The RISKS Digest
Volume 32 Issue 76

Saturday, 10th July 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

RFI on scientific integrity
White House OSTP
A code grabber is a device that can capture a radio signal from a vehicle's key fob, analyze it and replicate
geoff goodfellow
Social-credit score system for Germany
Vorausschau
Developer Infinidash joke ends up as job requirement
The Register
Europe makes the case to ban biometric surveillance
Matt Burgess
Some locals say a bitcoin mining operation is ruining one of the Finger Lakes. Here's how.
NBC News
Researchers examine burden of electronic health record on primary care clinicians
medicalxpress.com
How California's new Digital Vaccine Records can be easily abused
EFF
NY's “Excelsior” vaccine “passport” is a mess
TechReview
Microsoft's Emergency Patch Fails to Fully Fix PrintNightmare RCE Vulnerability
MS
Human Risk Management /HRM/ is the FIX.
The Hacker News
Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software
Krebs on Security
Cell phones and cancer: New UC Berkeley study suggests cell phones sharply increase tumor risk
KTVU
GOP Congressman in leaked video: “We want chaos and inability to get things done for the next 18 months!”
Common Dreams
Re: Supreme Court sides with credit agency
Richard Stein, Stanley Chow
Info on RISKS (comp.risks)

RFI on scientific integrity (White House OSTP)

Peter G Neumann <neumann@csl.sri.com>
Mon, 5 Jul 2021 19:56:58 PDT

The White House Office of Science and Technology Policy (OSTP) seeks information by 28 July 2021 to help improve the effectiveness of Federal scientific integrity policies to enhance public trust in science. The January 27, 2021 Presidential Memorandum on Restoring Trust in Government Through Scientific Integrity and Evidence-Based Policymaking (Memorandum) directs OSTP to convene an inter-agency task force under the National Science and Technology Council to review the effectiveness of policies developed since the issuance of the Presidential Memorandum on scientific integrity issued on March 9, 2009 in preventing improper political interference in the conduct of scientific research and the collection of data; preventing the suppression or distortion of findings, data, information, conclusions, or technical results; supporting scientists and researchers of all genders, races, ethnicities, and backgrounds; and advancing the equitable delivery of the Federal Government's programs. To support this assessment, OSTP seeks information about: (1) The effectiveness of Federal scientific integrity policies and needed areas of improvement; (2) good practices Federal agencies could adopt to improve scientific integrity, including in the communication of scientific information, addressing emerging technologies and evolving scientific practices, supporting professional development of Federal scientists, and promoting transparency in the implementation of agency scientific integrity policies; and (3) other topics or concerns that Federal scientific integrity policies should address. Please note the purpose of this RFI is not to receive reports on alleged offenses that are in violation of Federal scientific integrity policies. If you have witnessed or experienced any harmful acts that may undermine scientific integrity and you would like to report these allegations, please contact the Scientific Integrity Officer or Office of the Inspector General at the relevant Federal agency.

https://www.federalregister.gov/documents/2021/06/28/2021-13640/request-for-information-to-improve-federal-scientific-integrity-policies


A code grabber is a device that can capture a radio signal from a vehicle's key fob, analyze it and replicate

geoff goodfellow <geoff@iconia.com>
Mon, 5 Jul 2021 12:37:23 -1000

And here is the code grabber hidden in the Game Boy case.

https://twitter.com/it4sec/status/1411902542993412096


Social-credit score system for Germany (Vorausschau)

Thomas Koenig <tkoenig@netcologne.de>
Mon, 5 Jul 2021 08:46:32 +0200

The German ministry for education and science (BMBF) has published a study in which it puts forward a Chinese-style social credit system for Germany.

A translated quote from the long version on an official BMBF site, https://www.vorausschau.de/vorausschau/de/home/home_node.html#zukuenfte (the web site's design is atrocious; trying to find the information is quite difficult).

