Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
A first-of-its-kind security analysis of iOS Find My function has identified a novel attack surface that makes it possible to tamper with the firmware and load malware onto a Bluetooth chip that's executed while an iPhone is “off.”
The mechanism takes advantage of the fact that wireless chips related to Bluetooth, Near-field communication (NFC <https://en.wikipedia.org/wiki/Near-field_communication>), and ultra-wideband (UWB <https://en.wikipedia.org/wiki/Ultra-wideband>) continue to operate while iOS is shut down when entering a “power reserve” Low Power Mode (LPM).
While this is done so as to enable features like Find My <https://thehackernews.com/2022/02/experts-create-apple-airtag-clone-that.html> and facilitate Express Card transactions <https://support.apple.com/en-us/guide/security/sec90cd29d1f/web>, all the three wireless chips have direct access to the secure element, academics from the Secure Mobile Networking Lab (SEEMOO <https://www.seemoo.tu-darmstadt.de/>) at the Technical University of Darmstadt said <https://arxiv.org/pdf/2205.06114.pdf> in a paper entitled “Evil Never Sleeps.”
“The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in the NFC chip, storing secrets that should be available in LPM,” the researchers said.
“Since LPM support is implemented in hardware, it cannot be removed by changing software components. As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown. This poses a new threat model.”
The findings are set to be presented <https://wisec2022.cs.utsa.edu/accepted-papers/> at the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2022) this week. […]
https://thehackernews.com/2022/05/researchers-find-way-to-run-malware-on.html
Andrew Appel:
A PDF File Is Not Paper, So PDF Ballots Cannot Be Verified
https://freedom-to-tinker.com/2022/05/19/a-pdf-file-is-not-paper-so-pdf-ballots-cannot-be-verified/
A novel Bluetooth relay attack can let cybercriminals more easily than ever remotely unlock and operate cars, break open residential smart locks, and breach secure areas.
“An attacker can falsely indicate the proximity of Bluetooth LE (BLE) devices to one another through the use of a relay attack,” UK-based cybersecurity company NCC Group said. “This may enable unauthorized access to devices in BLE-based proximity authentication systems.”
Relay attacks <https://en.wikipedia.org/wiki/Relay_attack>, also called two-thief attacks, are a variation of person-in-the-middle attacks in which an adversary intercepts communication between two parties, one of whom is also an attacker, and then relays it to the target device without any manipulation.
While various mitigations have been implemented to prevent relay attacks, including imposing response time limits during data exchange between any two devices communicating over BLE and triangulation-based localization techniques, the new relay attack can bypass these measures. […]
https://thehackernews.com/2022/05/new-bluetooth-hack-could-let-attackers.html https://research.nccgroup.com/2022/05/15/technical-advisory-tesla-ble-phone-as-a-key-passive-entry-vulnerable-to-relay-attacks/ https://research.nccgroup.com/2022/05/15/technical-advisory-kwikset-weiser-ble-proximity-authentication-in-kevo-smart-locks-vulnerable-to-relay-attacks/ https://research.nccgroup.com/2022/05/15/technical-advisory-ble-proximity-authentication-vulnerable-to-relay-attacks/
Millions of U.S. government employees and contractors have been issued a secure smart ID card that enables physical access to buildings and controlled spaces, and provides access to government computer networks and systems at the cardholder's appropriate security level. But many government employees aren't issued an approved card reader device that lets them use these cards at home or remotely, and so turn to low-cost readers they find online. What could go wrong? Here's one example. […]
https://krebsonsecurity.com/2022/05/when-your-smart-id-card-reader-comes-with-malware/
https://twitter.com/tulipsmg/status/1525976684998144005
The global credit-card rivals maintain a strikingly permissive relationship with companies that have been accused of fraud. For one of Mastercard' top executives, that relationship went even further. A BuzzFeed News investigation.
https://www.buzzfeednews.com/article/rosalindadams/mastercard-visa-fraud
From an OPED in Nikkei Asia 5/20 by David Farber and Dan Gilmor
You have to feel a twinge of sympathy for the people who “invested” their savings in cryptocurrencies during the past few months and who subsequently lost most or all of their money when the cryptocurrency marketplace collapsed during the past several weeks.
The words “invested” is in quotes for a reason. This bubble was a classic in the genre, and the people who are collectively losing the most money are low-information gamblers, not investors, just as they are when every economic bubble deflates.
