
RISKS Forum mailing list archives
Risks Digest 34.38
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 29 Jul 2024 17:05:07 PDT
RISKS-LIST: Risks-Forum Digest  Monday 29 Jul 2024  Volume 34 : Issue 38
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/34.38>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Lithium Battery Fire Traps Drivers in Sweltering Heat on California Highway
  (The New York Times)
Spy v spy v spy: Jamming home wifi's by crims & cops (Henry Baker)
Lawmaker uses AI voice clone to address Congress (BBC via Matthew Kruk)
AI May Save Us, or May Construct Viruses to Kill Us (NYTimes)
Robots sacked, screenings shut down: a new movement of Luddites is rising up
  against AI (Ed Newton-Rex)
Restrictions on AI training data (NYTimes via Jim Geissman)
Apple signs on to Biden's responsible AI guidelines (Politico)
Crypto fanatics flock to Trump, hoping to *make bitcoin great again* (WashPost)
Devastating ransomware attack shuts down L.A. County courts (LATimes)
Proofpoint Email Routing Flaw Exploited to Send Millions of Spoofed Phishing
  Emails (The Hacker News)
Prominent Short Seller Made Millions Off Bait-and-Switch Scheme, U.S. Says
  (NYTimes)
Secure Boot is completely broken on 200+ models from 5 big device makers
  (Ars Technica)
Hackers steal call records of 'nearly all' AT&T customers (BBC)
Security Firm Discovers Remote Worker Is North Korean Hacker (Michael Kan)
New Israeli Spyware (Israel News)
Windows resiliency: Best practices and the path forward (MS via PGN)
Google reverts TV YouTube app to original search history behavior
  (Lauren Weinstein)
CrowdStrike and fuzz testing (Martin Ward)
Re: U.S. Gender Care Is Ignoring ... (Julian Bradfield)
Re: Switzerland now requires all government software to be open source
  (Amos Shapir)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 28 Jul 2024 01:29:04 -0400
From: "Gabe Goldberg" <gabe () gabegold com>
Subject: Lithium Battery Fire Traps Drivers in Sweltering Heat on California
  Highway (The New York Times)

Traffic was at a standstill for hours on a portion of I-15 near Baker, Calif., after a truck carrying lithium batteries overturned and caught fire. [...]

Drivers were stuck in traffic in 109-degree heat on a California highway on Saturday for hours as the authorities struggled to extinguish a fire involving a truck carrying lithium ion batteries that had overturned on Friday.

“Multiple attempts were made to move the container from the freeway shoulder to open land using heavy equipment,” the San Bernardino County Fire Protection District said on social media on Saturday. “However, the container’s weight, exceeding 75,000 pounds, has made these efforts unsuccessful so far.”

https://www.nytimes.com/2024/07/27/us/battery-fire-traffic-nevada-california.html?smid=nytcore-ios-share&referringSource=articleShare&sgrp=c-cb

------------------------------

Date: Sun, 28 Jul 2024 22:07:16 +0000
From: Henry Baker <hbaker1 () pipeline com>
Subject: Spy v spy v spy: Jamming home wifi's by crims & cops

Those wifi cameras that you just installed to spy on your own home (and AirBnB guests?): Jammed by both crims and cops!

FCC: "Yes, Wi-Fi devices that comply with FCC technical standards **must accept interference**, including interference that may cause undesired operation. This is because the FCC's Part 15 federal regulation limits the amount of electromagnetic interference that electronic devices can cause, and requires that they operate without interfering with authorized radio services."
https://www.pcworld.com/article/2405434/burglars-are-jamming-wi-fi-security-cameras.html
Burglars are jamming Wi-Fi security cameras -- here's what you can do
Tech-savvy thieves are finding new ways to circumvent wireless networked security cameras like Ring and Nest.
By Michael Crider, Staff Writer, PCWorld, Jul 22, 2024 9:24 am PDT

https://www.404media.co/dhs-has-a-ddos-robot-to-disable-internet-of-things-booby-traps-inside-homes/
DHS Has a DoS Robot to Disable Internet of Things 'Booby Traps' Inside Homes
Jason Koebler, Jul 22, 2024 at 9:50 AM

"NEO carries an onboard computer and **antenna array** that will allow officers the ability to create a 'denial-of-service' event to disable 'Internet of Things' devices that could potentially cause harm while entry is made." ...

https://www.fcc.gov/document/consumer-alert-using-or-importing-jammers-illegal
CONSUMER ALERT: Using or Importing Jammers is Illegal

https://www.fcc.gov/general/jammer-enforcement
"Local law enforcement agencies do ***not*** have independent authority to use jamming equipment; in certain limited exceptions use by Federal law-enforcement agencies is authorized in accordance with applicable statutes."

------------------------------

Date: Thu, 25 Jul 2024 21:57:30 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: Lawmaker uses AI voice clone to address Congress

We talk about the risks of AI. Thought I'd pass along a non-risk, indeed a benefit. Let's hope for more.

https://www.bbc.com/news/videos/c728q850e5do

Virginia Congresswoman Jennifer Wexton used an artificial intelligence (AI) programme to address the House on Thursday. A year ago, the lawmaker was diagnosed with progressive supranuclear palsy, which makes it difficult for her to speak. The AI programme allowed Wexton to make a clone of her speaking voice using old recordings of appearances and speeches she made in Congress. Wexton appears to be the first person to speak on the House floor with a voice recreated by AI.
  [Indeed, a positive use for something that is so easily misused. PGN]

------------------------------

Date: Sat, 27 Jul 2024 22:25:52 -0600
From: "Matthew Kruk" <mkrukg () gmail com>
Subject: AI May Save Us, or May Construct Viruses to Kill Us (NYTimes)

https://www.nytimes.com/2024/07/27/opinion/ai-advances-risks.html

Here’s a bargain of the most horrifying kind: For less than $100,000, it may now be possible to use artificial intelligence to develop a virus that could kill millions of people.

That’s the conclusion of Jason Matheny, the president of the RAND Corporation, a think tank that studies security matters and other issues.

“It wouldn't cost more to create a pathogen that’s capable of killing hundreds of millions of people versus a pathogen that’s only capable of killing hundreds of thousands of people,” Matheny told me.

In contrast, he noted, it could cost billions of dollars to produce a new vaccine or antiviral in response.

------------------------------

Date: Mon, 29 Jul 2024 06:50:26 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: Robots sacked, screenings shut down: a new movement of Luddites is
  rising up against AI (Ed Newton-Rex)

Robots sacked, screenings shut down: a new movement of luddites is rising up against AI

Earlier this month, a popular lifestyle magazine introduced a new “fashion and lifestyle editor” to its huge social media following. “Reem” <https://sheerluxe.com/fashion/meet-our-new-ai-enhanced-editor-reem>, who on first glance looked like a twentysomething woman who understood both fashion and lifestyle, was proudly announced as an “AI enhanced team member”. That is, a fake person, generated by artificial intelligence. Reem would be making product recommendations to SheerLuxe’s followers – or, to put it another way, doing what SheerLuxe would otherwise pay a person to do.

The reaction was entirely predictable: outrage <https://www.bbc.com/news/articles/c3gw720vz3lo>, followed by a hastily issued apology. One suspects Reem may not become a staple of its editorial team.

This is just the latest in a long line of walkbacks of “exciting AI projects” that have been met with fury by the people they’re meant to excite. The Prince Charles Cinema in Soho, London, canceled <https://www.bbc.co.uk/news/articles/cjll3w15j0yo.amp> a screening of an AI-written film in June, because its regulars vehemently objected. Lego was pressured <https://www.axios.com/2024/03/15/lego-ai-ninjago-images> to take down a series of AI-generated images it published on its website. Doctor Who started experimenting with generative AI, but quickly stopped after a wave of complaints. <https://gizmodo.com/doctor-who-ai-bbc-complaints-response-disney-plus-1851363443>

A company swallows the AI hype, thinks jumping on board will paint it as innovative, and entirely fails to understand the growing anti-AI sentiment taking hold among many of its customers.

Behind the backlash is a range of concerns about AI. Most visceral is its impact on human labour: the chief effect of using AI in many of these situations is that it deprives a person of the opportunity to do the same work. Then there is the fact that AI systems are built by exploiting the work <https://www.noemamag.com/the-exploited-labor-behind-artificial-intelligence/> of the very people they’re designed to replace, trained on their creative output and without paying them. The technology has a tendency to sexualise women <https://www.theguardian.com/technology/2023/feb/08/biased-ai-algorithms-racy-women-bodies>, is used to make deepfakes, has caused tech companies to miss climate targets <https://www.theguardian.com/business/article/2024/jul/04/can-the-climate-survive-the-insatiable-energy-demands-of-the-ai-arms-race> and is not nearly well enough understood for its many risks to be mitigated. This has understandably not led to universal adulation.

As Hayao Miyazaki, the director of Studio Ghibli, the world-renowned animation studio, has said: “I am utterly disgusted … I strongly feel that [AI] is an insult to life itself.” [...]

https://www.theguardian.com/commentisfree/article/2024/jul/27/harm-ai-artificial-intelligence-backlash-human-labour

------------------------------

Date: Fri, 19 Jul 2024 09:00:13 -0700
From: Jim Geissman <jgeissman () socal rr com>
Subject: Restrictions on AI training data (NYTimes)

But there's also a lesson here for big AI companies, who have treated the Internet as an all-you-can-eat data buffet for years, without giving the owners of that data much of value in return. Eventually, if you take advantage of the web, the web will start shutting its doors.

https://www.nytimes.com/2024/07/19/technology/ai-data-restrictions.html

------------------------------

Date: Sat, 27 Jul 2024 18:42:31 +0000 (UTC)
From: Steve Bacher <sebmb1 () verizon net>
Subject: Apple signs on to Biden's responsible AI guidelines (Politico)

https://www.politico.com/news/2024/07/26/apple-biden-ai-00171502

  [Is there any hope that these guidelines are strong enough? PGN]

------------------------------

Date: Mon, 29 Jul 2024 10:39:58 -0400
From: Monty Solomon <monty () roscom com>
Subject: Crypto fanatics flock to Trump, hoping to *make bitcoin great again*
  (WashPost)

The crypto community is rallying behind Trump for the 2024 election, hoping to avoid regulation.

https://www.washingtonpost.com/business/2024/07/27/trump-bitcoin-support-2024-cryptocurrency/

------------------------------

Date: Mon, 22 Jul 2024 09:47:14 -0700
From: Jim Geissman <jgeissman () socal rr com>
Subject: Devastating ransomware attack shuts down L.A. County courts (LATimes)

https://www.latimes.com/california/story/2024-07-22/la-county-court-ransomware

------------------------------

Date: Mon, 29 Jul 2024 09:22:26 -0700
From: "geoff goodfellow" <geoff () iconia com>
Subject: Proofpoint Email Routing Flaw Exploited to Send Millions of Spoofed
  Phishing Emails (The Hacker News)

An unknown threat actor has been linked to a massive scam campaign that exploited an email routing misconfiguration in email security vendor Proofpoint's defenses to send millions of messages spoofing various popular companies like Best Buy, IBM, Nike, and Walt Disney, among others.

"These emails echoed from official Proofpoint email relays with authenticated SPF and DKIM signatures <https://thehackernews.com/2024/02/8000-subdomains-of-trusted-brands.html>, thus bypassing major security protections — all to deceive recipients and steal funds and credit-card details," Guardio Labs researcher Nati Tal said <https://labs.guard.io/echospoofing-a-massive-phishing-campaign-exploiting-proofpoints-email-protection-to-dispatch-3dd6b5417db6> in a detailed report shared with The Hacker News.

The cybersecurity company has given the campaign the name EchoSpoofing. The activity is believed to have commenced in January 2024, with the threat actor exploiting the loophole to send as many as three million emails per day on average, a number that hit a peak of 14 million in early June as Proofpoint began to enact countermeasures.

"The most unique and powerful part of this domain is the spoofing method – leaving almost no chance to realize this is not a genuine email sent from those companies," Tal told the publication.

"This EchoSpoofing concept is really powerful. It's kind of strange it is being used for large-scale phishing like this instead of a boutique spear-phishing campaign – where an attacker can swiftly take any real company team member's identity and send emails to other co-workers – eventually, through high-quality social engineering, get access to internal data or credentials and even compromise the entire company."

The technique, which involves the threat actor sending the messages from an SMTP server on a virtual private server (VPS), is notable for the fact that it complies with authentication and security measures <https://today.ucsd.edu/story/forwarding_based_spoofing> such as SPF and DKIM, which are short for Sender Policy Framework and DomainKeys Identified Mail, respectively, and refer to authentication methods that are designed to prevent attackers from imitating a legitimate domain.

It all goes back to the fact that these messages are routed from various adversary-controlled Microsoft 365 tenants, which are then relayed through Proofpoint enterprise customers' email infrastructures to reach users of free email providers such as Yahoo!, Gmail, and GMX.

This is the result of what Guardio described as a "super-permissive misconfiguration flaw" in Proofpoint servers ("pphosted.com") that essentially allowed spammers to take advantage of the email infrastructure to send the messages. [...]

https://thehackernews.com/2024/07/proofpoint-email-routing-flaw-exploited.html

------------------------------

Date: Mon, 29 Jul 2024 10:44:32 -0400
From: Monty Solomon <monty () roscom com>
Subject: Prominent Short Seller Made Millions Off Bait-and-Switch Scheme,
  U.S. Says (NYTimes)

Federal authorities filed charges against Andrew Left, founder of Citron Research, who they said made at least $16 million from a multiyear scheme to manipulate market prices.
https://www.nytimes.com/2024/07/26/business/andrew-left-short-seller-fraud.html

------------------------------

Date: Sat, 27 Jul 2024 01:59:54 +0000
From: Victor Miller <victorsmiller () gmail com>
Subject: Secure Boot is completely broken on 200+ models from 5 big device
  makers (Ars Technica)

  [Also noted by Monty Solomon]

https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/

On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022.

Report:
https://www.binarly.io/blog/pkfail-untrusted-platform-keys-undermine-secure-boot-on-uefi-ecosystem

------------------------------

Date: Sat, 13 Jul 2024 16:11:45 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: Hackers steal call records of 'nearly all' AT&T customers (BBC)

https://www.bbc.com/news/articles/c51yemmmg9mo

Hackers stole call and text records data from "nearly all" of 109 million AT&T Wireless customers, the telecommunications company disclosed on Friday.

The firm said one suspect had been arrested after the records - from May to October 2022 - were illegally downloaded and copied to a third-party platform this April.

The stolen data did not contain the content of calls or texts, but did record the numbers contacted, as well as the number and lengths of interactions, the company said.

------------------------------

Date: Fri, 26 Jul 2024 11:00:06 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Security Firm Discovers Remote Worker Is North Korean Hacker
  (Michael Kan)

Michael Kan, *PC Magazine*, 23 Jul 2024

KnowBe4, a U.S. security training firm, disclosed that it had unknowingly hired a remote software engineer who turned out to be a North Korean hacker. The firm revealed in a blog post that as soon as the employee received a company-issued Mac, it began to load malware. The Mac's onboard security software detected the malware, however, and the company was able to prevent the hacker from using the device to compromise its internal systems.

------------------------------

Date: Sat, 27 Jul 2024 08:22:11 -0700
From: "Peter G. Neumann" <peter.neumann () sri com>
Subject: New Israeli Spyware (Ha'aretz)

Israeli Cyber Firms Have Developed an 'Insane' New Spyware Tool. No Defense Exists - Israel News (Ha'aretz)
https://www.haaretz.com › Israel News

According to a September 2023 Haaretz magazine article, the Israeli cyberfirm Insanet has developed a new spyware tool called Sherlock that uses ads for tracking and infection. The company was founded by well-known entrepreneurs in offensive cyber and digital intelligence, and is owned by former defense establishment members, including Dani Arditi, a former head of the National Security Council.

------------------------------

Date: Fri, 26 Jul 2024 08:14:43 -0400
From: Monty Solomon <monty () roscom com>
Subject: Windows resiliency: Best practices and the path forward

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-resiliency-best-practices-and-the-path-forward/ba-p/4201550

  [Please remember that *best practices* are generally a minimal set of
  practices that is seriously incomplete and sometimes inappropriate,
  particularly in systems with critical requirements. PGN]

------------------------------

Date: Sat, 27 Jul 2024 10:09:21 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Google reverts TV YouTube app to original search history behavior

On 21 July I noted that the TV app for YouTube (e.g. Android TV, Chromecast with Google TV) had become much harder to use since user-specific search history was no longer being shown, replaced with a list of (as far as I'm concerned) utterly useless "hot, trending" topics.
This meant that users had to manually reenter their common searches with every use. Extremely bad user experience. I made my concerns about this change known to Google. I'm sure I wasn't the only one.

I'm pleased to report that as of this morning, the original behavior has returned to the TV app, with user search history now appearing as it did before. Since this was not the case last night, and the app version is now dated 24 July, this clearly is an update.

------------------------------

Date: Mon, 29 Jul 2024 13:03:24 +0100
From: Martin Ward <mwardgkc () gmail com>
Subject: CrowdStrike and fuzz testing

CrowdStrike were using a *signed* *verified* kernel driver that crashed and caused a blue screen when given a data file consisting of all binary zeros.

Testing programs with random inputs dates back to the 1950s when data was still stored on punched cards. Programmers would use punched cards that were pulled from the trash or card decks of random numbers as input to computer programs. If an execution revealed undesired behavior, a bug had been detected.

In the late 1980's, Prof Barton Miller uncovered bugs in Unix (user mode) utilities by feeding them with random data, a testing method for which he coined the term "fuzz testing".

In April 2012, Google announced ClusterFuzz, a cloud-based fuzzing infrastructure for security-critical components of the Chromium web browser.

In September 2014, Shellshock was disclosed as a family of security bugs in the widely used UNIX Bash shell; most vulnerabilities of Shellshock were found using the fuzzer AFL.

In April 2015, Hanno Böck showed how the fuzzer AFL could have found the 2014 Heartbleed vulnerability.

In September 2016, Microsoft announced Project Springfield, a cloud-based fuzz testing service for finding security critical bugs in software.

In September 2020, Microsoft released OneFuzz, a self-hosted fuzzing-as-a-service platform that automates the detection of software bugs.
And yet, despite all of this, Microsoft signed the CrowdStrike kernel mode driver *without* doing *any* fuzz testing!

Then, CrowdStrike released a data file without testing it.

Then, all the purchasers of CrowdStrike software installed the update on their live systems the moment it was released, without testing it first.

Then, the systems running critical infrastructure bluescreened and could not be fixed remotely, despite the fact that they (1) were controlling critical infrastructure and (2) were running MicroSoft software which is infamous for bluescreening. (They could have used virtual machines or KVM switches to enable remote access at the hardware level).

MicroSoft's greatest contribution to the computer industry has been to convince people that computer errors are just "glitches": a force of nature that we just have to put up with and cannot do anything about.

According to Microsoft, CrowdStrike affected *only* 8.5 million machines ("less than 1% of all Windows computers"), so canceling 6.5% of all air flights worldwide, stopping hospitals from doing anything but emergency operations, preventing 911 calls from going through and so on and so on, is just not a big deal. Nobody needs to lose their job, or stop using MicroSoft software because of it!

  [Nevertheless, it was a big deal for a lot of people who were personally
  affected. PGN]

------------------------------

Date: Fri, 26 Jul 2024 10:59:22 +0100
From: Julian Bradfield <jcb () inf ed ac uk>
Subject: Re: U.S. Gender Care Is Ignoring ... (Ward, RISKS-34.37)
The so-called "comprehensive review" is the UK Cass Report which has been widely criticised for ignoring 98% of the published science: because these studies did not use double-blind testing. But in a medical environment where a treatment is already known to be effective, double-blind testing is unethical and evil.
This is itself gross misrepresentation. The Cass Review considered 103 papers, of which 2% were considered "high-quality", and 56% "moderate quality", and all these were included in the analysis.

Responses to this and some other misrepresentations can be seen here:
https://cass.independent-review.uk/home/publications/final-report/final-report-faqs/

------------------------------

Date: Sat, 27 Jul 2024 12:43:55 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Switzerland now requires all government software to be open source
  (RISKS-34.37)

I suspect that this law is not going to achieve what legislators hope for. Companies who wish to keep their code hidden can do it while still formally complying with the law. E.g., they can post code in assembly (which can be generated automatically by tools like "cc -S") if regulations allow it. There are also shrouding tools which remove comments and change all statements to something like "felicity = commandment + serenity". Such practices may adhere to the letter of the law, but make "public" code virtually unusable for any practical purpose.

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing
 on the keywords in the subject line or cited article leads.
   Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.38
************************
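Added worked example for the Proofpoint/EchoSpoofing item above (not part of the digest, and not Proofpoint's configuration or code). It models the relay decision that the item describes as the "super-permissive misconfiguration": an outbound gateway that relays anything handed over by Microsoft 365, compared with one that only relays mail from an allow-listed tenant whose From: domain the customer owns. The tenant is read from the X-OriginatorOrg header that Exchange Online stamps on outbound mail (assumed here as the tenant identifier); the domains, tenant names and both messages are constructed.

```python
"""Relay acceptance policy for an outbound email-security gateway sitting in
front of Microsoft 365.  Simplified model, not a vendor's code.  Assumes the
relay sees an X-OriginatorOrg header naming the sending tenant."""
from email import message_from_bytes
from email.utils import parseaddr

CUSTOMER_DOMAINS = {"example.com"}   # constructed: domains the customer may send as
ALLOWED_TENANTS = {"example.com"}    # constructed: X-OriginatorOrg of the customer's own tenant(s)

# Constructed messages as they would arrive at the relay from Microsoft 365.
LEGIT_MSG = b"""From: alerts@example.com
To: user@example.net
Subject: Monthly statement
X-OriginatorOrg: example.com

Your statement is ready.
"""

SPOOFED_MSG = b"""From: promo@example.com
To: victim@example.net
Subject: Your account needs attention
X-OriginatorOrg: attacker-tenant.onmicrosoft.com

Please verify your card details.
"""


def sender_domain(msg):
    """Domain of the RFC 5322 From: address, lower-cased ('' if absent)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def permissive_policy(raw, arrived_from_m365):
    """The misconfiguration: every message handed over by Microsoft 365 is
    relayed, whichever tenant produced it.  Once relayed it leaves through
    the customer's outbound path, so SPF and DKIM pass for the spoofed mail."""
    return arrived_from_m365


def tenant_pinned_policy(raw, arrived_from_m365,
                         tenants=ALLOWED_TENANTS, domains=CUSTOMER_DOMAINS):
    """Relay only mail from an allow-listed tenant whose From: domain the
    customer owns.  This decision happens before signing, so it decides
    whose mail gets the customer's SPF/DKIM reputation."""
    if not arrived_from_m365:
        return False
    msg = message_from_bytes(raw)
    tenant = (msg.get("X-OriginatorOrg") or "").strip().lower()
    return tenant in tenants and sender_domain(msg) in domains


def evaluate(policy):
    """Apply a policy to both constructed messages; True means 'relay it'."""
    return {"legit": policy(LEGIT_MSG, True),
            "spoofed": policy(SPOOFED_MSG, True)}


if __name__ == "__main__":
    print("permissive   :", evaluate(permissive_policy))
    print("tenant-pinned:", evaluate(tenant_pinned_policy))
```

The point the model makes is that SPF and DKIM authenticate the last hop, not the originator: once the relay accepts a message, the signatures it adds are genuine. The control therefore has to sit at the acceptance decision, binding relayed mail to the customer's own tenant and domains, rather than downstream where the mail already looks authentic.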
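Added worked example for the Secure Boot item above (not part of the digest, and not Binarly's or any vendor's code): an audit of the Platform Key (PK) variable that parses its EFI_SIGNATURE_LIST chain, fingerprints each X.509 entry and flags fingerprints you have decided not to trust. The efivarfs path, the EFI_CERT_X509_GUID value and the signature-list layout follow the UEFI specification; the untrusted-fingerprint table is a placeholder to be filled from your vendor's advisory, and the sample signature list uses constructed bytes rather than a real certificate.

```python
"""Audit the Secure Boot PK variable against a list of untrusted certificate
fingerprints.  Layout per UEFI spec; fingerprint table and sample are
constructed placeholders."""
import hashlib
import struct
import uuid

# Standard UEFI identifiers: the PK variable on Linux efivarfs and the
# signature-type GUID for X.509 certificates.
PK_EFIVAR = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIGLIST_HDR = 16 + 4 + 4 + 4   # SignatureType, ListSize, HeaderSize, SignatureSize

# Placeholder: SHA-256 (hex) of certificates that must never act as PK, e.g.
# vendor test keys named in an advisory.  The single entry is constructed.
UNTRUSTED_PK_SHA256 = {
    "0" * 64: "PLACEHOLDER - replace with a real untrusted PK fingerprint",
}


def fingerprint(cert_der):
    """SHA-256 hex fingerprint of a certificate's DER bytes."""
    return hashlib.sha256(cert_der).hexdigest()


def strip_efivar_attributes(raw):
    """efivarfs prefixes each variable's data with a 4-byte attribute word."""
    if len(raw) < 4:
        raise ValueError("efivar too short")
    return raw[4:]


def parse_signature_lists(blob):
    """Return [(sig_type, owner_guid, data)] from a chain of EFI_SIGNATURE_LISTs."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < SIGLIST_HDR or end > len(blob) or sig_size < 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos = off + SIGLIST_HDR + hdr_size
        while pos + sig_size <= end:              # each entry: owner GUID + data
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def audit_pk(blob, untrusted=UNTRUSTED_PK_SHA256):
    """Fingerprint every X.509 entry of the PK and flag untrusted ones."""
    report = []
    for sig_type, owner, data in parse_signature_lists(blob):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        fp = fingerprint(data)
        report.append({"owner": str(owner), "sha256": fp, "untrusted": fp in untrusted})
    return report


def build_signature_list(sig_type, owner, data):
    """One EFI_SIGNATURE_LIST holding a single entry (used for constructed input)."""
    sig_size = 16 + len(data)
    return (sig_type.bytes_le
            + struct.pack("<III", SIGLIST_HDR + sig_size, 0, sig_size)
            + owner.bytes_le + data)


# Constructed sample: the owner GUID is made up and the "certificate" is just
# marker bytes standing in for DER.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_CERT = b"CONSTRUCTED-NOT-A-REAL-CERTIFICATE"
SAMPLE_PK = build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, SAMPLE_CERT)


def audit_live_pk(path=PK_EFIVAR):
    """Read and audit this machine's PK (needs a UEFI Linux host with efivarfs)."""
    with open(path, "rb") as fh:
        return audit_pk(strip_efivar_attributes(fh.read()))


if __name__ == "__main__":
    try:
        print(audit_live_pk())
    except OSError as exc:
        print("no readable PK variable here:", exc)
        print(audit_pk(SAMPLE_PK, {fingerprint(SAMPLE_CERT): "constructed"}))
```

An "untrusted" hit means the firmware will accept whatever that key's holder signs, which is the situation the item describes; a miss only means the PK is not on your list, so the fingerprint should still be compared with the one the device vendor publishes.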
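Added worked example for the CrowdStrike/fuzz testing item above (not part of the digest, and not CrowdStrike's or Microsoft's file format or code). It shows the kind of harness the item argues should have run before signing and release: a small constructed update-file format, a parser that trusts its header and so falls over on an all-zeros file, a parser that validates first, and a fuzzer that feeds both edge-case seeds (empty, all zeros, truncated) and random mutations of a valid file, reporting every exception that is not a clean rejection. All names and the format are constructed for illustration.

```python
"""Fuzz a data-file parser with edge-case seeds and random mutations.
Toy format and both parsers are constructed; ParseError is the only
exception a well-behaved parser should raise."""
import random
import struct

MAGIC = b"UPD1"      # constructed magic for the toy update-file format
HEADER_LEN = 12      # magic(4) + record count (u32 LE) + record stride (u32 LE)


class ParseError(Exception):
    """Clean rejection of malformed input."""


def build_file(values, stride=4):
    """Build a well-formed toy update file holding `values` as fixed-width ints."""
    body = b"".join(v.to_bytes(stride, "little") for v in values)
    return struct.pack("<4sII", MAGIC, len(values), stride) + body


def parse_naive(data):
    """Trusts the header.  An all-zero file gives stride 0 and range() raises;
    a file shorter than the header makes struct raise.  In a kernel driver
    either is a crash rather than a rejected update."""
    stride = struct.unpack_from("<I", data, 8)[0]
    body = data[HEADER_LEN:]
    return [int.from_bytes(body[o:o + stride], "little")
            for o in range(0, len(body), stride)]


def parse_checked(data):
    """Validates every header field before using it; bad input -> ParseError."""
    if len(data) < HEADER_LEN:
        raise ParseError("truncated header")
    magic, count, stride = struct.unpack_from("<4sII", data, 0)
    if magic != MAGIC:
        raise ParseError("bad magic")
    if not 1 <= stride <= 8:
        raise ParseError(f"bad stride {stride}")
    body = data[HEADER_LEN:]
    if len(body) != count * stride:
        raise ParseError("body length does not match header")
    return [int.from_bytes(body[o:o + stride], "little")
            for o in range(0, len(body), stride)]


def mutate(rng, data):
    """One random mutation: overwrite a few bytes, truncate, or replace wholesale."""
    buf = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0 and buf:
        for _ in range(rng.randint(1, 4)):
            buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1:
        del buf[rng.randrange(len(buf) + 1):]
    else:
        buf = bytearray(rng.randrange(256) for _ in range(rng.randrange(40)))
    return bytes(buf)


def fuzz(parser, iterations=2000, seed=1):
    """Run `parser` over edge-case seeds and mutated valid files.  Returns
    [(case label, exception name)] for every uncontrolled exception."""
    rng = random.Random(seed)
    valid = build_file([1, 2, 3])
    seeds = [b"", bytes(64), valid[:5], valid, bytes([0xFF]) * 32]
    findings = []

    def run(label, case):
        try:
            parser(case)
        except ParseError:
            pass                      # rejected cleanly: not a finding
        except Exception as exc:      # anything else would be a crash in C
            findings.append((label, type(exc).__name__))

    for i, case in enumerate(seeds):
        run(f"seed{i}", case)
    for i in range(iterations):
        run(f"mut{i}", mutate(rng, valid))
    return findings


if __name__ == "__main__":
    for name, parser in (("naive", parse_naive), ("checked", parse_checked)):
        found = fuzz(parser)
        print(f"{name}: {len(found)} uncontrolled exceptions, e.g. {found[:3]}")
```

Seeding with the degenerate files (empty, all zeros, truncated) costs nothing and catches exactly the failure the item describes before any random mutation is tried; the random phase then covers the header combinations a human would not think to write down.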