The RISKS Digest
Volume 32 Issue 85

Wednesday, 1st September 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Tesla on autopilot smashes into police car helping motorist at side of road
CNN
Toyota suspends use of self-driving vehicle in Olympic Village after collision with Paralympic athlete
CNN
‘Copilot’ “highly likely” to introduce bugs and vulnerabilities
Techradar
Keeping Your Family Safe From Vehicle Rollaways
NBC4 WashDC
Lights Flickered in New York City. Why Did the Subways Grind to a Halt?
NYTimes
Fraud Alert: Malicious QR Codes Now Used by Online Scammers
Washington Consumers' Checkbook
A Fix for Ransomware Attacks
Paul Rosenzweig
Falsehoods diminish trust in California recall vote
Kaylee Fagan
Manned Mars mission viable if it doesn't exceed four years, concludes international research team
phys.org
Lying with statistics
Ars Technica
Iceland has reported more cases in the past month than they had in the previous 9 months combined
ianmSC
T-Mobile Hacker Who Stole Data on 50 Million Customers: ‘Their Security Is Awful’
WSJ
Reddit CEO rejects call for a crackdown on coronavirus misinformation
Engadget
Australian preprint ban in grant applications deemed ‘plain ludicrous’
Nature
One more position on the Apple Appleplexy
Susan Landau
Re: UK to SORT-OF Hang Up on Landline Phones in 2025
Lindsay Marshall, John Levine
Info on RISKS (comp.risks)

Tesla on autopilot smashes into police car helping motorist at side of road (CNN)

Lauren Weinstein <lauren@vortex.com>
Mon, 30 Aug 2021 13:52:16 -0700

The feds should order “autopilot” shut down completely while these investigations continue. -L

https://www.cnn.com/2021/08/30/business/tesla-crash-police-car/index.html


Toyota suspends use of self-driving vehicle in Olympic Village after collision with Paralympic athlete (CNN)

Lauren Weinstein <lauren@vortex.com>
Sat, 28 Aug 2021 18:41:21 -0700

https://www.cnn.com/2021/08/27/cars/toyota-self-driving-vehicle-paralympics-accident/index.html


‘Copilot’ “highly likely” to introduce bugs and vulnerabilities (Techradar)

“Henry Baker” <hbaker1@pipeline.com>
Sun, 29 Aug 2021 18:53:35 +0000

‘AI’ proves once again that BS in == BS out. There is no free lunch.

GitHub autopilot “highly likely” to introduce bugs and vulnerabilities

https://www.techradar.com/news/github-autopilot-highly-likely-to-introduce-bugs-and-vulnerabilities-report-claims

Academic researchers discover that nearly 40% of the code suggestions by GitHub's Copilot tool are erroneous, from a security point of view.

Since Copilot draws on publicly available code in GitHub repositories, the researchers theorize that the generated vulnerable code could perhaps just be the result of the system mimicking the behavior of buggy code in the repositories.

https://arxiv.org/pdf/2108.09293.pdf

An Empirical Cybersecurity Evaluation of GitHub Copilot's Code Contributions


Keeping Your Family Safe From Vehicle Rollaways (NBC4 WashDC)

“Gabe Goldberg” <gabe@gabegold.com>
Sun, 29 Aug 2021 18:49:34 -0400

Families across the country are raising safety questions involving deadly vehicle rollaway accidents that kill nearly 150 people every year.

https://www.nbcwashington.com/news/local/keeping-your-family-safe-from-vehicle-rollaways/2756126/

Novel implementation of familiar gearshift technology, uninformed dealers, lack of instruction/practice, inattentive drivers, massive manuals nobody reads burying critical safety information.

ALWAYS set parking brake. I didn't, once, and my stick-shift car went for an adventure—made sharp right turn in reverse, crossed a street, killed a neighbor's mailbox.


Lights Flickered in New York City. Why Did the Subways Grind to a Halt? (NYTimes)

“Gabe Goldberg” <gabe@gabegold.com>
Tue, 31 Aug 2021 00:26:30 -0400

https://www.nytimes.com/2021/08/30/nyregion/power-outage-nyc.html

…because one thing led to another.


Fraud Alert: Malicious QR Codes Now Used by Online Scammers (Washington Consumers' Checkbook)

“Gabe Goldberg” <gabe@gabegold.com>
Wed, 1 Sep 2021 14:58:33 -0400

A couple lost $1,600 trying to rent a vacation house. The “rental agent” said to use his QR code to pay the deposit using a Bitcoin ATM machine.

A caller, who claimed to be with the power company, threatened to turn off the electricity in 20 minutes because of an outstanding bill of $973. The homeowners were sent a QR code and told to use it at a nearby kiosk. It turned out to be the QR code to download the bitcoin app. Thankfully, the transaction was not completed.

A consumer in Hawaii sent $1,000 via QR code to an investment company that made contact via Instagram. After the trading period ended, the scammer demanded a fee of $4,102 to withdraw the supposed $20,500 profit in the account. Again, the money was sent via a bitcoin machine to the address in the QR Code. Total loss: $5,102.

https://www.checkbook.org/washington-area/consumers-notebook/articles/Fraud-Alert-Malicious-QR-Codes-Now-Used-by-Online-Scammers-7587

Well, yes. But don't be an idiot.


