The RISKS Digest
Volume 32 Issue 85

Wednesday, 1st September 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Tesla on autopilot smashes into police car helping motorist at side of road
CNN
Toyota suspends use of self-driving vehicle in Olympic Village after collision with Paralympic athlete
CNN
'Copilot' "highly likely" to introduce bugs and vulnerabilities
Techradar
Keeping Your Family Safe From Vehicle Rollaways
NBC4 WashDC
Lights Flickered in New York City. Why Did the Subways Grind to a Halt?
NYTimes
Fraud Alert: Malicious QR Codes Now Used by Online Scammers
Washington Consumers' Checkbook
A Fix for Ransomeware Attacks
Paul Rosenzweig
Falsehoods diminish trust in Califonia recall vote
Kaylee Fagan
Manned Mars mission viable if it doesn't exceed four years, concludes international research team
phys.org
Lying with statistics
Ars Technica
Iceland has reported more cases in the past month than they had in the previous 9 months combined
ianmSC
T-Mobile Hacker Who Stole Data on 50 Million Customers: ‘Their Security Is Awful’
WSJ
Reddit CEO rejects call for a crackdown on coronavirus misinformation
Engadget
Australian preprint ban in grant applications deemed ‘plain ludicrous’
Nature
One more position on the Apple Appleplexy
Susan Landau
Re: UK to SORT-OF Hang Up on Landline Phones in 2025
Lindsay Marshall John Levine
Info on RISKS (comp.risks)

Tesla on autopilot smashes into police car helping motorist at side of road (CNN)

Lauren Weinstein <lauren@vortex.com>
Mon, 30 Aug 2021 13:52:16 -0700
The feds should order "autopilot" shut down completely while these
investigations continue. -L

https://www.cnn.com/2021/08/30/business/tesla-crash-police-car/index.html


Toyota suspends use of self-driving vehicle in Olympic Village after collision with Paralympic athlete (CNN)

Lauren Weinstein <lauren@vortex.com>
Sat, 28 Aug 2021 18:41:21 -0700
https://www.cnn.com/2021/08/27/cars/toyota-self-driving-vehicle-paralympics-accident/index.html


'Copilot' "highly likely" to introduce bugs and vulnerabilities (Techradar)

"Henry Baker" <hbaker1@pipeline.com>
Sun, 29 Aug 2021 18:53:35 +0000
'AI' proves once again that BS in == BS out. There is no free lunch.

GitHub autopilot "highly likely" to introduce bugs and vulnerabilities

https://www.techradar.com/news/github-autopilot-highly-likely-to-introduce-bugs-and-vulnerabilities-report-claims

Academic researchers discover that nearly 40% of the code suggestions by
GitHub&rsquo;s Copilot tool are erroneous, from a security point of view.

Since Copilot draws on publicly available code in GitHub repositories, the
researchers theorize that the generated vulnerable code could perhaps just
be the result of the system mimicking the behavior of buggy code in the
repositories.

https://arxiv.org/pdf/2108.09293.pdf

An Empirical Cybersecurity Evaluation of GitHub Copilot&rsquo;s Code
Contributions


Keeping Your Family Safe From Vehicle Rollaways (NBC4 WashDC)

"Gabe Goldberg" <gabe@gabegold.com>
Sun, 29 Aug 2021 18:49:34 -0400
Families across the country are raising safety questions involving deadly
vehicle rollaway accidents that kill nearly 150 people every year.

https://www.nbcwashington.com/news/local/keeping-your-family-safe-from-vehicle-rollaways/2756126/

Novel implementation of familiar gearshift technology, uninformed dealers,
lack of instruction/practice, inattentive drivers, massive manuals nobody
reads burying critical safety information.

ALWAYS set parking brake. I didn't, once, and my stick-shift car went for an
adventure—made sharp right turn in reverse, crossed a street, killed a
neighbor's mailbox.


Lights Flickered in New York City. Why Did the Subways Grind to a Halt? (NYTimes)

"Gabe Goldberg" <gabe@gabegold.com>
Tue, 31 Aug 2021 00:26:30 -0400
https://www.nytimes.com/2021/08/30/nyregion/power-outage-nyc.html

...because one thing led to another.


