Subject: Risks Digest 32.03

RISKS-LIST: Risks-Forum Digest  Wednesday 24 June 2020  Volume 32 : Issue 03

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can also be found at

Contents:
Vehicle Attacks Rise As Extremists Target Protesters (npr.org)
Chrome extensions with 33 million downloads slurped sensitive user data
  (Ars Technica)
Millions of documents from >200 US police agencies published in BlueLeaks
  trove (Ars Technica)
Wrongfully Accused by an Algorithm (NYTimes)
If T-Mobile's giant outage affected you, now's your chance to tell the FCC
  (Ars Technica)
This sneaky malware goes to unusual lengths to cover its tracks (ZDNet)
Masked arsonist might've gotten away with it if she hadn't left Etsy review
  (Jon Brodkin)
Crooks abuse Google Analytics to conceal theft of payment card data
  (Ars Technica)
Bot mafias have wreaked havoc in World of Warcraft Classic (WiReD)
The Pentagon's Bottomless Money Pit (RollingStone)
Testing, testing, testing (Rob Slade)
Coronavirus misinformation, and how scientists can help to fight it
  (Dave Farber)
Wirecard, a Payments Firm, Is Rocked by a Report of Missing $2B (NYTimes)
Social Media Giants Support Racial Justice. Their Products Undermine It.
  (NYTimes)
Square, Jack Dorsey's Pay Service, Is Withholding Money Merchants Say They
  Need (NYTimes)
Many Medical Decision Tools Disadvantage Black Patients
Why Obsessive K-Pop Fans Are Turning Toward Political Activism (NYTimes)
Re: TikTok Teens and K-Pop Fans Say They Sank Trump Rally (William Bader)
Re: Silicon Valley Can't Be Neutral (John Levine)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 22 Jun 2020 10:16:32 +0800
From: Richard Stein
Subject: Vehicle Attacks Rise As Extremists Target Protesters (npr.org)

https://www.npr.org/2020/06/21/880963592/vehicle-attacks-rise-as-extremists-target-protesters

That a kill switch cannot be prophylactically applied to all non-emergency
vehicles in the vicinity of a protest exposes pedestrian marchers to heinous
and violent reprisals. A localized kill switch won't halt a '63 Chevy Impala.

Kill switch vulnerabilities have appeared repeatedly in comp.risks:

https://catless.ncl.ac.uk/Risks/27/11#subj3.1
https://catless.ncl.ac.uk/Risks/27/84#subj10.1
https://catless.ncl.ac.uk/Risks/28/24#subj12.1
https://catless.ncl.ac.uk/Risks/28/25#subj5.1
https://catless.ncl.ac.uk/Risks/30/29#subj4.1

In https://catless.ncl.ac.uk/Risks/28/25#subj5.1, Jonathan Zittrain states:
"I know I've long inveighed against vendor (and, by proxy, government)
control over consumer technology, and I still think that's a central threat
to both open code and free speech. But all of that otherwise-worrisome tech
applied to weapons seems to invert the equities."

Given that kill switches are not readily viable solutions: Laying traffic
spikes across intersections and at start/end points traversed by protesters
might suppress vehicle ramming incidents. Public safety offices require
advanced notification to deploy traffic spikes given a march route and
duration estimate. Protest planning forbearance reduces flash-mob
spontaneity, but can enhance pedestrian safety that appears absent today.

------------------------------

Date: Tue, 23 Jun 2020 18:49:30 -0400
From: Monty Solomon
Subject: Chrome extensions with 33 million downloads slurped sensitive user
  data (Ars Technica)

https://arstechnica.com/information-technology/2020/06/chrome-extensions-with-33-million-downloads-slurped-sensitive-user-data/

The extensions, which Google removed only after being privately notified of
them, actively siphoned data such as screenshots, contents in device
clipboards, browser cookies used to log in to websites, and keystrokes such
as passwords, researchers from security firm Awake told me. Many of the
extensions were modular, meaning once installed, they updated themselves with
executable files, which in many cases were specific to the operating system
they ran on.

