
Risks Digest 34.43

daemon@ATHENA.MIT.EDU (RISKS List Owner)
Thu Aug 29 22:16:18 2024

From: RISKS List Owner <risko@csl.sri.com>
Date: Thu, 29 Aug 2024 19:15:59 PDT
To: risks@mit.edu

RISKS-LIST: Risks-Forum Digest  Thursday 29 Aug 2024  Volume 34 : Issue 43

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/34.43>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Apparent cyberattack at Seattle airport causes internet outages
 (WCBV)
Scammers dupe chemical company into wiring $60 million
 (Help Net Security)
Moscow’s Spies Were Stealing U.S. Tech, Until the FBI Started a
 Sabotage Campaign (Politico)
Android malware steals payment card data using previously unseen
 technique (ArsTechnica)
Recent bot campaign backing Poilievre shows AI easily
 accessible for political messaging: report (CBC)
Without Guardrails, Generative AI Can Harm Education (Dave Farber)
Foreign Policy: TikTok ban & global data commons (Douglas Lucas)
Telco fined $1M for transmitting Biden deepfake without
 verifying Caller ID (ArsTechnica)
RFID cards could turn into a global security mess after
 discovery of hardware backdoor (Techspot)
Apple to Let iPhone Users Delete Safari, Other Native Apps to Comply With EU
 Law (WSJ)
Re: Feds sue Georgia Tech for lying bigly about computer security
 (Cliff Kilby)
Re: Fake QR codes posted on Redondo Beach parking meters to scam drivers,
 police say (Geoff Kuenning)
Re: Birmingham Oracle (Wol)
Re: Telegram billionaire co-founder Pavel Durov arrested
 (Turgut Kalfaoglu)
Re: Policy, due care, and the failure of Heartland Tri-State
 (Phil Smith III)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 27 Aug 2024 11:43:45 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Apparent cyberattack at Seattle airport causes internet outages (WCBV)

https://www.wcvb.com/article/seattle-airport-cyberattack-internet-outages/61984238

------------------------------

Date: Tue, 27 Aug 2024 13:15:47 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Scammers dupe chemical company into wiring $60 million
 (Help Net Security)

Orion S.A., a global chemical company with headquarters in Luxembourg, has
become a victim of fraud: it lost approximately $60 million through
“multiple fraudulently induced outbound wire transfers to accounts
controlled by unknown third parties.”

Was it a BEC attack?

A representative of the company declined to share with Help Net Security any
additional details beyond what is included in the 8-K filing.

“To date, the Company has not found any evidence of additional fraudulent
activity and currently does not believe the incident resulted in any
unauthorized access to data or systems maintained by the Company,” the
filing further says.

“However, the Company’s investigation into the incident and its impacts on
the Company, including its internal controls, remains ongoing. The business
and operations were not affected.”

While Orion’s filing does not outright say that the wire transfers were the
result of business email compromise (BEC), the possibility seems most
likely. Given the above wording, the compromised email was likely that of a
supplier or customer.

  (Alternative possibilities, such as a deepfake video conference call
  paired with social engineering tricks, are possible, but less likely.)

https://www.helpnetsecurity.com/2024/08/13/orion-fraudulent-wire-transfers-60-million/

------------------------------

Date: Mon, 26 Aug 2024 15:45:46 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Moscow’s Spies Were Stealing U.S. Tech, Until the FBI Started a
 Sabotage Campaign (Politico)

During the early days of Silicon Valley, a tech industry entrepreneur teamed
up with the FBI to ship faulty devices to Moscow.

https://www.politico.com/news/magazine/2024/08/04/us-spies-soviet-technology-00164126

------------------------------

Date: Sun, 25 Aug 2024 00:10:46 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Android malware steals payment card data using previously unseen
 technique (ArsTechnica)

https://arstechnica.com/?p=2045086

------------------------------

Date: Tue, 27 Aug 2024 06:37:31 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Recent bot campaign backing Poilievre shows AI easily
 accessible for political messaging: report (CBC)

https://www.cbc.ca/news/politics/ai-platforms-generate-political-messages-rallies-1.7305321

A suspected bot campaign surrounding a recent Pierre Poilievre event shows
that generative artificial intelligence (AI) tools are easily accessible to
anyone looking to influence political messaging online, researchers have
found.

In July, the social media platform X was inundated with posts following the
Conservative leader's tour of Northern Ontario.

The posts claimed to be from people who attended Poilievre's event in
Kirkland Lake, Ont., but were actually generated by accounts in Russia,
France and other places, and many of them had similar messaging.

------------------------------

Date: Wed, 28 Aug 2024 20:49:18 +0900
From: David J. Farber <farber@keio.jp>
Subject: Without Guardrails, Generative AI Can Harm Education

A new study led by researchers at Wharton and Penn reveals that using
generative AI improves student performance, but also makes it harder for
students to learn and acquire new skills.

The researchers designed an experiment with nearly 1,000 high school math
students in Turkey to determine whether large language models can harm or
help their education. One group of students was given GPT Base, a chat
interface similar to ChatGPT-4, to help them during practice sessions. A
second group was given GPT Tutor, an interface similar to ChatGPT-4 but with
safeguards. It includes teacher input and is designed to guide students with
hints rather than directly giving answers.

------------------------------

Date: Tue, 27 Aug 2024 18:20:08 -0700
From: Douglas Lucas <dal@riseup.net>
Subject: Foreign Policy: TikTok ban & global data commons (by me)

On Aug. 27, Foreign Policy published my new article "Banning TikTok won't
keep your data safe: Pompous billionaires, authoritarian regimes, and opaque
oligarchs are hoarding our data. Only an alternative online ecosystem will
stop them." The working title was "TikTok ban shows need for real global
data commons."

From the article:

"'This is why I am working on a universal database: to try to democratize
this access to a megaphone and bring us information from everyone,' Canadian
programmer and philosopher Heather Marsh said at a censored Oxford Union
whistle-blowing panel. [...]

"Marsh proposes decoupling apps and databases with a framework separating
information into layers. The foundation [probably on IPFS] would be a
universal database where, say, professors could place instructional videos
as public data. Apps would offer additional features, such as captioning or
translation, without vacuuming up personal data as the price of
entry. Personal data would instead be treated as each individual's sole
property.

"Apps would become just apps, adding functionality and that's it, no longer
married to any company’s exclusive database. Work on middle layers—via
public or private federated servers—would enhance the universal database
with meaning and trust networks, and ready it for apps. This middle data,
and the apps themselves, could be confidential or deleted. But as long as
international consortia maintained the foundational universal database and
framework, akin to international bodies maintaining the web now, the
database would persist—a global commons."

Links:

Regular URL:
https://foreignpolicy.com/2024/08/27/biden-tiktok-bytedance-china-ban-getgee-knowledge-commons/

Erratically performing, paywall-jumping gift hyperlink for sharing
everywhere:
https://foreignpolicy.com/2024/08/27/biden-tiktok-bytedance-china-ban-getgee-keenowledge-commons/?utm_content=gifting&tpcc=gifting_article&gifting_article=YmlkZW4tdGlrdG9rLWJ5dGVkYW5jZS1jaGluYS1iYW4tZ2V0Z2VlLWtub3dsZWRnZS1jb21tb25z&pid=OC20506955

Alternate hyperlink: https://archive.ph/9Ss1S


What are the RISKS of establishing a new ecosystem decoupling apps from
databases and stratifying information into layers? As my article says,
"corporate-owned data, personal data, and public data are all hopelessly
mixed, polarizing people into inflammatory thought bubbles and stripping
them of privacy and dignity"; but also, bad actors poaching lingo from
idealistic articles to help them sell seems-similar snake oil; nobody
offering to lift a finger to fund, code, or open doors for the global data
commons project; gift hyperlinks with probably malfunctioning query strings;
exhausted underpaid journalists.

------------------------------

Date: Sun, 25 Aug 2024 00:15:46 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Telco fined $1M for transmitting Biden deepfake without
 verifying Caller ID (ArsTechnica)

https://arstechnica.com/?p=2044661

------------------------------

Date: Mon, 26 Aug 2024 22:28:03 -0400
From: Monty Solomon <monty@roscom.com>
Subject: RFID cards could turn into a global security mess after
 discovery of hardware backdoor (Techspot)
Poking at bad encryption practices to discover some outrageous, unexpected
issues

https://www.techspot.com/news/104436-previously-unknown-hardware-backdoors-could-turn-rfid-cards.html

------------------------------

From: Monty Solomon <monty@roscom.com>
Date: Sat, 24 Aug 2024 22:31:58 -0400
Subject: Apple to Let iPhone Users Delete Safari, Other Native
 Apps to Comply With EU Law (WSJ)
Company to align products with the bloc’s digital competition law
https://www.wsj.com/tech/apple-to-let-iphone-users-delete-safari-other-native-apps-to-comply-with-eu-law-58c964e8

------------------------------

Date: Thu, 29 Aug 2024 12:22:16 -0400
From: "Cliff Kilby" <cliffjkilby@gmail.com>
Subject: Re: Feds sue Georgia Tech for lying bigly about computer security
 (RISKS-34.42)

"There is a current trend toward blindly applying high-level “security”
rules to all computers in an organization, regardless of their purpose and
existing defenses."

You mean baselining?

"I've seen this with my own machines (which have extremely strong defenses):
hired-gun outsiders who have no clear understanding of CS unilaterally
decided to block access to all sorts of ports that they see as
vulnerabilities."

You mean:
Don't allow access to resources that do not have a reason to be available?
and
Once a variance is determined to be needed, follow the exception process?

It sounds like everything is in order there. I wonder why the CS department
of Harvey Mudd would find complaint.

------------------------------

Date: Mon, 26 Aug 2024 23:46:03 -0700
From: Geoff Kuenning <geoff@cs.hmc.edu>
Subject: Re: Fake QR codes posted on Redondo Beach parking meters
 to scam drivers, police say (RISKS-34.42)

The same QR-sticker scam has been reported in Conwy, Wales.  And one
suspects it has shown up elsewhere.

I always review the link on a QR code before following it.  But it can be
hard to spot a fake (poybyphone vs. paybyphone?  On a small screen they're
almost the same.)

  [One could not be a successful scientist without realizing that, in
  contrast to the popular conception supported by newspapers and mothers of
  scientists, a goodly number of scientists are not only narrow-minded and
  dull, but also just stupid. -- James Watson]
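Geoff's "poybyphone vs. paybyphone" point is that a lookalike host sits one
keystroke away from the real one. The following is added example code, not
part of the post, showing how a defender (say, a city's parking team
auditing stickers, or a wallet app warning before it opens a QR link) can
measure that distance against an allowlist of hosts the meters are supposed
to use. The allowlist entries are constructed placeholders, and the
two-label "registrable host" shortcut is an assumption made to keep the
example offline (no public suffix list, so `co.uk`-style suffixes are not
handled).

```python
from urllib.parse import urlsplit

# Constructed allowlist: the hosts a city's meters are *supposed* to point at.
# Placeholder entries for this example, not the vendors of any real city.
KNOWN_PAYMENT_HOSTS = frozenset({"paybyphone.com", "parkmobile.io"})


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertions, deletions, substitutions and
    adjacent transpositions (optimal string alignment variant)."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def registrable_host(url: str) -> str:
    """Lower-cased host reduced to its last two labels.  Assumption: no public
    suffix list is available offline, so multi-part suffixes are not handled.
    Reducing to the last two labels also means 'paybyphone.com.evil.example'
    is judged by 'evil.example', not by the familiar name in front of it."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_qr_url(url: str, known=KNOWN_PAYMENT_HOSTS, max_distance: int = 2):
    """Return (verdict, closest_known_host).  verdict is 'known' (exact
    allowlist hit), 'lookalike' (within max_distance edits of a known host,
    the typo-squat case) or 'unknown' (anything else, which a meter sticker
    should never produce)."""
    host = registrable_host(url)
    if host in known:
        return "known", host
    closest = min(known, key=lambda k: damerau_levenshtein(host, k))
    if damerau_levenshtein(host, closest) <= max_distance:
        return "lookalike", closest
    return "unknown", closest


if __name__ == "__main__":
    # Constructed sample URLs, as they might be decoded from meter stickers.
    samples = [
        "https://m.paybyphone.com/pay?meter=4412",     # legitimate subdomain
        "http://poybyphone.com/pay?meter=4412",        # one substitution
        "https://paybyhpone.com/pay",                  # one transposition
        "https://paybyphone.com.example-login.net/",   # real name as a subdomain
        "https://parking-payments.example/",           # not on the allowlist at all
    ]
    for url in samples:
        verdict, closest = classify_qr_url(url)
        print(f"{verdict:9} {url}  (closest known: {closest})")
```

The `lookalike` verdict is the one worth surfacing to a user: an `unknown`
host is obviously wrong, but a one-edit neighbour of the real vendor is
exactly the case the eye misses on a small screen.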

------------------------------

Date: Tue, 27 Aug 2024 19:28:33 +0100
From: Wols Lists <antlists@youngman.org.uk>
Subject: Re: Birmingham Oracle (Tom Van Vleck, RISKS-34.41)

> From: Cliff Kilby <cliffjkilby@gmail.com>
> Tom, Would you see this as an example of selection bias?

I (Wol) certainly would not.

It is (or was) an extremely regular meme in the UK computer press that big
Public database projects were badly specified, poorly run, and usually came
in massively late and over budget.

Given the huge number of procurement disasters at the time, they certainly
should have been.

Most SQL/Relational projects I have come across have been estimating /
budgeting disasters, and imho they are using a sledgehammer to drive a
screw.

On the other hand, while MultiValue projects may be few in number, pretty
much all the anecdotal evidence I have is that they are far less
resource-intensive, usually on time or early, and often under budget.

For example, while Cache is not a MultiValue database, it is similar, and in
a shoot-out with Oracle, Oracle struggled to meet the 100K inserts target,
invoking all sorts of cheats to hit it. Cache on the other hand had no
trouble at all, and within weeks of install breezed through 250K.

Imnsho, the problem is that the aims of database engine designers and users
differ. Relational Database Engine designers, in their attempts to avoid a
worst case scenario of an O(n) search, have made all searches O(log(n)).

MultiValue (and I presume Cache) and other database designs that predate SQL
et al have pushed the job of avoiding O(n) onto the database designers. As a
result MultiValue (in the absence of a pathological hash) guarantees a 95%
O(1) hit rate. And comes with tools to warn the DBA what the worst O is
(unlikely to exceed 2 or 3).

Given the huge size of databases nowadays, even log(n) is expensive and one
has to wonder whether the use of Relational and similar databases makes
sense as users are left sitting there waiting for the system to respond. I
know I'll often spend maybe the first hour of the day trouble-shooting "the
database failed to respond", and it's almost always just the sheer weight of
people starting work.
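The hashed-file behaviour Wol describes (near-O(1) lookups unless the hash
is pathological, plus a tool that tells the DBA the worst case) can be
simulated. The following is added example code, not part of the post and
not any real MultiValue or Cache implementation: the hashing rule is
constructed for illustration, the file is modelled as `modulo` groups of
`group_size` records with overflow frames chained behind a full group, and
the cost of reaching a record is the number of frames read. It contrasts a
well-chosen prime modulo with the classic pathology of keys that share a
factor with the modulo.

```python
from collections import defaultdict


def hash_group(key: str, modulo: int) -> int:
    """Toy hashing rule, constructed for this example (not any real MultiValue
    algorithm): numeric keys hash as their integer value, other keys as a
    base-257 polynomial of their bytes, both reduced mod `modulo`."""
    if key.isdigit():
        return int(key) % modulo
    h = 0
    for byte in key.encode():
        h = (h * 257 + byte) % modulo
    return h


def analyze_file(keys, modulo: int, group_size: int) -> dict:
    """Place keys into `modulo` groups holding `group_size` records each.
    Records beyond a group's capacity spill into overflow frames, so the Nth
    record in a group costs 1 + (N-1)//group_size frame reads to reach.
    Returns the figures a DBA's file-sizing tool would report."""
    groups = defaultdict(list)
    for key in keys:
        groups[hash_group(key, modulo)].append(key)
    probes = [1 + position // group_size
              for members in groups.values()
              for position in range(len(members))]
    return {
        "groups_used": len(groups),
        "largest_group": max(len(m) for m in groups.values()),
        "single_probe_share": sum(1 for p in probes if p == 1) / len(probes),
        "worst_probes": max(probes),
    }


if __name__ == "__main__":
    # Constructed key sets: 1000 sequential record ids, and 1000 account
    # numbers that happen to be multiples of 100.
    sequential = [str(i) for i in range(1, 1001)]
    multiples_of_100 = [str(100 * i) for i in range(1, 1001)]

    print("sequential ids, modulo 101 (prime):",
          analyze_file(sequential, 101, 10))
    # Every key is divisible by the modulo, so every key lands in group 0 and
    # the file degenerates into one long overflow chain: the O(n) case.
    print("multiples of 100, modulo 100:      ",
          analyze_file(multiples_of_100, 100, 10))
    # Same keys, modulo changed to a prime: the chain disappears.
    print("multiples of 100, modulo 101:      ",
          analyze_file(multiples_of_100, 101, 10))
```

The `worst_probes` figure is the "worst O" warning Wol mentions; a resize or a
change of modulo is the usual remedy when it climbs above a small constant.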

------------------------------

Date: Tue, 27 Aug 2024 21:24:11 +0200 (GMT+02:00)
From: Turgut Kalfaoglu <Turgut@kalfaoglu.com>
Subject: Re: Telegram billionaire co-founder Pavel Durov arrested
 (RISKS-34.42)

Back in 2018 Pavel Durov was asked by the Russian government to cooperate
and share Telegram’s encryption keys in order to stop alleged
terrorist-related activities happening via the app.

When his issues with the Russian government arose, the mainstream media
showed great praise for Telegram’s creator, applauding him and bashing
Russia.  Now Durov is in French custody and where are all of these voices
that were so eager to defend freedom of speech back in 2018?

  [A bit of gibberish fixed?  PGN]

------------------------------

Date: Mon, 26 Aug 2024 23:42:20 -0400
From: "Phil Smith III" <phsiii@gmail.com>
Subject: Re: Policy, due care, and the failure of Heartland
 Tri-State (RISKS-34.43)

> A perfect example is the commonly enforced policy

Including PCI. PCI DSS 4.0 still requires it, which is one reason a lot of
organizations are still doing it:

8.3.9, "Passwords/passphrases are changed at least once every 90 days"

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.43
************************
