Subject: Risks Digest 32.76

RISKS-LIST: Risks-Forum Digest  Saturday 10 July 2021  Volume 32 : Issue 76

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****

This issue is archived at as
The current issue can also be found at

  Contents:
RFI on scientific integrity (White House OSTP)
A code grabber is a device that can capture a radio signal from a vehicle's
  key fob, analyze it and replicate (geoff goodfellow)
Social-credit score system for Germany (Vorausschau)
Developer Infinidash joke ends up as job requirement (The Register)
Europe makes the case to ban biometric surveillance (Matt Burgess)
Some locals say a bitcoin mining operation is ruining one of the Finger
  Lakes. Here's how. (NBC News)
Researchers examine burden of electronic health record on primary care
  clinicians (medicalxpress.com)
How California's new Digital Vaccine Records can be easily abused (EFF)
NY's "Excelsior" vaccine "passport" is a mess (TechReview)
Microsoft's Emergency Patch Fails to Fully Fix PrintNightmare RCE
  Vulnerability (MS)
Human Risk Management /HRM/ is the FIX. (The Hacker News)
Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software
  (Krebs on Security)
Cell phones and cancer: New UC Berkeley study suggests cell phones sharply
  increase tumor risk (KTVU)
GOP Congressman in leaked video: "We want chaos and inability to get things
  done for the next 18 months!"
  (Common Dreams)
Re: Supreme Court sides with credit agency (Richard Stein, Stanley Chow)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 5 Jul 2021 19:56:58 PDT
From: Peter G Neumann
Subject: RFI on scientific integrity (White House OSTP)

  [For the entire history of the ACM Risks Forum, we have sought integrity
  and trustworthiness in scientific and engineering efforts, and what we
  might be able to do to ensure it. This may be the first government RFI to
  be included in RISKS, but it seems to be exactly in our wheelhouse. I
  believe our International audience might want to respond, as well as
  those in the U.S.  PGN]

The White House Office of Science and Technology Policy (OSTP) seeks
information by 28 July 2021 to help improve the effectiveness of Federal
scientific integrity policies to enhance public trust in science.

The January 27, 2021 Presidential Memorandum on Restoring Trust in
Government Through Scientific Integrity and Evidence-Based Policymaking
(Memorandum) directs OSTP to convene an inter-agency task force under the
National Science and Technology Council to review the effectiveness of
policies developed since the issuance of the Presidential Memorandum on
scientific integrity issued on March 9, 2009 in preventing improper
political interference in the conduct of scientific research and the
collection of data; preventing the suppression or distortion of findings,
data, information, conclusions, or technical results; supporting scientists
and researchers of all genders, races, ethnicities, and backgrounds; and
advancing the equitable delivery of the Federal Government's programs.
To support this assessment, OSTP seeks information about: (1) The
effectiveness of Federal scientific integrity policies and needed areas of
improvement; (2) good practices Federal agencies could adopt to improve
scientific integrity, including in the communication of scientific
information, addressing emerging technologies and evolving scientific
practices, supporting professional development of Federal scientists, and
promoting transparency in the implementation of agency scientific integrity
policies; and (3) other topics or concerns that Federal scientific integrity
policies should address.

Please note the purpose of this RFI is not to receive reports on alleged
offenses that are in violation of Federal scientific integrity policies. If
you have witnessed or experienced any harmful acts that may undermine
scientific integrity and you would like to report these allegations, please
contact the Scientific Integrity Officer or Office of the Inspector General
at the relevant Federal agency.

https://www.federalregister.gov/documents/2021/06/28/2021-13640/request-for-information-to-improve-federal-scientific-integrity-policies

------------------------------

Date: Mon, 5 Jul 2021 12:37:23 -1000
From: geoff goodfellow
Subject: A code grabber is a device that can capture a radio signal from a
  vehicle's key fob, analyze it and replicate

And here is the code grabber hidden in the Game Boy case.
https://twitter.com/it4sec/status/1411902542993412096

------------------------------

Date: Mon, 5 Jul 2021 08:46:32 +0200
From: Thomas Koenig
Subject: Social-credit score system for Germany (Vorausschau)

The German ministry for education and science (BMBF) has published a study
in which it puts forward a Chinese-style social credit system for Germany.

