RISKS Forum mailing list archives

Risks Digest 32.50


From: RISKS List Owner <risko () csl sri com>
Date: Fri, 19 Feb 2021 16:00:29 PST

RISKS-LIST: Risks-Forum Digest  Friday 19 February 2021  Volume 32 : Issue 50

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.50>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Texas vs FERC's "best practices" for anticipating disasters (PGN)
U.S. Water Supply Has Few Protections Against Hacking (WSJ)
Python wheel-jacking in supply chain attacks (VDOO)
A Windows Defender Vulnerability Lurked Undetected for 12 Years (WiReD)
Mercedes-Benz cars giving out *wrong* location info
  (Car and Driver Magazine)
Growing size of vehicle screens sparks safety concerns
  (The Center for Auto Safety)
Forget Self-Driving Cars: the Pentagon Wants Autonomous Ships, Choppers, and
  Jets (WSJ)
California DMV suffers massive third-party data breach (TechCrunch)
Researcher hacks over 35 tech firms in novel supply chain attack (Ax Sharma)
How faster Internet is being blocked by politics and poverty throughout the
  eastern U.S. (CNET)
'Spy pixels in emails have become endemic' (BBC News)
Google has bowed to pressure and will make 'significant' payments to Rupert
  Murdoch's News Corp (Business Insider)
The losers in the news battle (Lauren Weinstein)
Fixing Chrome 88's suddenly broken custom search-engine behavior
  (Lauren Weinstein)
Facebook blocks news in Australia over government's payment rules
  (Dylan Byers)
Woke teachers want Shakespeare cut from curriculum: 'This is about White
  supremacy' (Washington Times)
Facebook to Label Climate Change Posts Like Covid, Vote Content (Yahoo!)
France Ties Russia's Sandworm to a Multiyear Hacking Spree (WiReD)
Citibank can't get back $900 million it wired by mistake (CNN)
Incredibly poor software design costs Citigroup $500M (Matt Levine)
Climate Change Could Shred Guitars Known for Shredding (Scientific American)
Data breach warning after California DMV contractor hit by file-stealing
  ransomware (TechCrunch)
Entitled People Are More Likely To Be Angry at Bad Luck
  (Scientific American)
Who Should Stop Unethical A.I.? (Matthew Hutson)
AI may mistake chess discussions as racist talk (Techxplore)
"Holy cow. Bitcoin is using half a percent of all the world's electricity?"
  (geoff goodfellow)
Nvidia limits crypto-mining on new graphics card (msn.com)
The IRS Cashed Her Check, Then the Late Notice Started Coming (ProPublica)
Authorities have taken down the dark web's largest illegal marketplace
  vendor (The Verge)
U.S. election cybersecurity (CDT)
People answer scientists' queries in real time while dreaming
  (Scientific American)
How Oracle Sells Repression in China (The Intercept)
The Untold History of America's Zero-Day Market (WiReD)
"Vaccine" passport? (Rob Slade)
Man offered vaccine after error lists him as 6.2cm tall (BBC)
Gorilla COVID risks (CNN)
Japanese contact tracing software of Covid-19 patient on Android did not
  work for four months (Kyodo News)
Bruce Schneier's CRYPTO-GRAM, 15 Feb 2021 (PGN)
Re: Calling All Ham Radio Operators (Bob Wilson)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 19 Feb 2021 10:49:28 PST
From: Peter Neumann <neumann () csl sri com>
Subject: Texas vs FERC's "best practices" for anticipating disasters

Richard Parker,
Texas Could Have Kept the Lights On:
  The state's powerful [sic] utilities failed to prepare for the worst
Editorial, *The New York Times*, 18 Feb 2021
https://www.nytimes.com/2021/02/17/opinion/texas-blackout-energy-abbott.html

Paul Krugman,
Texas, Land of Wind and Lies:
  When post-truth politics meets energy policy, the outlook is bleak
Editorial, *The New York Times*, 19 Feb 2021

PGN's mini-editorial for RISKS:

Many of the lessons from 35 years of the ACM Risks Forum have been massively
ignored in Texas, in this case resulting in massive power outages with no
potable water, and added difficulties for COVID-19 vaccines that needed deep
refrigeration.  The lessons from dozens of previous propagating outages
have been partially addressed in other states, with considerable diminution
in massively cascading multi-state fiascoes over time.  However, the earlier
notion of having spare electricity to share with other regions has been
deprecated, which could otherwise help out in emergencies.  Furthermore,
Texas's desire to go it alone has seriously backfired, especially in that
there were explicit warnings from the Federal Emergency Regulatory
Commission that extensive cold-hardening was needed after a serious cold
snap in 2011 that affected millions with no power -- evidently ignored
without any sensible system engineering for resilience.  The Texas disaster
clearly violates the Albert Einstein principle: Everything should be made as
simple as possible but no simpler.  This is a horrible example of "much too
simple".  As usual, the blame can be widely distributed, but in this case
most of it is mercilessly self-inflicted.  Furthermore, the incredible
fantasy of the Governor and others in blaming this disaster on alternative
energy sources such as wind power borders on insanity.

In this case, even the "best practices" recommended by FERC a decade ago may
not have been good enough, but could have avoided much of the effects of
this disaster.

The loss of the Challenger shuttle was another example of a lesson to be
learned in anticipating cold weather (e.g., RISKS-5.78 and 5.80).  What made
that particularly unfortunate was that Roger Boisjoly had explicitly warned
not to launch in freezing weather because it was known that the O-rings
might not hold.  Thus, in that case the risks were known in advance, but not
adequately considered. (See RISKS-12.40 for more on that.)

