Risks Digest 32.09

daemon@ATHENA.MIT.EDU (RISKS List Owner)
Tue Jul 14 03:12:52 2020

From: RISKS List Owner <risko@csl.sri.com>
Date: Mon, 13 Jul 2020 14:51:42 PDT
To: risks@mit.edu

RISKS-LIST: Risks-Forum Digest  Monday 13 July 2020  Volume 32 : Issue 09

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.09>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
24-Year-Old Australian Man Spent $2 Million After a Bank Glitch (Esquire)
A Marine called customer service when his M107 failed during gunfight
  (Business Insider)
Microsoft neuters Office 365 account attacks that used clever ruse
  (Ars Technica)
How Universities Can Keep Foreign Governments from Stealing Intellectual
  Capital (Scientific American)
Poochin' Mnuchin? (Michael LeVine)
Mental health, stress, and moral injury (Rob Slade)
Home Security Camera Wi-Fi Signals Can be Hacked to Tell When People Are
  Home (Jonathan Chadwick)
Uncovered: 1,000 Phrases That Incorrectly Trigger Alexa, Siri, and Google
  Assistant (Dan Goodin)
Can an Algorithm Predict the Pandemic's Next Moves? (Benedict Carey)
Supreme Court Preserves Limits on Autodialed Calls to Cell Phones,
  Overturns Government Debt Collection Exception (Cooley)
Re: Not so random acts: Science finds that being kind pays off
  (Neil Youngman)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 11 Jul 2020 16:03:27 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: 24-Year-Old Australian Man Spent $2 Million After a Bank Glitch
  (Esquire)

On 17 Apr 2015, a Sydney District Court sentenced Milky to four years and
six months in prison after he was found guilty of the charges. Not
surprisingly, St. George was not forthcoming with details as to what had
happened.  A spokesperson for the bank would say only, to *The Sunday
Telegraph*, that the glitch had been the result of a *human error* that had
since been corrected.  ``The issue has been resolved and the customer has
been convicted,'' the spokesperson went on.  ``The bank is now seeking to
recover funds.''  The police confiscated Milky's belongings and turned them
over to the bank. Judge Stephen Norrish said the twenty-seven-year-old's
excuse that he was going to keep spending until the bank contacted him was
``almost laughable... he thought he could get away with anything and he
almost did.''

According to Milky's contract with the bank, he was perfectly authorized to
receive overdrafts subject to the bank's approval. In practice, when Milky
put in an overdraft request, it would get sent up from his local bank to a
corporate relationship officer for sign-off. But if the officer didn't
respond within a certain time frame, the request would automatically get
approved -- which is what kept happening for him. In other words, as the
bank admitted in court, it was its own human error, and had nothing to do
with his getting unauthorized access to a computer at all.  It was
scapegoating him for its own mistake and his lawyers had botched the case,
he fumed.  ``It was a long shot for the prosecution to even come after me
the way they did.  And I don't think anyone in the jury understood it.''
...

On December 1, 2016, the New South Wales Court of Appeal ruled in his favor
too.  ``The unusual aspect of Mr. Moore's conduct was that there was nothing
covert about it,'' Justice Mark Leeming noted in his judgment, adding that
St. George bank had chronicled ``with complete accuracy Mr.  Moore's growing
indebtedness.''  St. George declined to comment on the acquittal, though it
later contacted Milky to tell him it was not coming after him for his
remaining debt. It was obviously in the bank's best interest to let this
fade as quickly as possible. As Milky left the courthouse a free man, a
reporter from the tabloid TV show /A Current Affair/ trailed him, cheekily
asking if he was going to drive home in a Maserati.  ``Not today,'' Milky
told her with a laugh.  ``Not today.''  [...]

Instead, he plans to make his fortune the old-fashioned way: by working, as
a criminal lawyer. After successfully representing himself in his case, he
found his calling. He's currently enrolled in law school and expects to get
his degree this spring. And what will he do if he ends up making millions
again?  ``I reckon I'll have to move back here,'' he says with a smile,
which would be the most *beauuuutiful ending* of all.

https://www.esquire.com/lifestyle/a19834127/luke-milky-moore-money-glitch/

At least the bank didn't call it a computer error. And the bank deservedly
took the hit.

------------------------------

Date: Thu, 9 Jul 2020 23:37:12 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: A Marine called customer service when his M107 failed during
  gunfight (Business Insider)

The Barrett M107 .50-caliber long-range sniper rifle is a firearm made for
the modern war on terrorism. Officially adopted by the U.S. Army in 2002 and
boasting a 2,000-meter range, a suppressor-ready muzzle brake, and
recoil-minimizing design, the semi-automatic offers "greater range and
lethality against personnel and materiel targets than other sniper systems
in the U.S. inventory," according to an assessment by Military.com.

While Barrett's reputation of "flawless reliability" has made the M107 the
sniper weapon of choice, the rifle is just like any other essential tool: It
often breaks when you need it most. And that's apparently what happened to
one Marine Corps unit pinned down in a firefight, according to one of
Barrett's longtime armorers.

https://www.businessinsider.com/marines-m107-sniper-rifle-failed-during-firefight-so-he-called-customer-service-2017-4

------------------------------

Date: Fri, 10 Jul 2020 02:50:53 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Microsoft neuters Office 365 account attacks that used clever ruse
  (Ars Technica)

https://arstechnica.com/information-technology/2020/07/microsoft-neuters-office-356-account-attacks-that-used-clever-ruse/

------------------------------

Date: Sun, 12 Jul 2020 12:56:35 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: How Universities Can Keep Foreign Governments from Stealing
  Intellectual Capital (Scientific American)

https://www.scientificamerican.com/article/how-universities-can-keep-foreign-governments-from-stealing-intellectual-capital/

The essay enumerates insider risks that can enable theft of intellectual
property (IP) and classified information.

"National Institutes of Health have reportedly made inquiries into nearly
200 NIH-funded researchers at more than 60 U.S. institutions for potentially
violating NIH conflict-of-interest, conflict-of-commitment or
research-integrity rules. Many of these ideas and technologies are important
to national security."

The second to last paragraph's concluding sentence states: "But if
universities fail to police themselves adequately in these areas, we face
the specter of more draconian reactions from lawmakers."

Has the time arrived for the US government to enact a data protection law?
Regulating cybersecurity, auditing organizational compliance, and enforcing
mandatory penalties for cyber-crime enabled by organizational negligence may
yield public benefit. Ongoing voluntary efforts to toughen infrastructure
and organizations against cyber-crime reveal an unchecked scourge.

The surveillance economy's data collection, data exploitation for profit,
and data breach life cycle sponsors an estimated US$ 1T per year global
criminal industry (see
https://www.accenture.com/us-en/insights/security/cost-cybercrime-study,
retrieved on 11JUL2020).

The Privacy Rights Clearinghouse https://privacyrights.org/data-breaches
describes a chronology of U.S. incidents totaling ~9000 and ~11.7B records
between 2006-2018, and estimates JAN-SEP2019 data breach frequency at ~5200
incidents totaling ~8B records.  These statistics prove that voluntary
organizational efforts to deter cyber-crime are substantially ineffective.
https://www.securitymagazine.com/articles/91366-the-top-12-data-breaches-of-2019

The Computer Misuse Act (USC Section 18) does not punish cyber-crime
enablers: these are the surveillance economy's keepers of vulnerable and
weakly protected Internet-accessible data repositories and computer
systems. Cyber-crimes, especially ID theft, inure public mental health, and
imbrue governments, businesses, and educational institutions. Some people
and organizations are enriched by the cyber-crime pandemic.

Most enablers are small or medium-sized organizations (less than 500 people)
with parsimonious budgets unaccommodating and ill-equipped to implement
vigorous cybersecurity defenses; they outsource cybersecurity capabilities
because they can't afford it. The comp.risks forum labels ineffective
cybersecurity practice as "security theater."

A few enablers are titans (financial services, and intelligence gathering
organizations, data aggregators) that maintain petabytes of repository
content. These leviathans are usually defended by cybersecurity operation
centers brimming with gear and people procured from a vast cyber-industrial
complex.

Cybersecurity service suppliers are hired to oversee an organization's
digital hygiene, and prevent brand-weakening data breaches that raise
alarm. Yet cyber-crime continues undeterred despite "best in the business"
deterrence. The surveillance economy's "moose on the table" facilitates the
cyber-crime industry's "cut of the take."

Federal regulations govern vehicle, food, and consumer product safety that
protects public health and safety interests. Mandatory enforcement of
cyber-security regulations may suffice where voluntary efforts have not.

A "meet or exceed" regulation, propounded by The Cybersecurity and
Infrastructure Security Agency @ https://cyber.dhs.gov/directives, may
represent a regulation baseline.

Require all Internet-accessible repository owner/operators and technology
suppliers to adopt CISA directives and guidelines, then periodically elevate
and strengthen them to promote enhancements: frequent patch application,
firewall port lockdown, minimal administrative and least privilege
assignment, proactive malware detection measures, multi-factor
authentication, personnel training for malware vigilance, etc. Enforcement
compliance auditing will require significant federal sponsorship to reveal
and discipline organizations engaged in security theater charades.

Standardized cyber-security solutions effectively homogenize defenses.  When
adopted by organizations across industries, they inherit common
technological weaknesses. Open-source contributions integrated into deployed
software and hardware reveal this risk. Organizations leverage standardized
solutions to avoid in-house expenditures. Cheaper?  Certainly. More
effective than do-it-yourself cybersecurity? Apparently not.

Cyber-crime arises from negligence: technological vulnerabilities, weak
internal controls, shirked professional duties and sloppy fulfillment,
insider actions, etc. Technologically, negligence can materialize from
multiple sources: unpatched platform backdoor exploitation, known but
untrapped malware exploit, ransomware, role impersonation and phishing,
advanced persistent threat targeting, no multi-factor authentication access
controls, etc.

Internet service usage terms routinely encourage cybersecurity
under-investment by asserting a negligence exemption. If contract law can
effectively indemnify organizational liability against negligence, why
strengthen technological and organizational protections for collected data
troves or core intellectual property? Cybersecurity negligence and liability
exemption constraints will motivate compliance investments.

The "terms of service acknowledgment" checkbox found in virtually all
Internet services, once ticked and submitted, grants free rein to
surveillance economy life cycle exploitation for profit or purpose. An
effective federal cybersecurity regulation will restrict website terms of
service by limiting liability exemptions due to negligence.

This text snippet, retrieved on 10JUL2020 from
https://www.experian.com/corporate/legalterms, typifies website usage
terms. It asserts a negligence exemption and unlimited liability
indemnification should an adverse outcome arise from use:

  "IN NO EVENT WILL EXPERIAN BE LIABLE TO ANY PARTY FOR ANY DAMAGES OF ANY
  KIND, INCLUDING BUT NOT LIMITED TO DIRECT, INDIRECT, SPECIAL OR
  CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THIS WEB
  SITE, OR ANY LINKED WEB SITE, INCLUDING WITHOUT LIMITATION, LOST PROFITS,
  LOSS OF USE, BUSINESS INTERRUPTION, OR OTHER ECONOMIC LOSSES, LOSS OF
  PROGRAMS OR OTHER DATA, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
  OTHER TORTIOUS ACTION, EVEN IF EXPERIAN IS ADVISED OF THE POSSIBILITY OF
  SUCH DAMAGES."

Passing and enforcing regulations that constrain negligence exemption is
easier proposed than achieved. Business lobbies frequently pursue their
interests on behalf of boardrooms and CxOs above public interests that
mitigate cyber-crime incident frequency.

Cybersecurity regulation penalties enforced per
https://en.wikipedia.org/wiki/Classes_of_offenses_under_United_States_federal_law
will signal governance teams to adjust investment priorities.  Prosecuting
cybersecurity non-compliance can restrain capitalism's capricious
predilection.

The surveillance economy imperils civility with impunity. Cybersecurity
regulatory enforcement is unlikely to halt cyber-crime, but can promote
restoration of trust, a scarce public virtue desperate for replenishment.

------------------------------

Date: Thu, 9 Jul 2020 14:16:21 -0700
From: Michael LeVine <mlevine@redshift.com>
Subject: Poochin' Mnuchin?

Just got this and think it is some sort of lead in to a scam...

> Begin forwarded message:

> From: MAIL SERVICE <xavier@immobiliariarosell.com>
> Subject: NOTIFICATION!!!
> Date: July 9, 2020 at 12:56:35 PM PDT
> To: undisclosed-recipients:;
> Reply-To: 1brattany@att.net

> Attn: Recipient,

> The Office of Foreign Assets Control (OFAC) administers and enforces
sanctions based on US foreign policy. OFAC acts under Presidential national
emergency powers, as well as authority granted by specific legislation, to
impose controls on TRANSACTIONS and assets under US jurisdiction.

> However, by the virtue of provision of law which confer [sic] on us powers
to advocate, adjudicate, suspend and authorize. We hereby state without
prejudice that according to the security manifest booklet on outstanding
transactions due to an extensive investigation after some financial analysis
through the assistance of several agencies with resources combined, we
intend to raise awareness to eligible recipients off the record.

> All necessary clarifications from our department have commenced and if
there is any information that may succeed our verification, do not hesitate
for confirmation.

> Regards,

> Mr. Steven T. Mnuchin
> Secretary of Treasury,
> Office of Foreign Assets Control

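The headers quoted above carry the usual tells of a bulk scam: a Reply-To on a different domain from the sender, no named recipient, and a body signed as a U.S. Treasury office from a non-government address. Below is an added triage script (not part of the forwarded message or the original post) that reconstructs the message from the quoted headers with a shortened, constructed body, and runs those checks over it alongside a constructed benign message for comparison. The two-finding threshold for "suspicious" is an assumed tuning value.

```python
"""Header triage for a forwarded scam notice.

Added example; not something the original post applies. The scam message is
reconstructed from the quoted headers with a shortened, constructed body; the
benign message is constructed as a control. The checks are routine triage
heuristics: Reply-To on a different domain than the sender, no named
recipient, urgency markers in the subject, and a body claiming a US Treasury
office while the sender is not on a .gov domain.
"""
from email import message_from_string
from email.utils import parseaddr

CONSTRUCTED_SCAM = """\
From: MAIL SERVICE <xavier@immobiliariarosell.com>
Subject: NOTIFICATION!!!
Date: July 9, 2020 at 12:56:35 PM PDT
To: undisclosed-recipients:;
Reply-To: 1brattany@att.net

Attn: Recipient,

The Office of Foreign Assets Control (OFAC) administers and enforces
sanctions based on US foreign policy.

Regards,
Mr. Steven T. Mnuchin
Secretary of Treasury,
Office of Foreign Assets Control
"""

# Constructed control message with none of the red flags.
CONSTRUCTED_BENIGN = """\
From: Alice Example <alice@example.org>
Subject: Meeting notes
Date: Thu, 9 Jul 2020 13:00:00 -0700
To: Bob Example <bob@example.org>
Reply-To: alice@example.org

Notes from this morning attached.
"""


def domain_of(header_value):
    """Lower-cased domain part of the first address in a header, or '' if none."""
    _name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Return a list of (code, detail) findings; an empty list means nothing flagged."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()          # single-part text body
    findings = []

    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"])
    if reply_to and reply_to != sender:
        findings.append(("reply_to_mismatch",
                         f"replies go to {reply_to}, but the sender is {sender}"))

    # A To: header without any address (group syntax, undisclosed recipients)
    # means the message was not written to one person.
    if "@" not in (msg["To"] or ""):
        findings.append(("no_named_recipient", "To: carries no address (bulk send)"))

    subject = msg["Subject"] or ""
    if subject.count("!") >= 2 or (subject.strip() and subject.isupper()):
        findings.append(("urgency_subject", f"subject {subject!r} relies on urgency cues"))

    if "Office of Foreign Assets Control" in body and not sender.endswith(".gov"):
        findings.append(("gov_claim_non_gov_sender",
                         f"body claims a US Treasury office, sender domain is {sender}"))

    return findings


def is_suspicious(raw_message, min_findings=2):
    """Assumed policy: two or more independent flags sends the message for review."""
    return len(triage(raw_message)) >= min_findings


if __name__ == "__main__":
    for code, detail in triage(CONSTRUCTED_SCAM):
        print(f"{code:28s} {detail}")
    print("scam suspicious:", is_suspicious(CONSTRUCTED_SCAM))
    print("benign suspicious:", is_suspicious(CONSTRUCTED_BENIGN))
```

None of these checks is conclusive on its own (legitimate newsletters also use undisclosed recipients), which is why the decision is made on the count of independent findings rather than any single one.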
------------------------------

Date: Thu, 9 Jul 2020 18:12:50 -0700
From: Rob Slade  <rmslade@shaw.ca>
Subject: Mental health, stress, and moral injury

OK, everybody is under stress, of various types, right now.  It's creating
mental health challenges in a variety of ways.  We need to protect our
employees, colleagues, and ourselves, as well.

Concentrating on health workers, the Centre of Excellence on Post-Traumatic
Stress Disorder at The Royal Ottawa and Phoenix Australia -- Centre for
Post-traumatic Mental Health have co-developed A Guide to Moral Injury.  The
Website, outlining the issues, is at: https://www.moralinjuryguide.ca/ You
can obtain the full guide, free of charge.
https://www.moralinjuryguide.ca/wp-content/uploads/2020/07/Moral-Injury-Guide.pdf
An executive summary is available here:
https://www.moralinjuryguide.ca/wp-content/uploads/2020/07/MI-Guide-Executive-Summary.pdf

------------------------------

Date: Wed, 8 Jul 2020 12:40:26 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Home Security Camera Wi-Fi Signals Can be Hacked to Tell When
  People Are Home (Jonathan Chadwick)

Jonathan Chadwick, *The Daily Mail* (UK), 6 Jul 2020

Scientists at the U.K.'s Queen Mary University of London and the Chinese
Academy of Sciences in Beijing have demonstrated exploits of
Internet-connected security camera uploads that track potential burglars,
allowing hackers to learn whether homes are occupied or not. Many smart home
cameras use Wi-Fi connections to facilitate remote monitoring by homeowners,
which hackers can hijack when activated--even if the video content is
encrypted. An undisclosed home Internet Protocol security camera provider
allowed the researchers access to a dataset covering 15.4 million streams
from 211,000 active users. By studying the rate at which cameras uploaded
data via the Internet, the team could detect when a camera was uploading
motion, and even differentiate between certain types of motion. The
researchers also learned that online traffic generated by the cameras, often
motion-triggered, could be monitored to predict whether people were at home.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-25eb9x223498x065969&
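
The attack in the item above needs no access to video content: motion-triggered uploads change the volume of ciphertext on the link, and that alone exposes when the camera saw movement. The following is an added example (not code from the article or from the QMUL/Chinese Academy of Sciences study) that runs the idea over a constructed per-second byte-count trace: calibrate a quiet baseline, mark seconds whose upload volume jumps far above it, group them into motion events, and turn the longest quiet stretch into an occupancy guess. It also shows the obvious countermeasure, padding uploads to a constant rate, and confirms that the detector then finds nothing. The 5x threshold and the 30-second quiet limit are assumed tuning values, not figures from the study.

```python
"""Upload-rate side channel on an encrypted home-camera stream.

Added example; it is not code from the Daily Mail article or from the study
it reports on. The per-second byte counts are constructed: a camera sends
small keepalives while idle and uploads a clip only when motion is detected.
An observer on the Wi-Fi link sees ciphertext sizes and timing only, which
is all this code uses.
"""
from statistics import median

# Constructed observation, one upload volume (bytes) per second for 45 s.
# Seconds 0-19 idle, 20-27 motion clip, 28-39 idle, 40-44 second clip.
SAMPLE_BYTES_PER_SECOND = (
    [1200, 1150, 1300, 1180, 1220, 1190, 1250, 1210, 1170, 1240,
     1200, 1230, 1160, 1210, 1190, 1220, 1200, 1180, 1250, 1210]
    + [48000, 52000, 51000, 49500, 50500, 47000, 53000, 50000]
    + [1200, 1190, 1230, 1210, 1180, 1220, 1200, 1240, 1190, 1210, 1200, 1230]
    + [45000, 49000, 51000, 50000, 48000]
)


def idle_baseline(samples, window=10):
    """Median volume over the first `window` seconds, assumed to be quiet.

    The median keeps a single stray burst inside the calibration window from
    inflating the baseline.
    """
    return median(samples[:window])


def motion_events(samples, baseline, factor=5.0):
    """Group consecutive seconds above factor x baseline into (start, end) spans."""
    events = []
    for second, volume in enumerate(samples):
        if volume <= factor * baseline:
            continue
        if events and second == events[-1][1] + 1:
            events[-1] = (events[-1][0], second)   # extend the current event
        else:
            events.append((second, second))        # start a new event
    return events


def longest_quiet_gap(events, total_seconds):
    """Longest run of seconds with no motion upload anywhere in the capture."""
    # [-1, start1, end1, start2, end2, ..., total]: quiet gaps lie between
    # each end_k and the following start_{k+1}.
    bounds = [-1] + [s for span in events for s in span] + [total_seconds]
    gaps = [bounds[i + 1] - bounds[i] - 1 for i in range(0, len(bounds), 2)]
    return max(gaps)


def likely_occupied(events, total_seconds, max_quiet_seconds):
    """Occupancy guess: a home that never stays quiet for long is probably occupied."""
    return longest_quiet_gap(events, total_seconds) < max_quiet_seconds


def pad_to_constant_rate(samples, rate):
    """Countermeasure sketch: pad every second up to one fixed upload volume.

    With a flat profile the detector has nothing to separate; the price is
    bandwidth spent on padding while the camera is idle.
    """
    if max(samples) > rate:
        raise ValueError("rate must be at least the peak upload volume")
    return [rate] * len(samples)


if __name__ == "__main__":
    base = idle_baseline(SAMPLE_BYTES_PER_SECOND)
    events = motion_events(SAMPLE_BYTES_PER_SECOND, base)
    print("idle baseline bytes/s:", base)
    print("motion events (start, end):", events)
    print("likely occupied:", likely_occupied(events, len(SAMPLE_BYTES_PER_SECOND), 30))
    padded = pad_to_constant_rate(SAMPLE_BYTES_PER_SECOND, 55000)
    print("events after padding:", motion_events(padded, idle_baseline(padded)))
```

Encrypting the stream does not close this channel; only shaping the traffic (constant-rate padding, or batching uploads on a fixed schedule rather than on motion) removes the correlation between packet volume and what the camera saw.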

------------------------------

Date: Wed, 8 Jul 2020 12:40:26 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Uncovered: 1,000 Phrases That Incorrectly Trigger Alexa, Siri, and
  Google Assistant (Dan Goodin)

Dan Goodin, Ars Technica, 1 Jul 2020

Researchers at Ruhr University Bochum and the Max Planck Institute for
Security and Privacy in Germany have identified more than 1,000 word
sequences that incorrectly trigger voice assistants like Alexa, Google Home,
and Siri. The researchers found that dialogue from TV shows and other
sources produces false triggers that activate the devices, raising concerns
about privacy. Depending on pronunciation, the researchers found that Alexa
will wake to the words "unacceptable" and "election," while Siri will
respond to "a city," and Google Home to "OK, cool." They note that when the
devices wake, a portion of the conversation is recorded and transmitted to
the manufacturer, where employees may transcribe and check the audio to help
improve word recognition. This means each company's logs may contain
fragments of potentially private conversations.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-25eb9x22349cx065969&

------------------------------

Date: Wed, 8 Jul 2020 12:40:26 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Can an Algorithm Predict the Pandemic's Next Moves?
  (Benedict Carey)

Benedict Carey, *The New York Times*, 2 Jul 2020

An international team of scientists has developed a computer model to
predict Covid-19 outbreaks about two weeks before they happen. Team leaders
Mauricio Santillana and Nicole Kogan of Harvard University created the
algorithm, which monitors Twitter, Google searches, and mobility data from
smartphones in real time in order to forecast outbreaks 14 days or more
before case counts start rising. Santillana said the model is based on
observations rather than assumptions, employing methods responsive to
immediate behavioral changes. The team integrated multiple real-time data
streams with a prediction model from Northeastern University, based on
people's movements and interactions in communities, and assessed the value
of trends in the data stream by observing how each correlated with case
counts and deaths over March and April in each state. Santillana said, "We
don't see this data as replacing traditional surveillance, but confirming
it."
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-25eb9x223497x065969&

------------------------------

Date: Mon, 13 Jul 2020 09:09:16 -0600
From: Cooley <info@emailcc.com>
Subject: Supreme Court Preserves Limits on Autodialed Calls to Cell Phones,
  Overturns Government Debt Collection Exception

In a widely anticipated decision in Barr v. American Association of
Political Consultants, the US Supreme Court determined that an exception to
the Telephone Consumer Protection Act (TCPA) that allowed robocalls to
mobile phones to collect government debts was unconstitutional, but declined
to overturn the broader ban on most robocalls to mobile phones without the
prior express consent of the recipient. The decision reveals significant
differences among the justices on how to apply the First Amendment to the
TCPA, but also leaves that current regime in place for all but a fraction of
entities that use autodialed calls. As a result, entities that make
autodialed calls should continue to obtain prior express written consent
for those calls.

https://i.cooley.com/e/708103/C50814EDFB41B8F669AE9711D--z-z/43q7j/159951937?hyrXwDekXtEKMUTjG6B8lfsrf4HyeCQ5MQcbcPQ9Gswg

------------------------------

Date: Fri, 10 Jul 2020 17:58:21 +0100
From: Neil Youngman <antlists@youngman.org.uk>
Subject: Re: Not so random acts: Science finds that being kind pays off
  (RISKS-32.08)

It's long been known that tit-for-tat is a very good social strategy -- it's
pretty obvious that anybody who is always kind will be taken advantage of,
and anybody who is never kind will be shunned.

But if we're "forgiving tit-for-tat" (i.e., we're mostly tit-for-tat but
every now and then forgive an unkindness), then people who don't play the
game get punished, but people who do can be pretty much always kind in
safety.

That's old news ...

------------------------------

Date: Mon, 1 Jun 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.09
************************