The RISKS Digest
Volume 32 Issue 11

Thursday, 16th July 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents

High-profile Twitter accounts hacked
Sundry sources
Russian Hackers Trying to Steal Coronavirus Vaccine Research Intelligence Agencies Say
NYTimes
Iranian Spies Accidentally Leaked Videos of Themselves Hacking
WiReD
NOAA storm-spotting app was suspended after being overrun with false and hateful reports
WashPost
An invisible hand: Patients aren't being told about the AI systems advising their care
StatNews
CJEU rejects EU-US Privacy Shield
EAID-Berlin
EU court rules U.S. servers not private enough for its citizens' data
WashPost
When tax prep is free, you may be paying with your privacy
WashPost
Re: Why Some Birds Are Likely To Hit Buildings
Keith Medcalf
Re: 24-Year-Old Australian Man Spent $2 Million After a Bank Glitch
Martin Ward
Info on RISKS (comp.risks)

High-profile Twitter accounts hacked (Sundry sources)

Paul Saffo <paul@saffo.com>
Wed, 15 Jul 2020 15:10:24 -0700

https://www.nbcnews.com/tech/security/suspected-bitcoin-scammers-take-over-twitter-accounts-bill-gates-elon-n1233948

The Twitter accounts of Barack Obama, Jeff Bezos, Joe Biden, Elon Musk and many other high-profile people and companies became pawns Wednesday in one of the most visible cyberscams in the Internet's history.

Suspected bitcoin scammers grabbed control of accounts belonging to the rich and famous, as well as lower-profile accounts, for more than two hours during the afternoon and tricked at least a few hundred people into transferring the cryptocurrency.

A tweet typical of the attack sent from the account of Bill Gates, the software mogul who is the world's second-wealthiest person, promised to double all payments sent to his Bitcoin address for the next 30 minutes.

“Everyone is asking me to give back, and now is the time. You send $1,000, I send you back $2,000.”

Similar tweets appeared on the accounts of rapper Kanye West, investor Warren Buffett and corporations including Apple, Wendy's, Uber and the money transfer app Cash.

Twitter said it was looking into the attack.

“We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly,” the company said in a tweet.

[See also https://www.nytimes.com/2020/07/15/technology/twitter-hack-bill-gates-elon-musk.html https://arstechnica.com/information-technology/2020/07/twitter-lost-control-of-its-internal-systems-to-bitcoin-scamming-hackers/ A Twitter insider was responsible for a wave of high profile account takeovers on Wednesday, according to leaked screenshots obtained by Motherboard and two sources who took over accounts. […] Hackers Convinced Twitter Employee to Help Them Hijack Accounts After a wave of account takeovers, screenshots of an internal Twitter user administration tool are being shared in the hacking underground:. https://www.vice.com/en_us/article/jgxd3d/twitter-insider-access-panel-account-hacks-biden-uber-bezos ]

Russian Hackers Trying to Steal Coronavirus Vaccine Research, Intelligence Agencies Say

Monty Solomon <monty@roscom.com>
Thu, 16 Jul 2020 15:44:54 -0400

The hackers have been targeting British, Canadian and American organizations researching vaccines using spear-phishing and malware.

https://www.nytimes.com/2020/07/16/us/politics/vaccine-hacking-russia.html


Iranian Spies Accidentally Leaked Videos of Themselves Hacking (WiReD)

Lauren Weinstein <lauren@vortex.com>
Thu, 16 Jul 2020 08:32:32 -0700

https://www.wired.com/story/iran-apt35-hacking-video/


NOAA storm-spotting app was suspended after being overrun with false and hateful reports (WashPost)

Monty Solomon <monty@roscom.com>
Tue, 14 Jul 2020 21:20:17 -0400

The NOAA's “mPING” application was compromised, sending false severe weather data to forecasters and the public.

https://www.washingtonpost.com/weather/2020/07/14/noaa-app-mping-suspended/


An invisible hand: Patients aren't being told about the AI systems advising their care (StatNews)

Richard Forno <rforno@infowarrior.org>
July 16, 2020 at 22:08:12 GMT+9

Rebecca Robbins and Erin Brodwin, 15 Jul 2020, via Dave Farber

Since February of last year, tens of thousands of patients hospitalized at one of Minnesota's largest health systems have had their discharge planning decisions informed with help from an artificial intelligence model. But few if any of those patients has any idea about the AI involved in their care.