Awake provided additional details in this report.
https://cdn2.hubspot.net/hubfs/3455675/wp-the-internets-new-arms-dealers-malicious-domain-registrars.pdf

------------------------------

Date: Tue, 23 Jun 2020 18:34:10 -0400
From: Monty Solomon
Subject: Millions of documents from >200 US police agencies published in
  BlueLeaks trove (Ars Technica)

Document dump comes almost 4 weeks after murder by police of George Floyd.

https://arstechnica.com/tech-policy/2020/06/blueleaks-airs-private-data-from-more-than-200-us-police-agencies/

------------------------------

Date: Wed, 24 Jun 2020 14:49:41 -0400
From: Monty Solomon
Subject: Wrongfully Accused by an Algorithm (NYTimes)

In what may be the first known case of its kind, a faulty facial recognition
match led to a Michigan man's arrest for a crime he did not commit.

https://www.nytimes.com/2020/06/24/technology/facial-recognition-arrest.html

------------------------------

Date: Tue, 23 Jun 2020 18:32:41 -0400
From: Monty Solomon
Subject: If T-Mobile's giant outage affected you, now's your chance to tell
  the FCC (Ars Technica)

FCC asks public to describe experiences during last week's 13-hour outage.

https://arstechnica.com/tech-policy/2020/06/if-t-mobiles-giant-outage-affected-you-nows-your-chance-to-tell-the-fcc/

------------------------------

Date: Wed, 24 Jun 2020 14:20:40 -1000
From: geoff goodfellow
Subject: This sneaky malware goes to unusual lengths to cover its tracks
  (ZDNet)

*Glupteba creates a backdoor into infected Windows systems - and researchers
think it'll be offered to cyber criminals as an easy means of distributing
other malware.*

A malware campaign which creates a backdoor providing full access to
compromised Windows PCs, while adding them to a growing botnet, has developed
some unusual measures for staying undetected.

Glupteba first emerged in 2018 and started by gradually dropping more
components into place on infected machines in its bid to create a backdoor to
the system. The malware is continuously in development and in the last few
months it appears to have been upgraded with new techniques and tactics to
coincide with a new campaign which has been detailed by cybersecurity
researchers at Sophos.

The paper describes Glupteba as "highly self-defending malware" with the
cyber criminal group behind it paying special attention to "enhancing
features that enable the malware to evade detection".

However, its method of distribution is relatively simple: it's bundled in
pirated software, including cracked versions of commercial applications, as
well as illegal video game downloads. The idea is simply to get as many users
to download compromised applications which contain the Glupteba payload as
possible.

To ensure the best possible chance of a successful compromise, the malware is
gradually dropped, bit-by-bit, onto the system to avoid detection by any
anti-virus software the user may have installed. The malware also uses the
EternalBlue SMB vulnerability to help it secretly spread across networks.

But that isn't where the concealment and self-defence ends, because even
after installation Glupteba goes out of its way to stay undetected. [...]

https://www.zdnet.com/article/this-sneaky-malware-goes-to-unusual-lengths-to-cover-its-tracks/

------------------------------

Date: Sun, 21 Jun 2020 17:00:58 -0600
From: Jim Reisert AD1C
Subject: Masked arsonist might've gotten away with it if she hadn't left
  Etsy review (Jon Brodkin)

Jon Brodkin, Ars Technica, 18 Jun 2020

Woman who burned two police cars IDed by tattoo and Etsy review of her
T-shirt.

