RISKS Forum mailing list archives
Risks Digest 31.72
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 25 Apr 2020 13:36:44 PDT
RISKS-LIST: Risks-Forum Digest  Saturday 25 April 2020  Volume 31 : Issue 72

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/31.72>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Zoom 5.0 update will bring much-needed security upgrades (Engadget)
A critical iPhone and iPad bug that lurked for 8 years may be under active
  attack (Ars Technica)
Security Vulnerability Discovered in iOS Mail App (LifeWire)
Facebook agreed to censor posts after Vietnam slowed traffic (Reuters)
Cox email creation policy change I'd missed! (Gabe Goldberg)
An ESPN Commercial Hints at Advertising's Deepfake Future (NYTimes)
Twitter Bans 5G Conspiracy Theorists From Sharing Harmful Misinformation
  (TechCrunch)
Israel stops using phone tracking to enforce COVID-19 quarantines (Engadget)
Internet online voting, once again (WashPost editorial)
New York payments startup exposed millions of credit-card numbers (TechCrunch)
To Understand the Medical Supply Shortage, It Helps to Know How the U.S. lost
  the lithium battery (Propublica)
'Pandemic drone' test flights are monitoring social distancing
  (The Boston Globe)
Coronavirus Antibody Tests: Can You Trust the Results? (NYTimes)
Nearly 50% of Twitter Accounts Talking about Coronavirus Might Be Bots (Vice)
Re: asymptomatic coronavirus (Dmitri Maziuk)
Re: Computer Fraud and Abuse Act (Kelly Bert Manning)
Re: Internet Usage update (Chris Drewe, Paul Edwards)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 22 Apr 2020 18:45:27 -0400
From: Monty Solomon <monty () roscom com>
Subject: Zoom 5.0 update will bring much-needed security upgrades (Engadget)

https://www.engadget.com/zoom-5-update-security-privacy-154453587.html

------------------------------

Date: Wed, 22 Apr 2020 19:02:21 -0400
From: Monty Solomon <monty () roscom com>
Subject: A critical iPhone and iPad bug that lurked for 8 years may be under
  active attack (Ars Technica)

https://arstechnica.com/information-technology/2020/04/a-critical-iphone-and-ipad-bug-that-lurked-for-8-years-is-under-active-attack/

------------------------------

Date: Thu, 23 Apr 2020 12:12:04 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Security Vulnerability Discovered in iOS Mail App (LifeWire)

A patch from Apple is forthcoming.

A security researcher at ZecOps discovered a vulnerability in the iOS Mail app that he claims has been exploited since 2018. Apple confirmed the exploit with Reuters, and said a patch to address the issue was forthcoming.

The details: According to the researcher, the attack starts with an email made to overwhelm the Mail app. Once the email is received (iOS 13) or clicked (iOS 12), it could allow a remote hacker access to your device. The attack does not require a large email, either, according to the researcher.

Since when? The vulnerability has reportedly existed since iOS 6 and the iPhone 5, though the researcher only claims 2018 as the earliest examples found "in the wild."

https://www.lifewire.com/security-vulnerability-discovered-in-ios-mail-app-4843022

------------------------------

Date: Fri, 24 Apr 2020 08:05:21 -1000
From: the keyboard of geoff goodfellow <geoff () iconia com>
Subject: Facebook agreed to censor posts after Vietnam slowed traffic (Reuters)

EXCERPT:

Facebook's local servers in Vietnam were taken offline early this year, slowing local traffic to a crawl until it agreed to significantly increase the censorship of anti-state posts for local users, two sources at the company told Reuters on Tuesday.

The restrictions, which the sources said were carried out by state-owned telecommunications companies, knocked the servers offline for around seven weeks, meaning the website became unusable at times.

``We believe the action was taken to place significant pressure on us to increase our compliance with legal takedown orders when it comes to content that our users in Vietnam see,'' the first of the two Facebook sources told Reuters.

In an emailed statement, Facebook confirmed it had reluctantly complied with the government's request to ``restrict access to content which it has deemed to be illegal.'' [...]

https://www.reuters.com/article/us-vietnam-facebook-exclusive/exclusive-facebook-agreed-to-censor-posts-after-vietnam-slowed-traffic-sources-idUSKCN2232JX

------------------------------

Date: Sat, 25 Apr 2020 11:26:57 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Cox email creation policy change I'd missed!

