The RISKS Digest
Volume 32 Issue 09

Monday, 13th July 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

24-Year-Old Australian Man Spent $2 Million After a Bank Glitch
Esquire
A Marine called customer service when his M107 failed during gunfight
Business Insider
Microsoft neuters Office 365 account attacks that used clever ruse
Ars Technica
How Universities Can Keep Foreign Governments from Stealing Intellectual Capital
Scientific American
Poochin' Mnuchin?
Michael LeVine
Mental health, stress, and moral injury
Rob Slade
Home Security Camera Wi-Fi Signals Can be Hacked to Tell When People Are Home
Jonathan Chadwick
Uncovered: 1,000 Phrases That Incorrectly Trigger Alexa, Siri, and Google Assistant
Dan Goodin
Can an Algorithm Predict the Pandemic's Next Moves?
Benedict Carey
Supreme Court Preserves Limits on Autodialed Calls to Cell Phones, Overturns Government Debt Collection Exception
Cooley
Re: Not so random acts: Science finds that being kind pays off
Neil Youngman
Info on RISKS (comp.risks)

24-Year-Old Australian Man Spent $2 Million After a Bank Glitch (Esquire)

Gabe Goldberg <gabe@gabegold.com>
Sat, 11 Jul 2020 16:03:27 -0400

On 17 Apr 2015, a Sydney District Court sentenced Milky to four years and six months in prison after he was found guilty of the charges. Not surprisingly, St. George was not forthcoming with details as to what had happened. A spokesperson for the bank would say only, to The Sunday Telegraph, that the glitch had been the result of a human error that had since been corrected. “The issue has been resolved and the customer has been convicted,” the spokesperson went on. “The bank is now seeking to recover funds.” The police confiscated Milky's belongings and turned them over to the bank. Judge Stephen Norrish said the twenty-seven-year-old's excuse that he was going to keep spending until the bank contacted him was “almost laughable… he thought he could get away with anything and he almost did.”

According to Milky's contract with the bank, he was perfectly authorized to receive overdrafts subject to the bank's approval. In practice, when Milky put in an overdraft request, it would get sent up from his local bank to a corporate relationship officer for sign-off. But if the officer didn't respond within a certain time frame, the request would automatically get approved—which is what kept happening for him. In other words, as the bank admitted in court, it was its own human error, and had nothing to do with his getting unauthorized access to a computer at all. It was scapegoating him for its own mistake and his lawyers had botched the case, he fumed. “It was a long shot for the prosecution to even come after me the way they did. And I don't think anyone in the jury understood it.” …

On December 1, 2016, the New South Wales Court of Appeal ruled in his favor too. “The unusual aspect of Mr. Moore's conduct was that there was nothing covert about it,” Justice Mark Leeming noted in his judgment, adding that St. George bank had chronicled “with complete accuracy Mr. Moore's growing indebtedness.” St. George declined to comment on the acquittal, though it later contacted Milky to tell him it was not coming after him for his remaining debt. It was obviously in the bank's best interest to let this fade as quickly as possible. As Milky left the courthouse a free man, a reporter from the tabloid TV show /A Current Affair/ trailed him, cheekily asking if he was going to drive home in a Maserati. “Not today,” Milky told her with a laugh. “Not today.” […]

Instead, he plans to make his fortune the old-fashioned way: by working, as a criminal lawyer. After successfully representing himself in his case, he found his calling. He's currently enrolled in law school and expects to get his degree this spring. And what will he do if he ends up making millions again? “I reckon I'll have to move back here,” he says with a smile, which would be the most beauuuutiful ending of all.

https://www.esquire.com/lifestyle/a19834127/luke-milky-moore-money-glitch/

At least the bank didn't call it a computer error. And the bank deservedly took the hit.


A Marine called customer service when his M107 failed during gunfight (Business Insider)

Gabe Goldberg <gabe@gabegold.com>
Thu, 9 Jul 2020 23:37:12 -0400

The Barrett M107 .50-caliber long-range sniper rifle is a firearm made for the modern war on terrorism. Officially adopted by the U.S. Army in 2002 and boasting a 2,000-meter range, a suppressor-ready muzzle brake, and recoil-minimizing design, the semi-automatic offers “greater range and lethality against personnel and materiel targets than other sniper systems in the U.S. inventory,” according to an assessment by Military.com.

While Barrett's reputation of “flawless reliability” has made the M107 the sniper weapon of choice, the rifle is just like any other essential tool: It often breaks when you need it most. And that's apparently what happened to one Marine Corps unit pinned down in a firefight, according to one of Barrett's longtime armorers.

https://www.businessinsider.com/marines-m107-sniper-rifle-failed-during-firefight-so-he-called-customer-service-2017-4


Microsoft neuters Office 365 account attacks that used clever ruse (Ars Technica)

Monty Solomon <monty@roscom.com>
Fri, 10 Jul 2020 02:50:53 -0400

https://arstechnica.com/information-technology/2020/07/microsoft-neuters-office-356-account-attacks-that-used-clever-ruse/


How Universities Can Keep Foreign Governments from Stealing Intellectual Capital (Scientific American)

Richard Stein <rmstein@ieee.org>
Sun, 12 Jul 2020 12:56:35 +0800

https://www.scientificamerican.com/article/how-universities-can-keep-foreign-governments-from-stealing-intellectual-capital/

The essay enumerates insider risks that can enable theft of intellectual property (IP) and classified information.

“National Institutes of Health have reportedly made inquiries into nearly 200 NIH-funded researchers at more than 60 U.S. institutions for potentially violating NIH conflict-of-interest, conflict-of-commitment or research-integrity rules. Many of these ideas and technologies are important to national security.”

The second to last paragraph's concluding sentence states: “But if universities fail to police themselves adequately in these areas, we face the specter of more draconian reactions from lawmakers.”

Has the time arrived for the US government to enact a data protection law? Regulating cybersecurity, auditing organizational compliance, and enforcing mandatory penalties for cyber-crime enabled by organizational negligence may yield public benefit. Ongoing voluntary efforts to toughen infrastructure and organizations against cyber-crime reveal an unchecked scourge.

The surveillance economy's data collection, data exploitation for profit, and data breach life cycle sponsors an estimated US$ 1T per year global criminal industry (see https://www.accenture.com/us-en/insights/security/cost-cybercrime-study, retrieved on 11JUL2020).

The Privacy Rights Clearinghouse https://privacyrights.org/data-breaches describes a chronology of U.S. incidents totaling ~9000 and ~11.7B records between 2006-2018, and estimates JAN-SEP2019 data breach frequency at ~5200 incidents totaling ~8B records. These statistics prove that voluntary organizational efforts to deter cyber-crime are substantially ineffective. https://www.securitymagazine.com/articles/91366-the-top-12-data-breaches-of-2019

The Computer Misuse Act (USC Section 18) does not punish cyber-crime enablers: these are the surveillance economy's keepers of vulnerable and weakly protected Internet-accessible data repositories and computer systems. Cyber-crimes, especially ID theft, inures public mental health, and imbrues governments, businesses, and educational institutions. Some people and organizations are enriched by the cyber-crime pandemic.

Most enablers are small or medium-sized organizations (less than 500 people) with parsimonious budgets unaccommodating and ill-equipped to implement vigorous cybersecurity defenses; they outsource cybersecurity capabilities because they can't afford it. The comp.risks forum labels ineffective cybersecurity practice as “security theater.”

A few enablers are titans (financial services, and intelligence gathering organizations, data aggregators) that maintain petabytes of repository content. These leviathans are usually defended by cybersecurity operation centers brimming with gear and people procured from a vast cyber-industrial complex.

Cybersecurity service suppliers are hired to oversee an organization's digital hygiene, and prevent brand-weakening data breaches that raise alarm. Yet cyber-crime continues undeterred despite “best in the business” deterrence. The surveillance economy's “moose on the table” facilitates the cyber-crime industry's “cut of the take.”

Federal regulations govern vehicle, food, and consumer product safety that protects public health and safety interests. Mandatory enforcement of cyber-security regulations may suffice where voluntary efforts have not.

A “meet or exceed” regulation, propounded by The Cybersecurity and Infrastructure Security Agency @ https://cyber.dhs.gov/directives, may represent a regulation baseline.

Require all Internet-accessible repository owner/operators and technology suppliers to adopt CISA directives and guidelines, then periodically elevate and strengthen them to promote enhancements: frequent patch application, firewall port lockdown, minimal administrative and least privilege assignment, proactive malware detection measures, multi-factor authentication, personnel training for malware vigilance, etc. Enforcement compliance auditing will require significant federal sponsorship to reveal and discipline organizations engaged in security theater charades.

Standardized cyber-security solutions effectively homogenize defenses. When adopted by organizations across industries, they inherit common technological weaknesses. Open-source contributions integrated into deployed software and hardware reveal this risk. Organizations leverage standardized solutions to avoid in-house expenditures. Cheaper? Certainly. More effective than do-it-yourself cybersecurity? Apparently not.

Cyber-crime arises from negligence: technological vulnerabilities, weak internal controls, shirked professional duties and sloppy fulfillment, insider actions, etc. Technologically, negligence can materialize from multiple sources: unpatched platform backdoor exploitation, known but untrapped malware exploit, ransomware, role impersonation and phishing, advanced persistent threat targeting, no multi-factor authentication access controls, etc.

Internet service usage terms routinely encourage cybersecurity under-investment by asserting a negligence exemption. If contract law can effectively indemnify organizational liability against negligence, why strengthen technological and organizational protections for collected data troves or core intellectual property? Cybersecurity negligence and liability exemption constraints will motivate compliance investments.

The “terms of service acknowledgment” checkbox found in virtually all Internet services, once ticked and submitted, grants free rein to surveillance economy life cycle exploitation for profit or purpose. An effective federal cybersecurity regulation will restrict website terms of service by limiting liability exemptions due to negligence.

This text snippet, retrieved on 10JUL2020 from https://www.experian.com/corporate/legalterms, typifies website usage terms. It asserts a negligence exemption and unlimited liability indemnification should an adverse outcome arise from use:

“IN NO EVENT WILL EXPERIAN BE LIABLE TO ANY PARTY FOR ANY DAMAGES OF ANY KIND, INCLUDING BUT NOT LIMITED TO DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THIS WEB SITE, OR ANY LINKED WEB SITE, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOSS OF USE, BUSINESS INTERRUPTION, OR OTHER ECONOMIC LOSSES, LOSS OF PROGRAMS OR OTHER DATA, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, EVEN IF EXPERIAN IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.”

Passing and enforcing regulations that constrain negligence exemption is easier proposed than achieved. Business lobbies frequently pursue their interests on behalf of boardrooms and CxOs above public interests that mitigate cyber-crime incident frequency.

Cybersecurity regulation penalties enforced per https://en.wikipedia.org/wiki/Classes_of_offenses_under_United_States_federal_law will signal governance teams to adjust investment priorities. Prosecuting cybersecurity non-compliance can restrain capitalism's capricious predilection.

The surveillance economy imperils civility with impunity. Cybersecurity regulatory enforcement is unlikely to halt cyber-crime, but can promote restoration of trust, a scarce public virtue desperate for replenishment.


Poochin' Mnuchin?

Michael LeVine <mlevine@redshift.com>
Thu, 9 Jul 2020 14:16:21 -0700

Just got this and think it is some sort of lead in to a scam…

> Begin forwarded message:
> From: MAIL SERVICE <xavier@immobiliariarosell.com>
> Subject: NOTIFICATION!!!
> Date: July 9, 2020 at 12:56:35 PM PDT
> To: undisclosed-recipients:;
> Reply-To: 1brattany@att.net
>
> Attn: Recipient,
>
> The Office of Foreign Assets Control (OFAC) administers and enforces
> sanctions based on US foreign policy. OFAC acts under Presidential national
> emergency powers, as well as authority granted by specific legislation, to
> impose controls on TRANSACTIONS and assets under US jurisdiction.
>
> However, by the virtue of provision of law which confer [sic] on us powers
> to advocate, adjudicate, suspend and authorize. We hereby state without
> prejudice that according to the security manifest booklet on outstanding
> transactions due to an extensive investigation after some financial analysis
> through the assistance of several agencies with resources combined, we
> intend to raise awareness to eligible recipients off the record.
>
> All necessary clarifications from our department have commenced and if
> there is any information that may succeed our verification, do not hesitate
> for confirmation.
>
> Regards,
>
> Mr. Steven T. Mnuchin
> Secretary of Treasury,
> Office of Foreign Assets Control
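
An added header check, not part of the post above, that scores the forwarded message for the indicators visible in it: a Reply-To domain that differs from the From domain, a hidden recipient list, an all-caps subject, and a signature claiming a US Treasury office from an unrelated sender domain. The sample message is constructed from the quoted headers, and treasury.gov is an assumed legitimate domain for the claimed agency.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample reproducing the headers and signature quoted in the post.
SAMPLE = """From: MAIL SERVICE <xavier@immobiliariarosell.com>
Subject: NOTIFICATION!!!
To: undisclosed-recipients:;
Reply-To: 1brattany@att.net

Attn: Recipient,

The Office of Foreign Assets Control (OFAC) administers and enforces
sanctions based on US foreign policy.

Regards,
Mr. Steven T. Mnuchin
Secretary of Treasury, Office of Foreign Assets Control
"""

# Assumed legitimate domain for the agency the signature claims (OFAC is part
# of the US Treasury); a sender from any other domain making that claim is flagged.
CLAIMED_AGENCY_DOMAINS = {"treasury.gov"}


def domain_of(header_value):
    """Bare domain of an address header, lower-cased; '' when absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def header_indicators(raw):
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    # Replies routed to a different mailbox than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Bulk send with the recipient list hidden.
    if "undisclosed-recipients" in (msg["To"] or "").lower():
        findings.append("recipient list hidden (undisclosed-recipients)")
    subject = msg["Subject"] or ""
    if subject.isupper() and "!" in subject:
        findings.append("all-caps subject with exclamation marks")
    # Signature claims an agency, but the sender domain is not that agency's.
    body = msg.get_payload()
    claims_agency = re.search(r"\b(Treasury|OFAC)\b", body) is not None
    if claims_agency and from_dom not in CLAIMED_AGENCY_DOMAINS:
        findings.append(f"signature claims a US Treasury office but sender domain is {from_dom}")
    return findings


if __name__ == "__main__":
    for finding in header_indicators(SAMPLE):
        print("-", finding)
```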

Mental health, stress, and moral injury

Rob Slade <rmslade@shaw.ca>
Thu, 9 Jul 2020 18:12:50 -0700

OK, everybody is under stress, of various types, right now. It's creating mental health challenges in a variety of ways. We need to protect our employees, colleagues, and ourselves, as well.

Concentrating on health workers, the Centre of Excellence on Post-Traumatic Stress Disorder at The Royal Ottawa and Phoenix Australia—Centre for Post-traumatic Mental Health have co-developed A Guide to Moral Injury. The Website, outlining the issues, is at:
https://www.moralinjuryguide.ca/
You can obtain the full guide, free of charge:
https://www.moralinjuryguide.ca/wp-content/uploads/2020/07/Moral-Injury-Guide.pdf
An executive summary is available here:
https://www.moralinjuryguide.ca/wp-content/uploads/2020/07/MI-Guide-Executive-Summary.pdf


Home Security Camera Wi-Fi Signals Can be Hacked to Tell When People Are Home (Jonathan Chadwick)

ACM TechNews <technews-editor@acm.org>
Wed, 8 Jul 2020 12:40:26 -0400 (EDT)

Jonathan Chadwick, The Daily Mail (UK), 6 Jul 2020

Scientists at the U.K.'s Queen Mary University of London and the Chinese Academy of Sciences in Beijing have demonstrated exploits of Internet-connected security camera uploads that track potential burglars, allowing hackers to learn whether homes are occupied or not. Many smart home cameras use Wi-Fi connections to facilitate remote monitoring by homeowners, which hackers can hijack when activated—even if the video content is encrypted. An undisclosed home Internet Protocol security camera provider allowed the researchers access to a dataset covering 15.4 million streams from 211,000 active users. By studying the rate at which cameras uploaded data via the Internet, the team could detect when a camera was uploading motion, and even differentiate between certain types of motion. The researchers also learned that online traffic generated by the cameras, often motion-triggered, could be monitored to predict whether people were at home. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-25eb9x223498x065969&
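
The observation described above, and the mitigation, on constructed traffic counts; this is an added example, not the researchers' code or dataset. It assumes a camera that uploads a small keepalive each second when idle and a large encrypted burst on motion, and shows that only the per-second volume is needed to see the bursts, and that shaping the upload to a constant rate (dummy bytes when idle, queueing when busy) removes that signal at a bandwidth cost.

```python
from statistics import median


def constructed_trace():
    """Bytes uploaded per second over one minute (constructed sample)."""
    trace = [1_200] * 60           # 1.2 kB/s keepalive while idle
    trace[20:28] = [180_000] * 8   # 8-second upload triggered by motion
    trace[45:48] = [160_000] * 3   # 3-second upload triggered by motion
    return trace


def motion_windows(trace, factor=10):
    """(start, end) second ranges whose volume exceeds factor x the median.
    Payload content is never inspected; volume per second is the whole signal."""
    baseline = median(trace)
    windows, start = [], None
    for t, nbytes in enumerate(trace):
        burst = nbytes > factor * baseline
        if burst and start is None:
            start = t
        elif not burst and start is not None:
            windows.append((start, t))
            start = None
    if start is not None:
        windows.append((start, len(trace)))
    return windows


def pad_to_constant_rate(trace, rate):
    """Mitigation: the link always carries `rate` bytes per second.
    Real bytes are queued and drained at `rate`; dummy bytes fill any gap.
    Returns the shaped trace and the backlog still queued at the end."""
    queue, shaped = 0, []
    for nbytes in trace:
        queue += nbytes
        queue -= min(queue, rate)   # drain up to `rate` real bytes
        shaped.append(rate)         # observer sees a flat line either way
    return shaped, queue


def bandwidth_overhead(trace, shaped):
    """Ratio of bytes sent with shaping to bytes the camera actually produced."""
    return sum(shaped) / sum(trace)


if __name__ == "__main__":
    raw = constructed_trace()
    print("unpadded, motion inferred at:", motion_windows(raw))
    shaped, backlog = pad_to_constant_rate(raw, 80_000)
    print("padded, motion inferred at:", motion_windows(shaped),
          "backlog:", backlog, "overhead: %.2fx" % bandwidth_overhead(raw, shaped))
```

Lowering the constant rate reduces the overhead but leaves real bytes queued (latency) after each burst, which is the trade-off a vendor choosing this defence has to make.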


Uncovered: 1,000 Phrases That Incorrectly Trigger Alexa, Siri, and Google Assistant (Dan Goodin)

ACM TechNews <technews-editor@acm.org>
Wed, 8 Jul 2020 12:40:26 -0400 (EDT)

Dan Goodin, Ars Technica, 1 Jul 2020

Researchers at Ruhr University Bochum and the Max Planck Institute for Security and Privacy in Germany have identified more than 1,000 word sequences that incorrectly trigger voice assistants like Alexa, Google Home, and Siri. The researchers found that dialogue from TV shows and other sources produces false triggers that activate the devices, raising concerns about privacy. Depending on pronunciation, the researchers found that Alexa will wake to the words “unacceptable” and “election,” while Siri will respond to “a city,” and Google Home to “OK, cool.” They note that when the devices wake, a portion of the conversation is recorded and transmitted to the manufacturer, where employees may transcribe and check the audio to help improve word recognition. This means each company's logs may contain fragments of potentially private conversations. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-25eb9x22349cx065969&


Can an Algorithm Predict the Pandemic's Next Moves? (Benedict Carey)

ACM TechNews <technews-editor@acm.org>
Wed, 8 Jul 2020 12:40:26 -0400 (EDT)

Benedict Carey, The New York Times, 2 Jul 2020

An international team of scientists has developed a computer model to predict Covid-19 outbreaks about two weeks before they happen. Team leaders Mauricio Santillana and Nicole Kogan of Harvard University created the algorithm, which monitors Twitter, Google searches, and mobility data from smartphones in real time in order to forecast outbreaks 14 days or more before case counts start rising. Santillana said the model is based on observations rather than assumptions, employing methods responsive to immediate behavioral changes. The team integrated multiple real-time data streams with a prediction model from Northeastern University, based on people's movements and interactions in communities, and assessed the value of trends in the data stream by observing how each correlated with case counts and deaths over March and April in each state. Santillana said, “We don't see this data as replacing traditional surveillance, but confirming it.” https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-25eb9x223497x065969&


Supreme Court Preserves Limits on Autodialed Calls to Cell Phones, Overturns Government Debt Collection Exception

Cooley <info@emailcc.com>
Mon, 13 Jul 2020 09:09:16 -0600

In a widely anticipated decision in Barr v. American Association of Political Consultants, the US Supreme Court determined that an exception to the Telephone Consumer Protection Act (TCPA) that allowed robocalls to mobile phones to collect government debts was unconstitutional, but declined to overturn the broader ban on most robocalls to mobile phones without the prior express consent of the recipient. The decision reveals significant differences among the justices on how to apply the First Amendment to the TCPA, but also leaves that current regime in place for all but a fraction of entities that use autodialed calls. As a result, entities that make autodialed calls should continue to obtain prior express written consent for those calls.

https://i.cooley.com/e/708103/C50814EDFB41B8F669AE9711D—z-z/43q7j/159951937?hyrXwDekXtEKMUTjG6B8lfsrf4HyeCQ5MQcbcPQ9Gswg


Re: Not so random acts: Science finds that being kind pays off (RISKS-32.08)

Neil Youngman <antlists@youngman.org.uk>
Fri, 10 Jul 2020 17:58:21 +0100

It's long been known that tit-for-tat is a very good social strategy—it's pretty obvious that anybody who is always kind will be taken advantage of, and anybody who is never kind will be shunned.

But if we're “forgiving tit-for-tat” (i.e., we're mostly tit-for-tat but every now and then forgive an unkindness), then people who don't play the game get punished, but people who do can be pretty much always kind in safety.

That's old news …
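
An iterated prisoner's dilemma simulation, added here and not part of the reply, that checks the three claims above: always-kind is exploited by never-kind, never-kind is punished by tit-for-tat, and a forgiving tit-for-tat recovers from a single mistake that locks two plain tit-for-tat players into alternating retaliation. The payoffs (3 mutual cooperation, 5 and 0 for exploiting and being exploited, 1 mutual defection), the 20-round length and the "forgive every third unkindness" rule are assumptions.

```python
# Payoff (A, B) for each pair of moves: C = kind, D = unkind.
PAYOFF = {("C", "C"): (3, 3), ("C", "D"): (0, 5),
          ("D", "C"): (5, 0), ("D", "D"): (1, 1)}


def always_kind(me, opp):
    return "C"


def never_kind(me, opp):
    return "D"


def tit_for_tat(me, opp):
    """Open kindly, then mirror the opponent's last move."""
    return opp[-1] if opp else "C"


def forgiving_tft(me, opp, every=3):
    """Tit-for-tat, except every `every`-th unkindness is forgiven (assumed rule)."""
    if not opp or opp[-1] == "C":
        return "C"
    return "C" if opp.count("D") % every == 0 else "D"


def play(strat_a, strat_b, rounds=20, mistakes=()):
    """Total scores (A, B); at round indices in `mistakes` A's move is flipped
    to model an accidental unkindness (noise)."""
    a_hist, b_hist, score = [], [], [0, 0]
    for r in range(rounds):
        a = strat_a(a_hist, b_hist)
        b = strat_b(b_hist, a_hist)
        if r in mistakes:
            a = "D" if a == "C" else "C"
        pa, pb = PAYOFF[(a, b)]
        score[0] += pa
        score[1] += pb
        a_hist.append(a)
        b_hist.append(b)
    return tuple(score)


if __name__ == "__main__":
    print("always kind vs never kind:", play(always_kind, never_kind))
    print("never kind vs tit-for-tat:", play(never_kind, tit_for_tat))
    print("TFT vs TFT, one slip:     ", play(tit_for_tat, tit_for_tat, mistakes={2}))
    print("forgiving vs TFT, one slip:", play(forgiving_tft, tit_for_tat, mistakes={2}))
    print("forgiving vs never kind:  ", play(forgiving_tft, never_kind))
```

With no slip two tit-for-tat players score 60 each; after one slip they fall to 51 each, while the forgiving player restores mutual cooperation and both reach 57.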