And they were warned. Anyone paying the slightest attention had to have heard the ever-more-strident cautions, including ours, that cryptocurrencies were not what they seemed and that this “marketplace” was in large part a mirage. And, as we said in the article, “Cryptocurrencies remain a gamble best avoided,” published online on Feb. 5, a rigged game.
Jade Boyd, Rice University News, 16 May 2022, via ACM TechNews, 18 May 2022
Hackers can use common tools to construct a metasurface that allows them to listen in on 6G wireless transmissions. Researchers at Rice and Brown universities demonstrated that attackers could employ a sheet of office paper covered with two-dimensional foil symbols to reroute part of a 150-gigahertz “pencil beam” signal between two users, calling it a Metasurface-in-the-Middle exploit. In such a situation, the eavesdropper designs a metasurface to diffract part of a signal to their location; Rice's Zhambyl Shaikhanov said they then laser-print the metasurface by feeding metal foil through a laminator. Brown's Daniel Mittleman said the hot-stamping technique was developed to simplify metasurface manufacturing for quick, affordable testing. Warns Rice's Edward Knightly, “Next-generation wireless will use high frequencies and pencil beams to support wide-band applications like virtual reality and autonomous vehicles.”
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ea62x233db0x071353&
For years China's censors have relied on a trusted tool kit to control the country's Internet. They have deleted posts, suspended accounts, blocked keywords, and arrested the most outspoken.
Now they are trying a new trick: displaying social media users' locations beneath posts.
Authorities say the location tags, which are displayed automatically, will help unearth overseas disinformation campaigns intended to destabilize China. In practice, they have offered new fuel for pitched online battles that increasingly link Chinese citizens' locations with their national loyalty. Chinese people posting from overseas, and even from provinces deemed insufficiently patriotic, are now easily targeted by nationalist influencers, whose fans harass them or report their accounts.
The tags, based on a user's Internet Protocol, or I.P., address that can reveal where a person is located, were first applied to posts that mentioned the Russian invasion of Ukraine, a topic authorities said was being manipulated with foreign propaganda. Now they are being expanded to most social media content, further chilling speech on a Chinese Internet dominated by censorship and isolated from the world.
The move marks a new step in a decade-long push by Chinese officials to end anonymity online and exert a more perfect control over China's digital town squares.
https://www.nytimes.com/2022/05/18/business/china-internet-censors-ip-address.html
I got data-breach notice today from Assurance IQ, LLC and some of its affiliated companies. (I'm dang sure they wouldn't have told me if they weren't forced to by law.) Of course they said that “keeping personal data safe and secure is very important” to them.
I guess that's why they didn't notice for 16 months that someone was repeatedly using their site to extract personal data. Based on their description, it sounds like if you filled out a life insurance application with someone's “name, address, and other information”, they then “retrieved a driver's license number that was then displayed…in the online application.” Yup, either they helpfully auto-filled that number (if they knew it, why did they need it filled in?) or, more likely, displayed it as a method of identity verification. “Please click here if you are the person with DL number 1234567.”
Did nobody review this design?
https://techxplore.com/news/2021-05-zero-trust-assume-internet-youand.html
“Using the public health analogy, a zero-trust approach to cybersecurity assumes that an infection is only a cough—or, in this case, a click — away, and focuses on building an immune system capable of dealing with whatever novel virus may come along. Put another way, instead of defending a castle, this model assumes that the invaders are already inside the walls.”
“Zero Trust Architecture,” from https://csrc.nist.gov/publications/detail/sp/800-207/final(retrieved on 19MAY2022) documents a framework for infrastructure, processes, and policies to establish a Zero Trust ecosystem.
A significant shift from the static, network-based Internet perimeter we enjoy today, where trust—too much trust—enables convenient and anonymous access easing navigation through infrastructure, Zero Trust imposes constant credential authentication challenges for users, assets and resources based on a centralized policy enforcement mechanism.
Policy enforcement subjects a user's identity to verification checks for each new resource access request, and access is subject to mediation (via privilege and allocation masks), logging, and analysis.
The US government now requires disclosure of industry cyber incidents. For businesses deemed “critical infrastructure,” regulation will likely be necessary to compel Zero Trust adoption. The days of voluntary business cyber compliance are history.