To some extent, every Internet user leaves a digital trail. So when a masked
arsonist was seen on video setting fire to a police car on the day of a
recent protest in Philadelphia, the fact that her face was hidden didn't
prevent a Federal Bureau of Investigation agent from tracking down the
suspect. The keys ended up being a tattoo and an Etsy review the alleged
arsonist had left for a T-shirt she was wearing at the scene of the crime,
according to the FBI.

https://arstechnica.com/tech-policy/2020/06/masked-arsonist-mightve-gotten-away-with-it-if-she-hadnt-left-etsy-review/

------------------------------

Date: Tue, 23 Jun 2020 18:37:40 -0400
From: Monty Solomon
Subject: Crooks abuse Google Analytics to conceal theft of payment card data
  (Ars Technica)

Ecommerce site's blind trust makes the service a perfect place to dump data.

https://arstechnica.com/information-technology/2020/06/google-analytics-trick-allows-crooks-to-hide-card-skimming/

------------------------------

Date: Tue, 23 Jun 2020 18:39:21 -0400
From: Monty Solomon
Subject: Bot mafias have wreaked havoc in World of Warcraft Classic (WiReD)

Blizzard has suspended or closed over 74,000 accounts in the last month.

https://www.wired.com/story/world-of-warcraft-classic-russian-bots/

------------------------------

Date: Mon, 22 Jun 2020 15:32:39 -0500
From:
Subject: The Pentagon's Bottomless Money Pit (RollingStone)

When the Defense Department flunked its first-ever fiscal review, one of our
government's greatest mysteries was exposed: Where does the DoD's $700
billion annual budget go?

Contains numerous mentions of huge IT project failures.

https://www.rollingstone.com/politics/politics-features/pentagon-budget-mystery-807276/

Just over 50 years ago, Dwight Eisenhower gave his famous farewell address
warning of the power of the "military-industrial complex." The former war
commander bemoaned the creation of a "permanent armaments industry of vast
proportions," and said the "potential for the disastrous rise of misplaced
power exists and will persist."

Eisenhower's warning is celebrated by the left as a caution against the
overweening political power of war-makers, but as we're now seeing, it was
predictive also as a fiscal conservative's nightmare vision of the future.
The military has become an unstoppable mechanism for hoovering up taxpayer
dollars and deploying them in the most inefficient manner possible.

------------------------------

Date: Mon, 22 Jun 2020 11:24:04 -0700
From: Rob Slade
Subject: Testing, testing, testing

Recently, a certain national leader has directed that testing for the
SARS-CoV-2 virus be "slowed" so that the numbers of new cases of the disease
will be reduced.

This is, of course, flatly ridiculous. Testing does not cause problems, it
just reveals existing problems. And the lack of testing doesn't prevent
problems, it only blinds you to the scope of the problem.

I have told my "testing" story before ... Oh, well, what the hey:

I am reminded of a situation where sales and marketing was supposed to carry
out virus scans before they installed our product. They had previously been
using an inferior product, and I mandated that they use a more accurate
product. At one point a machine was brought in as a problem. First step in
my process was to scan the machine, and, sure enough, it was infected.

"Did you scan it?"

"Yes."

"Did you use the right scanner?"

"Well, no, we used the old one."

"Why did you use the old scanner, when I've specified that you have to use
the new one?"

"Well, when we use the one you told us to, it finds viruses ..."

------------------------------

Date: Tue, 23 Jun 2020 10:29:33 +0900
From: Dave Farber
Subject: Coronavirus misinformation, and how scientists can help to fight it

https://www.nature.com/articles/d41586-020-01834-3?utm_source=Nature+Briefing&utm_campaign=761bed091d-briefing-dy-20200622&utm_medium=email&utm_term=0_c9dfd39373-761bed091d-43758197

------------------------------

Date: Tue, 23 Jun 2020 08:10:03 -0400
From: Monty Solomon
Subject: Wirecard, a Payments Firm, Is Rocked by a Report of Missing $2B
  (NYTimes)

The German company's share price has plunged 80 percent, and its longtime
chief executive has resigned.

