RISKS Forum mailing list archives
Risks Digest 33.22
From: RISKS List Owner <risko () csl sri com>
Date: Thu, 19 May 2022 16:13:37 PDT
RISKS-LIST: Risks-Forum Digest Thursday 19 May 2022 Volume 33 : Issue 22 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/33.22> The current issue can also be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Researchers Find Potential Way to Run Malware on iPhone Even When it's OFF (The Hacker News) PDF election ballots (Andrew Appel) New Bluetooth Hack Could Let Attackers Remotely Unlock Smart Locks and Cars (The Hacker News) When Your Smart ID Card Reader Comes With Malware (KrebsOnSecurity) Sadly, this food delivery robot got caught on the tracks while trying to cross (Twitter) Two-Card Monte: Why Mastercard And Visa Rarely Shut Down Scammers Who Are Ripping Off Consumers (Buzzfeed News) Crypto meltdown highlights need for urgent regulatory intervention (Dave Farber) Eavesdroppers Can Hack 6G Frequency with DIY Metasurface (Jake Boyd) China's Internet Censors Try a New Trick: Revealing Users' Locations? (NYTimes) Exposure through identity verification? (Geoff Keunning) 463 people's COVID benefits accidentally sent to one of them (Mark Brader) Zero-trust security: Assume everyone on the Internet is out to get you -- and already has (techxplore) DOJ says it will no longer prosecute good-faith hackers under CFAA (TechCrunch) Selfies Further Endanger Rare Phallic Plant, Conservationists Fear (Richard C. Paddock) Artificial Intelligence (Colbert/Gervais via Lauren Weinstein) Re: Companies envision taxis flying above jammed traffic (Martin Ward, John Levine, Barry Gold) Re: Finding it hard to get a new job? Robot recruiters might be to blame (Amos Shapir) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Tue, 17 May 2022 18:00:14 -1000 From: geoff goodfellow <geoff () iconia com> Subject: Researchers Find Potential Way to Run Malware on iPhone Even When it's OFF (The Hacker News) A first-of-its-kind security analysis of iOS Find My function has identified a novel attack surface that makes it possible to tamper with the firmware and load malware onto a Bluetooth chip that's executed while an iPhone is "off." The mechanism takes advantage of the fact that wireless chips related to Bluetooth, Near-field communication (NFC <https://en.wikipedia.org/wiki/Near-field_communication>), and ultra-wideband (UWB <https://en.wikipedia.org/wiki/Ultra-wideband>) continue to operate while iOS is shut down when entering a "power reserve" Low Power Mode (LPM). While this is done so as to enable features like Find My <https://thehackernews.com/2022/02/experts-create-apple-airtag-clone-that.html> and facilitate Express Card transactions <https://support.apple.com/en-us/guide/security/sec90cd29d1f/web>, all the three wireless chips have direct access to the secure element, academics from the Secure Mobile Networking Lab (SEEMOO <https://www.seemoo.tu-darmstadt.de/>) at the Technical University of Darmstadt said <https://arxiv.org/pdf/2205.06114.pdf> in a paper entitled "Evil Never Sleeps." "The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in the NFC chip, storing secrets that should be available in LPM," the researchers said. "Since LPM support is implemented in hardware, it cannot be removed by changing software components. As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown. This poses a new threat model." The findings are set to be *presented* <https://wisec2022.cs.utsa.edu/accepted-papers/> at the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2022) this week. [...] https://thehackernews.com/2022/05/researchers-find-way-to-run-malware-on.html ------------------------------ Date: Thu, 19 May 2022 13:48:37 PDT From: Peter Neumann <neumann () csl sri com> Subject: PDF election ballots Andrew Appel: A PDF File Is Not Paper, So PDF Ballots Cannot Be Verified https://freedom-to-tinker.com/2022/05/19/a-pdf-file-is-not-paper-so-pdf-ballots-cannot-be-verified/ [PDF is an executable language. Ballots can also be altered -- or indeed executed, as seems to happens to certain disfavored candidates in certain countries. PGN] ------------------------------ Date: Thu, 19 May 2022 10:08:46 -1000 From: geoff goodfellow <geoff () iconia com> Subject: New Bluetooth Hack Could Let