RISKS Forum mailing list archives
Risks Digest 33.30
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 20 Jun 2022 16:19:38 PDT
RISKS-LIST: Risks-Forum Digest  Monday 20 June 2022  Volume 33 : Issue 30

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/33.30>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents: [RISKS-33.29 delay on USENET was due to a Panix key upgrade.]
We've only scratched the surface of how bad the crypto[currency] crime wave
  has gotten (Yaohoo!)
FBI warns crypto fraud on LinkedIn is a 'significant threat' (Engadget)
Ethereum Mining Is Going Away (Bloomberg)
Microsoft Office 365 Feature Could Help Ransomware Hackers Hold Cloud Files
  Hostage (The Hacker News)
Micropatching on the fly (Tom Van Vleck)
The Open Secret of Google Search (The Atlantic)
Leaked Audio From 80 Internal TikTok Meetings Shows That U.S. User Data Has
  Been Repeatedly Accessed From China (Buzzfeednews)
Lake Mead and Lake Powell, the 2 largest reservoirs in the US, which provide
  water to over 40 million Americans in Nevada, Arizona and California, are
  at their lowest levels ever. (twitter via geoff goodfellow)
Stronger Security for Smart Devices (Adam Zewe)
New Mexico's Post-Certification Recounts (Annie Gowan)
It is 2022. My coffee mug wants me to log in, wants to know my location, and
  if it can send me promotional emails... (Marc IRL)
A Language Model Trained to Mimic 4chan Might Portend AI's Grim Future
  (Georgetown CSET)
A minor example of human factors in security (risks () sctb net)
Serious Warning Issued For Millions Of Google Gmail Users (Forbes)
Re: the death knell of jSCH (Dmitri Maziuk)
Re: Physics-Based Cryptocurrency Transmits Energy Through Blockchain
  (John Levine)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 19 Jun 2022 11:28:10 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: We've only scratched the surface of how bad the crypto[currency]
  crime wave has gotten (Yaohoo!)

We've only scratched the surface of how bad the crypto crime wave has gotten
https://news.yahoo.com/weve-only-scratched-surface-bad-221758213.html

------------------------------

Date: Fri, 17 Jun 2022 17:16:04 -0400
From: Monty Solomon <monty () roscom com>
Subject: FBI warns crypto fraud on LinkedIn is a 'significant threat' (Engadget)

https://www.engadget.com/fbi-warning-crypto-fraud-linkedin-significant-threat-191600330.html

------------------------------

Date: Mon, 20 Jun 2022 12:23:17 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Ethereum Mining Is Going Away (Bloomberg)

David Pan and Olga Kharif, Bloomberg, 16 Jun 2022,
  via ACM TechNews; Monday, 20 Jun 2022

Ethereum mining could end soon due to "the Merge," leaving as many as
1 million miners out of a source of income. The Merge (expected to occur in
August, though it has been pushed back several times already) involves a
shift from the proof-of-work model, which uses a significant amount of
computing power and energy, to the proof-of-stake model to record
transactions. The alternative model will slash the Ethereum network's power
consumption by about 99%, but also will put miners out of work.

Following The Merge, some Ethereum miners plan to mine other coins that
require graphics processing units, like Ethereum Classic or Ravencoin, or to
use their equipment for rendering (an aspect of digital video production) or
machine learning tasks.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ecdcx23467ax071600&

------------------------------

Date: Thu, 16 Jun 2022 07:27:17 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: Microsoft Office 365 Feature Could Help Ransomware Hackers Hold
  Cloud Files Hostage (The Hacker News)

A "dangerous piece of functionality" has been discovered in the Microsoft 365
suite that could be potentially abused by a malicious actor to ransom files
stored on SharePoint and OneDrive and launch attacks on cloud infrastructure.

The cloud ransomware attack makes it possible to launch file-encrypting
malware to "encrypt files stored on SharePoint and OneDrive in a way that
makes them unrecoverable without dedicated backups or a decryption key from
the attacker," Proofpoint said in a report published today.
<https://www.proofpoint.com/us/blog/cloud-security/proofpoint-discovers-potentially-dangerous-microsoft-office-365-functionality>

The infection sequence can be carried out using a combination of Microsoft
APIs, command-line interface (CLI) scripts, and PowerShell scripts, the
enterprise security firm added.

The attack, at its core, hinges on a Microsoft 365 feature called AutoSave
that creates copies of older file versions as and when users make edits to a
file stored on OneDrive or SharePoint Online.
<https://support.microsoft.com/en-us/office/what-is-autosave-6d6bd723-ebfd-4e40-b5f6-ae6e8088f7a5>

It commences with gaining unauthorized access to a target user's SharePoint
Online or OneDrive account, followed by abusing the access to exfiltrate and
encrypt files. The three most common avenues to obtain the initial foothold
involve directly breaching the account via phishing or brute-force attacks,
tricking a user into authorizing a rogue third-party OAuth application, or
taking over the web session of a logged-in user.

But where this attack stands apart from traditional endpoint ransomware
activity is that the encryption phase requires locking each file on
SharePoint Online or OneDrive more than the permitted versioning limit. [...]
<https://support.microsoft.com/en-us/office/how-versioning-works-in-lists-and-libraries-0f6cd105-974f-44a4-aadb-43ac5bdfd247>

https://thehackernews.com/2022/06/a-microsoft-office-365-feature-could.html

------------------------------

Date: Mon, 20 Jun 2022 15:39:28 -0400
From: Tom Van Vleck <thvv () multicians org>
Subject: Micropatching on the fly

People who are running computers with a lot of old and buggy software are
being wooed by services that will apply binary patches to their code while
it is running. If a site is running an old down-rev version and can't afford
the time, cost, and effort to upgrade to a later version, the micropatching
service can apply fixes on the fly. [No flies are injured in the process.
PGN] They patch in storage to avoid verification of code signatures.
Sometimes they extract patches from later versions of the code and back-port
them to older code.

There is a DARPA/I2O program that is awarding ways to patch IoT appliances
and heavy truck engines:
  https://www.darpa.mil/program/assured-micropatching

What could possibly go wrong? THVV

  [Risks? This reminds me of Doug McIlroy and Bob Morris patching the live
  object code of their EPL compiler (early PL/I, starkly subset for Multics)
  at the same time Molly Wagner was compiling Multics memory-management code
  in 1967. What a mess. (Tom, Thanks for this item.) Note for younger RISKS
  readers: Tom dates back to pre-Multics on CTSS, with what appears to be the
  very first e-mail system, which he and Noel Morris developed at MIT. PGN]

------------------------------

Date: Mon, 20 Jun 2022 15:11:24 -0400
From: Monty Solomon <monty () roscom com>
Subject: The Open Secret of Google Search (The Atlantic)

One of the most-used tools on the Internet is not what it used to be.
https://www.theatlantic.com/ideas/archive/2022/06/google-search-algorithm-internet/661325/

------------------------------

Date: Fri, 17 Jun 2022 18:37:02 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Leaked Audio From 80 Internal TikTok Meetings Shows That U.S. User
  Data Has Been Repeatedly Accessed From China (Buzzfeednews)

https://www.buzzfeednews.com/article/emilybakerwhite/tiktok-tapes-us-user-data-china-bytedance-access

------------------------------

Date: Thu, 16 Jun 2022 16:54:33 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: Lake Mead and Lake Powell, the 2 largest reservoirs in the US, which
  provide water to over 40 million Americans in Nevada, Arizona and
  California, are at their lowest levels ever.

*... This will have unprecedented consequences and require drastic water
restrictions never seen before...*
https://twitter.com/US_Stormwatch/status/1536912734297526272

------------------------------

Date: Fri, 17 Jun 2022 12:14:25 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Stronger Security for Smart Devices (Adam Zewe)

Adam Zewe, *MIT News*, 14 Jun 2022, via ACM TechNews, 17 Jun 2022

Massachusetts Institute of Technology researchers demonstrated two security
techniques that block power and electromagnetic side-channel attacks
targeting analog-to-digital (ADC) converters in smart devices. The
countermeasures involve adding randomization to ADC conversion, which in one
case uses a random number generator to decide when each capacitor switches,
complicating the correlation of power supplies with output data. That method
also keeps the comparator in constant operation, preventing hackers from
ascertaining when each conversion stage begins and ends. The second technique
employs two comparators and an algorithm to randomly establish two thresholds
rather than one, creating millions of ways an ADC could reach a digital
output.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ecc8x234601x071624&

------------------------------

Date: Sun, 19 Jun 2022 11:55:00 PDT
From: Peter G Neumann <neumann () csl sri com>
Subject: New Mexico's Post-Certification Recounts

Annie Gowan, WashPost, 17 Jun 2022
https://www.washingtonpost.com/politics/2022/06/17/new-mexico-county-weighs-defying-order-certify-election-results/

New Mexico county certifies election results, bowing to court order.
Otero County commissioners voted 2 to 1 to accept results in this month's
primary, reversing an earlier decision driven by unfounded concerns about
fraud.

Couy Griffin is quoted in the article:
``My vote to remain a no isn't based on any evidence, it's not based on any
facts, it's only based on my gut feeling and my own intuition, and that's all
I need,'' Griffin said.

------------------------------

Date: Thu, 16 Jun 2022 17:04:17 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: It is 2022. My coffee mug wants me to log in, wants to know my
  location, and if it can send me promotional emails... (Marc IRL)

https://twitter.com/Marc_IRL/status/153718748767571148

------------------------------

Date: Sun, 19 Jun 2022 10:11:00 PDT
From: Peter Neumann <neumann () csl sri com>
Subject: A Language Model Trained to Mimic 4chan Might Portend AI's Grim
  Future (Georgetown CSET)

A harbinger of the AI future? [Excerpted from a note by Dan Geer. PGN]

A Language Model Trained to Mimic 4chan Might Portend AI's Grim Future
https://cset.georgetown.edu/newsletter/june-16-2022/

A machine learning researcher trained a language model on three and a half
years' worth of 4chan posts to create what he dubbed "the most horrible model
on the Internet," raising concerns about the public availability of language
models and sparking debate about their ethical use. Yannic Kilcher, a Swiss
ML expert who covers AI and ML advances on his popular [30]YouTube channel,
fine-tuned an existing open-source language model -- [31]EleutherAI's
GPT-J-6B -- using [32]a dataset of more than 130 million posts from 4chan's
"Politically Incorrect" board, an online forum with [33]a longstanding
reputation for toxicity and offensiveness. As Kilcher described in [34]a
video documenting the process, he then programmed a team of bots to post on
the board as often as they could. According to Kilcher, the bots posted
approximately 30,000 times during two separate 24-hour periods. While 4chan
users were able to identify some of the bots for what they were, this
appeared to be due less to the model's shortcomings and more to the bots'
superhuman indefatigability -- they posted round-the-clock, as frequently as
the site allowed.

Kilcher's experiment was criticized by a number of experts and observers,
who [35]called it irresponsible and unethical. While Kilcher made it possible
for anyone to use his [36]"GPT-4chan" by uploading it to Hugging Face, an
online repository for AI and ML code, the site quickly restricted access.
But the cat could be out of the bag: as Kilcher's experiment shows, currently
available open-source models and datasets can be used to create
[37]surprisingly effective language models with relative ease.

30. https://www.youtube.com/c/YannicKilcher/videos
31. https://huggingface.co/EleutherAI/gpt-j-6B
32. https://zenodo.org/record/3606810#.YpjGgexByDU
33. https://nymag.com/intelligencer/2015/11/inside-pol-4chans-racist-heart.html
34. https://youtu.be/efPrtcLdcdM
35. https://fortune.com/2022/06/10/ai-chatbot-trained-on-4chan-by-yannic-kilcher-draw-ethics-questions/
36. https://huggingface.co/ykilcher/gpt-4chan
37. https://thegradient.pub/gpt-4chan-lessons/#:~:text=An%20evaluation%20of%20the%20model%20on%20the%20Language%20Model%20Evaluation%20Harness.%20Kilcher%20emphasized%20the%20result%20that%20GPT-4chan%20slightly%20outperformed%20other%20existing%20language%20models%20on%20the%20TruthfulQA%20Benchmark%2C%20which%20involves%20picking%20the%20most%20truthful%20answer%20to%20a%20multiple%20choice%20question

------------------------------

Date: Sun, 19 Jun 2022 14:59:58 +0200
From: risks () sctb net
Subject: A minor example of human factors in security

I recently relocated to Gibraltar and looked to open a local bank account.
With one of the banks I contacted, communication was difficult - it turned
out their email server refused to accept or to make TLS connections, and my
email server mandates the use of TLS; their emails to me were not being
delivered (and their staff were either not receiving, or not understanding,
or not acting upon any error reports) and as I discovered when I tried to
email them, my server's connections were rejected.

I - from a web-based email account which allows unencrypted connections -
emailed the bank about this, pointing out the possibility, given that they
are a bank, of people unwittingly or thoughtlessly emailing sensitive
information, and the simplicity and ease of allowing TLS connections. This
email went unanswered.

I discussed the matter directly with a member of their staff, who relayed the
issue to their IT team; I was informed the IT team did not consider it a
security risk, and in addition (although very likely this chap was only
speaking as himself, and not in any way reflecting bank policy), when I
indicated the bank had three months to act before I would discuss the matter
in public, he informed me if I did so the bank might well not wish to do
business with me in the future.

We all behave rationally given the incentives placed upon us in the situation
we are in.

------------------------------

Date: Sat, 21 May 2022 18:17:34 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Serious Warning Issued For Millions Of Google Gmail Users (Forbes)

Gmail is the world's most popular email service; it is also known as one of
the most secure. But a dangerous exploit might make you rethink how you want
to use the service in future.

In an eye-opening *blog post* <https://ysamm.com/?p=763>, security researcher
Youssef Sammouda has revealed that Gmail's OAuth authentication code enabled
him to exploit vulnerabilities in Facebook to hijack Facebook accounts when
Gmail credentials are used to sign in to the service. And the wider
implications of this are significant.

Speaking to *The Daily Swig*
<https://portswigger.net/daily-swig/facebook-account-takeover-researcher-scoops-40k-bug-bounty-for-chained-exploit>,
Sammouda explained that he was able to exploit redirects in Google OAuth and
chain it with elements of Facebook's logout, checkpoint and sandbox systems
to break into accounts.

Google OAuth is part of the '*Open Authorization*
<https://en.wikipedia.org/wiki/OAuth>' standard used by Amazon, Microsoft,
Twitter and others which allows users to link accounts to third-party sites
by signing into them with the existing usernames and passwords they have
already registered with these tech giants.

Sammouda reports no vulnerabilities using other email accounts. He does
stress that it could potentially be applied more widely "but that was more
complicated to develop an exploit for." He states Facebook paid him a $44,625
'bug bounty' for its role in this vulnerability. Facebook has subsequently
patched the vulnerability from their side. I have contacted Google for a
response on the role of Google OAuth in the exploit and will update this post
when/if I receive a reply.

Commenting on Sammouda's findings, security provider *Malwarebytes Labs*
<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/gmail-linked-facebook-accounts-vulnerable-to-attack-using-a-chain-of-bugs-now-fixed/>
issued a warning to anyone using linked accounts: "Linked accounts were
invented to make logging in easier," writes Pieter Arntz, the company's
Malware Intelligence Researcher. "You can use one account to log in to other
apps, sites and services... All you need to do to access the account is
confirm that the account is yours." [...]

https://www.forbes.com/sites/gordonkelly/2022/05/21/google-gmail-security-facebook-oauth-login-warning/

------------------------------

Date: Thu, 16 Jun 2022 18:56:53 -0500
From: dmitri maziuk <dmitri.maziuk () gmail com>
Subject: Re: the death knell of jSCH (RISKS-33.29)

Java is abnormally stable. I have code I wrote in early 2000s, some of it
rather messy and not exactly what I'd call robust design (there's a reason
for that of course), and it's still working fine in production now. By
today's "agile standards", this just can't be right.

------------------------------

Date: 20 Jun 2022 15:34:49 -0400
From: "John Levine" <johnl () iecc com>
Subject: Re: Physics-Based Cryptocurrency Transmits Energy Through Blockchain
  (LLNL, RISKS-33.29)

I think if we remove the technobabble, this is saying that it's a stablecoin
backed by electricity commodity futures rather than by money. Electricity
futures are an arcane corner of the futures market, mostly of interest to
utilities and large industrial customers, but they do exist.

Putting them on a blockchain adds that magic pixie dust that makes it
possible to do, well, I have no idea but I am sure it is wonderful. If you
wanted you could do pork belly or nickel trades on a blockchain with exactly
the same benefits.

The claim that you can somehow take the energy used to mine cryptocurrency
and somehow turn it back into electricity is idiotically stupid, but what
else is new in crypto land?

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.30
************************
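The Office 365 item in this issue turns on one mechanism: a library keeps only a bounded number of older versions, so a file rewritten more times than that limit has no clean version left to restore. The toy model below is an added illustration, not code from Proofpoint, Microsoft or The Hacker News; it treats a library as a bounded version history, shows the point at which recovery from history alone fails, and runs one detection heuristic over a constructed audit sample (actor names, paths, the limit and the event format are all assumptions).

```python
"""Why SharePoint/OneDrive version history is not a backup (toy model)."""
from collections import defaultdict, deque


class VersionedFile:
    """A file in a library that keeps the current version plus `limit` older ones."""

    def __init__(self, content: str, limit: int):
        # A bounded deque evicts the oldest version once the limit is exceeded,
        # which is the behaviour the versioning limit imposes on the library.
        self.versions = deque([content], maxlen=limit + 1)

    def write(self, content: str) -> None:
        self.versions.append(content)  # every AutoSave pushes one more version

    def newest_clean(self):
        """Newest surviving version that is not an encrypted rewrite, else None."""
        for v in reversed(self.versions):
            if not v.startswith("ENC:"):
                return v
        return None


def recoverable_after(limit: int, overwrites: int):
    """What the library itself can restore after `overwrites` encrypted saves."""
    f = VersionedFile("quarterly report", limit)
    for i in range(overwrites):
        f.write(f"ENC:{i}")  # stand-in for an encrypted rewrite of the file
    # Once overwrites > limit the clean copy has been evicted; only an
    # independent backup (outside the library) could restore it.
    return f.newest_clean()


def version_exhaustion_actors(events, limit: int, min_files: int = 10):
    """Actors who pushed more than `limit` versions onto at least `min_files` files.

    `events` is an iterable of (actor, path) pairs, one per file-modified
    audit record.  A real detector would also bound the time window.
    """
    writes = defaultdict(int)
    for actor, path in events:
        writes[(actor, path)] += 1
    exhausted = defaultdict(int)  # actor -> files whose history they exhausted
    for (actor, _path), n in writes.items():
        if n > limit:
            exhausted[actor] += 1
    return sorted(a for a, c in exhausted.items() if c >= min_files)


# Constructed audit sample (not real data): a normal user editing two files,
# and one principal rewriting a dozen spreadsheets four times each.
SAMPLE_EVENTS = (
    [("alice", "/docs/notes.docx")] * 6
    + [("alice", "/docs/todo.docx")] * 2
    + [("svc-sync", f"/finance/q{n}.xlsx") for n in range(12) for _ in range(4)]
)

if __name__ == "__main__":
    print(recoverable_after(3, 3))  # a clean copy is still in history
    print(recoverable_after(3, 4))  # None: the history is all ciphertext
    print(version_exhaustion_actors(SAMPLE_EVENTS, limit=3))  # ['svc-sync']
```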