The RISKS Digest
Volume 32 Issue 42

Friday, 25th December 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Navalny Says Russian Agent Confessed to Plot to Poison Him
NYTimes
Report accuses Saudi Arabia, UAE of probably hacking phones of over three dozen journalists in London, Qatar
Alternet
A Massive Fraud Operation Stole Millions From Online Bank Accounts
WiReD
Zoom helped China suppress U.S. calls about Tiananmen, prosecutors allege
WashPost
Zoom scam alert: Never click on this kind of invite
Fast Company
Zoom encryption “with one exception”
Gabe Goldberg
New Critical Flaws in Treck TCP/IP Stack Affect Millions of IoT Devices
The Hacker News
Over 70 West Point Cadets Accused Of Cheating In Academic Scandal
NPR
Should We Use Search History for Credit Scores? IMF Says Yes
Gizmodo
Maverick astrophysicist calls for unusually intense solar cycle, straying from consensus view
WashPost
There's a disturbing provision buried in the government spending bill that could upend the way we use the Internet
Alternet
Re: SolarWinds, SunBurst, Russians, et al.
Keith Medcalf
Re: SolarWinds Hack Attribution
Dick Mills
Re: DrDoctor & Mjog & Sending SMS To Elderly Patients
Chris J Brady
Re: An Internal Medicine: Levels of medical evidence
Robert R. Fenichel
Info on RISKS (comp.risks)

Navalny Says Russian Agent Confessed to Plot to Poison Him (NYTimes)

Monty Solomon <monty@roscom.com>
Mon, 21 Dec 2020 18:36:07 -0500

Aleksei A. Navalny, the Russian opposition leader, published a recording of a phone call in which he says he tricked a security official into exposing the plot.

https://www.nytimes.com/2020/12/21/world/europe/russia-navalny-poisoning-putin.html


Report accuses Saudi Arabia, UAE of probably hacking phones of over three dozen journalists in London, Qatar (Alternet)

Monty Solomon <monty@roscom.com>
Mon, 21 Dec 2020 19:21:10 -0500

Report accuses Saudi Arabia, UAE of probably hacking phones of over three dozen journalists in London, Qatar

Using a so-called “zero-click exploit,” NSO Group's Pegasus spyware allegedly broke into cellphones without any interaction from their targets, Citizen Lab found.

https://www.washingtonpost.com/world/2020/12/20/saudi-arabia-uae-behind-phone-hacks-more-than-three-dozen-journalists-london-qatar-report-finds/


A Massive Fraud Operation Stole Millions From Online Bank Accounts (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Mon, 21 Dec 2020 00:26:56 -0500

The crooks used emulators to mimic the phones of more than 16,000 customers whose mobile bank accounts had been compromised.

https://www.wired.com/story/massive-fraud-operation-stole-millions-online-bank-accounts/


Zoom helped China suppress U.S. calls about Tiananmen, prosecutors allege (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Sun, 20 Dec 2020 01:11:16 -0500

The case is a stunning blow for the $100 billion video-call giant and raises questions about how the California-based company protects users’ data around the world

A security executive with the video-tech giant Zoom worked with the Chinese government to terminate Americans’ accounts and disrupt video calls about the 1989 massacre of pro-democracy activists in Tiananmen Square, Justice Department prosecutors said Friday.

The case is a stunning blow for Zoom, one of the most popular new titans of American tech, which during the pandemic became one of the main ways people work, socialize and share ideas around the world. The California-based company is now worth more than $100 billion.

But the executive’s work with the Chinese government, as alleged by FBI agents in a criminal complaint unsealed Friday in a Brooklyn federal court, highlights the often-hidden threats of censorship on a forum promoted as a platform for free speech. It also raises questions about how Zoom is protecting users’ data from governments that seek to surveil and suppress people inside their borders and abroad.

Prosecutors said the China-based executive, Xinjiang Jin, worked as Zoom’s primary liaison with Chinese law enforcement and intelligence services, sharing user information and terminating video calls at the Chinese government’s request.

https://www.washingtonpost.com/technology/2020/12/18/zoom-helped-china-surveillance/


Zoom scam alert: Never click on this kind of invite

Gabe Goldberg <gabe@gabegold.com>
Mon, 21 Dec 2020 00:28:35 -0500

Zoom phishing scams are the latest conduit for planting malware to steal identities, passwords, and financial information.

https://www.fastcompany.com/90582864/never-click-on-this-kind-of-zoom-invite-youll-thank-us-forever


Zoom encryption “with one exception”

Gabe Goldberg <gabe@gabegold.com>
Mon, 21 Dec 2020 16:14:35 -0500

On a Zoom event today, I looked at the Zoom connection details: encrypted “with one exception”.

I wasn't the host, and the people running it were very non-tech, so I didn't bother asking who the exception might have been, if hosts see that information. Has anyone else seen that on Zoom connections?

https://support.zoom.us/hc/en-us/articles/360053104471-New-updates-for-December-7-2020

New and enhanced features
General features

Partially encrypted meeting warning—Windows, macOS, Linux, Android, iOS, web client

Unencrypted connections, such as audio through phone dial-in, unencrypted SIP/H.323 devices, or streaming via RTMP, will alert the host and other attendees that some aspects of the meeting are not fully encrypted.


New Critical Flaws in Treck TCP/IP Stack Affect Millions of IoT Devices (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Wed, 23 Dec 2020 14:51:50 -1000

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of critical vulnerabilities in a low-level TCP/IP software library developed by Treck that, if weaponized, could allow remote attackers to run arbitrary commands and mount denial-of-service (DoS) attacks.

The four flaws affect Treck TCP/IP stack version 6.0.1.67 and earlier and were reported to the company by Intel. Two of these are rated critical in severity.

Treck's embedded TCP/IP stack is deployed worldwide in manufacturing, information technology, healthcare, and transportation systems.

The most severe of them is a heap-based buffer overflow vulnerability (CVE-2020-25066) in the Treck HTTP Server component that could permit an adversary to crash or reset the target device and even execute remote code. It has a CVSS score of 9.8 out of a maximum of 10. […]

https://thehackernews.com/2020/12/new-critical-flaws-in-treck-tcpip-stack.html
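The article names the bug class (a heap-based overflow in an HTTP server component) but not its mechanics, so the following is an added illustration rather than Treck's code or the actual CVE-2020-25066 defect: the generic way an embedded HTTP server ends up writing past a heap block is to let a client-supplied Content-Length drive a copy that the allocation size never constrains. The naive function shows that pattern; the checked version parses the length without integer wraparound, bounds it against both a local policy limit and the bytes actually received, and rejects malformed or missing values before any copy happens. MAX_BODY, the helper names and the sample requests are all assumptions constructed for the example.

```c
/* Added illustration for the Treck item: NOT Treck's code and NOT the mechanics of
 * CVE-2020-25066 (the article does not describe them). It shows the generic way an
 * embedded HTTP server gets a heap-based overflow, trusting the client's Content-Length
 * when filling a heap buffer. MAX_BODY and every request string are constructed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_BODY 1024 /* assumed per-device policy limit */

/* VULNERABLE PATTERN, kept for contrast only (never call it on untrusted input):
 * the declared length drives the copy, the allocation size does not. */
char *naive_read_body(const char *req)
{
    const char *hdr_end = strstr(req, "\r\n\r\n");
    const char *cl = strstr(req, "Content-Length:");
    if (!hdr_end || !cl) return NULL;
    size_t n = (size_t)atoi(cl + 15); /* attacker-controlled, unchecked */
    char *body = malloc(MAX_BODY);
    if (body) memcpy(body, hdr_end + 4, n); /* heap overflow when n > MAX_BODY */
    return body;
}

/* Find the Content-Length value in [hdr, hdr+len). Requiring a leading CRLF keeps
 * the key from matching inside another header's value. Exact case only, for
 * brevity: a lower-case header name is rejected by the caller, i.e. fails closed. */
static const char *find_content_length(const char *hdr, size_t len)
{
    static const char key[] = "\r\nContent-Length:";
    const size_t klen = sizeof key - 1;
    for (size_t i = 0; i + klen <= len; i++) {
        if (memcmp(hdr + i, key, klen) != 0) continue;
        const char *p = hdr + i + klen;
        while (p < hdr + len && (*p == ' ' || *p == '\t')) p++;
        return p;
    }
    return NULL;
}

/* Unsigned decimal in [p, end): non-empty, only a CR may follow the digits,
 * and no wraparound (atoi would silently wrap or go negative). */
static int parse_size(const char *p, const char *end, size_t *out)
{
    size_t v = 0;
    int ndigits = 0;
    for (; p < end && *p >= '0' && *p <= '9'; p++, ndigits++) {
        unsigned d = (unsigned)(*p - '0');
        if (v > (SIZE_MAX - d) / 10) return -1;
        v = v * 10 + d;
    }
    if (ndigits == 0 || (p < end && *p != '\r')) return -1;
    *out = v;
    return 0;
}

/* HARDENED VERSION: works on [req, req+req_len) without relying on a NUL.
 * Returns 0 and a malloc'd body, or -EINVAL (no terminator / bad header),
 * -EMSGSIZE (over policy limit), -EAGAIN (declared more than was received).
 * The copy length is the validated value, bounded by allocation and input. */
int read_body_checked(const char *req, size_t req_len, char **body, size_t *body_len)
{
    *body = NULL; *body_len = 0;
    const char *hdr_end = NULL;
    for (size_t i = 0; i + 4 <= req_len; i++)
        if (memcmp(req + i, "\r\n\r\n", 4) == 0) { hdr_end = req + i; break; }
    if (!hdr_end) return -EINVAL;
    size_t hdr_len = (size_t)(hdr_end - req) + 2; /* headers incl. last CRLF */
    const char *v = find_content_length(req, hdr_len);
    if (!v) return -EINVAL; /* no length: reject rather than guess */
    size_t declared;
    if (parse_size(v, req + hdr_len, &declared) != 0) return -EINVAL;
    if (declared > MAX_BODY) return -EMSGSIZE;
    if (declared > req_len - (size_t)((hdr_end + 4) - req)) return -EAGAIN;
    char *b = malloc(declared + 1);
    if (!b) return -ENOMEM;
    memcpy(b, hdr_end + 4, declared);
    b[declared] = '\0';
    *body = b; *body_len = declared;
    return 0;
}

/* Wrapper for NUL-terminated samples: body length on success, else the negative rc. */
long probe(const char *req)
{
    char *b; size_t n;
    int rc = read_body_checked(req, strlen(req), &b, &n);
    if (rc != 0) return rc;
    free(b);
    return (long)n;
}

int main(void)
{
    printf("good: %ld\n", probe("POST /u HTTP/1.1\r\nContent-Length: 5\r\n\r\nhello"));
    printf("hostile: %ld (negative = rejected before any copy)\n",
           probe("POST /u HTTP/1.1\r\nContent-Length: 99999999\r\n\r\nx"));
    return 0;
}
```

The point of the checked version is that every quantity fed to malloc and memcpy has been derived from validated input and compared against both limits the device actually has (its own policy and the bytes in the receive buffer); the naive version's allocation size and copy size come from two unrelated sources, which is exactly the shape of a heap overflow in a header parser.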


Over 70 West Point Cadets Accused Of Cheating In Academic Scandal (NPR)

Dave Farber <farber@gmail.com>
Tue, 22 Dec 2020 15:08:51 +0900

https://www.npr.org/2020/12/21/949025580/more-than-70-west-point-cadets-accused-of-cheating-in-academic-scandal


Should We Use Search History for Credit Scores? IMF Says Yes

Gabe Goldberg <gabe@gabegold.com>
Sun, 20 Dec 2020 01:13:34 -0500

With more services than ever collecting your data, it’s easy to start asking why anyone should care about most of it. This is why. Because people start having ideas like this.

In a new blog post for the International Monetary Fund, four researchers presented their findings from a working paper that examines the current relationship between finance and tech as well as its potential future. Gazing into their crystal ball, the researchers see the possibility of using the data from your browsing, search, and purchase history to create a more accurate mechanism for determining the credit rating of an individual or business. They believe that this approach could result in greater lending to borrowers who would potentially be denied by traditional financial institutions.

At its heart, the paper is trying to wrestle with the dawning notion that the institutional banking system is facing a serious threat from tech companies like Google, Facebook, and Apple. The researchers identify two key areas in which this is true: Tech companies have greater access to soft-information, and messaging platforms can take the place of the physical locations that banks rely on for meeting with customers.

The concept of using your web history to inform credit ratings is framed around the notion that lenders rely on hard-data that might obscure the worthiness of a borrower or paint an unnecessarily dire picture during hard times. Citing soft-data points like “the type of browser and hardware used to access the Internet, the history of online searches and purchases” that could be incorporated into evaluating a borrower, the researchers believe that when a lender has a more intimate relationship with the potential client’s history, they might be more willing to cut them some slack. […]

But how would all this data be incorporated into credit ratings? Machine learning, of course. It’s black boxes all the way down.

https://gizmodo.com/your-credit-score-should-be-based-on-your-web-history-1845912592


Maverick astrophysicist calls for unusually intense solar cycle, straying from consensus view (WashPost)

Paul Saffo <paul@saffo.com>
Sun, 20 Dec 2020 21:58:24 -0800

If the prediction of Scott McIntosh of the National Center for Atmospheric Research is right, it could mean more frequent and energetic solar storms in the coming years

Matthew Cappucci, The Washington Post, 19 Dec 2020 https://www.washingtonpost.com/weather/2020/12/19/solar-cycle-prediction-mcintosh/

When the chips are down and a big storm is brewing on Earth, odds are that forecasters are predicting close to the same thing. But when it comes to space weather and storms that flare up on the surface of the sun, that's not always the case. The sun has begun a new 11-year cycle, and scientists have very different ideas on just how much energy will be available to fuel its eruptions.

The consensus view of an international panel of 12 scientists calls for the new cycle, Solar Cycle 25, to be small to average, much like its predecessor, Solar Cycle 24.

But a prominent astrophysicist at the National Center for Atmospheric Research, Scott McIntosh, foresees the sun going gangbusters. The cycle is already off to a fast start, coinciding with the recent publication of McIntosh's paper in Solar Physics. The study, with contributions from several of his colleagues, forecasts the nascent sunspot cycle to become one of the strongest ever recorded.

The weather on the sun matters because solar outbursts can unleash radiation into the Earth's atmosphere that is dangerous for air travelers; interfere with spacecraft and satellites; and, in a worst-case scenario, inflict significant damage on Earth's power grids. The forecasts for the new solar cycle, which are so divergent, regard the number of sunspots that the sun will cook up over the coming 11 years. Sunspots are like bruises on the surface of the sun, cooler discolorations that throb and pulsate. Forecasting sunspots is important, since coronal mass ejections that originate from them can send disruptive bursts of magnetic energy toward the Earth.

Predicting sunspots in the new solar cycle

In September, NASA announced that solar cycle 24 ended in December 2019, and that solar cycle 25 had begun.

The number of sunspots crowding the solar disk at one time varies significantly over the course of the solar cycle. During solar minimum—which we're emerging from right now—weeks can pass without a single sunspot. In fact, 206 days in 2020 (or 58 percent of the year) haven't featured any Earth-facing sunspots.

But at the peak of a solar cycle, the average monthly sunspot number ranges from 140 to 220.

Solar cycle 24's sunspot activity proved underwhelming—with the sunspot number averaging 110 at its peak.

An international panel co-chaired by scientists from NOAA and NASA, which featured six U.S. solar scientists and half a dozen from abroad, is anticipating a similarly quiet cycle 25.

They're calling for that peak to occur in July 2025, give or take about eight months.

But McIntosh, who is now NCAR's deputy director and previously directed its High Altitude Observatory, estimates a sunspot number more than double what the joint panel is predicting.

The panel's prediction: A quiet cycle

The scientists on the Solar Cycle 25 Prediction Panel produced their outlook by reviewing and vetting a number of predictions across the solar science and astrophysics community. Among them is Doug Biesecker, the panel's co-chair and a scientist at NOAA's Space Weather Prediction Center.

Among the diverse panel, different ideas were discussed and debated. Disagreements often stemmed from the state of the science, Biesecker explained, and how poorly understood the underlying physics of the sun are.

“We concluded it would be similar in strength to the cycle that's just died,” said Gordon Petrie, a scientist at the National Solar Observatory. “This is a comparatively weak number. [Cycle 23] was about 50 percent stronger than [cycle 24], and going back to the 1950s, the cycles were much stronger [still.]”

The lone wolf with a shocking forecast

In stark contrast to the panel's forecast are the prophecies of McIntosh, who anticipates that the upcoming solar cycle could be the most active in half a century. He has developed a prediction technique he says foreshadows a coming period of solar volatility.

“If the relationship, [which] was developed off 24 cycles, holds, the number [of sunspots] coming out is double what the consensus prediction was from the various panel members,” McIntosh said.

His group pinned their forecast at “233 [sunspots] with error bars” during the peak of Solar Cycle 25.

“And those error bars are not huge,” McIntosh added. “The data just smacks you in the face.”

Why the forecasts matter

Predicting discolorations on the surface of a star 93 million miles away might seem like an abstract art, but it's actually a vital exercise. That's because the Earth is susceptible to “space weather,” or the effects of “storms” launched from the sun. The storms hurl high-energy particles toward the Earth, along with intense spurts of magnetic energy.

That can have a pretty visible manifestation in the form of the aurora borealis and australis, but other impacts can be much more severe.

“Big [solar] cycles cause things to fall out of low Earth orbit more quickly,” explained Biesecker. That can be problematic for satellites, which are integral for global economies and commerce. “[Energy from solar storms can] heat up the [thermosphere, or upper atmosphere], and that heating basically results in increased density at satellite orbit altitudes.”

That, in turn, slows down the satellites, sometimes to the point of knocking some out of orbit.

This can be problematic too, because decades' worth of satellite launches have cluttered the extreme outer atmosphere with defunct leftovers and space junk. Without drag to scour out the extraterrestrial rubbish, the risk of an operable satellite being damaged by a collision climbs. The solar storms can disrupt or destroy the electronics onboard satellites if precautions aren't taken. A big storm, and “you'll literally see satellites frying,” McIntosh warned. “They cut corners on shielding.”

And the biggest events have even knocked out electrical grids on the ground before—though episodes of that magnitude are rare. On March 12, 1989, a solar storm brought the northern lights as far south as Cuba and Florida, while knocking out power to a large swath of Quebec.

The episode paled in comparison to the infamous Carrington Event, which brought the planet's biggest geomagnetic storm on record in early September 1859. Telegraph wires fried, while the northern lights could be seen across the entire Lower 48.

In 2013, researchers in the United Kingdom published a paper estimating that a similar storm today could cost the U.S. trillions of dollars, slashing the country's GDP by up to 15 percent. Some even speculate that a solar storm of that magnitude would bring the world's economy to a screeching halt, with electrical service restoration taking months.

Solar storms can also boost how much solar radiation passengers and crew onboard commercial flights near the poles are exposed to, at times reaching dangerous levels. Airlines sometimes reroute their flights if they have advance notice.

Leveraging the sun's magnetism to make predictions

By understanding the current magnetic structure and field strength of the sun, it's possible for solar physicists to make forward-looking predictions of sunspot number. The science is still in its early stages at best, with a few main techniques for estimation.

“It's not a mature branch of science, I have to say,” Petrie said. “We have a set of calculations that guide us.” Scientists have found a link between how much magnetic energy pours out of the sun at solar minimum and the number of sunspots that form later in the cycle.

Another method of prediction focuses on observed motion and visible signatures on the sun's surface. “It is based on what we see on the [illuminated surface], and tries to project what we'll see on the surface based on what we've already seen,” Petrie said.

A novel approach leads a wildly different prediction

McIntosh has taken an entirely different approach in his strategy. And he thinks it could be revolutionary.

“Up until a couple years ago, I was watching the slow decline of solar activity over the last 30 years, and kind of jumped on the bandwagon that year that's going to continue,” McIntosh said. “But then we did some work about 18 months ago.”

McIntosh has set about trying to figure out how the sun's “internal magnetic machine” works. He deduced that there are as many as four main magnetic bands that encircle the sun at any one time. Sunspots, he argues, are the result of interference and overlap between those bands.

McIntosh postulates that there may not be just one cycle that accounts for sunspot activity but, in fact, several, connected to one of those four main magnetic bands. He thinks they all overlap in different ways, their peaks slightly misaligned. The frequency of sunspots we see is the product of how those subcycles interact.

McIntosh enlisted the help of plasma fusion scientists to review past data and come up with the math to predict what sunspot patterns may arise in the years ahead.

What does it mean when the sun is spotless and serene?

Only time will tell if McIntosh's predictions for an active Solar Cycle 25 are borne out. He says “the proof is in the pudding.”

For now, the panel has remained quiet about his research, but McIntosh says that—if his predictions are realized—the field will have a lot of work to do. “This work is pointing in a direction which says much of the past physics isn't quite right,” he said. “If we're right, it points to a quite different way in how the sun works.”


There's a disturbing provision buried in the government spending bill that could upend the way we use the Internet (Alternet)

geoff goodfellow <geoff@iconia.com>
Tue, 22 Dec 2020 09:48:43 -1000

Lawmakers in Congress are under fire from digital rights campaigners for embedding three controversial changes to online copyright and trademark laws into the must-pass $2.3 trillion legislative package (which includes a $1.4 trillion omnibus spending bill and a $900 billion Covid-19 relief bill) that could receive floor votes in the House and Senate as early as Monday evening. <https://thehill.com/policy/finance/531164-congress-unveils-23-trillion-government-spending-and-virus-relief-package> <https://www.commondreams.org/news/2020/12/21/slap-face-people-suffering-across-country-critics-slam-watered-down-covid-relief>

The punitive provisions crammed into the enormous bill, warned Evan Greer of the digital rights group Fight for the Future, “threaten ordinary Internet users with up to $30,000 in fines for engaging in everyday activity such as downloading an image and re-uploading it… [or] sharing memes.” <https://rules.house.gov/sites/democrats.rules.house.gov/files/BILLS-116HR133SA-RCP-116-68.pdf>

While the citizenry had almost no time to process the actual contents of the 5,593 page legislative text, Greer said Monday afternoon that the CASE Act, Felony Streaming Act, and Trademark Modernization Act “are in fact included in the must-pass omnibus spending bill.” <https://www.fightforthefuture.org/news/2020-12-21-congress-only-has-600-for-covid-relief-but-they/>

As Mike Masnick explained in a piece at TechDirt on Monday: <https://www.techdirt.com/articles/20201221/09573745928/congress-once-again-sells-out-to-hollywood-sneaks-case-act-felony-streaming-bill-into-government-funding-omnibus.shtml> […]

https://www.alternet.org/2020/12/house-bill-copyright/


Re: SolarWinds, SunBurst, Russians, et al. (PGN, RISKS-32.41)

“Keith Medcalf” <kmedcalf@dessus.com>
Sat, 19 Dec 2020 18:37:50 -0700

This is a very long list of affected companies, and they cannot all be “new customers”.

This goes to show that there are QUITE A LOT of “updates for the sake of update” and failures to do adequate Risk Assessments. While the Risks associated with not updating (as it worked yesterday and today, will it work tomorrow, for all values of today) are easily determined, the Risk of Change simply for change's sake (that is, not for any real purpose) can be an extremely risky business.

One wonders how many of these “victims” installed the malicious software just because they wanted to install the latest software, and did so without first performing a Risk Assessment? One also wonders if the person “ordering” the update will be terminated for their negligence?

Hopefully they will learn the error of their ways and not have such shoddy practices in the future.


Re: SolarWinds Hack Attribution (PGN, RISKS-32.41)

Dick Mills <dickandlibbymills@gmail.com>
Mon, 21 Dec 2020 07:00:15 -0500

I'm appalled that the country is willing to accept “unnamed high ranking sources suspect…” as sufficient reason to promote universal acceptance of the identity of the hacker.

I know that intelligence services must protect sources and methods. However, if they hold back actual evidence from the public, their intelligence product risks being labeled as “fake news”.

We are well past the “trust me” era. Journalists and governments must learn to live with the “show me” era.

The media is quick to condemn those who would blame China for SolarWinds; saying that it is “without evidence.” But nobody has yet shown me evidence of the Russia theory.

The public is not being stupid when they decide what to believe based on political biases. It is their adaptation to loss of trust.

Loss of trust is a huge issue. Rather than wring our hands in lament, everyone needs to learn to deal with it.


Re: DrDoctor & Mjog & Sending SMS To Elderly Patients (UK)

Chris J Brady <chrisjbrady@yahoo.com>
Sun, 20 Dec 2020 02:01:01 +0000 (UTC)

Whilst the pandemic rages through the UK at last a viable vaccine appears soon to be offered. They will start with the 90 and 80 year olds. Apparently patients are invited for the ‘jab’ by SMS aka text sent to their phones. These texts have an embedded weblink to be used for booking a time slot. However - like mine - most elderly folks' phones do not ‘do’ weblinks. Quite why the texts cannot give a phone no. to call is a moot point.

Similarly, two opportunist companies - DrDoctor and Mjog - have signed up hospitals and GP surgeries to send texts to patients reminding them of appointments. The default option is to NOT send a follow-up letter. Yet again these texts fail to mention the details of the appointment, but do include a weblink. And yet again it is the elderly who are victimised by this. If the elderly person's phone does not ‘do’ weblinks or they cannot use a smart phone to access the weblink then they cannot find out when their appointment is for. To access their details they also need to remember a complicated password - useless for those with dementia.

Then trying to choose the option to be sent a letter requires knowledge of the Internet, and how to login incl. how to enter a password, and then how to choose the PRINT option.

And what happens when you go to the weblink from a text? A flood of marketing messages for products of no interest whatsoever. But hospitals and GPs have signed up for this service at a cost to themselves; the main aim being to target their patients with marketing messages.

Emails of concern to DrDoctor and Mjog remain ignored.


Re: An Internal Medicine (RISKS-32.41): Levels of medical evidence

“Robert R. Fenichel” <bob@fenichel.net>
Sat, 19 Dec 2020 18:52:23 -0800

From the first year that I was a medical student, I started receiving free journals, and I paid for a subscription to the New England Journal of Medicine. The free journals had lots of full-color ads, but that isn't why I stopped reading them. They were easy to read, with none of the footnotes, acknowledgements of gaps, and other speed bumps of the sort I found in the NEJM, but by the time I was in my second or third year, I often knew that what the free journals had to say was thrown together by people who didn't know what they were talking about.

Over the course of the next two decades, I served as an occasional peer reviewer for various (non-free) medical journals, at least once including the NEJM. I did what other peer reviewers did: When I felt generous, I'd spend most of a day with a paper, trying to find its flaws. There might have been one or two other peer reviewers working in parallel with me; never more.

Then I started working for FDA. For a typical application, FDA would receive several tens of thousands of pages of documentation, revealing all the raw data from the trials. Sometimes NEJM articles on the trials had appeared, and there would be a few pages of the application devoted to apparent discrepancies between the Journal articles and the true details. We (a team of chemists, pharmacologists, toxicologists, and physicians) usually didn't bother to read the Journal articles. We worked for a few weeks or (more often) months, and we drew our own conclusions.

When we did read the Journal articles, it was very rare to find deliberate misrepresentations. Most often, the authors had tried to condense complex material that couldn't really be condensed. Anyone who has tried to teach an elementary course on a complex subject has faced the problem of seeking the least-misleading short version of a long story.

(Around the world, no other drug regulator looks at raw data. Some of them (Europe and Canada) are remarkably skilled at looking at summaries (which is all they get) with an appropriately jaundiced eye, but others are not.)

In brief: free journals:NEJM::NEJM:FDA.

IMDoc's article (“An Internal Medicine Doctor …”) cited by Geoff Goodfellow in Risks 32.41 seems to be what happens when a cranky internist tries to read a NEJM article more closely than it deserves. The place to look for evaluation of the Pfizer/BioNTech coronavirus vaccine is not the NEJM article. Try the FDA review memo (see https://www.fda.gov/media/144416/download). Only a tiny fraction of what the FDA looked at made it into the review memo, but it's not a puff piece.

As someone who has written scores of FDA reviews and read hundreds, I am satisfied. More data will come in, and the professional labeling of the vaccine will doubtless evolve, but the IMDoc article shouldn't weigh heavily in anyone's thinking.