Attackers Remotely Unlock Smart Locks and Cars (The Hacker News) A novel Bluetooth relay attack can let cybercriminals more easily than ever remotely unlock and operate cars, break open residential smart locks, and breach secure areas. "An attacker can falsely indicate the proximity of Bluetooth LE (BLE) devices to one another through the use of a relay attack," UK-based cybersecurity company NCC Group said. "This may enable unauthorized access to devices in BLE-based proximity authentication systems." Relay attacks <https://en.wikipedia.org/wiki/Relay_attack>, also called two-thief attacks, are a variation of person-in-the-middle attacks in which an adversary intercepts communication between two parties, one of whom is also an attacker, and then relays it to the target device without any manipulation. While various mitigations have been implemented to prevent relay attacks, including imposing response time limits during data exchange between any two devices communicating over BLE and triangulation-based localization techniques, the new relay attack can bypass these measures. [...] https://thehackernews.com/2022/05/new-bluetooth-hack-could-let-attackers.html https://research.nccgroup.com/2022/05/15/technical-advisory-tesla-ble-phone-as-a-key-passive-entry-vulnerable-to-relay-attacks/ https://research.nccgroup.com/2022/05/15/technical-advisory-kwikset-weiser-ble-proximity-authentication-in-kevo-smart-locks-vulnerable-to-relay-attacks/ https://research.nccgroup.com/2022/05/15/technical-advisory-ble-proximity-authentication-vulnerable-to-relay-attacks/ [Tom Van Vleck noted: New Bluetooth hack can unlock your Tesla -- and all kinds of other devices The comments are really funny. https://arstechnica.com/information-technology/2022/05/new-bluetooth-hack-can-unlock-your-tesla-and-all-kinds-of-other-devices/ PGN] ------------------------------ Date: Tue, 17 May 2022 17:14:53 -1000 From: geoff goodfellow <geoff () iconia com> Subject: When Your Smart ID Card Reader Comes With Malware (KrebsOnSecurity) Millions of U.S. government employees and contractors have been issued a secure smart ID card that enables physical access to buildings and controlled spaces, and provides access to government computer networks and systems at the cardholder's appropriate security level. But many government employees aren't issued an approved card reader device that lets them use these cards at home or remotely, and so turn to low-cost readers they find online. What could go wrong? Here's one example. [...] https://krebsonsecurity.com/2022/05/when-your-smart-id-card-reader-comes-with-malware/ ------------------------------ Date: Wed, 18 May 2022 11:16:05 -1000 From: geoff goodfellow <geoff () iconia com> Subject: Sadly, this food delivery robot got caught on the tracks while trying to cross (Twitter) https://twitter.com/tulipsmg/status/1525976684998144005 [Gee whiz. Two different food-delivery robots in successive issues. This one should be in a Train "sears robot catalog", because it caught fire. (Funny only if you are my age, perhaps.) PGN] ------------------------------ Date: Wed, 18 May 2022 16:08:50 -0400 From: Monty Solomon <monty () roscom com> Subject: Two-Card Monte: Why Mastercard And Visa Rarely Shut Down Scammers Who Are Ripping Off Consumers (Buzzfeed News) The global credit-card rivals maintain a strikingly permissive relationship with companies that have been accused of fraud. For one of Mastercard' top executives, that relationship went even further. A BuzzFeed News investigation. https://www.buzzfeednews.com/article/rosalindadams/mastercard-visa-fraud ------------------------------ Date: Fri, 20 May 2022 06:32:12 +0900 From: Dave Farber <farber () keio jp> Subject: Crypto meltdown highlights need for urgent regulatory intervention
From an OPED in Nikkei Asia 5/20 by David Farber and Dan Gilmor
