The RISKS Digest
Volume 32 Issue 13

Thursday, 23rd July 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents

Russia report reveals UK government failed to investigate Kremlin
WashPost
Iranian state hackers caught with their pants down in intercepted videos
Ars Technica
Crooks have acquired proprietary Diebold software to jackpot ATMs
Ars Technica
Major new climate study rules out less-severe global warming scenarios
MSN
Is it time to reassess our relationship with nature?
BBC
European Public Sphere Towards Digital Sovereignty for Europe
ACATech
How Berkshire Hathaway May Have Been Snookered in Germany
NYTimes
Ongoing Meow attack has nuked >1,000 databases without telling anyone why
Ars Technica
Corporate giants shut down Trump texting program
Politico
Thieves Are Emptying ATMs Using a New Form of Jackpotting
WIRED
AT&T tells customers to change their phones or they won't work anymore
Android Police
CBP does end run around warrants, simply buys license plate-reader data
Ars Technica
Wattpad warns of data breach that stole user info
CBC-CA
There's a reason your inbox has more malicious spam—Emotet is back
Ars Technica
Hackers use recycled backdoor to keep a hold on hacked e-commerce server
Ars Technica
Uber helping public health officials contact-trace riders and drivers for Covid-19
Forbes
Banks' unique pandemic problem: Now everyone is wearing a mask
WashPost
The Spanish government prepares to implement facial recognition tech
Voz Populi
Phone carriers that profit from robocalls could have all calls blocked
FCC
CBP does end run around warrants, simply buys license-plate reader data
Ars Technica
Hackers Tell the Story of the Twitter Attack From the Inside
NYTimes
Re: When tax prep is free, you may be paying with your privacy
David E. Ross Amos Shapir Pete Resiak
Re: Boeing's future is cloudy as it tries to restore credibility
Martin Ward Gabe Goldberg Martin Ward
Re: Darwin's tautology?
John Harper
Info on RISKS (comp.risks)

Russia report reveals UK government failed to investigate Kremlin interference (Dan Sabbagh)

“Peter G. Neumann” <neumann@csl.sri.com>
Tue, 21 Jul 2020 8:09:49 PDT

Dan Sabbagh, The Guardian, 21 Jul 2020

Russia report reveals UK government failed to investigate Kremlin interference. <https://www.theguardian.com/world/2020/jul/21/russia-report-reveals-uk-government-failed-to-address-kremlin-interference-scottish-referendum-brexit>

British government and British intelligence failed to prepare or conduct any proper assessment of Kremlin attempts to interfere with the 2016 Brexit referendum, according to the long-delayed Russia report. <https://www.theguardian.com/politics/eu-referendum>

The damning conclusion is contained within the 50-page document from parliament's intelligence and security committee, which said ministers “had not seen or sought evidence of successful interference in UK democratic processes”.

The committee, which scrutinises the work of Britain's spy agencies, said: “We have not been provided with any post-referendum assessment of Russian attempts at interference”—and contrasted the response with that of the US. […] “This situation is in stark contrast to the US handling of allegations of Russian interference in the 2016 presidential election, where an intelligence community assessment was produced within two months of the vote, with an unclassified summary being made public.”

Committee members said they could not definitively conclude whether the Kremlin had or had not successfully interfered in the Brexit vote because no effort had been made to find out. “Even if the conclusion of any such assessment were that there was minimal interference, this would nonetheless represent a helpful reassurance to the public that the UK's democratic processes had remained relatively safe,” the report added.

The cross-party committee noted that publicly available studies have pointed to “the preponderance of pro-Brexit or anti-EU stories” on the Russia Today and Sputnik TV channels at the time of the vote and “the use of ‘bots’ and ‘trolls’ on Twitter”, as evidence of Russian attempts to influence the process.

Committee members complained that when they asked for written evidence from MI5 at the start of their inquiry, the domestic spy agency “initially provided just six lines of text” prompting criticism from the committee.

It accused MI5 of operating with “extreme caution” and said its “attitude is illogical” because the issue at hand was “the protection of the process and mechanism from hostile state interference, which should fall to our intelligence and security agencies”.

The keenly anticipated document was completed last October, but was sat on by Boris Johnson before the general election and only declassified and cleared for release by the prime minister in December.

It could not be released until No 10 had nominated Conservative members to the committee, although its nominee for chair Chris Grayling was ambushed by opposition members who voted instead for Julian Lewis.

Downing Street is expected to publish its own response shortly.