Fraud Alert: Malicious QR Codes Now Used by Online Scammers (Washington Consumers' Checkbook)

"Gabe Goldberg" <gabe@gabegold.com>
Wed, 1 Sep 2021 14:58:33 -0400
A couple lost $1,600 trying to rent a vacation house. The “rental agent”
said to use his QR code to pay the deposit using a Bitcoin ATM machine.

A caller, who claimed to be with the power company, threatened to turn off
the electricity in 20 minutes because of an outstanding bill of $973.  The
homeowners were sent a QR code and told to use it at a nearby kiosk. It
turned out to be the QR code to download the bitcoin app.  Thankfully, the
transaction was not completed.

A consumer in Hawaii sent $1,000 via QR code to an investment company that
made contact via Instagram. After the trading period ended, the scammer
demanded a fee of $4,102 to withdraw the supposed $20,500 profit in the
account. Again, the money was sent via a bitcoin machine to the address in
the QR Code. Total loss: $5,102.

https://www.checkbook.org/washington-area/consumers-notebook/articles/Fraud-Alert-Malicious-QR-Codes-Now-Used-by-Online-Scammers-7587

Well, yes. But don't be an idiot.


A Fix for Ransomeware Attacks (Paul Rosenzweig)

Peter Neumann <neumann@csl.sri.com>
Wed, 1 Sep 2021 13:30:39 PDT
Paul Rosenzweig, *The New York Times*, 1 Sep 2021

Tighter cryptocurrency rules would interfere with criminals' toll collection

The last paragraph is this: The U.S. “does not have a ransomware problem so
much as it has an anonymous ransom problem.  If we can change the payment
system to make the kidnapping less profitable, we will go a long way to a
solution.''


Falsehoods diminish trust in Califonia recall vote (Kaylee Fagan)

Peter Neumann <neumann@csl.sri.com>
Mon, 30 Aug 2021 20:07:27 PDT
Kaylee Fagan, *The San Francisco Chronicle*, 29 Aug 2021  [Or not?  PGN]

“The campaign to recall Califonia Governor Gavin Newsome has a conspiracy
theory problem, and it just might siphon off votes that aid its cause.''

  [The disinformation campaign is running rampant, complicating a crazy law
  that provides an up-or-down yes-no vote to recall the Governor, and 46
  candidates to replace him if the first vote is yes.  Thus, an elected
  replacement Governor could win with as little as three or four percent of
  the votes from those who bother to vote, and maybe half of that if half of
  the eligible voters don't even bother to vote .  This is democracy at
  work?  PGN]


Manned Mars mission viable if it doesn't exceed four years, concludes international research team (phys.org)

"Richard Stein" <rmstein@ieee.org>
Fri, 27 Aug 2021 11:25:39 +0800
https://phys.org/news/2021-08-mars-mission-viable-doesnt-years.html

"Shprits and colleagues from UCLA, MIT, Moscow's Skolkovo Institute of
Science and Technology and GFZ Potsdam combined geophysical models of
particle radiation for a solar cycle with models for how radiation would
affect both human passengers”including its varying effects on different
bodily organs”and a spacecraft. The modeling determined that having a
spacecraft's shell built out of a relatively thick material could help
protect astronauts from radiation, but that if the shielding is too thick,
it could actually increase the amount of secondary radiation to which they
are exposed."

For the curious, and those inclined to "Boldly go where no one has gone
before," see "How bad is the radiation on Mars?" from
https://phys.org/news/2016-11-bad-mars.html to discover the hard facts about
Martian Surface radiation: ~22 rads per day (~0.22 Sv per day from
https://www.unitsconverters.com/en/Rad-To-Sievert/Unittounit-3966-3988?MeasurementId=33&From=3966&To=3988&textBoxBufferedValue=0)
which is ~220 chest x-rays.

In space, timing is everything. If the cosmic radiation doesn't 'get
you,' the Sun's (and/or secondary/shield-induced) radiation will.


