Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 32.81

RISKS-LIST: Risks-Forum Digest  Saturday 7 August 2021  Volume 32 : Issue 81

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.81>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Thousands of Patients Were Implanted With Heart Pumps That the FDA
  Knew Could Be Dangerous (ProPublica)
Reading Race: A Remarkable AI/ML Achievemento (WordPress)
Hospitals Still Use Pneumatic Tubes—and They Can Be Hacked (WiReD)
The Pentagon inches toward letting AI control weapons (WiReD)
Cyber-attack against steering of ships? (Times of Israel)
What, me worry? (WashPost via Gabe Goldberg)
The chip shortage is getting worse (Vox)
The Full Story of the Stunning RSA Hack Can Finally Be Told (WiReD)
Revealed: leak uncovers global abuse of cyber-surveillance weapon
  (The Guardian)
Keeping old computers going costs government 2.3bn pounds a year, says
  report (Richard Morris -- BBC)
Apple to Scan iPhones for Child Sex Abuse Images (James Clayton -- BBC)
DRM on hand power tools (TechDirt)
Hacking a Capsule Hotel to Silence a Noisy Neighbor (Infosecurity Magazine)
Senate Banking Chair Asks CFPB How It Plans to Address Risks of Chime and
  Other Banking Apps (ProPublica)
Hackers Turning to 'Exotic' Programming Languages for Malware Development
  (The Hacker News)
Re: Hackers using 'Exotic' PLs for Malware (Henry Baker)
Re: Chair moved to clean in control room, bumps switch, shutting reactor in
  Taiwan (JC Cantrell)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 6 Aug 2021 17:49:17 -0400
From: "Gabe Goldberg" <gabe@gabegold.com>
Subject: Thousands of Patients Were Implanted With Heart Pumps That the FDA
  Knew Could Be Dangerous (ProPublica)

Inspectors repeatedly found manufacturing and device quality problems with
the HeartWare heart pump. But the FDA did not penalize the company, and
patients had the device implanted on their hearts without knowing the facts.

https://www.propublica.org/article/heartware-patients-implanted-fda

------------------------------

Date: Wed, 4 Aug 2021 10:40:04 -0400
From: "Olin Sibert" <osibert@oxfordsystemsinc.com>
Subject: Reading Race: A Remarkable AI/ML Achievement (WordPress)

In this posting and paper pre-print,

https://lukeoakdenrayner.wordpress.com/2021/08/02/ai-has-the-worst-superpower-medical-racism/
https://arxiv.org/abs/2107.10356

Luke Oakden-Rayner describes a jaw-dropping accomplishment of a medical AI
system: it learned to recognize the self-reported racial identity of medical
patients by analyzing their X-rays(!). Even more remarkable, it has thus far
proven infeasible to discover how it does so, in part because humans are
unable to perform the same feat.

On one level, this is a bad risk for medical care driven by inscrutable
black boxes. But there are potential counter-measures to mitigate the
effect.

On another level, this is a fascinating intellectual and research challenge:
how *does* it do that, and why can people apparently not do the same thing?

And on yet another level, what does this result imply for fooling AI-driven
systems in all sorts of other contexts? Or for making tamper-resistant AI
systems?

------------------------------

Date: Fri, 6 Aug 2021 17:46:04 -0400
From: "Gabe Goldberg" <gabe@gabegold.com>
Subject: Hospitals Still Use Pneumatic Tubes—and They Can Be Hacked | WIRED
  (WiReD)

The vulnerabilities the Armis researchers found in TransLogic PTS offerings
aren't directly exploitable from the open Internet. But they're all
relatively simple flaws to take advantage of, a smattering of hardcoded
passwords, buffer overflows, memory corruption bugs, and the like. An
attacker on the same network as the web of pneumatic tubes and control
panels would have multiple paths to manipulate the system.  And by
exploiting certain flaws, they could even install their own unvalidated
firmware on a Translogic Nexus Control Panel. For attackers, this would be
an avenue to establishing deep, lasting control—hospitals would need to
install another curative firmware update to eradicate the intruders.

https://www.wired.com/story/pneumatic-tubes-hospitals-hacking/

Must be present to hack -- so insider/intruder threat only?

