The RISKS Digest
Volume 32 Issue 8

Tuesday, 7th July 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

No Injuries In Red Line Metro Derailment Outside Silver Spring (DCist)
In Hong Kong, a Proxy Battle Over Internet Freedom Begins (NYTimes)
Looks Like Russian Hackers Are on an Email Scam Spree (WiReD)
Supreme Court bans debt collection robocalling to cellphones (TypePad)
Goodbye to the Wild Wild Web (NYTimes)
Encrypted Phone Network of Mob is Hacked in Europe (Adam Nossiter)
Risks of Editing Wikipedia (Aida Chavez)
Not so random acts: Science finds that being kind pays off (APNews)
How my dad got scammed for $3,000 worth of gift cards (Zachary Crockett)
Japanese startup creates ‘connected’ face mask for coronavirus new normal (Reuters)
What we need is social-media distancing (Spectator)
Early Covid-19 tracking apps easy prey for hackers, and it might get worse before it gets better (Jumbo Privacy)
Re: Breaking HTTPS in the IoT: Practical Attacks For Reverse Engineers (Keith Medcalf)
Re: Jane Goodall on conservation, climate change and COVID-19 (CBS News, Dennis Allison)
Re: A Doctor Confronts Medical Errors (Amos Shapir)
Re: Smells Fishy? The Fish That Prevent Iran From Hacking Israel's Water System (Bill Matthews)
Quote of The Day (Calvin Coolidge)
Info on RISKS (comp.risks)

No Injuries In Red Line Metro Derailment Outside Silver Spring (DCist)

Gabe Goldberg <gabe@gabegold.com>
Tue, 7 Jul 2020 17:49:41 -0400

The Washington Metrorail Safety Commission, the independent body overseeing Metro safety, says its preliminary investigation found the operator ran a red signal, which has been a fireable offense in previous instances.

How can modern trains run red signals? Even without Positive Train Control, automatic stop-on-red has been around for a long time. That seems better than firing after offenses.

https://dcist.com/story/20/07/07/first-two-cars-of-wmata-train-comes-off-tracks-outside-silver-spring-no-serious-injuries/


In Hong Kong, a Proxy Battle Over Internet Freedom Begins (NYTimes)

Monty Solomon <monty@roscom.com>
Tue, 7 Jul 2020 12:11:49 -0400

As the city grapples with new restrictions on online speech, American tech giants are on the front line of a clash between China and the United States over the Internet's future.

https://www.nytimes.com/2020/07/07/business/hong-kong-security-law-tech.html


Looks Like Russian Hackers Are on an Email Scam Spree (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Tue, 7 Jul 2020 17:26:21 -0400

A group dubbed Cosmic Lynx uses surprisingly sophisticated methods—and targets big game.

For years, costly email grifts have largely been the provenance of West African scammers, particularly those based in Nigeria <https://www.wired.com/story/feds-bust-nigerian-email-scammers/>. A newly discovered “business email compromise” campaign, though, appears to come from a criminal group in a part of the world better known for a different brand of online mayhem: Russia.

Dubbed Cosmic Lynx, the group has carried out more than 200 BEC campaigns since July 2019, according to researchers from the email security firm Agari, particularly targeting senior executives at large organizations and corporations in 46 countries. Cosmic Lynx specializes in topical, tailored scams related to mergers and acquisitions; the group typically requests hundreds of thousands or even millions of dollars as part of its hustles. The researchers, who have worked extensively on tracking Nigerian BEC scammers, say they don't have a clear sense of how often Cosmic Lynx actually succeeds at obtaining a payout. Given that the group hasn't lowered its asks in a year, though, and has been prolific about developing new campaigns—including some compelling Covid-19-related scams—Agari reasons that Cosmic Lynx must be raking in a fair amount of money.

https://www.wired.com/story/russian-hackers-email-scams/


Supreme Court bans debt collection robocalling to cellphones (TypePad)

Monty Solomon <monty@roscom.com>
Tue, 7 Jul 2020 10:23:14 -0400

https://pubcit.typepad.com/clpblog/2020/07/supreme-court-bans-debt-collection-robocalling-to-cellphones.html
https://pubcit.typepad.com/clpblog/2020/07/severability-to-the-rescue-again-a-further-note-on-todays-supreme-court-robocalling-decision.html
https://www.supremecourt.gov/opinions/19pdf/19-631_2d93.pdf


Goodbye to the Wild Wild Web (NYTimes)