“Highly controversial at the beginning, the bonus point system is largely accepted in the 2030s. It establishes new norms in everyday life that were not possible before. The participatory development of the rules also ensures greater acceptance among the population. Approval of the bonus system is growing, particularly in view of the increasing dynamics of climate change. A point-based evaluation, for example of the ecological footprint, helps to make the polluter-pays principle transparent.”

Participation in the point system would be voluntary in the sense that not participating would bring very real drawbacks. Another quote:

“The bonus system is also helpful for the labor market, which continues to suffer from a shortage of skilled workers. It helps to identify qualification potential and efficiently organize the spatial mobility of the workforce.”

So, not participating would lead to lower chances of getting a job.

China is explicitly mentioned as a role model.


Developer Infinidash joke ends up as job requirement (The Register)

Peter Houppermans <peter@houppermans.net>
Mon, 5 Jul 2021 11:18:19 +0200

From https://www.theregister.com/2021/07/05/infinidash/

“A tweeted musing that merely mentioning a new AWS product would be enough to see it appear in job ads has come true — even though the product mentioned is made up.”

Amusingly, enough people picked up the joke and ran with it (my personal favourite was the announcement of an O RLY book) for it to indeed expose quite a few bandwagons, not in the least the aforementioned job specs which have long demonstrated a remarkable ability to remain disconnected from reality.

Entertaining - and educational.


Europe makes the case to ban biometric surveillance (Matt Burgess)

Peter G Neumann <neumann@csl.sri.com>
Thu, 8 Jul 2021 19:40:11 PDT

Matt Burgess, WiReD, 7 Jul 2021

Companies are racing to track your emotions, how you walk and your voiceprint. Should Europe ban biometric tracking entirely?

Your body is a data goldmine. From the way you look to how you think and feel, firms working in the burgeoning biometrics industry are developing new and alarming ways to track everything we do. And, in many cases, you may not even know you're being tracked. But the biometrics business is on a collision course with Europe's leading data protection experts. Both the European Data Protection Supervisor, which acts as the EU's independent data body, and the European Data Protection Board, which helps countries implement GDPR consistently, have called for a total ban on using AI to automatically recognise people. […]

https://www.wired.co.uk/article/europe-ai-biometrics


Some locals say a bitcoin mining operation is ruining one of the Finger Lakes. Here's how. (NBC News)

“Lauren Weinstein” <lauren@vortex.com>
Tue, 6 Jul 2021 15:07:19 -0700

[Why is this still legal?]

https://www.nbcnews.com/science/environment/some-locals-say-bitcoin-mining-operation-ruining-one-finger-lakes-n1272938?cid=sm_npd_nn_tw_ma


Researchers examine burden of electronic health record on primary care clinicians (medicalxpress.com)

“Richard Stein” <rmstein@ieee.org>
Sat, 10 Jul 2021 09:43:30 +0800

https://medicalxpress.com/news/2021-07-burden-electronic-health-primary-clinicians.html

Health record data entry by physicians interferes with patient quality of care. Data entry streamlines healthcare billing, but should it be prioritized over positive patient outcome? Apparently yes.

What can be done to mitigate this conflict?

“Virtual or AI-powered scribes could reduce the burden of note-taking across primary care specialties and can be evaluated in future studies, the authors state. Interventions that streamline messaging and placing orders are also research priorities.”

Naturally enough, these medical incidents are known to arise from old-fashioned, hands-on medicine. How common are these medical errors?

The abstract from “Your Health Care May Kill You: Medical Errors,” via https://pubmed.ncbi.nlm.nih.gov/28186008/ from Stud Health Technol Inform 2017;234:13-17.

“Recent studies of medical errors have estimated errors may account for as many as 251,000 deaths annually in the United States (U.S.), making medical errors the third leading cause of death. Error rates are significantly higher in the U.S. than in other developed countries such as Canada, Australia, New Zealand, Germany and the United Kingdom (U.K.).”

