Subject: Risks Digest 32.11

RISKS-LIST: Risks-Forum Digest  Thursday 16 July 2020  Volume 32 : Issue 11

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can also be found at

  Contents:
High-profile Twitter accounts hacked (Sundry sources)
Russian Hackers Trying to Steal Coronavirus Vaccine Research,
  Intelligence Agencies Say (NYTimes)
Iranian Spies Accidentally Leaked Videos of Themselves Hacking (WiReD)
NOAA storm-spotting app was suspended after being overrun with false and
  hateful reports (WashPost)
An invisible hand: Patients aren't being told about the AI systems advising
  their care (StatNews)
CJEU rejects EU-US Privacy Shield (EAID-Berlin)
EU court rules U.S. servers not private enough for its citizens' data
  (WashPost)
When tax prep is free, you may be paying with your privacy (WashPost)
Re: Why Some Birds Are Likely To Hit Buildings (Keith Medcalf)
Re: 24-Year-Old Australian Man Spent $2 Million After a Bank Glitch
  (Martin Ward)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 15 Jul 2020 15:10:24 -0700
From: Paul Saffo
Subject: High-profile Twitter accounts hacked (Sundry sources)

https://www.nbcnews.com/tech/security/suspected-bitcoin-scammers-take-over-twitter-accounts-bill-gates-elon-n1233948

The Twitter accounts of Barack Obama, Jeff Bezos, Joe Biden, Elon Musk and
many other high-profile people and companies became pawns Wednesday in one
of the most visible cyberscams in the Internet's history.

Suspected bitcoin scammers grabbed control of accounts belonging to the rich
and famous, as well as lower-profile accounts, for more than two hours
during the afternoon and tricked at least a few hundred people into
transferring the cryptocurrency.

A tweet typical of the attack sent from the account of Bill Gates, the
software mogul who is the world's second-wealthiest person, promised to
double all payments sent to his Bitcoin address for the next 30 minutes.

``Everyone is asking me to give back, and now is the time. You send $1,000,
I send you back $2,000.''

Similar tweets appeared on the accounts of rapper Kanye West, investor
Warren Buffett and corporations including Apple, Wendy's, Uber and the money
transfer app Cash.

Twitter said it was looking into the attack.

``We are aware of a security incident impacting accounts on Twitter. We are
investigating and taking steps to fix it. We will update everyone shortly,''
the company said in a tweet.

  [See also
  https://www.nytimes.com/2020/07/15/technology/twitter-hack-bill-gates-elon-musk.html
  https://arstechnica.com/information-technology/2020/07/twitter-lost-control-of-its-internal-systems-to-bitcoin-scamming-hackers/

  A Twitter insider was responsible for a wave of high-profile account
  takeovers on Wednesday, according to leaked screenshots obtained by
  Motherboard and two sources who took over accounts. [...]

  Hackers Convinced Twitter Employee to Help Them Hijack Accounts
  After a wave of account takeovers, screenshots of an internal Twitter user
  administration tool are being shared in the hacking underground:
  https://www.vice.com/en_us/article/jgxd3d/twitter-insider-access-panel-account-hacks-biden-uber-bezos
  ]

  [Assume everything can be hacked -- and most easily by insiders.
  Perhaps the only sane policy is this: Always say/write what you believe
  to be true, because everyone may be listening or someone may hack into it.
  And damn the torpedoes. The truth will out, even if it may take a long
  time.  PGN]

  [Lauren Weinstein also noted (with no URL): Twitter shutdown of verified
  accounts blocked NWS from issuing tornado warnings.  PGN]

------------------------------

Date: Thu, 16 Jul 2020 15:44:54 -0400
From: Monty Solomon
Subject: Russian Hackers Trying to Steal Coronavirus Vaccine Research,
  Intelligence Agencies Say

The hackers have been targeting British, Canadian and American organizations
researching vaccines using spear-phishing and malware.

https://www.nytimes.com/2020/07/16/us/politics/vaccine-hacking-russia.html

------------------------------

Date: Thu, 16 Jul 2020 08:32:32 -0700
From: Lauren Weinstein
Subject: Iranian Spies Accidentally Leaked Videos of Themselves Hacking (WiReD)

https://www.wired.com/story/iran-apt35-hacking-video/

------------------------------

Date: Tue, 14 Jul 2020 21:20:17 -0400
From: Monty Solomon
Subject: NOAA storm-spotting app was suspended after being overrun with
  false and hateful reports (WashPost)

The NOAA's "mPING" application was compromised, sending false severe weather
data to forecasters and the public.