A translated quote from the long version on an official BMBF site:
https://www.vorausschau.de/vorausschau/de/home/home_node.html#zukuenfte
(the web site's design is atrocious, trying to find the information is
quite difficult).
  ``Highly controversial at the beginning, the bonus point system is largely
  accepted in the 2030s. It establishes new norms in everyday life that were
  not possible before. The participatory development of the rules also
  ensures greater acceptance among the population. Approval of the bonus
  system is growing, particularly in view of the increasing dynamics of
  climate change. A point-based evaluation, for example, of the ecological
  footprint -- helps to make the polluter-pays principle transparent.''

Participation in the point system would be voluntary in the sense that not
participating would bring very real drawbacks. Another quote:

  ``The bonus system is also helpful for the labor market, which continues
  to suffer from a shortage of skilled workers. It helps to identify
  qualification potential and efficiently organize the spatial mobility of
  the workforce.''

So, not participating would lead to lower chances of getting a job.

China is explicitly mentioned as a role model.

------------------------------

Date: Mon, 5 Jul 2021 11:18:19 +0200
From: Peter Houppermans
Subject: Developer Infinidash joke ends up as job requirement (The Register)

From https://www.theregister.com/2021/07/05/infinidash/

  ``A tweeted musing that merely mentioning a new AWS product would be
  enough to see it appear in job ads has come true — even though the
  product mentioned is made up.''

Amusingly, enough people picked up the joke and ran with it (my personal
favourite was the announcement of an *O RLY* book) for it to indeed expose
quite a few bandwagons, not in the least the aforementioned job specs which
have long demonstrated a remarkable ability to remain disconnected from
reality.

Entertaining - and educational.
------------------------------

Date: Thu, 8 Jul 2021 19:40:11 PDT
From: Peter G Neumann
Subject: Europe makes the case to ban biometric surveillance (Matt Burgess)

Matt Burgess, WiReD, 7 Jul 2021

Companies are racing to track your emotions, how you walk and your
voiceprint. Should Europe ban biometric tracking entirely?

Your body is a data goldmine. From the way you look to how you think and
feel, firms working in the burgeoning biometrics industry are developing
new and alarming ways to track everything we do. And, in many cases, you
may not even know you're being tracked.

But the biometrics business is on a collision course with Europe's leading
data protection experts. Both the European Data Protection Supervisor,
which acts as the EU's independent data body, and the European Data
Protection Board, which helps countries implement GDPR consistently, have
called for a total ban on using AI to automatically recognise people. [...]

https://www.wired.co.uk/article/europe-ai-biometrics

------------------------------

Date: Tue, 6 Jul 2021 15:07:19 -0700
From: "Lauren Weinstein"
Subject: Some locals say a bitcoin mining operation is ruining one of the
  Finger Lakes. Here's how. (NBC News)

[Why is this still legal?]

https://www.nbcnews.com/science/environment/some-locals-say-bitcoin-mining-operation-ruining-one-finger-lakes-n1272938?cid=sm_npd_nn_tw_ma

------------------------------

Date: Sat, 10 Jul 2021 09:43:30 +0800
From: "Richard Stein"
Subject: Researchers examine burden of electronic health record on primary
  care clinicians (medicalxpress.com)

https://medicalxpress.com/news/2021-07-burden-electronic-health-primary-clinicians.html

Health record data entry by physicians interferes with patient quality of
care. Data entry streamlines healthcare billing, but should it be
prioritized over positive patient outcome? Apparently yes. What can be done
to mitigate this conflict?
  "Virtual or AI-powered scribes could reduce the burden of note-taking
  across primary care specialties and can be evaluated in future studies,
  the authors state. Interventions that streamline messaging and placing
  orders are also research priorities."

Naturally enough, these medical incidents are known to arise from
old-fashioned, hands-on medicine. How common are these medical errors? The
abstract from "Your Health Care May Kill You: Medical Errors," via
https://pubmed.ncbi.nlm.nih.gov/28186008/ from Stud Health Technol Inform
2017;234:13-17.

