The RISKS Digest
Volume 33 Issue 02

Saturday, 15th January 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

A High-Risk Medical Device Didn't Meet Federal Standards. The Government Paid Millions for More.
ProPublica
Software glitch snarls New York City schools
NYTimes
Why planes might soon have just one pilot
CNN Travel
How a Hacker Controlled Dozens of Teslas Using a Flaw in Third-Party App
Vice
Project Torogoz: Extensive Hacking of Media & Civil Society in El Salvador with Pegasus Spyware
CitizenLab
New Apple Warning Affects All iPhone Users
Forbes
German interior minister threatens to ban Telegram
Thomas Koenig
Fake QR Codes on Parking Meters
Bruce Schneier
Metaverse's Dark Side: Here Come Harassment and Assaults
NYTimes
Metro says timing for return of suspended railcars is unknown
WashPost
Norton 360 Now Comes With a Cryptominer
Krebs on Security
Hackers Are Exploiting a Flaw Microsoft Fixed 9 Years Ago
WiReD
New Chrome security measure aims to curtail an entire class of Web attack
Ars Technica
Black box that could record collapse of civilisation set to be installed on Earth
The Mirror
Automakers Rev Up Subscription Services
Washington Consumers' Checkbook
Biden Administration Warns Against Spyware Targeting Dissidents
NYTimes
Tackling Hard Computational Problems
Steve Nadis MIT News
How Game Theory Changed Poker
Oliver Roeder WSJ
Paper on finance and technology manias
Andrew Odlyzko
Wearing Many Hats: The Rise of the Professional Security Hacker
Gabriella Coleman via PGN
Info on RISKS (comp.risks)

A High-Risk Medical Device Didn't Meet Federal Standards. The Government Paid Millions for More. (ProPublica)

“Gabe Goldberg” <gabe@gabegold.com>
Fri, 7 Jan 2022 23:22:59 -0500

For years after federal inspectors found serious problems with the HeartWare heart pump, agencies like the Department of Veterans Affairs and Centers for Medicare & Medicaid Services continued paying to implant it in patients.

https://www.propublica.org/article/a-high-risk-medical-device-didnt-meet-federal-standards-the-government-paid-millions-for-more


Software glitch snarls New York City schools (NYTimes)

Peter Neumann <neumann@csl.sri.com>
Sat, 15 Jan 2022 11:48:48 PST

Lola Fadulu, The New York Times, 15 Jan 2022

Skedula, a platform that helps NYC teachers post assignments and track grades and attendance—and even helps track Covid test results—stopped working a week ago on 8 Jan, and was still down at the end of the week. This is apparently a particularly bad time for the outage. The contractor Illuminate Education said this was the result of “an attempted security threat”—an investigation of which is still ongoing. [PGN-ed]


Why planes might soon have just one pilot (CNN Travel)

Gabe Goldberg <gabe@gabegold.com>
Thu, 13 Jan 2022 23:53:45 -0500

(CNN) If you boarded a passenger plane in 1950 and peeked into the cockpit, you would have seen five people in there (almost certainly men): two pilots, a radio operator, a navigator, and a flight engineer.

Over the years, technical advances in radio communications, navigation systems and on-board monitoring equipment gradually removed the need for the last three, making it possible to safely fly a passenger plane with just two pilots. That has been the norm in commercial aviation for about 30 years.

Soon, however, things could streamline further, and one of the two remaining pilots—technically the first officer—could soon go, leaving behind only the captain. Many smaller and military aircraft are already manned by a single pilot, but for commercial aviation this would mean venturing into a brave new world. […]

However, removing a pilot from the cockpit will help develop the very technology required for the next, and final, step: removing human pilots altogether and flying planes remotely or autonomously. That, however, sounds like an even more complicated conversation: “Two pilots to one pilot is a major step,” says Smith, “but one pilot to no pilots is an immense one.”

https://www.cnn.com/travel/article/single-pilot-planes/index.html


How a Hacker Controlled Dozens of Teslas Using a Flaw in Third-Party App (Vice)

geoff goodfellow <geoff@iconia.com>
Thu, 13 Jan 2022 16:34:55 -1000

A security researcher found flaws in a third-party open-source app that allowed him to track and unlock some Teslas.

A 19-year-old hacker and security researcher said he was able to control some features of dozens of Tesla cars all over the world thanks to a vulnerability in a third-party app that allows car owners to track their car's movements, remotely unlock doors, open windows, start keyless driving, honk, and flash lights.

David Colombo, the researcher who found the issue, asked Motherboard not to reveal all the details about his findings—such as the name of the third-party app—given that some of the vulnerabilities he discovered are yet to be fixed. Colombo allowed Motherboard to review his upcoming blog post, which contained the details.

“There are those Teslas around the world right now in 13 countries and I'm able to disable the sentry mode, unlock the doors, start keyless driving, and take them on a road trip,” Colombo told Motherboard in an interview. […]

https://www.vice.com/en/article/akv7z5/how-a-hacker-controlled-dozens-of-teslas-using-a-flaw-in-third-party-app

[See also Katrina Nicholas and Jordan Robertson, Bloomberg, 12 Jan 2022]


Project Torogoz: Extensive Hacking of Media & Civil Society in El Salvador with Pegasus Spyware (CitizenLab)

Jan Wolitzky <jan.wolitzky@gmail.com>
Fri, 14 Jan 2022 20:45:09 -0500

The Citizen Lab and Access Now have conducted a joint investigation into Pegasus hacking in El Salvador in collaboration with Frontline Defenders, SocialTIC, and Fundación Acceso.

We confirmed 35 cases of journalists and members of civil society whose phones were successfully infected with NSO's Pegasus spyware between July 2020 and November 2021. We shared a sample of forensic data with Amnesty International's Security Lab which independently confirms the findings.

Targets included journalists at El Faro, GatoEncerrado, La Prensa Gráfica, Revista Digital Disruptiva, Diario El Mundo, El Diario de Hoy, and two independent journalists. Civil society targets included Fundación DTJ, Cristosal, and another NGO.

The hacking took place while the organizations were reporting on sensitive issues involving the administration of President Bukele, such as a scandal involving the government's negotiation of a pact with the MS-13 gang for a reduction in violence and electoral support.

While evidence linking a particular infection to a particular Pegasus customer is often unavailable, in this case we identified a Pegasus customer operating almost exclusively in El Salvador since at least November 2019 that we call TOROGOZ, and have connected this operator to an infection attempt against El Faro.

https://citizenlab.ca/2022/01/project-torogoz-extensive-hacking-media-civil-society-el-salvador-pegasus-spyware/


New Apple Warning Affects All iPhone Users (Forbes)

geoff goodfellow <geoff@iconia.com>
Sat, 8 Jan 2022 15:50:42 -1000

Last year saw the biggest hack in iPhone history, complete with individual horror stories from affected users. Now a haunting new discovery could make all iPhone attacks a lot worse. <https://www.forbes.com/sites/gordonkelly/2021/11/27/apple-iphone-warning-security-hack-pegasus-nso-group-iphone-warning-notifications/>, <https://www.forbes.com/sites/gordonkelly/2021/10/27/apple-iphone-warning-pegasus-hack-upgrade-ios-15-security/>

It is called NoReboot and was discovered by highly respected mobile security specialists ZecOps. The company describes it as “the ultimate persistence bug” because it can stop iPhones affected by even temporary attacks from escaping their hacker. Moreover, it affects every iPhone model and every version of iOS and Apple cannot fix it, which sets alarm bells ringing. <https://www.forbes.com/sites/gordonkelly/2021/07/17/apple-iphone-12-pro-max-warning-wifi-hack-zero-click-exploit-new-iphone-ios-upgrade/> <https://www.forbes.com/sites/gordonkelly/2020/05/13/apple-iphone-exploit-vulnerability-ios-13-mail-problem-update-iphone-11-pro-max-u-iphone-xs-max-xr-upgrade/?sh=5fafe8d3c07b>

The concept behind NoReboot is simple, but this is also what makes it so dangerous: it tricks users into thinking they have switched off or restarted their iPhones. It works by hijacking the InCallService, SpringBoard <https://apple.fandom.com/wiki/SpringBoard> and backboardd <https://iphonedev.wiki/index.php/Backboardd> background processes which handle the reboot process on iPhones and shows them a fake shutdown or startup sequence instead when users try to initiate either process. In reality, the iPhone remains on at all times.

Why is this dangerous? Because it is easier for hackers to access iPhones with non-persistent attacks but—as the name implies—these are removed when a user shuts down or restarts their phone. But the damage these hacks can now do supersizes when combined with NoReboot code because the user cannot (by design or by accident) rid themselves of the hack. ZecOps illustrates this in the video below. […] https://www.forbes.com/sites/gordonkelly/2022/01/08/apple-warning-iphone-hack-attack-vulnerability-new-iphone-update/


German interior minister threatens to ban Telegram

Thomas Koenig <tkoenig@netcologne.de>
Sat, 15 Jan 2022 14:51:16 +0100

The new German minister of the interior, Nancy Faeser, has threatened to shut down Telegram:

https://www.dw.com/de/innenministerin-nimmt-telegram-ins-visier/a-60397720

If this threat is carried out, Germany would join the ranks of the countries listed in

https://en.wikipedia.org/wiki/Government_censorship_of_Telegram_Messenger


Fake QR Codes on Parking Meters

Bruce Schneier <schneier@schneier.com>
Sat, 15 Jan 2022 09:46:19 +0000

The City of Austin is warning about QR codes stuck to parking meters that take people to fraudulent payment sites. https://www.bitdefender.com/blog/hotforsecurity/us-police-parking-meters-phishing-qr-codes/
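The defensive counterpart to the warning above is a first-pass check on whatever URL a meter's QR code decodes to. The following is an added example, not code from the RISKS item, the City of Austin or Bitdefender: it flags the properties a fraudulent payment link tends to have (plain http, a bare IP, userinfo before the host, punycode, a link shortener, or the real vendor's name buried inside an unrelated domain). The allowlisted hosts are constructed placeholders, not the city's real vendor domains.

```python
"""Triage of URLs decoded from QR codes found on parking meters.

Added example; not part of the original item. EXPECTED_HOSTS is a
constructed placeholder allowlist, not any real city's payment vendors.
"""
from urllib.parse import urlsplit
import ipaddress

# Constructed allowlist: the hosts the city's own meters are supposed to use.
EXPECTED_HOSTS = {"pay.example-parking.gov", "meters.example-city.gov"}

# Well-known link shorteners; an official payment QR has no reason to use one.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def triage_qr_url(url: str, expected_hosts=EXPECTED_HOSTS) -> list:
    """Return a list of findings; an empty list means the URL is an expected payment page over TLS."""
    findings = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if scheme != "https":
        findings.append(f"scheme is {scheme or 'missing'}, not https")
    if not host:
        findings.append("no host in URL")
        return findings
    if "@" in parts.netloc:
        findings.append("userinfo before host (classic URL obfuscation)")
    if _is_ip_literal(host):
        findings.append("host is a bare IP address")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode label in host (possible homograph)")
    if host in SHORTENERS:
        findings.append("link shortener hides the real destination")
    if host not in expected_hosts:
        # Catch "pay.example-parking.gov.evil.tld" or "pay-example-parking-gov.com":
        # the real name appears as a prefix instead of being the registrable domain.
        lookalike = any(
            host.startswith(e + ".") or host.startswith(e.replace(".", "-"))
            for e in expected_hosts
        )
        if lookalike:
            findings.append("expected host name embedded in an unrelated domain")
        else:
            findings.append(f"host {host!r} is not an expected payment host")
    return findings


if __name__ == "__main__":
    # Constructed sample payloads, the kind a sticker on a meter might encode.
    for sample in (
        "https://pay.example-parking.gov/meter/1234",
        "http://203.0.113.7/pay",
        "https://pay.example-parking.gov.evil-payments.xyz/meter/1234",
        "https://bit.ly/abc123",
    ):
        print(sample, "->", triage_qr_url(sample) or "looks like an expected payment page")
```

An empty result only means the link goes where the city says it should; it says nothing about whether the sticker itself is genuine, which is why Austin's advice was to check the meter's own signage rather than trust the code.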


Metaverse's Dark Side: Here Come Harassment and Assaults (NYTimes)

“Gabe Goldberg” <gabe@gabegold.com>
Thu, 6 Jan 2022 13:34:02 -0500

As Meta and other companies bet big on an immersive digital world, questions about its harms are rising.

SAN FRANCISCO—Chanelle Siggens recently strapped on an Oculus Quest virtual reality headset to play her favorite shooter game, Population One. Once she turned on the game, she maneuvered her avatar into a virtual lobby in the immersive digital world and waited for the action to begin.

But as she waited, another player's avatar approached hers. The stranger then simulated groping and ejaculating onto her avatar, Ms. Siggens said. Shocked, she asked the player, whose avatar appeared male, to stop.

“He shrugged as if to say: ‘I don't know what to tell you. It's the metaverse—I'll do what I want,’ and then he walked away.” […]

Meta has asked its employees to volunteer to test the metaverse, according to an internal memo viewed by The New York Times. A stranger recently groped the avatar of one tester of a Meta virtual reality game, Horizon Worlds, a company spokeswoman said. The incident, which Meta has said it learned from, was reported earlier by The Verge.

Misbehavior in virtual reality is typically difficult to track because incidents occur in real time and are generally not recorded.

Titania Jordan, the chief parent officer at Bark, which uses artificial intelligence to monitor children's devices for safety reasons, said she was especially concerned about what children might encounter in the metaverse. She said abusers could target children through chat messages in a game or by speaking to them through headsets, actions that are difficult to document.

https://www.nytimes.com/2021/12/30/technology/metaverse-harassment-assaults.html

Today's Internet in VR, what could go wrong…


Metro says timing for return of suspended railcars is unknown (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Wed, 12 Jan 2022 23:39:55 -0500

The latest hang-up: Technicians didn't know whether to pass or fail a railcar if its wheels moved precisely 1/32 of an inch.

After a second suspension in late December, transit officials acknowledged Friday they don't know when the cars will return to service. The latest hang-up: Technicians didn't know whether to pass or fail a rail car if its wheels moved precisely 1/32 of an inch—a scenario not spelled out in Metro's restoration plan. In such cases, Metro acted on its own accord and against the wishes of an oversight commission. …

The latest violation the safety commission cited stems from a small tweak Metro made while measuring the width between wheels, transit officials said. In its plan to the commission, Metro said its technicians would flag any car with wheels that deviated more than 1/32 of an inch on their axles from the standard width of 53 5/16 inches.

Several cars, however, landed right at that limit, and technicians were unclear on whether to fail those cars or to allow them back into service. The confusion among technicians was compounded because the distance was so small that widths on a car could fluctuate from the heat they generated if a car was coming directly out of service.

Without consulting the safety commission, Metro supervisors told technicians to pass the limit, a decision that placed them back into service.

Swink Benson said, “the modification of the process was not submitted to the [safety commission] for their approval prior to implementation.”

https://www.washingtonpost.com/transportation/2022/01/08/metro-ntsb-railcar-investigation/

The risk? Not understanding mathematical relationships. “More than” seems pretty clear, not needing interpretation.
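One way to keep “more than 1/32 inch” from becoming a judgment call on the shop floor is to write the acceptance criterion down as executable code with exact arithmetic and test it at the boundary. The block below is an added example, not Metro's or the safety commission's procedure; the only figures taken from the article are the 53 5/16 in standard width and the 1/32 in limit. The comparator wording is a parameter precisely because the article shows the wording was the problem.

```python
"""Executable acceptance criterion for railcar wheel gauge.

Added example; not Metro's restoration plan. Readings are parsed as exact
Fractions so that a car measuring exactly 53 11/32 in compares exactly
1/32 in from standard, with no floating-point slop at the boundary.
"""
from fractions import Fraction
import re

STANDARD_WIDTH = Fraction(53) + Fraction(5, 16)   # 53 5/16 in, from the article
LIMIT = Fraction(1, 32)                           # deviation limit, from the article

# Technician-style mixed number: "53 11/32" or just "53"
_MIXED = re.compile(r"^\s*(\d+)(?:\s+(\d+)/(\d+))?\s*$")


def parse_inches(text: str) -> Fraction:
    """Parse '53 11/32', '53' or a decimal such as '53.34375' into an exact Fraction."""
    m = _MIXED.match(text)
    if m:
        whole, num, den = m.groups()
        value = Fraction(int(whole))
        if num is not None:
            value += Fraction(int(num), int(den))
        return value
    return Fraction(text.strip())   # decimals are exact too; raises ValueError on junk


def deviation(reading: str) -> Fraction:
    """Absolute deviation of a reading from the standard width."""
    return abs(parse_inches(reading) - STANDARD_WIDTH)


def passes(reading: str, rule: str = "more than") -> bool:
    """Apply the plan's wording literally.

    'more than' -> flag (fail) only if deviation >  LIMIT, so exactly 1/32 passes
    'at least'  -> flag (fail) if      deviation >= LIMIT, so exactly 1/32 fails
    Any other wording is refused rather than guessed at.
    """
    d = deviation(reading)
    if rule == "more than":
        return not (d > LIMIT)
    if rule == "at least":
        return not (d >= LIMIT)
    raise ValueError(f"unknown rule wording: {rule!r}")


if __name__ == "__main__":
    for r in ("53 5/16", "53 11/32", "53 3/8", "53 9/32"):
        print(f"{r:>9}  dev={deviation(r)}  more-than:{passes(r)}  at-least:{passes(r, 'at least')}")
```

The boundary case the technicians argued about is the 53 11/32 reading: under the plan's literal wording it passes, under “at least” it fails, and the difference is one comparison operator. Whichever reading the commission intended, the point is that the choice is made once, in the written and approved plan, not per car by a supervisor.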


Norton 360 Now Comes With a Cryptominer (Krebs on Security)

Gabe Goldberg <gabe@gabegold.com>
Thu, 6 Jan 2022 14:29:47 -0500

Norton 360, one of the most popular antivirus products on the market today, has installed a cryptocurrency mining program on its customers' computers. Norton's parent firm says the cloud-based service that activates the program and allows customers to profit from the scheme—in which the company keeps 15 percent of any currencies mined—is opt-in.

Norton users complain the mining program is difficult to remove, and reactions from longtime customers have ranged from unease and disbelief to, “Dude, where's my crypto?” […]

From reading user posts on the Norton Crypto community forum, it seems some longtime Norton customers were horrified at the prospect of their antivirus product installing coin-mining software, regardless of whether the mining service was turned off by default.

“How on Earth could anyone at Norton think that adding crypto mining within a security product would be a good thing?” the post reads.

[Norton should be detecting and killing off crypto mining hijacking, not installing their own. The product people need firing. GG]

https://krebsonsecurity.com/2022/01/norton-360-now-comes-with-a-cryptominer/


Hackers Are Exploiting a Flaw Microsoft Fixed 9 Years Ago (WiReD)

Jan Wolitzky <jan.wolitzky@gmail.com>
Wed, 5 Jan 2022 19:55:08 -0500

Unless you go out of your way to install the patch, your system could be exposed.

<https://www.wired.com/story/zloader-microsoft-signature-verification-hack/>

The widely used malware ZLoader crops up in all sorts of criminal hacking, from efforts that aim to steal banking passwords and other sensitive data to ransomware attacks. Now, a ZLoader campaign that began in November has infected almost 2,200 victims in 111 countries by abusing a Windows flaw that Microsoft fixed back in 2013.


New Chrome security measure aims to curtail an entire class of Web attack (Ars Technica)

Monty Solomon <monty@roscom.com>
Fri, 14 Jan 2022 14:19:03 -0500

https://arstechnica.com/information-technology/2022/01/new-chrome-security-measure-aims-to-curtail-an-entire-class-of-web-attack/


Black box that could record collapse of civilisation set to be installed on Earth (The Mirror)

geoff goodfellow <geoff@iconia.com>
Thu, 13 Jan 2022 16:16:12 -1000

The black box, which is set to be built on the west coast of Tasmania, will be connected to the Internet and will record information to help a future civilisation if humanity suffers a major apocalyptic event. […]

https://www.mirror.co.uk/news/weird-news/black-box-could-record-collapse-25936553


Automakers Rev Up Subscription Services (Washington Consumers' Checkbook)

Gabe Goldberg <gabe@gabegold.com>
Thu, 13 Jan 2022 20:45:50 -0500

When you buy or lease your next car, you might be required to pay a monthly or yearly subscription fee to activate some of its features.

Although automakers are making record profits despite pandemic-induced production problems, they continue to look for ways to increase revenue beyond sales, financing, and repairs. Stellantis, the world's fourth largest automaker (formerly known as Fiat Chrysler), announced last month that it plans to generate about $22.5 billion (20 billion euros) in new annual revenue by 2030 from software services and subscriptions. […]

Most car companies now offer a subscription package of some type, whether it’s satellite radio, enhancements to the entertainment system, or a connectivity package that provides roadside assistance, concierge services, and triggers 911 calls in an accident (such as OnStar).

But until recently, most of these subscriptions didn't relate to the functioning of the vehicle. And because of that, after the free-trial period, many drivers cancel their subscriptions.

“Manufacturers are struggling to make these subscription services more valuable, and one way to do that is to require a subscription for some pretty basic services,” Eisenstein told Checkbook. Manufacturers say the subscription model allows them to meet the diverse needs of their customers.

But what if you had to subscribe to driver assistance software, or voice-recognition technology? Would you pay a monthly fee to activate optional safety features, such as automatic emergency braking, forward-collision warning, or blind-spot warning? […]

Toyota owners have been unpleasantly surprised to discover that when their complimentary subscription to the automaker's Remote Connect service expires — after three years in some cases, 10 years in others—the remote start feature on their key fob no longer works.

“That's absurd. It's a clear attempt to gouge consumers and drive up the real cost of buying their vehicles.”

According to a blog post on The Drive, Toyota appears to be the first company to charge for full use of a physical key fob—either $8 a month or $80 a year at the Remote Connect plan's current price.

https://www.checkbook.org/washington-area/consumers-notebook/articles/Automakers-Rev-Up-Subscription-Services-7623


Biden Administration Warns Against Spyware Targeting Dissidents (NYTimes)

Jan Wolitzky <jan.wolitzky@gmail.com>
Fri, 7 Jan 2022 14:08:50 -0500

The U.S. intelligence community offered steps that would mitigate—but not stop—spyware developed by firms like the NSO Group.

The federal government on Friday warned the public about the risks of commercial surveillance tools that have been used to spy on journalists and political dissidents by infecting their phones with malware.

https://www.nytimes.com/2022/01/07/us/politics/spyware-warning-cybersecurity.html
https://www.dni.gov/files/NCSC/documents/SafeguardingOurFuture/FINAL_Jan-7-2022_Protect_Yourself_Commercial_Surveillance_Tools.pdf


Tackling Hard Computational Problems (MIT News)

ACM TechNews <technews-editor@acm.org>
Wed, 12 Jan 2022 12:22:31 -0500 (EST)

Steve Nadis, MIT News. 10 Jan 2022, via ACM TechNews, 12 Jan 2022

The Massachusetts Institute of Technology's David Gamarnik and colleagues have developed the overlap gap property (OGP) tool to analyze difficult computational problems that involve randomness. “We discovered that all known problems of a random nature that are algorithmically hard have a version of this property,” Gamarnik said. “This provides a more precise measure of algorithmic hardness.” Scientists can evaluate the challenge of creating fast algorithms to solve particular problems with the OGP, and Gamarnik said the tool has already shown that stable algorithms, including quantum approximation optimization algorithms, cannot handle such problems.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2dc33x23071fx072353&100000


How Game Theory Changed Poker (Oliver Roeder)

ACM TechNews <technews-editor@acm.org>
Fri, 14 Jan 2022 12:12:06 -0500 (EST)

Oliver Roeder, The Wall Street Journal, 13 Jan 2022 via ACM TechNews, 14 Jan 2022

Researchers at the University of Alberta's Computer Poker Research Group in Canada pioneered game theory mathematics that has transformed how professional poker players approach the game. Poker's mathematical complexity rivals or surpasses that of chess while adding randomness and hidden data, bringing it closer to the “real world” that artificial intelligence scientists want to control. Many poker-playing algorithms incorporate the minimization of regret, a mathematical concept for decision-making in uncertain environments. Game-theory optimal poker players hire programmers to analyze their game data, finding “leaks” or errors in strategy, and to conduct game-theoretical analyses, calculating optimal plays in any of the innumerable situations that can confront a player.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2dc7bx2307b5x072349&
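The “minimization of regret” the article mentions is concrete enough to show in a few dozen lines. The block below is an added example, not code from the WSJ article or the University of Alberta group; it runs regret matching in self-play on rock-paper-scissors rather than poker, because the same loop (track how much better each action would have done than the strategy actually played, then play actions in proportion to positive regret) is what the poker algorithms build on, and in this game the equilibrium the averages should converge to is known to be (1/3, 1/3, 1/3). Expected rather than sampled payoffs are used so the run is deterministic, and the asymmetric starting regrets are a constructed choice so the two players do not begin identical.

```python
"""Regret matching in self-play on rock-paper-scissors.

Added example; not from the article. Both players update their cumulative
regret against the opponent's current mixed strategy; the average of the
strategies played converges to the Nash equilibrium while the current
strategies keep cycling.
"""
ACTIONS = ("rock", "paper", "scissors")
# Row player's payoff: PAYOFF[i][j] for row action i vs column action j (1 win, 0 tie, -1 loss).
PAYOFF = ((0, -1, 1), (1, 0, -1), (-1, 1, 0))


def regret_strategy(cum_regret):
    """Play each action in proportion to its positive cumulative regret; uniform if none."""
    pos = [max(r, 0.0) for r in cum_regret]
    total = sum(pos)
    if total <= 0:
        return [1.0 / len(pos)] * len(pos)
    return [p / total for p in pos]


def action_values(opp_strategy, as_row):
    """Expected payoff of each own action against the opponent's mixed strategy."""
    n = len(ACTIONS)
    if as_row:
        return [sum(PAYOFF[i][j] * opp_strategy[j] for j in range(n)) for i in range(n)]
    # Zero-sum: the column player's payoff is the negative of the row payoff.
    return [sum(-PAYOFF[i][j] * opp_strategy[i] for i in range(n)) for j in range(n)]


def exploitability(strategy, as_row):
    """Gain of a best-responding opponent against `strategy`; 0 at equilibrium (game value is 0)."""
    return max(action_values(strategy, as_row=not as_row))


def train(iterations=50000, start_regret=((1.0, 0.0, 0.0), (0.0, 1.0, 0.0))):
    """Self-play regret matching; returns the two players' average strategies."""
    n = len(ACTIONS)
    regret = [list(start_regret[0]), list(start_regret[1])]   # constructed asymmetric start
    strategy_sum = [[0.0] * n, [0.0] * n]
    for _ in range(iterations):
        strat = [regret_strategy(regret[0]), regret_strategy(regret[1])]
        for p in range(2):
            values = action_values(strat[1 - p], as_row=(p == 0))
            expected = sum(v * s for v, s in zip(values, strat[p]))
            for a in range(n):
                regret[p][a] += values[a] - expected      # regret for not having played a
                strategy_sum[p][a] += strat[p][a]
    return [[s / iterations for s in strategy_sum[p]] for p in range(2)]


if __name__ == "__main__":
    avg = train()
    for p, name in enumerate(("row", "column")):
        probs = ", ".join(f"{a}={x:.3f}" for a, x in zip(ACTIONS, avg[p]))
        print(f"{name}: {probs}  exploitability={exploitability(avg[p], p == 0):.4f}")
```

The number to watch is exploitability, not the raw probabilities: regret matching guarantees that the average strategy's exploitability shrinks like 1/sqrt(T), which is exactly the “leak” a hired analyst hunts for in a human player's game.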


Paper on finance and technology manias

Andrew Odlyzko <odlyzko@umn.edu>
Tue, 11 Jan 2022 19:35:29 -0600 (CST)

Enclosed is a notice of my latest paper on technology and financial manias. As there is currently much concern about the possible instability of the financial system that might lead to a crash, given elevated valuations, unprecedented levels of government intervention, low interest rates, opaque interrelationships, very complex systems, rise of fintech, zombie companies, and so on, it might be of interest to see what happened a century and a half ago, when many similar phenomena reigned and when the “roving cavaliers of credit” (to borrow a phrase from Karl Marx) managed to facilitate a giant expansion of a public transportation infrastructure, and ruined themselves and many others through “financial innovation.” This paper describes a major, but previously undocumented, step in the “financialization” of the economy.

There are also interesting similarities to the Silicon Valley “fake it till you make it” philosophy, to the “alternate reality” concerns about the post-truth world, and other currently hot topics.

Your assistance in the work that led to this paper is gratefully acknowledged, although it may not have affected this manuscript, and may only influence later ones. You are listed, along with everyone else who assisted in this project on the web page

http://www.dtc.umn.edu/~odlyzko/doc/mania-ack.html

[…] if you have any comments on this work, I would be delighted to receive them.

http://www.dtc.umn.edu/~odlyzko/doc/mania18.pdf and if there are any problems with those, also https://ssrn.com/abstract=4006745

The railway mania of the 1860s and financial innovation

The 1860s witnessed Britain's third, and last, large railway mania. Although it added about as much mileage to the rail network as the great Railway Mania of the 1840s, little is known about it in modern literature. This paper documents how this mania managed to delude investors into pouring immense sums into the expansion of a public infrastructure. It did so by stealth, by introducing a variety of “financial innovations” reminiscent of those involved in the Global Financial Crisis of 2008. That period, just like ours, featured new technologies, novel business models, rapid globalization, dramatic increases in speed of information transmission, and proliferation of misinformation and disinformation. Combined with progressive relaxation of government regulation and extremely opaque accounts, the “financial engineering” of the 1860s misled even very knowledgeable and inquisitive observers, such as Walter Bagehot. The results included the Overend, Gurney crash of 1866, ruin to many individuals and businesses, and a large, but inefficient, expansion of the rail network. These in turn likely influenced the legal and institutional foundations of corporate capitalism. There are striking similarities to many aspects of modern financial markets that might be instructive, especially in the widespread reliance on “search for a greater fool” approaches.

As a reminder, the above piece, as well as previous ones in this series, is available at:

http://www.dtc.umn.edu/~odlyzko/doc/bubbles.html

P.S. This draft was written for submission to the proceedings of the 7th International Virtual Early Railways Conference, where a lecture on this material was presented. […]


Wearing Many Hats: The Rise of the Professional Security Hacker (Gabriella Coleman)

Peter Neumann <neumann@csl.sri.com>
Fri, 14 Jan 2022 11:03:20 PST

https://datasociety.net/library/wearing-many-hats-the-rise-of-the-professional-security-hacker/

Gabriella Coleman <biella@riseup.net>
