    RISKS-LIST: Risks-Forum Digest Wednesday 6 March 2024 Volume 34 : Issue 09

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/34.09>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents: BACKLOGGED -- MORE TO COME
    White House urges developers to dump C and C++ (Steve Bacher)
    NZ Leap Day Self Pay Petrol Pump Failures (sundry via
    Jim Geissman and Brian Inglis)
    Risks of Leap Years and Dumb Digital Watches (Mark Brader)
    Health-care hack spreads pain across hospitals and doctors
    nationwide (WashPost via Jan Wolitzky)
    Cyberattack Paralyzes the Largest U.S. Health Care Payment System
    (NYTimes.com via Jim Geissman)
    Re: Healthcare Cyberattack (Doug McIlroy)
    More than 2 Million Research Papers Have Disappeared from the
    Internet (Sarah Wild)
    GitHub Besieged by Millions of Malicious Repositories in
    Ongoing Attack (Dan Goodin)
    A Vending Machine Error Revealed Secret Face Recognition Tech (WiReD)
    Vending machines had eyes all over this Ontario campus until the students
    wised up (CBC)
    End-to-End Encryption under attack in Nevada (Mastodon)
    1-million books and 4-months later, Toronto's library recovers from a
    cyberattack (CBC via Matthew Kruk)
    Anycubic 3D Printers Hacked in Attempt to Inform Owners of
    Security Hole (Christopher Harper)
    'Keytrap' DNS bug threatens widespread Internet outages (Becky Bracken)
    Wyze security issue exposed private cameras to strangers (Heather Kelly)
    Fingerprints Recreated from Sounds of Swiping a Touchscreen (Mark Tyson)
    Algorithm Reveals What's Hidden (Rizwan Choudhury)
    'AI Godfather', Others Urge More Deepfake Regulation (Amy Tong)
    AI feedback loop will spell death for future generative models (TechSpot)
    Malware Worm Can Poison ChatGPT, Gemini-Powered Assistants (Kate Irwin)
    "AI Warfare Is Already Here" (Katrina Manson)
    I'm begging you not to Google for airline customer service numbers
    (Monty Solomon on a WashPost item)
    comp.risks via Panix? (Ed Ravin on the servers)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 28 Feb 2024 11:18:38 -0800
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: White House urges developers to dump C and C++

    Biden administration calls for developers to embrace memory-safe programming
    languages and move away from those that cause buffer overflows and other
    memory access vulnerabilities.

    The new 19-page report from ONCD gave C and C++ as two examples of
    programming languages with memory safety vulnerabilities, and it named Rust
    as an example of a programming language it considers safe. In addition, an
    NSA cybersecurity information sheet from November 2022 listed C#, Go, Java,
    Ruby, and Swift, in addition to Rust, as programming languages it considers
    to be memory-safe.
    <https://media.defense.gov/2022/Nov/10/2003112742/-1/-1/0/CSI_SOFTWARE_MEMORY_SAFETY.PDF>
    https://www.infoworld.com/article/3713203/white-house-urges-developers-to-dump-c-and-c.html

    (About time!  I've been griping about C and C++ design for decades. SB)

    [The White House press release said: “Future Software Should Be Memory
    Safe”. I might add that the report “Back to the Building Blocks: A Path
    toward Secure and Measurable Software” explicitly recommends the
    UofCambridgeUK/SRI CHERI over MTE, on page 9. That is a really nice plug.
    https://www.whitehouse.gov/oncd/briefing-room/2024/02/26/press-release-technical-report/
    PGN]

    ------------------------------

    Date: Thu, 29 Feb 2024 09:21:08 -0800
    From: "Jim" <jgeissman@socal.rr.com>
    Subject: NZ Leap Day Self Pay Petrol Pump Failures (sundry)

    Dozens of unattended fuel stations across the country stopped working on
    Thursday for hours because of a software issue.

    https://www.nytimes.com/2024/02/29/world/asia/new-zealand-leap-year-glitch-gas-pumps.html

    [Noted by quite a few of you.
    https://www.nzherald.co.nz/hawkes-bay-today/news/february-29-allied-fuel-pumps-around-nz-ground-to-a-halt-as-systems-forget-leap-year/XEQBK5JLBZG6LO3VGUQ6Q2WGC4/
    Brian Inglis noted
    https://arstechnica.com/gadgets/2024/02/leap-year-glitch-broke-self-pay-pumps-across-new-zealand-for-over-10-hours/
    PGN]

    ------------------------------

    Date: Thu, 29 Feb 2024 06:24:19 -0500 (EST)
    From: Mark Brader <msb@Vex.Net>
    Subject: Risks of Leap Years and Dumb Digital Watches

    [1] saw a previous version of this message in RISKS-6.34, 13.21, 17.81,
    20.83, 23.24, 25.07, 26.75, 29.30, and/or 31.60;

    [2] still wear a wristwatch instead of using a cellphone or something
    as a pocket watch;

    [3] have the kind that needs to be set back a day because (unlike the
    smarter types that track the year or receive information from
    external sources) it went directly from February 28 to March 1;

    and

    [4] *hadn't realized it yet*?

    (For myself, point 3 no longer applies. I replaced my old, worn-out Timex
    with a superficially identical new one and found that it does track the
    year.)
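The two leap-day items above (the NZ pump outage and the watch that skipped 29 Feb) share one mechanism: a date rollover that has no year to consult must assume February is 28 days long. The following is an added example, not code from the digest or from any contributor, that puts a "dumb" month/day clock beside a year-aware one and reports the days on which they disagree. The tables and the simulation are constructed for illustration.

```python
# Added example (not from the RISKS digest or any contributor): a "dumb"
# month/day clock beside a year-aware one, showing how the first goes
# straight from 28 Feb to 1 Mar in a leap year. All tables are constructed.
from datetime import date, timedelta

# Month lengths for a device that stores only month and day: February is
# always 28 because it has no year to consult (constructed table).
DUMB_DAYS_IN_MONTH = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]


def is_leap_year(year: int) -> bool:
    """Gregorian rule: every 4th year, except centuries not divisible by 400."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def days_in_month(year: int, month: int) -> int:
    """Year-aware month length."""
    if month == 2 and is_leap_year(year):
        return 29
    return DUMB_DAYS_IN_MONTH[month - 1]


def dumb_next_day(month: int, day: int) -> tuple:
    """Rollover for a watch that tracks only (month, day)."""
    if day < DUMB_DAYS_IN_MONTH[month - 1]:
        return (month, day + 1)
    return (month % 12 + 1, 1)


def aware_next_day(d: date) -> date:
    """Rollover for a clock that knows the year."""
    if d.day < days_in_month(d.year, d.month):
        return date(d.year, d.month, d.day + 1)
    if d.month == 12:
        return date(d.year + 1, 1, 1)
    return date(d.year, d.month + 1, 1)


def simulate_drift(start: date, days: int) -> list:
    """Advance both clocks from `start`; return (dumb, real) pairs for the
    days on which the dumb clock shows a different month/day than reality."""
    dumb = (start.month, start.day)
    real = start
    drift = []
    for _ in range(days):
        dumb = dumb_next_day(*dumb)
        real = aware_next_day(real)
        if dumb != (real.month, real.day):
            drift.append((dumb, real))
    return drift


def cross_check(year: int) -> bool:
    """Confirm aware_next_day agrees with the standard library for a whole year."""
    d = date(year, 1, 1)
    while d.year == year:
        if aware_next_day(d) != d + timedelta(days=1):
            return False
        d += timedelta(days=1)
    return True


if __name__ == "__main__":
    for dumb, real in simulate_drift(date(2024, 2, 27), 3):
        print(f"watch shows {dumb[1]:02d}/{dumb[0]:02d}, real date is {real}")
```

Run on 27 Feb 2024 the dumb clock agrees on 28 Feb, shows 1 Mar on the real 29 Feb, and stays one day ahead from then on; run on 2023 the two never diverge, which is why such defects surface only every four years.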

    ------------------------------

    Date: Mon, 4 Mar 2024 07:19:41 -0500
    From: Jan Wolitzky <jan.wolitzky@gmail.com>
    Subject: Health-care hack spreads pain across hospitals and doctors
    nationwide (WashPost)

    The fallout from the hack of a little-known but pivotal health-care company
    is inflicting pain on hospitals, doctor offices, pharmacies and millions of
    patients across the nation, with government and industry officials calling
    it one of the most serious attacks on the health-care system in U.S.
    history.

    The 21 Feb 2024 cyberattack on Change Healthcare, owned by UnitedHealth
    Group, has cut off many health-care organizations from the systems they rely
    on to transmit patients' health-care claims and get paid. The ensuing outage
    doesn't appear to affect any of the systems that provide direct, critical
    care to patients. But it has laid bare a vulnerability that cuts across the
    U.S. health-care system, frustrating patients unable to pay for their
    medications at the pharmacy counter and threatening the financial solvency
    of some organizations that rely heavily on Change's platform.

    <https://wapo.st/48UdFzj>

    ------------------------------

    Date: Tue, 5 Mar 2024 18:46:21 -0800
    From: "Jim" <jgeissman@socal.rr.com>
    Subject: Cyberattack Paralyzes the Largest U.S. Health Care Payment System
    (NYTimes.com)

    [Explore this gift article from The New York Times. You can read it for free
    without a subscription.]

    The hacking shut down the nation's biggest health care payment system,
    causing financial chaos that affected a broad spectrum ranging from large
    hospitals to single-doctor practices.

    https://www.nytimes.com/2024/03/05/health/cyberattack-healthcare-cash.html?unlocked_article_code=1.ak0.DC0g.Vjacvvma4SOQ

    [Lauren Weinstein found: Ransomware attack on U.S. health care payment
    processor 'most serious incident of its kind'
    https://www.nbcnews.com/tech/security/ransomware-attack-us-health-care-payment-processor-serious-incident-ki-rcna141322
    REALLY??? PGN]

    ------------------------------

    Date: Wed, 6 Mar 2024 10:04:42 -0500
    From: Douglas McIlroy <douglas.mcilroy@dartmouth.edu>
    Subject: Re: Healthcare Cyberattack

    This article came as a complete surprise, although it's about an attack
    that happened two weeks ago: https://www.nytimes.com/2024/03/05/health/cyberattack-healthcare-cash.html

    How did UnitedHealth (the parent of Change Healthcare) keep it out of the
    news so long? Or have these things become so common that they're no longer
    newsworthy?

    [I believe that the combination of AI hype, Bitcoin reaching an all-time
    high, and all the rampant cyberattacks has so overwhelmed the media that
    they no longer have a sense of what is most important. The Change
    Healthcare fiasco is surely a sign of the times (lower case) and of The
    Times. Doug, were you really surprised? PGN]

    ------------------------------

    Date: Wed, 6 Mar 2024 12:48:32 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: More than 2 Million Research Papers Have Disappeared from the
    Internet (Sarah Wild)

    Sarah Wild, *Nature*, 4 Mar 2024, via ACM TechNews

    Martin Eve of the U.K.'s University of London assessed whether 7,438,037
    research papers with digital object identifiers (DOIs) were held in archives
    and determined that around 28%, or more than 2 million, were not held in a
    major digital archive despite having an active DOI. Only 58% of the sample
    had been stored in at least one archive. However, Eve's research focuses
    only on articles with DOIs and did not involve a search of every digital
    repository.

    ------------------------------

    Date: Wed, 6 Mar 2024 12:48:32 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: GitHub Besieged by Millions of Malicious Repositories in
    Ongoing Attack (Dan Goodin)

    Dan Goodin, *Ars Technica*, 28 Feb 2024, via ACM TechNews

    An ongoing cyberattack at GitHub has resulted in millions of malicious code
    repositories that use malware to steal developers' passwords and
    cryptocurrency. GitHub's "automation detection seems to miss many repos,"
    contend Apiiro security researchers Matan Giladi and Gil David, "and the
    ones that were uploaded manually survive. Because the whole attack chain
    seems to be mostly automated on a large scale, the 1% that survive still
    amount to thousands of malicious repos."

    ------------------------------

    Date: Sat, 24 Feb 2024 23:03:02 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: A Vending Machine Error Revealed Secret Face Recognition Tech
    (WiReD)

    Canada-based University of Waterloo is racing to remove M&M-branded smart
    vending machines from campus after outraged students discovered the machines
    were covertly collecting face recognition data without their consent.

    The scandal started when a student using the alias SquidKid47 posted an
    image on Reddit showing a campus vending machine error message,
    “Invenda.Vending.FacialRecognitionApp.exe,” displayed after the machine
    failed to launch a face recognition application that nobody expected to be
    part of the process of using a vending machine.

    "Hey, so why do the stupid M&M machines have facial recognition?"
    SquidKid47 pondered.

    The Reddit post sparked an investigation from a fourth-year student named
    River Stanley, who was writing for a university publication called MathNEWS.

    https://www.wired.com/story/facial-recognition-vending-machine-error-investigation

    The risks? Error messages. Like airport displays, billboards, etc. showing
    fatal Windows errors.

    ------------------------------

    Date: Tue, 27 Feb 2024 06:53:09 -0700
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: Vending machines had eyes all over this Ontario campus until the
    students wised up (CBC)

    https://www.cbc.ca/news/business/vending-machine-facial-analysis-invenda-waterloo-1.7126196

    An Ontario university is pulling dozens of vending machines that were
    tracking the age and gender of customers in the latest example of pushback
    against technology that tests the boundaries of privacy rules.

    The move comes amid opposition from University of Waterloo students, who
    became aware of the technology after a Reddit user spotted an on-screen
    error message on one of the machines earlier this month, about an apparent
    problem with its facial recognition program.

    ------------------------------

    Date: Fri, 23 Feb 2024 15:32:12 PST
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: End-to-End Encryption under attack in Nevada (Mastodon)

    Idiots who don't understand the importance of ENCRYPTION, SECURITY,
    PRIVACY? Or just ANTI-TECHNOLOGISTS?

    https://mastodon.lawprofs.org/@riana/111982802756354530

    ------------------------------

    Date: Tue, 27 Feb 2024 06:54:30 -0700
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: 1-million books and 4-months later, Toronto's library
    recovers from a cyberattack (CBC)

    https://www.cbc.ca/news/canada/toronto/toronto-library-ransomware-recovery-1.7126412

    More than four months after a ransomware attack shut down the Toronto
    Public Library's computer systems, staff are finally putting a million
    stranded books back on the shelves.

    At the library's distribution centre in the east end of the city, Domenic
    Lollino wheeled pallet after pallet of library books off a tractor-trailer
    -- one of 15 such vehicles storing those books that were returned while the
    electronic cataloguing system was down.

    "It's a big backlog," he said, and it means employees like him are working
    12-hour shifts to get through it all.

    ------------------------------

    Date: Wed, 6 Mar 2024 12:48:32 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Anycubic 3D Printers Hacked in Attempt to Inform Owners of
    Security Hole (Christopher Harper)

    Christopher Harper, *Tom's Hardware*, 1 Mar 2024, via ACM TechNews

    Hackers reportedly discovered security vulnerabilities in Anycubic 3D
    printers and are using a readme file on the printer display to inform users
    about the issue and encourage them to disable the Internet connection until
    a patch is issued. The hackers indicated that they had contacted Anycubic
    regarding the two critical security flaws they uncovered but resorted to
    informing users directly after not receiving a response from the company.

    ------------------------------

    Date: Fri, 23 Feb 2024 11:13:07 -0500 (EST)
    From: ACM Technews <Technews-editor@acm.org>
    Subject: 'Keytrap' DNS bug threatens widespread Internet outages
    (Becky Bracken)

    Becky Bracken, Dark Reading, 20 Feb 2024, via ACM Technews

    Researchers at Germany's ATHENE (National Research Center for Applied
    Cybersecurity) found a design flaw in a domain name system (DNS) security
    extension that could cause widespread Internet disruptions if it were
    exploited on multiple DNS servers simultaneously. DNS servers that use the
    DNSSEC extension to validate traffic are vulnerable to the "Keytrap" DNS
    bug, which has existed since 2000. The researchers worked with Google,
    Cloudflare, and other major DNS service providers on patches before
    publishing their work.

    ------------------------------

    Date: Fri, 23 Feb 2024 11:13:07 -0500 (EST)
    From: ACM Technews <technews-editor@acm.org>
    Subject: Wyze security issue exposed private cameras to strangers
    (Heather Kelly)

    Heather Kelly, *The Washington Post*, 20 Feb 2024, via ACM Technews

    Kirkland, WA-based Wyze said about 13,000 users of its security cameras were
    able to view sensitive content from the devices of other users when the
    cameras came back online 16 Feb following an hours-long service outage
    attributed to Amazon Web Services. Some users were able to see thumbnails
    from other users' feeds in their apps and clicked to view the videos. Wyze
    attributed the mixup of device IDs and user ID mapping to a partner that has
    since fixed the issue.
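The Wyze incident as summarized above is a device-to-user mapping that came back wrong after an outage and was then trusted when serving thumbnails. The following is an added example, not Wyze's or its partner's code, showing the defensive pattern: a per-user device list may narrow the candidate set, but the authoritative ownership record decides what a caller may see, on both the list path and the direct-fetch path, and any disagreement between the two is surfaced as an audit finding rather than served. All records, names and data structures are constructed.

```python
# Added example (not Wyze's or its partner's code): serve a user's camera
# thumbnails only after re-checking device ownership against the
# authoritative account record, instead of trusting a cache rebuilt after an
# outage. Names, data structures and sample records are constructed.

# Authoritative device -> owner binding, as an account service would hold it
# (constructed).
OWNERS = {"cam-001": "alice", "cam-002": "bob", "cam-003": "bob"}

# Thumbnail store keyed by device id (constructed; content is placeholder bytes).
THUMBNAILS = {
    "cam-001": b"alice-front-door",
    "cam-002": b"bob-living-room",
    "cam-003": b"bob-garage",
}

# A per-user device list rebuilt after a restart. cam-002 ended up under
# alice as well as bob (constructed to mimic a mapping mix-up).
STALE_CACHE = {"alice": ["cam-001", "cam-002"], "bob": ["cam-002", "cam-003"]}


def audit_cache(cache: dict, owners: dict) -> list:
    """Return (user, device) pairs where the cache disagrees with ownership.
    A non-empty result is an alert condition, not something to serve."""
    return [
        (user, dev)
        for user, devices in cache.items()
        for dev in devices
        if owners.get(dev) != user
    ]


def list_thumbnails(user: str, cache: dict, owners: dict, store: dict) -> dict:
    """Object-level authorization: the cache only narrows the candidate set;
    the authoritative owner record decides what the caller may see."""
    visible = {}
    for dev in cache.get(user, []):
        if owners.get(dev) != user:
            continue  # cached mapping is wrong for this caller: deny silently
        if dev in store:
            visible[dev] = store[dev]
    return visible


def get_thumbnail(user: str, dev: str, owners: dict, store: dict) -> bytes:
    """Direct fetch path: check ownership here too, so that a device id seen
    in someone else's list cannot simply be requested by id."""
    if owners.get(dev) != user:
        raise PermissionError(f"{user} does not own {dev}")
    return store[dev]


if __name__ == "__main__":
    print("cache mismatches:", audit_cache(STALE_CACHE, OWNERS))
    print("alice sees:", sorted(list_thumbnails("alice", STALE_CACHE, OWNERS, THUMBNAILS)))
```

With the constructed stale cache, the audit reports the one bad entry (alice, cam-002), alice's listing shows only cam-001, and a direct request by alice for cam-002 is refused. The design point is that a cache or mapping table is a performance aid whose contents can be wrong after a restart; the authorization decision has to be taken on the record of truth at request time.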

    ------------------------------

    Date: Fri, 23 Feb 2024 11:13:07 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Fingerprints Recreated from Sounds of Swiping a Touchscreen
    (Mark Tyson)

    Mark Tyson, Tom's Hardware, 19 Feb 2024, via ACM TechNews

    Researchers in the U.S. and China have demonstrated a side-channel attack on
    the Automatic Fingerprint Identification System that allows fingerprint
    pattern features to be extracted from the sounds of a user's finger swiping
    a touchscreen. The attack, dubbed PrintListener, can be made through apps
    like Discord, Skype, WeChat, and FaceTime when a device's microphone is
    on. Tests of PrintListener found it could extract up to 27.9% of partial
    fingerprints, and 9.3% of complete fingerprints, within five attempts at the
    highest-security false acceptance rate setting of 0.01%.

    ------------------------------

    Date: Fri, 23 Feb 2024 11:13:07 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Algorithm Reveals What's Hidden (Rizwan Choudhury)

    Rizwan Choudhury, Interesting Engineering, 20 Feb 2024,
    via ACM TechNews

    An algorithm developed by University of South Florida (USF) researchers can
    produce 3D models of scenes behind walls, doors, and cars using the faint
    shadows cast by objects on nearby surfaces. The algorithm can reconstruct
    hidden scenes in just minutes using a single photo from a digital
    camera. Said USF's John Murray-Bruce, "We live in a 3D world, so obtaining a
    more complete 3D picture of a scenario can be critical in several situations
    and applications."

    ------------------------------

    Date: Fri, 23 Feb 2024 11:13:07 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: 'AI Godfather', Others Urge More Deepfake Regulation
    (Amy Tong)

    Anna Tong, Reuters, 21 Feb 2024, via ACM TechNews

    More than 400 AI experts and executives from various industries, including
    AI "godfather" and ACM A.M. Turing Award laureate Yoshua Bengio, signed an
    open letter calling for increased regulation of deepfakes. The letter
    states, "Today, deepfakes often involve sexual imagery, fraud, or political
    disinformation. Since AI is progressing rapidly and making deepfakes much
    easier to create, safeguards are needed." The letter provides
    recommendations for regulation, such as criminal penalties for individuals
    who knowingly produce or facilitate the spread of harmful deepfakes, and
    requiring AI companies to prevent their products from creating harmful
    deepfakes.

    ------------------------------

    Date: Sat, 24 Feb 2024 18:25:53 +0900
    From: ファーバー デイビッド Ｊ <farber@keio.jp>
    Subject: AI feedback loop will spell death for future generative models (TechSpot)

    https://www.techspot.com/news/99064-ai-feedback-loop-spell-death-future-generative-models.html

    Forward-looking: Popular Large Language Models (LLM) such as OpenAI's
    ChatGPT have been trained on human-made data, which still is the most
    abundant type of content available on the Internet right now. The future,
    however, could hold some very nasty surprises for the reliability of LLMs
    trained almost exclusively on previously generated blobs of AI bits.

    ------------------------------

    Date: Wed, 6 Mar 2024 12:48:32 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Malware Worm Can Poison ChatGPT, Gemini-Powered Assistants
    (Kate Irwin)

    Kate Irwin, *PC Magazine*, 1 Mar 2024, via ACM TechNews

    A "zero-click" AI worm able to launch an "adversarial self-replicating
    prompt" via text and image inputs has been developed by researchers at
    Cornell University, Intuit, and Technion--Israel Institute of Technology to
    exploit OpenAI's ChatGPT-4, Google's Gemini, and the LLaVA open source AI
    model. In a test of affected AI email assistants, the researchers found that
    the worm could extract personal data, launch phishing attacks, and send spam
    messages. The researchers attributed the self-replicating malware's success
    to "bad architecture design" in the generative AI ecosystem.

    ------------------------------

    Date: Wed, 6 Mar 2024 12:48:32 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: "AI Warfare Is Already Here" (Katrina Manson)

    Katrina Manson, *Bloomberg*, 28 Feb 2024

    In recent weeks, the U.S. Department of Defense's Maven Smart System was
    used to identify rocket launchers in Yemen and surface vessels in the Red
    Sea and assisted in narrowing down targets in Iraq and Syria. Maven, which
    merges satellite imagery, sensor data, and geolocation data into a single
    computer interface, uses machine learning to identify personnel and
    equipment on the battlefield and detect weapons factories and other objects
    of interest in various environmental conditions.

    ------------------------------

    Date: Tue, 27 Feb 2024 23:24:36 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: I'm begging you not to Google for airline customer service numbers

    Sure, probably that's the right number for Delta. But it could be a crook
    posing as an airline representative. Here's what to do instead of trusting
    Google.

    https://www.washingtonpost.com/technology/2024/02/27/airline-customer-service-phone-numbers/

    ------------------------------

    Date: Tue, 27 Feb 2024 23:33:06 -0500
    From: Ed Ravin <eravin@panix.com>
    Subject: comp.risks via Panix?

    [Ed is my liaison to Panix and comp.risks distribution. This is in
    response to Steve Bacher complaining about a Newcastle expired cert.
    (Lindsay is retired, but still shepherding NCL.) Steve noted that this
    came up because my screw-up prevented RISKS-34.08 from showing up on
    catless. Oops! PGN]

    It's hard to find a good news server these days. Even Google has
    dropped their Usenet connection -- no new Usenet articles in Google
    Groups starting last week.

    If you want RISKS without having to search around, go straight to
    the official archive: http://catless.ncl.ac.uk/Risks/ [rather than
    https during the slowness of the NCL admins. PGN]

    ------------------------------

    Date: Sat, 28 Oct 2023 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) has moved to the ftp.sri.com site:
    <risksinfo.html>.
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 34.09
    ************************