Iranian state hackers caught with their pants down in intercepted videos (Ars Technica)

Monty Solomon <monty@roscom.com>
Wed, 22 Jul 2020 08:35:48 -0400

IBM researchers steal 40GB of data from group targeting presidential campaigns.

https://arstechnica.com/information-technology/2020/07/iran-state-hackers-caught-with-their-pants-down-in-intercepted-videos/


Crooks have acquired proprietary Diebold software to jackpot ATMs (Ars Technica)

Monty Solomon <monty@roscom.com>
Wed, 22 Jul 2020 08:27:56 -0400

ATM maker is investigating the use of its software in black boxes used by thieves.

https://arstechnica.com/information-technology/2020/07/crooks-are-using-a-new-way-to-jackpot-atms-made-by-diebold/


Major new climate study rules out less-severe global warming scenarios (MSN)

geoff goodfellow <geoff@iconia.com>
Wed, 22 Jul 2020 14:39:06 -1000

The current pace of human-caused carbon emissions is increasingly likely to trigger irreversible damage to the planet, according to a comprehensive international study <https://agupubs.onlinelibrary.wiley.com/doi/abs/10.1029/2019RG000678> released Wednesday. Researchers studying one of the most important and vexing topics in climate science—how sensitive the Earth's climate is to a doubling of the amount of carbon dioxide in the atmosphere—found that warming is extremely unlikely to be on the low end of estimates.

These scientists now say it is likely that if human activities—such as burning oil, gas and coal along with deforestation—push carbon dioxide to such levels, the Earth's global average temperature will most likely increase between 4.1 to 8.1 degrees Fahrenheit (2.3 and 4.5 degrees Celsius). The previous and long-standing estimated range of climate sensitivity, as first laid out in a 1979 report, was 2.7 to 8.1 degrees Fahrenheit (1.5 to 4.5 Celsius).

If the warming reaches the midpoint of this new range, it would be extremely damaging, said Kate Marvel, a physicist at NASA's Goddard Institute of Space Studies and Columbia University, who called it the equivalent of a *five-alarm fire* for the planet. […] https://www.washingtonpost.com/weather/2020/07/22/climate-sensitivity-co2/

https://www.msn.com/en-us/news/weather/major-new-climate-study-rules-out-less-severe-global-warming-scenarios/ar-BB173tL8


Is it time to reassess our relationship with nature? (BBC)

geoff goodfellow <geoff@iconia.com>
Wed, 22 Jul 2020 14:40:05 -1000

*Western societies tend to see nature and humanity as separate. But are there other ways of relating to the natural world?* […] https://www.bbc.co.uk/ideas/videos/is-it-time-to-reassess-our-relationship-with-natur/p08l2xcb


European Public Sphere Towards Digital Sovereignty for Europe (ACATech)

Dave Farber <farber@gmail.com>
Thu, 23 Jul 2020 08:02:59 +0900

https://www.acatech.de/wp-content/uploads/2020/07/aca_IMP_EPS_en_WEB_FINAL.pdf

Executive Summary

Europe can strengthen its digital sovereignty by creating a sovereign European digital ecosystem that is democratically accountable to its citizens. A digital ecosystem that observes European values such as transparency, openness and privacy protection, even in its technical design, can create a digital public sphere that offers fair terms of access and use, strengthens the public debate and safeguards the plurality that forms a key part of Europe's identity. This sphere would be open to everyone, both within Europe and beyond—the key to Europe's digital sovereignty lies not in isolationism but in the creation of ambitious alternatives.

The current coronavirus crisis has shone a light not only on how digital technology is increasingly penetrating every area of our lives, but also on just how dependent Europe has become on non-European platform operators. Europe is losing its influence over the digital public sphere at a time when it has taken on a central role in the continent's economic and social life. As well as diminishing Europe's economic competitiveness and thus the prosperity of European society, this poses a particularly serious threat to people's individual freedom and privacy and to Europe's democratic values. The time has come for both the member state and European Union levels to demonstrate the common political will to actively shape a digital public sphere that provides a basis for democratic debate, public opinion-forming and respect for European values, and to develop and establish an open European digital ecosystem that offers a genuine alternative. If incorporated into the special funding measures to overcome the coronavirus crisis, this European Public Sphere (EPS) can also provide a huge opportunity for European companies and start-ups, thereby helping to boost value creation in Europe.

