The RISKS Digest
Volume 32 Issue 76

Saturday, 10th July 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

RFI on scientific integrity
White House OSTP
A code grabber is a device that can capture a radio signal from a vehicle's key fob, analyze it and replicate
geoff goodfellow
Social-credit score system for Germany
Vorausschau
Developer Infinidash joke ends up as job requirement
The Register
Europe makes the case to ban biometric surveillance
Matt Burgess
Some locals say a bitcoin mining operation is ruining one of the Finger Lakes. Here's how.
NBC News
Researchers examine burden of electronic health record on primary care clinicians
medicalxpress.com
How California's new Digital Vaccine Records can be easily abused
EFF
NY's "Excelsior" vaccine "passport" is a mess
TechReview
Microsoft's Emergency Patch Fails to Fully Fix PrintNightmare RCE Vulnerability
MS
Human Risk Management /HRM/ is the FIX.
The Hacker News
Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software
Krebs on Security
Cell phones and cancer: New UC Berkeley study suggests cell phones sharply increase tumor risk
KTVU
GOP Congressman in leaked video: "We want chaos and inability to get things done for the next 18 months!"
Common Dreams
Re: Supreme Court sides with credit agency
Richard Stein, Stanley Chow
Info on RISKS (comp.risks)

RFI on scientific integrity (White House OSTP)

Peter G Neumann <neumann@csl.sri.com>
Mon, 5 Jul 2021 19:56:58 PDT
  [For the entire history of the ACM Risks Forum, we have sought integrity
  and trustworthiness in scientific and engineering efforts, and what we
  might be able to do to ensure it.  This may be the first government RFI to
  be included in RISKS, but it seems to be exactly in our wheelhouse.  I
  believe our International audience might want to respond, as well as those
  in the U.S.  PGN]

The White House Office of Science and Technology Policy (OSTP) seeks
information by 28 July 2021 to help improve the effectiveness of Federal
scientific integrity policies to enhance public trust in science. The
January 27, 2021 Presidential Memorandum on Restoring Trust in Government
Through Scientific Integrity and Evidence-Based Policymaking (Memorandum)
directs OSTP to convene an inter-agency task force under the National Science
and Technology Council to review the effectiveness of policies developed
since the issuance of the Presidential Memorandum on scientific integrity
issued on March 9, 2009 in preventing improper political interference in the
conduct of scientific research and the collection of data; preventing the
suppression or distortion of findings, data, information, conclusions, or
technical results; supporting scientists and researchers of all genders,
races, ethnicities, and backgrounds; and advancing the equitable delivery of
the Federal Government's programs. To support this assessment, OSTP seeks
information about: (1) The effectiveness of Federal scientific integrity
policies and needed areas of improvement; (2) good practices Federal
agencies could adopt to improve scientific integrity, including in the
communication of scientific information, addressing emerging technologies
and evolving scientific practices, supporting professional development of
Federal scientists, and promoting transparency in the implementation of
agency scientific integrity policies; and (3) other topics or concerns that
Federal scientific integrity policies should address. Please note the
purpose of this RFI is not to receive reports on alleged offenses that are
in violation of Federal scientific integrity policies. If you have witnessed
or experienced any harmful acts that may undermine scientific integrity and
you would like to report these allegations, please contact the Scientific
Integrity Officer or Office of the Inspector General at the relevant Federal
agency.

https://www.federalregister.gov/documents/2021/06/28/2021-13640/request-for-information-to-improve-federal-scientific-integrity-policies


A code grabber is a device that can capture a radio signal from a vehicle's key fob, analyze it and replicate

geoff goodfellow <geoff@iconia.com>
Mon, 5 Jul 2021 12:37:23 -1000
And here is the code grabber hidden in the Game Boy case.

https://twitter.com/it4sec/status/1411902542993412096


Social-credit score system for Germany (Vorausschau)

Thomas Koenig <tkoenig@netcologne.de>
Mon, 5 Jul 2021 08:46:32 +0200
The German ministry for education and science (BMBF) has published a study
in which it puts forward a Chinese-style social credit system for Germany.

A translated quote from the long version on an official BMBF site,
https://www.vorausschau.de/vorausschau/de/home/home_node.html#zukuenfte (the
web site's design is atrocious; trying to find the information is quite
difficult):

  “Highly controversial at the beginning, the bonus point system is largely
  accepted in the 2030s.  It establishes new norms in everyday life that
  were not possible before.  The participatory development of the rules also
  ensures greater acceptance among the population. Approval of the bonus
  system is growing, particularly in view of the increasing dynamics of
  climate change. A point-based evaluation, for example of the ecological
  footprint, helps to make the polluter-pays principle transparent.”

Participation in the point system would be voluntary in the sense that not
participating would bring very real drawbacks. Another quote:

  “The bonus system is also helpful for the labor market, which continues
  to suffer from a shortage of skilled workers. It helps to identify
  qualification potential and efficiently organize the spatial mobility of
  the workforce.”

So, not participating would lead to lower chances of getting a job.

China is explicitly mentioned as a role model.


Developer Infinidash joke ends up as job requirement (The Register)

Peter Houppermans <peter@houppermans.net>
Mon, 5 Jul 2021 11:18:19 +0200
From https://www.theregister.com/2021/07/05/infinidash/

  “A tweeted musing that merely mentioning a new AWS product would be
  enough to see it appear in job ads has come true—even though the product
  mentioned is made up.”

Amusingly, enough people picked up the joke and ran with it (my personal
favourite was the announcement of an *O RLY* book) for it to indeed expose
quite a few bandwagons, not in the least the aforementioned job specs which
have long demonstrated a remarkable ability to remain disconnected from
reality.

Entertaining - and educational.


Europe makes the case to ban biometric surveillance (Matt Burgess)

Peter G Neumann <neumann@csl.sri.com>
Thu, 8 Jul 2021 19:40:11 PDT
Matt Burgess, WiReD, 7 Jul 2021

Companies are racing to track your emotions, how you walk and your
voiceprint.  Should Europe ban biometric tracking entirely?

Your body is a data goldmine. From the way you look to how you think and
feel, firms working in the burgeoning biometrics industry are developing new
and alarming ways to track everything we do. And, in many cases, you may not
even know you're being tracked.  But the biometrics business is on a
collision course with Europe's leading data protection experts. Both the
European Data Protection Supervisor, which acts as the EU's independent data
body, and the European Data Protection Board, which helps countries
implement GDPR consistently, have called for a total ban on using AI to
automatically recognise people. [...]

https://www.wired.co.uk/article/europe-ai-biometrics


Some locals say a bitcoin mining operation is ruining one of the Finger Lakes. Here's how. (NBC News)

"Lauren Weinstein" <lauren@vortex.com>
Tue, 6 Jul 2021 15:07:19 -0700
[Why is this still legal?]

https://www.nbcnews.com/science/environment/some-locals-say-bitcoin-mining-operation-ruining-one-finger-lakes-n1272938?cid=sm_npd_nn_tw_ma


Researchers examine burden of electronic health record on primary care clinicians (medicalxpress.com)

"Richard Stein" <rmstein@ieee.org>
Sat, 10 Jul 2021 09:43:30 +0800
https://medicalxpress.com/news/2021-07-burden-electronic-health-primary-clinicians.html

Health record data entry by physicians interferes with patient quality of
care. Data entry streamlines healthcare billing, but should it be
prioritized over positive patient outcome? Apparently yes.

What can be done to mitigate this conflict?

"Virtual or AI-powered scribes could reduce the burden of note-taking across
primary care specialties and can be evaluated in future studies, the authors
state. Interventions that streamline messaging and placing orders are also
research priorities."

Naturally enough, these medical incidents are known to arise from
old-fashioned, hands-on medicine. How common are these medical errors?

The abstract from "Your Health Care May Kill You: Medical Errors," via
https://pubmed.ncbi.nlm.nih.gov/28186008/ from Stud Health Technol Inform
2017;234:13-17.

"Recent studies of medical errors have estimated errors may account for as
many as 251,000 deaths annually in the United States (U.S)., making medical
errors the third leading cause of death. Error rates are significantly
higher in the U.S. than in other developed countries such as Canada,
Australia, New Zealand, Germany and the United Kingdom (U.K)."

I wonder if AI-driven prescriptions will go haywire? Or the wrong diagnostic
procedure will be ordered and performed? Fortunately, the
pneumoencephalogram (https://en.wikipedia.org/wiki/Pneumoencephalography)
has been retired.

  [I almost misread this as pneumann ... has been retired.  PNeumann]


How California's new Digital Vaccine Records can be easily abused (EFF)

"Lauren Weinstein" <lauren@vortex.com>
Thu, 8 Jul 2021 13:18:34 -0700
https://www.eff.org/deeplinks/2021/06/decoding-californias-new-digital-vaccine-records-and-potential-dangers


NY's "Excelsior" vaccine "passport" is a mess (TechReview)

"Lauren Weinstein" <lauren@vortex.com>
Wed, 7 Jul 2021 08:34:15 -0700
Just say no. -L

https://www.technologyreview.com/2021/07/06/1027770/vaccine-passport-new-york-excelsior-pass/


Microsoft's Emergency Patch Fails to Fully Fix PrintNightmare RCE Vulnerability (MS)

geoff goodfellow <geoff@iconia.com>
Wed, 7 Jul 2021 19:03:09 -1000
Even as Microsoft *expanded patches*
https://docs.microsoft.com/en-us/windows/release-health/windows-message-center
for the so-called PrintNightmare vulnerability for Windows 10 version 1607,
Windows Server 2012, and Windows Server 2016, it has come to light that the
patch for the remote code execution exploit in the Windows Print Spooler
service can be bypassed in certain scenarios, effectively defeating the
security protections and permitting attackers to run arbitrary code on
infected systems.

On Tuesday, the Windows maker issued an *emergency out-of-band update*
<https://thehackernews.com/2021/07/microsoft-issues-emergency-patch-for.html>
to address *CVE-2021-34527*
<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html> (CVSS
score: 8.8) after the flaw was accidentally disclosed by researchers from
Hong Kong-based cybersecurity firm Sangfor late last month, at which point
it emerged that the issue was different from another bug—tracked as
CVE-2021-1675—that was patched by Microsoft on June 8.
<https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html>

"Several days ago, two security vulnerabilities were found in Microsoft
Windows' existing printing mechanism," Yaniv Balmas, head of cyber-research
at Check Point, told The Hacker News. "These vulnerabilities enable a
malicious attacker to gain full control on all windows environments that
enable printing."

"These are mostly working stations but, at times, this relates to entire
servers that are an integral part of very popular organizational networks.
Microsoft classified these vulnerabilities as critical, but when they were
published they were able to fix only one of them, leaving the door open for
explorations of the second vulnerability," Balmas added.  [...]
https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html


Human Risk Management /HRM/ is the FIX. (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Thu, 8 Jul 2021 11:01:15 -1000
Humans are an organization's strongest defence against evolving
cyber-threats, but security awareness training alone often isn't enough to
transform user behaviour.

Human Risk Management (HRM) is the FIX.

Check out this new guide from @getusecure:  [...]
https://thehackernews.com/2021/07/security-awareness-training-is-broken.html
via
https://twitter.com/TheHackersNews/status/1413158374057730052


Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software (Krebs on Security)

geoff goodfellow <geoff@iconia.com>
Thu, 8 Jul 2021 11:03:15 -1000
Last week cybercriminals deployed ransomware to 1,500 organizations that
provide IT security and technical support to many other companies. The
attackers exploited a vulnerability in software from *Kaseya*, a
Miami-based company whose products help system administrators manage large
networks remotely. Now it appears Kaseya’s customer service portal was left
vulnerable until last week to a data-leaking security flaw that was first
identified in the same software six years ago.

On July 3, the REvil ransomware affiliate program
<https://krebsonsecurity.com/?s=revil> began using a zero-day security hole
(CVE-2021-30116
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30116>) to deploy
ransomware to hundreds of IT management companies running Kaseya’s remote
management software—known as the *Kaseya Virtual System Administrator*
(VSA).

According to this entry for CVE-2021-30116
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30116>, the
security flaw that powers that Kaseya VSA zero-day was assigned a
vulnerability number on April 2, 2021, indicating Kaseya had roughly three
months to address the bug before it was exploited in the wild
<https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/>.

Also on July 3, security incident response firm *Mandiant* notified Kaseya
that their billing and customer support site—*portal.kaseya.net
<http://portal.kaseya.net>*—was vulnerable to CVE-2015-2862
<https://nvd.nist.gov/vuln/detail/CVE-2015-2862>, a “directory traversal”
vulnerability in Kaseya VSA that allows remote users to read any files on
the server using nothing more than a Web browser.

As its name suggests, CVE-2015-2862 was issued in July 2015. Six years
later, Kaseya’s customer portal was still exposed to the data-leaking
weakness. [...]

https://krebsonsecurity.com/2021/07/kaseya-left-customer-portal-vulnerable-to-2015-flaw-in-its-own-software/
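As an added illustration of the directory-traversal class named in the Mandiant finding (this is not code from Kaseya, Krebs on Security or this digest), the Python below keeps a requested URL path under a document root by lexical normalisation and then runs the same check over access-log lines to flag requests that would have escaped the root. The document root and the log lines are constructed for the example.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed document root for the example; not a Kaseya path.
DOC_ROOT = "/srv/portal/public"


def normalise_request_path(raw: str) -> str:
    """Decode and lexically normalise a URL path, with no filesystem access.

    Percent-decoding runs twice to catch double encoding (%252e -> %2e -> .),
    backslashes count as separators (Windows hosts), and '.'/'..' collapse.
    """
    decoded = unquote(unquote(raw)).replace("\\", "/")
    return posixpath.normpath(decoded.lstrip("/"))


def resolve_under_root(raw: str, root: str = DOC_ROOT) -> Optional[str]:
    """Return the path to serve, or None when the request would escape root."""
    rel = normalise_request_path(raw)
    if rel == ".." or rel.startswith("../"):
        return None          # any surviving '..' means it climbed above root
    if rel == ".":
        rel = "index.html"   # bare "/" maps to the index document
    return posixpath.join(root, rel)


# Constructed access-log lines (not from the incident), common log format.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jul/2021:10:00:01 +0000] "GET /images/logo.png HTTP/1.1" 200 4120
203.0.113.5 - - [03/Jul/2021:10:00:02 +0000] "GET /docs/../help/index.html HTTP/1.1" 200 812
198.51.100.7 - - [03/Jul/2021:10:00:03 +0000] "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1337
198.51.100.7 - - [03/Jul/2021:10:00:04 +0000] "GET /..%5c..%5cwindows%5cwin.ini HTTP/1.1" 404 0
198.51.100.7 - - [03/Jul/2021:10:00:05 +0000] "GET /%252e%252e/config.xml HTTP/1.1" 200 2201
"""

REQ_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def find_traversal_attempts(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, raw path, status) for requests that would escape DOC_ROOT.

    A 200 on a flagged line is the one to page on: the server may have
    served a file from outside the web root instead of rejecting it.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if m and resolve_under_root(m["path"]) is None:
            hits.append((m["ip"], m["path"], m["status"]))
    return hits
```

The same `resolve_under_root` check belongs in the file-serving handler itself; the log scan only shows what a lenient server would already have served.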


Cell phones and cancer: New UC Berkeley study suggests cell phones sharply increase tumor risk (KTVU)

geoff goodfellow <geoff@iconia.com>
Wed, 7 Jul 2021 08:37:59 -1000
New UC Berkeley research draws a strong link between cell phone radiation
and tumors, particularly in the brain.

Researchers took a comprehensive look at statistical findings from 46
different studies around the globe and found that the use of a cell phone
for more than 1,000 hours, or about 17 minutes a day over a ten year
period, increased the risk of tumors by 60 percent.

Researchers also pointed to findings that showed cell phone use for 10 or
more years doubled the risk of brain tumors.

*Joel Moskowitz* <https://publichealth.berkeley.edu/people/joel-moskowitz/>,
director of the Center for Family and Community Health with the *UC Berkeley
School of Public Health* <https://publichealth.berkeley.edu/>, conducted the
research in partnership with Korea’s National Cancer Center, and Seoul
National University. Their analysis took a comprehensive look at
statistical findings from case control studies from 16 countries including
the U.S., Sweden, United Kingdom, Japan, Korea, and New Zealand.  [...]
https://www.ktvu.com/news/new-uc-berkeley-study-draws-strong-link-between-cell-phone-use-and-cancer


GOP Congressman in leaked video: "We want chaos and inability to get things done for the next 18 months!" (Common Dreams)

"Lauren Weinstein" <lauren@vortex.com>
Wed, 7 Jul 2021 15:32:43 -0700
https://www.commondreams.org/news/2021/07/07/leaked-video-gop-congressman-admits-his-party-wants-chaos-and-inability-get-stuff


Re: Supreme Court sides with credit agency (WashPost, RISKS-32.75)

"Richard Stein" <rmstein@ieee.org>
Mon, 5 Jul 2021 13:20:58 +0800
  [Hi Steven—My concern was only hypothetical.]

Suppose the TransUnion data were breached, and certain parties had chosen to
weaponize or exploit it?

Those unfortunate 8K folks might experience palpable consequences: reduced
job eligibility, stigmatization, etc. until or unless they could exonerate
themselves by attempting to restore reputation.

Gives one pause about profiling activities in general, and the lists of
values/attribute labels contained in profiles.

History suggests the global data breach pandemic is unlikely to subside.
Consequences and risks compound with each case.


Re: Supreme Court sides with credit agency (Klein, RISKS-32.75)

"Stanley Chow" <stanley.chow@pobox.com>
Mon, 5 Jul 2021 10:52:28 -0400
In Risks 32.75, Steve Klein points out that we shouldn't get excited about
the U.S. Supreme court decision siding with the credit agency for SOME
PEOPLE—because "... faulty records that were never shared ...  could not
have suffered any damages."

I am not a lawyer and have not read the decision, but it sounds like:

 1. Someone has a loaded gun pointed to my head.
 2. The trigger will be pulled - as soon as some random user pays $10
    (or whatever fee they charge).
 3. The courts cannot do anything until the trigger is pulled.
 4. So, after I am dead (or my life is ruined), the courts MAY fine the
    credit agency some nominal amount.

Is this as f**ked up as it sounds?