In recent years, fewer customers have taken advantage of a Cox Email account, so we decided to modify our email service to better serve our customers. As of August 15, 2019, Cox no longer offers the ability for new and existing Cox Internet customers to create new Cox Email accounts. Customers with Cox Email accounts created prior to 15 Aug 2019 will continue to receive support for those email accounts.

https://www.cox.com/residential/support/cox-email-creation-policy.html

Exactly how does this better serve customers?!

Commentary: https://www.edhat.com/news/cox-announces-cutback-of-email-service

------------------------------

Date: Fri, 24 Apr 2020 08:07:23 -1000
From: the keyboard of geoff goodfellow <geoff () iconia com>
Subject: An ESPN Commercial Hints at Advertising's Deepfake Future (NYTimes)

EXCERPT:

Unable to film new commercials during the coronavirus pandemic, advertising agencies are turning to technologies that can seamlessly alter old footage, sometimes putting viewers in a position of doubting what they are seeing.

During Sunday's episodes of The Last Dance, <https://www.nytimes.com/2020/04/17/sports/basketball/michael-jordan-bulls-documentary.html> the ESPN documentary series about Michael Jordan and the Chicago Bulls <https://www.nytimes.com/article/the-last-dance-jordan.html>, State Farm ran a commercial <https://twitter.com/NBA/status/1251556094960234496?s=20> featuring expertly doctored footage of the longtime SportsCenter anchor Kenny Mayne.

In the ad, a much younger Mr. Mayne is seated at the SportsCenter desk in 1998. He reports on the Bulls' sixth championship title -- before taking a turn toward the prophetic.

``This is the kind of stuff that ESPN will eventually make a documentary about. They'll call it something like The Last Dance. They'll make it a 10-part series and release it in the year 2020. It's going to be lit. You don't even know what that means yet.''

As a vintage State Farm logo appears in the background, he adds, ``And this clip will be used to promote the documentary in a State Farm commercial.'' [...]

https://dnyuz.com/2020/04/22/an-espn-commercial-hints-at-advertisings-deepfake-future/

------------------------------

Date: Fri, 24 Apr 2020 08:06:20 -1000
From: the keyboard of geoff goodfellow <geoff () iconia com>
Subject: Twitter Bans 5G Conspiracy Theorists From Sharing Harmful
  Misinformation (TechCrunch)

EXCERPT:

Twitter has updated its coronavirus guidelines, stating it will remove unverified claims that cause widespread panic or encourage people to act on conspiracy theories, after phone masts across the U.K. were set alight following bogus claims about 5G.

KEY FACTS

The social media platform said on Wednesday that content such as ``5G causes coronavirus! Go destroy the cell towers in your neighborhood!'' would violate their policy and be removed.

Tweets that also violate the policy by causing widespread panic, including content such as ``The National Guard just announced that no more shipments of food will be arriving for two months! Run to the grocery store and buy everything!'' will also be deleted.

However, the platform stopped short of saying it would take down coronavirus misinformation altogether. ``As we've said previously, we will not take enforcement action on every Tweet that contains incomplete or disputed information about COVID-19'', a spokesperson told *TechCrunch*.
<https://techcrunch.com/2020/04/22/twitter-will-remove-dubious-5g-tweets-that-could-potentially-cause-harm/>

CRUCIAL QUOTE

``We have broadened our guidance on unverified claims that incite people to engage in harmful activity, could lead to the destruction or damage of critical 5G infrastructure, or could lead to widespread panic, social unrest, or large-scale disorder,'' Twitter said on Wednesday.
<https://www.forbes.com/companies/twitter>

BIG NUMBER

2,230. That's how many tweets taken down by Twitter that contain misleading and potentially harmful content, since March 18.

https://www.forbes.com/sites/isabeltogoh/2020/04/23/twitter-bans-5g-conspiracy-theorists-from-sharing-harmful-misinformation/

------------------------------

Date: Wed, 22 Apr 2020 18:43:52 -0400
From: Monty Solomon <monty () roscom com>
Subject: Israel stops using phone tracking to enforce COVID-19 quarantines
  (Engadget)

https://www.engadget.com/israel-halts-phone-tracking-for-covid-19-quarantine-184622314.html

------------------------------

Date: Fri, 24 Apr 2020 13:20:15 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Internet online voting, once again (WashPost editorial)

https://www.washingtonpost.com/opinions/why-cant-we-just-vote-online-let-us-count-the-ways/2020/04/24/68ecea92-7850-11ea-9bee-c5bf9d2e3288_story.html