Monty Solomon <monty@roscom.com>
Fri, 3 Jul 2020 15:58:26 -0400

The Internet is changing, and the freewheeling, anything-goes culture of social media is being replaced by something more accountable.

https://www.nytimes.com/2020/07/02/technology/goodbye-to-the-wild-wild-web.html


Encrypted Phone Network of Mob is Hacked in Europe (Adam Nossiter)

“Peter G. Neumann” <neumann@csl.sri.com>
Sat, 4 Jul 2020 17:18:04 PDT

Adam Nossiter, The New York Times, 3 July 2020

Paris—The police in Europe arrested hundreds of people on suspicion of drug trafficking and other crimes, after successfully hacking into an encrypted phone network being used by organized criminals around the world. Millions of messages were read in real time. PGN-ed


Risks of Editing Wikipedia (Aida Chavez)

Henry Baker <hbaker1@pipeline.com>
Sat, 04 Jul 2020 06:56:17 -0700
[Right on cue re: Orwell, from the Ministry of Truth (Minitrue). HB]

Aida Chavez, The Intercept, 2 Jul 2020 https://theintercept.com/2020/07/02/kamala-harris-wikipedia/

There's a War Going On Over Kamala Harris's Wikipedia Page, with Unflattering Elements Vanishing

California Democratic Sen. Kamala Harris is widely seen as a frontrunner for a spot on the ticket with presumptive nominee Joe Biden, with vetting well underway.

Presidential vetting operations have entire teams of investigators, but for the public, when the pick is announced, the most common source for information about the person chosen is Wikipedia. And there, a war has broken out over how to talk about Harris's career.


Not so random acts: Science finds that being kind pays off

geoff goodfellow <geoff@iconia.com>
Sun, 5 Jul 2020 01:16:00 -1000

Acts of kindness may not be that random after all. Science says being kind pays off.

Research shows that acts of kindness make us feel better and healthier. Kindness is also key to how we evolved and survived as a species, scientists say. We are hard-wired to be kind.

Kindness “is as bred in our bones as our anger or our lust or our grief or as our desire for revenge,” said University of California San Diego psychologist Michael McCullough, author of the forthcoming book, *Kindness of Strangers*. It's also, he said, “the main feature we take for granted.”

Scientific research is booming into human kindness and what scientists have found so far speaks well of us.

“Kindness is much older than religion. It does seem to be universal,” said University of Oxford anthropologist Oliver Curry, research director at Kindlab. “The basic reason why people are kind is that we are social animals.”

We prize kindness over any other value. When psychologists lumped values into ten categories and asked people what was more important, benevolence, or kindness, comes out on top, beating hedonism, having an exciting life, creativity, ambition, tradition, security, obedience, seeking social justice and seeking power, said University of London psychologist Anat Bardi, who studies value systems.

“We're kind because under the right circumstances we all benefit from kindness,” Oxford's Curry said.

When it comes to a species' survival, “kindness pays, friendliness pays,” said Duke University evolutionary anthropologist Brian Hare, author of the new book Survival of the Friendliest <https://amzn.to/2NS4JDs>.

Kindness and cooperation work for many species, whether it's bacteria, flowers or our fellow primate bonobos. The more friends you have, the more individuals you help, the more successful you are, Hare said.

For example, Hare, who studies bonobos and other primates, compares aggressive chimpanzees, which attack outsiders, to bonobos where the animals don't kill but help out strangers. Male bonobos are far more successful at mating than their male chimp counterparts, Hare said.

McCullough sees bonobos as more the exceptions. Most animals aren't kind or helpful to strangers, just close relatives so in that way it is one of the traits that separate us from other species, he said. And that, he said, is because of the human ability to reason.

Humans realize that there's not much difference between our close relatives and strangers and that someday strangers can help us if we are kind to them, McCullough said. […] https://apnews.com/f487b63befb2f4c3181404bcc87be1c1


How my dad got scammed for $3,000 worth of gift cards (Zachary Crockett)

Monty Solomon <monty@roscom.com>
Sun, 5 Jul 2020 09:27:01 -0400

At 2:30 pm on a recent Monday, my dad received a jarring phone call.

A man claiming to be a federal agent (David White, ID #US2607-12) told him there was an abandoned car in El Paso, Texas, rented in his name. Inside the car, they'd found a pile of cash, blood, and drugs. His Social Security number had been linked to 7 different bank accounts, $230k in wired funds, and a rental unit stocked with 22 lbs. of cocaine.

