• Risks Digest 34.42

    From RISKS List Owner@21:1/5 to All on Tue Aug 27 03:13:14 2024
    RISKS-LIST: Risks-Forum Digest Monday 26 Aug 2024 Volume 34 : Issue 42

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/34.42>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Protecting Connected Self-Driving Vehicles from Hackers
    (Patricia DeLacey)
    ARRL hit with ransomware (Steve Golson)
    Fake QR codes posted on Redondo Beach parking meters to scam drivers,
    police say (LA Times)
    Toward a Code-Breaking Quantum Computer (Adam Zewe)
    Multiple Flaws in Microsoft macOS Apps Unpatched Despite
    Potential Risks (Connor Jones)
    More on Boeing fuselage panel blowout (Seattle Times)
    Park'N Fly reveals data breach affecting 1 million customer files (CBC)
    Local Networks Go Global When Domain Names Collide (Krebs)
    Biometrics in the workplace may be the way of the future.
    But at what cost? (CBC)
    Telegram billionaire co-founder Pavel Durov arrested
    (Lauren Weinstein)
    Almost half of FDA-approved AI medical devices are not
    trained on real patient data (MedicalXpress.com)
    How much more water and power does AI computing demand? Tech firms
    don't want you to know (LA Times)
    How Section 230 Is Being Used Against Tech Giants Like Meta (NY Times)
    Two policy articles suggested by Dan Geer (PGN)
    Re: Policy, due care, and the failure of Heartland Tri-State
    (Geoff Kuenning, Cliff Kilby)
    Re: Birmingham Oracle (Cliff Kilby)
    Re: High-end racing bikes are now vulnerable to hacking
    (Geoff Kuenning)
    Re: Feds sue Georgia Tech for lying bigly about computer security
    (Geoff Kuenning)
    Re: Kroger unveils AI-powered automatic price gouger (Wol)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 26 Aug 2024 11:38:17 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Protecting Connected Self-Driving Vehicles from Hackers
    (Patricia DeLacey)

    Patricia DeLacey, University of Michigan Computer Science and
    Engineering, 20 Aug 2024, via ACM TechNews

    University of Michigan (U-M) researchers found that connected self-driving vehicles are vulnerable to data fabrication attacks, which occur when
    hackers remove real objects from or insert fake objects into perception
    data. Researchers at U-M's Mcity Test Facility used falsified LiDAR-based
    3D sensor data and zero-delay attack scheduling to better understand the security vulnerabilities, and developed the Collaborative Anomaly Detection system as a countermeasure. The system uses shared 2D occupancy maps to cross-check the data and quickly identify geometric inconsistencies.

    ------------------------------

    Date: Sun, 25 Aug 2024 23:48:39 -0400
    From: Steve Golson <sgolson@trilobyte.com>
    Subject: ARRL hit with ransomware

    American Radio Relay League (ARRL), the U.S. national association for
    amateur radio, was hit with a sophisticated ransomware attack.

    https://www.arrl.org/news/arrl-it-security-incident-report-to-members

    Sometime in early May 2024, ARRL’s systems network was compromised by
threat actors (TAs) using information
    they had purchased on the dark web. The TAs accessed headquarters
    on-site systems and most cloud-based systems. They used a wide variety
    of payloads affecting everything from desktops and laptops to
    Windows-based and Linux-based servers. Despite the wide variety of
    target configurations, the TAs seemed to have a payload that would
    host and execute encryption or deletion of network-based IT assets, as
    well as launch demands for a ransom payment, for every system.

    This serious incident was an act of organized crime. The highly
    coordinated and executed attack took place during the early morning
    hours of May 15. That morning, as staff arrived, it was immediately
    apparent that ARRL had become the victim of an extensive and
    sophisticated ransomware attack. The FBI categorized the attack as
    “unique” as they had not seen this level of sophistication among the
many other attacks they have experience with.

    The ransom demands by the TAs, in exchange for access to their
    decryption tools, were exorbitant. It was clear they didn’t know, and didn’t care, that they had attacked a small 501(c)(3) organization
    with limited resources. Their ransom demands were dramatically
    weakened by the fact that they did not have access to any compromising
    data. It was also clear that they believed ARRL had extensive
    insurance coverage that would cover a multi-million-dollar ransom
    payment.

    [Also noted by Gabe Goldberg. PGN]

    ------------------------------

    Date: Mon, 26 Aug 2024 06:40:28 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Fake QR codes posted on Redondo Beach parking meters to scam drivers,
    police say (LA Times)

    The QR codes, which appear to be connected to a 'quishing' scam, were found
    on about 150 parking meters along the Esplanade and in the Riviera Village area, police said.

    Someone affixed fraudulent QR codes to parking meters in popular areas of Redondo Beach in an attempt to scam residents and visitors, authorities
    warned.

    The QR codes — which direct people to a website that’s not affiliated
    with the city or its official parking meter system — were found on
    about 150 parking meters along the Esplanade and in the Riviera
    Village area, the Redondo Beach Police Department said Saturday in a
    news release. When users reached that website, poybyphone.online,
    they were prompted to enter their location and payment information.
    [...]

    https://www.latimes.com/california/story/2024-08-25/fake-qr-codes-posted-on-redondo-beach-parking-meters-to-scam-people-police-say

    [How can the police department become non-Redondont? PGN]

    [Now we have to worry about squishing quishing. PGN]

    [Perhaps the `o' in `poy' was in cyrillic? PGN]

    ------------------------------

    Date: Mon, 26 Aug 2024 11:38:17 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Toward a Code-Breaking Quantum Computer (Adam Zewe)

    Adam Zewe, *MIT News*, 23 Aug 2024, via ACM TechNews

    Massachusetts Institute of Technology (MIT) researchers have developed an algorithm that could help pave the way for encryption methods strong enough
    to withstand a quantum computer's code-breaking power and feasible to implement. The new algorithm uses a series of Fibonacci numbers requiring simple multiplication instead of squaring, which allows any exponent to be computed using only two qubits. It also addresses error correction,
    filtering out corrupt results and processing only correct ones.

    ------------------------------

    Date: Mon, 26 Aug 2024 11:38:17 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Multiple Flaws in Microsoft macOS Apps Unpatched Despite
    Potential Risks (Connor Jones)

Connor Jones, *The Register*, 19 Aug 2024, via ACM TechNews

    Security researchers at Cisco Talos identified eight flaws in Microsoft's
    macOS apps that could allow hackers to access a device to record video and sound, obtain sensitive data, log user input, and escalate privileges. The vulnerabilities affect Microsoft products Excel, OneNote, Outlook,
    PowerPoint, Teams, and Word. The researchers said Microsoft considers the
    flaws to be low risk and has no plans to fix them.

    ------------------------------

    Date: Sun, 25 Aug 2024 12:31:19 -0700
    From: "George V. Reilly" <george@reilly.org>
    Subject: More on Boeing fuselage panel blowout (Seattle Times)

    A cascade of diffuse responsibility and pressure to finish the job.

    The near-catastrophic midair blowout of a door-sized fuselage panel
    on an Alaska Airlines 737 MAX 9 in Jan 2024 was caused by two
    distinct manufacturing errors by different crews on successive days
    last fall in Boeing’s assembly plant in Renton.

    The first manufacturing lapse occurred within a four-hour window early
    18 Sep 2023. On the evening of the next day, in the space of about an
    hour, the second error was made by a different crew of mechanics,
    untrained to work on that fuselage panel, known as a door plug,
    according to federal investigative and internal Boeing records.
    Boeing’s quality control system failed to catch the faulty work
performed within those two windows.

    https://www.seattletimes.com/business/boeing-aerospace/inside-boeings-factory-lapses-that-led-to-alaska-air-blowout

    ------------------------------

    Date: Mon, 26 Aug 2024 17:11:29 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: Park'N Fly reveals data breach affecting 1 million customer files
    (CBC)

    https://www.cbc.ca/news/business/park-n-fly-data-breach-canada-1.7305301

    Parking provider Park'N Fly has disclosed that an unauthorized third party breached its network last month and gained access to one million customer files.

    The breach occurred from July 11 to July 13, but the company said in a statement that an investigation has determined that "no payment information
    was compromised."

    Park'N Fly said the personal information that was accessed may include
    "names and basic contact information," including email and mailing
    addresses.

    The company said it has taken steps to upgrade its network security and has notified customers about the breach.

    ------------------------------

    Date: Sun, 25 Aug 2024 15:45:36 +0000 (UTC)
    From: "Steve Bacher" <sebmb1@verizon.net>
    Subject: Local Networks Go Global When Domain Names Collide (Krebs)

    The proliferation of new top-level domains (TLDs) has exacerbated a
    well-known security weakness: Many organizations set up their internal Microsoft authentication systems years ago using domain names in TLDs
    that didn’t exist at the time. Meaning, they are continuously sending
    their Windows usernames and passwords to domain names they do not
    control and which are freely available for anyone to register. Here’s
    a look at one security researcher’s efforts to map and shrink the size
    of this insidious problem.

    https://krebsonsecurity.com/2024/08/local-networks-go-global-when-domain-names-collide/
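The first step in the mapping Krebs describes is knowing which of your own internal suffixes sit under a TLD that now exists in the root. The script below is an added example, not code from the Krebs article or from the researcher it covers. It parses the format of IANA's root-zone list (https://data.iana.org/TLD/tlds-alpha-by-domain.txt, one upper-case TLD per line with a '#' comment header), but the list embedded here is a constructed subset, as is the inventory of suffixes and the "owned" domain; feed it the full current file in practice.

```python
"""
Audit internal DNS/AD suffixes for name-collision exposure.

Added example; not code from the Krebs article. IANA_TLD_SNAPSHOT is a
constructed subset in the format of tlds-alpha-by-domain.txt; the
inventory and owned-domain set are constructed too.
"""
from __future__ import annotations

# Names that cannot be delegated in the public root: RFC 6761 special-use
# (test, example, invalid, localhost), mDNS 'local' (RFC 6762),
# home.arpa (RFC 8375), and 'internal' (reserved by ICANN in 2024).
RESERVED_SUFFIXES = frozenset(
    {"test", "example", "invalid", "localhost", "local", "home.arpa", "internal"}
)

# Constructed subset of the IANA list. 'corp', 'home' and 'mail' are
# deliberately absent: ICANN has withheld them because of exactly this
# collision problem, so they resolve to nothing today but are still not
# a safe foundation for an AD forest.
IANA_TLD_SNAPSHOT = """\
# Version 2024082600, Last Updated Mon Aug 26 07:07:01 2024 UTC
COM
NET
ORG
ARPA
LLC
INC
GROUP
NETWORK
CLOUD
DEV
BANK
GLOBAL
"""


def parse_iana_tld_list(text: str) -> set[str]:
    """Parse the IANA list: skip blanks and '#' comments, lower-case labels."""
    tlds: set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tlds.add(line.lower())
    return tlds


def normalize(name: str) -> str:
    """Lower-case, strip whitespace and any trailing root dot."""
    return name.strip().rstrip(".").lower()


def classify_suffix(name: str, delegated: set[str],
                    owned: frozenset[str] = frozenset()) -> str:
    """Classify one internal suffix.

    'single-label'  no dot at all (e.g. a NetBIOS-style 'CORP'): clients
                    append search suffixes and may send the lookup outside.
    'owned'         under a registrable domain the organisation controls.
    'reserved'      under a special-use name that will never be delegated.
    'public-tld'    the TLD exists in the root and the org does not own the
                    name, so anyone can register it and collect the
                    credentials Krebs describes.
    'not-delegated' the TLD is not in the root today: a collision in waiting.
    """
    n = normalize(name)
    if not n:
        raise ValueError("empty suffix")
    if "." not in n:
        return "single-label"
    for dom in owned:
        dom = normalize(dom)
        if n == dom or n.endswith("." + dom):
            return "owned"
    labels = n.split(".")
    if labels[-1] in RESERVED_SUFFIXES or ".".join(labels[-2:]) in RESERVED_SUFFIXES:
        return "reserved"
    if labels[-1] in delegated:
        return "public-tld"
    return "not-delegated"


def audit(suffixes: list[str], delegated: set[str],
          owned: frozenset[str] = frozenset()) -> dict[str, str]:
    """Map every suffix in the inventory to its verdict."""
    return {s: classify_suffix(s, delegated, owned) for s in suffixes}


if __name__ == "__main__":
    delegated = parse_iana_tld_list(IANA_TLD_SNAPSHOT)
    owned = frozenset({"acme-widgets.com"})        # constructed
    inventory = [                                   # constructed
        "corp.acme-widgets.llc",     # became registrable when .llc launched
        "ad.acme-widgets.corp",      # .corp is withheld: lucky, not safe
        "CORP",                      # single-label forest name
        "acme.local",
        "corp.acme-widgets.com.",    # trailing dot, under an owned domain
        "lab.acme-widgets.internal",
    ]
    for suffix, verdict in audit(inventory, delegated, owned).items():
        print(f"{suffix:28} {verdict}")
```

Anything that comes back 'public-tld' needs either a defensive registration of the name or a migration to an owned or reserved suffix; 'not-delegated' entries deserve the same plan before the next round of TLD delegations, and a 'single-label' result is worth fixing regardless of what the root contains.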

    ------------------------------

    Date: Sun, 25 Aug 2024 10:13:02 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: Biometrics in the workplace may be the way of the future.
    But at what cost? (CBC)

    https://www.cbc.ca/radio/costofliving/biometrics-in-workplace-1.7300573

    When Ellie Thomson arrives at work, she doesn't punch in on a physical
    clock or even check in on an app. Instead, she scans her finger.

    "Seeing everyone else go ahead and do it, it just figured like the right
thing to do and there was no issues with it," Thomson told Cost of Living.

    Thomson is a 21-year-old server and bartender at charbar in Calgary. She's
    one of many employees who now use biometric technology such as fingerprint scanning to clock in and out, and that number is rising.

    ------------------------------

    Date: Sat, 24 Aug 2024 16:42:10 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Telegram billionaire co-founder Pavel Durov arrested in France

    Apparently part of an investigation into reported use of Telegram
    for criminal activity.

    ------------------------------

    Date: Tue, 27 Aug 2024 00:33:00 +0000
    From: Richard Marlon Stein <rmstein@protonmail.com>
    Subject: Almost half of FDA-approved AI medical devices are not
    trained on real patient data (MedicalXpress.com)

    https://medicalxpress.com/news/2024-08-fda-ai-medical-devices-real.html

    "Although AI device manufacturers boast of the credibility of their
    technology with FDA authorization, clearance does not mean that the
    devices have been properly evaluated for clinical effectiveness using
    real patient data."

    There's no standard for the clinical evaluation of Medical AI. The
    FDA's evaluation of device approval is guided by evidence generated
    from retrospective studies, prospective studies and randomized control
    trials.

    Is simulated patient data a viable alternative for device approval?
    We're about to discover that answer.

The FDA MAUDE platform documents adverse device reports for injury,
malfunction, and death events for approved medical devices (with or
without AI) sold into the consumer marketplace.

    ------------------------------

    Date: Mon, 26 Aug 2024 06:38:27 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: How much more water and power does AI computing demand? Tech firms
    don't want you to know (LA Times)

    Every time someone uses ChatGPT to write an essay, create an image or advise them on planning their day, the environment pays a price.

    A query on the chatbot that uses artificial intelligence is estimated to require at least 10 times more electricity than a standard search on Google.

    If all Google searches similarly used generative AI, they might consume as
    much electricity as a country the size of Ireland, calculates Alex de Vries, the founder of Digiconomist, a website that aims to expose the unintended consequences of digital trends.

    Yet someone using ChatGPT or another artificial intelligence
    application has no way of knowing how much power their questions will
    consume as they are processed in the tech companies’ enormous data
    centers. [...]

    https://www.latimes.com/environment/story/2024-08-26/tech-firms-conceal-water-and-power-demands-of-ai-computing

    ------------------------------

    Date: Sun, 25 Aug 2024 19:16:36 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: How Section 230 Is Being Used Against Tech Giants Like
    Meta (The New York Times)

    A Massachusetts professor has filed a lawsuit against Meta using a
    novel interpretation of Section 230, a law known primarily for
    shielding social media companies from liability.

    Facebook, X, YouTube and other social media platforms rely on a 1996
    law to insulate themselves from legal liability for user posts. The
    protection from this law, Section 230 of the Communications Decency
    Act, is so significant that it has allowed tech companies to flourish.

    But what if the same law could be used to rein in the power of those social media giants?

    That idea is at the heart of a lawsuit filed in May against Meta, the owner
    of Facebook, Instagram and WhatsApp. The plaintiff has asked a federal court
    to declare that a little-used part of Section 230 makes it permissible for
    him to release his own software that lets users automatically unfollow
    everyone on Facebook.

    The lawsuit, filed by Ethan Zuckerman, a public policy professor at the University of Massachusetts Amherst, is the first to use Section 230 against
    a tech giant in this way, his lawyers said. It is an unusual legal maneuver that could turn a law that typically protects companies like Meta on its
    head. And if Mr. Zuckerman succeeds, it could mean more power for consumers
    to control what they see online.

    https://www.nytimes.com/2024/08/20/technology/meta-section-230-lawsuit.html?unlocked_article_code=1.Fk4.86mE.Yf_Ivbw_qdOS&smid=nytcore-ios-share&referringSource=articleShare&sgrp=c-cb

    As plenty of comments note, control what you see by not being on Facebook.
    That appears to be possible, contrary to far-too-common belief.

    ------------------------------

    Date: Mon, 26 Aug 2024 8:41:41 PDT
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: Two policy articles suggested by Dan Geer

    Cyber-Effects in Warfare: Categorizing the Where, What, and Why
Jason Healey https://tnsr.org/2024/08/cyber-effects-in-warfare-categorizing-the-where-what-and-why/

    Data as Ammunition: A New Framework for Information Warfare
    Lt. Col. Jessica Dawson and Col. Katie E. Matthew https://cyberdefensereview.army.mil/Portals/6/Documents/2024_Summer/CDRV9N2_Summer_2024-SE-Web.pdf

    ------------------------------

    Date: Sun, 25 Aug 2024 02:34:07 -0700
    From: Geoff Kuenning <geoff@cs.hmc.edu>
    Subject: Re: Policy, due care, and the failure of Heartland Tri-State
    Bank (Kilby, RISKS-34.41)

    Or quite possibly the policy is wrong, imposed by somebody who is blindly parroting advice that they themselves don't understand. A perfect example
    is the commonly enforced policy that passwords should be forcibly changed on
    a periodic basis, which was originally recommended by NIST based on a fundamental misunderstanding of the issues. (That particular bit of bad
    advice has recently been rescinded, but many organizations are still
    following it.)

    ------------------------------

    Date: Sun, 25 Aug 2024 06:32:40 -0400
    From: Cliff Kilby <cliffjkilby@gmail.com>
    Subject: Re: Policy, due care, and the failure of Heartland Tri-State
    Bank (Kuenning, RISKS-34.42)

    "If the company adopts a poor practice as policy, follow the policy, but
    report the poor practice to your supervisor, the GRC team, or your Ethics
    line, should you be in a company large enough to have one."

    The policy may be stupid, or out of date, or in the case of mandatory
    password resets, demanded by insurance carriers or contract. PCI-DSS
    continues to be a big driver of the rotation policy.

    https://www.pcisecuritystandards.org/documents/PCI-DSS-v3-2-1-to-v4-0-Summary-of-Changes-r1.pdf

    Failure to adhere to PCI-DSS can get your company stripped of the ability
    to process credit cards.

In Heartland's case, failure to follow wire/transfer limit policy appears
to have contributed directly to the bank's failure.

    It doesn't matter why it's policy, if it's not your job to review and
    change policy; follow the policy, report the poor practice.

    Another example:

    Policy: Use Antivirus (AV).
    Action: The policy impedes my job, I won't.
    Result: Lawsuit, directed at the specific individual who decided not to
    follow policy, and the org that permitted it to be bypassed.

    https://arstechnica.com/security/2024/08/oh-your-cybersecurity-researchers-wont-use-antivirus-tools-heres-a-federal-lawsuit/

    Is traditional AV less than 100% effective? Most likely. https://scholarworks.gsu.edu/cgi/viewcontent.cgi?article=1000&context=ebcs_tools

    Can it be used as a security control for the swiss cheese model?
    Absolutely.
    https://en.m.wikipedia.org/wiki/Swiss_cheese_model

    Was it contractually specified?
    If so, it doesn't matter if it is effective or difficult to maintain. The contract will tend to become the risk first.

    ------------------------------

    Date: Sun, 25 Aug 2024 07:27:11 -0400
    From: Cliff Kilby <cliffjkilby@gmail.com>
    Subject: Re: Birmingham Oracle (Tom Van Vleck, RISKS-34.41)

    Tom, Would you see this as an example of selection bias?

    I.e., are there few reports of an Oracle implementation coming in on
    time/on budget because estimates are hard, or because there is a
    tendency to underreport things that worked as they were anticipated
    to?

    I am not familiar with the Birmingham IT procurement system. I wonder if
    they (or Oracle) attempted to account for Hofstadter at all.

    ------------------------------

    Date: Sun, 25 Aug 2024 02:22:49 -0700
    From: Geoff Kuenning <geoff@cs.hmc.edu>
    Subject: Re: High-end racing bikes are now vulnerable to hacking
    (The Verge)

    As an avid (if third-rate) cyclist and racing fan, I of course read the
    paper. On the plus side, the attacks would be hard to deploy in practice:
    they require prior proximity to the victim's bike and need to be in the vicinity at the moment of the attack. Even on steep climbs, professional racers go by at 10-15 MPH (15-25 KPH), and in sprints they're going over 40 (65), so the in-range time for a spectator is minimal. You also have to
    fake them out at the right moment. Thus, the best approach would be to have the attacking equipment in a nearby rider's pocket, and the uncertainties of racing (plus the weight issues) make that unlikely.

    On the minus side, this highlights the fact that we don't train budding computer scientists (and, sadly, engineers in other disciplines who think they're qualified to write code) in security issues--especially relatively subtle vulnerabilities like this one. The most important RISK given in the paper is a replay attack, which is *well* known to the security community
    but not to most programmers.

    Perhaps every CS degree should include a semester that covers nothing but
    types of attacks, ignoring mitigations because it's better to spend the time
    on variations?

    (BTW, my current bike has wired electronic shifting. I don't race any more anyway, but the paper highlighted that there is *NO* benefit to going
    wireless; in fact it almost certainly adds unwanted weight for extra
    batteries. Wireless shifters are just a case of manufacturers adopting the latest tech just because (a) it's "cool" and (b) they think wires are ugly.)
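The replay attack Kuenning singles out can be shown in a few lines. What follows is an added example, not code from the paper, from The Verge, or from any shifter vendor: the frame layout, the 16-byte pairing key and the 1..12 gear range are all constructed for illustration and say nothing about the real wireless-shifting protocol. It shows an authenticated command that is nonetheless replayable, beside the same command with a monotonic counter bound into the MAC.

```python
"""
Replay attack on an authenticated command frame, and the counter-based fix.

Added example; hypothetical wire format, constructed key and gear range.
v1 frame: cmd(1) || tag(8).   v2 frame: cmd(1) || counter(4, big-endian) || tag(8).
"""
import hashlib
import hmac
import struct

PAIRING_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
CMD_UP, CMD_DOWN = 0x01, 0x02
TAG_LEN = 8  # truncated HMAC-SHA256 tag; radio frames are small


def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Shifter:
    """Transmitter side for both frame formats."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0  # a real device must persist this across battery swaps

    def press_v1(self, cmd: int) -> bytes:
        body = bytes([cmd])
        return body + _tag(self.key, body)

    def press_v2(self, cmd: int) -> bytes:
        self.counter += 1
        body = bytes([cmd]) + struct.pack(">I", self.counter)
        return body + _tag(self.key, body)


class Derailleur:
    """Receiver base: applies an authenticated command to the gear index."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.gear = 5

    def _apply(self, cmd: int) -> None:
        if cmd == CMD_UP:
            self.gear = min(12, self.gear + 1)
        elif cmd == CMD_DOWN:
            self.gear = max(1, self.gear - 1)


class DerailleurV1(Derailleur):
    """Vulnerable: the tag proves the frame came from the paired shifter but
    ties it to no particular press, so a frame captured once is accepted
    every time it is re-sent."""

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 1 + TAG_LEN:
            return False
        body, tag = frame[:1], frame[1:]
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return False
        self._apply(body[0])
        return True


class DerailleurV2(Derailleur):
    """Hardened: the counter is inside the MAC'd body and only counters above
    the highest seen are accepted, so a captured frame is rejected and a
    forged one fails the tag check."""

    def __init__(self, key: bytes) -> None:
        super().__init__(key)
        self.last_counter = 0

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 5 + TAG_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return False
        counter = struct.unpack(">I", body[1:5])[0]
        if counter <= self.last_counter:
            return False  # replayed or stale frame
        self.last_counter = counter
        self._apply(body[0])
        return True


def demo() -> dict:
    """An attacker in radio range records one genuine 'shift up' and re-sends it."""
    shifter = Shifter(PAIRING_KEY)
    v1, v2 = DerailleurV1(PAIRING_KEY), DerailleurV2(PAIRING_KEY)

    captured = shifter.press_v1(CMD_UP)
    v1.receive(captured)
    v1_replays = sum(v1.receive(captured) for _ in range(3))

    captured = shifter.press_v2(CMD_UP)
    v2.receive(captured)
    v2_replays = sum(v2.receive(captured) for _ in range(3))

    # Without the key the attacker cannot mint a frame carrying a fresh counter.
    forged = bytes([CMD_UP]) + struct.pack(">I", 999) + bytes(TAG_LEN)
    return {
        "v1_gear": v1.gear, "v1_replays_accepted": v1_replays,
        "v2_gear": v2.gear, "v2_replays_accepted": v2_replays,
        "v2_forgery_accepted": v2.receive(forged),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

The receiver checks "strictly greater than", not "equal to the next value", so a frame lost to radio noise does not desynchronise the pair. The price is that the counter must survive a battery change on the shifter (or the devices must re-pair with a fresh key), since a reset counter would be rejected by a receiver that remembers the old high-water mark.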

    ------------------------------

    Date: Sun, 25 Aug 2024 02:29:44 -0700
    From: Geoff Kuenning <geoff@cs.hmc.edu>
    Subject: Re: Feds sue Georgia Tech for lying bigly about computer security
    (DoJ)

    This story scares me. There is a current trend toward blindly applying high-level "security" rules to all computers in an organization, regardless
    of their purpose and existing defenses. I've seen this with my own machines (which have extremely strong defenses): hired-gun outsiders who have no
    clear understanding of CS unilaterally decided to block access to all sorts
    of ports that they see as vulnerabilities. In my own case I've had to fight
    to get necessary ports unblocked, modify how I operate, and even rewrite software to work around their unjustified and unfocused paranoia.

    Not to mention the people (some of whom are at Georgia Tech) who are doing security research and *need* to keep their honeypots and sandboxes open to attackers.

    ------------------------------

    Date: Sun, 25 Aug 2024 17:22:36 +0100
    From: Wol <antlists@youngman.org.uk>
    Subject: Re: Kroger unveils AI-powered automatic price gouger
    (Levine, RISKS-34.41)

    My employer is trying to do exactly this. They want to know how much "must
    be sold" stock is left in the warehouse as end-of-day approaches. Unfortunately, the IT department is telling the analysts they need to wait
    an hour or so, so IT can make sure the data is accurate.

    Classic confusion between "timely" and "accurate" - how can the data be accurate if it's an hour out-of-date, and rather more important, how can the 3pm data be timely if the store closes at 4pm!

    ------------------------------

    Date: Sat, 28 Oct 2023 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) has moved to the ftp.sri.com site:
    <risksinfo.html>.
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 34.42
    ************************

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)