https://www.washingtonpost.com/weather/2020/07/14/noaa-app-mping-suspended/

------------------------------

Date: July 16, 2020 at 22:08:12 GMT+9
From: Richard Forno
Subject: An invisible hand: Patients aren't being told about the AI systems
  advising their care (StatNews)

Rebecca Robbins and Erin Brodwin, 15 Jul 2020, via Dave Farber

Since February of last year, tens of thousands of patients hospitalized at
one of Minnesota's largest health systems have had their discharge planning
decisions informed with help from an artificial intelligence model. But few
if any of those patients have any idea about the AI involved in their care.
That's because frontline clinicians at M Health Fairview generally don't
mention the AI whirring behind the scenes in their conversations with
patients.
At a growing number of prominent hospitals and clinics around the country,
clinicians are turning to AI-powered decision support tools -- many of them
unproven -- to help predict whether hospitalized patients are likely to
develop complications or deteriorate, whether they're at risk of
readmission, and whether they're likely to die soon. But these patients and
their family members are often not informed about or asked to consent to the
use of these tools in their care, a STAT examination has found.

The result: Machines that are completely invisible to patients are
increasingly guiding decision-making in the clinic.

Hospitals and clinicians ``are operating under the assumption that you do
not disclose, and that's not really something that has been defended or
really thought about,'' Harvard Law School professor Glenn Cohen said.
Cohen is the author of one of only a few articles examining the issue, which
has received surprisingly scant attention in the medical literature even as
research about AI and machine learning proliferates.

https://www.statnews.com/2020/07/15/artificial-intelligence-patient-conse-hospitals/

------------------------------

Date: Thu, 16 Jul 2020 16:01:25 +0100
From: Martyn Thomas
Subject: CJEU rejects EU-US Privacy Shield (EAID-Berlin)

https://www.eaid-berlin.de/dejavu-cjeu-rejects-eu-us-privacy-shield/

If you are baffled by the penultimate sentence, replace "wear" by "carry".
(With thanks to Judith Rauhofer for the explanation that "tragen" in German
has both meanings.)

  [Conversely, the German language used to use "Sicherheit" for both
  security and safety. Perhaps that has changed with the use of
  Cyber/Kyber/...?  PGN]

------------------------------

Date: Thu, 16 Jul 2020 18:32:51 +0900
From: farber@gmail.com
Subject: EU court rules U.S. servers not private enough for its citizens'
  data (WashPost)

https://www.washingtonpost.com/world/europe/top-eu-court-ruling-throws-transatlantic-digital-commerce-into-disarray-over-privacy-concerns/2020/07/16/d2c0fe06-c736-11ea-a825-8722004e4150_story.html

------------------------------

Date: Wed, 15 Jul 2020 09:47:57 -0400
From: Monty Solomon
Subject: When tax prep is free, you may be paying with your privacy (WashPost)

*Free* tax software is not all created equal. Some want to upsell you.
Others want the data in your tax return.

https://www.washingtonpost.com/technology/2019/03/07/when-tax-prep-is-free-you-may-be-paying-with-your-privacy/

------------------------------

Date: Tue, 14 Jul 2020 21:46:33 -0600
From: "Keith Medcalf"
Subject: Re: Why Some Birds Are Likely To Hit Buildings (Scientific American)

While this may be entertaining, I would point out that it is unlikely that
the bird was responsible for the collision. I would suggest that the more
realistic situation is that the bird was just flying along minding its own
business when a bloody big fat and fast-moving airplane that was not
watching where it was going ran into the poor bird.

Calling it a "bird strike" is ridiculous. The bird did not strike the
aeroplane, the aeroplane ran down the bird. And then the aeroplane and its
operator carried on away from the scene of the mishap -- in actual fact the
aeroplane pilot committed a hit and run.

I suppose we should also call pedestrian collisions with automobiles
"pedestrian strikes" and blame it on the pedestrian deliberately striking
the automobiles. It would certainly put an end to a lot of issues if we did
this.

------------------------------

Date: Wed, 15 Jul 2020 15:05:01 +0100
From: Martin Ward
Subject: Re: 24-Year-Old Australian Man Spent $2 Million After a Bank Glitch
  (RISKS-32.09)

Given that the court ruled that the overdraft was perfectly legal, and Milky
therefore had a legal right to spend the money, it may well have been the
*bank* that acted illegally in confiscating Milky's belongings. So, writing
off the rest of his debt and hoping that he wouldn't go after them is the
best that they can do, under the circumstances.

------------------------------

Date: Mon, 1 Jun 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 32.11
************************