Inspectors repeatedly found manufacturing and device quality problems with the HeartWare heart pump. But the FDA did not penalize the company, and patients had the device implanted on their hearts without knowing the facts.
https://www.propublica.org/article/heartware-patients-implanted-fda
In this posting and paper pre-print,
https://lukeoakdenrayner.wordpress.com/2021/08/02/ai-has-the-worst-superpower-medical-racism/ https://arxiv.org/abs/2107.10356
Luke Oakden-Rayner describes a jaw-dropping accomplishment of a medical AI system: it learned to recognize the self-reported racial identity of medical patients by analyzing their X-rays(!). Even more remarkable, it has thus far proven infeasible to discover how it does so, in part because humans are unable to perform the same feat.
On one level, this is a bad risk for medical care driven by inscrutable black boxes. But there are potential counter-measures to mitigate the effect.
On another level, this is a fascinating intellectual and research challenge: how does it do that, and why can people apparently not do the same thing?
And on yet another level, what does this result imply for fooling AI-driven systems in all sorts of other contexts? Or for making tamper-resistant AI systems?
The vulnerabilities the Armis researchers found in TransLogic PTS offerings aren't directly exploitable from the open Internet. But they're all relatively simple flaws to take advantage of, a smattering of hardcoded passwords, buffer overflows, memory corruption bugs, and the like. An attacker on the same network as the web of pneumatic tubes and control panels would have multiple paths to manipulate the system. And by exploiting certain flaws, they could even install their own unvalidated firmware on a Translogic Nexus Control Panel. For attackers, this would be an avenue to establishing deep, lasting control—hospitals would need to install another curative firmware update to eradicate the intruders.
https://www.wired.com/story/pneumatic-tubes-hospitals-hacking/
Must be present to hack—so insider/intruder threat only?
Drills involving swarms of drones raise questions about whether machines could outperform a human operator in complex scenarios.
https://www.wired.com/story/pentagon-inches-toward-letting-ai-control-weapons/
Smells like a cyber-attack
https://www.timesofisrael.com/4-ships-in-gulf-of-oman-lose-control-days-after-drone-strike-on-vessel/
At least six ships off the coast of the United Arab Emirates broadcast warnings [on 3 Aug 2021] that they had lost control of their steering under unclear circumstances as British authorities reported “a potential hijack” was underway in the area.
The six vessels announced around the same time via their Automatic Identification System trackers that they were “not under command,” according to MarineTraffic.com. That typically means a vessel has lost power and can no longer steer.
“At the same time, if they are in the same vicinity and in the same place, then very rarely that happens,” said Ranjith Raja, an oil and shipping expert with data firm Refinitiv. “Not all the vessels would lose their engines or their capability to steer at the same time.”
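As an added example (not from the article or from any shipping-industry tool), here is the check the expert's remark suggests, run over constructed AIS position reports: flagging several vessels that switch to navigational status 2, "not under command", within a short window and a small radius of each other. Vessel identifiers, positions and times are made up.

```python
# Added example (not from the article): flag groups of vessels that report AIS
# navigational status 2, "not under command" (NUC), at nearly the same time and
# in the same vicinity, which the expert quoted above says very rarely happens.
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt
NOT_UNDER_COMMAND = 2  # AIS nav status code; 0 = under way using engine

@dataclass
class AisReport:
    mmsi: str        # vessel identifier (constructed values below)
    ts: datetime     # report time (UTC)
    lat: float
    lon: float
    nav_status: int

def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in nautical miles."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 3440.065 * asin(sqrt(a))  # 3440.065 nm is the Earth's radius

def nuc_clusters(reports, window=timedelta(hours=1), radius_nm=30.0, min_vessels=3):
    """Return sets of MMSIs whose first NUC reports fall within `window` and
    `radius_nm` of a seed vessel's first NUC report, min_vessels or more."""
    first_nuc = {}  # mmsi -> earliest report carrying status NUC
    for r in sorted(reports, key=lambda r: r.ts):
        if r.nav_status == NOT_UNDER_COMMAND and r.mmsi not in first_nuc:
            first_nuc[r.mmsi] = r
    events = list(first_nuc.values())
    clusters = []
    for seed in events:
        group = {e.mmsi for e in events
                 if abs((e.ts - seed.ts).total_seconds()) <= window.total_seconds()
                 and haversine_nm(seed.lat, seed.lon, e.lat, e.lon) <= radius_nm}
        if len(group) >= min_vessels and group not in clusters:
            clusters.append(group)
    return clusters

# Constructed sample: four vessels off Fujairah go NUC within 20 minutes, one
# vessel about 190 nm away goes NUC at the same time, one keeps steaming.
T0 = datetime(2021, 8, 3, 13, 0)
SAMPLE = [
    AisReport("A", T0 + timedelta(minutes=1), 25.10, 56.40, NOT_UNDER_COMMAND),
    AisReport("B", T0 + timedelta(minutes=5), 25.15, 56.45, NOT_UNDER_COMMAND),
    AisReport("C", T0 + timedelta(minutes=12), 25.05, 56.50, NOT_UNDER_COMMAND),
    AisReport("D", T0 + timedelta(minutes=20), 25.20, 56.35, NOT_UNDER_COMMAND),
    AisReport("E", T0 + timedelta(minutes=8), 25.10, 60.00, NOT_UNDER_COMMAND),
    AisReport("F", T0 + timedelta(minutes=3), 25.12, 56.42, 0),
]
```

Calling `nuc_clusters(SAMPLE)` returns the single group `{"A", "B", "C", "D"}`; the far-off vessel E and the still-steaming F are not grouped.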
The Greenland ice sheet experienced a massive melting event last week. The melting event could have short-term and long-term implications for sea-level rise.
https://www.washingtonpost.com/weather/2021/08/05/greenland-melt-event-season-2021/
A critical ocean system may be heading for collapse due to climate change, study finds. Studies of ancient climate change show that a shutdown of the Atlantic Meridional Overturning Circulation could lead to wild temperature swings and major shifts in global weather systems.
https://www.washingtonpost.com/climate-environment/2021/08/05/change-ocean-collapse-atlantic-meridional/
Risks? Ignorance, stupidity, politics. Always a nice confluence.
The semiconductor supply crunch came for cars and phones. Now consumers are facing higher prices.
On that Australian employee's PC, someone had used a tool that pulled credentials out of the machine's memory and then reused those usernames and passwords to log into other machines on the network. They'd then scraped those computers' memories for more usernames and passwords—finding some that belonged to more privileged administrators. The hackers eventually got to a server containing hundreds of users' credentials. Today that credential-stealing hopscotching technique is common. But in 2011 the analysts were surprised to see how the hackers fanned out across the network. “It was really just the most brutal way to blow through our systems that I’d ever seen,” Duane says.
https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/
“Tool”?
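An added example, not from the article or from RSA: detection logic a defender would run over authentication logs to surface the pattern described, a source host reaching many hosts in a short window and an account reused from more than one source. The log format and every entry in it are constructed.

```python
# Added example (not from the Wired article): detection logic a defender would run
# over authentication logs to surface the credential-reuse "hopscotch" described
# above; the log format and every entry below are constructed, not real data.
import re
from collections import defaultdict
from datetime import datetime, timedelta
LINE_RE = re.compile(r"(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)")

def parse(lines):
    """Parse constructed 'ts auth user= src= dst= result=' lines; skip the rest."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])})
    return events

def fanout_sources(events, window=timedelta(minutes=30), min_hosts=3):
    """Sources with successful logins to >= min_hosts distinct hosts inside one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "SUCCESS":
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                hits[src] = sorted(hosts)  # report the first qualifying span
                break
    return hits

def shared_accounts(events, min_sources=2):
    """Accounts logged in successfully from >= min_sources sources: a replayed credential."""
    srcs = defaultdict(set)
    for e in events:
        if e["result"] == "SUCCESS":
            srcs[e["user"]].add(e["src"])
    return {u: sorted(s) for u, s in srcs.items() if len(s) >= min_sources}

# Constructed sample: 10.0.1.5 fans out to three hosts in ten minutes, then
# bob's credential is replayed from ws-027, one of the hosts just reached.
SAMPLE_LOG = """\
2011-03-01T02:00:10 auth user=alice src=10.0.1.5 dst=ws-014 result=SUCCESS
2011-03-01T02:03:42 auth user=alice src=10.0.1.5 dst=ws-027 result=SUCCESS
2011-03-01T02:05:01 auth user=bob src=10.0.1.5 dst=fs-02 result=FAILURE
2011-03-01T02:09:17 auth user=bob src=10.0.1.5 dst=fs-02 result=SUCCESS
2011-03-01T02:11:30 auth user=bob src=ws-027 dst=srv-creds result=SUCCESS
""".splitlines()
```

`fanout_sources(parse(SAMPLE_LOG))` flags 10.0.1.5 with its three destinations, and `shared_accounts(parse(SAMPLE_LOG))` flags bob as used from both 10.0.1.5 and ws-027; the failed attempt is ignored by both checks.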
Spyware sold to authoritarian regimes used to target activists, politicians and journalists, data suggests
Human rights activists, journalists and lawyers across the world have been targeted by authoritarian governments using hacking software sold by the Israeli surveillance company NSO Group, according to an investigation into a massive data leak.
The investigation by the Guardian and 16 other media organisations suggests widespread and continuing abuse of NSO's hacking spyware, Pegasus, which the company insists is only intended for use against criminals and terrorists.
Pegasus is malware that infects iPhones and Android devices to enable operators of the tool to extract messages, photos and emails, record calls and secretly activate microphones.
The leak contains a list of more than 50,000 phone numbers that, it is believed, have been identified as those of people of interest by clients of NSO since 2016.
Forbidden Stories, a Paris-based nonprofit media organisation, and Amnesty International initially had access to the leaked list and shared access with media partners as part of the Pegasus project, a reporting consortium.
The presence of a phone number in the data does not reveal whether a device was infected with Pegasus or subject to an attempted hack. However, the consortium believes the data is indicative of the potential targets NSO's government clients identified in advance of possible surveillance attempts.
Forensics analysis of a small number of phones whose numbers appeared on the leaked list also showed more than half had traces of the Pegasus spyware.
The Guardian and its media partners will be revealing the identities of people whose number appeared on the list in the coming days. They include hundreds of business executives, religious figures, academics, NGO employees, union officials and government officials, including cabinet ministers, presidents and prime ministers.
The list also contains the numbers of close family members of one country's ruler, suggesting the ruler may have instructed their intelligence agencies to explore the possibility of monitoring their own relatives.
The disclosures begin on Sunday, with the revelation that the numbers of more than 180 journalists are listed in the data, including reporters, editors and executives at the Financial Times, CNN, the New York Times, France 24, the Economist, Associated Press and Reuters.
The phone number of a freelance Mexican reporter, Cecilio Pineda Birto, was found in the list, apparently of interest to a Mexican client in the weeks leading up to his murder, when his killers were able to locate him at a carwash. His phone has never been found so no forensic analysis has been possible to establish whether it was infected. […]
I just spotted this on a BBC website, probably not a surprise (2.3 billion pounds is about US$3.22 billion; when I worked in telecomms, we used Y2K as an opportunity to review/update our software as needed):
https://www.bbc.co.uk/news/uk-politics-58085316
James Clayton, BBC News, 5 Aug 2021 via ACM TechNews, 6 Aug, 2021
Apple has unveiled a system designed to scan U.S. customers' iPhones to determine if they contain child sexual abuse material (CSAM). The system compares photo files on each handset to a database of known CSAM gathered by the National Center for Missing and Exploited Children and other organizations. Before an iPhone can be used to upload an image to the iCloud Photos platform, the technology will look for matches to known CSAM; matches are evaluated by human reviewers who report confirmed matches to law enforcement. The company said the system's privacy benefits are significantly better than existing techniques, because Apple only learns about users' images if their iCloud Photos accounts contain collections of known CSAM.
“Home Depot says their new anti-theft strategy is now being used […] the store will use Bluetooth technology to activate the tool.”
And from the comments: “I'd expect the simplest fix to this is to buy your tools from a vendor that does not sabotage them.”
Security researcher Kya Supa was staying at a capsule hotel in Japan while on vacation and had a noisy neighbor.
Every day at around 2 a.m., the neighbor would be on the phone making a loud call. Supa politely asked the neighbor to not be so loud, but the neighbor didn't listen. What happened next was the subject of Supa's session at the Black Hat US 2021 hybrid event, where he detailed how he was able to hack the hotel's system to get back at his noisy neighbor, whom he referred to as Bob.
“Some people just don't take anything seriously,” Supa said about Bob. “So I thought it would be nice if I could take control of his room and make him have a lovely night.”
https://www.infosecurity-magazine.com/news/bhusa-hacking-a-capsule-hotel/
Citing a ProPublica report on the high numbers of complaints about involuntary Chime account closures and other problems, Sherrod Brown asked the Consumer Financial Protection Bureau to lay out a plan for overseeing neobanks.
And there are commercials for Credit Karma gamifying checking accounts — use your debit card, maybe purchase (but only up to $5,000) will be free. Plus, they say, there's a maximum balance limit—give us your money, but not too much.
Making banking fun, what could go wrong.
Threat actors are increasingly shifting to “exotic” programming languages such as Go, Rust, Nim, and Dlang that can better circumvent conventional security protections, evade analysis, and hamper reverse engineering efforts.
“Malware authors are known for their ability to adapt and modify their skills and behaviors to take advantage of newer technologies,” said Eric Milam, Vice President of threat research at BlackBerry <https://www.blackberry.com/us/en/forms/enterprise/report-old-dogs-new-tricks>. “That tactic has multiple benefits from the development cycle and inherent lack of coverage from protective products.”
On the one hand, languages like Rust are more secure as they offer guarantees like memory-safe programming <https://en.wikipedia.org/wiki/Rust_(programming_language)#Memory_safety>, but they can also be a double-edged sword when malware engineers abuse the same features designed to offer increased safeguards to their advantage, thereby making malware less susceptible to exploitation and thwarting attempts to activate a kill-switch <https://thehackernews.com/2020/08/emotet-botnet-malware.html> and render it powerless.
Noting that binaries written in these languages can appear more complex, convoluted, and tedious when disassembled, the researchers said the pivot adds additional layers of obfuscation simply by virtue of them being relatively new, leading to a scenario where older malware developed using traditional languages like C++ and C# is being actively retooled with droppers and loaders written in uncommon alternatives to evade detection by endpoint security systems. […]
https://thehackernews.com/2021/07/hackers-turning-to-exotic-programming.html
Headline from the Prohibition Era:
“Bootleggers using powerful cars and speedboats to outrun police and Coast Guard”
‘Exotic’ PL's is a “dog bites man” headline, if I ever saw one.
What's the takeaway?
Should ‘exotic’ programming languages be banned, because criminals use them? Perhaps high-quality food should also be banned, because criminals eat it?
High-quality ‘exotic’ programming languages can dramatically reduce the types of bugs that enable malware in the first place, much like better locks can reduce theft.
Perhaps the criminals are doing us all a favor & dramatically demonstrating the advantages of these ‘exotic’ languages?
> Surprisingly a real-life scenario and not a plotline from The Simpsons.
> Dan Jacobson
Earlier than the Simpsons. Very like Peter Ustinov in Hot Millions from 1968, cleaning staff and all:
Hot Millions (1968), Directed by Eric Till. With Peter Ustinov, Maggie Smith, Karl Malden, Bob Newhart. Paroled London …