This paper describes how a European Public Sphere can be established as an alternative European ecosystem, and sets out the concrete measures that will be necessary in order to do so. These include:

These measures will enable the establishment of a trusted digital public sphere for the citizens of Europe that puts European values first and that facilitates cross-border services and a dialogue between people who live in different countries and speak different languages.

Together with key partner France, and in conjunction with the European Commission and European Parliament, the Trio Presidency of Germany, Portugal and Slovenia can initiate the European Public Sphere as an ambitious, pan-European development project. Provided that they receive the necessary backing and financial support from government, stakeholders from the private sector, culture, civil society and academia are ready to create an alternative European digital ecosystem.


How Berkshire Hathaway May Have Been Snookered in Germany (NYTimes)

Monty Solomon <monty@roscom.com>
Tue, 21 Jul 2020 12:08:48 -0400

A unit of Warren Buffett's empire paid an inflated price for a pipe maker that used fake sales to look profitable, an arbitration panel concluded. The firm was close to bankruptcy.

https://www.nytimes.com/2020/07/01/business/berkshire-hathaway-fraud-germany.html


Ongoing Meow attack has nuked >1,000 databases without telling anyone why (Ars Technica)

Monty Solomon <monty@roscom.com>
Thu, 23 Jul 2020 08:36:47 -0400

Ongoing attack hitting unsecured data leaves the word “meow” as its calling card.

https://arstechnica.com/information-technology/2020/07/more-than-1000-databases-have-been-nuked-by-mystery-meow-attack/


Corporate giants shut down Trump texting program (Politico)

Monty Solomon <monty@roscom.com>
Tue, 21 Jul 2020 12:20:47 -0400

It took days to resolve anti-spam concerns that halted a 4 July 2020 test run, costing Trump donations and raising GOP fears about November.

https://www.politico.com/news/2020/07/20/trump-massive-texting-program-suspended-372302


Thieves Are Emptying ATMs Using a New Form of Jackpotting (WIRED)

Gabe Goldberg <gabe@gabegold.com>
Wed, 22 Jul 2020 23:23:28 -0400

The new hardware-based attack, which has targeted machines across Europe, can yield a stream of cash for the attacker.

https://www.wired.com/story/thieves-are-emptying-atms-using-a-new-form-of-jackpotting/


AT&T tells customers to change their phones or they won't work anymore (Android Police)

Monty Solomon <monty@roscom.com>
Thu, 23 Jul 2020 08:19:21 -0400

Even recent unlocked phones like the Galaxy S10e or the Nokia 6.1 are affected

Amid an economy-crushing pandemic, AT&T has decided that now is the best time to send a scaremongering email to some customers, telling them that their device “is not compatible with the new network and you need to replace it to continue receiving service.” The email conveniently doesn't explicitly mention that this will only affect customers as late as February 2022, only linking to that information. […]

https://www.androidpolice.com/2020/07/22/att-tells-customers-to-change-their-phones-or-they-wont-work-anymore/


CBP does end run around warrants, simply buys license plate-reader data (Ars Technica)

Gabe Goldberg <gabe@gabegold.com>
Tue, 21 Jul 2020 23:49:30 -0400

How does “unreasonable search” work when any agency can buy data from anywhere?

https://arstechnica.com/tech-policy/2020/07/cbp-does-end-run-around-warrants-simply-buys-license-plate-reader-data/


Wattpad warns of data breach that stole user info (CBC-CA)

“Matthew Kruk” <mkrukg@gmail.com>
Tue, 21 Jul 2020 22:37:10 -0600

Wattpad Corp. has provided more details about a breach of user data provided to its online storytelling platform. The Toronto-based company has sent out a note to users that says hackers may have had access to email addresses, birth dates, the gender of members and encrypted passwords.

It says user stories, private messages, and phone numbers were not part of this incident.

https://www.cbc.ca/news/business/wattpad-data-breach-1.5657724


There's a reason your inbox has more malicious spam—Emotet is back (Ars Technica)

Monty Solomon <monty@roscom.com>
Wed, 22 Jul 2020 08:30:37 -0400

After taking a five-month break, the botnet returns with a short burst of activity.

https://arstechnica.com/information-technology/2020/07/destructive-emotet-botnet-returns-with-250k-strong-blast-of-toxic-email/


Hackers use recycled backdoor to keep a hold on hacked e-commerce server (Ars Technica)

Monty Solomon <monty@roscom.com>
Wed, 22 Jul 2020 08:22:26 -0400

Easy-to-miss script can give attackers a new access should they ever be booted out.

