The RISKS Digest
Volume 32 Issue 6

Monday, 29th June 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents

Man Dies after Relatives Unplug Ventilator for Air Conditioner Unit
Chuck Petras
76-year-old American jailed in Spain was unwitting drug mule, U.S. says
The Boston Globe
Ripple20 IP stack vulnerability may affect literally billion devices
Chiaki Ishikawa
Security breach impacts Maine State Police database
BostonGlobe
How a Good Scam Can Bypass Our Defences
Bruce Grierson
E-Commerce Site Hackers Now Hiding Credit Card Stealer Inside Image Metadata
The Hacker News
Moroccan Journalist Targeted With Network Injection Attacks Using NSO Groups Tools
Amnesty International
Netgear moves to plug vulnerability in routers after researchers find zero-day
Sean Lyngaas
TikTok and 53 other iOS apps STILL snoop your sensitive clipboard data
Ars Technica
Zoom chats short circuit a brain function essential for trust—and that's bad for business
Don Pittis
EFF & Heavyweight Legal Team Will Defend Internet Archive's Digital Library Against Publishers
Andy Maxwell
Re: 40 milliseconds to go halfway around the Earth? *NOT*
Fred Cohen
Re: 0.5% of coronavirus stimulus checks went to dead people according to the GAO
James Cloos
Re: Smells Fishy? The Fish That Prevent Iran From Hacking
Michael Grant Phil Nasadowski
Quote of The Day
George Orwell 1984
Info on RISKS (comp.risks)

Man Dies after Relatives Unplug Ventilator for Air Conditioner Unit

Chuck Petras <Chuck_Petras@selinc.com>
Mon, 29 Jun 2020 20:55:51 +0000
Where to begin?

"The man's relatives then took an air conditioner to the hospital -- as
daytime temps reportedly topped out at 106 degrees -- and allegedly unplugged
the ventilator after not finding an open socket to cool down the room,
according to the report. Hospital staffers had deactivated air conditioners
in the unit in an effort to curb the spread of COVID-19 []."

Man Dies after Relatives Unplug Ventilator for Air Conditioner Unit
https://www.24x7mag.com/medical-equipment/patient-care-equipment/ventilators/man-dies-unplug-ventilator-air-conditioner/


76-year-old American jailed in Spain was unwitting drug mule, U.S. says (The Boston Globe)

Monty Solomon <monty@roscom.com>
Sun, 28 Jun 2020 10:00:05 -0400
Victor Stemberger wasn't about to ignore the emails inviting him into a
multimillion-dollar business opportunity, so he pitched himself as perfect
for the job. In a way he was -- but for all the wrong reasons.

https://www.boston.com/news/crime/2020/06/27/76-year-old-american-jailed-in-spain-was-unwitting-drug-mule-us-says


Ripple20 IP stack vulnerability may affect literally billion devices

"ISHIKAWA,chiaki" <ishikawa@yk.rim.or.jp>
Mon, 29 Jun 2020 07:22:08 +0900
A recently found vulnerability, called Ripple20, of an IP stack software
created by Treck, may literally affect billion devices.

The IP stack originally developed by Treck is meant for embedded devices and
runs on embedded OS, such as real-time OS.  It is also marketed by a
Japanese company Zuken Elmic after the joint development diverged.

Looking at the few advisories [1][2] and the original report by JSOF [3], an
Israeli company which first reported the vulnerability, one can't ignore the
fact that so many companies already published a list of devices affected by
the vulnerability.  HP and HP enterprise, for example, alone listed
printers, notebook and desktop PCs, and workstations.  I don't have the
marketing figure handy, but the list includes popular models and so I think
it could be millions of devices(?)  Finding names like Aruba, Cisco among
companies whose products are affected was a surprise to me. These companies
are known for the networking software. But they used third party network
stack for certain products, obviously.

As a matter of fact, I once used the early version of the stack from Elmic
(a Japanese company before it was bought by Zuken).  It was an old version
in the early 2000s.  I am a bit concerned since some partner companies used
the stack back then for prototyping.  At the time, it was one of the few IP
stacks for embedded devices that had the support of IPv6.

I am afraid the list of Japanese companies whose products are affected may
grow.  I suspect the response may be slow due to the Covid-19 outbreak and many
people working from home. Zuken Elmic web page (in Japanese) claimed the stack,
marketed under the name of Kasago,  has been used by 300 companies for 500
different products.[5] Ouch.

Last year's Urgent/11 [4] was also bad, but Ripple20 may turn out to be
worse according to already reported products.

We may see more of these vulnerabilities in the future now that the security
community turns its eyes toward the embedded device domain.

[1] Treck IP stacks contain multiple vulnerabilities, CERT/CC,
    https://kb.cert.org/vuls/id/257161
[2] ICS Advisory (ICSA-20-168-01) - Treck TCP/IP Stack,
    https://www.us-cert.gov/ics/advisories/icsa-20-168-01
[3] Ripple20 - 19 Zero-Day Vulnerabilities Amplified by the Supply Chain, JSOF,
    https://www.jsof-tech.com/ripple20/
[4] URGENT/11 - UPDATE: URGENT/11 affects additional RTOSs - Highlights Risks on Medical Devices, ARMIS,
    https://www.armis.com/urgent11/
[5] KASAGO®IPv4、KASAGO®IPv4Light,
    https://www.elwsc.co.jp/wp-content/uploads/2020/02/KASAGOv4_201912.pdf


Security breach impacts Maine State Police database (BostonGlobe)

Monty Solomon <monty@roscom.com>
Sun, 28 Jun 2020 09:54:45 -0400
State police said the most common documents shared on the database are crime
information and situational awareness bulletins.

https://www.boston.com/news/local-news/2020/06/27/security-breach-impacts-maine-state-police-database


How a Good Scam Can Bypass Our Defences (Bruce Grierson)

"Matthew Kruk" <mkrukg@gmail.com>
Sat, 27 Jun 2020 16:46:26 -0600
Bruce Grierson:

Cons exploit our cognitive biases. I learned the hard way that some of us
are more vulnerable than others

The email popped up on my screen at 6:45 a.m. on December 24. I'd already
been up for a couple of hours, working to deadline. It was from someone I
know quite well: the minister of the North Shore Unitarian Church, which we
attend.

"I need a favor from you," the message said. "Email me as soon as you get my
message."

"Ahoy Ron," I replied.

A friend was in the hospital battling cancer, he said, and he'd just learned
she was scheduled for surgery tonight. Could I possibly pick up some iTunes
gift cards? "She needs the cards to download her favorite music and videos
to boost her confidence on her next phase of surgery." He'd do it himself,
but he was tied up, he explained. "I will surely reimburse you as soon as I
can." [...]

https://thewalrus.ca/how-a-good-scam-can-bypass-our-defenses/


E-Commerce Site Hackers Now Hiding Credit Card Stealer Inside Image Metadata (The Hacker News)

the keyboard of geoff goodfellow <geoff@iconia.com>
Mon, 29 Jun 2020 09:27:50 -1000
In what's one of the most innovative hacking campaigns, cybercrime gangs are
now hiding malicious code implants in the metadata of image files to
covertly steal payment card information entered by visitors on the hacked
websites.

"We found skimming code hidden within the metadata of an image file (a form
of steganography) and surreptitiously loaded by compromised online stores,"
Malwarebytes researchers said last week.
<https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/>

"This scheme would not be complete without yet another interesting variation
to exfiltrate stolen credit card data. Once again, criminals used the
disguise of an image file to collect their loot."

The evolving tactic of the operation, widely known as web skimming or a
Magecart attack, comes as bad actors are finding different ways to inject
JavaScript scripts, including misconfigured AWS S3 data storage buckets
<https://thehackernews.com/2020/06/magecart-skimmer-amazon.html> and
exploiting content security policy to transmit data to a Google Analytics
account under their control
<https://thehackernews.com/2020/06/google-analytics-hacking.html>.

Using Steganography to Hide Skimmer Code in EXIF...
[...]
https://thehackernews.com/2020/06/image-credit-card-skimmers.html
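
A defender-side check for the technique reported in this item, as an added example that is not part of the original post or of the Malwarebytes report: it walks the metadata segments of a JPEG and flags script-like content. The token list, the function names and both sample byte strings are assumptions constructed for illustration.

```python
import re
import struct

# Heuristic tokens (an assumption of this example) that legitimate image
# metadata rarely contains but JavaScript loaders commonly do.
SCRIPT_HINTS = re.compile(
    rb"<script|eval\s*\(|atob\s*\(|fromCharCode|new\s+Function|XMLHttpRequest",
    re.IGNORECASE,
)

# JPEG segments that carry free-form metadata: APP1 (EXIF/XMP), APP13 (IPTC), COM.
METADATA_MARKERS = {0xE1: "APP1", 0xED: "APP13", 0xFE: "COM"}
STANDALONE = set(range(0xD0, 0xD8)) | {0x01}  # markers without a length field


def jpeg_metadata_segments(data: bytes):
    """Yield (segment_name, payload) for each metadata segment before image data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"corrupt segment header at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            continue
        if marker in (0xDA, 0xD9):    # SOS or EOI: header section is over
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        if marker in METADATA_MARKERS:
            yield METADATA_MARKERS[marker], data[pos + 4:pos + 2 + length]
        pos += 2 + length


def scan_image(data: bytes):
    """Return [(segment_name, matched_token), ...] for script-like metadata."""
    findings = []
    for name, payload in jpeg_metadata_segments(data):
        for match in SCRIPT_HINTS.finditer(payload):
            findings.append((name, match.group(0).decode("ascii").lower()))
    return findings


def segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG segment (used only for the constructed samples below)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples: header-only byte strings, not decodable pictures.
JFIF = segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
TAIL = b"\xff\xda\x00\x02\xff\xd9"
CLEAN_SAMPLE = (b"\xff\xd8" + JFIF
                + segment(0xE1, b"Exif\x00\x00Copyright 2020 Example Store") + TAIL)
SUSPICIOUS_SAMPLE = (b"\xff\xd8" + JFIF
                     + segment(0xE1, b'Exif\x00\x00eval(atob("Y29uc3RydWN0ZWQ="))') + TAIL)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(label, scan_image(blob))
```

A hit is a reason to inspect the file and the page that loads it, not proof of compromise; the token list is deliberately small and can match benign text.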


Moroccan Journalist Targeted With Network Injection Attacks Using NSO Groups Tools (Amnesty International)

Monty Solomon <monty@roscom.com>
Sun, 28 Jun 2020 10:16:21 -0400
Amnesty International, 22 June 2020

In October 2019 Amnesty International published a first report on the use of
spyware produced by Israeli company NSO Group against Moroccan human rights
defenders Maati Monjib and Abdessadak El Bouchattaoui. Through our continued
investigation, Amnesty International's Security Lab identified similar
evidence of the targeting of Omar Radi, a prominent activist and journalist
from Morocco from January 2019 until the end of January 2020.

Evidence gathered through our technical analysis of Omar Radi's iPhone
revealed traces of the same “network injection” attacks we described in our
earlier report that were used against Maati Monjib. This provides strong
evidence linking these attacks to NSO Group's tools.

These findings are especially significant because Omar Radi was targeted
just three days after NSO Group released its human rights policy. These
attacks continued after the company became aware of Amnesty International's
first report that provided evidence of the targeted attacks in Morocco. This
investigation thus demonstrates NSO Group's continued failure to conduct
adequate human rights due diligence and the inefficacy of its own human
rights policy.

https://www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/


Netgear moves to plug vulnerability in routers after researchers find zero-day (Sean Lyngaas)

ACM TechNews <technews-editor@acm.org>
Mon, 29 Jun 2020 12:32:09 -0400 (EDT)
Sean Lyngaas, CyberScoop, 17 Jun, via ACM TechNews; Monday, June 29, 2020

Netgear said it is close to releasing a patch for a newly discovered
software vulnerability that could enable hackers to remotely exploit home
Internet routers and potentially access devices running on those networks.
The cybersecurity company GRIMM and Trend Micro's Zero Day Initiative (ZDI)
reported the vulnerability. GRIMM's Adam Nichols said his team detected a
vulnerable copy of a Web server on the router in 79 different Netgear
devices.  He noted that a hacker does not necessarily need to be on a Wi-Fi
network to launch an attack. Researchers said the vulnerability affects a
version of Netgear firmware dating to 2007. ZDI first reported the bug to
Netgear in January, delaying its analysis so Netgear could address the
issue.  It published its findings on June 15 to raise awareness after
Netgear requested multiple extensions for releasing a fix. Netgear said the
patch has been delayed by the pandemic.
https://orange.hosting.lsoft.com/trk/click?ref=3Dznwrbbrs9_6-25ccax223244x067564&


TikTok and 53 other iOS apps STILL snoop your sensitive clipboard data (Ars Technica)

geoff goodfellow <geoff@iconia.com>
Mon, 29 Jun 2020 09:26:50 -1000
Passwords, bitcoin addresses, and anything else in clipboards are free for
the taking.

In March, researchers uncovered a troubling privacy grab by more than four
dozen iOS apps including TikTok, the Chinese-owned social media and
video-sharing phenomenon that has taken the Internet by storm. Despite
TikTok vowing to curb the practice, it continues to access some of Apple
users' most sensitive data, which can include passwords,
cryptocurrency wallet addresses, account-reset links, and personal
messages. Another 53 apps identified in March haven't stopped either.

The privacy invasion is the result of the apps repeatedly reading any text
that happens to reside in clipboards, which computers and other devices use
to store data that has been cut or copied from things like password
managers and email programs. With no clear reason for doing so, researchers
Talal Haj Bakry and Tommy Mysk found
<https://www.mysk.blog/2020/03/10/popular-iphone-and-ipad-apps-snooping-on-the-pasteboard/>,
the apps deliberately called an iOS programming interface that retrieves
text from users' clipboards.

Universal snooping

In many cases, the covert reading isn't limited to data stored on the local
device. In the event the iPhone or iPad uses the same Apple ID as other
Apple devices and are within roughly 10 feet of each other, all of them
share a universal clipboard <https://support.apple.com/en-us/HT209460>,
meaning contents can be copied from the app of one device and pasted into
an app running on a separate device.

That leaves open the possibility that an app on an iPhone will read
sensitive data on the clipboards of other connected devices. This could
include bitcoin addresses, passwords, or email messages that are
temporarily stored on the clipboard of a nearby Mac or iPad. Despite
running on a separate device, the iOS apps can easily read the sensitive
data stored on the other machines.

"It's very, very dangerous," Mysk said in an interview on Friday, referring
to the apps' indiscriminate reading of clipboard data. "These apps are
reading clipboards, and there's no reason to do this. An app that doesn't
have a text field to enter text has no reason to read clipboard text."

The video below demonstrates universal clipboard reading:  [...]
https://arstechnica.com/gadgets/2020/06/tiktok-and-53-other-ios-apps-still-snoop-your-sensitive-clipboard-data/


Zoom chats short circuit a brain function essential for trust—and that's bad for business (Don Pittis)

"Matthew Kruk" <mkrukg@gmail.com>
Mon, 29 Jun 2020 06:59:22 -0600
In-person encounters are crucial for establishing trust and building
successful teams, according to research

Ever get the sense there is something vital missing on those Zoom meetings?
If so, you're not alone -- and there is Canadian science to back you up.

As political and business leaders push to reopen the economy hoping to get
restaurants, retailers and factories making money again, there may be good
economic reasons for putting at least some of the work-from-home crowd back
into the office as fast as it's safe to do so.

Canadian research on "computer-mediated communication," begun long before
the current lockdown, shows video chat is an inadequate substitute for
real-life interaction. The real thing, dependent on non-verbal cues, is
extraordinarily more effective in creating rapport and getting ideas across.

https://www.cbc.ca/news/business/zoom-trust-business-pandemic-1.5628638


EFF & Heavyweight Legal Team Will Defend Internet Archive's Digital Library Against Publishers (Andy Maxwell)

Dewayne Hendricks <dewayne@warpspeed.com>
June 28, 2020 20:35:32 JST
Andy Maxwell, Torrent Freak,  Jun 26 2020 (via Dave Farber)
<https://torrentfreak.com/eff-heavyweight-legal-team-will-defend-internet-archives-digital-library-against-publishers-200626/>

The EFF has revealed it is teaming up with law firm Durie Tangri to defend
the Internet Archive against a lawsuit targeting its Open Library. According
to court filings, the impending storm is shaping up to be a battle of the
giants, with opposing attorneys having previously defended Google in book
scanning cases and won a $1bn verdict for the RIAA against ISP Cox.

In March and faced with the chaos caused by the coronavirus pandemic, the
Internet Archive (IA) launched its National Emergency Library (NEL)

Built on its existing Open Library, the NEL provided users with unlimited
borrowing of more than a million books, something which the IA hoped would
help *displaced learners* restricted by quarantine measures.

Publishers Sue Internet Archive

After making a lot of noise in opposition to both the Open and Emergency
libraries, publishers Hachette, HarperCollins, John Wiley and Penguin Random
House filed a massive copyright infringement lawsuit against the Internet
Archive.

Declaring the libraries little more than `pirate' services that have no
right to scan books and lend them out, even in a controlled fashion, the
publishers bemoaned the direct threat to their businesses and demanded
millions of dollars in statutory damages.

Earlier this month the IA announced the early closure of the NEL, with IA
founder Brewster Kahle calling for an end to litigation and the start of
cooperation. There are no public signs of either. Indeed, the opposing sides
are preparing for action.

EFF and Attorneys Team Up to Defend IA

Last evening the EFF announced that it is joining forces with
California-based law firm Durie Tangri to defend the Internet Archive
against a lawsuit which they say is a threat to IA's Controlled Digital
Lending (CDL) program.

The CDL program allows people to check out scanned copies of books for which
the IA and its partners can produce physically-owned copies. The publishers
clearly have a major problem with the system but according to IA and EFF,
the service is no different from that offered by other libraries.

"EFF is proud to stand with the Archive and protect this important public
service," says EFF Legal Director Corynne McSherry.  "Controlled digital
lending helps get books to teachers, children and the general public at a
time when that is more needed and more difficult than ever. It is no threat
to any publisher's bottom line."  [... PGN-truncated]


Re: 40 milliseconds to go halfway around the Earth? *NOT* (Bacon, RISKS-32.05)

Fred Cohen <fc@all.net>
Sun, 28 Jun 2020 07:10:51 -0700
Today the "lie" travels around the globe in 40 milliseconds, and is
solidified by, and enhanced in, each retelling.

Hmmm....

  40 milliseconds = 4*10^-2
  Speed of light... 3*10^8 meters/second
  Distance in 40 msec = 12,000,000 meters (1.2*10^7)
  Circumference of the Earth (pole to pole in meters) ~40,000,000 (4*10^7)
  Half way around the world = 20,000,000 meters.

40 ms is really only about a quarter of the way around the Earth—at the
speed of light!  Note that since radio can go all directions you could
perhaps cover half the Earth by going in all directions.  HOWEVER, lies
typically travel via Internet, where routers typically slow things down
considerably.  If you actually try to get packets half way around the world
(e.g., from California to Mumbai) you will find that routing takes lots of
additional time:

> traceroute mu.ac.in
traceroute to mu.ac.in (14.139.125.195), 30 hops max, 60 byte packets
  1  10.0.2.1 (10.0.2.1)  0.513 ms  0.818 ms  0.793 ms
  2  192.168.1.254 (192.168.1.254)  2.539 ms  2.512 ms  2.486 ms
  3  162-200-148-1.lightspeed.mtryca.sbcglobal.net (162.200.148.1) 6.802 ms  7.207 ms  7.696 ms
  4  99.161.44.106 (99.161.44.106)  8.041 ms  8.533 ms  17.439 ms
  5  * * *
  6  12.83.47.137 (12.83.47.137)  19.002 ms  8.016 ms  8.152 ms
  7  sffca402igs.ip.att.net (12.122.114.29)  13.986 ms  15.078 ms 14.440 ms
  8  192.205.37.58 (192.205.37.58)  16.560 ms  16.911 ms  17.543 ms
  9  ae-9.r24.snjsca04.us.bb.gin.ntt.net (129.250.2.2)  15.533 ms 15.869 ms  24.884 ms
...

I should note that the "lie" (40ms) spread by RISKS got around the World
literally before I got my pants on this morning, and to get the truth out
will likely take days before it is even sent out by RISKS.

One more note. The lie also has to get from someone's brain (or some
mechanism's mechanism) and into someone (or something) else's brain
(mechanism), and while getting lies out may be pretty quick, penetrating the
brain to the point where the meme is formed in the recipient also takes
considerable time relative to 40ms.


Re: 0.5% of coronavirus stimulus checks went to dead people according to the GAO (Goldberg, RISKS-32.04)

James Cloos <cloos@jhcloos.com>
Sun, 28 Jun 2020 15:49:02 -0400
Given that the stimulus is a refundable discount on 2020 income tax, any
estate that is open and could file a 2020 1040 is due the stimulus anyway.

So there was nothing at all wrong with his estate receiving it.

And the same for probably most of the estates which received them.

The article is an example of low quality journalism.


Re: Smells Fishy? The Fish That Prevent Iran From (via GG)

Michael Grant <mgrant@grant.org>
Sat, Jun 27, 2020 at 10:36 AM
Here's a great little experiment that I encourage everyone to do!
Next time you're at the swimming pool and you see the lifeguard
testing the chlorine level in the pool, kindly ask them if they would mind
testing the water in the drinking fountain.

Last time I did this in Washington DC, the lifeguard was so astonished that
he had to do the reading 3 times.  He showed me that the levels of chlorine
in the Washington DC water were in the danger zone, all the way at the top
of his chart!  He said if the water was in the pool, he'd have to take
everyone out of the pool!


Re: Smells Fishy? The Fish That Prevent Iran From Hacking Israel's Water System (RISKS-32.04)

Phil Nasadowski <pnasadowski@pcsintegrators.com>
Sun, 28 Jun 2020 12:38:04 -0400
Geoff Kuenning <geoff@cs.hmc.edu> brings up some very valid points.  Having
15 years experience in water/wastewaters controls (and by no means saying
his views are invalid in any way, they certainly are valid), I'd like to
point out that even in "major metropolitan areas", in the suburbs, the
amount of remote control over chlorine injection is often "none".  As a
matter of fact, a lot of operations prefer this, because if there's
something wrong, they WANT the operator on duty to go out and check the
station.  (Naturally, notification often comes via a SCADA system which has
stupidly poor security 99% of the time.  Sometimes notification comes when
the call center is flooded with angry calls from residents with bad water.)

That assumes there's even computerized control over chemical injection.
Most places, it's a simple pump, sitting on a chemical tank, that gets set
and left that way, until the flow changes.  If the flow is computer
controlled, the operator has the ability to remotely stop the well, assuming
that the relay-based hard logic mandated in (some) places doesn't stop the
out of control chemical injection, first.

It won't stop against a Stuxnet kind of attack (and I'm sure others I can't
think of, never mind just breaking into the station and turning the knob on
the pump up all the way), but it's some hope...Until something else comes
along that nobody thought of.

Years ago, a few vendors were offering systems that were basically
electronic fishtanks.  I don't think really anyone took the bait...

Philip Nasadowski, Chief Engineer, PCS Integrators (973) 575-7464 x155


Quote of The Day (George Orwell, 1984)

the keyboard of geoff goodfellow <geoff@iconia.com>
Sun, 28 Jun 2020 10:42:24 -1000
  "Every book has been rewritten, every picture has been repainted, every
  statue and street and building has been renamed, every date has been
  altered...History has stopped. Nothing exists except an endless present in
  which the Party is always right."

https://twitter.com/benshapiro/status/1275045608106209281