  "Recent studies of medical errors have estimated errors may account for
  as many as 251,000 deaths annually in the United States (U.S.), making
  medical errors the third leading cause of death. Error rates are
  significantly higher in the U.S. than in other developed countries such
  as Canada, Australia, New Zealand, Germany and the United Kingdom (U.K.)."

I wonder if AI-driven prescriptions will go haywire? Or the wrong diagnostic
procedure will be ordered and performed? Fortunately, the pneumoencephalogram
(https://en.wikipedia.org/wiki/Pneumoencephalography) has been retired.

  [I almost misread this as pneumann ... has been retired.  PNeumann]

------------------------------

Date: Thu, 8 Jul 2021 13:18:34 -0700
From: "Lauren Weinstein"
Subject: How California's new Digital Vaccine Records can be easily abused
  (EFF)

https://www.eff.org/deeplinks/2021/06/decoding-californias-new-digital-vaccine-records-and-potential-dangers

------------------------------

Date: Wed, 7 Jul 2021 08:34:15 -0700
From: "Lauren Weinstein"
Subject: NY's "Excelsior" vaccine "passport" is a mess (TechReview)

Just say no.
  -L

https://www.technologyreview.com/2021/07/06/1027770/vaccine-passport-new-york-excelsior-pass/

------------------------------

Date: Wed, 7 Jul 2021 19:03:09 -1000
From: geoff goodfellow
Subject: Microsoft's Emergency Patch Fails to Fully Fix PrintNightmare RCE
  Vulnerability (MS)

Even as Microsoft *expanded patches*
https://docs.microsoft.com/en-us/windows/release-health/windows-message-center
for the so-called PrintNightmare vulnerability for Windows 10 version 1607,
Windows Server 2012, and Windows Server 2016, it has come to light that the
patch for the remote code execution exploit in the Windows Print Spooler
service can be bypassed in certain scenarios, effectively defeating the
security protections and permitting attackers to run arbitrary code on
infected systems.

On Tuesday, the Windows maker issued an *emergency out-of-band update* to
address *CVE-2021-34527* (CVSS score: 8.8) after the flaw was accidentally
disclosed by researchers from Hong Kong-based cybersecurity firm Sangfor
late last month, at which point it emerged that the issue was different from
another bug — tracked as CVE-2021-1675 — that was patched by Microsoft on
June 8.

"Several days ago, two security vulnerabilities were found in Microsoft
Windows' existing printing mechanism," Yaniv Balmas, head of cyber-research
at Check Point, told The Hacker News. "These vulnerabilities enable a
malicious attacker to gain full control on all windows environments that
enable printing."

"These are mostly working stations but, at times, this relates to entire
servers that are an integral part of very popular organizational networks.
Microsoft classified these vulnerabilities as critical, but when they were
published they were able to fix only one of them, leaving the door open for
explorations of the second vulnerability," Balmas added. [...]
https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html

------------------------------

Date: Thu, 8 Jul 2021 11:01:15 -1000
From: geoff goodfellow
Subject: Human Risk Management /HRM/ is the FIX. (The Hacker News)

Humans are an organization's strongest defence against evolving
cyber-threats, but security awareness training alone often isn't enough to
transform user behaviour. Human Risk Management (HRM) is the FIX. Check out
this new guide from @getusecure: [...]

https://thehackernews.com/2021/07/security-awareness-training-is-broken.html
via https://twitter.com/TheHackersNews/status/1413158374057730052

------------------------------

Date: Thu, 8 Jul 2021 11:03:15 -1000
From: geoff goodfellow
Subject: Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own
  Software (Krebs on Security)

Last week cybercriminals deployed ransomware to 1,500 organizations that
provide IT security and technical support to many other companies. The
attackers exploited a vulnerability in software from *Kaseya*, a Miami-based
company whose products help system administrators manage large networks
remotely. Now it appears Kaseya's customer service portal was left
vulnerable until last week to a data-leaking security flaw that was first
identified in the same software six years ago.