https://arstechnica.com/information-technology/2020/07/hackers-use-recycled-backdoor-to-keep-a-hold-on-hacked-ecommerce-server/


Uber helping public health officials contact-trace riders and drivers for Covid-19 (Forbes)

Monty Solomon <monty@roscom.com>
Wed, 22 Jul 2020 01:55:32 -0400

Uber said Monday that it had established a service to give public health officials access to data within hours on riders and drivers who are presumed to have come in contact with someone infected with Covid-19, helping to fill in a gap in the coronavirus response of the U.S., which does not have a federal contact tracing program.

https://www.forbes.com/sites/elanagross/2020/07/20/uber-helping-public-health-officials-contact-trace-riders-and-drivers-for-covid-19/#a067c957b07e


Banks' unique pandemic problem: Now everyone is wearing a mask (WashPost)

Richard Stein <rmstein@ieee.org>
Thu, 23 Jul 2020 09:47:00 +0800

https://www.washingtonpost.com/business/2020/07/22/face-mask-banks/

“There have already been ‘recent reports of face-covering-related robberies at bank branches…make clear that broadly applicable face mask requirements are not safe or sustainable on a permanent basis.’”

A new bank visitation protocol to deter the criminally inept:

  1. Remove face mask for a photograph to gain unobstructed bank entry. Assumes one does not wear a 2nd disguise.
  2. If undeterred, pass the “Abt natural, I have a gub” note (per Woody Allen's “Take the Money and Run”) to the teller.

The Spanish government prepares to implement facial recognition tech (Voz Populi)

José María Mateos <chema@rinzewind.org>
Wed, 22 Jul 2020 14:43:12 -0400

Original article: https://www.vozpopuli.com/economia-y-finanzas/reconocimiento-facial-causas-pendientes_0_1375363234.html.

Automatic translation: https://translate.google.com/translate?sl=auto&tl=en&u=https://www.vozpopuli.com/economia-y-finanzas/reconocimiento-facial-causas-pendientes_0_1375363234.html

> The Ministry of the Interior wants a solution based on facial recognition
> to be installed in large sporting or cultural shows football matches,
> concerts … that allows detecting people with pending cases with the
> Justice.


Phone carriers that profit from robocalls could have all calls blocked (FCC)

Monty Solomon <monty@roscom.com>
Wed, 22 Jul 2020 08:33:31 -0400

Safe harbor lets phone companies block all calls from bad-actor telecoms.

https://arstechnica.com/tech-policy/2020/07/fcc-phone-carriers-that-profit-from-robocalls-could-have-all-calls-blocked/


CBP does end run around warrants, simply buys license-plate reader data (Ars Technica)

Monty Solomon <monty@roscom.com>
Wed, 22 Jul 2020 08:32:29 -0400

How does “unreasonable search” work when any agency can buy data from anywhere?

US Customs and Border Protection can track everyone's cars all over the country thanks to massive troves of automated license plate scanner data, a new report reveals—and CBP didn't need to get a single warrant to do it. Instead, the agency did just what hundreds of other businesses and investigators do: straight-up purchase access to commercial databases.

CBP has been buying access to commercial automated license plate-reader (ALPR) databases since 2017, TechCrunch reports, and the agency says bluntly that there's no real way for any American to avoid having their movements tracked. […]

https://arstechnica.com/tech-policy/2020/07/cbp-does-end-run-around-warrants-simply-buys-license-plate-reader-data/


Hackers Tell the Story of the Twitter Attack From the Inside (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Thu, 23 Jul 2020 16:03:37 -0400

[Re: High-profile Twitter accounts hacked (RISKS-32.11)]

Several people involved in the events that took down Twitter this week spoke with The Times, giving the first account of what happened as a pursuit of Bitcoin spun out of control.

OAKLAND, Calif. A Twitter hacking scheme that targeted political, corporate and cultural elites this week began with a teasing message between two hackers late Tuesday on the online messaging platform Discord.

“yoo bro,” wrote a user named Kirk, according to a screenshot of the conversation shared with The New York Times. “i work at twitter / don't show this to anyone / seriously.”

