RISKS-LIST: Risks-Forum Digest Thursday 29 Aug 2024 Volume 34 : Issue 43 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/34.43> The current issue can also be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Apparent cyberattack at Seattle airport causes internet outages (WCBV) Scammers dupe chemical company into wiring $60 million (Help Net Security) Moscow’s Spies Were Stealing U.S. Tech, Until the FBI Started a Sabotage Campaign (Politico) Android malware steals payment card data using previously unseen technique (ArsTechnica) Recent bot campaign backing Poilievre shows AI easily accessible for political messaging: report (CBC) Without Guardrails, Generative AI Can Harm Education (Dave Farber) Foreign Policy: TikTok ban & global data commons (Douglas Lucas) Telco fined $1M for transmitting Biden deepfake without verifying Caller ID (ArsTechnica) RFID cards could turn into a global security mess after discovery of hardware backdoor (Techspot) Apple to Let iPhone Users Delete Safari, Other Native Apps to Comply With EU Law (WSJ) Re: Feds sue Georgia Tech for lying bigly about computer security (Cliff Kilby) Re: Fake QR codes posted on Redondo Beach parking meters to scam drivers, police say (Geoff Luenning) Re: Birmingham Oracle (Wol) Re: Telegram billionaire co-founder Pavel Durov arrested (Turgut Kalfaoglu) Re: Policy, due care, and the failure of Heartland Tri-State (Phil Smith III) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Tue, 27 Aug 2024 11:43:45 -0400 From: Monty Solomon <mo...@roscom.com> Subject: Apparent cyberattack at Seattle airport causes internet outages (WCBV) https://www.wcvb.com/article/seattle-airport-cyberattack-internet-outages/61984238 ------------------------------ Date: Tue, 27 Aug 2024 13:15:47 -0400 From: Gabe Goldberg <g...@gabegold.com> Subject: Scammers dupe chemical company into wiring $60 million (Help Net Security) Orion S.A., a global chemical company with headquarters in Luxembourg, has become a victim of fraud: it lost approximately $60 million through “multiple fraudulently induced outbound wire transfers to accounts controlled by unknown third parties.” Was it a BEC attack? A representative of the company declined to share with Help Net Security any additional details beyond what is included in the 8-K filing. “To date, the Company has not found any evidence of additional fraudulent activity and currently does not believe the incident resulted in any unauthorized access to data or systems maintained by the Company,” the filing further says. “However, the Company’s investigation into the incident and its impacts on the Company, including its internal controls, remains ongoing. The business and operations were not affected.” While Orion’s filing does not outright say that the wire transfers were the result of business email compromise (BEC), the possibility seems most likely. Given the above wording, the compromised email was likely that of a supplier or customer. (Alternative possibilities, such as a deepfake video conference call paired with social engineering tricks, are possible, but less likely.) https://www.helpnetsecurity.com/2024/08/13/orion-fraudulent-wire-transfers-60- million/ ------------------------------ Date: Mon, 26 Aug 2024 15:45:46 -0400 From: Monty Solomon <mo...@roscom.com> Subject: Moscow’s Spies Were Stealing U.S. Tech, Until the FBI Started a Sabotage Campaign (Politico) During the early days of Silicon Valley, a tech industry entrepreneur teamed up with the FBI to ship faulty devices to Moscow. https://www.politico.com/news/magazine/2024/08/04/us-spies-soviet-technology-00164126 ------------------------------ Date: Sun, 25 Aug 2024 00:10:46 -0400 From: Monty Solomon <mo...@roscom.com> Subject: Android malware steals payment card data using previously unseen technique (ArsTechnica) https://arstechnica.com/?p=2045086 ------------------------------ Date: Tue, 27 Aug 2024 06:37:31 -0600 From: Matthew Kruk <mkr...@gmail.com> Subject: Recent bot campaign backing Poilievre shows AI easily accessible for political messaging: report (CBC) https://www.cbc.ca/news/politics/ai-platforms-generate-political-messages-rall ies-1.7305321 A suspected bot campaign surrounding a recent Pierre Poilievre event shows that generative artificial intelligence (AI) tools are easily accessible to anyone looking to influence political messaging online, researchers have found. In July, the social media platform X was inundated with posts following the Conservative leader's tour of Northern Ontario. The posts claimed to be from people who attended Poilievre's event in Kirkland Lake, Ont., but were actually generated by accounts in Russia, France and other places, and many of them had similar messaging. ------------------------------ Date: Wed, 28 Aug 2024 20:49:18 +0900 From: =?utf-8?B?44OV44Kh44O844OQ44O844OH44Kk44OT44OD44OJIO+8qg==?= <far...