If my dad — a 66-year-old retiree with cancer — didn't cooperate, Agent White would freeze his bank account and pursue criminal charges. …

https://thehustle.co/phone-scam-gift-cards/


Japanese startup creates ‘connected’ face mask for coronavirus new normal (Reuters)

geoff goodfellow <geoff@iconia.com>
Sun, 5 Jul 2020 01:14:00 -1000

As face coverings become the norm amid the coronavirus pandemic, Japanese startup Donut Robotics has developed an Internet-connected ‘smart mask’ that can transmit messages and translate from Japanese into eight other languages.

The white plastic ‘c-mask’ fits over standard face masks and connects via Bluetooth to a smartphone and tablet application that can transcribe speech into text messages, make calls, or amplify the mask wearer's voice.

“We worked hard for years to develop a robot and we have used that technology to create a product that responds to how the coronavirus has reshaped society,” said Taisuke Ono, the chief executive of Donut Robotics. […]

https://www.reuters.com/article/us-health-coronavirus-japan-mask-technol/japanese-startup-creates-connected-face-mask-for-coronavirus-new-normal-idUSKBN23X190


What we need is social-media distancing (Spectator)

geoff goodfellow <geoff@iconia.com>
Sun, 5 Jul 2020 01:15:00 -1000

Social media brings out the worst in us because the algorithm rewards us for being tribal, divisive and emotional

Nearly three months into lockdown, 40 million Americans were unemployed. Kids lost out on three months of schooling. Businesses shuttered, many never to open again. Mental health suffered. People lost their homes. Tens of thousands died alone in hospitals, family members were prevented from holding the hands of their loved ones in their final days, and in many cases they weren't allowed to bury them or hold a funeral.

Parents struggled to balance distance learning and work. Teachers worried that their most vulnerable students weren't logging in to class. People couldn't receive medical treatment or attend birthdays and graduations.

But humans are creative, resilient creatures, and it didn't take long before we adjusted to living online. Necessity forced ingenuity. AA meetings, fitness classes, happy hours and business meetings all pivoted to Zoom. We started group chats with family members and college friends to stay connected. Mostly, we shared memes.

We posted pictures of the dog we adopted, or the sourdough we attempted to make, or the projects in our houses we'd been putting off forever that we finally got to finish, just to try to stay optimistic. There were silver linings, too. Much ink was spilled about learning to slow down, finding joy in being home with the family. All that time commuting—was it worth it? Who did we value—and why? Instead of honoring celebrities, athletes and musicians, we applauded nurses, doctors, truck drivers and grocery-store cashiers. We smiled at each other with our eyes as we stood six feet apart in lines. A feeling of solidarity and grit in the face of a common hardship pervaded, for a brief moment.

Pundits wondered, naively, Did COVID-19 kill the culture wars? […] https://spectator.us/need-social-media-distancing-protest-internet/


Early Covid-19 tracking apps easy prey for hackers, and it might get worse before it gets better (Jumbo Privacy)

geoff goodfellow <geoff@iconia.com>
Tue, 7 Jul 2020 01:15:00 -1000

The apps could prove vital to curtailing the virus's spread as states reopen, but security fears may make them unpopular with users.

The push to use smartphone apps to track the spread of coronavirus is creating a potential jackpot for hackers worldwide—and the U.S. offers a fat loosely defended target.

In the Qatar Covid-19 app, researchers found a vulnerability that would've let hackers obtain more than a million people's national ID numbers and health status. In India's app, a researcher discovered a security gap that allowed him to determine who was sick in individual homes. And researchers uncovered seven security flaws in a pilot app in the U.K.

The U.S. is just starting to use these contact tracing apps—which track who an infected person may have had contact with—but at least one app has already experienced a data leak. North Dakota conceded in May that its smartphone app, Care19, had been sending users' location data to the digital marketing service Foursquare. The issue has since been fixed, according to the privacy app developer that discovered the leak.

<https://blog.jumboprivacy.com/care19-update-foursquare-allows-developers-to-disable-idfa-collection.html>

To date, the public debate about whether to use contact tracing apps—a potentially crucial strategy for reopening economies during the pandemic—has centered mostly on what data to collect and who should have access to it, but cybersecurity insiders say the apps are also highly vulnerable to attacks that could expose data ranging from user names to location data. <https://www.politico.com/news/2020/06/10/google-and-apples-rules-for-virus-tracking-apps-sow-division-among-states-312199>

And the U.S. has its own unique vulnerabilities: a fragmented collection of apps, tiny state cybersecurity budgets and stalled legislation in Congress that makes federal government rules unlikely anytime soon. […] https://www.politico.com/news/2020/07/06/coronavirus-tracking-app-hacking-348601


Re: Breaking HTTPS in the IoT: Practical Attacks For Reverse Engineers (RISKS-32.07)

“Keith Medcalf” <kmedcalf@dessus.com>
Sun, 05 Jul 2020 07:56:52 -0600
> For instance, the use of insecure communications (e.g., unencrypted HTTP),
> is now only found in a minority of Bishop Fox client product assessments,
> which gives a somewhat positive (and admittedly biased) picture of IoT
> security trends.

