RISKS-LIST: Risks-Forum Digest  Saturday 7 August 2021  Volume 32 : Issue 81

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****

This issue is archived at as
The current issue can also be found at

  Contents:
Thousands of Patients Were Implanted With Heart Pumps That the FDA Knew
  Could Be Dangerous (ProPublica)
Reading Race: A Remarkable AI/ML Achievement (WordPress)
Hospitals Still Use Pneumatic Tubes—and They Can Be Hacked (WiReD)
The Pentagon inches toward letting AI control weapons (WiReD)
Cyber-attack against steering of ships? (Times of Israel)
What, me worry? (WashPost via Gabe Goldberg)
The chip shortage is getting worse (Vox)
The Full Story of the Stunning RSA Hack Can Finally Be Told (WiReD)
Revealed: leak uncovers global abuse of cyber-surveillance weapon
  (The Guardian)
Keeping old computers going costs government 2.3bn pounds a year, says report
  (Richard Morris -- BBC)
Apple to Scan iPhones for Child Sex Abuse Images (James Clayton -- BBC)
DRM on hand power tools (TechDirt)
Hacking a Capsule Hotel to Silence a Noisy Neighbor (Infosecurity Magazine)
Senate Banking Chair Asks CFPB How It Plans to Address Risks of Chime and
  Other Banking Apps (ProPublica)
Hackers Turning to 'Exotic' Programming Languages for Malware Development
  (The Hacker News)
Re: Hackers using 'Exotic' PLs for Malware (Henry Baker)
Re: Chair moved to clean in control room, bumps switch, shutting reactor in
  Taiwan (JC Cantrell)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 6 Aug 2021 17:49:17 -0400
From: "Gabe Goldberg"
Subject: Thousands of Patients Were Implanted With Heart Pumps That the FDA
  Knew Could Be Dangerous (ProPublica)

Inspectors repeatedly
found manufacturing and device quality problems with the HeartWare heart pump. But the FDA did not penalize the company, and patients had the device implanted on their hearts without knowing the facts.

https://www.propublica.org/article/heartware-patients-implanted-fda

------------------------------

Date: Wed, 4 Aug 2021 10:40:04 -0400
From: "Olin Sibert"
Subject: Reading Race: A Remarkable AI/ML Achievement (WordPress)

In this posting and paper pre-print,
  https://lukeoakdenrayner.wordpress.com/2021/08/02/ai-has-the-worst-superpower-medical-racism/
  https://arxiv.org/abs/2107.10356
Luke Oakden-Rayner describes a jaw-dropping accomplishment of a medical AI system: it learned to recognize the self-reported racial identity of medical patients by analyzing their X-rays(!). Even more remarkable, it has thus far proven infeasible to discover how it does so, in part because humans are unable to perform the same feat.

On one level, this is a bad risk for medical care driven by inscrutable black boxes. But there are potential counter-measures to mitigate the effect.

On another level, this is a fascinating intellectual and research challenge: how *does* it do that, and why can people apparently not do the same thing?

And on yet another level, what does this result imply for fooling AI-driven systems in all sorts of other contexts? Or for making tamper-resistant AI systems?

------------------------------

Date: Fri, 6 Aug 2021 17:46:04 -0400
From: "Gabe Goldberg"
Subject: Hospitals Still Use Pneumatic Tubes—and They Can Be Hacked (WiReD)

The vulnerabilities the Armis researchers found in TransLogic PTS offerings aren't directly exploitable from the open Internet. But they're all relatively simple flaws to take advantage of, a smattering of hardcoded passwords, buffer overflows, memory corruption bugs, and the like. An attacker on the same network as the web of pneumatic tubes and control panels would have multiple paths to manipulate the system.
And by exploiting certain flaws, they could even install their own unvalidated firmware on a Translogic Nexus Control Panel. For attackers, this would be an avenue to establishing deep, lasting control—hospitals would need to install another curative firmware update to eradicate the intruders.

https://www.wired.com/story/pneumatic-tubes-hospitals-hacking/

Must be present to hack -- so insider/intruder threat only?

------------------------------

Date: Fri, 6 Aug 2021 19:34:23 -0400
From: "Gabe Goldberg"
Subject: The Pentagon inches toward letting AI control weapons (WiReD)

Drills involving swarms of drones raise questions about whether machines could outperform a human operator in complex scenarios.

https://www.wired.com/story/pentagon-inches-toward-letting-ai-control-weapons/

------------------------------

Date: Tue, 3 Aug 2021 16:54:04 -0700
From: "Mabry Tyson"
Subject: Cyber-attack against steering of ships? (Times of Israel)

Smells like a cyber-attack

https://www.timesofisrael.com/4-ships-in-gulf-of-oman-lose-control-days-after-drone-strike-on-vessel/

At least six ships off the coast of the United Arab Emirates broadcast warnings [on 3 Aug 2021] that they had lost control of their steering under unclear circumstances as British authorities reported “a potential hijack” was underway in the area.

The six vessels announced around the same time via their Automatic Identification System trackers that they were “not under command,” according to MarineTraffic.com. That typically means a vessel has lost power and can no longer steer.

“At the same time, if they are in the same vicinity and in the same place, then very rarely that happens,” said Ranjith Raja, an oil and shipping expert with data firm Refinitiv. “Not all the vessels would lose their engines or their capability to steer at the same time.”

------------------------------

Date: Thu, 5 Aug 2021 17:35:58 -0400
From: "Gabe Goldberg"
Subject: What, me worry?
The Greenland ice sheet experienced a massive melting event last week; the melting event could have short-term and long-term implications for sea-level rise.
https://www.washingtonpost.com/weather/2021/08/05/greenland-melt-event-season-2021/

A critical ocean system may be heading for collapse due to climate change, study finds. Studies of ancient climate change show that a shutdown of the Atlantic Meridional Overturning Circulation could lead to wild temperature swings and major shifts in global weather systems.
https://www.washingtonpost.com/climate-environment/2021/08/05/change-ocean-collapse-atlantic-meridional/

Risks? Ignorance, stupidity, politics. Always a nice confluence.

------------------------------

Date: Fri, 6 Aug 2021 10:00:51 -0400
From: "Monty Solomon"
Subject: The chip shortage is getting worse (Vox)

The semiconductor supply crunch came for cars and phones. Now consumers are facing higher prices.

https://www.vox.com/recode/2021/8/5/22611031/chip-shortage-cars-electronics-automakers-gm-tesla-playstation-xbox

  [... and soon it will come for you.  PGN]

------------------------------

Date: Fri, 6 Aug 2021 19:31:42 -0400
From: "Gabe Goldberg"
Subject: The Full Story of the Stunning RSA Hack Can Finally Be Told (WiReD)

On that Australian employee’s PC, someone had used a tool that pulled credentials out of the machine's memory and then reused those usernames and passwords to log into other machines on the network. They’d then scraped those computers’ memories for more usernames and passwords -- finding some that belonged to more privileged administrators. The hackers eventually got to a server containing hundreds of users’ credentials. Today that credential-stealing hopscotching technique is common. But in 2011 the analysts were surprised to see how the hackers fanned out across the network. “It was really just the most brutal way to blow through our systems that I’d ever seen,” Duane says.
https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/

"Tool"?

------------------------------

Date: Sun, 18 Jul 2021 11:07:31 -1000
From: geoff goodfellow
Subject: Revealed: leak uncovers global abuse of cyber-surveillance weapon (The Guardian)

*Spyware sold to authoritarian regimes used to target activists, politicians and journalists, data suggests*

Human rights activists, journalists and lawyers across the world have been targeted by authoritarian governments using hacking software sold by the Israeli surveillance company NSO Group, according to an investigation into a massive data leak.

The investigation by the Guardian and 16 other media organisations suggests widespread and continuing abuse of NSO’s hacking spyware, Pegasus, which the company insists is only intended for use against criminals and terrorists.

Pegasus is a malware that infects iPhones and Android devices to enable operators of the tool to extract messages, photos and emails, record calls and secretly activate microphones.

The leak contains a list of more than 50,000 phone numbers that, it is believed, have been identified as those of people of interest by clients of NSO since 2016.

Forbidden Stories, a Paris-based nonprofit media organisation, and Amnesty International initially had access to the leaked list and shared access with media partners as part of the Pegasus project, a reporting consortium.

The presence of a phone number in the data does not reveal whether a device was infected with Pegasus or subject to an attempted hack. However, the consortium believes the data is indicative of the potential targets NSO’s government clients identified in advance of possible surveillance attempts. Forensics analysis of a small number of phones whose numbers appeared on the leaked list also showed more than half had traces of the Pegasus spyware.
The Guardian and its media partners will be revealing the identities of people whose number appeared on the list in the coming days. They include hundreds of business executives, religious figures, academics, NGO employees, union officials and government officials, including cabinet ministers, presidents and prime ministers.

The list also contains the numbers of close family members of one country’s ruler, suggesting the ruler may have instructed their intelligence agencies to explore the possibility of monitoring their own relatives.

The disclosures begin on Sunday, with the revelation that the numbers of more than 180 journalists are listed in the data, including reporters, editors and executives at the Financial Times, CNN, the New York Times, France 24, the Economist, Associated Press and Reuters.

The phone number of a freelance Mexican reporter, Cecilio Pineda Birto, was found in the list, apparently of interest to a Mexican client in the weeks leading up to his murder, when his killers were able to locate him at a carwash. His phone has never been found so no forensic analysis has been possible to establish whether it was infected. [...]
https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus

------------------------------

Date: Fri, 6 Aug 2021 21:51:17 +0100
From: "Chris Drewe"
Subject: Keeping old computers going costs government 2.3bn pounds a year, says report (Richard Morris -- BBC)

I just spotted this on a BBC website, probably not a surprise (2.3 billion pounds is about US$3.22 billion; when I worked in telecomms, we used Y2K as an opportunity to review/update our software as needed):

https://www.bbc.co.uk/news/uk-politics-58085316

------------------------------

Date: Fri, 6 Aug 2021 12:38:22 -0400 (EDT)
From: ACM TechNews
Subject: Apple to Scan iPhones for Child Sex Abuse Images (BBC News)

James Clayton, *BBC News*, 5 Aug 2021 via ACM TechNews, 6 Aug, 2021

Apple has unveiled a system designed to scan U.S. customers' iPhones to determine if they contain child sexual abuse material (CSAM). The system compares photo files on each handset to a database of known CSAM gathered by the National Center for Missing and Exploited Children and other organizations. Before an iPhone can be used to upload an image to the iCloud Photos platform, the technology will look for matches to known CSAM; matches are evaluated by human reviewers who report confirmed matches to law enforcement. The company said the system's privacy benefits are significantly better than existing techniques, because Apple only learns about users' images if their iCloud Photos accounts contain collections of known CSAM.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2c341x22cb98x071038&

  [See also EFF: Apple's Plan to "Think Different" About Encryption Opens a Backdoor to Your Private Life:
    https://www.eff.org/deeplinks/2021/08/apples-plan-think-different-about-encryption-opens-backdoor-your-private-life
  This `plan' is causing all sorts of blowback discussions that could overwhelm RISKS, so I may hold off on your responses until I get a well-reasoned analysis. "It's complicated" no matter how you slice it.  PGN]

------------------------------

Date: Thu, 05 Aug 2021 14:40:36 -0400
From: "Arthur T."
Subject: DRM on hand power tools (TechDirt)

https://www.techdirt.com/articles/20210802/07490447288/home-depot-tech-will-brick-power-tools-if-theyre-stolen-what-could-possibly-go-wrong.shtml

"Home Depot says their new anti-theft strategy is now being used [...] the store will use Bluetooth technology to activate the tool."

And from the comments: "I'd expect the simplest fix to this is to buy your tools from a vendor that does not sabotage them."

------------------------------

Date: Fri, 6 Aug 2021 00:09:28 -0400
From: "Gabe Goldberg"
Subject: Hacking a Capsule Hotel to Silence a Noisy Neighbor (Infosecurity Magazine)

Security researcher Kya Supa was staying at a capsule hotel in Japan while on vacation and had a noisy neighbor. Every day at around 2 a.m., the neighbor would be on the phone making a loud call. Supa politely asked the neighbor to not be so loud, but the neighbor didn't listen.

What happened next was the subject of Supa's session at the Black Hat US 2021 hybrid event, where he detailed how he was able to hack the hotel's system to get back at his noisy neighbor, whom he referred to as Bob. "Some people just don't take anything seriously," Supa said about Bob. "So I thought it would be nice if I could take control of his room and make him have a lovely night."
https://www.infosecurity-magazine.com/news/bhusa-hacking-a-capsule-hotel/

------------------------------

Date: Sun, 1 Aug 2021 00:01:22 -0400
From: "Gabe Goldberg"
Subject: Senate Banking Chair Asks CFPB How It Plans to Address Risks of Chime and Other Banking Apps (ProPublica)

Citing a ProPublica report on the high numbers of complaints about involuntary Chime account closures and other problems, Sherrod Brown asked the Consumer Financial Protection Bureau to lay out a plan for overseeing neobanks.

https://www.propublica.org/article/senate-banking-chair-asks-cfpb-how-it-plans-to-address-risks-of-chime-and-other-banking-apps

And there are commercials for Credit Karma gamifying checking accounts -- use your debit card, maybe purchase (but only up to $5,000) will be free. Plus, they say, there's a maximum balance limit -- give us your money, but not too much. Making banking fun, what could go wrong.

------------------------------

Date: Tue, 27 Jul 2021 12:33:46 -1000
From: geoff goodfellow
Subject: Hackers Turning to 'Exotic' Programming Languages for Malware Development (The Hacker News)

Threat actors are increasingly shifting to "exotic" programming languages such as Go, Rust, Nim, and Dlang that can better circumvent conventional security protections, evade analysis, and hamper reverse engineering efforts.

"Malware authors are known for their ability to adapt and modify their skills and behaviors to take advantage of newer technologies," said Eric Milam, Vice President of threat research at BlackBerry. "That tactic has multiple benefits from the development cycle and inherent lack of coverage from protective products."
On the one hand, languages like Rust are more secure as they offer guarantees like memory-safe programming, but they can also be a double-edged sword when malware engineers abuse the same features designed to offer increased safeguards to their advantage, thereby making malware less susceptible to exploitation and thwarting attempts to activate a kill-switch and render them powerless.

Noting that binaries written in these languages can appear more complex, convoluted, and tedious when disassembled, the researchers said the pivot adds additional layers of obfuscation, simply by virtue of them being relatively new, leading to a scenario where older malware developed using traditional languages like C++ and C# is being actively retooled with droppers and loaders written in uncommon alternatives to evade detection by endpoint security systems. [...]

https://thehackernews.com/2021/07/hackers-turning-to-exotic-programming.html

------------------------------

Date: Tue, 03 Aug 2021 09:01:38 -0700
From: "Henry Baker"
Subject: Re: Hackers using 'Exotic' PLs for Malware

Headline from the Prohibition Era: "Bootleggers using powerful cars and speedboats to outrun police and Coast Guard"

'Exotic' PL's is a "dog bites man" headline, if I ever saw one.

What's the takeaway? Should 'exotic' programming languages be banned, because criminals use them? Perhaps high-quality food should also be banned, because criminals eat it?

High-quality 'exotic' programming languages can dramatically reduce the types of bugs that enable malware in the first place, much like better locks can reduce theft. Perhaps the criminals are doing us all a favor & dramatically demonstrating the advantages of these 'exotic' languages?
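  [Editor's added example, illustrating the point made in the two preceding items (the BlackBerry report's claim that Rust's memory-safety guarantees cut both ways, and Henry Baker's reply that such languages remove the bug classes malware depends on). This is not code from BlackBerry, The Hacker News or Henry Baker. It shows the single most common memory-corruption bug class in parsers, trusting a length field supplied by the peer (the pattern behind Heartbleed), written in safe Rust, where the same mistake becomes a recoverable error instead of an out-of-bounds read. The record format (1-byte tag, 2-byte big-endian length, payload) and the sample bytes are constructed for the example and are not from any real protocol.]

```rust
// Added example: a tag-length-value record parser in safe Rust.
// Record format (assumed for the example, not a real protocol):
//   byte 0      tag
//   bytes 1..3  payload length, big-endian u16
//   bytes 3..   payload
// In C the natural code is `memcpy(buf, body, declared)`, which reads
// past the end of the input whenever `declared > remaining`. In safe
// Rust there is no way to express that read: slicing is bounds-checked,
// and `get` turns the out-of-range case into `None`.

#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub tag: u8,
    pub payload: &'a [u8],
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// Fewer than 3 bytes left: no complete header.
    TruncatedHeader,
    /// The declared payload length exceeds the bytes actually present.
    LengthExceedsInput { declared: usize, available: usize },
}

/// Parse one record from the front of `input`; on success return the
/// record and the unconsumed remainder of the buffer.
pub fn parse_record(input: &[u8]) -> Result<(Record<'_>, &[u8]), ParseError> {
    if input.len() < 3 {
        return Err(ParseError::TruncatedHeader);
    }
    let tag = input[0];
    let declared = u16::from_be_bytes([input[1], input[2]]) as usize;
    let body = &input[3..];

    // The hostile case: `declared` is attacker-controlled. `get(..declared)`
    // yields None rather than a slice that runs off the end of `body`.
    let payload = body.get(..declared).ok_or(ParseError::LengthExceedsInput {
        declared,
        available: body.len(),
    })?;

    // Safe: the check above guarantees declared <= body.len().
    Ok((Record { tag, payload }, &body[declared..]))
}

/// Parse a buffer of back-to-back records; any malformed record aborts
/// the whole parse with the first error encountered.
pub fn parse_all(mut input: &[u8]) -> Result<Vec<Record<'_>>, ParseError> {
    let mut records = Vec::new();
    while !input.is_empty() {
        let (record, rest) = parse_record(input)?;
        records.push(record);
        input = rest;
    }
    Ok(records)
}

fn main() {
    // Constructed sample input: two well-formed records ...
    let benign: &[u8] = &[0x01, 0x00, 0x03, b'a', b'b', b'c', 0x02, 0x00, 0x01, b'z'];
    // ... and one whose declared length (0x1000 = 4096) is far larger than
    // the two bytes that actually follow the header.
    let hostile: &[u8] = &[0x01, 0x10, 0x00, b'x', b'y'];

    println!("benign:  {:?}", parse_all(benign));
    println!("hostile: {:?}", parse_all(hostile));
}
```

The `hostile` buffer is exactly the input that turns a C parser into an information leak; here it is rejected with `LengthExceedsInput { declared: 4096, available: 2 }` and the caller decides what to do. That is the "fewer bug classes" half of the argument. The other half, that the same guarantees make a malware sample harder to crash or neutralise from the outside, follows directly: a loader written this way has no such over-read for a defender to exploit either.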
------------------------------

Date: Tue, 3 Aug 2021 18:28:47 +0000 (UTC)
From: "JC Cantrell"
Subject: Re: Chair moved to clean in control room, bumps switch, shutting reactor in Taiwan (The Register, RISKS-32.80)

> Surprisingly a real-life scenario and not a plotline from The Simpsons.
> Dan Jacobson

Earlier than the Simpsons. Very like Peter Ustinov in Hot Millions from 1968, cleaning staff and all:

Hot Millions (1968), Directed by Eric Till. With Peter Ustinov, Maggie Smith, Karl Malden, Bob Newhart. Paroled London ...

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
 *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
   Also, ftp://ftp.sri.com/risks for the current volume/previous directories
   or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
 If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 32.81
************************