@keio.jp> Subject: Without Guardrails, Generative AI Can Harm Education A new study led by researchers at Wharton and Penn reveals that using generative AI improves student performance, but also makes it harder for students to learn and acquire new skills. The researchers designed an experiment with nearly 1,000 high school math students in Turkey to determine whether large language models can harm or help their education. One group of students was given GPT Base, a chat interface similar to ChatGPT-4, to help them during practice sessions. A second group was given GPT Tutor, an interface similar to ChatGPT-4 but with safeguards. It includes teacher input and is designed to guide students with hints rather than directly giving answers. ------------------------------ Date: Tue, 27 Aug 2024 18:20:08 -0700 From: Douglas Lucas <d...@riseup.net> Subject: Foreign Policy: TikTok ban & global data commons (by me) On Aug. 27, Foreign Policy published my new article "Banning TikTok won't keep your data safe: Pompous billionaires, authoritarian regimes, and opaque oligarchs are hoarding our data. Only an alternative online ecosystem will stop them." The working title was "TikTok ban shows need for real global data commons." From the article: "'This is why I am working on a universal database: to try to democratize this access to a megaphone and bring us information from everyone,' Canadian programmer and philosopher Heather Marsh said at a censored Oxford Union whistle-blowing panel. [...] "Marsh proposes decoupling apps and databases with a framework separating information into layers. The foundation [probably on IPFS] would be a universal database where, say, professors could place instructional videos as public data. Apps would offer additional features, such as captioning or translation, without vacuuming up personal data as the price of entry. Personal data would instead be treated as each individual's sole property. "Apps would become just apps, adding functionality and that's it, no longer married to any company’s exclusive database. Work on middle layers—via public or private federated servers—would enhance the universal database with meaning and trust networks, and ready it for apps. This middle data, and the apps themselves, could be confidential or deleted. But as long as international consortia maintained the foundational universal database and framework, akin to international bodies maintaining the web now, the database would persist—a global commons." Links: Regular URL: https://foreignpolicy.com/2024/08/27/biden-tiktok-bytedance-china-ban-getgee-knowledge-commons/ Erratically performing, paywall-jumping gift hyperlink for sharing everywhere: https://foreignpolicy.com/2024/08/27/biden-tiktok-bytedance-china-ban-getgee-keenowledge-commons/?utm_content=gifting&tpcc=gifting_article&gifting_article=YmlkZW4tdGlrdG9rLWJ5dGVkYW5jZS1jaGluYS1iYW4tZ2V0Z2VlLWtub3dsZWRnZS1jb21tb25z&pid=OC20506955 Alternate hyperlink: https://archive.ph/9Ss1S What are the RISKS of establishing a new ecosystem decoupling apps from databases and stratifying information into layers? As my article says, "corporate-owned data, personal data, and public data are all hopelessly mixed, polarizing people into inflammatory thought bubbles and stripping them of privacy and dignity"; but also, bad actors poaching lingo from idealistic articles to help them sell seems-similar snake oil; nobody offering to lift a finger to fund, code, or open doors for the global data commons project; gift hyperlinks with probably malfunctioning query strings; exhausted underpaid journalists. ------------------------------ Date: Sun, 25 Aug 2024 00:15:46 -0400 From: Monty Solomon <mo...@roscom.com> Subject: Telco fined $1M for transmitting Biden deepfake without verifying Caller ID (ArsTechnica) https://arstechnica.com/?p=2044661 ------------------------------ Date: Mon, 26 Aug 2024 22:28:03 -0400 From: Monty Solomon <mo...@roscom.com> Subject: RFID cards could turn into a global security mess after discovery of hardware backdoor (Techspot) Poking at bad encryption practices to discover some outrageous, unexpected issues https://www.techspot.com/news/104436-previously-unknown-hardware-backdoors-could-turn-rfid-cards.html ------------------------------ From: Monty Solomon <mo...@roscom.com> Date: Sat, 24 Aug 2024 22:31:58 -0400 Subject: Apple to Let iPhone Users Delete Safari, Other Native Apps to Comply With EU Law (WSJ) Company to align products with the bloc=E2=80=99s digital competition law https://www.wsj.com/tech/apple-to-let-iphone-users-delete-safari-other-nativ= e-apps-to-comply-with-eu-law-58c964e8 ------------------------------ Date: Thu, 29 Aug 2024 12:22:16 -0400 From: "Cliff Kilby" <cliffjki...