A Fix for Ransomware Attacks (Paul Rosenzweig)

Peter Neumann <neumann@csl.sri.com>
Wed, 1 Sep 2021 13:30:39 PDT

Paul Rosenzweig, The New York Times, 1 Sep 2021

Tighter cryptocurrency rules would interfere with criminals' toll collection

The last paragraph is this: The U.S. “does not have a ransomware problem so much as it has an anonymous ransom problem. If we can change the payment system to make the kidnapping less profitable, we will go a long way to a solution.”


Falsehoods diminish trust in California recall vote (Kaylee Fagan)

Peter Neumann <neumann@csl.sri.com>
Mon, 30 Aug 2021 20:07:27 PDT

Kaylee Fagan, The San Francisco Chronicle, 29 Aug 2021 [Or not? PGN]

“The campaign to recall California Governor Gavin Newsom has a conspiracy theory problem, and it just might siphon off votes that aid its cause.”


Manned Mars mission viable if it doesn't exceed four years, concludes international research team (phys.org)

“Richard Stein” <rmstein@ieee.org>
Fri, 27 Aug 2021 11:25:39 +0800

https://phys.org/news/2021-08-mars-mission-viable-doesnt-years.html

“Shprits and colleagues from UCLA, MIT, Moscow's Skolkovo Institute of Science and Technology and GFZ Potsdam combined geophysical models of particle radiation for a solar cycle with models for how radiation would affect both human passengers, including its varying effects on different bodily organs, and a spacecraft. The modeling determined that having a spacecraft's shell built out of a relatively thick material could help protect astronauts from radiation, but that if the shielding is too thick, it could actually increase the amount of secondary radiation to which they are exposed.”

For the curious, and those inclined to “Boldly go where no one has gone before,” see “How bad is the radiation on Mars?” from https://phys.org/news/2016-11-bad-mars.html to discover the hard facts about Martian Surface radiation: ~22 rads per day (~0.22 Sv per day from https://www.unitsconverters.com/en/Rad-To-Sievert/Unittounit-3966-3988?MeasurementId=33&From=3966&To=3988&textBoxBufferedValue=0) which is ~220 chest x-rays.

In space, timing is everything. If the cosmic radiation doesn't ‘get you,’ the Sun's (and/or secondary/shield-induced) radiation will.


Lying with statistics (Ars Technica)

“Arthur T.” <risks202108.6.atsjbt@xoxy.net>
Sat, 28 Aug 2021 01:23:39 -0400

‘Microsoft says that Insider Program PCs that didn't meet Windows 11's minimum requirements “had 52% more kernel-mode crashes” than PCs that did, and that “devices that do meet the system requirements had a 99.8% crash-free experience.”’

This is from an Ars Technica story, and the writer didn't do the math. A 52% increased probability of crash yields barely under a 99.7% crash-free experience. When expressed in the same terms (probability of not crashing), it shows that there's not really a big difference.

Risk: Blithely quoting a company's statistics without questioning them.

https://arstechnica.com:443/gadgets/2021/08/why-windows-11-has-such-strict-hardware-requirements-according-to-microsoft/

(Yes, I know that total crashes might be more than just kernel-mode crashes. But I think that would make the crash-free percentages even less different.)


Iceland has reported more cases in the past month than they had in the previous 9 months combined (ianmSC)

geoff goodfellow <geoff@iconia.com>
Thu, 26 Aug 2021 09:07:05 -1000

Iceland has reported more cases in the past month than they had in the previous 9 months combined.

91.2% of their adult population is at least partially vaccinated, 86.5% are fully vaccinated.

Fauci said with 50% vaccinated, we wouldn't see surges like those in the past. Whoops!

https://twitter.com/ianmSC/status/1428407830093041664


T-Mobile Hacker Who Stole Data on 50 Million Customers: ‘Their Security Is Awful’

geoff goodfellow <geoff@iconia.com>
Thu, 26 Aug 2021 11:22:40 -1000

A 21-year-old American said he used an unprotected router to access millions of customer records in the mobile carrier's latest breach

The hacker who is taking responsibility for breaking into T-Mobile US Inc.'s systems said the wireless company's lax security eased his path into a cache of records with personal details on more than 50 million people and counting.

John Binns, a 21-year-old American who moved to Turkey a few years ago, told The Wall Street Journal he was behind the security breach. Mr. Binns, who since 2017 has used several online aliases, communicated with the Journal in Telegram messages from an account that discussed details of the hack before they were widely known.

The August intrusion was the latest in a string of high-profile breaches at U.S. companies that have allowed thieves to walk away with troves of personal details on consumers. A booming industry of cybersecurity consultants, software suppliers and incident-response teams have so far failed to turn the tide against hackers and identity thieves who fuel their businesses by tapping these deep reservoirs of stolen corporate data.

The breach is the third major customer data leak that T-Mobile has disclosed in the past two years. The Bellevue, Wash., company is the second-largest U.S. mobile carrier with roughly 90 million cellphones connecting to its networks.