  [Let me count the ways? Russian hacking? Foreign interference? Insider misuse and vendor malware? Compromised servers? Internet disinformation? Voter coercion, vote selling, vote buying, loss of privacy? Network and access "failures" (intentional or accidental), and lots more. The WashPost editorial barely scratches the surface. PGN]

------------------------------

Date: Wed, 22 Apr 2020 19:28:14 -0400
From: Monty Solomon <monty () roscom com>
Subject: New York payments startup exposed millions of credit-card numbers
  (TechCrunch)

https://techcrunch.com/2020/04/22/paay-unencrypted-credit-card-data/

------------------------------

Date: Wed, 22 Apr 2020 19:27:53 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: To Understand the Medical Supply Shortage, It Helps to Know How the
  U.S. lost the lithium battery (Propublica)

The failed U.S. effort to dominate global production of the lithium ion battery -- which is key to energy independence, automobile innovation and more -- holds lessons for leaders grappling with the U.S.'s reliance on China for emergency medical supplies.

https://www.propublica.org/article/to-understand-the-medical-supply-shortage-it-helps-to-know-how-the-us-lost-the-lithium-ion-battery-to-china

Too long, but interesting.

------------------------------

Date: Fri, 24 Apr 2020 08:04:32 -1000
From: the keyboard of geoff goodfellow <geoff () iconia com>
Subject: 'Pandemic drone' test flights are monitoring social distancing
  (The Boston Globe)

The flights taking place in a COVID-19 hotspot in Connecticut use sensors to detect the virus' symptoms from afar.

EXCERPT:

A series of "pandemic drones <https://www.cnet.com/topics/drones/>" is taking part in a test flight in a COVID-19 hotspot in Connecticut with the goal of monitoring social distancing efforts and detecting the virus' symptoms. <https://www.cbsnews.com/feature/coronavirus/>

Drone manufacturer Draganfly is working with the police department in Westport, Connecticut, to test the drones. Located in Fairfield County -- adjacent to New York City -- Westport was the first town in the state to report several coronavirus infections, according to a Wednesday press release from Draganfly. <https://www.globenewswire.com/news-release/2020/04/21/2019221/0/en/Draganfly-s-Pandemic-Drone-technology-Conducts-Initial-Flights-Near-New-York-City-to-Detect-COVID-19-Symptoms-and-Identify-Social-Distancing.html>

The drones include specialized sensor and computer vision systems that can display a person's temperature, heart and respiratory rates, as well as detect people sneezing or coughing in a crowd, the release said. The technology can accurately detect infectious conditions from 190 feet away, as well as measure social distancing efforts, according to Draganfly. [...]

https://www.cnet.com/news/pandemic-drone-test-flights-will-monitor-social-distancing/

------------------------------

Date: Thu, 23 Apr 2020 19:59:32 -0400
From: José María Mateos <chema () rinzewind org>
Subject: Free online threat blocker launched in Canada as successful COVID-19
  scams multiply (CBC News)

Yet another DNS blocker:
https://www.cbc.ca/news/politics/free-cyber-blocker-cse-1.5542888

The Canadian Internet Registration Authority (CIRA, the not-for-profit agency that manages the .CA Internet domain) and the Communications Security Establishment, Canada's foreign signals intelligence agency, teamed up on the CIRA Canadian Shield -- a protected domain name system (DNS) service that prevents Canadians from connecting to malicious websites that might infect their devices and steal their personal information.

More information about this:
https://www.cira.ca/cybersecurity-services/canadian-shield

José María (Chema) Mateos

------------------------------

Date: Fri, 24 Apr 2020 22:35:06 -0400
From: Monty Solomon <monty () roscom com>
Subject: Coronavirus Antibody Tests: Can You Trust the Results? (NYTimes)

A team of scientists worked around the clock to evaluate 14 antibody tests. A few worked as advertised. Most did not.

https://www.nytimes.com/2020/04/24/health/coronavirus-antibody-tests.html

------------------------------

Date: Sat, 25 Apr 2020 09:57:11 -0400
From: Monty Solomon <monty () roscom com>
Subject: Nearly 50% of Twitter Accounts Talking about Coronavirus Might Be
  Bots (Vice)

Twitter is dealing with a pandemic of bots jamming the platform with misinformation about COVID-19.

https://www.vice.com/en_asia/article/dygnwz/if-youre-talking-about-coronavirus-on-twitter-youre-probably-a-bot

------------------------------

Date: Wed, 22 Apr 2020 18:42:41 -0500
From: Dmitri Maziuk <dmaziuk () bmrb wisc edu>
Subject: Re: asymptomatic coronavirus [RISKS-31.71]

What you really want to do is forget the headline and scroll down to the "Testing" part. It's worth reading.

