Risks Digest 34.43

    From RISKS List Owner@21:1/5 to All on Fri Aug 30 02:18:18 2024
    RISKS-LIST: Risks-Forum Digest Thursday 29 Aug 2024 Volume 34 : Issue 43

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/34.43>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Apparent cyberattack at Seattle airport causes internet outages
    (WCBV)
    Scammers dupe chemical company into wiring $60 million
    (Help Net Security)
    Moscow’s Spies Were Stealing U.S. Tech, Until the FBI Started a
    Sabotage Campaign (Politico)
    Android malware steals payment card data using previously unseen
    technique (ArsTechnica)
    Recent bot campaign backing Poilievre shows AI easily
    accessible for political messaging: report (CBC)
    Without Guardrails, Generative AI Can Harm Education (Dave Farber)
    Foreign Policy: TikTok ban & global data commons (Douglas Lucas)
    Telco fined $1M for transmitting Biden deepfake without
    verifying Caller ID (ArsTechnica)
    RFID cards could turn into a global security mess after
    discovery of hardware backdoor (Techspot)
    Apple to Let iPhone Users Delete Safari, Other Native Apps to Comply With EU
    Law (WSJ)
    Re: Feds sue Georgia Tech for lying bigly about computer security
    (Cliff Kilby)
    Re: Fake QR codes posted on Redondo Beach parking meters to scam drivers,
    police say (Geoff Kuenning)
    Re: Birmingham Oracle (Wol)
    Re: Telegram billionaire co-founder Pavel Durov arrested
    (Turgut Kalfaoglu)
    Re: Policy, due care, and the failure of Heartland Tri-State
    (Phil Smith III)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 27 Aug 2024 11:43:45 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Apparent cyberattack at Seattle airport causes internet outages (WCBV)

    https://www.wcvb.com/article/seattle-airport-cyberattack-internet-outages/61984238

    ------------------------------

    Date: Tue, 27 Aug 2024 13:15:47 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Scammers dupe chemical company into wiring $60 million
    (Help Net Security)

    Orion S.A., a global chemical company with headquarters in Luxembourg, has become a victim of fraud: it lost approximately $60 million through
    “multiple fraudulently induced outbound wire transfers to accounts
    controlled by unknown third parties.”

    Was it a BEC attack?

    A representative of the company declined to share with Help Net Security any additional details beyond what is included in the 8-K filing.

    “To date, the Company has not found any evidence of additional fraudulent activity and currently does not believe the incident resulted in any unauthorized access to data or systems maintained by the Company,” the
    filing further says.

    “However, the Company’s investigation into the incident and its impacts on the Company, including its internal controls, remains ongoing. The business
    and operations were not affected.”

    While Orion’s filing does not outright say that the wire transfers were the result of business email compromise (BEC), the possibility seems most
    likely. Given the above wording, the compromised email was likely that of a supplier or customer.

    (Alternative possibilities, such as a deepfake video conference call
    paired with social engineering tricks, are possible, but less likely.)

    https://www.helpnetsecurity.com/2024/08/13/orion-fraudulent-wire-transfers-60-million/

    ------------------------------

    Date: Mon, 26 Aug 2024 15:45:46 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Moscow’s Spies Were Stealing U.S. Tech, Until the FBI Started a
    Sabotage Campaign (Politico)

    During the early days of Silicon Valley, a tech industry entrepreneur teamed
    up with the FBI to ship faulty devices to Moscow.

    https://www.politico.com/news/magazine/2024/08/04/us-spies-soviet-technology-00164126

    ------------------------------

    Date: Sun, 25 Aug 2024 00:10:46 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Android malware steals payment card data using previously unseen
    technique (ArsTechnica)

    https://arstechnica.com/?p=2045086

    ------------------------------

    Date: Tue, 27 Aug 2024 06:37:31 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: Recent bot campaign backing Poilievre shows AI easily
    accessible for political messaging: report (CBC)

    https://www.cbc.ca/news/politics/ai-platforms-generate-political-messages-rallies-1.7305321

    A suspected bot campaign surrounding a recent Pierre Poilievre event shows
    that generative artificial intelligence (AI) tools are easily accessible to anyone looking to influence political messaging online, researchers have
    found.

    In July, the social media platform X was inundated with posts following the Conservative leader's tour of Northern Ontario.

    The posts claimed to be from people who attended Poilievre's event in
    Kirkland Lake, Ont., but were actually generated by accounts in Russia,
    France and other places, and many of them had similar messaging.

    ------------------------------

    Date: Wed, 28 Aug 2024 20:49:18 +0900
    From: David J. Farber <farber@keio.jp>
    Subject: Without Guardrails, Generative AI Can Harm Education

    A new study led by researchers at Wharton and Penn reveals that using generative AI improves student performance, but also makes it harder for students to learn and acquire new skills.

    The researchers designed an experiment with nearly 1,000 high school math students in Turkey to determine whether large language models can harm or
    help their education. One group of students was given GPT Base, a chat interface similar to ChatGPT-4, to help them during practice sessions. A
    second group was given GPT Tutor, an interface similar to ChatGPT-4 but with safeguards. It includes teacher input and is designed to guide students with hints rather than directly giving answers.

    ------------------------------

    Date: Tue, 27 Aug 2024 18:20:08 -0700
    From: Douglas Lucas <dal@riseup.net>
    Subject: Foreign Policy: TikTok ban & global data commons (by me)

    On Aug. 27, Foreign Policy published my new article "Banning TikTok won't
    keep your data safe: Pompous billionaires, authoritarian regimes, and opaque oligarchs are hoarding our data. Only an alternative online ecosystem will
    stop them." The working title was "TikTok ban shows need for real global
    data commons."

    From the article:

    "'This is why I am working on a universal database: to try to democratize
    this access to a megaphone and bring us information from everyone,' Canadian programmer and philosopher Heather Marsh said at a censored Oxford Union whistle-blowing panel. [...]

    "Marsh proposes decoupling apps and databases with a framework separating information into layers. The foundation [probably on IPFS] would be a
    universal database where, say, professors could place instructional videos
    as public data. Apps would offer additional features, such as captioning or translation, without vacuuming up personal data as the price of
    entry. Personal data would instead be treated as each individual's sole property.

    "Apps would become just apps, adding functionality and that's it, no longer married to any company’s exclusive database. Work on middle layers—via public or private federated servers—would enhance the universal database
    with meaning and trust networks, and ready it for apps. This middle data,
    and the apps themselves, could be confidential or deleted. But as long as international consortia maintained the foundational universal database and framework, akin to international bodies maintaining the web now, the
    database would persist—a global commons."

    Links:

    Regular URL: https://foreignpolicy.com/2024/08/27/biden-tiktok-bytedance-china-ban-getgee-knowledge-commons/

    Erratically performing, paywall-jumping gift hyperlink for sharing
    everywhere: https://foreignpolicy.com/2024/08/27/biden-tiktok-bytedance-china-ban-getgee-keenowledge-commons/?utm_content=gifting&tpcc=gifting_article&gifting_article=YmlkZW4tdGlrdG9rLWJ5dGVkYW5jZS1jaGluYS1iYW4tZ2V0Z2VlLWtub3dsZWRnZS1jb21tb25z&pid=OC20506955

    Alternate hyperlink: https://archive.ph/9Ss1S


    What are the RISKS of establishing a new ecosystem decoupling apps from databases and stratifying information into layers? As my article says, "corporate-owned data, personal data, and public data are all hopelessly
    mixed, polarizing people into inflammatory thought bubbles and stripping
    them of privacy and dignity"; but also, bad actors poaching lingo from idealistic articles to help them sell seems-similar snake oil; nobody
    offering to lift a finger to fund, code, or open doors for the global data commons project; gift hyperlinks with probably malfunctioning query strings; exhausted underpaid journalists.

    ------------------------------

    Date: Sun, 25 Aug 2024 00:15:46 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Telco fined $1M for transmitting Biden deepfake without
    verifying Caller ID (ArsTechnica)

    https://arstechnica.com/?p=2044661

    ------------------------------

    Date: Mon, 26 Aug 2024 22:28:03 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: RFID cards could turn into a global security mess after
    discovery of hardware backdoor (Techspot)
    Poking at bad encryption practices to discover some outrageous, unexpected issues

    https://www.techspot.com/news/104436-previously-unknown-hardware-backdoors-could-turn-rfid-cards.html

    ------------------------------

    From: Monty Solomon <monty@roscom.com>
    Date: Sat, 24 Aug 2024 22:31:58 -0400
    Subject: Apple to Let iPhone Users Delete Safari, Other Native
    Apps to Comply With EU Law (WSJ)
    Company to align products with the bloc’s digital competition law
    https://www.wsj.com/tech/apple-to-let-iphone-users-delete-safari-other-native-apps-to-comply-with-eu-law-58c964e8

    ------------------------------

    Date: Thu, 29 Aug 2024 12:22:16 -0400
    From: "Cliff Kilby" <cliffjkilby@gmail.com>
    Subject: Re: Feds sue Georgia Tech for lying bigly about computer security
    (RISKS-34.42)

    "There is a current trend toward blindly applying high-level “security” rules to all computers in an organization, regardless of their purpose and existing defenses."

    You mean baselining?

    "I've seen this with my own machines (which have extremely strong defenses): hired-gun outsiders who have no clear understanding of CS unilaterally
    decided to block access to all sorts of ports that they see as vulnerabilities."

    You mean:
    "Don't allow access to resources that do not have a reason to be available?"
    and
    "Once a variance is determined to be needed, follow the exception process?"

    It sounds like everything is in order there. I wonder why the CS department
    of Harvey Mudd would find complaint.

    ------------------------------

    Date: Mon, 26 Aug 2024 23:46:03 -0700
    From: Geoff Kuenning <geoff@cs.hmc.edu>
    Subject: Re: Fake QR codes posted on Redondo Beach parking meters
    to scam drivers, police say (RISKS-34.42)

    The same QR-sticker scam has been reported in Conwy, Wales. And one
    suspects it has shown up elsewhere.

    I always review the link on a QR code before following it. But it can be
    hard to spot a fake (poybyphone vs. paybyphone? On a small screen they're almost the same.)

    [One could not be a successful scientist without realizing that, in
    contrast to the popular conception supported by newspapers and mothers of
    scientists, a goodly number of scientists are not only narrow-minded and
    dull, but also just stupid. -- James Watson]

    ------------------------------

    Date: Tue, 27 Aug 2024 19:28:33 +0100
    From: Wols Lists <antlists@youngman.org.uk>
    Subject: Re: Birmingham Oracle (Tom Van Vleck, RISKS-34.41)

    From: Cliff Kilby <cliffjkilby@gmail.com>
    Tom, Would you see this as an example of selection bias?

    I (Wol) certainly would not.

    It is (or was) an extremely regular meme in the UK computer press that big Public database projects were badly specified, poorly run, and usually came
    in massively late and over budget.

    Given the huge number of procurement disasters at the time, they certainly should have been.

    Most SQL/Relational projects I have come across have been estimating / budgeting disasters, and imho they are using a sledgehammer to drive a
    screw.

    On the other hand, while MultiValue projects may be few in number, pretty
    much all the anecdotal evidence I have is that they are far less resource-intensive, usually on time or early, and often under budget.

    For example, while Cache is not a MultiValue database, it is similar, and in
    a shoot-out with Oracle, Oracle struggled to meet the 100K inserts target,
    invoking all sorts of cheats to hit it. Cache on the other hand had no
    trouble at all, and within weeks of install breezed through 250K.

    Imnsho, the problem is that the aims of database engine designers and users differ. Relational Database Engine designers, in their attempts to avoid a worst case scenario of an O(n) search, have made all searches O(log(n)).

    MultiValue (and I presume Cache) and other database designs that predate SQL
    et al have pushed the job of avoiding O(n) onto the database designers. As a result MultiValue (in the absence of a pathological hash) guarantees a 95%
    O(1) hit rate. And comes with tools to warn the DBA what the worst O is (unlikely to exceed 2 or 3).

    Given the huge size of databases nowadays, even log(n) is expensive and one
    has to wonder whether the use of Relational and similar databases makes
    sense as users are left sitting there waiting for the system to respond. I
    know I'll often spend maybe the first hour of the day trouble-shooting "the database failed to respond", and it's almost always just the sheer weight of people starting work.
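
    To make the O(1)-versus-worst-case claim above concrete: the Python simulation below is added here and is not code from the post, nor from any MultiValue or Cache product. It models a hashed file of fixed-size groups, reports the share of lookups served by a single frame read and the worst number of frames any lookup needs, and shows how a badly chosen hash collapses the hit rate, which is the kind of check a DBA warning tool performs. The group count, frame capacity and customer keys are constructed values.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List

HashFn = Callable[[str], int]


def good_hash(key: str) -> int:
    # Well-mixed hash: the group chosen depends on every byte of the key.
    digest = hashlib.blake2b(key.encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big")


def pathological_hash(key: str) -> int:
    # Degenerate hash: depends only on key length, so fixed-width keys all collide.
    return len(key)


def build_file(keys: List[str], modulo: int, hash_fn: HashFn) -> Dict[int, List[str]]:
    # Each group holds the records whose hash lands on it, in insertion order.
    groups: Dict[int, List[str]] = defaultdict(list)
    for key in keys:
        groups[hash_fn(key) % modulo].append(key)
    return groups


def lookup_cost(groups: Dict[int, List[str]], modulo: int, hash_fn: HashFn,
                frame_capacity: int, key: str) -> int:
    # Frames read: the primary frame, plus one overflow frame per `frame_capacity`
    # records that sit ahead of this key in its group.
    chain = groups.get(hash_fn(key) % modulo, [])
    return 1 + chain.index(key) // frame_capacity


def file_stats(keys: List[str], modulo: int, frame_capacity: int,
               hash_fn: HashFn) -> Dict[str, float]:
    # Summarise how the hash distributes the keys: the O(1) hit rate, the worst
    # case any single lookup pays, and how many groups have spilled into overflow.
    groups = build_file(keys, modulo, hash_fn)
    costs = [lookup_cost(groups, modulo, hash_fn, frame_capacity, k) for k in keys]
    return {
        "one_frame_rate": sum(c == 1 for c in costs) / len(costs),
        "worst_frames": max(costs),
        "overflowing_groups": sum(len(g) > frame_capacity for g in groups.values()),
    }


# Constructed sample: 4000 fixed-width customer keys, 1009 groups, 8 records per frame.
KEYS = [f"CUST{n:06d}" for n in range(4000)]
MODULO = 1009
FRAME_CAPACITY = 8

if __name__ == "__main__":
    for name, fn in (("well-mixed", good_hash), ("pathological", pathological_hash)):
        print(name, file_stats(KEYS, MODULO, FRAME_CAPACITY, fn))
```

A rising count of overflowing groups, or a worst-frames figure that climbs past 2 or 3, is the signal to resize the file or revisit the hash, whether the skew came from data growth or from a hostile choice of keys.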

    ------------------------------

    Date: Tue, 27 Aug 2024 21:24:11 +0200 (GMT+02:00)
    From: Turgut Kalfaoglu <Turgut@kalfaoglu.com>
    Subject: Re: Telegram billionaire co-founder Pavel Durov arrested
    (RISKS-34.42)

    Back in 2018 Pavel Durov was asked by the Russian government to cooperate
    and share Telegram’s encryption keys in order to stop alleged
    terrorist-related activities happening via the app.

    When his issues with the Russian government arose, the mainstream media
    showed great praise for Telegram’s creator, applauding him and bashing Russia. Now Durov is in French custody and where are all of these voices
    that were so eager to defend freedom of speech back in 2018?

    [A bit of gibberish fixed? PGN]

    ------------------------------

    Date: Mon, 26 Aug 2024 23:42:20 -0400
    From: "Phil Smith III" <phsiii@gmail.com>
    Subject: Re: Policy, due care, and the failure of Heartland
    Tri-State (RISKS-34.43)

    A perfect example is the commonly enforced policy

    Including PCI. PCI DSS 4.0 still requires it, which is one reason a lot of organizations are still doing it:

    8.3.9, "Passwords/passphrases are changed at least once every 90 days"

    ------------------------------

    Date: Sat, 28 Oct 2023 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) has moved to the ftp.sri.com site:
    <risksinfo.html>.
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 34.43
    ************************
