The RISKS Digest
Volume 33 Issue 12

Friday, 1st April 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

This year there are apparently too many fools in the world.
PGN
CPAP murder mystery
Charles C. Mann
NYC Skyscraper's Elevator Breakdowns Strand Tenants
NYTimes
The never-stopping car
Geoff Kuenning
Please hold on to the handrails while entering or exiting the escalator
Brian Roemmele via PGN
Hackers Steal About $600 Million in One of the Biggest Crypto Heists
Bloomberg
Cryptocurrency Cryptotheft
Reuters via Steven J. Greenwald
A Sinister Way to Beat Multifactor Authentication Is on the Rise
WiReD
AI-Influenced Weapons Need Better Regulation
Scientific American
Waymo to Send Driverless Cars Through San Francisco
WSJ
Hackers who crippled Viasat modems in Ukraine are still active—company official
Reuters
Apple & Meta Gave User Data to Hackers Who Used Forged Legal Requests
Bloomberg
Election officials targeted by phishing, according to FBI
A.J. Vicens
Hackers gaining subpoena power via fake emergency requests
Krebsonsecurity
Corporate Media Wants Copyright Law to Rewrite the Internet
EFF
Climate change: Wind and solar reach milestone as demand surges
Ember-climate
The Milky Way's ‘thick disk’ is 2 billion years older than scientists thought
Live Science
You're eating a credit card's worth of plastic every week, and it's altering your gut makeup
GutNews
Re: One problem with permanent daylight saving time: Geography
Henry Baker
Re: URL problem on the Doug Jones op-ed
Mark Brader
Info on RISKS (comp.risks)

This year there are apparently too many fools in the world.

Peter Neumann <neumann@csl.sri.com>
Fri, 1 Apr 2022 12:58:06 PDT

As a consequence, I am declaring a moratorium on April Fools' Day pranks for this year's 1 April issue of RISKS. We don't need any more misleading messages to confuse people who might already be confused, or alternatively spreading and amplifying false information. Perhaps 2023 will have fewer people who are already fooled.


CPAP murder mystery

“Charles C. Mann” <ccmann@comcast.net>
Wed, 30 Mar 2022 15:58:11 -0400 (EDT)

Recently a friend told me he was looking for a CPAP machine. For those who don't know, CPAP machines are vaguely snorkel-like gizmos that people with sleep apnea put on their faces at night to help them breathe properly and thus sleep properly. I don't know much about them, so I looked them up.

From what I could tell, there seem to be two new technologies that are coming up in the CPAP world. The first is remotely programmable CPAP machines. This both allows doctors to adjust the way they work and insurance companies to monitor whether the users are deploying them properly. Presumably the latter is because the machines are expensive.

The second is a CPAP machine that is small and implantable. It goes into your body right above the breathing tube. For obvious reasons, the implantable version has been a hit with patients—you don't have to put this monstrous thing on your face at night.

There are, of course, CPAP bulletin boards. I looked at one, and almost the first post I saw was somebody wishing his implantable CPAP machine could be remotely monitored, so that he wouldn't have to go to the doctor's office to have it adjusted. I assume this will soon happen, and that as a result there will be thousands of Americans who have their breathing directly connected to the Internet. The murder-mystery possibilities present themselves immediately.

[This seems like a new area of badness for the Internet of Things. I hope to heaven that my assumption that the implantable devices will soon be net-enabled is incorrect. CCM]


NYC Skyscraper's Elevator Breakdowns Strand Tenants (NYTimes)

Gabe Goldberg <gabe@gabegold.com>
Tue, 29 Mar 2022 00:10:01 -0400

High-Rise Hell

A luxury residential building in the financial district with more than 750 apartments has been experiencing lengthy elevator outages since the fall.

The building's owners, DTH Capital, say that Con Edison must step in to resolve the problems, which they maintain are likely related to electrical surges from Con Edison equipment. The owners say they have hired teams with elevator, electrical and engineering expertise to get to the bottom of the problem, which is affecting eight elevators.

“These experts have so far been unable to determine the source of the surges and believe that we will not be able to do so without the full collaboration and 24/7 support of Con Edison,” DTH Capital said in a statement.

Con Edison, in turn, says it has conducted extensive testing at the building and found “no indication that our power supply is deficient or compromised.”

https://www.nytimes.com/2022/03/28/nyregion/nyc-elevator-outage-20-exchange-place.html

I guess there's not really a problem, then. GG


The never-stopping car

Geoff Kuenning <geoff@cs.hmc.edu>
Mon, 28 Mar 2022 16:58:45 -0700

I use a car-sharing service (Zipcar) from time to time. Today I rented a 2020 Hyundai Elantra to go to some appointments on a rainy day. When I got to the first destination, the car wouldn't lock because the engine was still running. Odd…obviously I must have accidentally left the key in the ignition.

But no; the key wasn't in the ignition. I tried many experiments without success and finally went to both appointments while leaving the car in public parking lots, running, just hoping that since the engine was quiet nobody would notice how easy it was to steal.

When I returned the car I called the support line; in the end they couldn't shut it off either but at least they were able to remotely lock the doors. I guess that if they didn't get a service technician to it soon, it would eventually run out of gas.

Clearly the Hyundai designers decided to dispense with the old system of having the ignition key actually cut power to the engine system, and instead let the in-car computer do that. And this failure clearly demonstrates why it's critical to have hardware failsafes for important systems. I'm just glad I wasn't in a Prius with a stuck accelerator. GK


Please hold on to the handrails while entering or exiting the escalator (Brian Roemmele via PGN)

Peter G Neumann <Neumann@CSL.SRI.COM>
Wed, 30 Mar 2022 19:50:12 -0700

https://twitter.com/BrianRoemmele/status/1508888318745800707

The robo-suitcase on the escalator probably lacked physical and software requirements for the robot, lacked a suitable system architecture, and was poorly programmed. Also, the escalator was not ready for it.

Dan Eakins replied to my sharing this fiasco with him:

I think these devices that rely on computer vision systems (robots, cars, self-propelled things) have to be programmed not to do more than they are programmed to do. So you have to train it to recognize situations after it fails - maybe it was intended to go down an escalator - but seems like it should have been constrained from that altogether.
Every time I see those little delivery carts in downtown Mountain View trying to cross an intersection, I think hmm. Maybe it isn't programmed for someone who could intercept it at an intersection, break it open, and eat what is inside. But maybe it would have cameras that would be able to track me down.
In Oakland CA, those delivery robots wouldn't last long at all.

PGN's reaction:

Typically the designer and the programmer never think along those lines. Reliable? perhaps. Secure? probably not.

I suspect hijacking the robocarts for meals will quickly become a new micro-industry.


Hackers Steal About $600 Million in One of the Biggest Crypto Heists (Bloomberg)

David Farber <farber@keio.jp>
Wed, 30 Mar 2022 12:10:22 +0900

https://www.bloomberg.com/news/articles/2022-03-29/hackers-steal-590-million-from-ronin-in-latest-bridge-attack

Funds can be moved out of the bridge if five of the nine validators approve it. The hacker managed to get hold of the private cryptographic keys belonging to five of the validators—so that was enough to steal the crypto assets.


Cryptocurrency Cryptotheft

“Steven J. Greenwald” <greenwald.steve@gmail.com>
Wed, 30 Mar 2022 09:50:52 -0400

https://www.reuters.com/breakingviews/hackers-turn-cryptos-strength-into-achilles-heel-2022-03-30/


A Sinister Way to Beat Multifactor Authentication Is on the Rise (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Fri, 1 Apr 2022 01:06:59 -0400

Lapsus$ and the group behind the SolarWinds hack have utilized prompt bombing to defeat weaker MFA protections in recent months.

Enter MFA Prompt Bombing

The strongest forms of MFA are based on a framework called FIDO2, which was developed by a consortium of companies to balance security and simplicity of use. It gives users the option of using fingerprint readers or cameras built into their devices or dedicated security keys to confirm that they are authorized to access an account. FIDO2 forms of MFA are relatively new, so many services for both consumers and large organizations have yet to adopt them.

That's where older, weaker forms of MFA come in. They include one-time passwords sent through SMS or generated by mobile apps like Google Authenticator or push prompts sent to a mobile device. When someone is logging in with a valid password, they also must either enter the one-time password into a field on the sign-in screen or push a button displayed on the screen of their phone.

It's this last form of authentication that recent reports say is being bypassed. One group using this technique, according to security firm Mandiant, is Cozy Bear, a band of elite hackers working for Russia's Foreign Intelligence Service. The group also goes under the names Nobelium, APT29, and the Dukes.

“Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor. The [Nobelium] threat actor took advantage of this and issued multiple MFA requests to the end-user's legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.”

https://www.wired.com/story/multifactor-authentication-prompt-bombing-on-the-rise/
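The prompt-bombing pattern described in the Mandiant quote above leaves a recognizable trace in authentication logs: a burst of push notifications to one user, several of them denied or timed out, followed by an approval. The following Python is an added detection example, not code from the WiReD article, Mandiant, or any MFA vendor; the log format, event names and sample lines are constructed for illustration, and the window and prompt-count thresholds are assumptions to be tuned against real traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# Format: <ISO-8601 UTC timestamp> <user> <event> <source IP>
SAMPLE_LOG = """\
2022-03-30T02:14:03Z alice push_sent 203.0.113.7
2022-03-30T02:14:41Z alice push_denied 203.0.113.7
2022-03-30T02:15:10Z alice push_sent 203.0.113.7
2022-03-30T02:15:52Z alice push_timeout 203.0.113.7
2022-03-30T02:16:05Z alice push_sent 203.0.113.7
2022-03-30T02:16:40Z alice push_sent 203.0.113.7
2022-03-30T02:17:02Z alice push_approved 203.0.113.7
2022-03-30T09:00:00Z bob push_sent 198.51.100.4
2022-03-30T09:00:12Z bob push_approved 198.51.100.4
"""

WINDOW = timedelta(minutes=10)   # assumed look-back window per user
MAX_PROMPTS = 3                  # assumed threshold: more pushes than this per window is suspicious
REJECTED = {"push_denied", "push_timeout"}


def parse_log(text):
    """Parse log lines into (timestamp, user, event, src_ip) tuples, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, src_ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, src_ip))
    return sorted(events)


def detect_prompt_bombing(text, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Return {user: finding} for users who received more than max_prompts
    push notifications inside one window. The finding records how many
    prompts were rejected or timed out and whether one was finally approved,
    which is the sequence that matters for an incident responder."""
    by_user = defaultdict(list)
    for ev in parse_log(text):
        by_user[ev[1]].append(ev)

    findings = {}
    for user, evs in by_user.items():
        sent = [ev for ev in evs if ev[2] == "push_sent"]
        for i, (t0, _, _, _) in enumerate(sent):
            end = t0 + window
            burst = [ev for ev in sent[i:] if ev[0] <= end]
            if len(burst) <= max_prompts:
                continue
            in_window = [ev for ev in evs if t0 <= ev[0] <= end]
            findings[user] = {
                "prompts": len(burst),
                "rejected": sum(1 for ev in in_window if ev[2] in REJECTED),
                "approved": any(ev[2] == "push_approved" for ev in in_window),
                "src_ips": sorted({ev[3] for ev in burst}),
                "first_prompt": t0.isoformat(),
            }
            break  # one finding per user is enough to raise an alert
    return findings


if __name__ == "__main__":
    for user, finding in detect_prompt_bombing(SAMPLE_LOG).items():
        print(f"{user}: {finding}")
```

In the constructed sample, alice receives four prompts in under ten minutes, rejects two and then approves, so she is flagged; bob's single prompt and approval is normal and is not. An approval that follows repeated rejections from the same source within one window is the event to alert on and review with the user, and a provider-side cap on how many pushes may be issued per login attempt, or a move to the FIDO2-based factors the article describes as the strongest, removes the pattern at its root.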


AI-Influenced Weapons Need Better Regulation (Scientific American)

Richard Stein <rmstein@ieee.org>
Thu, 31 Mar 2022 20:29:59 +0800

https://www.scientificamerican.com/article/ai-influenced-weapons-need-better-regulation/

“The technology behind some of these weapons systems is immature and error-prone, and there is little clarity on how the systems function and make decisions. Some of these weapons will invariably hit the wrong targets, and competitive pressures might result in deployment of more systems that are not ready for the battlefield.”

Read that paragraph, and substitute ‘weapons’ for a popular AI-based product (driverless vehicles) and then substitute ‘battlefield’ with marketplace.

How does one specify a “Do not harm innocent civilians” rule that holds creators and operators of AI systems accountable for errors and accidents?


Waymo to Send Driverless Cars Through San Francisco (WSJ)

geoff goodfellow <geoff@iconia.com>
Wed, 30 Mar 2022 09:39:02 -1000

Waymo, Google's sister company, is sending fully autonomous vehicles onto the streets of the city, marking its first attempt to send cars without any human control into a major metropolitan area. […]

https://www.wsj.com/articles/waymo-to-send-driverless-cars-through-san-francisco-11648648800


Hackers who crippled Viasat modems in Ukraine are still active—company official (Reuters)

geoff goodfellow <geoff@iconia.com>
Thu, 31 Mar 2022 10:18:49 -1000

Hackers who crippled tens of thousands of satellite modems in Ukraine and across Europe are still trying to hobble U.S. telecommunications company Viasat as it works to bring its users back online, a company official told Reuters.

Viasat Inc. has been working to recover after a cyberattack remotely disabled satellite modems just as Russian forces pushed into Ukraine in the early hours of Feb. 24. The official said a parallel attack was launched at almost exactly the same time and used “high volumes of focused, malicious traffic” to try and overwhelm Viasat's network and was still ongoing.

“We're still witnessing some deliberate attempts,” the official said Tuesday. He said that Viasat was so far resisting the hackers with defensive measures but that “we've been seeing repeated attempts by this attacker to alter that pattern to test those new mitigations and defenses.”

The official, who spoke on the condition that he not be identified, briefed Reuters ahead of a report being published early Wednesday which outlines how the hackers systematically sabotaged satellite modems across Europe, and in Ukraine in particular, on the morning of Russia's invasion. […]

https://www.reuters.com/business/media-telecom/exclusive-hackers-who-crippled-viasat-modems-ukraine-are-still-active-company-2022-03-30/


Apple & Meta Gave User Data to Hackers Who Used Forged Legal Requests (Bloomberg)

geoff goodfellow <geoff@iconia.com>
Wed, 30 Mar 2022 09:33:29 -1000

Hackers compromised the emails of law enforcement agencies. Data was used to enable harassment, may aid financial fraud.

Apple Inc. and Meta Platforms Inc., the parent company of Facebook, provided customer data to hackers who masqueraded as law enforcement officials, according to three people with knowledge of the matter.

Apple and Meta provided basic subscriber details, such as a customer's address, phone number and IP address, in mid-2021 in response to the forged emergency data requests. Normally, such requests are only provided with a search warrant or subpoena signed by a judge, according to the people. However, the emergency requests don't require a court order.

Snap Inc. received a forged legal request from the same hackers, but it isn't known whether the company provided data in response. It's also not clear how many times the companies provided data prompted by forged legal requests. […]

https://www.bloomberg.com/news/articles/2022-03-30/apple-meta-gave-user-data-to-hackers-who-forged-legal-requests https://ca.finance.yahoo.com/news/apple-meta-gave-user-data-175918825.html


Election officials targeted by phishing, according to FBI

Peter Neumann <neumann@csl.sri.com>
Wed, 30 Mar 2022 10:35:11 PDT

https://www.cyberscoop.com/election-officials-phishing-email-2022-midterms-fbi/

A.J. Vicens, CYBERSCOOP, 29 Mar 2022

An invoice-themed phishing campaign targeted elections officials in at least nine states in October 2021, according to a warning the FBI issued Tuesday. The attackers sought to steal login credentials and could have had sustained and undetected access to election administrators' systems. Batches with common attachments were sent over three days using compromised email addresses, suggesting a concerted effort to target US election officials. [PGN-ed]


Hackers gaining subpoena power via fake emergency requests

Peter Neumann <neumann@csl.sri.com>
Tue, 29 Mar 2022 11:02:10 PDT

Another example of the escalating spiral of defense running behind offense?

https://krebsonsecurity.com/2022/03/hackers-gaining-power-of-subpoena-via-fake-emergency-data-requests/


Corporate Media Wants Copyright Law to Rewrite the Internet (EFF)

“EFFector List” <editor@eff.org>
Wed, 30 Mar 2022 16:34:14 +0000

The New Filter Mandate Bill Is An Unmitigated Disaster

Industry groups are pushing a new bill, the SMART Copyright Act that would give the Copyright Office the power to set the rules for Internet technology and services to address copyright infringement, with precious little opportunity for appeal. Remaking the Internet to serve the entertainment industry was a bad idea ten years ago and it's a bad idea today.

Read more: https://www.eff.org/deeplinks/2022/03/new-filter-mandate-bill-unmitigated-disaster

EFFector Vol. 34, No. 2 Wednesday, March 30, 2022 editor@eff.org A Publication of the Electronic Frontier Foundation, ISSN 1062-9424 [effector: n, Computer Sci. A device for producing a desired change.]


Climate change: Wind and solar reach milestone as demand surges (Ember-climate)

geoff goodfellow <geoff@iconia.com>
Wed, 30 Mar 2022 09:46:47 -1000

Wind and solar generated 10% of global electricity for the first time in 2021, a new analysis shows. Fifty countries get more than a tenth of their power from wind and solar sources, according to research from Ember <https://ember-climate.org/insights/research/global-electricity-review-2022/>, a climate and energy think tank.

As the world's economies rebounded from the Covid-19 pandemic in 2021, demand for energy soared.

Demand for electricity grew at a record pace. This saw a surge in coal power, rising at the fastest rate since 1985. […]

https://www.bbc.com/news/science-environment-60917445


The Milky Way's ‘thick disk’ is 2 billion years older than scientists thought (Live Science)

geoff goodfellow <geoff@iconia.com>
Wed, 30 Mar 2022 09:49:00 -1000

Misjudging someone's age can be awkward—especially when you're off by a few billion years. The thick disk began forming stars just 0.8 billion years after the Big Bang. […]

https://www.livescience.com/milky-way-thick-disc-age


You're eating a credit card's worth of plastic every week, and it's altering your gut makeup (GutNews)

geoff goodfellow <geoff@iconia.com>
Wed, 30 Mar 2022 09:26:58 -1000

How much plastic is sitting in your gut? If you think the answer is zero, think again. A recent review suggests people consume about five grams of plastic particles per week, the equivalent of the weight of a credit card.

Nanoplastics are any plastics less than 0.001 millimeters in size. Microplastics, on the other hand, are 0.001 to 5 millimeters and on some occasions still visible to the naked eye. Most microplastic and nanoplastics find their way to the human food chain from packaging waste.

Plastic particles <https://www.gutnews.com/microplastics-ibd-cause/> can enter the body through seafood, sea salt, or drinking water. One study referenced in the review found people who drank the recommended 1.5 to 2 liters of water a day from plastic bottles take in 90,000 plastic particles per year from this source alone. People who opt for tap water reduce their ingested amount to about 40,000 plastic particles.

Research exploring the number of micro-and nanoplastic particles in the gastrointestinal tract has shown its presence is changing the gut microbiome <https://gutnews.com/category/gut-biome> composition. The changes it’s making are linked to the emergence of metabolic diseases such as diabetes, obesity, or chronic liver disease.

Not only are the changes in the gut microbiome apparent, but scientists have also broken ground on the molecular mechanisms behind the uptake of micro- and nanoplastic particles into gut tissue. Both microplastic and nanoplastic particles potentially activate mechanisms involved in local inflammation <https://gutnews.com/tag/inflammation> and immune response. Evidence has shown that nanoplastics, in particular, trigger chemical pathways involved in the formation of cancer. […]

https://www.gutnews.com/microplastics-food-gut-health/


Re: One problem with permanent daylight saving time: Geography

Henry Baker <hbaker1@pipeline.com>
Tue, 29 Mar 2022 03:49:22 +0000

(A timely posting about timezones…)

Only One Time Zone in China

China has one official time zone, China Standard Time (CST), which is 8 hours ahead of UTC (https://www.timeanddate.com/time/aboututc.html, https://www.timeanddate.com/time/china/one-time-zone.html). In China, the time zone is known as Beijing Time.

In Xinjiang, China's westernmost region, the Uyghur population unofficially uses a different local time known as Xinjiang Time or Ürümqi Time, which is 2 hours behind CST.

(Which is probably why the Uyghurs are being ‘re-educated’ by the millions — because they're ‘behind’ …)


Re: URL problem on the Doug Jones op-ed (Brader, RISKS-33.11)

msb@vex.net (Mark Brader)
Mon, 28 Mar 2022 21:07:49 -0500

I wrote:

> When I tried to open this [msn.com] URL in Firefox, I got a blank
> page. …

A week later, when I saw this in Risks, it occurred to me that in the meantime I had downloaded an update to NoScript. So I checked the original URL again, and if I enable JavaScript for msn.com, I can now open the page.