You have to feel a twinge of sympathy for the people who "invested" their savings in cryptocurrencies during the past few months and who subsequently lost most or all of their money when the cryptocurrency marketplace collapsed during the past several weeks. The words "invested" is in quotes for a reason. This bubble was a classic in the genre, and the people who are collectively losing the most money are low-information gamblers, not investors, just as they are when every economic bubble deflates. And they were warned. Anyone paying the slightest attention had to have heard the ever-more-strident cautions, including ours, that cryptocurrencies were not what they seemed and that this "marketplace" was in large part a mirage. And, as we said in the article, ``Cryptocurrencies remain a gamble best avoided,'' published online on Feb. 5, a rigged game. ------------------------------ Date: Wed, 18 May 2022 12:28:57 -0400 (EDT) From: ACM TechNews <technews-editor () acm org> Subject: Eavesdroppers Can Hack 6G Frequency with DIY Metasurface (Jake Boyd) Jade Boyd, Rice University News, 16 May 2022, via ACM TechNews, 18 May 2022 Hackers can use common tools to construct a metasurface that allows them to listen in on 6G wireless transmissions. Researchers at Rice and Brown universities demonstrated that attackers could employ a sheet of office paper covered with two-dimensional foil symbols to reroute part of a 150-gigahertz "pencil beam" signal between two users, calling it a Metasurface-in-the-Middle exploit. In such a situation, the eavesdropper designs a metasurface to diffract part of a signal to their location; Rice's Zhambyl Shaikhanov said they then laser-print the metasurface by feeding metal foil through a laminator. Brown's Daniel Mittleman said the hot-stamping technique was developed to simplify metasurface manufacturing for quick, affordable testing. Warns Rice's Edward Knightly, "Next-generation wireless will use high frequencies and pencil beams to support wide-band applications like virtual reality and autonomous vehicles." https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ea62x233db0x071353& ------------------------------ Date: Wed, 18 May 2022 07:12:17 -0400 From: Jan Wolitzky <jan.wolitzky () gmail com> Subject: China's Internet Censors Try a New Trick: Revealing Users' Locations? (NYTimes) For years China's censors have relied on a trusted tool kit to control the country's Internet. They have deleted posts, suspended accounts, blocked keywords, and arrested the most outspoken. Now they are trying a new trick: displaying social media users' locations beneath posts. Authorities say the location tags, which are displayed automatically, will help unearth overseas disinformation campaigns intended to destabilize China. In practice, they have offered new fuel for pitched online battles that increasingly link Chinese citizens' locations with their national loyalty. Chinese people posting from overseas, and even from provinces deemed insufficiently patriotic, are now easily targeted by nationalist influencers, whose fans harass them or report their accounts. The tags, based on a user's Internet Protocol, or I.P., address that can reveal where a person is located, were first applied to posts that mentioned the Russian invasion of Ukraine, a topic authorities said was being manipulated with foreign propaganda. Now they are being expanded to most social media content, further chilling speech on a Chinese Internet dominated by censorship and isolated from the world. The move marks a new step in a decade-long push by Chinese officials to end anonymity online and exert a more perfect control over China's digital town squares. https://www.nytimes.com/2022/05/18/business/china-internet-censors-ip-address.html ------------------------------ Date: Mon, 16 May 2022 19:55:30 -0700 From: Geoff Kuenning <geoff () cs hmc edu> Subject: Exposure through identity verification? I got data-breach notice today from Assurance IQ, LLC and some of its affiliated companies. (I'm dang sure they wouldn't have told me if they weren't forced to by law.) Of course they said that "keeping personal data safe and secure is very important" to them. I guess that's why they didn't notice for 16 months that someone was repeatedly using their site to extract personal data. Based on their description, it sounds like if you filled out a life insurance application with someone's "name, address, and other information", they then "retrieved a driver's license number that was then displayed...in the online application." Yup, either they helpfully auto-filled that number (if they knew it, why did they need it filled in?) or, more likely, displayed it as a method of