Commercial enterprises will object to the transition cost. Ransomware and business e-mail compromise payoffs are illegal—but weakly enforced, and indictments of impacted business organizations have not materialized so far. See “Ransomware Payments and the Law,” from https://www.lawfareblog.com/ransomware-payments-and-law (retrieved on 19MAY2022) for background. Incidents are inconvenient and embarrassing, a mere business expense passed onto the customer as cyber-insurance premium prices inflate.
An overview of Zero Trust architecture and prototype of how it operates can be found in the video https://youtu.be/6I6bnNdZ5XU via “Zero-trust architecture may hold the answer to cybersecurity insider threats” https://techxplore.com/news/2022-05-zero-trust-architecture-cybersecurity-insider-threats.html.
[“Get got” is a prerequisite for becoming “got got.”]
https://techcrunch.com/2022/05/19/justice-department-good-fatih-hackers-cfaa/
18 May 2022
The three women shrieked and giggled as they plucked the tubular pitchers from rare carnivorous plants in the mountains of Cambodia. The phallic shape of the pitchers reminded them of something, they joked as a friend filmed the scene with a phone.
The women broke off some of the distinctive appendages, which the plants use to trap insects. Holding them suggestively for the camera, they compared the pitchers' sizes to the physique of different men from various parts of Cambodia. “I want all of them,” says the woman in blue, displaying four plucked pitchers for the camera.
The widely viewed video prompted Cambodia's ministry of environment to warn the public last week not to pick the pitchers of the plant, which is an endangered species and protected by law. Conservationists are concerned that the growing popularity of smartphones and selfies could increase pressure on the rare plants.
https://www.nytimes.com/2022/05/18/world/asia/cambodian-plant-video.html
Artificial Intelligence
Lauren Weinstein <lauren@vortex.com>Thu, 19 May 2022 08:47:14 -0700
- Stephen Colbert: “Are you afraid of artificial intelligence taking over?”
- Ricky Gervais: “I'd love for any intelligence to take over.”
Re: Companies envision taxis flying above jammed traffic (Bacher, RISKS-33.21)
Martin Ward <martin@gkc.org.uk>Tue, 17 May 2022 14:00:48 +0100You are not thinking three-dimensionally.
Consider the famous “spaghetti junction” (https://en.wikipedia.org/wiki/Gravelly_Hill_Interchange) where 18 different roads intersect in a free-flowing junction over five different levels. Flying cars can operate on an arbitrarily large number of different levels, so you can indeed “just breeze through the sky”.
Re: Companies envision taxis flying above jammed traffic (Bacher, RISKS-33.20)
“John Levine” <johnl@iecc.com>16 May 2022 21:15:36 -0400>Hasn't anyone considered that once flying cars/taxis are practical and >popularized, the traffic jams will simply migrate from the roads to the >air?Maybe, maybe not. Cars have to stay on the road, but in principle flying vehicles can go point to point so long as they are able to avoid running into each other (admittedly a significant “if”.) Also, flying vehicles can fly at different altitudes. Commercial planes fly at specified altitudes, 1000 vertical feet apart, with alternating levels for alternating directions.
I have my doubts whether flying cars will ever be a mass market item, as opposed to a toy for rich people and a niche item for people who have some business reason that the time savings are worth it. We've had small planes for over a century and the cost to own and run a plane is still a lot more than for a car.
Re: Companies envision taxis flying above jammed traffic
Barry Gold <BarryDGold@ca.rr.com>Thu, 19 May 2022 10:15:54 -0700Except that there's a lot more room in the air. Freeways are limited to whatever land we can afford to buy for the purpose. Airways can use a huge amount of space, and can use it on multiple levels. Even if you restricted air traffic to the space above existing roadways (on the basis that landowners also own the airspace above their land, at least up to wherever the commercial airlanes start), you could stack traffic 2, 3, 5, 10, 20 levels high, where existing roadways are limited to 1 or at most 2 levels.
Re: Finding it hard to get a new job? Robot recruiters might be to blame (RISKS-33.21)
Amos Shapir <amos083@gmail.com>Tue, 17 May 2022 12:32:45 +0300The problem seems to be that such tools are deployed before testing if they are actually adequate for the job. It seems as if the rules are defined by programmers, and if there are people who participate in the process on behalf of the hiring company, they are of HR and not of the hiring departments. The result may give rise to Artificial Stupidity.
Testing such a tool should involve running it in parallel with screening candidates by human managers, for a significant time period (I think at least a year); and then comparing the results to catch any misfeatures or biases in the design.
Please report problems with the web pages to the maintainer
xTop