Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 32.06

RISKS-LIST: Risks-Forum Digest  Monday 29 June 2020  Volume 32 : Issue 06

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can also be found at

  Contents:
Man Dies after Relatives Unplug Ventilator for Air Conditioner Unit (Chuck Petras)
76-year-old American jailed in Spain was unwitting drug mule, U.S. says (The Boston Globe)
Ripple20 IP stack vulnerability may affect literally billion devices (Chiaki Ishikawa)
Security breach impacts Maine State Police database (BostonGlobe)
How a Good Scam Can Bypass Our Defences (Bruce Grierson)
E-Commerce Site Hackers Now Hiding Credit Card Stealer Inside Image Metadata (The Hacker News)
Moroccan Journalist Targeted With Network Injection Attacks Using NSO Groups Tools (Amnesty International)
Netgear moves to plug vulnerability in routers after researchers find zero-day (Sean Lyngaas)
TikTok and 53 other iOS apps STILL snoop your sensitive clipboard data (Ars Technica)
Zoom chats short circuit a brain function essential for trust -- and that's bad for business (Don Pittis)
EFF & Heavyweight Legal Team Will Defend Internet Archive's Digital Library Against Publishers (Andy Maxwell)
Re: 40 milliseconds to go halfway around the Earth? *NOT* (Fred Cohen)
Re: 0.5% of coronavirus stimulus checks went to dead people according to the GAO (James Cloos)
Re: Smells Fishy? The Fish That Prevent Iran From Hacking (Michael Grant, Phil Nasadowski)
Quote of The Day (George Orwell, 1984)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 29 Jun 2020 20:55:51 +0000
From: Chuck Petras
Subject: Man Dies after Relatives Unplug Ventilator for Air Conditioner Unit

Where to begin?

"The man's relatives then took an air conditioner to the hospital – as daytime temps reportedly topped out at 106 degrees — and allegedly unplugged the ventilator after not finding an open socket to cool down the room, according to the report. Hospital staffers had deactivated air conditioners in the unit in an effort to curb the spread of COVID-19 []."

Man Dies after Relatives Unplug Ventilator for Air Conditioner Unit
https://www.24x7mag.com/medical-equipment/patient-care-equipment/ventilators/man-dies-unplug-ventilator-air-conditioner/

------------------------------

Date: Sun, 28 Jun 2020 10:00:05 -0400
From: Monty Solomon
Subject: 76-year-old American jailed in Spain was unwitting drug mule, U.S. says (The Boston Globe)

Victor Stemberger wasn't about to ignore the emails inviting him into a multimillion-dollar business opportunity, so he pitched himself as perfect for the job. In a way he was — but for all the wrong reasons.

https://www.boston.com/news/crime/2020/06/27/76-year-old-american-jailed-in-spain-was-unwitting-drug-mule-us-says

------------------------------

Date: Mon, 29 Jun 2020 07:22:08 +0900
From: "ISHIKAWA,chiaki"
Subject: Ripple20 IP stack vulnerability may affect literally billion devices

A recently found vulnerability, called Ripple20, in IP stack software created by Treck may literally affect a billion devices. The IP stack originally developed by Treck is meant for embedded devices and runs on embedded OSes, such as real-time OSes. It is also marketed by a Japanese company, Zuken Elmic, after the joint development diverged.
Looking at the few advisories [1][2] and the original report by JSOF [3], the Israeli company which first reported the vulnerability, one can't ignore the fact that so many companies have already published a list of devices affected by the vulnerability. HP and HP Enterprise, for example, alone listed printers, notebook and desktop PCs, and workstations. I don't have the marketing figures handy, but the list includes popular models, so I think it could be millions of devices(?)

Finding names like Aruba and Cisco among the companies whose products are affected was a surprise to me. These companies are known for their networking software. But they used a third-party network stack for certain products, obviously.

As a matter of fact, I once used an early version of the stack from Elmic (a Japanese company, before it was bought by Zuken). It was an old version, in the early 2000s. I am a bit concerned since some partner companies used the stack back then for prototyping. At the time, it was one of the few IP stacks for embedded devices that had support for IPv6.

I am afraid the list of Japanese companies whose products are affected may grow. I suspect the response may be slow due to the Covid-19 outbreak, with many people working from home.

The Zuken Elmic web page (in Japanese) claimed the stack, marketed under the name Kasago, has been used by 300 companies for 500 different products. [5] Ouch.

Last year's Urgent/11 [4] was also bad, but Ripple20 may turn out to be worse, according to the products already reported. We may see more of these vulnerabilities in the future now that the security community turns its eyes toward the embedded-device domain.
[1] Treck IP stacks contain multiple vulnerabilities, CERT/CC,
    https://kb.cert.org/vuls/id/257161
[2] ICS Advisory (ICSA-20-168-01) - Treck TCP/IP Stack,
    https://www.us-cert.gov/ics/advisories/icsa-20-168-01
[3] Ripple20 - 19 Zero-Day Vulnerabilities Amplified by the Supply Chain, JSOF,
    https://www.jsof-tech.com/ripple20/
[4] URGENT/11 - UPDATE: URGENT/11 affects additional RTOSs - Highlights Risks on Medical Devices, ARMIS,
    https://www.armis.com/urgent11/
[5] KASAGO®IPv4、KASAGO®IPv4Light
    https://www.elwsc.co.jp/wp-content/uploads/2020/02/KASAGOv4_201912.pdf

------------------------------

Date: Sun, 28 Jun 2020 09:54:45 -0400
From: Monty Solomon
Subject: Security breach impacts Maine State Police database (BostonGlobe)

State police said the most common documents shared on the database are crime information and situational awareness bulletins.

https://www.boston.com/news/local-news/2020/06/27/security-breach-impacts-maine-state-police-database

------------------------------

Date: Sat, 27 Jun 2020 16:46:26 -0600
From: "Matthew Kruk"
Subject: How a Good Scam Can Bypass Our Defences (Bruce Grierson)

Bruce Grierson: Cons exploit our cognitive biases. I learned the hard way that some of us are more vulnerable than others

The email popped up on my screen at 6:45 a.m. on December 24. I'd already been up for a couple of hours, working to deadline. It was from someone I know quite well: the minister of the North Shore Unitarian Church, which we attend.

"I need a favor from you," the message said. "Email me as soon as you get my message."

"Ahoy Ron," I replied.

A friend was in the hospital battling cancer, he said, and he'd just learned she was scheduled for surgery tonight. Could I possibly pick up some iTunes gift cards? "She needs the cards to download her favorite music and videos to boost her confidence on her next phase of surgery." He'd do it himself, but he was tied up, he explained. "I will surely reimburse you as soon as I can." [...]
https://thewalrus.ca/how-a-good-scam-can-bypass-our-defenses/

------------------------------

Date: Mon, 29 Jun 2020 09:27:50 -1000
From: the keyboard of geoff goodfellow
Subject: E-Commerce Site Hackers Now Hiding Credit Card Stealer Inside Image Metadata (The Hacker News)

In what's one of the most innovative hacking campaigns, cybercrime gangs are now hiding malicious code implants in the metadata of image files to covertly steal payment card information entered by visitors on the hacked websites.

"We found skimming code hidden within the metadata of an image file (a form of steganography) and surreptitiously loaded by compromised online stores," Malwarebytes researchers said last week. "This scheme would not be complete without yet another interesting variation to exfiltrate stolen credit card data. Once again, criminals used the disguise of an image file to collect their loot."

The evolving tactic of the operation, widely known as web skimming or a Magecart attack, comes as bad actors are finding different ways to inject JavaScript scripts, including misconfigured AWS S3 data storage buckets and exploiting content security policy to transmit data to a Google Analytics account under their control.

Using Steganography to Hide Skimmer Code in EXIF... [...]

https://thehackernews.com/2020/06/image-credit-card-skimmers.html

------------------------------

Date: Sun, 28 Jun 2020 10:16:21 -0400
From: Monty Solomon
Subject: Moroccan Journalist Targeted With Network Injection Attacks Using NSO Groups Tools (Amnesty International)

Amnesty International, 22 June 2020

In October 2019 Amnesty International published a first report on the use of spyware produced by Israeli company NSO Group against Moroccan human rights defenders Maati Monjib and Abdessadak El Bouchattaoui.
Through our continued investigation, Amnesty International's Security Lab identified similar evidence of the targeting of Omar Radi, a prominent activist and journalist from Morocco, from January 2019 until the end of January 2020. Evidence gathered through our technical analysis of Omar Radi's iPhone revealed traces of the same “network injection” attacks we described in our earlier report that were used against Maati Monjib. This provides strong evidence linking these attacks to NSO Group's tools.

These findings are especially significant because Omar Radi was targeted just three days after NSO Group released its human rights policy. These attacks continued after the company became aware of Amnesty International's first report that provided evidence of the targeted attacks in Morocco. This investigation thus demonstrates NSO Group's continued failure to conduct adequate human rights due diligence and the inefficacy of its own human rights policy.

https://www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/

------------------------------

Date: Mon, 29 Jun 2020 12:32:09 -0400 (EDT)
From: ACM TechNews
Subject: Netgear moves to plug vulnerability in routers after researchers find zero-day (Sean Lyngaas)

Sean Lyngaas, CyberScoop, 17 Jun, via ACM TechNews; Monday, June 29, 2020

Netgear said it is close to releasing a patch for a newly discovered software vulnerability that could enable hackers to remotely exploit home Internet routers and potentially access devices running on those networks. The cybersecurity company GRIMM and Trend Micro's Zero Day Initiative (ZDI) reported the vulnerability. GRIMM's Adam Nichols said his team detected a vulnerable copy of a Web server on the router in 79 different Netgear devices. He noted that a hacker does not necessarily need to be on a Wi-Fi network to launch an attack. Researchers said the vulnerability affects a version of Netgear firmware dating to 2007.
ZDI first reported the bug to Netgear in January, delaying its analysis so Netgear could address the issue. It published its findings on June 15 to raise awareness after Netgear requested multiple extensions for releasing a fix. Netgear said the patch has been delayed by the pandemic.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-25ccax223244x067564&

------------------------------

Date: Mon, 29 Jun 2020 09:26:50 -1000
From: geoff goodfellow
Subject: TikTok and 53 other iOS apps STILL snoop your sensitive clipboard data (Ars Technica)

Passwords, bitcoin addresses, and anything else in clipboards are free for the taking.

In March, researchers uncovered a troubling privacy grab by more than four dozen iOS apps including TikTok, the Chinese-owned social media and video-sharing phenomenon that has taken the Internet by storm. Despite TikTok vowing to curb the practice, it continues to access some of Apple users' most sensitive data, which can include passwords, cryptocurrency wallet addresses, account-reset links, and personal messages. Another 53 apps identified in March haven't stopped either.

The privacy invasion is the result of the apps repeatedly reading any text that happens to reside in clipboards, which computers and other devices use to store data that has been cut or copied from things like password managers and email programs. With no clear reason for doing so, researchers Talal Haj Bakry and Tommy Mysk found, the apps deliberately called an iOS programming interface that retrieves text from users' clipboards.

Universal snooping

In many cases, the covert reading isn't limited to data stored on the local device. In the event the iPhone or iPad uses the same Apple ID as other Apple devices and they are within roughly 10 feet of each other, all of them share a universal clipboard, meaning contents can be copied from the app of one device and pasted into an app running on a separate device.
That leaves open the possibility that an app on an iPhone will read sensitive data on the clipboards of other connected devices. This could include bitcoin addresses, passwords, or email messages that are temporarily stored on the clipboard of a nearby Mac or iPad. Despite running on a separate device, the iOS apps can easily read the sensitive data stored on the other machines.

``It's very, very dangerous,'' Mysk said in an interview on Friday, referring to the apps' indiscriminate reading of clipboard data. ``These apps are reading clipboards, and there's no reason to do this. An app that doesn't have a text field to enter text has no reason to read clipboard text.''

The video below demonstrates universal clipboard reading: [...]

https://arstechnica.com/gadgets/2020/06/tiktok-and-53-other-ios-apps-still-snoop-your-sensitive-clipboard-data/

------------------------------

Date: Mon, 29 Jun 2020 06:59:22 -0600
From: "Matthew Kruk"
Subject: Zoom chats short circuit a brain function essential for trust -- and that's bad for business (Don Pittis)

In-person encounters are crucial for establishing trust and building successful teams, according to research

Ever get the sense there is something vital missing on those Zoom meetings? If so, you're not alone -- and there is Canadian science to back you up.

As political and business leaders push to reopen the economy hoping to get restaurants, retailers and factories making money again, there may be good economic reasons for putting at least some of the work-from-home crowd back into the office as fast as it's safe to do so.

Canadian research on "computer-mediated communication," begun long before the current lockdown, shows video chat is an inadequate substitute for real-life interaction. The real thing, dependent on non-verbal cues, is extraordinarily more effective in creating rapport and getting ideas across.
https://www.cbc.ca/news/business/zoom-trust-business-pandemic-1.5628638

------------------------------

Date: June 28, 2020 20:35:32 JST
From: Dewayne Hendricks
Subject: EFF & Heavyweight Legal Team Will Defend Internet Archive's Digital Library Against Publishers (Andy Maxwell)

Andy Maxwell, Torrent Freak, Jun 26 2020 (via Dave Farber)

The EFF has revealed it is teaming up with law firm Durie Tangri to defend the Internet Archive against a lawsuit targeting its Open Library. According to court filings, the impending storm is shaping up to be a battle of the giants, with opposing attorneys having previously defended Google in book scanning cases and won a $1bn verdict for the RIAA against ISP Cox.

In March and faced with the chaos caused by the coronavirus pandemic, the Internet Archive (IA) launched its National Emergency Library (NEL). Built on its existing Open Library, the NEL provided users with unlimited borrowing of more than a million books, something which the IA hoped would help *displaced learners* restricted by quarantine measures.

Publishers Sue Internet Archive

After making a lot of noise in opposition to both the Open and Emergency libraries, publishers Hachette, HarperCollins, John Wiley and Penguin Random House filed a massive copyright infringement lawsuit against the Internet Archive. Declaring the libraries little more than `pirate' services that have no right to scan books and lend them out, even in a controlled fashion, the publishers bemoaned the direct threat to their businesses and demanded millions of dollars in statutory damages.

Earlier this month the IA announced the early closure of the NEL, with IA founder Brewster Kahle calling for an end to litigation and the start of cooperation. There are no public signs of either. Indeed, the opposing sides are preparing for action.
EFF and Attorneys Team Up to Defend IA

Last evening the EFF announced that it is joining forces with California-based law firm Durie Tangri to defend the Internet Archive against a lawsuit which they say is a threat to IA's Controlled Digital Lending (CDL) program. The CDL program allows people to check out scanned copies of books for which the IA and its partners can produce physically-owned copies. The publishers clearly have a major problem with the system but according to IA and EFF, the service is no different from that offered by other libraries.

``EFF is proud to stand with the Archive and protect this important public service,'' says EFF Legal Director Corynne McSherry. ``Controlled digital lending helps get books to teachers, children and the general public at a time when that is more needed and more difficult than ever. It is no threat to any publisher's bottom line.'' [... PGN-truncated]

------------------------------

Date: Sun, 28 Jun 2020 07:10:51 -0700
From: Fred Cohen
Subject: Re: 40 milliseconds to go halfway around the Earth? *NOT* (Bacon, RISKS-32.05)

Today the "lie" travels around the globe in 40 milliseconds, and is solidified by, and enhanced in, each retelling.

Hmmm....

40 milliseconds = 4*10^-2
Speed of light... 3*10^8 meters/second
Distance in 40 msec = 12,000,000 meters (1.2*10^7)
Circumference of the Earth (pole to pole in meters) ~40,000,000 (4*10^7)
Halfway around the world = 20,000,000 meters.

40 ms is really only about a quarter of the way around the Earth -- at the speed of light! Note that since radio can go all directions you could perhaps cover half the Earth by going in all directions. HOWEVER, lies typically travel via Internet, where routers typically slow things down considerably.
If you actually try to get packets halfway around the world (e.g., from California to Mumbai) you will find that routing takes lots of additional time:

> traceroute mu.ac.in
traceroute to mu.ac.in (14.139.125.195), 30 hops max, 60 byte packets
 1  10.0.2.1 (10.0.2.1)  0.513 ms  0.818 ms  0.793 ms
 2  192.168.1.254 (192.168.1.254)  2.539 ms  2.512 ms  2.486 ms
 3  162-200-148-1.lightspeed.mtryca.sbcglobal.net (162.200.148.1)  6.802 ms  7.207 ms  7.696 ms
 4  99.161.44.106 (99.161.44.106)  8.041 ms  8.533 ms  17.439 ms
 5  * * *
 6  12.83.47.137 (12.83.47.137)  19.002 ms  8.016 ms  8.152 ms
 7  sffca402igs.ip.att.net (12.122.114.29)  13.986 ms  15.078 ms  14.440 ms
 8  192.205.37.58 (192.205.37.58)  16.560 ms  16.911 ms  17.543 ms
 9  ae-9.r24.snjsca04.us.bb.gin.ntt.net (129.250.2.2)  15.533 ms  15.869 ms  24.884 ms
...

I should note that the "lie" (40ms) spread by RISKS got around the World literally before I got my pants on this morning, and to get the truth out will likely take days before it is even sent out by RISKS.

One more note. The lie also has to get from someone's brain (or some mechanism's mechanism) and into someone (or something) else's brain (mechanism), and while getting lies out may be pretty quick, penetrating the brain to the point where the meme is formed in the recipient also takes considerable time relative to 40ms.

------------------------------

Date: Sun, 28 Jun 2020 15:49:02 -0400
From: James Cloos
Subject: Re: 0.5% of coronavirus stimulus checks went to dead people according to the GAO (Goldberg, RISKS-32.04)

Given that the stimulus is a refundable discount on 2020 income tax, any estate that is open and could file a 2020 1040 is due the stimulus anyway. So there was nothing at all wrong with his estate receiving it. And the same for probably most of the estates which received them.

The article is an example of low-quality journalism.
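Fred Cohen's post above pairs speed-of-light arithmetic with a traceroute, and the two together make his point: a round-trip time bounds how far away a hop can physically be, and real paths fall far short of that bound. The following script is an added illustration, not part of Cohen's post or of the RISKS digest. It redoes his arithmetic with the rounded constants he used (3*10^8 m/s, 4*10^7 m circumference) and parses the traceroute lines he quoted (copied here as sample input) to compute, per hop, the minimum RTT and the farthest one-way distance that RTT could possibly correspond to, even over a straight vacuum path. The regular expressions and function names are this example's own.

```python
"""Light-speed bound vs. measured traceroute RTTs.

Added example, not Fred Cohen's code: repeats his speed-of-light
arithmetic and parses the traceroute he quoted in RISKS-32.06.
"""
import re

C_M_PER_S = 3.0e8              # speed of light, rounded as in the post
EARTH_CIRCUMFERENCE_M = 4.0e7  # polar circumference, rounded as in the post

# Sample input: the traceroute output quoted in the post (hop 5 timed out).
TRACEROUTE_OUTPUT = """\
traceroute to mu.ac.in (14.139.125.195), 30 hops max, 60 byte packets
 1  10.0.2.1 (10.0.2.1)  0.513 ms  0.818 ms  0.793 ms
 2  192.168.1.254 (192.168.1.254)  2.539 ms  2.512 ms  2.486 ms
 3  162-200-148-1.lightspeed.mtryca.sbcglobal.net (162.200.148.1)  6.802 ms  7.207 ms  7.696 ms
 4  99.161.44.106 (99.161.44.106)  8.041 ms  8.533 ms  17.439 ms
 5  * * *
 6  12.83.47.137 (12.83.47.137)  19.002 ms  8.016 ms  8.152 ms
 7  sffca402igs.ip.att.net (12.122.114.29)  13.986 ms  15.078 ms  14.440 ms
 8  192.205.37.58 (192.205.37.58)  16.560 ms  16.911 ms  17.543 ms
 9  ae-9.r24.snjsca04.us.bb.gin.ntt.net (129.250.2.2)  15.533 ms  15.869 ms  24.884 ms
"""

# A hop line starts with the hop number; RTTs are "<number> ms" tokens.
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
RTT_RE = re.compile(r"([\d.]+)\s*ms")


def light_distance_m(seconds):
    """One-way distance light covers in `seconds` through a vacuum."""
    return C_M_PER_S * seconds


def fraction_of_earth(seconds):
    """Fraction of the Earth's circumference light covers in `seconds`."""
    return light_distance_m(seconds) / EARTH_CIRCUMFERENCE_M


def parse_traceroute(text):
    """Map hop number -> minimum RTT in ms (None if every probe timed out).

    The minimum is used because queuing and processing only ever add
    delay; the smallest probe is the closest to the path's true latency.
    """
    hops = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:  # banner line, not a hop
            continue
        rtts = [float(x) for x in RTT_RE.findall(m.group(2))]
        hops[int(m.group(1))] = min(rtts) if rtts else None
    return hops


def max_one_way_distance_km(rtt_ms):
    """Farthest a hop could be given its RTT: c * t / 2, in kilometres.

    This is an upper bound; fibre (~2/3 c), indirect routes and router
    queuing all put the real device closer than this.
    """
    return light_distance_m(rtt_ms / 1000.0) / 2.0 / 1000.0


def hop_distance_bounds(text):
    """Return [(hop, min_rtt_ms, max_one_way_km)] for hops that answered."""
    return [
        (hop, rtt, max_one_way_distance_km(rtt))
        for hop, rtt in sorted(parse_traceroute(text).items())
        if rtt is not None
    ]


if __name__ == "__main__":
    print("40 ms at c covers %.0f km, %.2f of the Earth's circumference"
          % (light_distance_m(0.040) / 1000.0, fraction_of_earth(0.040)))
    for hop, rtt, km in hop_distance_bounds(TRACEROUTE_OUTPUT):
        print("hop %2d  min RTT %7.3f ms  at most %8.1f km away" % (hop, rtt, km))
```

Run stand-alone, the script reports that 40 ms at light speed is 12,000 km, or 0.3 of the circumference, and that the ninth hop's best RTT of 15.533 ms bounds that router to within about 2,330 km, still inside the western United States, exactly as Cohen's hostnames suggest.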
------------------------------

Date: Sat, Jun 27, 2020 at 10:36 AM
From: Michael Grant
Subject: Re: Smells Fishy? The Fish That Prevent Iran From (via GG)

Here's a great little experiment that I encourage everyone to do! Next time you're at the swimming pool and you see the lifeguard testing the chlorine level in the pool, kindly ask them if they would mind testing the water in the drinking fountain.

Last time I did this in Washington DC, the lifeguard was so astonished that he had to do the reading 3 times. He showed me that the levels of chlorine in the Washington DC water were in the danger zone, all the way at the top of his chart! He said if the water was in the pool, he'd have to take everyone out of the pool!

------------------------------

Date: Sun, 28 Jun 2020 12:38:04 -0400
From: Phil Nasadowski
Subject: Re: Smells Fishy? The Fish That Prevent Iran From Hacking Israel's Water System (RISKS-32.04)

Geoff Kuenning brings up some very valid points. Having 15 years experience in water/wastewater controls (and by no means saying his views are invalid in any way, they certainly are valid), I'd like to point out that even in "major metropolitan areas", in the suburbs, the amount of remote control over chlorine injection is often "none". As a matter of fact, a lot of operations prefer this, because if there's something wrong, they WANT the operator on duty to go out and check the station. (Naturally, notification often comes via a SCADA system which has stupidly poor security 99% of the time. Sometimes notification comes when the call center is flooded with angry calls from residents with bad water.)

That assumes there's even computerized control over chemical injection. Most places, it's a simple pump, sitting on a chemical tank, that gets set and left that way, until the flow changes.
If the flow is computer controlled, the operator has the ability to remotely stop the well, assuming that the relay-based hard logic mandated in (some) places doesn't stop the out of control chemical injection, first. It won't stop against a Stuxnet kind of attack (and I'm sure others I can't think of, never mind just breaking into the station and turning the knob on the pump up all the way), but it's some hope...Until something else comes along that nobody thought of.

Years ago, a few vendors were offering systems that were basically electronic fishtanks. I don't think really anyone took the bait...

Philip Nasadowski, Chief Engineer, PCS Integrators (973) 575-7464 x155

------------------------------

Date: Sun, 28 Jun 2020 10:42:24 -1000
From: the keyboard of geoff goodfellow
Subject: Quote of The Day (George Orwell, 1984)

"Every book has been rewritten, every picture has been repainted, every statue and street and building has been renamed, every date has been altered...History has stopped. Nothing exists except an endless present in which the Party is always right."

https://twitter.com/benshapiro/status/1275045608106209281

------------------------------

Date: Mon, 1 Jun 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
 Also, ftp://ftp.sri.com/risks for the current volume
 or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
 If none of those work for you, the most recent issue is always at
   http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
 Apologies for what Office365 and SafeLinks may have done to URLs.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 32.06
************************