identity verification. "Please click here if you are the person with DL number 1234567." Did nobody review this design? [I suspect nobody who knew anything did. PGN] ------------------------------ Date: Tue, 17 May 2022 09:49:17 -0400 (EDT) From: Mark Brader <msb () Vex Net> Subject: 463 people's COVID benefits accidentally sent to one of them https://english.kyodonews.net/news/2022/05/814926b5d433-man-mistakenly-sent-463-mil-yen-in-covid-funds-gambles-it-all-away.html ------------------------------ Date: Thu, 19 May 2022 09:47:40 +0800 From: Richard Stein <rmstein () ieee org> Subject: Zero-trust security: Assume everyone on the Internet is out to get you -- and already has (techxplore) https://techxplore.com/news/2021-05-zero-trust-assume-internet-youand.html "Using the public health analogy, a zero-trust approach to cybersecurity assumes that an infection is only a cough -- or, in this case, a click -- away, and focuses on building an immune system capable of dealing with whatever novel virus may come along. Put another way, instead of defending a castle, this model assumes that the invaders are already inside the walls." "Zero Trust Architecture," from https://csrc.nist.gov/publications/detail/sp/800-207/final(retrieved on 19MAY2022) documents a framework for infrastructure, processes, and policies to establish a Zero Trust ecosystem. A significant shift from the static, network-based Internet perimeter we enjoy today, where trust -- too much trust -- enables convenient and anonymous access easing navigation through infrastructure, Zero Trust imposes constant credential authentication challenges for users, assets and resources based on a centralized policy enforcement mechanism. Policy enforcement subjects a user's identity to verification checks for each new resource access request, and access is subject to mediation (via privilege and allocation masks), logging, and analysis. The US government now requires disclosure of industry cyber incidents. For businesses deemed "critical infrastructure," regulation will likely be necessary to compel Zero Trust adoption. The days of voluntary business cyber compliance are history. Commercial enterprises will object to the transition cost. Ransomware and business e-mail compromise payoffs are illegal -- but weakly enforced, and indictments of impacted business organizations have not materialized so far. See "Ransomware Payments and the Law," from https://www.lawfareblog.com/ransomware-payments-and-law (retrieved on 19MAY2022) for background. Incidents are inconvenient and embarrassing, a mere business expense passed onto the customer as cyber-insurance premium prices inflate. An overview of Zero Trust architecture and prototype of how it operates can be found in the video https://youtu.be/6I6bnNdZ5XU via "Zero-trust architecture may hold the answer to cybersecurity insider threats" https://techxplore.com/news/2022-05-zero-trust-architecture-cybersecurity-insider-threats.html. ["Get got" is a prerequisite for becoming "got got."] [As I must have noted here already, ZERO-TRUST is a horrible term. There is always something that has to be trusted, whether you like it or not. "Minimal-trust" might make some sense, except today everything is a potential weak link, and NOTHING is trustworthy. Applying it to bacterial and viral infections is similarly stupid. PGN] ------------------------------ Date: Thu, 19 May 2022 09:37:55 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: DOJ says it will no longer prosecute good-faith hackers under CFAA (TechCrunch) https://techcrunch.com/2022/05/19/justice-department-good-fatih-hackers-cfaa/ ------------------------------ Date: Thu, 19 May 2022 08:36:31 -0600 From: Jim Reisert AD1C <jjreisert () alum mit edu> Subject: Selfies Further Endanger Rare Phallic Plant, Conservationists Fear (NYT) (Richard C. Paddock) 18 May 2022 The three women shrieked and giggled as they plucked the tubular pitchers from rare carnivorous plants in the mountains of Cambodia. The phallic shape of the pitchers reminded them of something, they joked as a friend filmed the scene with a phone. The women broke off some of the distinctive appendages, which the plants use to trap insects. Holding them suggestively for the camera, they compared the pitchers' sizes