He then demonstrated that he could take control of valuable Twitter accounts — the sort of thing that would require insider access to the company's computer network.

https://www.nytimes.com/2020/07/17/technology/twitter-hackers-interview.html


Re: When tax prep is free, you may be paying with your privacy (RISKS-32.11)

“David E. Ross” <david@rossde.com>
Mon, 20 Jul 2020 17:11:46 -0700

For several years now, I have been an unpaid AARP (American Association of Retired Persons) volunteer doing U.S. and California income tax returns. Our clients do not pay for the service. Their returns are filed electronically over encrypted Internet connections. Even before the returns are filed, we print paper copies of their returns at the time of service for them to take home.

We retain NO client data when we do taxes, not one piece of paper brought by a client or generated by our volunteers. If a client forgets to take all paper, we contact that client to return to the facility to collect it. Otherwise, the paper is shredded.

We ask our clients whether they want to be contacted by AARP regarding other services, but we do not urge them to say “yes”. We ask our clients whether they want their tax returns made available electronically to other AARP locations the following year to simplify data entry, but we do not urge them to say “yes”. We ask our clients whether they want their tax returns made available electronically to other authorized free services authorized by the Internal Revenue Service the following year, but we do not urge them to say “yes”.

Overall, the AARP Tax-Aide service operates with strict rules protecting the client's data. Using those data for any purpose other than completing a tax return is prohibited.

On top of all that, the state of California's Franchise Tax Board has a Web site where taxpayers can enter their own data and file their returns electronically for free. California has very stringent laws protecting the privacy of its residents. The state is not in the business of selling personal data.


Amos Shapir <amos083@gmail.com>
Tue, 21 Jul 2020 10:22:25 +0300

> “it relied entirely on an algorithm that had taught itself to drive by
> watching a human do it.”

Does this mean that it learned about traffic lights, “Red = stop, Green = go, Yellow == charge forward at top speed to catch it before it turns red”?


Re: When tax prep is free, you may be paying with your privacy (RISKS-32.11)

Pete <djc@resiak.org>
Tue, 21 Jul 2020 17:13:00 +0200

> It seems that the old principle is still valid: “If you're not paying,
> you're not the customer, you're the merchandise.”

The canton of Zurich provides free tax preparation software for private persons: you can do it online, with access to your previous tax records, or you can download the software and do it offline on your own computer — Windows, Mac, or Linux. There the software can pick up and use last year's data if you've kept it; and you generate PDF to print and mail the completed tax forms.

The name of the software is “Private Tax”. It works, and it saves time and money for the tax office as well as for individual taxpayers. I have a hard time thinking of any down side to this.


Re: Boeing's future is cloudy as it tries to restore credibility (WashPost)

Martin Ward <martin@gkc.org.uk>
Tue, 21 Jul 2020 17:43:05 +0100

> It's also reviewed all 1 million lines of code in the spacecraft
> “resulting in increased robustness of flight software”

That sounds reassuring, but is actually rather worrying. Boeing found problems with their software, then uncovered another problem when fixing the first. So they reviewed all 1 million lines of code which resulted in “increased robustness”.

If the review had not found any further problems then the result would have been “increased confidence”. “Increased robustness” on the other hand meant that even more problems were found!

As any software engineer knows, anyone who says “I have just fixed the last bug” is wrong.


Re: Boeing's future is cloudy as it tries to restore credibility (Ward, RISKS-32.12)

Gabe Goldberg <gabe@gabegold.com>
Tue, 21 Jul 2020 13:47:35 -0400

Right. Also, what does “reviewed” mean? And by whom?

Original developer(s)? People see what they want/expect to see. (That's surely true when trying to edit my own writing.)

And if they don't like what they see—they “fix” it? How many times are new problems introduced when fixing (maybe) old ones?

Combine that with being rushed through the million lines. As you say, it's not reassuring.


Re: Boeing's future is cloudy as it tries to restore credibility (Goldberg, RISKS-32.13)

Martin Ward <martin@gkc.org.uk>
Tue, 21 Jul 2020 22:02:29 +0100

Probably junior programmers get this boring grunt work: senior programmers get to do more interesting jobs, like writing new code!

I think it was IBM's OS/360 operating system that, after release, consistently had several thousand bug fixes per month. There are two possible explanations for this phenomenon:

(1) The software contained an infinite number of bugs

(2) Each month the programmers fixed 2,000 bugs and in the process introduced another 2,000 bugs.


Re: Darwin's tautology? (RISKS-32.12)

John Harper <harper@msor.vuw.ac.nz>
Tue, 21 Jul 2020 10:00:42 +1200 (NZST)

Tautologies often need to be pointed out. Mathematics textbooks from Euclid's Elements onward are full of them, but millions still buy them because they are useful.
