    Risks Digest 32.64

    RISKS-LIST: Risks-Forum Digest Tuesday 4 May 2021 Volume 32 : Issue 64

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/32.64>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Feds Arrest an Alleged $336M Bitcoin-Laundering Kingpin (WiReD)
    Dark web child abuse image site with 400,000 members taken down in
    global police sting (NBC News)
    U.S. Mulling Domestic Spying Partnership with Private Companies
    (Infosecurity Magazine)
    A New Line of Attack that Evades Spectre Defenses (Science Daily)
    An ambitious plan to tackle ransomware faces long odds (Ars Technica)
    Paying ransomware doesn't pay (Rob Slade)
    Legal chatbot firm DoNotPay adds anti-facial recognition filters
    to its suite of handy tools (The Verge)
    Known software issue grounds Ingenuity Mars copter as it attempted
    fourth flight (The Register)
    Stealthy Linux backdoor malware spotted after three years of
    minding your business (The Register)
    BadAlloc: Microsoft looked at memory allocation code in tons of
    devices and found this one common security flaw (The Register)
    Pro-Trump web forums are abuzz with directions to forge Covid
    vaccine cards (NBC News)
    How to give Feedback about the Feedback Form? (Dan Jacobson)
    100 prohibited porcupine quills seized at Dulles Airport (Herndon, VA Patch)
    Re: The Plane Paradox (Lars-Henrik Eriksson, Peter Bernard Ladkin)
    Re: SolarWinds, Microsoft Hacks Prompt Focus on Zero-Trust Security
    (Richard Stein)
    Re: Outlook/Exchange accounts under attack (Amos Shapir)
    Re: Hundreds Lose Internet service (A Michael W Bacon)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 30 Apr 2021 23:51:23 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Feds Arrest an Alleged $336M Bitcoin-Laundering Kingpin (WiReD)

    Most remarkable, however, is the IRS's account of tracking down Sterlingov using the very same sort of blockchain analysis that his own service was
    meant to defeat. The complaint outlines how Sterlingov allegedly paid for
    the server hosting of Bitcoin Fog at one point in 2011 using the now-defunct digital currency Liberty Reserve. It goes on to show the blockchain evidence that identifies Sterlingov's purchase of that Liberty Reserve currency with bitcoins: He first exchanged euros for the bitcoins on the early
    cryptocurrency exchange Mt. Gox, then moved those bitcoins through several subsequent addresses, and finally traded them on another currency exchange
    for the Liberty Reserve funds he'd use to set up Bitcoin Fog's domain.

    Based on tracing those financial transactions, the IRS says, it then
    identified Mt. Gox accounts that used Sterlingov's home address and phone number, and even a Google account that included a Russian-language document
    on its Google Drive offering instructions for how to obscure Bitcoin
    payments. That document described exactly the steps Sterlingov allegedly
    took to buy the Liberty Reserve funds he'd used.

    The case shows yet another example of how Bitcoin, once widely believed to
    be a powerful tool for making anonymous, untraceable transactions, has
    turned out to be in many cases the very opposite. The blockchain's ledger of all Bitcoin transactions since the cryptocurrency's creation has often
    instead served as a means for law enforcement to trace even years-old transactions.

    https://www.wired.com/story/bitcoin-drug-deals-silk-road-blockchain/

    The risk? Tracing the untraceable.
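
    The tracing the article describes, following coins hop by hop through a
    public ledger until they land at an address whose owner some exchange has
    on file, is mechanical once the ledger is indexed. Here is an added example,
    not from the digest, WiReD or the IRS complaint, of a toy chain-analysis pass
    in Python over a constructed ledger: the addresses, transaction ids and
    amounts are made up, and the two heuristics shown (forward taint tracing and
    common-input-ownership clustering) are standard chain-analysis techniques,
    not a description of what the IRS actually ran.

```python
from collections import defaultdict, deque

# Constructed toy ledger, not real Bitcoin data. Each transaction spends
# earlier outputs, named by (txid, vout), and pays new outputs (address, amount).
# "gox_withdraw" stands in for a withdrawal address an exchange has tied to a
# customer record; "exch_deposit" for a deposit address at a second exchange.
LEDGER = [
    {"txid": "t1", "inputs": [], "outputs": [("gox_withdraw", 10.0)]},
    {"txid": "t2", "inputs": [("t1", 0)], "outputs": [("a1", 6.0), ("a2", 4.0)]},
    {"txid": "t3", "inputs": [("t2", 0), ("t2", 1)], "outputs": [("a3", 9.9)]},
    {"txid": "t4", "inputs": [("t3", 0)], "outputs": [("exch_deposit", 5.0), ("a4", 4.9)]},
    {"txid": "t5", "inputs": [], "outputs": [("unrelated", 1.0)]},
]
# Labels an investigator gets from subpoenas or public tagging, not from the chain.
KNOWN = {"gox_withdraw": "Mt. Gox withdrawal", "exch_deposit": "Exchange B deposit"}


def build_index(ledger):
    """Index the ledger the way a chain-analysis tool would: who received each
    output, and which later transaction spent it."""
    txs = {}
    out_addr = {}                # (txid, vout) -> (address, amount)
    by_addr = defaultdict(list)  # address -> [(txid, vout), ...]
    spent_by = {}                # (txid, vout) -> txid of the spending transaction
    for tx in ledger:
        txs[tx["txid"]] = tx
        for vout, (addr, amt) in enumerate(tx["outputs"]):
            out_addr[(tx["txid"], vout)] = (addr, amt)
            by_addr[addr].append((tx["txid"], vout))
        for op in tx["inputs"]:
            spent_by[op] = tx["txid"]
    return txs, out_addr, by_addr, spent_by


def trace_forward(ledger, seed, targets):
    """Breadth-first taint trace: follow coins paid to `seed` output by output
    until one lands on a labelled address in `targets`.
    Returns the hop list [(txid, address), ...] or None if the trail goes cold."""
    txs, out_addr, by_addr, spent_by = build_index(ledger)
    parent = {}
    queue = deque()
    for op in by_addr[seed]:
        parent[op] = None
        queue.append(op)
    while queue:
        op = queue.popleft()
        addr, _ = out_addr[op]
        if addr in targets and addr != seed:
            path = []
            while op is not None:
                path.append((op[0], out_addr[op][0]))
                op = parent[op]
            return list(reversed(path))
        nxt = spent_by.get(op)
        if nxt is None:          # unspent: this branch is a dead end for now
            continue
        for vout in range(len(txs[nxt]["outputs"])):
            child = (nxt, vout)
            if child not in parent:
                parent[child] = op
                queue.append(child)
    return None


def cluster_common_input(ledger):
    """Common-input-ownership heuristic: addresses whose outputs are spent
    together as inputs of one transaction are presumed to share an owner."""
    _, out_addr, _, _ = build_index(ledger)
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    for tx in ledger:
        addrs = [out_addr[op][0] for op in tx["inputs"]]
        for other in addrs[1:]:
            parent[find(addrs[0])] = find(other)
    clusters = defaultdict(set)
    for a in list(parent):
        clusters[find(a)].add(a)
    return [frozenset(c) for c in clusters.values()]


def report(ledger=LEDGER, seed="gox_withdraw", known=KNOWN):
    """Investigator-style summary of the trail from `seed` to a labelled address."""
    path = trace_forward(ledger, seed, known) or []
    return "\n".join(f"{txid}: -> {addr} ({known.get(addr, 'unlabelled')})"
                     for txid, addr in path)


if __name__ == "__main__":
    print(report())
    print(cluster_common_input(LEDGER))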

    ------------------------------

    Date: Mon, 3 May 2021 20:56:51 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Dark web child abuse image site with 400,000 members taken down in
    global police sting (NBC News)

    Dark web child abuse image site with 400,000 members taken down in global police sting

    The three main suspects are accused of founding and maintaining the site, as well as giving members advice on how to avoid arrest, German police said.

    https://www.nbcnews.com/news/world/dark-web-child-abuse-image-site-400-000-members-taken-n1266108

    ------------------------------

    Date: Tue, 4 May 2021 00:21:11 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: U.S. Mulling Domestic Spying Partnership with Private Companies
    (Infosecurity Magazine)

    The Biden administration is reportedly considering teaming up with private companies to monitor American citizens' private online activity and digital communications.

    According to news source CNN, multiple sources have said that the Department
    of Homeland Security (DHS) is actively seeking a way to monitor citizens
    online without having to first secure a warrant or prove that such
    monitoring is an essential part of an ongoing investigation.

    The sources said that a plan is being formed for the DHS to circumvent these established checks to the government's power by working directly with
    private firms.

    Currently, only the unprotected information that Americans share on social media sites and public online platforms can be accessed by federal
    authorities.

    However, the alleged plan being formed by the DHS would allow authorities to see what Americans are writing and sharing online in access-restricted
    spaces such as private Facebook groups.

    The plan is reportedly not centered on the decryption of data belonging to Americans but is instead focused on getting outside entities with legal
    access to the information being shared online to report what is being said
    to the government.

    Limits are also in place at the Central Intelligence Agency (CIA) and
    National Security Administration (NSA) when it comes to domestic espionage.

    https://www.infosecurity-magazine.com/news/private-companies-may-spy-on/

    ------------------------------

    Date: Sat, 1 May 2021 10:21:17 -0400
    From: Bob Gezelter <gezelter@rlgsc.com>
    Subject: A New Line of Attack that Evades Spectre Defenses (Science Daily)

    A team of computer-science researchers has uncovered a line of attack that breaks all Spectre defenses, meaning that billions of computers and other devices across the globe are just as vulnerable today as they were when
    Spectre was first announced.

    https://www.sciencedaily.com/releases/2021/04/210430165903.htm

    [This appears to be somewhat misguided reporting. Spectre defenses
    generally require hardware changes, and cannot be adequately resolved with
    existing hardware. The new CHERI hardware is trying to provide real
    solutions. Maybe *Science Daily* meant Meltdown? PGN]

    ------------------------------

    Date: Sun, 2 May 2021 10:38:00 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: An ambitious plan to tackle ransomware faces long odds
    (Ars Technica)

    Heavyweight task force proposes framework to tackle a major cybersecurity problem.

    https://arstechnica.com/information-technology/2021/05/an-ambitious-plan-to-tackle-ransomware-faces-long-odds/

    ------------------------------

    Date: Mon, 3 May 2021 12:53:55 -0700
    From: Rob Slade <rslade@gmail.com>
    Subject: Paying ransomware doesn't pay

    OK, I have, elsewhere, expressed my opinion that paying the ransom for
    ransomware is a bad idea.
    https://community.isc2.org/t5/I/P/m-p/18736
    First off, you are funding crime. Secondly, you are encouraging crime. (If
    nobody paid the ransoms, they'd stop doing ransomware, wouldn't they?)

    Then there are the various reasons why paying the ransomware isn't a good
    idea in simply practical terms. Some of the ransomware was never intended
    to allow you to recover. Some is badly coded, and doesn't work when decrypting. Some of the ransomware families are simply based on symmetric encryption, and one key decrypts all. (You can find lists of those, and the ways to recover, at various places on the net.) Some of the ransomware
    groups are just disorganized, and lose their keys.

    (Then there are those who confuse ransomware with breachstortion, and are talking about people who actually do steal your data, and then threaten to publish it unless you pay up. Most of the same reasons why paying ransom
    to them is a bad idea hold, with the addition of the fact that, if you pay
    the ransom, you are relying on the promises and integrity of a bunch of thieves, liars, and extortionists.)

    (Oh, and that argument about the "business model" of ransomware and breachstortion being based on them doing what they promise? That business model only works if you are talking about return or repeat business. Are
    you telling me that you are going to go through ransom or extortion with
    the same group all over again? How stupid *are* you?)

    Now some research from Sophos backs that up. If you pay, you've got a less
    than 10% chance of getting all your data back.
    https://www.forbes.com/sites/daveywinder/2021/05/02/ransomware-reality-shock-92-who-pay-dont-get-their-data-back

    [Speaking of "backs that up", can you spell "backup" -- which allows one
    to recover without paying. Yes, that does not help with breachstortion,
    but once again, the real answer seems to be better security in hardware and
    software, and more-aware users and admins. PGN]

    ------------------------------

    Date: Tue, 4 May 2021 12:22:35 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Legal chatbot firm DoNotPay adds anti-facial recognition filters
    to its suite of handy tools (The Verge)

    https://www.theverge.com/2021/4/27/22405570/donotpay-ninja-anti-reverse-image-search-facial-recognition-filter

    ------------------------------

    Date: Fri, 30 Apr 2021 21:15:31 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Known software issue grounds Ingenuity Mars copter as it attempted
    fourth flight (The Register)

    https://go.theregister.com/feed/www.theregister.com/2021/04/30/ingenuity_fourth_flight_flops/

    ------------------------------

    Date: Fri, 30 Apr 2021 21:24:24 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Stealthy Linux backdoor malware spotted after three years of
    minding your business (The Register)

    https://go.theregister.com/feed/www.theregister.com/2021/04/29/stealthy_linux_backdoor_malware_spotted/

    ------------------------------

    Date: Fri, 30 Apr 2021 21:24:14 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: BadAlloc: Microsoft looked at memory allocation code in tons of
    devices and found this one common security flaw (The Register)

    https://go.theregister.com/feed/www.theregister.com/2021/04/29/microsoft_badalloc_iot/

    ------------------------------

    Date: Sun, 2 May 2021 17:44:16 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Pro-Trump web forums are abuzz with directions to forge Covid
    vaccine cards (NBC News)

    Some states put templates online, spurring pro-Trump and anti-vaccination forums to start spreading tips for how to create fake cards.

    https://www.nbcnews.com/tech/tech-news/covid-vaccination-card-fraud-prompts-cdc-action-rcna802

    ------------------------------

    Date: Sat, 01 May 2021 18:52:19 +0800
    From: Dan Jacobson <jidanni@jidanni.org>
    Subject: How to give Feedback about the Feedback Form?

    Let's say you are an extra big company, with an extra small single point of contact: the Feedback Form. But what if it breaks? Every other form of
    contact just plays a recording:
    "Please use the Feedback Form."
    How to give Feedback about the Feedback Form?

    1) Determine the headquarters of aforementioned extra big company is merely
    a couple miles from the headquarters of RISKS moderator PGN.

    2) Send PGN on a mission to give a certain Mr. Zuckerberg feedback. PGN says
    "Having walked all the way from SRI, I'll be dead soon." Alas, the
    secretary says "He's with a client. I don't know what to do."
    https://www.youtube.com/watch?v=Tp8XcAKYsKo

    ------------------------------

    Date: Sat, 1 May 2021 00:10:35 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: 100 prohibited porcupine quills seized at Dulles Airport
    (Herndon, VA Patch)

    "Travelers should be aware that those seemingly safe animal souvenirs they purchase overseas may accidentally introduce animal diseases that could devastate our livestock industries, sicken our citizens, and impact our nation's economy," said Keith Fleming, acting director of Field Operations
    for CBP's Baltimore Field Office, in a release. "Customs and Border
    Protection remains on our nation's frontline as protectors of our
    agricultural resources, and we will continue to work with our partners to intercept all potential threats at our nation's ports of entry."

    https://patch.com/virginia/herndon/100-prohibited-porcupine-quills-seized-dulles-airport

    ------------------------------

    Date: Sat, 1 May 2021 07:18:44 +0200
    From: Lars-Henrik Eriksson <lhe@it.uu.se>
    Subject: Re: The Plane Paradox: More Automation Should Mean More Training
    (WiReD, RISKS-32.63)

    "Shortly after a Smartlynx Estonian Airbus 320 took off on February 28,
    2018, all four of the aircraft's flight control computers stopped
    working."

    That description is misleading to the point of being incorrect. The incident began on the runway during a touch and go after several hours of training flights the same day. During that time there had been almost a dozen alerts that something was wrong with the pitch-control system. All alerts had been reset and then ignored. At some point one alert was not reset, causing a
    loss of redundancy.

    Indeed, one of the causal factors determined by the accident investigation
    was the training instructor's decision to continue the training flights
    despite the multiple fault messages. So arguably this was not a case of automation surprising pilots, but rather of poor decision-making.

    Accident investigation report: https://www.ojk.ee/et/system/files/fail/manus/ee0180_es_san_investigation_report.pdf

    ------------------------------

    Date: Sat, 1 May 2021 11:37:21 +0200
    From: Peter Bernard Ladkin <ladkin@causalis.com>
    Subject: Re: The Plane Paradox (RISKS-32.63)

    "Shortly after a Smartlynx Estonian Airbus 320 took off on February 28,
    2018, all four of the aircraft's flight control computers stopped
    working. ... Only the skill of the instructor pilot on board prevented a fatal crash."

    This, of course, is nonsense.

    1. The A320 has two elevator aileron computers (ELAC), three spoiler
    elevator computers (SEC), and two flight augmentation computers (FAC), for
    a total of seven. The aerodynamic control surface actuators are commanded
    by combinations of these.

    2. There is no way to control the aircraft aerodynamically if all FCCs fail.

    ------------------------------

    Date: Sat, 1 May 2021 11:20:01 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Re: SolarWinds, Microsoft Hacks Prompt Focus on Zero-Trust Security
    (James Rundle, RISKS-32.63)

    James Rundle wrote: "At an April 22 virtual event hosted by Cyber Education Institute LLC's Billington Cybersecurity unit, U.S. Department of Defense's John Sherman said the public and private sectors should adopt zero-trust
    models that constantly verify whether a device, user, or program should be
    able to do what it is asking to do."

    The "Zero Trust Architecture" from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

    Deployment of ZTA strategies appears to advocate a centralized policy
    decision point (PDP) and policy enforcement point (PEP) that oversees and continuously monitors identity, credential, access, and authorization to legitimate an organization's resources (devices, services, and users). A complex, multi-dimensional privilege matrix is likely monitored and characterized for resource operation based on access, authorization, feature/capability/purpose, role, etc.

    On paper, ZTA enhances infosec defense-in-depth and is proactive. A
    significant change from the reactive infosec practices widely deployed today that invite data breach/malware infection.

    Risk: Legitimized resource access through a control gateway.

    Compromise the PDP/PEP and/or the policy administrator who operates it, and
    the resource is compromised.
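
    To make that risk concrete, here is an added example, not from the digest
    or from NIST SP 800-207, of a minimal PDP/PEP pair in Python. The policy
    format, the device posture score, the HMAC-signed policy bundle and the
    signing key are all assumptions made up for the demo. Every request is
    evaluated afresh (credential freshness, role, device posture, action) with
    no session state at the gateway, which is what "constantly verify" amounts
    to. The last two functions show both sides of the gateway: an unsigned edit
    to the policy store is refused, but whoever holds the administrator's
    signing key, or the PDP itself, can grant anything and the PEP will
    faithfully enforce it.

```python
import hashlib
import hmac
import json

# Assumption (not from the digest): the policy administrator signs the policy
# bundle with a key the PDP holds, so an unsigned edit to the policy store is
# refused. Constructed demo key, not a real secret.
POLICY_SIGNING_KEY = b"constructed-demo-policy-key"

# Constructed policy: per resource, the roles, minimum device posture score
# and actions that are permitted.
POLICY = {
    "payroll-db": {"roles": ["finance"], "min_posture": 2, "actions": ["read"]},
    "ci-runner": {"roles": ["dev", "finance"], "min_posture": 1, "actions": ["read", "write"]},
}


def sign_policy(policy, key):
    """Policy administrator side: deterministic serialization plus an HMAC."""
    body = json.dumps(policy, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


class PDP:
    """Policy decision point: judges each request on its own merits."""

    def __init__(self, signed_policy, key):
        expected = hmac.new(key, signed_policy["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed_policy["mac"]):
            raise ValueError("policy bundle failed integrity check")
        self.policy = json.loads(signed_policy["body"])

    def decide(self, request, now):
        rule = self.policy.get(request["resource"])
        if rule is None:
            return False, "unknown resource"
        subject, device = request["subject"], request["device"]
        if subject["token_expires"] <= now:
            return False, "credential expired"
        if subject["role"] not in rule["roles"]:
            return False, "role not permitted"
        if device["posture"] < rule["min_posture"]:
            return False, "device posture below minimum"
        if request["action"] not in rule["actions"]:
            return False, "action not permitted"
        return True, "allow"


class PEP:
    """Policy enforcement point: the gateway in front of the resource. It keeps
    no session; every request goes back to the PDP and is logged with the reason."""

    def __init__(self, pdp):
        self.pdp = pdp
        self.audit = []

    def handle(self, request, now):
        allowed, reason = self.pdp.decide(request, now)
        self.audit.append((request["subject"]["user"], request["resource"],
                           request["action"], reason))
        return allowed


def make_request(user, role, posture, resource, action, token_expires=2000):
    return {"subject": {"user": user, "role": role, "token_expires": token_expires},
            "device": {"posture": posture}, "resource": resource, "action": action}


def run_scenarios(now=1000):
    """Constructed requests against the signed policy; returns decisions and audit."""
    pep = PEP(PDP(sign_policy(POLICY, POLICY_SIGNING_KEY), POLICY_SIGNING_KEY))
    requests = [
        make_request("alice", "finance", 2, "payroll-db", "read"),             # allow
        make_request("alice", "finance", 1, "payroll-db", "read"),             # posture too low
        make_request("alice", "finance", 2, "payroll-db", "write"),            # action not allowed
        make_request("bob", "dev", 2, "payroll-db", "read"),                   # wrong role
        make_request("bob", "dev", 1, "ci-runner", "write"),                   # allow
        make_request("bob", "dev", 2, "ci-runner", "read", token_expires=900),  # expired token
    ]
    return [pep.handle(r, now) for r in requests], pep.audit


def tampered_policy_rejected():
    """An edit to the policy store made without the signing key is caught."""
    bundle = sign_policy(POLICY, POLICY_SIGNING_KEY)
    loose = json.loads(bundle["body"])
    loose["payroll-db"]["roles"].append("dev")
    bundle["body"] = json.dumps(loose, sort_keys=True).encode()
    try:
        PDP(bundle, POLICY_SIGNING_KEY)
    except ValueError:
        return True
    return False


def compromised_admin_opens_gate():
    """The risk named above: with the administrator's key (or the PDP itself)
    an attacker grants access legitimately, and the PEP enforces the grant."""
    rogue = json.loads(json.dumps(POLICY))
    rogue["payroll-db"]["roles"].append("dev")
    pep = PEP(PDP(sign_policy(rogue, POLICY_SIGNING_KEY), POLICY_SIGNING_KEY))
    return pep.handle(make_request("bob", "dev", 2, "payroll-db", "read"), now=1000)


if __name__ == "__main__":
    decisions, audit = run_scenarios()
    for (user, resource, action, reason), ok in zip(audit, decisions):
        print(f"{user:6} {action:5} {resource:11} -> {'ALLOW' if ok else 'DENY '} ({reason})")
    print("tampered bundle rejected:", tampered_policy_rejected())
    print("rogue admin grant enforced:", compromised_admin_opens_gate())
```

    The signed bundle only moves the trust boundary: it stops an attacker who
    can write to the policy store but not to the signing key, which is why the
    PDP, its policy administrator and that key need the same protection the
    resources behind the PEP get.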

    ------------------------------

    Date: Sun, 2 May 2021 17:33:17 +0300
    From: Amos Shapir <amos083@gmail.com>
    Subject: Re: Outlook/Exchange accounts under attack (Slade, RISKS-32.63)

    Me too. The source of the leaked (or rather publicized) email addresses is none other than the RISKS list itself, and its archives. These addresses
    are gathered in bunches which are sold over and over; a new wave of junk appears each time a bunch is bought by a new operator. (Your address may appear several times in each bunch).

    ------------------------------

    Date: Sat, 1 May 2021 13:26:35 +0100
    From: A Michael W Bacon <amichaelwbacon@gmail.com>
    Subject: Re: Hundreds Lose Internet service (RISKS-32.63)

    [Michael was really surprised that I ESCHEWED the opportunity to make a pun.
    How about "Beaver damns the Internet"? PGN]

    ------------------------------

    Date: Mon, 1 Aug 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 32.64
    ************************
