    Risks Digest 33.30

    From RISKS List Owner@21:1/5 to All on Sat Jun 25 20:17:10 2022
    RISKS-LIST: Risks-Forum Digest Monday 20 June 2022 Volume 33 : Issue 30

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/33.30>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    [RISKS-33.29 delay on USENET was due to a Panix key upgrade.]
    We've only scratched the surface of how bad the crypto[currency] crime wave
    has gotten (Yaohoo!)
    FBI warns crypto fraud on LinkedIn is a 'significant threat' (Engadget)
    Ethereum Mining Is Going Away (Bloomberg)
    Microsoft Office 365 Feature Could Help Ransomware Hackers Hold Cloud Files
    Hostage (The Hacker News)
    Micropatching on the fly (Tom Van Vleck)
    The Open Secret of Google Search (The Atlantic)
    Leaked Audio From 80 Internal TikTok Meetings Shows That U.S. User Data Has
    Been Repeatedly Accessed From China (Buzzfeednews)
    Lake Mead and Lake Powell, the 2 largest reservoirs in the US, which provide
    water to over 40 million Americans in Nevada, Arizona and California, are
    at their lowest levels ever. (twitter via geoff goodfellow)
    Stronger Security for Smart Devices (Adam Zewe)
    New Mexico's Post-Certification Recounts (Annie Gowan)
    It is 2022. My coffee mug wants me to log in, wants to know my location, and
    if it can send me promotional emails... (Marc IRL)
    A Language Model Trained to Mimic 4chan Might Portend AI's Grim Future
    (Georgetown CSET)
    A minor example of human factors in security (risks@sctb.net)
    Serious Warning Issued For Millions Of Google Gmail Users (Forbes)
    Re: the death knell of jSCH (Dmitri Maziuk)
    Re: Physics-Based Cryptocurrency Transmits Energy Through Blockchain
    (John Levine)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sun, 19 Jun 2022 11:28:10 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: We've only scratched the surface of how bad the crypto[currency] crime wave
    has gotten (Yaohoo!)

    We've only scratched the surface of how bad the crypto crime wave has gotten

    https://news.yahoo.com/weve-only-scratched-surface-bad-221758213.html

    ------------------------------

    Date: Fri, 17 Jun 2022 17:16:04 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: FBI warns crypto fraud on LinkedIn is a 'significant threat'
    (Engadget)

    https://www.engadget.com/fbi-warning-crypto-fraud-linkedin-significant-threat-191600330.html

    ------------------------------

    Date: Mon, 20 Jun 2022 12:23:17 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Ethereum Mining Is Going Away (Bloomberg)

    David Pan and Olga Kharif, Bloomberg, 16 Jun 2022,
    via ACM TechNews; Monday, 20 Jun 2022

    Ethereum mining could end soon due to "the Merge," leaving as many as 1
    million miners out of a source of income. The Merge (expected to occur in
    August, though it has been pushed back several times already) involves a
    shift from the proof-of-work model, which uses a significant amount of
    computing power and energy, to the proof-of-stake model to record
    transactions. The alternative model will slash the Ethereum network's
    power consumption by about 99%, but also will put miners out of work.
    Following The Merge, some Ethereum miners plan to mine other coins that
    require graphics processing units, like Ethereum Classic or Ravencoin, or
    to use their equipment for rendering (an aspect of digital video
    production) or machine learning tasks.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ecdcx23467ax071600&

    ------------------------------

    Date: Thu, 16 Jun 2022 07:27:17 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Microsoft Office 365 Feature Could Help Ransomware Hackers Hold
    Cloud Files Hostage (The Hacker News)

    A "dangerous piece of functionality" has been discovered in Microsoft 365
    suite that could be potentially abused by a malicious actor to ransom
    files stored on SharePoint and OneDrive and launch attacks on cloud
    infrastructure.

    The cloud ransomware attack makes it possible to launch file-encrypting
    malware to "encrypt files stored on SharePoint and OneDrive in a way that
    makes them unrecoverable without dedicated backups or a decryption key from
    the attacker," Proofpoint said in a report published today.
    <https://www.proofpoint.com/us/blog/cloud-security/proofpoint-discovers-potentially-dangerous-microsoft-office-365-functionality>

    The infection sequence can be carried out using a combination of Microsoft
    APIs, command-line interface (CLI) scripts, and PowerShell scripts, the
    enterprise security firm added.

    The attack, at its core, hinges on a Microsoft 365 feature called AutoSave
    that creates copies of older file versions as and when users make edits to
    a file stored on OneDrive or SharePoint Online.
    <https://support.microsoft.com/en-us/office/what-is-autosave-6d6bd723-ebfd-4e40-b5f6-ae6e8088f7a5>

    It commences with gaining unauthorized access to a target user's SharePoint
    Online or OneDrive account, followed by abusing the access to exfiltrate
    and encrypt files. The three most common avenues to obtain the initial
    foothold involve directly breaching the account via phishing or
    brute-force attacks, tricking a user into authorizing a rogue third-party
    OAuth application, or taking over the web session of a logged-in user.

    But where this attack stands apart from traditional endpoint ransomware
    activity is that the encryption phase requires locking each file on
    SharePoint Online or OneDrive more than the permitted versioning limit.
    [...]

    <https://support.microsoft.com/en-us/office/how-versioning-works-in-lists-and-libraries-0f6cd105-974f-44a4-aadb-43ac5bdfd247>
    https://thehackernews.com/2022/06/a-microsoft-office-365-feature-could.html
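    The version-exhaustion pattern described above (one account re-saving the same file more times than the library's version limit, so no clean version survives) can be spotted in the tenant's audit trail. The following detector is an added example, not code from the RISKS item or from Proofpoint; the audit records are constructed to resemble Microsoft 365 unified-audit-log entries (real field names, made-up values), and the version limit and burst window are assumed settings.

```python
# Added example (not from the RISKS item or the Proofpoint report): flag a
# single account re-saving the same file more times than the library's
# version limit, so that no pre-encryption version is left to roll back to.
# Records are constructed to resemble Microsoft 365 unified-audit-log entries;
# the field names are the real ones, the values are made up.
from collections import defaultdict
from datetime import datetime, timedelta

VERSION_LIMIT = 5              # assumed library setting for this demo
WINDOW = timedelta(hours=1)    # burst window; tune to your tenant


def _parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def detect_version_exhaustion(records, version_limit=VERSION_LIMIT, window=WINDOW):
    """Return one alert per (user, file) whose FileModified count inside any
    sliding window of length `window` exceeds `version_limit`."""
    edits = defaultdict(list)
    for rec in records:
        if rec.get("Operation") != "FileModified":
            continue                       # reads, shares etc. do not consume versions
        edits[(rec["UserId"], rec["ObjectId"])].append(_parse_time(rec["CreationTime"]))
    alerts = []
    for (user, obj), times in edits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):    # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > version_limit:
            alerts.append({"user": user, "file": obj, "edits_in_window": peak})
    return alerts


def files_per_user(alerts):
    """Aggregate alerts by user; one account exhausting versions on many
    files is the stronger ransomware signal."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["user"]] += 1
    return dict(counts)


def _rec(user, obj, ts, op="FileModified"):
    return {"Operation": op, "UserId": user, "ObjectId": obj,
            "CreationTime": ts, "Workload": "OneDrive"}


# Constructed sample: the compromised account victim@example.com saves q3.xlsx
# seven times in 12 minutes (exceeds the limit of 5); alice edits notes.docx
# three times over two hours (benign); a FileAccessed event is ignored.
_DOCS = "https://contoso-my.sharepoint.com/personal/victim/Documents/"
SAMPLE_RECORDS = (
    [_rec("victim@example.com", _DOCS + "q3.xlsx", f"2022-06-16T09:{m:02d}:00")
     for m in range(0, 14, 2)]
    + [_rec("alice@example.com", _DOCS + "notes.docx", ts)
       for ts in ("2022-06-16T09:00:00", "2022-06-16T09:30:00", "2022-06-16T10:45:00")]
    + [_rec("alice@example.com", _DOCS + "notes.docx", "2022-06-16T09:05:00", "FileAccessed")]
)

if __name__ == "__main__":
    for alert in detect_version_exhaustion(SAMPLE_RECORDS):
        print(alert)
```

    Feed it the output of an audit-log search for FileModified events; alerts whose edit count is near the library's configured version limit are the ones worth a look, and a lower version limit does not help, since the attacker only needs to exceed whatever limit is set.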

    ------------------------------

    Date: Mon, 20 Jun 2022 15:39:28 -0400
    From: Tom Van Vleck <thvv@multicians.org>
    Subject: Micropatching on the fly

    People who are running computers with a lot of old and buggy software are
    being wooed by services that will apply binary patches to their code while
    it is running.

    If a site is running an old down-rev version and can't afford the time,
    cost, and effort to upgrade to a later version, the micropatching service
    can apply fixes on the fly.

    [No flies are injured in the process. PGN]

    They patch in storage to avoid verification of code signatures. Sometimes
    they extract patches from later versions of the code and back-port them to
    older code.

    There is a DARPA/I2O program that is awarding ways to patch IoT
    appliances and heavy truck engines:
    https://www.darpa.mil/program/assured-micropatching

    What could possibly go wrong? THVV

    [Risks? This reminds me of Doug McIlroy and Bob Morris patching the live
    object code of their EPL compiler (early PL/I, starkly subset for
    Multics) at the same time Molly Wagner was compiling Multics
    memory-management code in 1967. What a mess. (Tom, Thanks for this
    item.) Note for younger RISKS readers: Tom dates back to pre-Multics on
    CTSS, with what appears to be the very first e-mail system, which he and
    Noel Morris developed at MIT. PGN]

    ------------------------------

    Date: Mon, 20 Jun 2022 15:11:24 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: The Open Secret of Google Search

    One of the most-used tools on the Internet is not what it used to be.

    https://www.theatlantic.com/ideas/archive/2022/06/google-search-algorithm-internet/661325/

    ------------------------------

    Date: Fri, 17 Jun 2022 18:37:02 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Leaked Audio From 80 Internal TikTok Meetings Shows That U.S.
    User Data Has Been Repeatedly Accessed From China (Buzzfeednews)

    https://www.buzzfeednews.com/article/emilybakerwhite/tiktok-tapes-us-user-data-china-bytedance-access

    ------------------------------

    Date: Thu, 16 Jun 2022 16:54:33 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Lake Mead and Lake Powell, the 2 largest reservoirs in the US,
    which provide water to over 40 million Americans in Nevada, Arizona and
    California, are at their lowest levels ever.

    *... This will have unprecedented consequences and require drastic water
    restrictions never seen before...*
    https://twitter.com/US_Stormwatch/status/1536912734297526272

    ------------------------------

    Date: Fri, 17 Jun 2022 12:14:25 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Stronger Security for Smart Devices (Adam Zewe)

    Adam Zewe, *MIT News*, 14 Jun 2022, via ACM TechNews, 17 Jun 2022

    Massachusetts Institute of Technology researchers demonstrated two
    security techniques that block power and electromagnetic side-channel
    attacks targeting analog-to-digital converters (ADCs) in smart devices.
    The countermeasures involve adding randomization to ADC conversion, which
    in one case uses a random number generator to decide when each capacitor
    switches, complicating the correlation of power supplies with output data.
    That method also keeps the comparator in constant operation, preventing
    hackers from ascertaining when each conversion stage begins and ends. The
    second technique employs two comparators and an algorithm to randomly
    establish two thresholds rather than one, creating millions of ways an ADC
    could reach a digital output.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ecc8x234601x071624&

    ------------------------------

    Date: Sun, 19 Jun 2022 11:55:00 PDT
    From: Peter G Neumann <neumann@csl.sri.com>
    Subject: New Mexico's Post-Certification Recounts

    Annie Gowan, WashPost, 17 Jun 2022
    https://www.washingtonpost.com/politics/2022/06/17/new-mexico-county-weighs-defying-order-certify-election-results/

    New Mexico county certifies election results, bowing to court order. Otero
    County commissioners voted 2 to 1 to accept results in this month's
    primary, reversing an earlier decision driven by unfounded concerns about
    fraud.

    Cuoy Griffin is quoted in the article:

    ``My vote to remain a no isn't based on any evidence, it's not based on
    any facts, it's only based on my gut feeling and my own intuition, and
    that's all I need,'' Griffin said.

    ------------------------------

    Date: Thu, 16 Jun 2022 17:04:17 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: It is 2022. My coffee mug wants me to log in, wants to know my
    location, and if it can send me promotional emails... (Marc IRL)

    https://twitter.com/Marc_IRL/status/153718748767571148

    ------------------------------

    Date: Sun, 19 Jun 2022 10:11:00 PDT
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: A Language Model Trained to Mimic 4chan Might Portend AI's Grim
    Future (Georgetown CSET)

    A harbinger of the AI future?
    [Excerpted from a note by Dan Geer. PGN]

    A Language Model Trained to Mimic 4chan Might Portend AI's Grim Future
    https://cset.georgetown.edu/newsletter/june-16-2022/

    A machine learning researcher trained a language model on three and half
    years' worth of 4chan posts to create what he dubbed "the most horrible
    model on the Internet," raising concerns about the public availability of
    language models and sparking debate about their ethical use. Yannic
    Kilcher, a Swiss ML expert who covers AI and ML advances on his popular
    [30]YouTube channel, fine-tuned an existing open-source language model --
    [31]EleutherAI's GPT-J-6B -- using [32]a dataset of more than 130 million
    posts from 4chan's "Politically Incorrect" board, an online forum with
    [33]a longstanding reputation for toxicity and offensiveness. As Kilcher
    described in [34]a video documenting the process, he then programmed a
    team of bots to post on the board as often as they could. According to
    Kilcher, the bots posted approximately 30,000 times during two separate
    24-hour periods. While 4chan users were able to identify some of the bots
    for what they were, this appeared to be due less to the model's
    shortcomings and more to the bots' superhuman indefatigability -- they
    posted round-the-clock, as frequently as the site allowed. Kilcher's
    experiment was criticized by a number of experts and observers, who
    [35]called it irresponsible and unethical. While Kilcher made it possible
    for anyone to use his [36]"GPT-4chan" by uploading it to Hugging Face, an
    online repository for AI and ML code, the site quickly restricted
    access. But the cat could be out of the bag: as Kilcher's experiment
    shows, currently available open-source models and datasets can be used to
    create [37]surprisingly effective language models with relative ease.

    30. https://www.youtube.com/c/YannicKilcher/videos
    31. https://huggingface.co/EleutherAI/gpt-j-6B
    32. https://zenodo.org/record/3606810#.YpjGgexByDU
    33. https://nymag.com/intelligencer/2015/11/inside-pol-4chans-racist-heart.html
    34. https://youtu.be/efPrtcLdcdM
    35. https://fortune.com/2022/06/10/ai-chatbot-trained-on-4chan-by-yannic-kilcher-draw-ethics-questions/
    36. https://huggingface.co/ykilcher/gpt-4chan
    37. https://thegradient.pub/gpt-4chan-lessons/#:~:text=An%20evaluation%20of%20the%20model%20on%20the%20Language%20Model%20Evaluation%20Harness.%20Kilcher%20emphasized%20the%20result%20that%20GPT-4chan%20slightly%20outperformed%20other%20existing%20language%20models%20on%20the%20TruthfulQA%20Benchmark%2C%20which%20involves%20picking%20the%20most%20truthful%20answer%20to%20a%20multiple%20choice%20question

    ------------------------------

    Date: Sun, 19 Jun 2022 14:59:58 +0200
    From: risks@sctb.net
    Subject: A minor example of human factors in security

    I recently relocated to Gibraltar and looked to open a local bank account.

    With one of the banks I contacted, communication was difficult - it turned
    out their email server refused to accept or to make TLS connections, and
    my email server mandates the use of TLS; their emails to me were not being
    delivered (and their staff were either not receiving, or not
    understanding, or not acting upon any error reports) and as I discovered
    when I tried to email them, my server's connections were rejected.

    I - from a web-based email account which allows unencrypted connections -
    emailed the bank about this, pointing out the possibility, given that they
    are a bank, of people unwittingly or thoughtlessly emailing sensitive
    information, and the simplicity and ease of allowing TLS connections.

    This email went unanswered.

    I discussed the matter directly with a member of their staff, who relayed
    the issue to their IT team; I was informed the IT team did not consider it
    a security risk, and in addition (although very likely this chap was only
    speaking as himself, and not in any way reflecting bank policy), when I
    indicated the bank had three months to act before I would discuss the
    matter in public, he informed me if I did so the bank might well not wish
    to do business with me in the future.

    We all behave rationally given the incentives placed upon us in the
    situation we are in.
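    The failure described in the account above (a mail server that neither advertises nor accepts STARTTLS, so a TLS-mandating peer cannot deliver to it) is easy to verify for one's own MX hosts. The following checker is an added example, not code from the contributor: parse_ehlo() is exercised offline on constructed EHLO replies, check_starttls() is a live probe using Python's standard smtplib, and the hostnames are made up.

```python
# Added example, not from the RISKS post: check whether an SMTP server offers
# STARTTLS and whether the TLS handshake then succeeds, the two things the
# bank's server in the account above failed to do. parse_ehlo() runs offline
# on constructed EHLO replies; check_starttls() is a live probe intended for
# your own MX hosts. Hostnames below are made up.
import smtplib
import ssl


def parse_ehlo(reply: bytes) -> dict:
    """Parse a raw multi-line 250 EHLO reply into {EXTENSION: parameters}.
    The first line carries the server greeting, not an extension."""
    exts = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        if not line.startswith("250"):
            continue                       # not part of the EHLO success reply
        body = line[4:].strip()            # drop the '250-' / '250 ' prefix
        if body:
            name, _, params = body.partition(" ")
            exts[name.upper()] = params
    return exts


def offers_starttls(reply: bytes) -> bool:
    return "STARTTLS" in parse_ehlo(reply)


def check_starttls(host: str, port: int = 25, timeout: float = 10.0):
    """Live probe. Returns (advertised, handshake_ok, detail)."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo("probe.example.invalid")
            if not smtp.has_extn("starttls"):
                return False, False, "STARTTLS not advertised"
            try:
                smtp.starttls(context=ssl.create_default_context())
            except (smtplib.SMTPException, ssl.SSLError) as exc:
                return True, False, f"STARTTLS refused or handshake failed: {exc}"
            return True, True, f"TLS ok: {smtp.sock.version()}"
    except (OSError, smtplib.SMTPException) as exc:
        return False, False, f"connection failed: {exc}"


# Constructed EHLO replies, as the bytes a server sends back after EHLO.
EHLO_WITH_TLS = (b"250-mx.goodbank.example Hello probe.example.invalid\r\n"
                 b"250-SIZE 52428800\r\n"
                 b"250-STARTTLS\r\n"
                 b"250 HELP\r\n")
EHLO_NO_TLS = (b"250-mx.oldbank.example Hello probe.example.invalid\r\n"
               b"250-SIZE 10485760\r\n"
               b"250 HELP\r\n")

if __name__ == "__main__":
    print("goodbank offers STARTTLS:", offers_starttls(EHLO_WITH_TLS))
    print("oldbank offers STARTTLS:", offers_starttls(EHLO_NO_TLS))
```

    A server that advertises STARTTLS but fails the handshake (expired or mismatched certificate, for instance) shows up as (True, False, ...), which is the case that silently blocks delivery from peers configured to require verified TLS.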

    ------------------------------

    Date: Sat, 21 May 2022 18:17:34 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Serious Warning Issued For Millions Of Google Gmail Users (Forbes)

    Gmail is the world's most popular email service; it is also known as one of
    the most secure. But a dangerous exploit might make you rethink how you want
    to use the service in future.

    In an eye-opening *blog post* <https://ysamm.com/?p=763>, security
    researcher Youssef Sammouda has revealed that Gmail's OAuth authentication
    code enabled him to exploit vulnerabilities in Facebook to hijack Facebook
    accounts when Gmail credentials are used to sign in to the service. And
    the wider implications of this are significant.

    Speaking to *The Daily Swig*
    <https://portswigger.net/daily-swig/facebook-account-takeover-researcher-scoops-40k-bug-bounty-for-chained-exploit>,
    Sammouda explained that he was able to exploit redirects in Google OAuth
    and chain it with elements of Facebook's logout, checkpoint and sandbox
    systems to break into accounts. Google OAuth is part of the '*Open
    Authorization* <https://en.wikipedia.org/wiki/OAuth>' standard used by
    Amazon, Microsoft, Twitter and others which allows users to link accounts
    to third-party sites by signing into them with the existing usernames and
    passwords they have already registered with these tech giants.

    Sammouda reports no vulnerabilities using other email accounts. He does
    stress that it could potentially be applied more widely "but that was more
    complicated to develop an exploit for." He states Facebook paid him a
    $44,625 'bug bounty' for its role in this vulnerability. Facebook has
    subsequently patched the vulnerability from their side. I have contacted
    Google for a response on the role of Google OAuth in the exploit and will
    update this post when/if I receive a reply.

    Commenting on Sammouda's findings, security provider *Malwarebytes Labs*
    <https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/gmail-linked-facebook-accounts-vulnerable-to-attack-using-a-chain-of-bugs-now-fixed/>
    issued a warning to anyone using linked accounts: "Linked accounts were
    invented to make logging in easier," writes Pieter Arntz, the company's
    Malware Intelligence Researcher. "You can use one account to log in to
    other apps, sites and services... All you need to do to access the account
    is confirm that the account is yours." [...]

    https://www.forbes.com/sites/gordonkelly/2022/05/21/google-gmail-security-facebook-oauth-login-warning/

    ------------------------------

    Date: Thu, 16 Jun 2022 18:56:53 -0500
    From: dmitri maziuk <dmitri.maziuk@gmail.com>
    Subject: Re: the death knell of jSCH (RISKS-33.29)

    Java is abnormally stable. I have code I wrote in early 2000s, some of it
    rather messy and not exactly what I'd call robust design (there's a reason
    for that of course), and it's still working fine in production now.

    By today's "agile standards", this just can't be right.

    ------------------------------

    Date: 20 Jun 2022 15:34:49 -0400
    From: "John Levine" <johnl@iecc.com>
    Subject: Re: Physics-Based Cryptocurrency Transmits Energy Through
    Blockchain (LLNL, RISKS-33.29)

    I think if we remove the technobabble, this is saying that it's a
    stablecoin backed by electricity commodity futures rather than by money.
    Electricity futures are an arcane corner of the futures market, mostly of
    interest to utilities and large industrial customers, but they do exist.
    Putting them on a blockchain adds that magic pixie dust that makes it
    possible to do, well, I have no idea but I am sure it is wonderful. If you
    wanted you could do pork belly or nickel trades on a blockchain with
    exactly the same benefits.

    The claim that you can somehow take the energy used to mine cryptocurrency
    and somehow turn it back into electricity is idiotically stupid, but what
    else is new in crypto land?

    ------------------------------

    Date: Mon, 1 Aug 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 33.30
    ************************