Lying with statistics (Ars Technica)

"Arthur T." <risks202108.6.atsjbt@xoxy.net>
Sat, 28 Aug 2021 01:23:39 -0400
'Microsoft says that Insider Program PCs that didn't meet Windows 11's
minimum requirements "had 52% more kernel-mode crashes" than PCs that did,
and that "devices that do meet the system requirements had a 99.8%
crash-free experience."'

This is from an Ars Technica story, and the writer didn't do the math. An
52% increased probability of crash yields barely under a 99.7% crash-free
experience. When expressed in the same terms (probability of not crashing),
it shows that there's not really a big difference.

Risk: Blithely quoting a company's statistics without questioning them.

https://arstechnica.com:443/gadgets/2021/08/why-windows-11-has-such-strict-hardware-requirements-according-to-microsoft/

(Yes, I know that total crashes might be more than just kernel-mode crashes.
But I think that would make the crash-free percentages even less different.)


Iceland has reported more cases in the past month than they had in the previous 9 months combined (ianmSC)

geoff goodfellow <geoff@iconia.com>
Thu, 26 Aug 2021 09:07:05 -1000
Iceland has reported more cases in the past month than they had in the
previous 9 months combined 91.2% of their adult population is at least
partially vaccinated, 86.5% are fully vaccinated Fauci said with 50%
vaccinated, we wouldn’t see surges like those in the past.  Whoops!

https://twitter.com/ianmSC/status/1428407830093041664


T-Mobile Hacker Who Stole Data on 50 Million Customers: ‘Their Security Is Awful’

geoff goodfellow <geoff@iconia.com>
Thu, 26 Aug 2021 11:22:40 -1000
A 21-year-old American said he used an unprotected router to access millions
of customer records in the mobile carrier’s latest breach

The hacker who is taking responsibility for breaking into T-Mobile US Inc.’s
systems said the wireless company’s lax security eased his path into a cache
of records with personal details on more than 50 million people and
counting.

John Binns, a 21-year-old American who moved to Turkey a few years ago, told
*The Wall Street Journal* he was behind the security breach. Mr. Binns, who
since 2017 has used several online aliases, communicated with the Journal in
Telegram messages from an account that discussed details of the hack before
they were widely known.

The August intrusion was the latest in a string of high-profile breaches at
U.S. companies that have allowed thieves to walk away with troves of
personal details on consumers. A booming industry of cybersecurity
consultants, software suppliers and incident-response teams have so far
failed to turn the tide against hackers and identity thieves who fuel their
businesses by tapping these deep reservoirs of stolen corporate data.

The breach is the third major customer data leak that T-Mobile has disclosed
in the past two years. The Bellevue, Wash., company is the second-largest
U.S. mobile carrier with roughly 90 million cellphones connecting to its
networks.

The Seattle office of the Federal Bureau of Investigation is investigating
the T-Mobile hack, according to a person familiar with the matter. “The FBI
is aware of the incident and does not have any additional information at
this time,” the Seattle office said in a statement Wednesday.

In messages with the Journal, Mr. Binns said he managed to pierce T-Mobile’s
defenses after discovering in July an unprotected router exposed on the
internet. He said he had been scanning T-Mobile’s known internet addresses
for weak spots using a simple tool available to the public.

The young hacker said he did it to gain attention. “Generating noise was one
goal,” he wrote. He declined to say whether he had sold any of the stolen
data or whether he was paid to breach T-Mobile.

*The 21-year-old hacker shared a screenshot of internal T-Mobile servers
with warnings against unauthorized access.*

Several cybersecurity experts said the public details of the hack and
reports of previous T-Mobile breaches show the carrier’s defenses need
improvement. Many of the records reported stolen were from prospective
clients or former customers long gone. “That to me does not sound like good
data management practices,” said Glenn Gerstell, a former general counsel
for the National Security Agency.

Mr. Binns said he used that entry point to hack into the cellphone carrier’s
data center outside East Wenatchee, Wash., where stored credentials allowed
him to access more than 100 servers.  “I was panicking because I had access
to something big,” he wrote. “Their security is awful.” He said it took
about a week to burrow into the servers that contained personal data about
the carrier’s tens of millions of former and current customers, adding that
the hack lifted troves of data around Aug. 4.