------------------------------

Date: Fri, 6 Aug 2021 19:34:23 -0400
From: "Gabe Goldberg" <gabe@gabegold.com>
Subject: The Pentagon inches toward letting AI control weapons (WiReD)

Drills involving swarms of drones raise questions about whether machines
could outperform a human operator in complex scenarios.

https://www.wired.com/story/pentagon-inches-toward-letting-ai-control-weapons/

------------------------------

Date: Tue, 3 Aug 2021 16:54:04 -0700
From: "Mabry Tyson" <Tyson@AI.SRI.COM>
Subject: Cyber-attack against steering of ships? (Times of Israel)

Smells like a cyber-attack
https://www.timesofisrael.com/4-ships-in-gulf-of-oman-lose-control-days-after-drone-strike-on-vessel/

At least six ships off the coast of the United Arab Emirates broadcast
warnings [on 3 Aug 2021] that they had lost control of their steering under
unclear circumstances as British authorities reported “a potential hijack”
was underway in the area.

The six vessels announced around the same time via their Automatic
Identification System trackers that they were “not under command,” according
to MarineTraffic.com. That typically means a vessel has lost power and can
no longer steer.

  “At the same time, if they are in the same vicinity and in the same place,
  then very rarely that happens,” said Ranjith Raja, an oil and shipping
  expert with data firm Refintiv. “Not all the vessels would lose their
  engines or their capability to steer at the same time.”

------------------------------

Date: Thu, 5 Aug 2021 17:35:58 -0400
From: "Gabe Goldberg" <gabe@gabegold.com>
Subject: What, me worry?

The Greenland ice sheet experienced a massive melting event last week; The
melting event could have short-term and long-term implications for sea-level
rise.

https://www.washingtonpost.com/weather/2021/08/05/greenland-melt-event-season-2021/

A critical ocean system may be heading for collapse due to climate change,
study finds. Studies of ancient climate change show that a shutdown of the
Atlantic Meridional Overturning Circulation could lead to wild temperature
swings and major shifts in global weather systems.

https://www.washingtonpost.com/climate-environment/2021/08/05/change-ocean-collapse-atlantic-meridional/
<https://www.washingtonpost.com/climate-environment/2021/08/05/change-ocean-collapse-atlantic-meridional/>

Risks? Ignorance, stupidity, politics. Always a nice confluence.

------------------------------

Date: Fri, 6 Aug 2021 10:00:51 -0400
From: "Monty Solomon" <monty@roscom.com>
Subject: The chip shortage is getting worse

The semiconductor suoply crunch came for cars and phones. Now consumers are
facing higher prices.

https://www.vox.com/recode/2021/8/5/22611031/chip-shortage-cars-electronics-automakers-gm-tesla-playstation-xbox

  [... and soon it will come for you.  PGN]

------------------------------

Date: Fri, 6 Aug 2021 19:31:42 -0400
From: "Gabe Goldberg" <gabe@gabegold.com>
Subject: The Full Story of the Stunning RSA Hack Can Finally Be Told (WiReD)

On that Australian employee’s PC, someone had used a tool that pulled
credentials out of the machine's memory and then reused those usernames and
passwords to log into other machines on the network. They’d then scraped
those computers’ memories for more usernames and passwords -- finding some
that belonged to more privileged administrators.  The hackers eventually got
to a server containing hundreds of users’ credentials. Today that
credential-stealing hopscotching technique is common. But in 2011 the
analysts were surprised to see how the hackers fanned out across the
network. “It was really just the most brutal way to blow through our systems
that I’d ever seen,” Duane says.

https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/

"Tool"?

------------------------------

Date: Sun, 18 Jul 2021 11:07:31 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Revealed: leak uncovers global abuse of cyber-surveillance weapon
  (The Guardian)

*Spyware sold to authoritarian regimes used to target activists,
politicians and journalists, data suggests*

Human rights activists, journalists and lawyers across the world have been
targeted by authoritarian governments using hacking software sold by the
Israeli surveillance company NSO Group, according to an investigation into
a massive data leak.

The investigation by the Guardian and 16 other media organisations suggests
widespread and continuing abuse of NSO’s hacking spyware, Pegasus, which
the company insists is only intended for use against criminals and
terrorists.

Pegasus is a malware that infects iPhones and Android devices to enable
operators of the tool to extract messages, photos and emails, record calls
and secretly activate microphones.

The leak contains a list of more than 50,000 phone numbers that, it is
believed, have been identified as those of people of interest by clients of
NSO since 2016.

Forbidden Stories, a Paris-based nonprofit media organisation, and Amnesty
International initially had access to the leaked list and shared access
with media partners as part of the Pegasus project, a reporting consortium.