I wonder if AI-driven prescriptions will go haywire? Or the wrong diagnostic procedure will be ordered and performed? Fortunately, the pneumoencephalogram (https://en.wikipedia.org/wiki/Pneumoencephalography) has been retired.


How California's new Digital Vaccine Records can be easily abused (EFF)

“Lauren Weinstein” <lauren@vortex.com>
Thu, 8 Jul 2021 13:18:34 -0700

https://www.eff.org/deeplinks/2021/06/decoding-californias-new-digital-vaccine-records-and-potential-dangers


NY's “Excelsior” vaccine “passport” is a mess (TechReview)

“Lauren Weinstein” <lauren@vortex.com>
Wed, 7 Jul 2021 08:34:15 -0700

Just say no. -L

https://www.technologyreview.com/2021/07/06/1027770/vaccine-passport-new-york-excelsior-pass/


Microsoft's Emergency Patch Fails to Fully Fix PrintNightmare RCE Vulnerability (MS)

geoff goodfellow <geoff@iconia.com>
Wed, 7 Jul 2021 19:03:09 -1000

Even as Microsoft expanded patches https://docs.microsoft.com/en-us/windows/release-health/windows-message-center for the so-called PrintNightmare vulnerability for Windows 10 version 1607, Windows Server 2012, and Windows Server 2016, it has come to light that the patch for the remote code execution exploit in the Windows Print Spooler service can be bypassed in certain scenarios, effectively defeating the security protections and permitting attackers to run arbitrary code on infected systems.

On Tuesday, the Windows maker issued an emergency out-of-band update <https://thehackernews.com/2021/07/microsoft-issues-emergency-patch-for.html> to address CVE-2021-34527 <https://thehackernews.com/2021/07/microsoft-warns-of-critical.html> (CVSS score: 8.8) after the flaw was accidentally disclosed by researchers from Hong Kong-based cybersecurity firm Sangfor late last month, at which point it emerged that the issue was different from another bug — tracked as CVE-2021-1675—that was patched by Microsoft on June 8. <https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html>

“Several days ago, two security vulnerabilities were found in Microsoft Windows' existing printing mechanism,” Yaniv Balmas, head of cyber-research at Check Point, told The Hacker News. “These vulnerabilities enable a malicious attacker to gain full control on all windows environments that enable printing.”

“These are mostly working stations but, at times, this relates to entire servers that are an integral part of very popular organizational networks. Microsoft classified these vulnerabilities as critical, but when they were published they were able to fix only one of them, leaving the door open for explorations of the second vulnerability,” Balmas added. […] https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html


Human Risk Management /HRM/ is the FIX. (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Thu, 8 Jul 2021 11:01:15 -1000

Humans are an organization's strongest defence against evolving cyber-threats, but security awareness training alone often isn't enough to transform user behaviour.

Human Risk Management (HRM) is the FIX.

Check out this new guide from @getusecure: […] https://thehackernews.com/2021/07/security-awareness-training-is-broken.html via https://twitter.com/TheHackersNews/status/1413158374057730052


Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software (Krebs on Security)

geoff goodfellow <geoff@iconia.com>
Thu, 8 Jul 2021 11:03:15 -1000

Last week cybercriminals deployed ransomware to 1,500 organizations that provide IT security and technical support to many other companies. The attackers exploited a vulnerability in software from Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. Now it appears Kaseya’s customer service portal was left vulnerable until last week to a data-leaking security flaw that was first identified in the same software six years ago.

On July 3, the REvil ransomware affiliate program <https://krebsonsecurity.com/?s=revil> began using a zero-day security hole (CVE-2021-30116 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30116>) to deploy ransomware to hundreds of IT management companies running Kaseya’s remote management software — known as the Kaseya Virtual System Administrator (VSA).

