberger recalled, but that failed. Its insurance company negotiated
with the hackers and got the ransom down to about $470,000. It recommended paying, and officials figured that was the best option because the city
would have to cover only the $10,000 deductible. ``This is not a rich community. They can't afford to spend money they don't have. You have to
look at what is going to serve the community the best.''
There were at least 113 successful ransomware attacks on state and local governments last year, according to global cybersecurity company Emsisoft,
and in each case, officials had to figure out how to respond.
<https://blog.emsisoft.com/en/34822/the-state-of-ransomware-in-the-us-report-and-statistics-2019/>
Some states have passed laws to target cybercriminals who deploy ransomware, but prosecutors have rarely used them. And local officials often are left vulnerable.
In Baltimore last May, hackers crippled thousands of computers, then
demanded a ransom of about $76,000 in bitcoin. Democratic Mayor Bernard C. `Jack' Young refused to pay. Workers were unable to access online accounts
and payment systems for weeks.
The attack ended up costing the city at least $18 million -- a combination
of lost or delayed revenue and the expense of restoring systems. Young said
in a statement last June that the FBI advised the city not to pay, and that
it was ``just not the way we operate. ... We won't reward criminal
behavior.'' The mayor's office did not respond to *Stateline* requests for comment.
<https://twitter.com/mayorbcyoung/status/1136377418325864448>
Baltimore and Lake City aren't alone. The majority of publicized ransomware attacks in the United States last year targeted local governments, according
to a recent report by the National Governors Association and the National Association of State Chief Information Officers.
<https://www.nga.org/center/publications/hsps-publications/stronger-together-state-and-local-cybersecurity-collaboration/>
Yet no one knows how many local and state governments have been hit by a ransomware attack. There is no national clearinghouse that collects all that information. Nor is every attack publicly reported. The FBI, which tracks national crime data, couldn't be reached for comment before publication.
[...]
https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2020/03/03/ransomware-attacks-prompt-tough-question-for-local-officials-to-pay-or-not-to-pay
------------------------------
Date: Thu, 5 Mar 2020 12:26:12 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Through apps, not warrants, Locate X allows federal law enforcement
to track phones (Protocol)
*Federal agencies have big contracts with Virginia-based Babel Street. Depending on where you've traveled, your movements may be in the company's data.*
U.S. law enforcement agencies signed millions of dollars worth of contracts with a Virginia company after it rolled out a powerful tool that uses data
from popular mobile apps to track the movement of people's cell phones, according to federal contracting records and six people familiar with the software.
The product, called Locate X and sold by Babel Street <https://www.babelstreet.com/>, allows investigators to draw a digital
fence around an address or area, pinpoint mobile devices that were within
that area, and see where else those devices have traveled, going back
months, the sources told Protocol.
They said the tool tracks the location of devices anonymously, using data
that popular cell phone apps collect to enable features like mapping or targeted ads, or simply to sell it on to data brokers.
Babel Street has kept Locate X a secret, not mentioning it in public-facing marketing materials and stipulating in federal contracts that even the existence of the data is *confidential information*. Locate X must be
``used for internal research purposes only,'' according to terms of use distributed to agencies, and law enforcement authorities are forbidden from using the technology as evidence -- or mentioning it at all -- in legal proceedings.
<https://www.gsaadvantage.gov/ref_text/47QTCA18D0081/0V3LLR.3QTYM6_47QTCA18D0081_EISGSA2TERMS.PDF>
Federal records show that U.S. Customs and Border Protection purchased
[continued in next message]