The presence of a phone number in the data does not reveal whether a device
was infected with Pegasus or subject to an attempted hack. However, the
consortium believes the data is indicative of the potential targets NSO’s
government clients identified in advance of possible surveillance attempts.

Forensics analysis of a small number of phones whose numbers appeared on
the leaked list also showed more than half had traces of the Pegasus
spyware.

The Guardian and its media partners will be revealing the identities of
people whose number appeared on the list in the coming days. They include
hundreds of business executives, religious figures, academics, NGO
employees, union officials and government officials, including cabinet
ministers, presidents and prime ministers.

The list also contains the numbers of close family members of one country’s
ruler, suggesting the ruler may have instructed their intelligence agencies
to explore the possibility of monitoring their own relatives.

The disclosures begin on Sunday, with the revelation that the numbers of
more than 180 journalists are listed in the data, including reporters,
editors and executives at the Financial Times, CNN, the New York Times,
France 24, the Economist, Associated Press and Reuters.

The phone number of a freelance Mexican reporter, Cecilio Pineda Birto, was
found in the list, apparently of interest to a Mexican client in the weeks
leading up to his murder, when his killers were able to locate him at a
carwash. His phone has never been found so no forensic analysis has been
possible to establish whether it was infected.  [...]

https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus

------------------------------

Date: Fri, 6 Aug 2021 21:51:17 +0100
From: "Chris Drewe" <c.drewe0123@btinternet.com>
Subject: Keeping old computers going costs government 2.3bn pounds a year,
  says report (Richard Morris -- BBC)

I just spotted this on a BBC website, probably not a surprise (2.3 billion
pounds is about US$3.22 billion; when I worked in telecomms, we used Y2K as
an opportunity to review/update our software as needed):

https://www.bbc.co.uk/news/uk-politics-58085316

------------------------------

Date: Fri, 6 Aug 2021 12:38:22 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Apple to Scan iPhones for Child Sex Abuse Images (BBC News)

James Clayton, *BBC News*, 5 Aug 2021 via ACM TechNews, 6 Aug, 2021

Apple has unveiled a system designed to scan U.S. customers' iPhones to
determine if they contain child sexual abuse material (CSAM). The system
compares photo files on each handset to a database of known CSAM gathered by
the National Center for Missing and Exploited Children and other
organizations. Before an iPhone can be used to upload an image to the iCloud
Photos platform, the technology will look for matches to known CSAM; matches
are evaluated by human reviewers who report confirmed matches to law
enforcement. The company said the system's privacy benefits are
significantly better than existing techniques, because Apple only learns
about users' images if their iCloud Photos accounts contain collections of
known CSAM.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2c341x22cb98x071038&

  [See also EFF: Apple's Plan to "Think Different" About Encryption Opens a
   Backdoor to Your Private Life:
https://www.eff.org/deeplinks/2021/08/apples-plan-think-different-about-encryption-opens-backdoor-your-private-life

  This `plan' is causing all sorts of blowback discussions that could
  overwhelm RISKS, so I may hold of on your responses until I get a
  well-reasoned analysis.  "It's complicated" no matter how you slice it.
  PGN]

------------------------------

Date: Thu, 05 Aug 2021 14:40:36 -0400
From: "Arthur T." <risks202107.6.atsjbt@xoxy.net>
Subject: DRM on hand power tools (TechDirt)

https://www.techdirt.com/articles/20210802/07490447288/home-depot-tech-will-brick-power-tools-if-theyre-stolen-what-could-possibly-go-wrong.shtml

"Home Depot says their new anti-theft strategy is now being used [...] the
store will use Bluetooth technology to activate the tool."

And from the comments:
"I'd expect the simplest fix to this is to buy your tools
from a vendor that does not sabotage them."

------------------------------

Date: Fri, 6 Aug 2021 00:09:28 -0400
From: "Gabe Goldberg" <gabe@gabegold.com>
Subject: Hacking a Capsule Hotel to Silence a Noisy Neighbor
  (Infosecurity Magazine)

Security researcher Kya Supa was staying at a capsule hotel in Japan while
on vacation and had a noisy neighbor.

Every day at around 2 a.m., the neighbor would be on the phone making a
loud call. Supa politely asked the neighbor to not be so loud, but the
neighbor didn't listen. What happened next was the subject of Supa's
session at the Black Hat US 2021 hybrid event, where he detailed how he
was able to hack the hotel's system to get back at his noisy neighbor,
whom he referred to as Bob.