to the physique of different men from various parts of Cambodia. "I want all of them," says the woman in blue, displaying four plucked pitchers for the camera. The widely viewed video prompted Cambodia's ministry of environment to warn the public last week not to pick the pitchers of the plant, which is an endangered species and protected by law. Conservationists are concerned that the growing popularity of smartphones and selfies could increase pressure on the rare plants. https://www.nytimes.com/2022/05/18/world/asia/cambodian-plant-video.html ------------------------------ Date: Thu, 19 May 2022 08:47:14 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Artificial Intelligence * Stephen Colbert: "Are you afraid of artificial intelligence taking over?" * Ricky Gervais: "I'd love for any intelligence to take over." ------------------------------ Date: Tue, 17 May 2022 14:00:48 +0100 From: Martin Ward <martin () gkc org uk> Subject: Re: Companies envision taxis flying above jammed traffic (Bacher, RISKS-33.21) You are not thinking three-dimensionally. Consider the famous "spaghetti junction" (https://en.wikipedia.org/wiki/Gravelly_Hill_Interchange) where 18 different roads intersect in a free-flowing junction over five different levels. Flying cars can operate on an arbitrarily large number of different levels, so you can indeed "just breeze through the sky". ------------------------------ Date: 16 May 2022 21:15:36 -0400 From: "John Levine" <johnl () iecc com> Subject: Re: Companies envision taxis flying above jammed traffic (Bacher, RISKS-33.20)
Hasn't anyone considered that once flying cars/taxis are practical and popularized, the traffic jams will simply migrate from the roads to the air?
Maybe, maybe not. Cars have to stay on the road, but in principle flying vehicles can go point to point so long as they are able to avoid running into each other (admittedly a significant "if".) Also, flying vehicles can fly at different altitudes. Commercial planes fly at specified altitudes, 1000 vertical feet apart, with alternating levels for alternating directions. I have my doubts whether flying cars will ever be a mass market item, as opposed to a toy for rich people and a niche item for people who have some business reason that the time savings are worth it. We've had small planes for over a century and the cost to own and run a plane is still a lot more than for a car. ------------------------------ Date: Thu, 19 May 2022 10:15:54 -0700 From: Barry Gold <BarryDGold () ca rr com> Subject: Re: Companies envision taxis flying above jammed traffic Except that there's a lot more room in the air. Freeways are limited to whatever land we can afford to buy for the purpose. Airways can use a huge amount of space, and can use it on multiple levels. Even if you restricted air traffic to the space above existing roadways (on the basis that landowners also own the airspace above their land, at least up to wherever the commercial airlanes start), you could stack traffic 2, 3, 5, 10, 20 levels high, where existing roadways are limited to 1 or at most 2 levels. [You seem to be completely ignoring the TCAS issues relating to changing altitudes. PGN] ------------------------------ Date: Tue, 17 May 2022 12:32:45 +0300 From: Amos Shapir <amos083 () gmail com> Subject: Re: Finding it hard to get a new job? Robot recruiters might be to blame (RISKS-33.21) The problem seems to be that such tools are deployed before testing if they are actually adequate for the job. It seems as if the rules are defined by programmers, and if there are people who participate in the process on behalf of the hiring company, they are of HR and not of the hiring departments. The result may give rise to Artificial Stupidity. Testing such a tool should involve running it in parallel with screening candidates by human managers, for a significant time period (I think at least a year); and then comparing the results to catch any misfeatures or biases in the design. ------------------------------ Date: Mon, 1 Aug 2020 11:11:11 -0800 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume/previous directories or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 33.22 ************************
Current thread:
- Risks Digest 33.22 RISKS List Owner (May 19)