On July 3, the REvil ransomware affiliate program began using a zero-day
security hole (CVE-2021-30116) to deploy ransomware to hundreds of IT
management companies running Kaseya's remote management software — known as
the *Kaseya Virtual System Administrator* (VSA).

According to this entry for CVE-2021-30116, the security flaw that powers
that Kaseya VSA zero-day was assigned a vulnerability number on April 2,
2021, indicating Kaseya had roughly three months to address the bug before
it was exploited in the wild.
Also on July 3, security incident response firm *Mandiant* notified Kaseya
that their billing and customer support site — *portal.kaseya.net* — was
vulnerable to CVE-2015-2862, a "directory traversal" vulnerability in
Kaseya VSA that allows remote users to read any files on the server using
nothing more than a Web browser.

As its name suggests, CVE-2015-2862 was issued in July 2015. Six years
later, Kaseya's customer portal was still exposed to the data-leaking
weakness. [...]

https://krebsonsecurity.com/2021/07/kaseya-left-customer-portal-vulnerable-to-2015-flaw-in-its-own-software/

------------------------------

Date: Wed, 7 Jul 2021 08:37:59 -1000
From: geoff goodfellow
Subject: Cell phones and cancer: New UC Berkeley study suggests cell phones
  sharply increase tumor risk (KTVU)

New UC Berkeley research draws a strong link between cell phone radiation
and tumors, particularly in the brain.

Researchers took a comprehensive look at statistical findings from 46
different studies around the globe and found that the use of a cell phone
for more than 1,000 hours, or about 17 minutes a day over a ten year period,
increased the risk of tumors by 60 percent.

Researchers also pointed to findings that showed cell phone use for 10 or
more years doubled the risk of brain tumors.

*Joel Moskowitz*, director of the Center for Family and Community Health
with the *UC Berkeley School of Public Health* conducted the research in
partnership with Korea's National Cancer Center, and Seoul National
University. Their analysis took a comprehensive look at statistical findings
from case control studies from 16 countries including the U.S., Sweden,
United Kingdom, Japan, Korea, and New Zealand. [...]
https://www.ktvu.com/news/new-uc-berkeley-study-draws-strong-link-between-cell-phone-use-and-cancer

------------------------------

Date: Wed, 7 Jul 2021 15:32:43 -0700
From: "Lauren Weinstein"
Subject: GOP Congressman in leaked video: "We want chaos and inability to
  get things done for the next 18 months!" (Common Dreams)

https://www.commondreams.org/news/2021/07/07/leaked-video-gop-congressman-admits-his-party-wants-chaos-and-inability-get-stuff

------------------------------

Date: Mon, 5 Jul 2021 13:20:58 +0800
From: "Richard Stein"
Subject: Re: Supreme Court sides with credit agency (WashPost, RISKS-32.75)

  [Hi Steven -- My concern was only hypothetical.]

Suppose the TransUnion data were breached, and certain parties had chosen to
weaponize or exploit it? Those unfortunate 8K folks might experience
palpable consequences: reduced job eligibility, stigmatization, etc. until
or unless they could exonerate themselves by attempting to restore
reputation.

Gives one pause about profiling activities in general, and the lists of
values/attribute labels contained in profiles.

History suggests the global data breach pandemic is unlikely to subside.
Consequences and risks compound with each case.

------------------------------

Date: Mon, 5 Jul 2021 10:52:28 -0400
From: "Stanley Chow"
Subject: Re: Supreme Court sides with credit agency (Klein, RISKS-32.75)

In Risks 32.75, Steve Klein points out that we shouldn't get excited about
the U.S. Supreme Court decision siding with the credit agency for SOME
PEOPLE -- because "... faulty records that were never shared ... could not
have suffered any damages."

I am not a lawyer and have not read the decision, but it sounds like:

1. Someone has a loaded gun pointed to my head.
2. The trigger will be pulled - as soon as some random user pays $10 (or
   whatever fee they charge).
3. The courts cannot do anything until the trigger is pulled.
4. So, after I am dead (or my life is ruined), the courts MAY fine the
   credit agency some nominal amount.
Is this as f**ked up as it sounds?

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 32.76
************************