[33435] in RISKS Forum
Risks Digest 34.38
daemon@ATHENA.MIT.EDU (RISKS List Owner)
Mon Jul 29 20:05:26 2024
From: RISKS List Owner <risko@csl.sri.com>
Date: Mon, 29 Jul 2024 17:05:07 PDT
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Monday 29 Jul 2024 Volume 34 : Issue 38
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.38>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Lithium Battery Fire Traps Drivers in Sweltering Heat on California Highway
(The New York Times)
Spy v spy v spy: Jamming home wifi's by crims & cops (Henry Baker)
Lawmaker uses AI voice clone to address Congress (BBC via Matthew Kruk)
AI May Save Us, or May Construct Viruses to Kill Us (NYTimes)
Robots sacked, screenings shut down: a new movement of Luddites is rising up
against AI (Ed Newton-Rex)
Restrictions on AI training data (NYTimes via Jim Geissman)
Apple signs on to Biden's responsible AI guidelines (Politico)
Crypto fanatics flock to Trump, hoping to *make bitcoin great again*.
(WashPost)
Devastating ransomware attack shuts down L.A. County courts
Proofpoint Email Routing Flaw Exploited to Send Millions
of Spoofed Phishing Emails (The Hacker News)
Prominent Short Seller Made Millions Off Bait-and-Switch Scheme,
U.S. Says (NYTimes)
Secure Boot is completely broken on 200+ models from 5 big device makers
(Ars Technica)
Hackers steal call records of 'nearly all' AT&T customers (BBC)
Security Firm Discovers Remote Worker Is North Korean Hacker (Michael Kan)
New Israeli Spyware (Israel News)
Windows resiliency: Best practices and the path forward
(MS via PGN)
Google reverts TV YouTube app to original search history behavior
(Lauren Weinstein)
CrowdStrike and fuzz testing (Martin Ward)
Re: U.S. Gender Care Is Ignoring ... (Julian Bradfield)
Re: Switzerland now requires all government software to be open source
(Amos Shapir)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Sun, 28 Jul 2024 01:29:04 -0400
From: "Gabe Goldberg" <gabe@gabegold.com>
Subject: Lithium Battery Fire Traps Drivers in Sweltering Heat on California Highway (The New York Times)
Traffic was at a standstill for hours on a portion of I-15 near Baker,
Calif., after a truck carrying lithium batteries overturned and caught
fire. [...]
Drivers were stuck in traffic in 109-degree heat on a California highway
on Saturday for hours as the authorities struggled to extinguish a fire
involving a truck carrying lithium ion batteries that had overturned on
Friday.
“Multiple attempts were made to move the container from the freeway
shoulder to open land using heavy equipment,” the San Bernardino County
Fire Protection District said on social media on Saturday. “However, the
container’s weight, exceeding 75,000 pounds, has made these efforts
unsuccessful so far.”
https://www.nytimes.com/2024/07/27/us/battery-fire-traffic-nevada-california.html?smid=nytcore-ios-share&referringSource=articleShare&sgrp=c-cb
------------------------------
Date: Sun, 28 Jul 2024 22:07:16 +0000
From: Henry Baker <hbaker1@pipeline.com>
Subject: Spy v spy v spy: Jamming home wifi's by crims & cops
Those wifi cameras that you just installed to spy on your own home (and
AirBnB guests?):
Jammed by both crims and cops!
FCC: "Yes, Wi-Fi devices that comply with FCC technical standards **must
accept interference**, including interference that may cause undesired
operation. This is because the FCC's Part 15 federal regulation limits the
amount of electromagnetic interference that electronic devices can cause,
and requires that they operate without interfering with authorized radio
services."
https://www.pcworld.com/article/2405434/burglars-are-jamming-wi-fi-security-cameras.html
Burglars are jamming Wi-Fi security cameras -- here's what you can do
Tech-savvy thieves are finding new ways to circumvent wireless networked
security cameras like Ring and Nest.
By Michael Crider Staff Writer, PCWorld Jul 22, 2024 9:24 am PDT
https://www.404media.co/dhs-has-a-ddos-robot-to-disable-internet-of-things-booby-traps-inside-homes/
DHS Has a DoS Robot to Disable Internet of Things 'Booby Traps' Inside
Homes
Jason Koebler Jul 22, 2024 at 9:50 AM
"NEO carries an onboard computer and **antenna array** that will allow
officers the ability to create a 'denial-of-service' event to disable
'Internet of Things' devices that could potentially cause harm while
entry is made."
...
https://www.fcc.gov/document/consumer-alert-using-or-importing-jammers-illegal
CONSUMER ALERT: Using or Importing Jammers is Illegal
https://www.fcc.gov/general/jammer-enforcement "Local law enforcement
agencies do ***not*** have independent authority to use jamming
equipment; in certain limited exceptions use by Federal
law-enforcement agencies is authorized in accordance with applicable
statutes.
------------------------------
Date: Thu, 25 Jul 2024 21:57:30 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Lawmaker uses AI voice clone to address Congress
We talk about the risks of AI. Thought I'd pass along a non-risk, indeed a
benefit. Let's hope for more.
https://www.bbc.com/news/videos/c728q850e5do
Virginia Congresswoman Jennifer Wexton used an artificial intelligence (AI)
programme to address the House on Thursday. A year ago, the lawmaker was
diagnosed with progressive supranuclear palsy, which makes it difficult for
her to speak.
The AI programme allowed Wexton to make a clone of her speaking voice using
old recordings of appearances and speeches she made in Congress. Wexton
appears to be the first person to speak on the House floor with a voice
recreated by AI.
[Indeed, a positive use for something that is so easily misused. PGN]
------------------------------
Date: Sat, 27 Jul 2024 22:25:52 -0600
From: "Matthew Kruk" <mkrukg@gmail.com>
Subject: AI May Save Us, or May Construct Viruses to Kill Us
(NYTimes)
https://www.nytimes.com/2024/07/27/opinion/ai-advances-risks.html
Here’s a bargain of the most horrifying kind: For less than $100,000,
it may now be possible to use artificial intelligence to develop a
virus that could kill millions of people.
That’s the conclusion of Jason Matheny, the president of the RAND
Corporation, a think tank that studies security matters and other
issues.
“It wouldn't cost more to create a pathogen that’s capable of killing
hundreds of millions of people versus a pathogen that’s only capable
of killing hundreds of thousands of people,” Matheny told me.
In contrast, he noted, it could cost billions of dollars to produce a new
vaccine or antiviral in response.
------------------------------
Date: Mon, 29 Jul 2024 06:50:26 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Robots sacked, screenings shut down: a new movement of Luddites is
rising up against AI (Ed Newton-Rex)
Robots sacked, screenings shut down: a new movement of luddites is
rising up against AI
Earlier this month, a popular lifestyle magazine introduced a new “fashion
and lifestyle editor” to its huge social media following. “Reem”
<https://sheerluxe.com/fashion/meet-our-new-ai-enhanced-editor-reem>, who on
first glance looked like a twentysomething woman who understood both fashion
and lifestyle, was proudly announced as an “AI enhanced team member”. That
is, a fake person, generated by artificial intelligence. Reem would be
making product recommendations to SheerLuxe’s followers – or, to put it
another way, doing what SheerLuxe would otherwise pay a person to do. The
reaction was entirely predictable: outrage
<https://www.bbc.com/news/articles/c3gw720vz3lo>, followed by a hastily
issued apology. One suspects Reem may not become a staple of its editorial
team.
This is just the latest in a long line of walkbacks of “exciting AI
projects” that have been met with fury by the people they’re meant to
excite. The Prince Charles Cinema in Soho, London, canceled
<https://www.bbc.co.uk/news/articles/cjll3w15j0yo.amp> a screening of an
AI-written film in June, because its regulars vehemently objected. Lego was
pressured <https://www.axios.com/2024/03/15/lego-ai-ninjago-images> to take
down a series of AI-generated images it published on its website. Doctor Who
started experimenting with generative AI, but quickly stopped after a wave
of complaints.
<https://gizmodo.com/doctor-who-ai-bbc-complaints-response-disney-plus-1851363443>
A company swallows the AI hype, thinks jumping on board will paint it as
innovative, and entirely fails to understand the growing anti-AI sentiment
taking hold among many of its customers.
Behind the backlash is a range of concerns about AI. Most visceral is its
impact on human labour: the chief effect of using AI in many of these
situations is that it deprives a person of the opportunity to do the same
work. Then there is the fact that AI systems are built by exploiting the
work
<https://www.noemamag.com/the-exploited-labor-behind-artificial-intelligence/>
of the very people they’re designed to replace, trained on their creative
output and without paying them. The technology has a tendency to sexualise
women
<https://www.theguardian.com/technology/2023/feb/08/biased-ai-algorithms-racy-women-bodies>,
is used to make deepfakes, has caused tech companies to miss climate targets
<https://www.theguardian.com/business/article/2024/jul/04/can-the-climate-survive-the-insatiable-energy-demands-of-the-ai-arms-race>
and is not nearly well enough understood for its many risks to be
mitigated. This has understandably not led to universal adulation. As Hayao
Miyazaki, the director of Studio Ghibli, the world-renowned animation
studio, has said: “I am utterly disgusted … I strongly feel that [AI] is an
insult to life itself.” [...]
https://www.theguardian.com/commentisfree/article/2024/jul/27/harm-ai-artificial-intelligence-backlash-human-labour
------------------------------
Date: Fri, 19 Jul 2024 09:00:13 -0700
From: Jim Geissman <jgeissman@socal.rr.com>
Subject: Restrictions on AI training data (NYTimes)
But there's also a lesson here for big AI companies, who have treated the
Internet as an all-you-can-eat data buffet for years, without giving the
owners of that data much of value in return. Eventually, if you take
advantage of the web, the web will start shutting its doors.
https://www.nytimes.com/2024/07/19/technology/ai-data-restrictions.html
------------------------------
Date: Sat, 27 Jul 2024 18:42:31 +0000 (UTC)
From: Steve Bacher <sebmb1@verizon.net>
Subject: Apple signs on to Biden's responsible AI guidelines (Politico)
https://www.politico.com/news/2024/07/26/apple-biden-ai-00171502
[Is there any hope that these guidelines are strong enough? PGN]
------------------------------
Date: Mon, 29 Jul 2024 10:39:58 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Crypto fanatics flock to Trump, hoping to *make bitcoin great again*
(WashPost)
The crypto community is rallying behind Trump for the 2024 election, hoping
to avoid regulation.
https://www.washingtonpost.com/business/2024/07/27/trump-bitcoin-support-2024-cryptocurrency/
------------------------------
Date: Mon, 22 Jul 2024 09:47:14 -0700
From: Jim Geissman <jgeissman@socal.rr.com>
Subject: Devastating ransomware attack shuts down L.A. County courts
(LATimes)
https://www.latimes.com/california/story/2024-07-22/la-county-court-ransomware
------------------------------
Date: Mon, 29 Jul 2024 09:22:26 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Proofpoint Email Routing Flaw Exploited to Send Millions
of Spoofed Phishing Emails (The Hacker News)
An unknown threat actor has been linked to a massive scam campaign that
exploited an email routing misconfiguration in email security vendor
Proofpoint's defenses to send millions of messages spoofing various popular
companies like Best Buy, IBM, Nike, and Walt Disney, among others.
"These emails echoed from official Proofpoint email relays with
authenticated SPF and DKIM signatures
<https://thehackernews.com/2024/02/8000-subdomains-of-trusted-brands.html>,
thus bypassing major security protections — all to deceive recipients
and steal funds and credit-card details," Guardio Labs researcher Nati
Tal said
<https://labs.guard.io/echospoofing-a-massive-phishing-campaign-exploiting-proofpoints-email-protection-to-dispatch-3dd6b5417db6>
in a detailed report shared with The Hacker News.
The cybersecurity company has given the campaign the name
EchoSpoofing. The activity is believed to have commenced in January
2024, with the threat actor exploiting the loophole to send as many as
three million emails per day on average, a number that hit a peak of
14 million in early June as Proofpoint began to enact countermeasures.
"The most unique and powerful part of this domain is the spoofing method –
leaving almost no chance to realize this is not a genuine email sent from
those companies," Tal told the publication.
"This EchoSpoofing concept is really powerful. It's kind of strange it
is being used for large-scale phishing like this instead of a boutique
spear-phishing campaign – where an attacker can swiftly take any real
company team member's identity and send emails to other co-workers –
eventually, through high-quality social engineering, get access to
internal data or credentials and even compromise the entire company."
The technique, which involves the threat actor sending the messages from an
SMTP server on a virtual private server (VPS), is notable for the fact that
it complies with authentication and security measures
<https://today.ucsd.edu/story/forwarding_based_spoofing> such as SPF and
DKIM, which are short for Sender Policy Framework and DomainKeys Identified
Mail, respectively, and refer to authentication methods that are designed
to prevent attackers from imitating a legitimate domain.
It all goes back to the fact that these messages are routed from
various adversary-controlled Microsoft 365 tenants, which are then
relayed through Proofpoint enterprise customers' email infrastructures
to reach users of free email providers such as Yahoo!, Gmail, and GMX.
This is the result of what Guardio described as a "super-permissive
misconfiguration flaw" in Proofpoint servers ("pphosted.com") that
essentially allowed spammers to take advantage of the email
infrastructure to send the messages. [...]
https://thehackernews.com/2024/07/proofpoint-email-routing-flaw-exploited.html
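The relay-based spoofing described above, as an added example that is not code from Guardio, Proofpoint or The Hacker News: a miniature model of why a message that enters a customer's outbound relay from an adversary-controlled upstream tenant still passes the recipient's SPF check (the recipient only ever sees the relay's IP, which the brand's own SPF record authorizes), and why the authorization decision therefore has to be made at the relay. Domains, addresses, the SPF record and the tenant identifiers are constructed, and the two relay policies are a simplified "any upstream tenant" versus "allowlisted tenants" model, not Proofpoint's actual configuration. DKIM behaves the same way for the same reason when the relay signs outbound mail on the customer's behalf, so it is not modelled separately.

```python
"""Forwarding-based spoofing in miniature.

Added example, not code from Guardio, Proofpoint or The Hacker News.
Domains, addresses and tenant identifiers are constructed; the relay
policies are a simplified model of "accept from any upstream tenant"
versus "accept only from the customer's own tenants", not Proofpoint's
actual configuration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: the brand's published SPF record authorizes the relay's range,
# exactly as a customer does when outsourcing outbound filtering.
SPF_RECORDS = {
    "brand.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
RELAY_IP = "198.51.100.25"   # constructed address of the relay


@dataclass
class Message:
    mail_from_domain: str    # envelope sender domain, which SPF evaluates
    upstream_tenant: str     # tenant id the relay received the message from
    subject: str


def spf_check(connecting_ip, mail_from_domain):
    """Minimal SPF evaluation: ip4 mechanisms with a -all default."""
    record = SPF_RECORDS.get(mail_from_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return "pass"
    return "fail"


def relay_accepts(msg, customer_domain, allowed_tenants=None):
    """Relay policy.

    allowed_tenants=None models the permissive flaw: any upstream tenant may
    send as the customer domain. A set of tenant ids models the restriction.
    """
    if msg.mail_from_domain != customer_domain:
        return False
    return allowed_tenants is None or msg.upstream_tenant in allowed_tenants


def deliver(msg, customer_domain, allowed_tenants=None):
    """Run the relay policy, then the recipient-side SPF check.

    Returns (relayed, spf_result). Once relayed, the recipient sees RELAY_IP
    as the connecting host rather than the attacker's server, so SPF passes
    regardless of where the message really originated.
    """
    if not relay_accepts(msg, customer_domain, allowed_tenants):
        return (False, "rejected-at-relay")
    return (True, spf_check(RELAY_IP, msg.mail_from_domain))


if __name__ == "__main__":
    spoof = Message("brand.example", "tenant-attacker-0000", "Your order")
    print("permissive relay:", deliver(spoof, "brand.example"))
    print("restricted relay:", deliver(spoof, "brand.example", {"tenant-brand-1234"}))
```

The point the model makes is that the recipient's checks are working as designed: SPF and DKIM answer "was this sent by infrastructure the domain owner authorized?", and the relay is exactly that. Whether the message should have been accepted into the relay in the first place is a question only the relay can answer, which is why the defence is an allowlist of the customer's own upstream tenants rather than anything on the receiving side.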
------------------------------
Date: Mon, 29 Jul 2024 10:44:32 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Prominent Short Seller Made Millions Off Bait-and-Switch Scheme,
U.S. Says (NYTimes)
Federal authorities filed charges against Andrew Left, founder of Citron
Research, who they said made at least $16 million from a multiyear scheme to
manipulate market prices.
https://www.nytimes.com/2024/07/26/business/andrew-left-short-seller-fraud.html
------------------------------
Date: Sat, 27 Jul 2024 01:59:54 +0000
From: Victor Miller <victorsmiller@gmail.com>
Subject: Secure Boot is completely broken on 200+ models from 5 big device
makers (Ars Technica)
[Also noted by Monty Solomon]
https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/
On Thursday, researchers from security firm Binarly revealed that Secure
Boot is completely compromised on more than 200 device models sold by Acer,
Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key
underpinning Secure Boot on those models that was compromised in 2022.
Report
https://www.binarly.io/blog/pkfail-untrusted-platform-keys-undermine-secure-boot-on-uefi-ecosystem
------------------------------
Date: Sat, 13 Jul 2024 16:11:45 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Hackers steal call records of 'nearly all' AT&T customers (BBC)
https://www.bbc.com/news/articles/c51yemmmg9mo
Hackers stole call and text records data from "nearly all" of 109 million
AT&T Wireless customers, the telecommunications company disclosed on Friday.
The firm said one suspect had been arrested after the records - from May to
October 2022 - were illegally downloaded and copied to a third-party
platform this April.
The stolen data did not contain the content of calls or texts, but did
record the numbers contacted, as well as the number and lengths of
interactions, the company said.
------------------------------
Date: Fri, 26 Jul 2024 11:00:06 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Security Firm Discovers Remote Worker Is North Korean Hacker
(Michael Kan)
Michael Kan, *PC Magazine*, 23 Jul 2024
KnowBe4, a U.S. security training firm, disclosed that it had unknowingly
hired a remote software engineer who turned out to be a North Korean hacker.
The firm revealed in a blog post that as soon as the employee received a
company-issued Mac, it began to load malware. The Mac's onboard security
software detected the malware, however, and the company was able to prevent
the hacker from using the device to compromise its internal systems.
------------------------------
Date: Sat, 27 Jul 2024 08:22:11 -0700
From: "Peter G. Neumann" <peter.neumann@sri.com>
Subject: New Israeli Spyware (Ha'aretz)
Israeli Cyber Firms Have Developed an 'Insane' New Spyware Tool. No Defense
Exists - Israel News (Ha'aretz)
https://www.haaretz.com › Israel News
According to a September 2023 Haaretz magazine article, the Israeli
cyberfirm Insanet has developed a new spyware tool called Sherlock that uses
ads for tracking and infection. The company was founded by well-known
entrepreneurs in offensive cyber and digital intelligence, and is owned by
former defense establishment members, including Dani Arditi, a former head
of the National Security Council.
------------------------------
Date: Fri, 26 Jul 2024 08:14:43 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Windows resiliency: Best practices and the path forward
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-resiliency-best-practices-and-the-path-forward/ba-p/4201550
[Please remember that *best practices* are generally a minimal set of
practices that is seriously incomplete and sometimes inappropriate,
particularly in systems with critical requirements. PGN]
------------------------------
Date: Sat, 27 Jul 2024 10:09:21 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Google reverts TV YouTube app to original search history behavior
On 21 July I noted that the TV app for YouTube (e.g. Android TV, Chromecast
with Google TV) had become much harder to use since user-specific search
history was no longer being shown, replaced with a list of (as far as I'm
concerned) utterly useless "hot, trending" topics. This meant that users had
to manually reenter their common searches with every use. Extremely bad user
experience. I made my concerns about this change known to Google. I'm sure I
wasn't the only one.
I'm pleased to report that as of this morning, the original behavior has
returned to the TV app, with user search history now appearing as it did
before. Since this was not the case last night, and the app version is now
dated 24 July, this clearly is an update.
------------------------------
Date: Mon, 29 Jul 2024 13:03:24 +0100
From: Martin Ward <mwardgkc@gmail.com>
Subject: CrowdStrike and fuzz testing
CrowdStrike were using a *signed* *verified* kernel driver that crashed and
caused a blue screen when given a data file consisting of all binary zeros.
Testing programs with random inputs dates back to the 1950s when data was
still stored on punched cards. Programmers would use punched cards that were
pulled from the trash or card decks of random numbers as input to computer
programs. If an execution revealed undesired behavior, a bug had been
detected.
In the late 1980's, Prof Barton Miller uncovered bugs in Unix (user mode)
utilities by feeding them with random data, a testing method for which he
coined the term "fuzz testing".
In April 2012, Google announced ClusterFuzz, a cloud-based fuzzing
infrastructure for security-critical components of the Chromium web browser.
In September 2014, Shellshock was disclosed as a family of security bugs in
the widely used UNIX Bash shell; most vulnerabilities of Shellshock were
found using the fuzzer AFL.
In April 2015, Hanno Böck showed how the fuzzer AFL could have found
the 2014 Heartbleed vulnerability.
In September 2016, Microsoft announced Project Springfield, a cloud-based
fuzz testing service for finding security critical bugs in software.
In September 2020, Microsoft released OneFuzz, a self-hosted
fuzzing-as-a-service platform that automates the detection of software bugs.
And yet, despite all of this, Microsoft
signed the CrowdStrike kernel mode driver *without* doing *any* fuzz
testing!
Then, CrowdStrike released a data file without testing it.
Then, all the purchasers of CrowdStrike software installed the update
on their live systems the moment it was released, without testing
it first.
Then, the systems running critical infrastructure bluescreened and could
not be fixed remotely, despite the fact that they (1) were controlling
critical infrastructure and (2) were running MicroSoft software
which is infamous for bluescreening. (They could have used virtual
machines or KVM switches to enable remote access at the hardware level).
MicroSoft's greatest contribution to the computer industry has been to
convince people that computer errors are just "glitches": a force of nature
that we just have to put up with and cannot do anything about. According to
Microsoft, CrowdStrike affected *only* 8.5 million machines ("less than 1%
of all Windows computers"), so canceling 6.5% of all air flights worldwide,
stopping hospitals from doing anything but emergency operations, preventing
911 calls from going through and so on and so on, is just not a big
deal. Nobody needs to lose their job, or stop using MicroSoft software
because of it!
[Nevertheless, it was a big deal for a lot of people
who were personally affected. PGN]
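The post's point, that a parser which trusts its input falls over on a file of all zeros while random-input testing finds that in seconds, as an added example that is not code from the post, CrowdStrike or Microsoft. The "channel file" layout is constructed for illustration (an 8-byte header of magic, entry count and default-entry index, then fixed-size entries indexing a trailing string table); the fragile parser mirrors the described failure, the hardened one rejects the same input with a controlled error, and one fuzz loop drives both.

```python
"""Fuzz testing in miniature: a fragile parser next to a hardened one.

Added example, not code from the RISKS post, CrowdStrike or Microsoft.
The file layout is constructed: an 8-byte header (4-byte magic, 2-byte
entry count, 2-byte index of the default entry), then 8-byte entries of
(offset, length) into a trailing string table.
"""
import random
import struct

MAGIC = b"CHAN"                              # constructed magic value
HEADER_FMT = "<4sHH"                         # magic, entry count, default index
HEADER_SIZE = struct.calcsize(HEADER_FMT)    # 8
ENTRY_FMT = "<II"                            # (offset, length) in the string table
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)      # 8


class RejectedInput(ValueError):
    """Controlled rejection: malformed input is refused, not dereferenced."""


def build_file(strings, default):
    """Produce a well-formed file; used as the seed for mutation fuzzing."""
    entries, table = [], b""
    for s in strings:
        entries.append(struct.pack(ENTRY_FMT, len(table), len(s)))
        table += s
    return struct.pack(HEADER_FMT, MAGIC, len(strings), default) + b"".join(entries) + table


def parse_fragile(data):
    """Trusts every field it reads and returns the default entry's bytes."""
    _magic, count, default = struct.unpack_from(HEADER_FMT, data, 0)
    entries = [struct.unpack_from(ENTRY_FMT, data, HEADER_SIZE + i * ENTRY_SIZE)
               for i in range(count)]
    table_start = HEADER_SIZE + count * ENTRY_SIZE
    off, length = entries[default]      # all-zero file: count 0, so this is IndexError
    return data[table_start + off: table_start + off + length]


def parse_hardened(data):
    """Validates each field against the file size before using it."""
    if len(data) < HEADER_SIZE:
        raise RejectedInput("truncated header")
    magic, count, default = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != MAGIC:
        raise RejectedInput("bad magic")
    table_start = HEADER_SIZE + count * ENTRY_SIZE
    if default >= count or table_start > len(data):
        raise RejectedInput("entry table inconsistent with file size")
    off, length = struct.unpack_from(ENTRY_FMT, data, HEADER_SIZE + default * ENTRY_SIZE)
    if off + length > len(data) - table_start:
        raise RejectedInput("entry points outside the string table")
    return data[table_start + off: table_start + off + length]


def fuzz(parser, rounds=2000, seed=1):
    """Feed the parser the all-zero file plus random and mutated inputs.

    Returns counts of outcomes: "ok" (parsed), "rejected" (controlled
    RejectedInput) and "crash" (any other exception, i.e. the parser fell
    over on input it should have refused).
    """
    rng = random.Random(seed)
    seed_file = build_file([b"alpha", b"beta"], 1)
    samples = [bytes(64)]                    # the all-zero case from the post
    for _ in range(rounds):
        if rng.random() < 0.5:               # mutate a valid file a few bytes at a time
            buf = bytearray(seed_file)
            for _flip in range(rng.randint(1, 4)):
                buf[rng.randrange(len(buf))] = rng.randrange(256)
            samples.append(bytes(buf))
        else:                                # or throw wholly random bytes at it
            samples.append(bytes(rng.randrange(256) for _b in range(rng.randrange(48))))
    results = {"ok": 0, "rejected": 0, "crash": 0}
    for sample in samples:
        try:
            parser(sample)
            results["ok"] += 1
        except RejectedInput:
            results["rejected"] += 1
        except Exception:                    # IndexError, struct.error, ...
            results["crash"] += 1
    return results


if __name__ == "__main__":
    for name, parser in (("fragile", parse_fragile), ("hardened", parse_hardened)):
        print(name, fuzz(parser))
```

Running it prints a non-zero crash count for the fragile parser (the all-zero file alone guarantees one) and zero for the hardened parser, whose only outcomes are "ok" and "rejected". That split is the whole value of fuzzing a component that runs in kernel mode: every "crash" entry is a blue screen waiting for the wrong data file, and the harness finds them before a release does.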
------------------------------
Date: Fri, 26 Jul 2024 10:59:22 +0100
From: Julian Bradfield <jcb@inf.ed.ac.uk>
Subject: Re: U.S. Gender Care Is Ignoring ... (Ward, RISKS-34.37)
> The so-called "comprehensive review" is the UK Cass Report which has been
> widely criticised for ignoring 98% of the published science: because these
> studies did not use double-blind testing. But in a medical environment
> where a treatment is already known to be effective, double-blind testing
> is unethical and evil.
This is itself gross misrepresentation.
The Cass Review considered 103 papers, of which 2% were considered
"high-quality", and 56% "moderate quality", and all these were
included in the analysis.
Responses to this and some other misrepresentations can be seen
here:
https://cass.independent-review.uk/home/publications/final-report/final-report-faqs/
------------------------------
Date: Sat, 27 Jul 2024 12:43:55 +0300
From: Amos Shapir <amos083@gmail.com>
Subject: Re: Switzerland now requires all government software to
be open source (RISKS-34.37)
I suspect that this law is not going to achieve what legislators hope for.
Companies who wish to keep their code hidden can do it while still formally
complying with the law. E.g., they can post code in assembly (which can be
generated automatically by tools like "cc -S") if regulations allow it.
There are also shrouding tools which remove comments and change all
statements to something like "felicity = commandment + serenity".
Such practices may adhere to the letter of the law, but make "public" code
virtually unusable for any practical purpose.
------------------------------
Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) has moved to the ftp.sri.com site:
<risksinfo.html>.
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
delightfully searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 34.38
************************