"Some people just don't take anything seriously," Supa said about Bob.
"So I thought it would be nice if I could take control of his room and
make him have a lovely night."

https://www.infosecurity-magazine.com/news/bhusa-hacking-a-capsule-hotel/

------------------------------

Date: Sun, 1 Aug 2021 00:01:22 -0400
From: "Gabe Goldberg" <gabe@gabegold.com>
Subject: Senate Banking Chair Asks CFPB How It Plans to Address Risks of
  Chime and Other Banking Apps (ProPublica)

Citing a ProPublica report on the high numbers of complaints about
involuntary Chime account closures and other problems, Sherrod Brown asked
the Consumer Financial Protection Bureau to lay out a plan for overseeing
neobanks.

https://www.propublica.org/article/senate-banking-chair-asks-cfpb-how-it-plans-to-address-risks-of-chime-and-other-banking-apps

And there are commercials for Credit Karma gamifying checking accounts --
use your debit card, maybe purchase (but only up to $5,000) will be
free. Plus, they say, there's a maximum balance limit -- give us your money,
but not too much.

Making banking fun, what could go wrong.

------------------------------

Date: Tue, 27 Jul 2021 12:33:46 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Hackers Turning to 'Exotic' Programming Languages for Malware
  Development (The Hacker News)

Threat actors are increasingly shifting to "exotic" programming languages
such as Go, Rust, Nim, and Dlang that can better circumvent conventional
security protections, evade analysis, and hamper reverse engineering
efforts.

"Malware authors are known for their ability to adapt and modify their
skills and behaviors to take advantage of newer technologies," said
<https://www.blackberry.com/us/en/forms/enterprise/report-old-dogs-new-tricks>
Eric Milam, Vice President of threat research at BlackBerry. "That
tactic has multiple benefits from the development cycle and inherent
lack of coverage from protective products."

On the one hand, languages like Rust are more secure as they offer
guarantees like memory-safe programming
<https://en.wikipedia.org/wiki/Rust_(programming_language)#Memory_safety>,
but they can also be a double-edged sword when malware engineers abuse the
same features designed to offer increased safeguards to their advantage,
thereby making malware less susceptible to exploitation and thwart attempts
to activate a kill-switch
<https://thehackernews.com/2020/08/emotet-botnet-malware.html> and render
them powerless.

Noting that binaries written in these languages can appear more complex,
convoluted, and tedious when disassembled, the researchers said the pivot
adds additional layers of obfuscation, simply by virtue of them being
relatively new, leading to a scenario where older malware developed using
traditional languages like C++ and C# are being actively retooled with
droppers and loaders written in uncommon alternatives to evade detection by
endpoint security systems. [...]

https://thehackernews.com/2021/07/hackers-turning-to-exotic-programming.html

------------------------------

Date: Tue, 03 Aug 2021 09:01:38 -0700
From: "Henry Baker" <hbaker1@pipeline.com>
Subject: Re: Hackers using 'Exotic' PLs for Malware

Headline from the Prohibition Era:

  "Bootleggers using powerful cars and speedboats to outrun police and Coast
  Guard"

'Exotic' PL's is a "dog bites man" headline, if I ever saw one.

What's the takeaway?

Should 'exotic' programming languages be banned, because criminals use them?
Perhaps high-quality food should also be banned, because criminals eat it?

High-quality 'exotic' programming languages can dramatically reduce the
types of bugs that enable malware in the first place, much like better
locks can reduce theft.

Perhaps the criminals are doing us all a favor & dramatically
demonstrating the advantages of these 'exotic' languages?

------------------------------

Date: Tue, 3 Aug 2021 18:28:47 +0000 (UTC)
From: "JC Cantrell" <jc_cantrell1@yahoo.com>
Subject: Re: Chair moved to clean in control room, bumps switch, shutting
  reactor in Taiwan (The Register, RISKS-32.80)

> Surprisingly a real-life scenario and not a plotline from The Simpsons.
> Dan Jacobson

Earlier than the Simpsons. Very like Peter Ustinov in Hot Millions from 1968, cleaning staff and all:

  Hot Millions (1968), Directed by Eric Till. With Peter Ustinov, Maggie
  Smith, Karl Malden, Bob Newhart. Paroled London ...

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.81
************************