@gmail.com> Subject: Re: Feds sue Georgia Tech for lying bigly about computer security (RISKS-34.42) "There is a current trend toward blindly applying high-level “security” rules to all computers in an organization, regardless of their purpose and existing defenses." You mean baselining? "I've seen this with my own machines (which have extremely strong defenses): hired-gun outsiders who have no clear understanding of CS unilaterally decided to block access to all sorts of ports that they see as vulnerabilities." You mean" Don't allow access to resources that do not have a reason to be available? and Once a variance is determined to be needed, follow the exception process? It sounds like everything is in order there. I wonder why the CS department of Harvey Mudd would find complaint. ------------------------------ Date: Mon, 26 Aug 2024 23:46:03 -0700 From: Geoff Kuenning <ge...@cs.hmc.edu> Subject: Re: Fake QR codes posted on Redondo Beach parking meters to scam drivers, police say (RISKS-34.42) The same QR-sticker scam has been reported in Conwy, Wales. And one suspects it has shown up elsewhere. I always review the link on a QR code before following it. But it can be hard to spot a fake (poybyphone vs. paybyphone? On a small screen they're almost the same.) [One could not be a successful scientist without realizing that, in contrast to the popular conception supported by newspapers and mothers of scientists, a goodly number of scientists are not only narrow-minded and dull, but also just stupid. -- James Watson] ------------------------------ Date: Tue, 27 Aug 2024 19:28:33 +0100 From: Wols Lists <antli...@youngman.org.uk> Subject: Re: Birmingham Oracle (Tom Van Vleck, RISKS-34.41) > From: Cliff Kilby<cliffjki...@gmail.com> > Tom, Would you see this as an example of selection bias? I (Wol) certainly would not. It is (or was) an extremely regular meme in the UK computer press that big Public database projects were badly specified, poorly run, and usually came in massively late and over budget. Given the huge number of procurement disasters at the time, they certainly should have been. Most SQL/Relational projects I have come across have been estimating / budgeting disasters, and imho they are using a sledgehammer to drive a screw. On the other hand, while MultiValue projects may be few in number, pretty much all the anecdotal evidence I have is that they are far less resource-intensive, usually on time or early, and often under budget. For example, while Cache is not a MultiValue database, it is similar, and in a shoot-out with Oracle Oracle struggled to meet the 100K inserts target, invoking all sorts of cheats to hit it. Cache on the other hand had no trouble at all, and within weeks of install breezed through 250K. Imnsho, the problem is that the aims of database engine designers and users differ. Relational Database Engine designers, in their attempts to avoid a worst case scenario of an O(n) search, have made all searches O(log(n)). MultiValue (and I presume Cache) and other database designs that predate SQL et al have pushed the job of avoiding O(n) onto the database designers. As a result MultiValue (in the absence of a pathological hash) guarantees a 95% O(1) hit rate. And comes with tools to warn the DBA what the worst O is (unlikely to exceed 2 or 3). Given the huge size of databases nowadays, even log(n) is expensive and one has to wonder whether the use of Relational and similar databases makes sense as users are left sitting there waiting for the system to respond. I know I'll often spend maybe the first hour of the day trouble-shooting "the database failed to respond", and it's almost always just the sheer weight of people starting work. ------------------------------ Date: Tue, 27 Aug 2024 21:24:11 +0200 (GMT+02:00) From: Turgut Kalfaoglu <tur...@kalfaoglu.com> Subject: Re: Telegram billionaire co-founder Pavel Durov arrested (RISKS-34.42) Back in 2018 Pavel Durov was asked by the Russian government to cooperate and share Telegram’s encryption keys in order to stop alleged terrorist-related [>] issues with the Russian government arose, the mainstream media showed [act?]ivities happening via the app. When his issues with the Russian government arose, the mainstream media showed great praise for Telegram’s creator, applauding him and bashing Russia. Now Durov is in French custody and where are all of these voices that were so eager to defend freedom of speech back in 2018? [A bit of gibberish fixed? PGN] ------------------------------ Date: Mon, 26 Aug 2024 23:42:20 -0400 From: "Phil Smith III" <phs...@gmail.com> Subject: Re: Policy, due care, and the failure of Heartland Tri-State (RISKS-34.43) > A perfect example is the commonly enforced policy Including PCI. PCI DSS 4.0 still requires it, which is one reason a lot of organizations are still doing it: 8.3.9, "Passwords/passphrases are changed at least once every 90 days" ------------------------------ Date: Sat, 28 Oct 2023 11:11:11 -0800 From: risks-requ...@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) has moved to the ftp.sri.com site: <risksinfo.html>. *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's delightfully searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume/previous directories or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 34.43 ************************