The Seattle office of the Federal Bureau of Investigation is investigating the T-Mobile hack, according to a person familiar with the matter. “The FBI is aware of the incident and does not have any additional information at this time,” the Seattle office said in a statement Wednesday.

In messages with the Journal, Mr. Binns said he managed to pierce T-Mobile's defenses after discovering in July an unprotected router exposed on the internet. He said he had been scanning T-Mobile's known internet addresses for weak spots using a simple tool available to the public.

The young hacker said he did it to gain attention. “Generating noise was one goal,” he wrote. He declined to say whether he had sold any of the stolen data or whether he was paid to breach T-Mobile.

The 21-year-old hacker shared a screenshot of internal T-Mobile servers with warnings against unauthorized access.

Several cybersecurity experts said the public details of the hack and reports of previous T-Mobile breaches show the carrier's defenses need improvement. Many of the records reported stolen were from prospective clients or former customers long gone. “That to me does not sound like good data management practices,” said Glenn Gerstell, a former general counsel for the National Security Agency.

Mr. Binns said he used that entry point to hack into the cellphone carrier's data center outside East Wenatchee, Wash., where stored credentials allowed him to access more than 100 servers. “I was panicking because I had access to something big,” he wrote. “Their security is awful.” He said it took about a week to burrow into the servers that contained personal data about the carrier's tens of millions of former and current customers, adding that the hack lifted troves of data around Aug. 4.

On Aug 13 2021, the security research firm Unit221B LLC reported to T-Mobile that an account was attempting to sell T-Mobile customer data, according to the security firm. Two days later, T-Mobile publicly acknowledged it was investigating a potential breach.

T-Mobile confirmed that more than 50 million customer records have been stolen. The wireless carrier said it had repaired the security hole that enabled the breach. “We are confident that we have closed off the access and egress points the bad actor used in the attack,” it said in a statement. A T-Mobile spokeswoman declined to comment on specific claims by Mr. Binns or by cybersecurity experts.

For Mr. Binns, who uses the online names IRDev and v0rtex, among others, the T-Mobile hack represents a major development in a track record that has featured various exploits and, four years ago, peripheral involvement in the creation of a massive network of hacked devices that was used for online attacks.

Mr. Binns showed the Journal that he could access accounts linked to the IRDev online personality, which shared screenshots depicting access into T-Mobile's network. He declined to be photographed but answered personal questions to confirm his identity as John Binns. […] https://www.wsj.com/articles/t-mobile-hacker-who-stole-data-on-50-million-customers-their-security-is-awful-11629985105?st=4nh9nfpmp3o2293

[ADDED LATER from geoff:]

… Mike Benjamin, vice president of security for network operator Lumen Technologies Inc., said U.S. prosecutions in past years have limited the threat from these botnets, though network attacks have started growing in recent months. He said many young people, especially in the U.S. and Europe, first learn basic hacking techniques by sharing tricks and tactics with fellow gamers online.

“Online video-gaming drives a natural competitiveness,” Mr. Benjamin said. “Everybody's looking for that edge. That can reach into this area of outside of the videogame,” where tactics end up “breaking the internet instead of just inside the rules of the game.”


Reddit CEO rejects call for a crackdown on coronavirus misinformation

Lauren Weinstein <lauren@vortex.com>
Thu, 26 Aug 2021 14:28:42 -0700

https://www.engadget.com/reddit-211856313.html?src=rss


Australian preprint ban in grant applications deemed ‘plain ludicrous’ (Nature)

“ファーバーデイヴィッド J” <farber@keio.jp>
Thu, 2 Sep 2021 03:36:33 +0900

https://www.nature.com/articles/d41586-021-02318-8


One more position on the Apple Appleplexy (Susan Landau)

Peter G Neumann <neumann@csl.sri.com>
Mon, 30 Aug 2021 9:02:41 PDT

https://www.lawfareblog.com/normalizing-surveillance


Re: UK to SORT-OF Hang Up on Landline Phones in 2025 (RISKS-32.84)

Lindsay Marshall <Lindsay.Marshall@newcastle.ac.uk>
Fri, 27 Aug 2021 07:25:03 +0000

This is not true. The move is to an IP-based system, not no landlines.

https://www.ofcom.org.uk/phones-telecoms-and-internet/information-for-industry/telecoms-competition-regulation/future-fixed-telephone-services


Re: UK to SORT-OF Hang Up on Landline Phones in 2025 (RISKS-32.84)

“John Levine” <johnl@iecc.com>
27 Aug 2021 14:20:10 -0400

This story suffers from bad reporting. What's actually going away is the legacy SS7/TDM signaling, known in the UK as C7, presumably in favor of SIP.

The physical networks in the UK are a mix of fiber and copper, with a lot of FTTN with copper loops which is migrating at some rate to FTTP with fiber the whole way.

PS: We can have a metaphysical discussion about what counts as a landline phone. I have fiber running into the house, which connects to a telco-provided battery-backed modem, which is connected to the copper wire in my house into which I plug a genuine American Bell Mickey Mouse phone. Is that a landline? Sure seems like it when the phone rings, and I mean rings.