That's because frontline clinicians at M Health Fairview generally don't mention the AI whirring behind the scenes in their conversations with patients.

At a growing number of prominent hospitals and clinics around the country, clinicians are turning to AI-powered decision support tools—many of them unproven—to help predict whether hospitalized patients are likely to develop complications or deteriorate, whether they're at risk of readmission, and whether they're likely to die soon. But these patients and their family members are often not informed about or asked to consent to the use of these tools in their care, a STAT examination has found.

The result: Machines that are completely invisible to patients are increasingly guiding decision-making in the clinic.

Hospitals and clinicians “Care operating under the assumption that you do not disclose, and that's not really something that has been defended or really thought about,” Harvard Law School professor Glenn Cohen said. Cohen is the author of one of only a few articles examining the issue, which has received surprisingly scant attention in the medical literature even as research about AI and machine learning proliferates.

https://www.statnews.com/2020/07/15/artificial-intelligence-patient-conse-hospitals/


CJEU rejects EU-US Privacy Shield (EAID-Berlin)

Martyn Thomas <martyn@72f.org>
Thu, 16 Jul 2020 16:01:25 +0100

https://www.eaid-berlin.de/dejavu-cjeu-rejects-eu-us-privacy-shield/

If you are baffled by the penultimate sentence, replace “wear” by “carry”. (with thanks to Judith Rauhofer for the explanation that “tragen” in German has both meanings).


EU court rules U.S. servers not private enough for its citizens' data (WashPost)

<farber@gmail.com>
Thu, 16 Jul 2020 18:32:51 +0900

https://www.washingtonpost.com/world/europe/top-eu-court-ruling-throws-transatlantic-digital-commerce-into-disarray-over-privacy-concerns/2020/07/16/d2c0fe06-c736-11ea-a825-8722004e4150_story.html


When tax prep is free, you may be paying with your privacy (WashPost)

Monty Solomon <monty@roscom.com>
Wed, 15 Jul 2020 09:47:57 -0400

Free tax software is not all created equal. Some want to upsell you. Others want the data in your tax return.

https://www.washingtonpost.com/technology/2019/03/07/when-tax-prep-is-free-you-may-be-paying-with-your-privacy/


Re: Why Some Birds Are Likely To Hit Buildings (Scientific American)

“Keith Medcalf” <kmedcalf@dessus.com>
Tue, 14 Jul 2020 21:46:33 -0600

While this may be entertaining, I would point out that it is unlikely that the bird was responsible for the collision. I would suggest that the more realistic situation is that the bird was just flying along minding its own business when a bloody big fat and fast moving airplane that was not watching where it was going ran into the poor bird.

Calling it a “bird strike” is ridiculous. The bird did not strike the aeroplane, the aeroplane ran down the bird. And then the aeroplane and its operator carried on away from the scene of the mishap—in actual fact the aeroplane pilot committed a hit and run.

I suppose we should also call pedestrian collisions with automobiles “pedestrian strikes” and blame it on the pedestrian deliberately striking the automobiles. It would certainly put an end to a lot of issues if we did this.


Re: 24-Year-Old Australian Man Spent $2 Million After a Bank Glitch (RISKS-32.09)

Martin Ward <martin@gkc.org.uk>
Wed, 15 Jul 2020 15:05:01 +0100

Given that the court ruled that the overdraft was perfectly legal, and Milky therefore had a legal right to spend the money, it may well have been the bank that acted illegally in confiscated Milky's belongings. So, writing off the rest of his debt and hoping that he wouldn't go after them is the best that they can do, under the circumstances.

Please report problems with the web pages to the maintainer

Top