The RISKS Digest
Volume 32 Issue 29

Friday, 25th September 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Tesla network outage—massive
Electrek and The Sun
5G Wireless May Lead to Inaccurate Weather Forecasts
Rutgers Today
Major Instagram App Bug Could've Given Hackers Remote Access to Your Phone
The Hacker News
Tribune staff furious as cybersecurity test email makes cruel promises
WashPost
World's Biggest Data Breaches and Hacks
Information Is Beautiful
UK COVID-19 test booking website bugs tell some users no test slots are available
Schools Week
Pandemic spurs journalists to go it alone via email
Axios
Re: Old TV caused village broadband outages for 18 months
Attila the Hun
Re: Unsecured Microsoft Bing Server Exposed Users' Search Queries and Location
paul wallich
Re: D.C.'s New Area Code Will Be… 771
John Levine
Re: UK Companies House
Peter Bernard Ladkin
Re: Boeing cuts flight training pilots, will outsource jobs overseas: Link fix
Steve Klein
Info on RISKS (comp.risks)

Tesla network outage—massive (Electrek and The Sun)

geoff goodfellow <geoff@iconia.com>
Wed, 23 Sep 2020 08:05:25 -1000

TESLA's network completely dropped in a massive outage on Wednesday that left drivers unable to connect to their cars.

According to Electrek, internal systems were fully down and around 11am ET, users couldn't connect their vehicles to the mobile app.

<https://electrek.co/2020/09/23/tesla-suffers-complete-network-outage-internal-systems-and-connectivity-features-down/>

The outage—which appeared to be global—is said to be one of the “most wide-ranging” in Tesla's history…

https://www.the-sun.com/news/1521051/tesla-network-outage-down-elon-musk-cars-connectivity/

Connectivity was reportedly returning for some users' cars. <https://www.the-sun.com/topic/electric-cars/>


5G Wireless May Lead to Inaccurate Weather Forecasts (Rutgers Today)

ACM TechNews <technews-editor@acm.org>
Fri, 25 Sep 2020 13:11:35 -0400 (EDT)

5G Wireless May Lead to Inaccurate Weather Forecasts, Rutgers Today, 24 Sep 2020, via ACM TechNews, 25 Sep 2020

A study by Rutgers University researchers found upcoming 5G wireless networks that expedite cellphone service may lead to inaccurate weather forecasts. Signals from 5G frequency bands could leak into the band used by weather sensors on satellites that quantify atmospheric water vapor. The Rutgers team used computer modeling to examine the impact of unintended 5G leakage into an adjacent frequency band in predicting the 2008 Super Tuesday Tornado Outbreak in the South and Midwestern regions of the U.S. The modeling found 5G leakage of -15 to -20 decibel Watts impacted the accuracy of rainfall forecasting by up to 0.9 millimeters during the tornado outbreak, and also affected forecasting of temperatures near ground level by up to 2.34 degrees Fahrenheit. Rutgers' Narayan B. Mandayam said, “If we want leakage to be at levels preferred by the 5G community, we need to work on more detailed models as well as antenna technology, dynamic reallocation of spectrum resources, and improved weather forecasting algorithms that can take into account 5G leakage.” https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-272d2x2251b5x065481&


Major Instagram App Bug Could've Given Hackers Remote Access to Your Phone (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Thu, 24 Sep 2020 08:24:15 -1000

Ever wonder how hackers can hack your smartphone remotely?

In a report shared with The Hacker News today, Check Point researchers disclosed details about a critical vulnerability <https://www.facebook.com/security/advisories/cve-2020-1895> in Instagram's Android app that could have allowed remote attackers to take control over a targeted device just by sending victims a specially crafted image.

What's more worrisome is that the flaw not only lets attackers perform actions on behalf of the user within the Instagram app—including spying on victim's private messages and even deleting or posting photos from their accounts—but also execute arbitrary code on the device.

According to an advisory <https://m.facebook.com/security/advisories/cve-2020-1895> published by Facebook, the heap overflow security issue (tracked as CVE-2020-1895, CVSS score: 7.8) impacts all versions of the Instagram app prior to 128.0.0.26.128, which was released on February 10 earlier this year.

“This [flaw] turns the device into a tool for spying on targeted users without their knowledge, as well as enabling malicious manipulation of their Instagram profile,” Check Point Research said in an analysis published today. <https://blog.checkpoint.com/2020/09/24/instahack-how-researchers-were-able-to-take-over-the-instagram-app-using-a-malicious-image/>

“In either case, the attack could lead to a massive invasion of users' privacy and could affect reputations—or lead to security risks that are even more serious.”

After the findings were reported to Facebook, the social media company addressed the issue with a patch update released six months ago. The public disclosure was delayed all this time to allow the majority of Instagram's users to update the app, thereby mitigating the risk this vulnerability may introduce.

Although Facebook confirmed there were no signs that this bug was exploited globally, the development is another reminder of why it's essential to keep apps up to date and be mindful of the permissions granted to them.

A Heap Overflow Vulnerability. […]

https://thehackernews.com/2020/09/instagram-android-hack.html


Tribune staff furious as cybersecurity test email makes cruel promises (WashPost)

Peter Houppermans <peter@houppermans.net>
Thu, 24 Sep 2020 09:46:03 +0200

Source: https://www.washingtonpost.com/media/2020/09/23/tribune-bonus-email-phishing-hoax/

“Employees of the Tribune Publishing Company were momentarily thrilled Wednesday after they received a company email announcing that they were each getting a bonus of up to $10,000, to ‘thank you for your ongoing commitment to excellence.’”

To see how big their bonus would be, they just had to click on a link; that's, well, that's when they learned they had failed the test. This test ran into a history of furloughs and layoffs, and thus created considerable anger amongst staff.

This leads to a number of interesting questions:

  1. Employees: given this history, just how likely were the contents of that email? The fact that many clicked illustrated that a phishing campaign using these exact contents for real would have worked. This is PRECISELY how such scams work.
  2. In the case of a real email hoax or phishing attempt, who would the staff have blamed for the consequences, such as ransomware shutting the company down and potentially causing even more layoffs? I assume the wrath would then go to the people who did this test?
  3. What else could this company have done to prove this point?

There is not enough information to assess if the company ran a staff security awareness training beforehand, but it certainly appears to be required.


World's Biggest Data Breaches and Hacks (Information Is Beautiful)

geoff goodfellow <geoff@iconia.com>
Wed, 23 Sep 2020 12:21:51 -1000

https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/


UK COVID-19 test booking website bugs tell some users no test slots are available (Schools Week)

Matthew Pittman <matthew@pittman.me.uk>
Fri, 25 Sep 2020 13:58:27 +0100

https://schoolsweek.co.uk/anger-as-government-admits-test-and-trace-website-coding-error/

This article has a good description of the bug(s), but the implication (that some infected people were being told there were no test slots available) has not, as far as I can tell, been explored in depth by mainstream media.

It seems to me that if even a modest number of infected people were turned away and were not subsequently tested then there is a very good chance that a few generations of contacts down the track some infected patients will inevitably die. To me this means that the software defect was a material factor in loss of human life.

The article contains an analysis of testing by Adam Leon Smith, chair of the software testing specialist group of British Computer Society, The Chartered Institute for IT. I'm reading between the lines when I suggest that it sounds like this part of the web was basically untested.

There have been other articles in the press following up the connection with Deloitte, apparently the prime contractor for the testing service, but none I could find had the detail of this description.

I have not fact checked the linked article.


Pandemic spurs journalists to go it alone via email (Axios)

geoff goodfellow <geoff@iconia.com>
Thu, 24 Sep 2020 08:18:52 -1000

A slew of high-profile journalists have recently announced they are leaving newsrooms to launch their own, independent brands, mostly via email newsletters.

Context: Many of those writers, working with new technology companies like Substack, TinyLetter, Lede, or Ghost, have made the transition amid the pandemic.

Driving the news: Several prominent business and technology or political journalists have left their news companies to launch their own newsletters, including:

By the numbers: […] https://www.axios.com/pandemic-spurs-journalists-to-go-it-alone-via-email-613ca2d5-e8d5-4235-9582-48cc028e9d8b.html


Re: Old TV caused village broadband outages for 18 months (BBC, RISKS-32.29)

Attila the Hun <attilathehun1900@tiscali.co.uk>
Wed, 23 Sep 2020 09:30:15 +0100

A longer article on the matter included the following:

“However, despite Openreach's triumphant claims, villagers including Mr and Mrs Rees's own son, Aled, insisted yesterday that their Internet problems persisted, long after the offending television had been scrapped.”

Aled Rees told The Telegraph: “This Mr Jones must be smoking something funny if he thinks it's got anything to do with the TV. My parents had only had the TV a few months. The problems in the village had been going on for much longer than that and are continuing today, even after they got rid of the TV.

“I've no idea why Openreach are saying this—they've got to blame somebody and they're not going to blame themselves.”

Eirian Hughes, 63, said: “This story is just a smokescreen, and the fact is, it's costing too much to connect to fibre. The broadband service is rubbish.”

Farmer Geraint Jones, 60, said the connection speed was still “worse than appalling.”

An Openreach spokesman said: “It's true to say the villagers were already having to put up with broadband on an old slower copper network—but the faulty TV was clearly interfering with the existing service and we're delighted to have solved that particular mystery.

“We're pleased to say the village is now in line to be upgraded imminently to superfast broadband which will improve matters even more.”

I think the last statement might be more than a little suggestive.


Re: Unsecured Microsoft Bing Server Exposed Users' Search Queries and Location (RISKS-32.28)

paul wallich <pw@panix.com>
Wed, 23 Sep 2020 10:01:48 -0400

> The logging database, however, doesn't include any personal details such as
> names or addresses.

If you have GPS coordinates, device details and query strings, it should be possible to de-anonymize quite a lot of that database using other sources. Even more risky (perhaps) is the possibility that de-anonymization would be mistaken (e.g. as a result of GPS margin of error). For a surveillance state this is particularly pernicious because of the habit search engines now have of putting additional words in their users' search boxes. So someone might get tagged for a search they didn't even intentionally make.
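The linkage risk described in the reply above, as an added illustration that is not part of the original post or of RISKS: constructed log rows (GPS fix, device string, query) and a constructed "other source" of named addresses; a radius search whose radius is the assumed GPS error gives a unique match when the error is small, several candidates (the mistaken-tag case) when it is realistic, and nothing once the stored fix is coarsened before logging. All names, coordinates and queries are made up.

```python
import math

# Constructed Bing-style log rows; NOT real data.
LOG_ROWS = [
    {"lat": 51.5007, "lon": -0.1246, "device": "ModelX-Android10",
     "query": "divorce lawyer near me"},
]

# Constructed "other source": a public directory with street coordinates.
PUBLIC_RECORDS = [
    {"name": "Resident A", "lat": 51.5008, "lon": -0.1247},
    {"name": "Resident B", "lat": 51.5011, "lon": -0.1240},
    {"name": "Resident C", "lat": 51.5100, "lon": -0.1300},
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def candidates(row, records, gps_error_m):
    """Every directory entry within the assumed GPS error of the logged fix."""
    return [rec["name"] for rec in records
            if haversine_m(row["lat"], row["lon"], rec["lat"], rec["lon"]) <= gps_error_m]


def link_status(row, records, gps_error_m):
    """What an adversary could conclude from one row: 'unique' means re-identified,
    'ambiguous' means several people could be tagged, possibly the wrong one."""
    hits = candidates(row, records, gps_error_m)
    if len(hits) == 1:
        return "unique"
    return "ambiguous" if hits else "none"


def coarsen(row, decimals=2):
    """Mitigation at logging time: keep only a ~1 km cell (2 decimals of a degree).
    Cell-level location can still be identifying for sparse areas; it removes
    point-level linkage only."""
    safe = dict(row)
    safe["lat"] = round(row["lat"], decimals)
    safe["lon"] = round(row["lon"], decimals)
    return safe
```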


Re: D.C.'s New Area Code Will Be… 771 (RISKS-32.28)

“John Levine” <johnl@iecc.com>
23 Sep 2020 14:43:24 -0400

This is pretty impressive considering that there are over 7 million numbers allocated to 202, and only about 1.2 million people who live or work in the District. When I look at tables that show what numbers are allocated to what carriers, I see vast ranges to mobile carriers and to CLECs, who now mostly provide VoIP numbers. So perhaps there are a few people who want cool 202 numbers even though they really live somewhere else.

> … I wonder how many area codes NANPA … when we'll need four-digit area
> codes. Or hexadecimal phone keypads, or phone numbers including */#. (Yes,
> latter two are jokes—mostly)

You don't have to guess, it's on their web site:

https://www.nationalnanpa.com/reports/April_2020_NANP_Exhaust_Analysis Final.pdf

Based on current trends, it will be later than 2050 which is as far away as their models go. There was a burst of demand when mobile phones were new, and when CLECs were setting up modem banks. (At the time they had to allocate a 10,000 number block even if the CLEC only needed a handful of numbers, a problem since fixed.) But things have slowed down a lot since everyone now has a phone, and modems are found only in burglar alarms and history museums.

—Regards, John Levine, johnl@taugh.com, Primary Perpetrator of “The Internet for Dummies”, Please consider the environment before reading this e-mail. https://jl.ly


Re: UK Companies House (Stein, RISKS-32.28)

Peter Bernard Ladkin <ladkin@causalis.com>
Wed, 23 Sep 2020 13:28:05 +0200

> “The UK's Companies House comprises a core system of record that
> authenticates business ownership and persons of significant control (PSC)
>—corporate directors.”

There are two things wrong with this statement. First, the main point of Companies House is to incorporate and dissolve limited companies. The system of record is its second task. From its Website: “We incorporate and dissolve limited companies. We register company information and make it available to the public.” https://www.gov.uk/government/organisations/companies-house

Second, PSCs are not necessarily directors. Directors of a limited company have always been a part of the publicly-available company record held by Companies House. The introduction of the category of PSC and the legal requirement for their public identification in April 2016 is a significant part of enhanced UK company transparency. Germany, a country with a reputation for careful control of companies, does not (yet) require a declaration of PSCs.

PSCs are people (real people, not just legal individuals) who:

I think it would enhance any country's transparency about companies to have a requirement for identifying PSCs. The report on the UK Government consultation on how to enhance company transparency further, referenced by Stein, does show that a requirement for identifying PSCs is not enough.

I will note that the previously-booming London property market has long been recognised as an area in which large amounts of money are thought to be laundered, and that market has nothing to do with Companies House.

Disclosure: I am majority owner and Director of a UK company registered at Companies House, and I am CEO (“Geschäftsführer”) of a German company fully owned by the English one.


Re: Boeing cuts flight training pilots, will outsource jobs overseas: Link fix (The Stand)

Steve Klein <steven@klein.us>
Fri, 25 Sep 2020 09:05:20 -0400

The posted link is http, and should be https. FIX:

https://www.thestand.org/2020/09/boeing-cuts-flight-training-pilots-will-outsource-jobs-overseas/
