Category Archives: News

Naked Security Live – How to calculate important things using a computer

Last week, a UK journalist reported an incident that he subtitled with the words, “Hilarious mix-up may have highlighted a potential issue with the vaccine roll-out.”

As you probably know, medical mix-ups have a habit of ending badly, especially when they involve automated calculations that determine drug doses.

In this case, happily, things ended in hearty laughter, but the story nevertheless has a lot to teach us about how we collect, store and process data:

[Embedded video of the talk; also available directly on YouTube.]

Why not join us live next time?

Don’t forget that these talks are streamed weekly on our Facebook page, where you can catch us live every Friday.

We’re normally on air some time between 18:00 and 19:00 in the UK (late morning/early afternoon in North America).

Just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time we’ll be live.


Nvidia announces official “anti-cryptomining” software drivers

Nvidia, the graphics chip company that wants to buy ARM, made an unusual announcement last week.

The company is about to launch its latest GeForce GPU (graphics processing unit) chip, the RTX 3060, and wants its users to know that the chip is “tailored to meet the needs of gamers and those who create digital experiences.”

Nvidia says:

Our GeForce RTX GPUs introduce cutting-edge technologies — such as RTX real-time ray-tracing, DLSS AI-accelerated image upscaling technology, Reflex super-fast response rendering for the best system latency, and many more.

Ray-tracing is an algorithm used in generating synthetic images that are almost unbelievably realistic, correctly modelling complex optical interactions such as reflection, transparency and refraction, but this sort of realism comes at huge computational cost.

You can therefore see why gamers and digital artists might be very keen to get their hands on the latest special-purpose hardware that can speed up the creation of images rendered in this way.

Horns of a dilemma

The dilemma that modern GPUs face, however, is that they’re also pretty good at performing cryptographic calculations, like computing hashes such as SHA-2 and SHA-3 at high speed.

This sort of algorithm is used at the heart of many cryptocurrency mining calculations.

You can therefore see why cryptocurrency fans might be very keen to get their hands on the latest special-purpose hardware that can speed up the calculations needed to earn cryptocoins.

This tension between graphics-cards-used-for-graphics and graphics-cards-used-for-cryptomining has regularly led to new product releases from GPU makers selling out almost immediately, followed by the inevitable price gouging by buyers who were able to get hold of retail stock and then to flip their cards for a quick online profit.

Selling plenty of product may be a great outcome for GPU vendors, but the artificial price inflation caused by stock shortages is a less welcome look for any mainstream company.

The company’s true customers – the end users who were after the product in the first place – end up feeling outmanoeuvred by and aggrieved at the company itself, not the buyers who flipped for quick money.

Cryptomining considered harmful

For its new product, Nvidia has therefore openly stated in advance that its software drivers for the RTX 3060 are deliberately biased against cryptomining:

With the launch of GeForce RTX 3060 on Feb. 25, we’re taking an important step to help ensure GeForce GPUs end up in the hands of gamers. […] RTX 3060 software drivers are designed to detect specific attributes of the Ethereum cryptocurrency mining algorithm, and limit the hash rate, or cryptocurrency mining efficiency, by around 50 percent.

Simply put, Nvidia will try to detect the code you’re running, and purposefully – but not secretly, given its public announcement – take out what amounts to “denial of service” (DoS) actions against software it thinks is trying to do Ethereum calculations on the GPU.

If you want to do cryptomining, says Nvidia, you need to buy a different product:

To address the specific needs of Ethereum mining, we’re announcing the NVIDIA CMP [Cryptocurrency Mining Processor] product line for professional mining. CMP products, which don’t do graphics, are […] optimized for the best mining performance and efficiency. They don’t meet the specifications required of a GeForce GPU and thus don’t impact the availability of GeForce GPUs to gamers.

What about Bitcoin?

If you’re a cryptocoin enthusiast, you might be wondering why Nvidia is focused here on Ethereum (and its associated cryptocurrency Ether, or ETH) instead of the current media darling of cryptocurrencies, Bitcoin (BTC).

After all, BTC calculations can be accelerated enormously with GPUs, just like ETH calculations.

However, Bitcoin mining can be accelerated even more dramatically by using special-purpose chips built for the sole purpose of mining, so many BTC mining consortiums splash out on custom mining hardware instead of buying in general-purpose GPUs.

That’s because BTC depends almost entirely on computing SHA-256 cryptographic hashes over and over again, starting with a randomly chosen value each time.

Ethereum calculations, however, currently use a weird mix of several different hashes, some cryptographic and others simply basic bit-stirring hashes, based on inputs drawn pseudo-randomly from an enormous pseudo-randomly generated pool of data known as the dataset.

This dataset needs recomputing every few days, takes up gigabytes of memory, and needs to be directly accessible in RAM throughout all your mining calculations.

That’s because the ETH algorithm, currently known as Ethash but often referred to by its original and much cooler name of Dagger-Hashimoto, was specifically designed to make it difficult to compute quickly on special-purpose hardware.

Any dedicated Ethereum mining hardware would not only need to include customised and accelerated hash calculating chips that could outperform your GPU, but also need to be based on a better performing motherboard with better memory management hardware and faster RAM than your gaming rig.
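To make the contrast above concrete, here is a small Python example added for this page; it is not Nvidia’s, Bitcoin’s or Ethereum’s code. The first search is compute-bound in the Bitcoin style (double SHA-256 over a header plus a nonce until enough leading zero bits appear); the second is a toy memory-bound mix that stands in for Dagger-Hashimoto, not the real Ethash algorithm, and forces a pseudo-random read from a table on every round. The header bytes, seed and table size are constructed for the example.

```python
import hashlib
import struct

# Constructed sample input: a stand-in for an 80-byte Bitcoin block header.
SAMPLE_HEADER = b"constructed-example-header"


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, as Bitcoin applies it to block headers."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest (a simple stand-in for a difficulty target)."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
        else:
            n += 8 - byte.bit_length()
            break
    return n


def bitcoin_style_search(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 24):
    """Compute-bound search: hash header||nonce until the digest has enough leading zeros.
    Each attempt touches only a few dozen bytes, which is why fixed-function chips win here."""
    for nonce in range(max_nonce):
        digest = sha256d(header + struct.pack("<I", nonce))
        if leading_zero_bits(digest) >= difficulty_bits:
            return nonce, digest
    return None


def verify_bitcoin_style(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification is one hash, however long the search took."""
    return leading_zero_bits(sha256d(header + struct.pack("<I", nonce))) >= difficulty_bits


def build_dataset(seed: bytes, n_words: int) -> list:
    """Toy stand-in for the Ethash dataset: a pseudo-random table derived from a seed.
    The real one is gigabytes; this one is tiny so the example runs in a blink."""
    words, state = [], seed
    for _ in range(n_words):
        state = hashlib.sha256(state).digest()
        words.append(int.from_bytes(state[:8], "little"))
    return words


def memory_hard_mix(dataset: list, header: bytes, nonce: int, rounds: int = 64) -> bytes:
    """Memory-bound mixing in the spirit of Dagger-Hashimoto (a toy, not the real algorithm).
    Each round reads a word whose index depends on the running state, so the reads
    cannot be skipped or predicted ahead of time; a fast hasher with slow RAM gains little."""
    mix = int.from_bytes(hashlib.sha256(header + struct.pack("<I", nonce)).digest()[:8], "little")
    for _ in range(rounds):
        index = mix % len(dataset)                      # unavoidable data-dependent read
        mix = ((mix ^ dataset[index]) * 0x9E3779B97F4A7C15) & 0xFFFFFFFFFFFFFFFF
        mix ^= mix >> 29
    return hashlib.sha256(mix.to_bytes(8, "little")).digest()


def memory_hard_search(dataset: list, header: bytes, difficulty_bits: int, max_nonce: int = 1 << 24):
    """Same nonce search as above, but every candidate costs `rounds` table reads."""
    for nonce in range(max_nonce):
        digest = memory_hard_mix(dataset, header, nonce)
        if leading_zero_bits(digest) >= difficulty_bits:
            return nonce, digest
    return None


if __name__ == "__main__":
    nonce, digest = bitcoin_style_search(SAMPLE_HEADER, 12)
    print("compute-bound: nonce", nonce, "digest", digest.hex())
    table = build_dataset(b"constructed-seed", 1024)
    nonce, digest = memory_hard_search(table, SAMPLE_HEADER, 10)
    print("memory-bound: nonce", nonce, "digest", digest.hex())
```

With 12 difficulty bits the SHA-256 search needs roughly 4,000 attempts, each a pure CPU operation; the memory-bound version performs 64 scattered table reads per attempt, and it is that kind of scattered, unavoidable access pattern, scaled up to a multi-gigabyte dataset, that the article says makes Ethash awkward to accelerate in dedicated silicon.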

What about cryptojacking?

Reports we’ve seen suggest that Nvidia’s anti-crypto drivers work by detecting memory usage that looks like a Dagger-Hashimoto computation, which needs to follow unusual but unavoidable memory access patterns, and cutting the speed of ETH hashing in half.

Sadly, this isn’t likely to discourage cryptojackers – the name given to cybercriminals who implant malware that uses your computer to mine cryptocoins for them without permission.

Even though these new Nvidia drivers will halve the earning rate of the cybercriminals, the crooks aren’t paying for the electricity (you are!), so any unlawfully mined cryptocoins are still essentially “free money” for them.

We’re also wondering just how long it will take for unofficial patches to appear for Nvidia’s drivers in order to bypass the “Dagger-detector” slowdown code.

Hacking the Nvidia drivers would break their digital signatures, but on your own Windows computer you can load modified and unsigned drivers easily enough.


The massive coronavirus pandemic IT blunder with a funny side

Journalist Liam Thorp, who writes for the Liverpool Echo in England, recently published an amusing story that he subtitled, “Hilarious mix-up may have highlighted a potential issue with the vaccine roll-out.”

As you can imagine, medical mix-ups rarely end well, especially when they involve calculations that determine drug doses.

But, fortunately for Liam, who describes himself, in a deadpan but gently witty and guaranteed-to-make-you-smile video, as “a bit on the chunky side,” this mixup ended with a little bit of embarrassment for his doctor but a lot of happy laughter all round.

Nevertheless, as with most IT-related “tall stories”, there are some serious lessons we can learn from this one, so here goes.

Your vaccination is waiting

Liam received a text message (SMS) inviting him for his first coronavirus vaccine shot on account of his “excess weight.”

Presumably, Liam could have simply grabbed the opportunity and gone in for the jab, but his social conscience led him to think that if he had, as he suspected, been offered vaccination by mistake, he’d be jumping the queue ahead of those who really ought to get the chance ahead of him.

That’s because the UK is currently delivering vaccines in what it thinks is order of medical priority – for example, although you might not have been surprised to read that Her Majesty the Queen was in one of the first groups to be vaccinated, the reason was down to her age (she’s 94), not because she’s the face on all our coins and stamps.

Liam, however, says he is 32 years old with no underlying health problems that he’s aware of, and certainly nothing on record that ought to have shoved him to the front of the queue.

A massive mistake

The mystery was unravelled the next day when his GP phoned to explain to Liam that it was, indeed, all a massive mistake.

The UK health system is using a formula known as BMI, short for Body Mass Index, as a crude guide to calculate whether patients on its books are considered “morbidly obese”. (You might have expected that medical term to have gone the way of words such as moron, imbecile and idiot by now, but it is apparently still considered unexceptionable.)

BMI, it seems, was concocted some time in the early 1800s by an astronomer and mathematician who was looking for a simple rule-of-thumb to indicate objectively whether someone was undernourished, doing about right, or overweight.

It’s very basic: you take your body mass and divide it by the square of your height.

For global consistency, BMI always uses kilograms and metres, which were the units chosen by its Belgian inventor, Lambert Adolphe Jacques Quetelet.

Square your height

Why, or even if, this is a useful metric is unclear – and some current mathematicians and medical professionals do indeed consider BMI to be an inexplicable oversimplification.

Clearly, dividing mass directly by height wouldn’t work, because the volume of a cube isn’t proportional to its height.

But the volume of a cube isn’t proportional to the square of its height, either: as the name “cube” itself suggests, its volume is the cube (the third power) of its height.

It’s the same for round objects.

If you ever studied mathematics at school you will probably remember being compelled to learn the formulas for the circumference and area of a circle, and perhaps for the surface area and volume of a sphere.

You may not remember the formulas themselves, but you are sure to remember being told to remember them:

 For a circle or sphere of radius r:
   Circumference of circle: 2πr (said aloud as: two pi R)
   Circumference of sphere: 2πr
   Area of circle: πr² (said aloud as: pi R squared)
   Surface area of sphere: 4πr² (said aloud as: four pi R squared)
   Volume of sphere: (4πr³)/3 (said aloud as: four-thirds pi R cubed)

Areas grow in a quadratic way (i.e. by squaring), and volumes in a cubic way (i.e. by cubing).

As you grow, however, you don’t increase in size at the same rate in every dimension.

Unlike a cube, you don’t end up as wide as you are tall, nor yet as deep as you are wide, and your legs are a totally different shape and size to your torso, so presumably cubing your height in the BMI formula would be little better than squaring it, tending to overestimate your volume rather than to underestimate it.

But it’s still not obvious why BMI uses the square of your height, given that you aren’t flat, either – unlike a square, which does have a width and a height, yet has a depth of zero.

Modern BMI alternatives suggest using your height raised to the power 2.5, thus slotting in somewhere between squaring and cubing, in order to maintain the simplicity of the calculation, given that height and body mass are easy to measure with basic equipment. Other 21st-century proposals suggest using a mobile phone app to estimate your volume more reliably using silhouettes derived from photos snapped from various angles.

Nevertheless, BMI is what the UK health service is using to decide whether your body mass is sufficiently high, given how tall you are, to put you at greater than normal risk from COVID-19.

If your BMI is above a pre-decided value, you’re offered a chance in the vaccination queue that you might not have got based on other factors alone, such as your age.

And here’s the thing: Liam Thorp’s BMI was computed as 28,000, which was above the threshold needed to qualify him for early vaccination.

We’re assuming that somewhere there was some programming code like this:

 local current_limit = 40
 if compute_BMI(patientrecord) > current_limit then
    send_sms(patientrecord,invitation_text)
 end

What apparently didn’t exist was code, say, like this:

 local current_limit = 40
 local largest_likely_bmi = 200
 local huge_fudge_factor = 12
 local bmi = compute_BMI(patientrecord)
 if bmi > (largest_likely_bmi * huge_fudge_factor) then
    ask_for_someone_informed_to_check(patientrecord)
    log_anomaly(patientrecord,"WEIRD BMI")
 elseif bmi > current_limit then
    send_sms(patientrecord,invitation_text)
 end

As far as we can tell, the largest reliably known BMI on record is a shade over 200, which was recorded by a Saudi Arabian man who reached a body mass of just over 600kg.

He has apparently now got down to just 68kg, a good match for his height, but given that he was the second heaviest person in history at his peak weight, and the heaviest living person at that time, it’s a good bet that there is no one currently alive who has a BMI more than 200.

So Liam’s BMI measurement of 28,000 wasn’t just inaccurate, it was wildly, unbelievably, bizarrely and perhaps even dangerously wrong, given that there was at least one automated system that depended on it to make active decisions about his health care.

What happened?

Apparently, Liam’s height is pretty lofty (for those who aren’t Dutch, at least), at 1.88m.

We can therefore figure out how heavy he’d need to be in order to hit a BMI of 28,000:

 Let Liam's alleged body mass be M kg
   M kg / (1.88m x 1.88m) = 28000 kg/m²
   M kg / 3.53m²          = 28000 kg/m²
   M kg                   = 98963 kg

In comparison, the locomotives that pull cars and trucks through the Channel Tunnel weigh in at about 130,000kg, or 130 tons.

In the UK (and, surprisingly perhaps, also in many other Commonwealth countries that gave up the imperial system decades before Britain), Liam’s height is typically described in vernacular speech as six foot two inches, or 6’2″ if written down including its units.

And measurements such as height and mass should never be recorded without their units, or they simply don’t make sense, because height and mass are, by definition, not dimensionless numbers.

Your body mass, for example, simply can’t be 72, or 144. (Or 10.4 in the UK’s curiously confusing system of stones and pounds, where there are 14 pounds in a stone, who knew?)

Body mass has to be recorded as something like 72kg, or 144lb, or 10st4lb, so that the numbers make sense in real life.

It seems that Liam’s 6’2″ had ended up entered as 6.2…

…and the field it was entered into assumed that the units were centimetres.

As far as we can tell, even the shortest person on earth is ten times taller than that.

So Liam’s height was as improbable when it was entered as his computed BMI was when the vaccination scheduling system sent him his appointment.

What to do?

  • Don’t jump the vaccination queue just because you can. An obvious mistake needs correcting, not exploiting. Likewise, if you find your bank has wrongly credited you with $98,963 that you jolly well know isn’t really yours, don’t rush out and spend it before they realise. You will almost certainly end up having to pay it back.
  • Don’t leave out the units. Numbers that measure things are meaningless without their units. Don’t make assumptions, especially for measurements where various different units are in common local use, such as feet/metres, kilograms/pounds, knots/mph/kph, or different sorts of dollar. If you are creating a user interface, do your best to help the user get the entries in correct units, even if it requires a little more effort or typing.
  • Don’t ignore absurdities. In Liam’s case, his doctor did exactly the right thing and intervened in person to resolve the error. When programming, don’t blindly accept suspicious data. At the same time, don’t simply ignore it either, but get it checked out.
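Putting the three points above together with the sanity check sketched earlier in the article, here is a Python example added for this page (not the health service’s code, nor the article’s own pseudocode). It refuses height and mass values that arrive without a unit, converts the units people actually write (6’2″, 188cm, 1.88m, 144lb, 10st4lb) to metres and kilograms, and routes implausible heights or a BMI above the article’s 200 ceiling to a human instead of the SMS gateway. The 40 threshold is taken from the article’s pseudocode; the height bounds and the patient records are constructed for the example.

```python
import re

# Exact definitions of the imperial units.
KG_PER_LB = 0.45359237
M_PER_INCH = 0.0254

# Policy values: 40 follows the article's pseudocode; 200 follows its remark that the
# largest reliably recorded BMI is a shade over 200. The height bounds are assumed
# sanity limits chosen for this example.
CURRENT_LIMIT = 40
LARGEST_LIKELY_BMI = 200
MIN_PLAUSIBLE_HEIGHT_M = 0.5
MAX_PLAUSIBLE_HEIGHT_M = 2.8


class UnitError(ValueError):
    """Raised when a measurement is given without a recognised unit."""


def parse_height_m(text: str) -> float:
    """Accept 6'2", 6’2″, 188cm or 1.88m. A bare number such as 6.2 is refused,
    because guessing the unit is exactly how 6'2" turned into 6.2 centimetres."""
    s = text.strip().lower().replace(" ", "")
    m = re.fullmatch(r"(\d+)['’](\d+)[\"″]?", s)
    if m:
        return (int(m[1]) * 12 + int(m[2])) * M_PER_INCH
    m = re.fullmatch(r"(\d+(?:\.\d+)?)cm", s)
    if m:
        return float(m[1]) / 100
    m = re.fullmatch(r"(\d+(?:\.\d+)?)m", s)
    if m:
        return float(m[1])
    raise UnitError(f"height {text!r} has no recognised unit")


def parse_mass_kg(text: str) -> float:
    """Accept 72kg, 144lb or 10st4lb; refuse unitless numbers."""
    s = text.strip().lower().replace(" ", "")
    m = re.fullmatch(r"(\d+(?:\.\d+)?)kg", s)
    if m:
        return float(m[1])
    m = re.fullmatch(r"(\d+(?:\.\d+)?)lb", s)
    if m:
        return float(m[1]) * KG_PER_LB
    m = re.fullmatch(r"(\d+)st(\d+)lb", s)
    if m:
        return (int(m[1]) * 14 + int(m[2])) * KG_PER_LB
    raise UnitError(f"mass {text!r} has no recognised unit")


def compute_bmi(mass_kg: float, height_m: float) -> float:
    """Body mass divided by the square of height, in kg/m^2."""
    return mass_kg / (height_m * height_m)


def decide(record: dict) -> tuple:
    """Return (action, detail). Actions: 'invite', 'no-invite', or 'escalate' for anything
    that should be checked by a person rather than acted on automatically."""
    try:
        height_m = parse_height_m(record["height"])
        mass_kg = parse_mass_kg(record["mass"])
    except UnitError as err:
        return "escalate", str(err)
    if not MIN_PLAUSIBLE_HEIGHT_M <= height_m <= MAX_PLAUSIBLE_HEIGHT_M:
        return "escalate", f"implausible height {height_m:.3f} m"
    bmi = compute_bmi(mass_kg, height_m)
    if bmi > LARGEST_LIKELY_BMI:
        return "escalate", f"WEIRD BMI {bmi:.0f}"
    if bmi > CURRENT_LIMIT:
        return "invite", f"BMI {bmi:.1f} exceeds {CURRENT_LIMIT}"
    return "no-invite", f"BMI {bmi:.1f}"


# Constructed sample records (not real patient data). Record B reproduces the shape of
# the mix-up: a height typed as 6.2 with no unit; record C is what happens if a form
# silently assumes centimetres.
SAMPLE_RECORDS = [
    {"id": "A", "height": "1.88m", "mass": "150kg"},
    {"id": "B", "height": "6.2", "mass": "100kg"},
    {"id": "C", "height": "6.2cm", "mass": "100kg"},
    {"id": "D", "height": "6'2\"", "mass": "10st4lb"},
    {"id": "E", "height": "1.88m", "mass": "100000kg"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["id"], *decide(rec))
```

The two escalation branches are deliberately separate: the unit check catches the bad entry at the point of input, while the BMI ceiling catches it later even if a unitless value has already slipped into the database by another route, which is the “don’t blindly accept, but don’t silently ignore” behaviour the last point above calls for.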

Of course, the last point above is vital in cybersecurity.

Many a malware attack has succeeded where it ought to have failed because a warning was written off as, “Probably just the sysadmins doing some tests.”

And many an otherwise obvious phishing attack has succeeded because, “The web filter never blocked it so I decided to take that as a free pass from the IT department to go to the site anyway.”

To recite a carpentry metaphor we have used before: in cybersecurity, it pays to measure twice, cut once.


S3 Ep20: Corporate megahacking, true love gone bad, and tax grabs [Podcast]

How a bug hunter snuck into the internal networks of 35 megacorporations. Why romance scams are going stronger than ever (and how to avoid them). What to do about those tempting but treacherous “tax refund” messages. And a listener tells us how (and why) he got a bit carried away with his ivy while he was gardening…

With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.

US names three North Koreans in laundry list of cybercrime charges

The US Department of Justice (DOJ) has just unsealed a lengthy list of cybercrime charges against three North Koreans.

The DOJ explicitly named the three accused men as Jon Chang Hyok (31 years old), Kim Il (27), and Park Jin Hyok (36), alleging them to be part of a North Korean hacking group that you may have heard referred to over the years as APT38 or the Lazarus Group.

APT is shorthand for Advanced Persistent Threat, a jargon term for malware that is designed not only to infect a computer but also to remain in place and to stay active even after the current user logs off or reboots the device. Malware that is persistent essentially runs quietly but continuously in the background until someone spots it and removes it. Sadly, most modern malware has persistence, so it doesn’t magically vanish when you exit your browser or turn off your computer.

According to the indictment, the three men are said to have been criminally active from “no later than September 28, 2009, and continuing through [to] at least December 8, 2020.”

This means that Kim Il (who apparently also went by the name Tony Walker) allegedly got started when he was still a teenager, because he would have been just 15 or 16 years old back in 2009.

The charge sheet makes interesting reading, enumerating 45 specific instances of alleged criminality, referred to formally in the charge sheet as “Overt Acts 1 to 45.”

We advise you to peruse this list and ask yourself, for each Overt Act, the questions: “How well would my own network and staff block an attack of this sort?”, as well as “If we didn’t block it up front, how quickly would we spot it afterwards, before further harm could be done?”

The criminal charges include:

  • Carrying out the infamous Sony Pictures megahack back in 2014. Data stolen allegedly included not only Sony’s intellectual property but also personal information about tens of thousands of employees, including salary and contract details, with some reports suggesting that a whopping 100TB of corporate data was stolen.
  • Hacking into banks and compromising their ATM (cashpoint) networks to enable fraudulent withdrawals. This sort of crime generally involves recruiting so-called “casher crews” in one or more cities around the world who go on ATM withdrawal sprees, typically over one adrenaline-filled night, running from cash machine to cash machine and taking out the maximum per-transaction limit (typically just a few hundred dollars) each time. The casher crews typically give the withdrawn cash in bulk to a handler in return for a cut of the takings.
  • Hacking into banks and issuing fake money transfer instructions using the SWIFT payment network. The DOJ claims the accused got away with more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa.
  • Extorting money via ransomware. The ransomware variants that the accused are alleged to have created and used include the infamous and fast-spreading WannaCry virus of 2017, but the allegations extend right up to 2020. The extortion charges cover both types of blackmail that we commonly see in ransomware attacks these days, namely squeezing the victim to “buy back” the decryption keys to recover any scrambled data, as well as paying “hush money” so the criminals will delete any copies of company data that they stole during the attack.
  • Stealing cryptocurrency via booby-trapped cryptocurrency apps. The allegations refer to a range of malicious apps peddled by the accused. These went by innocent-enough names such as Celas Trade Pro, iCryptoFx, Union Crypto Trader, Kupay Wallet and CryptoNeuro Trader. Apparently, these malware programs ended up installed by staff at numerous cryptocurrency trading companies, who quickly found their cryptocurrency holdings depleted by fraudulent outward transfers totalling more than $100 million.
  • Operating a fraudulent Initial Cryptocoin Offering (ICO) called Marine Chain Token. Because Bitcoin was worth quite literally zero when it began, those who mined or acquired bitcoins early on and never sold up have not merely doubled or trebled their money, but are sitting on millionfold or even greater returns. This has led to a frenzy of investors keen to pay real money (or to hand over existing cryptocurrency) to startup companies who promise to let early adopters get in right at the start of their new cryptocurrency by handing out cryptocoins created especially for the ICO. In an ICO scam, those initial cryptocoins never get issued at all. The scammers simply run off with the money.
  • Launching spearphishing attacks against numerous US organizations. Simply put, spearphishing is just plain old phishing, but where the content of the fraudulent messages is carefully chosen to sound specifically interesting or important to the recipient. The indictment alleges that the accused deliberately targeted defense contractors, energy companies, aerospace companies, technology companies, the US Department of State, and the US Department of Defense.

What to do?

It’s unusual to see a single indictment accusing a small gang of alleged crooks of such a varied list of cybercrimes…

…but each crime on the list is depressingly familiar these days.

Most of us, or perhaps all of us, will have first-hand experience of attempted cybercrime attacks, such as ransomware-infected email attachments, booby-trapped web links and fraudulent investment offers; some of us, sadly, will actually have been victims ourselves, or will know an individual or a company who was.

Worse still, the risks are compounded these days by the increasing need to work remotely and to keep contact with colleagues, even people we don’t know very well or have yet to meet in person, over the imperfect medium of teleconferencing, instant messaging, email and the like.

We therefore invite you to read a brand new Sophos White Paper entitled Securing the Anywhere Organization.

Yes, this paper showcases our own products and services, and how to use them for defence-in-depth.

But even if you aren’t using any Sophos offerings, you will find useful checklists to help you answer those questions we proposed at the top of this article: “How likely is it that I’d block an attack of type X outright?”, and “How soon would I notice if the crooks were sneaky enough that I didn’t stop it up front?”