On Aug 13 2021, the security research firm Unit221B LLC reported to T-Mobile
that an account was attempting to sell T-Mobile customer data, according to
the security firm. Two days later, T-Mobile publicly acknowledged it was
investigating a potential breach.

T-Mobile confirmed that more than 50 million customer records have been
stolen. The wireless carrier said it had repaired the security hole that
enabled the breach. “We are confident that we have closed off the access and
egress points the bad actor used in the attack,” it said in a statement. A
T-Mobile spokeswoman declined to comment on specific claims by Mr. Binns or
by cybersecurity experts.

For Mr. Binns, who uses the online names IRDev and v0rtex, among others, the
T-Mobile hack represents a major development in a track record that has
featured various exploits and”four years ago”peripheral involvement in the
creation of a massive network of hacked devices that was used for online
attacks.

Mr. Binns showed the Journal that he could access accounts linked to the
IRDev online personality, which shared screenshots depicting access into
T-Mobile’s network. He declined to be photographed but answered personal
questions to confirm his identity as John Binns.   [...]
https://www.wsj.com/articles/t-mobile-hacker-who-stole-data-on-50-million-customers-their-security-is-awful-11629985105?st=4nh9nfpmp3o2293

  [ADDED LATER from geoff:]

... Mike Benjamin, vice president of security for network operator Lumen
Technologies Inc., said U.S. prosecutions in past years have limited the
threat from these botnets, though network attacks have started growing in
recent months. He said *many young people, especially in the U.S. and
Europe, first learn basic hacking techniques by sharing tricks and tactics
with fellow gamers online.

“Online video-gaming drives a natural competitiveness,” Mr. Benjamin said.
”Everybody’s looking for that edge. That can reach into this area of outside
of the videogame,” where tactics end up “breaking the internet instead of
just inside the rules of the game.”


Reddit CEO rejects call for a crackdown on coronavirus misinformation

Lauren Weinstein <lauren@vortex.com>
Thu, 26 Aug 2021 14:28:42 -0700
https://www.engadget.com/reddit-211856313.html?src=rss


Australian preprint ban in grant applications deemed ‘plain ludicrous’ (Nature)

"*ァーバーデイ“ッド J" <farber@keio.jp>
Thu, 2 Sep 2021 03:36:33 +0900
https://www.nature.com/articles/d41586-021-02318-8


One more position on the Apple Appleplexy (Susan Landau)

Peter G Neumann <neumann@csl.sri.com>
Mon, 30 Aug 2021 9:02:41 PDT
https://www.lawfareblog.com/normalizing-surveillance


Re: UK to SORT-OF Hang Up on Landline Phones in 2025 (RISKS-32.84)

Lindsay Marshall <Lindsay.Marshall@newcastle.ac.uk>
Fri, 27 Aug 2021 07:25:03 +0000
This is not true. The move is to an IP-based system, not no landlines.

https://www.ofcom.org.uk/phones-telecoms-and-internet/information-for-industry/telecoms-competition-regulation/future-fixed-telephone-services


Re: UK to SORT-OF Hang Up on Landline Phones in 2025 (RISKS-32.84)

"John Levine" <johnl@iecc.com>
27 Aug 2021 14:20:10 -0400
This story suffers from bad reporting.  What's actually going away is the
legacy SS7/TDM signaling, known in the UK as C7, presumably in favor of SIP.

The physical networks in the UK are a mix of fiber and copper, with a lot
of FTTN with copper loops which is migrating at some rate to FTTP with fiber
the whole way.

PS: We can have a metaphysical discussion about what counts as a landline
phone.  I have fiber running into the house, which connects to a
telco-provided battery-backed modem, which is connected to the copper wire
in my house into which I plug a genuine American Bell Mickey Mouse phone.
Is that a landline?  Sure seems like it when the phone rings, and I mean
*rings*.

Please report problems with the web pages to the maintainer

x
Top