According to this entry for CVE-2021-30116 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30116>, the security flaw that powers that Kaseya VSA zero-day was assigned a vulnerability number on April 2, 2021, indicating Kaseya had roughly three months to address the bug before it was exploited in the wild <https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/>.

Also on July 3, security incident response firm Mandiant notified Kaseya that their billing and customer support site —portal.kaseya.net <http://portal.kaseya.net> — was vulnerable to CVE-2015-2862 <https://nvd.nist.gov/vuln/detail/CVE-2015-2862>, a “directory traversal” vulnerability in Kaseya VSA that allows remote users to read any files on the server using nothing more than a Web browser.

As its name suggests, CVE-2015-2862 was issued in July 2015. Six years later, Kaseya’s customer portal was still exposed to the data-leaking weakness. […]

https://krebsonsecurity.com/2021/07/kaseya-left-customer-portal-vulnerable-to-2015-flaw-in-its-own-software/


Cell phones and cancer: New UC Berkeley study suggests cell phones sharply increase tumor risk (KTVU)

geoff goodfellow <geoff@iconia.com>
Wed, 7 Jul 2021 08:37:59 -1000

New UC Berkeley research draws a strong link between cell phone radiation and tumors, particularly in the brain.

Researchers took a comprehensive look at statistical findings from 46 different studies around the globe and found that the use of a cell phone for more than 1,000 hours, or about 17 minutes a day over a ten year period, increased the risk of tumors by 60 percent.

Researchers also pointed to findings that showed cell phone use for 10 or more years doubled the risk of brain tumors.

Joel Moskowitz <https://publichealth.berkeley.edu/people/joel-moskowitz/>, director of the Center for Family and Community Health with the UC Berkeley School of Public Health <https://publichealth.berkeley.edu/>, conducted the research in partnership with Korea’s National Cancer Center, and Seoul National University. Their analysis took a comprehensive look at statistical findings from case control studies from 16 countries including the U.S., Sweden, United Kingdom, Japan, Korea, and New Zealand. […] https://www.ktvu.com/news/new-uc-berkeley-study-draws-strong-link-between-cell-phone-use-and-cancer


GOP Congressman in leaked video: “We want chaos and inability to get things done for the next 18 months!” (Common Dreams)

“Lauren Weinstein” <lauren@vortex.com>
Wed, 7 Jul 2021 15:32:43 -0700

https://www.commondreams.org/news/2021/07/07/leaked-video-gop-congressman-admits-his-party-wants-chaos-and-inability-get-stuff


Re: Supreme Court sides with credit agency (WashPost, RISKS-32.75)

“Richard Stein” <rmstein@ieee.org>
Mon, 5 Jul 2021 13:20:58 +0800

[Hi Steven—My concern was only hypothetical.]

Suppose the TransUnion data were breached, and certain parties had chosen to weaponize or exploit it?

Those unfortunate 8K folks might experience palpable consequences: reduced job eligibility, stigmatization, etc. until or unless they could exonerate themselves by attempting to restore reputation.

Gives one pause about profiling activities in general, and the lists of values/attribute labels contained in profiles.

History suggests the global data breach pandemic is unlikely to subside. Consequences and risks compound with each case.


Re: Supreme Court sides with credit agency (Klein, RISKS-32.75)

“Stanley Chow” <stanley.chow@pobox.com>
Mon, 5 Jul 2021 10:52:28 -0400

In RISKS-32.75, Steve Klein points out that we shouldn't get excited about the U.S. Supreme Court decision siding with the credit agency for SOME PEOPLE—because “… faulty records that were never shared … could not have suffered any damages.”

I am not a lawyer and have not read the decision, but it sounds like:

  1. Someone has a loaded gun pointed to my head.
  2. The trigger will be pulled - as soon as some random user pays $10 (or whatever fee they charge).
  3. The courts cannot do anything until the trigger is pulled.
  4. So, after I am dead (or my life is ruined), the courts MAY fine the credit agency some nominal amount.

Is this as f**ked up as it sounds?