HTTPS is not a security protocol. It is a privacy protocol. It has absolutely ZERO impact on security, which is quite a different thing entirely than privacy. Simply wrapping a security vulnerability inside private transport does absolutely nothing for security.


Re: Jane Goodall on conservation, climate change and COVID-19

geoff goodfellow <geoff@iconia.com>
Sat, 4 Jul 2020 01:13:00 -1000
“If we carry on with business as usual, we're going to destroy ourselves”

While COVID-19 and protests for racial justice the world's collective attention, ecological destruction, species extinction and climate change continue unabated. While the world's been focused on other crises, an alarming study was released warning that species extinction is now progressing so fast that the consequences of “biological annihilation” may soon be “unimaginable.” <https://www.cbsnews.com/news/species-extinction-risk-biological-annihilation-study/>

Dr. Jane Goodall <https://www.janegoodall.org/>, the world-renowned conservationist, desperately wants the world to pay attention to what she sees as the greatest threat to humanity's existence.

CBS News recently spoke to Goodall over a video conference call and asked her questions about the state of our planet. Her soft-spoken grace somehow helped cushion what was otherwise extremely sobering news: “I just know that if we carry on with business as usual, we're going to destroy ourselves. It would be the end of us, as well as life on Earth as we know it,” warned Goodall. […]

https://www.cbsnews.com/news/jane-goodall-climate-change-coronavirus-environment-interview/


Re: Jane Goodall on conservation, climate change and COVID-19 (RISKS-32.07)

Dennis Allison <dennis.allison@gmail.com>
Sat, Jul 4, 2020 at 6:27 AM
> “If we carry on with business as usual, we're going to destroy ourselves”

Geoff, anyone tracking the posts you've made knows that Jane Goodall has gotten her tense wrong; we are already extinct. We might be able to save ourselves from extinction were we to mount a cooperative global effort to mitigate the impacts that are going to occur no matter what we do. The likelihood of that is about the same as a snowball's chance of survival in the Antarctic, where temperatures reached 65 degrees Fahrenheit.


Re: A Doctor Confronts Medical Errors (RISKS-32.07)

Amos Shapir <amos083@gmail.com>
Sat, 4 Jul 2020 12:03:03 +0300

Every documentary I've ever watched about a rare disease or medical condition always repeats the same story: a patient develops some symptoms, doctors diagnose it as some common condition, treatment is not effective. It might take a long time—sometimes years—for one curious doctor to realize it's a rare condition, and try to analyze it correctly.

It seems that doctors use analysis algorithms that always come up pointing to a common condition—which may be correct in a large majority of cases, but is never “this may be a rare case, further investigation is needed”.

Such methods may be understandable when working under constant pressure and diminishing budgets, but doctors now employ computerized systems, which can present them with a greater variety of options—but do not. It seems that the same old algorithms had just been computerized with no added sophistication. AI systems wouldn't help either, if they are trained using data which is generated by the old methods.


Re: Smells Fishy? The Fish That Prevent Iran From Hacking Israel's Water System (RISKS-32.06)

Bill Matthews <yellow.tropicana@gmail.com>
Sat, 4 Jul 2020 21:30:21 -0400

What kind of fish is it that can live in chlorinated water?

When our local potable water supplier intends to change the level of chlorination or the kind of chlorinating-chemical in our water, it's advertised in the local paper prior to their making the change. It's advertised prior to the event so that aquarists can appropriately adapt to the change in chlorination.


Quote of The Day

geoff goodfellow <geoff@iconia.com>
Sat, 4 Jul 2020 01:10:00 -1000

Calvin Coolidge, 150th Anniversary of the Declaration of Independence:

“We live in an age of science and of abounding accumulation of material things. These did not create our Declaration. Our Declaration created them.”

https://nsjonline.com/article/2020/06/hill-president-calvin-coolidge-on-the-150th-anniversary-of-the-declaration-of-independence-july-5-1926/
