
Risks Digest 34.42
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 26 Aug 2024 20:09:29 PDT
RISKS-LIST: Risks-Forum Digest  Monday 26 Aug 2024  Volume 34 : Issue 42

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/34.42>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Protecting Connected Self-Driving Vehicles from Hackers (Patricia DeLacey)
ARRL hit with ransomware (Steve Golson)
Fake QR codes posted on Redondo Beach parking meters to scam drivers, police say (LA Times)
Toward a Code-Breaking Quantum Computer (Adam Zewe)
Multiple Flaws in Microsoft macOS Apps Unpatched Despite Potential Risks (Connor Jones)
More on Boeing fuselage panel blowout (Seattle Times)
Park'N Fly reveals data breach affecting 1 million customer files (CBC)
Local Networks Go Global When Domain Names Collide (Krebs)
Biometrics in the workplace may be the way of the future. But at what cost? (CBC)
Telegram billionaire co-founder Pavel Durov arrested (Lauren Weinstein)
Almost half of FDA-approved AI medical devices are not trained on real patient data (MedicalXpress.com)
How much more water and power does AI computing demand?
  Tech firms don't want you to know (LA Times)
How Section 230 Is Being Used Against Tech Giants Like Meta (NY Times)
Two policy articles suggested by Dan Geer (PGN)
Re: Policy, due care, and the failure of Heartland Tri-State (Geoff Kuenning, Cliff Kilby)
Re: Birmingham Oracle (Cliff Kilby)
Re: High-end racing bikes are now vulnerable to hacking (Geoff Kuenning)
Re: Feds sue Georgia Tech for lying bigly about computer security (Geoff Kuenning)
Re: Kroger unveils AI-powered automatic price gouger (Wol)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 26 Aug 2024 11:38:17 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Protecting Connected Self-Driving Vehicles from Hackers (Patricia DeLacey)

Patricia DeLacey, University of Michigan Computer Science and Engineering, 20 Aug 2024, via ACM TechNews

University of Michigan (U-M) researchers found that connected self-driving vehicles are vulnerable to data fabrication attacks, which occur when hackers remove real objects from or insert fake objects into perception data. Researchers at U-M's Mcity Test Facility used falsified LiDAR-based 3D sensor data and zero-delay attack scheduling to better understand the security vulnerabilities, and developed the Collaborative Anomaly Detection system as a countermeasure. The system uses shared 2D occupancy maps to cross-check the data and quickly identify geometric inconsistencies.

------------------------------

Date: Sun, 25 Aug 2024 23:48:39 -0400
From: Steve Golson <sgolson () trilobyte com>
Subject: ARRL hit with ransomware

American Radio Relay League (ARRL), the U.S. national association for amateur radio, was hit with a sophisticated ransomware attack.
https://www.arrl.org/news/arrl-it-security-incident-report-to-members

Sometime in early May 2024, ARRL’s systems network was compromised by threat actors (TAs) using information they had purchased on the dark web. The TAs accessed headquarters on-site systems and most cloud-based systems. They used a wide variety of payloads affecting everything from desktops and laptops to Windows-based and Linux-based servers. Despite the wide variety of target configurations, the TAs seemed to have a payload that would host and execute encryption or deletion of network-based IT assets, as well as launch demands for a ransom payment, for every system.

This serious incident was an act of organized crime. The highly coordinated and executed attack took place during the early morning hours of May 15. That morning, as staff arrived, it was immediately apparent that ARRL had become the victim of an extensive and sophisticated ransomware attack. The FBI categorized the attack as “unique” as they had not seen this level of sophistication among the many other attacks they have experience with.

The ransom demands by the TAs, in exchange for access to their decryption tools, were exorbitant. It was clear they didn’t know, and didn’t care, that they had attacked a small 501(c)(3) organization with limited resources. Their ransom demands were dramatically weakened by the fact that they did not have access to any compromising data. It was also clear that they believed ARRL had extensive insurance coverage that would cover a multi-million-dollar ransom payment.

  [Also noted by Gabe Goldberg.
  PGN]

------------------------------

Date: Mon, 26 Aug 2024 06:40:28 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: Fake QR codes posted on Redondo Beach parking meters to scam drivers, police say (LA Times)

The QR codes, which appear to be connected to a 'quishing' scam, were found on about 150 parking meters along the Esplanade and in the Riviera Village area, police said.

Someone affixed fraudulent QR codes to parking meters in popular areas of Redondo Beach in an attempt to scam residents and visitors, authorities warned. The QR codes — which direct people to a website that’s not affiliated with the city or its official parking meter system — were found on about 150 parking meters along the Esplanade and in the Riviera Village area, the Redondo Beach Police Department said Saturday in a news release. When users reached that website, poybyphone.online, they were prompted to enter their location and payment information. [...]

https://www.latimes.com/california/story/2024-08-25/fake-qr-codes-posted-on-redondo-beach-parking-meters-to-scam-people-police-say

  [How can the police department become non-Redondont? PGN]
  [Now we have to worry about squishing quishing. PGN]
  [Perhaps the `o' in `poy' was in cyrillic? PGN]

------------------------------

Date: Mon, 26 Aug 2024 11:38:17 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Toward a Code-Breaking Quantum Computer (Adam Zewe)

Adam Zewe, *MIT News*, 23 Aug 2024, via ACM TechNews

Massachusetts Institute of Technology (MIT) researchers have developed an algorithm that could help pave the way for encryption methods strong enough to withstand a quantum computer's code-breaking power and feasible to implement. The new algorithm uses a series of Fibonacci numbers requiring simple multiplication instead of squaring, which allows any exponent to be computed using only two qubits. It also addresses error correction, filtering out corrupt results and processing only correct ones.
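The Redondo Beach item above (a lookalike host, poybyphone.online, and PGN's aside about a possible Cyrillic `o') is the classic quishing pattern: the QR code itself is harmless, the host it points at is the attack. The following is an added example, not code from the digest or from the LA Times article, of how a client-side checker would triage a decoded QR payload. It assumes, for illustration only, that the legitimate vendor host is paybyphone.com (the article does not name the city's provider); the confusable-character table is a constructed subset, and the registrable-domain logic is deliberately crude (no Public Suffix List).

```python
"""Triage a URL decoded from a parking-meter QR code before anyone types card
details into it. Added example; the allowlisted host is an assumption."""
import unicodedata
from urllib.parse import urlsplit

# Assumed for the example: the operator's genuine payment host(s).
ALLOWED_HOSTS = {"paybyphone.com"}

# Constructed subset of Cyrillic/Greek letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u03bf": "o",
}


def registrable(host: str) -> str:
    """Last two labels. Crude (no Public Suffix List) but enough for .com/.online."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(label: str) -> str:
    """What a human *sees*: fold compatibility forms, map confusables to Latin."""
    folded = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small values against a brand name mean typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_qr_url(url: str) -> dict:
    """Return {'host', 'verdict', 'reason'}; verdict is allow, block or review."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.hostname or ""
    # Punycode (xn--) hides the glyphs; decode so we judge what the user would see.
    try:
        shown = host.encode("ascii").decode("idna") if host.isascii() else host
    except UnicodeError:
        shown = host
    if shown in ALLOWED_HOSTS or registrable(shown) in ALLOWED_HOSTS:
        return {"host": shown, "verdict": "allow", "reason": "allowlisted"}

    reasons = []
    if not shown.isascii():
        reasons.append("non-ASCII characters in host (possible homoglyph)")
    brand = skeleton(registrable(shown).split(".")[0])
    for good in sorted(ALLOWED_HOSTS):
        good_brand = good.split(".")[0]
        d = levenshtein(brand, good_brand)
        if d == 0:
            reasons.append(f"looks identical to {good} but is a different domain")
        elif d <= 2:
            reasons.append(f"within {d} edit(s) of {good}")
        elif good_brand in shown.split(".")[:-2]:
            reasons.append(f"uses the {good} name as a subdomain of another domain")
    if parts.scheme != "https":
        reasons.append("not HTTPS")
    verdict = "block" if reasons else "review"
    return {"host": shown, "verdict": verdict,
            "reason": "; ".join(reasons) or "unknown host"}


if __name__ == "__main__":
    for u in ("https://poybyphone.online/pay", "https://p\u0430ybyphone.com/",
              "https://paybyphone.com.example.online/", "https://paybyphone.com/"):
        print(triage_qr_url(u))
```

Three things the check catches that a human glancing at a phone screen does not: a one-letter edit (poybyphone), a homoglyph that is byte-for-byte different but visually identical, and the brand name buried as a subdomain of someone else's domain. Anything not on the allowlist is at best "review"; the safe answer for a parking meter is to use the city's published app or number, not the sticker.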
------------------------------

Date: Mon, 26 Aug 2024 11:38:17 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Multiple Flaws in Microsoft macOS Apps Unpatched Despite Potential Risks (Connor Jones)

Connor Jones, *The Register*, 19 Aug 2024, via ACM TechNews

Security researchers at Cisco Talos identified eight flaws in Microsoft's macOS apps that could allow hackers to access a device to record video and sound, obtain sensitive data, log user input, and escalate privileges. The vulnerabilities affect Microsoft products Excel, OneNote, Outlook, PowerPoint, Teams, and Word. The researchers said Microsoft considers the flaws to be low risk and has no plans to fix them.

------------------------------

Date: Sun, 25 Aug 2024 12:31:19 -0700
From: "George V. Reilly" <george () reilly org>
Subject: More on Boeing fuselage panel blowout (Seattle Times)

A cascade of diffuse responsibility and pressure to finish the job.

The near-catastrophic midair blowout of a door-sized fuselage panel on an Alaska Airlines 737 MAX 9 in Jan 2024 was caused by two distinct manufacturing errors by different crews on successive days last fall in Boeing’s assembly plant in Renton. The first manufacturing lapse occurred within a four-hour window early 18 Sep 2023. On the evening of the next day, in the space of about an hour, the second error was made by a different crew of mechanics, untrained to work on that fuselage panel, known as a door plug, according to federal investigative and internal Boeing records. Boeing’s quality control system failed to catch the faulty work performed within those two windows.
https://www.seattletimes.com/business/boeing-aerospace/inside-boeings-factory-lapses-that-led-to-alaska-air-blowout

------------------------------

Date: Mon, 26 Aug 2024 17:11:29 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: Park'N Fly reveals data breach affecting 1 million customer files (CBC)

https://www.cbc.ca/news/business/park-n-fly-data-breach-canada-1.7305301

Parking provider Park'N Fly has disclosed that an unauthorized third party breached its network last month and gained access to one million customer files. The breach occurred from July 11 to July 13, but the company said in a statement that an investigation has determined that "no payment information was compromised." Park'N Fly said the personal information that was accessed may include "names and basic contact information," including email and mailing addresses. The company said it has taken steps to upgrade its network security and has notified customers about the breach.

------------------------------

Date: Sun, 25 Aug 2024 15:45:36 +0000 (UTC)
From: "Steve Bacher" <sebmb1 () verizon net>
Subject: Local Networks Go Global When Domain Names Collide (Krebs)

The proliferation of new top-level domains (TLDs) has exacerbated a well-known security weakness: Many organizations set up their internal Microsoft authentication systems years ago using domain names in TLDs that didn’t exist at the time. Meaning, they are continuously sending their Windows usernames and passwords to domain names they do not control and which are freely available for anyone to register. Here’s a look at one security researcher’s efforts to map and shrink the size of this insidious problem.

https://krebsonsecurity.com/2024/08/local-networks-go-global-when-domain-names-collide/

------------------------------

Date: Sun, 25 Aug 2024 10:13:02 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: Biometrics in the workplace may be the way of the future. But at what cost?
  (CBC)

https://www.cbc.ca/radio/costofliving/biometrics-in-workplace-1.7300573

When Ellie Thomson arrives at work, she doesn't punch in on a physical clock or even check in on an app. Instead, she scans her finger.

"Seeing everyone else go ahead and do it, it just figured like the right thing to do and there was no issues with it," Thomson told Cost of Living.

Thomson is a 21-year-old server and bartender at charbar in Calgary. She's one of many employees who now use biometric technology such as fingerprint scanning to clock in and out, and that number is rising.

------------------------------

Date: Sat, 24 Aug 2024 16:42:10 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Telegram billionaire co-founder Pavel Durov arrested in France

Apparently part of an investigation into reported use of Telegram for criminal activity.

------------------------------

Date: Tue, 27 Aug 2024 00:33:00 +0000
From: Richard Marlon Stein <rmstein () protonmail com>
Subject: Almost half of FDA-approved AI medical devices are not trained on real patient data (MedicalXpress.com)

https://medicalxpress.com/news/2024-08-fda-ai-medical-devices-real.html

"Although AI device manufacturers boast of the credibility of their technology with FDA authorization, clearance does not mean that the devices have been properly evaluated for clinical effectiveness using real patient data."

There's no standard for the clinical evaluation of Medical AI. The FDA's evaluation of device approval is guided by evidence generated from retrospective studies, prospective studies and randomized control trials. Is simulated patient data a viable alternative for device approval? We're about to discover that answer.

The FDA MAUDE platform documents adverse device reports for injury, malfunction, and death events for approved medical devices (with or without AI) sold into the consumer marketplace.
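The domain-collision item above (Krebs) describes a weakness that is easy to audit for: take every DNS suffix your Active Directory forest and DHCP search lists hand to clients, and ask whether its rightmost label is a TLD that now exists in the public root, a special-use name that never will, or something that merely has not been delegated yet. The following added example (not code from the Krebs article or from the researcher it profiles) does that classification. The TLD subset, the special-use list and the "owned" inventory are constructed for the demo; a real run loads the live root-zone list from https://data.iana.org/TLD/tlds-alpha-by-domain.txt and uses the Public Suffix List rather than "last two labels" to find the registrable domain.

```python
"""Classify internal DNS suffixes by whether their top-level label collides with
the public DNS. Added example; lists below are constructed for the demo."""

# Constructed subset of TLDs in the root zone. A real check loads the live list:
# https://data.iana.org/TLD/tlds-alpha-by-domain.txt
DELEGATED_TLDS = {
    "com", "net", "org", "uk", "network", "group", "cloud", "global",
    "office", "inc", "llc", "dev", "app", "online", "zone", "systems",
}

# Special-use names that will never be delegated (RFC 6761, RFC 6762, RFC 8375;
# .internal was reserved by ICANN in 2024).
SPECIAL_USE = {"local", "localhost", "test", "example", "invalid",
               "home.arpa", "internal"}

# Constructed inventory of registrable domains this organisation controls.
OWNED_DOMAINS = {"contoso-corp.com"}


def classify(name: str) -> str:
    """One of: single-label, reserved, owned, collision, undelegated."""
    labels = name.lower().strip().rstrip(".").split(".")
    if len(labels) == 1:
        # Flat name: resolved via the suffix search list, then LLMNR/NBNS.
        return "single-label"
    tld = labels[-1]
    if tld in SPECIAL_USE or ".".join(labels[-2:]) in SPECIAL_USE:
        return "reserved"
    registrable = ".".join(labels[-2:])   # crude; use the Public Suffix List for real
    if tld in DELEGATED_TLDS:
        # Public TLD: credentials for this suffix leave the LAN if the laptop does.
        return "owned" if registrable in OWNED_DOMAINS else "collision"
    # Not public today; becomes a collision the day ICANN delegates the string.
    return "undelegated"


def report(names) -> dict:
    """Group names by classification; 'collision' is the list to act on first."""
    out = {}
    for n in names:
        out.setdefault(classify(n), []).append(n)
    return out


# Constructed sample of suffixes lifted from a DHCP search list / AD forest.
SAMPLE = [
    "ad.contoso.local", "corp.contoso-corp.com", "ad.contoso.network",
    "intranet.contoso.corp", "CONTOSO", "mail.contoso.office", "srv.home.arpa",
]

if __name__ == "__main__":
    for cls, names in sorted(report(SAMPLE).items()):
        print(f"{cls:13s} {', '.join(names)}")
```

Anything in the "collision" bucket is a name someone else can register, after which every roaming laptop that tries its usual suffix from a hotel network sends the request, and with some services the NTLM exchange, to a server the attacker runs. The fix is either to own the registrable domain (register it, even if only to park it) or to rename the suffix, and renaming an AD forest is the expensive option. "Undelegated" names are not safe, only not yet unsafe; the "reserved" ones are the only class the public DNS cannot take from you.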
------------------------------

Date: Mon, 26 Aug 2024 06:38:27 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: How much more water and power does AI computing demand? Tech firms don't want you to know (LA Times)

Every time someone uses ChatGPT to write an essay, create an image or advise them on planning their day, the environment pays a price. A query on the chatbot that uses artificial intelligence is estimated to require at least 10 times more electricity than a standard search on Google. If all Google searches similarly used generative AI, they might consume as much electricity as a country the size of Ireland, calculates Alex de Vries, the founder of Digiconomist, a website that aims to expose the unintended consequences of digital trends.

Yet someone using ChatGPT or another artificial intelligence application has no way of knowing how much power their questions will consume as they are processed in the tech companies’ enormous data centers. [...]

https://www.latimes.com/environment/story/2024-08-26/tech-firms-conceal-water-and-power-demands-of-ai-computing

------------------------------

Date: Sun, 25 Aug 2024 19:16:36 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: How Section 230 Is Being Used Against Tech Giants Like Meta (The New York Times)

A Massachusetts professor has filed a lawsuit against Meta using a novel interpretation of Section 230, a law known primarily for shielding social media companies from liability.

Facebook, X, YouTube and other social media platforms rely on a 1996 law to insulate themselves from legal liability for user posts. The protection from this law, Section 230 of the Communications Decency Act, is so significant that it has allowed tech companies to flourish. But what if the same law could be used to rein in the power of those social media giants? That idea is at the heart of a lawsuit filed in May against Meta, the owner of Facebook, Instagram and WhatsApp.
The plaintiff has asked a federal court to declare that a little-used part of Section 230 makes it permissible for him to release his own software that lets users automatically unfollow everyone on Facebook. The lawsuit, filed by Ethan Zuckerman, a public policy professor at the University of Massachusetts Amherst, is the first to use Section 230 against a tech giant in this way, his lawyers said. It is an unusual legal maneuver that could turn a law that typically protects companies like Meta on its head. And if Mr. Zuckerman succeeds, it could mean more power for consumers to control what they see online.

https://www.nytimes.com/2024/08/20/technology/meta-section-230-lawsuit.html?unlocked_article_code=1.Fk4.86mE.Yf_Ivbw_qdOS&smid=nytcore-ios-share&referringSource=articleShare&sgrp=c-cb

As plenty of comments note, control what you see by not being on Facebook. That appears to be possible, contrary to far-too-common belief.

------------------------------

Date: Mon, 26 Aug 2024 8:41:41 PDT
From: Peter Neumann <neumann () csl sri com>
Subject: Two policy articles suggested by Dan Geer

Cyber-Effects in Warfare: Categorizing the Where, What, and Why
Jason Healey
https://tnsr.org/2024/08/cyber-effects-in-warfare-categorizing-the-where-what-and-why/

Data as Ammunition: A New Framework for Information Warfare
Lt. Col. Jessica Dawson and Col. Katie E. Matthew
https://cyberdefensereview.army.mil/Portals/6/Documents/2024_Summer/CDRV9N2_Summer_2024-SE-Web.pdf

------------------------------

Date: Sun, 25 Aug 2024 02:34:07 -0700
From: Geoff Kuenning <geoff () cs hmc edu>
Subject: Re: Policy, due care, and the failure of Heartland Tri-State Bank (Kilby, RISKS-34.41)

Or quite possibly the policy is wrong, imposed by somebody who is blindly parroting advice that they themselves don't understand.
A perfect example is the commonly enforced policy that passwords should be forcibly changed on a periodic basis, which was originally recommended by NIST based on a fundamental misunderstanding of the issues. (That particular bit of bad advice has recently been rescinded, but many organizations are still following it.)

------------------------------

Date: Sun, 25 Aug 2024 06:32:40 -0400
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: Re: Policy, due care, and the failure of Heartland Tri-State Bank (Kuenning, RISKS-34.42)

"If the company adopts a poor practice as policy, follow the policy, but report the poor practice to your supervisor, the GRC team, or your Ethics line, should you be in a company large enough to have one."

The policy may be stupid, or out of date, or in the case of mandatory password resets, demanded by insurance carriers or contract. PCI-DSS continues to be a big driver of the rotation policy.
https://www.pcisecuritystandards.org/documents/PCI-DSS-v3-2-1-to-v4-0-Summary-of-Changes-r1.pdf

Failure to adhere to PCI-DSS can get your company stripped of the ability to process credit cards. In Heartland's case, failure to follow wire/transfer limit policy appears to have contributed directly to the bank's failure. It doesn't matter why it's policy; if it's not your job to review and change policy, follow the policy and report the poor practice.

Another example:
  Policy: Use Antivirus (AV).
  Action: The policy impedes my job, I won't.
  Result: Lawsuit, directed at the specific individual who decided not to follow policy, and the org that permitted it to be bypassed.
https://arstechnica.com/security/2024/08/oh-your-cybersecurity-researchers-wont-use-antivirus-tools-heres-a-federal-lawsuit/

Is traditional AV less than 100% effective? Most likely.
https://scholarworks.gsu.edu/cgi/viewcontent.cgi?article=1000&context=ebcs_tools

Can it be used as a security control for the swiss cheese model? Absolutely.
https://en.m.wikipedia.org/wiki/Swiss_cheese_model

Was it contractually specified? If so, it doesn't matter if it is effective or difficult to maintain. The contract will tend to become the risk first.

------------------------------

Date: Sun, 25 Aug 2024 07:27:11 -0400
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: Re: Birmingham Oracle (Tom Van Vleck, RISKS-34.41)

Tom,

Would you see this as an example of selection bias? I.e., are there few reports of an Oracle implementation coming in on time/on budget because estimates are hard, or because there is a tendency to underreport things that worked as they were anticipated to?

I am not familiar with the Birmingham IT procurement system. I wonder if they (or Oracle) attempted to account for Hofstadter at all.

------------------------------

Date: Sun, 25 Aug 2024 02:22:49 -0700
From: Geoff Kuenning <geoff () cs hmc edu>
Subject: Re: High-end racing bikes are now vulnerable to hacking (The Verge)

As an avid (if third-rate) cyclist and racing fan, I of course read the paper.

On the plus side, the attacks would be hard to deploy in practice: they require prior proximity to the victim's bike and need to be in the vicinity at the moment of the attack. Even on steep climbs, professional racers go by at 10-15 MPH (15-25 KPH), and in sprints they're going over 40 (65), so the in-range time for a spectator is minimal. You also have to fake them out at the right moment. Thus, the best approach would be to have the attacking equipment in a nearby rider's pocket, and the uncertainties of racing (plus the weight issues) make that unlikely.

On the minus side, this highlights the fact that we don't train budding computer scientists (and, sadly, engineers in other disciplines who think they're qualified to write code) in security issues--especially relatively subtle vulnerabilities like this one.
The most important RISK given in the paper is a replay attack, which is *well* known to the security community but not to most programmers. Perhaps every CS degree should include a semester that covers nothing but types of attacks, ignoring mitigations because it's better to spend the time on variations?

(BTW, my current bike has wired electronic shifting. I don't race any more anyway, but the paper highlighted that there is *NO* benefit to going wireless; in fact it almost certainly adds unwanted weight for extra batteries. Wireless shifters are just a case of manufacturers adopting the latest tech just because (a) it's "cool" and (b) they think wires are ugly.)

------------------------------

Date: Sun, 25 Aug 2024 02:29:44 -0700
From: Geoff Kuenning <geoff () cs hmc edu>
Subject: Re: Feds sue Georgia Tech for lying bigly about computer security (DoJ)

This story scares me. There is a current trend toward blindly applying high-level "security" rules to all computers in an organization, regardless of their purpose and existing defenses. I've seen this with my own machines (which have extremely strong defenses): hired-gun outsiders who have no clear understanding of CS unilaterally decided to block access to all sorts of ports that they see as vulnerabilities. In my own case I've had to fight to get necessary ports unblocked, modify how I operate, and even rewrite software to work around their unjustified and unfocused paranoia. Not to mention the people (some of whom are at Georgia Tech) who are doing security research and *need* to keep their honeypots and sandboxes open to attackers.

------------------------------

Date: Sun, 25 Aug 2024 17:22:36 +0100
From: Wol <antlists () youngman org uk>
Subject: Re: Kroger unveils AI-powered automatic price gouger (Levine, RISKS-34.41)

My employer is trying to do exactly this. They want to know how much "must be sold" stock is left in the warehouse as end-of-day approaches.
Unfortunately, the IT department is telling the analysts they need to wait an hour or so, so IT can make sure the data is accurate. Classic confusion between "timely" and "accurate" - how can the data be accurate if it's an hour out-of-date, and rather more important, how can the 3pm data be timely if the store closes at 4pm!

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.
 Try browsing on the keywords in the subject line or cited article leads.
 Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.42
************************
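The replay attack Geoff Kuenning singles out in the racing-bikes thread above is the kind of thing that is obvious once seen and invisible until then: if a "shift up" frame is accepted on its own merits, anyone who recorded it can shift your gears. The following is an added example, not code from the paper, from The Verge, or from any shifter vendor, contrasting an unauthenticated receiver with one that binds every command to a monotonically increasing counter under an HMAC and refuses counters it has already passed. Frame layout, the pairing key and the 12-speed gear range are assumptions made for the demo.

```python
"""Replay of an unauthenticated wireless 'shift' command, beside a counter-plus-MAC
receiver that rejects the replayed frame. Added example; layout and key are assumed."""
import hashlib
import hmac
import struct

PAIRING_KEY = bytes(range(16))   # assumption: pairing provisions a shared secret
TAG_LEN = 8                      # truncated HMAC-SHA256 tag; 64 bits is fine for a demo
GEARS = range(1, 13)             # assumed 12-speed cassette


class NaiveReceiver:
    """Acts on any well-formed frame: a captured 'UP' can be replayed forever."""
    def __init__(self):
        self.gear = 5

    def accept(self, frame: bytes) -> bool:
        return self._shift(frame.decode(errors="replace"))

    def _shift(self, cmd: str) -> bool:
        new = self.gear + {"UP": 1, "DOWN": -1}.get(cmd, 0)
        if cmd not in ("UP", "DOWN") or new not in GEARS:
            return False
        self.gear = new
        return True


class AuthTransmitter:
    """Each frame = 4-byte big-endian counter || command || HMAC tag over both."""
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def frame(self, cmd: str) -> bytes:
        self.counter += 1
        body = struct.pack(">I", self.counter) + cmd.encode()
        return body + hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]


class AuthReceiver(NaiveReceiver):
    """Verifies the tag, then refuses any counter not greater than the last one seen."""
    def __init__(self, key: bytes):
        super().__init__()
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) < 4 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return False                      # forged or corrupted frame
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return False                      # replayed (or stale) frame
        # Advance the window *before* applying the command, so a frame refused for
        # being out of gear range cannot be saved and replayed later.
        self.last_counter = counter
        return self._shift(body[4:].decode(errors="replace"))


def replay_demo() -> tuple:
    """Eavesdropper records one legitimate 'UP' and replays it three times.
    Returns (gear on naive receiver, gear on authenticated receiver)."""
    naive = NaiveReceiver()
    captured = b"UP"
    naive.accept(captured)                  # the rider's own shift
    for _ in range(3):
        naive.accept(captured)              # attacker's replays all land

    tx, rx = AuthTransmitter(PAIRING_KEY), AuthReceiver(PAIRING_KEY)
    captured = tx.frame("UP")
    rx.accept(captured)                     # the rider's own shift
    for _ in range(3):
        rx.accept(captured)                 # counter already consumed: rejected
    return naive.gear, rx.gear


if __name__ == "__main__":
    print(replay_demo())   # (9, 6)
```

The counter only closes the replay hole Kuenning describes. It does nothing against an attacker who jams the rider's frame, records it, and delivers it later before any newer frame has been seen (the counter is still fresh from the receiver's point of view); that needs a receiver-issued nonce or a tight time window. Nor does it stop plain jamming, which is a denial of service rather than a spoof, and the wired shifter Kuenning mentions is immune to all of the above.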