https://www.nytimes.com/2020/06/19/business/wirecard-scandal.html

------------------------------

Date: Tue, 23 Jun 2020 08:13:18 -0400
From: Monty Solomon
Subject: Social Media Giants Support Racial Justice. Their Products Undermine
  It. (NYTimes)

Shows of support from Facebook, Twitter and YouTube don't address the way
those platforms have been weaponized by racists and partisan provocateurs.

https://www.nytimes.com/2020/06/19/technology/facebook-youtube-twitter-black-lives-matter.html

------------------------------

Date: Tue, 23 Jun 2020 09:16:55 -0400
From: Monty Solomon
Subject: Square, Jack Dorsey's Pay Service, Is Withholding Money Merchants
  Say They Need (NYTimes)

Small businesses say the Twitter chief's other company is holding on to 30
percent of their customers' payments during the pandemic.

https://www.nytimes.com/2020/06/23/technology/square-jack-dorsey-pandemic-withholding.html

------------------------------

Date: Tue, 23 Jun 2020 09:22:30 -0400
From: Monty Solomon
Subject: Many Medical Decision Tools Disadvantage Black Patients (NYTimes)

Doctors look to these digital calculators to make treatment decisions, but
they can end up denying black patients access to certain specialists, drugs
and transplants.

https://www.nytimes.com/2020/06/17/health/many-medical-decision-tools-disadvantage-black-patients.html

------------------------------

Date: Tue, 23 Jun 2020 07:47:12 -0400
From: Monty Solomon
Subject: Why Obsessive K-Pop Fans Are Turning Toward Political Activism
  (NYTimes)

After claiming some credit for the fizzling of President Trump's rally in
Oklahoma, the online armies of Korean pop music listeners are feeling
prepared and empowered.

https://www.nytimes.com/2020/06/22/arts/music/k-pop-fans-trump-politics.html

------------------------------

Date: Sun, 21 Jun 2020 22:21:24 +0100
From: William Bader
Subject: Re: TikTok Teens and K-Pop Fans Say They Sank Trump Rally
  (PGN comment in RISKS-32.02)

> The title Monty sent me is the one online, which says `Stans' instead of
> `Fans'.

"A crazed and or obsessed fan. The term comes from the song Stan by eminem.
The term Stan is used to describe a fan who goes to great lengths to obsess
over a celebrity."

https://www.urbandictionary.com/define.php?term=Stan

  [Thanks to at least a dozen readers for helping my education. I stans
  corrected. But I remember Stan Laurel and Oliver Hardy, whom all but the
  oldest RISKS readers probably don't. PGN]

------------------------------

Date: June 24, 2020 6:22:20 JST
From: John Levine
Subject: Re: Silicon Valley Can't Be Neutral (Via Dave Farber)

In article <566E5F5C-2B19-4E1E-AF1D-0F1194EDC43B@keio.jp> you write:

> Silicon Valley Can't Be Neutral in the U.S.-China Cold War --
> https://foreignpolicy.com/2020/06/22/zoom-china-us-cold-war-unsafe

> In other words, Zoom is rolling out a ``one-company, two-systems model'' --
> participants in China would be subject to censorship, but those outside of
> China would not.

I agree this is pretty creepy, but how is this fundamentally different from
the way that EU laws like right to be forgotten make search engine results in
Europe omit stuff that is included other places?

If you're going to operate in a country at all, you have to follow the
country's rules. I expect I would have a different answer to whether I'd
operate in China.

------------------------------

Date: Mon, 1 Jun 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
  subscribe and unsubscribe:
  http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
  includes the string `notsp'. Otherwise your message may not be read.
  *** This attention-string has never changed, but might if spammers use it.

=> SPAM challenge-responses will not be honored. Instead, use an alternative
  address from which you never send mail where the address becomes public!

=> The complete INFO file (submissions, default disclaimers, archive sites,
  copyright policy, etc.) is online.
  *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
  searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
  or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
  http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  *** NOTE: If a cited URL fails, we do not try to update them. Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 32.03
************************