------------------------------

Date: Fri, 24 Apr 2020 16:19:02 -0400 (EDT)
From: Kelly Bert Manning <bo774 () freenet carleton ca>
Subject: Re: Computer Fraud and Abuse Act

Misuse of access to Personally Identifiable Data by police has been showing up in comp.risks for at least a quarter of a century.

https://catless.ncl.ac.uk/Risks/17/21#subj5

Delta BC Constable Steve Parker misused his access to the CPIC computer network to retrieve home addresses of cars parked near a Vancouver BC abortion clinic. The only penalty he received was being suspended with pay. BC Information and Privacy Commissioner Dr. David Flaherty seemed frustrated about that, but speculated that if Constable Parker chose to remain as a police officer his career would be remarkably undistinguished. Parker's 20-year police career ended with him still at the rank of constable, so that seems to have happened.

Without meaningful consequences we are unlikely to see an end to this type of abuse by police, or by other trusted insiders. Regular reviews of access policy with staff are also important to reinforce staff understanding of what is appropriate access and what would be improper access.

Digital record access is easier to log and audit. A BC Medical Services Plan employee convicted of Breach of Trust in the 1970s for using BC Medical Services Plan paper account files to pull addresses for skip tracers and so on was only caught because they boasted to a relative of earning extra income doing that.

The largest Data Breach in Canadian History involved an oath-sworn Revenue Canada employee who had been hired as a Junior Assessor in 1984 despite having 17 criminal convictions. His name was Andreas Hackner (not Hacker -).

https://www.orlandosentinel.com/news/os-xpm-1987-12-17-0170010297-story.html
https://archive.macleans.ca/article/1986/12/1/the-case-of-the-missing-microfiche#!&pid=30

------------------------------

Date: Thu, 23 Apr 2020 22:01:31 +0100
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: Re: Internet Usage update (Fist, RISKS-31.70)

As stated by me in RISKS-29:12, one thing that I found when I worked in telecomms was how billing for services in traditional ways is a mighty costly activity. Telecomms and other utility businesses have to sign up customers (and probably do creditworthiness checks) for a contract initially, then measure their usage, periodically compile a bill to notify them of what they owe, get the money off them, chase up late/non-payers, handle any disputes, deal with taxes if applicable, etc., as well as capturing and storing the required information, which all make a big administrative overhead.

As I understand it, with e-mail the traffic goes in and out of multiple servers in various countries, so there's the complication of different legislatures' taxation and accounting requirements, not forgetting data protection laws of course. Just identifying the bill payer could be problematic. Who gets the revenues? And getting agreement on doing this on a global scale..?

The idea of billing e-mail traffic has been around for a long time, but adding an insignificant charge to an existing service would likely be a not-insignificant cost.

------------------------------

Date: Thu, 23 Apr 2020 12:53:19 +1000
From: Paul Edwards <paule () cathicolla com>
Subject: Re: Internet Usage update (Fist, RISKS-31.70)

> Would the Information Technology Community promote the idea that we should
> all pay a low fee for sending each email?

I once consulted for a large organization in east Asia where they did just that. In an effort to reduce the amount of time their workers spent on email, they somehow hacked their Exchange server to produce the following effects:

1. Every email that was sent to an internal address (To:, CC:, or BCC:) was charged a low fee per recipient (it was about AUD0.03 in the local currency per email per recipient);
2. Emails to distribution lists would be unpacked and charged at the same rate (e.g., sending an email to 100 internal people would cost AUD3.00);
3. Emails to external addresses were not charged;
4. Charging came out of the sender's opex cost centre;
5. Monies raised by the initiative were put to acquiring more storage for email.

They did shadow charging for the first month, and then went live. The first month caused some real issues for opex budgets, and angst for the P&L owners!

I came in a couple of months after it went live, and email volumes were down 66% compared with the same period in the previous year. Quite remarkable.

(The same company also changed the default times for meetings to start at 5 past the hour (e.g., 10:05) and end at five to the hour (e.g., 10:55). This gave people a chance to actually get to meetings on time, and if a meeting ran over by a couple of minutes it didn't impact on the following meeting starting.)

------------------------------

Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.72
************************