In our RISKS-related archives is also a major six-week complete power-outage
disaster in Quebec in the winter of 1996-1997 when transmission towers froze
and collapsed from the weight of ice under the prolonged hard freeze, and
the outage lasted for months.  Water was also a relevant issue there as in
Texas, because there were no available public water sources during the
entire outage.  (Surely, cold weather was not a surprise there.)

------------------------------

Date: Thu, 18 Feb 2021 10:26:45 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Python wheel-jacking in supply chain attacks (VDOO)

Recently, a novel supply-chain attack was published by security researcher
Alex Birsan, detailing how dependency confusion (or "name-squatting") in
package managers can be misused in order to execute malicious code on
production and development systems.

In short, most package managers such as pip and npm do not distinguish
between internal packages (hosted on internal company servers) and external
ones (hosted on public servers). [...]
https://www.vdoo.com/blog/python-wheel-jacking-supply-chain-attacks

------------------------------

Date: Sat, 13 Feb 2021 09:25:54 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: U.S. Water Supply Has Few Protections Against Hacking (WSJ)

Vulnerabilities highlighted after cyber intruder tampered with treatment
plant in Florida

A Florida city whose water system was hacked last week said Friday that it
completed a federally mandated security-risk assessment three months ago,
but hadn't yet integrated the findings into its emergency plans.

The hacking incident -- occurring after a security review -- has thrown into
stark relief a vulnerability of the more than 50,000 community water systems
that supply most Americans with their drinking water: they don't have to
meet any national standard for cybersecurity.

That is in contrast to electric utilities, which have had to meet
increasingly stringent rules since 2008 for the physical and cybersecurity
of key assets and, more recently, for parts of their supply chains. Rules
for the electric industry are reinforced by monetary penalties for
violations.

On Feb. 5, an engineer at a water treatment plant in Oldsmar, Fla., in
Pinellas County, detected that a hacker had accessed the facility's control
system and attempted to increase the amount of lye used to treat the water
to a potentially dangerous level. The control engineer witnessed the
tampering, as a ghostly hand moved a cursor over his screen, and he reversed
it immediately, officials said. But the episode highlighted how few
protections are mandated to defend the U.S. water supply.

The incident comes as officials warn about the growing sophistication and
brazenness of attacks on critical infrastructure. Many attacks are never
publicly revealed, but The Wall Street Journal identified targets in a
Russian campaign in 2017 to pierce electric-utility defenses, by first
penetrating trusted suppliers, and another effort in 2019 by unidentified
hackers who targeted electric utilities in at least 18 states.

More recently, the government has said the sprawling SolarWinds hack,
disclosed in December, compromised more than half a dozen federal agencies
including the State, Commerce and Treasury departments, and critical
infrastructure organizations -- whose names, as yet, haven't been revealed.

The federal government took a small step toward addressing the problem of
insufficient cyber-defenses in the water industry in 2018 with passage of
the America's Water Infrastructure Act. The law requires water providers
serving about 80% of the U.S. population to do security-risk reviews and
integrate findings into their emergency plans.

The biggest water providers were required to complete that work last year,
and all but 10 of 542 organizations complied, according to the Environmental
Protection Agency. But nearly 9,000 smaller suppliers -- including the water
department in Oldsmar -- have until the end of this year to complete their
reviews and implement findings.

The smallest of suppliers -- the 40,000 organizations with fewer than 3,300
customers each -- are exempt.

Even though water systems must certify completion of their work to the EPA,
they aren't required to share copies of their work product with the agency.
As a result, the EPA doesn't actually assess the quality of their action.
Because the agency doesn't possess the documents, they are effectively
beyond the reach of federal public-records law.  [...]

Federal officials advised water utilities this week to take a hard look at
remote access tools, which have been especially popular during the
pandemic. Industry experts said many improvements can be made at little or
no expense -- such as enforcing password protection and utilizing encryption
and firewalls -- but that small utilities struggle with things as simple as
cyber training.

The Federal Bureau of Investigation, which is investigating the intrusion,
said it has probed other incidents in which desktop sharing software was
used as an attack vector against critical infrastructure providers.

Cybersecurity experts said preliminary information about the Oldsmar water
department -- such as that employees shared a single password on TeamViewer
-- suggested broader security problems.

The Water Information Sharing and Analysis Center, a nonprofit clearinghouse
for threat information geared to water suppliers, said the incident appeared
to be ``more opportunistic than sophisticated,'' partly because the intruder
didn't attempt to hide the fact he was messing with the chemical delivery
system.

Christopher Krebs, former director of the Cybersecurity and Infrastructure
Security Agency, said in congressional testimony Wednesday that it is
possible the intruder was a disgruntled employee or a foreign actor.
``That's why we do investigations,'' he said, adding that the municipal
utility's defenses were ``not where anybody, any operational security
professional would like for that security posture to be.''

Unfortunately, he added, ``Oldsmar is probably the rule rather than the
exception.''

He urged Congress to consider offering the industry more financial
assistance to make cyber upgrades.

An EPA official said the agency estimates that $750 billion is needed to
replace pipes, upgrade water treatment facilities and improve
cyber-preparedness at water utilities -- a big lift.

Kevin Morley, manager of federal relations for the American Water Works
Association, an industry group, said that $10 million was authorized in 2018
to help small utilities pay for security upgrades but Congress never
appropriated the money. There are other federal programs that provide grants
and low-interest loans.

https://www.wsj.com/articles/u-s-water-supply-has-few-protections-against-hacking-11613154238

------------------------------

Date: Sat, 13 Feb 2021 13:58:07 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: A Windows Defender Vulnerability Lurked Undetected for 12 Years
  (WiReD)

Microsoft has finally patched the bug in its antivirus program after
researchers spotted it last fall.

Just because a vulnerability is old doesn't mean it's not useful.  Whether
it's Adobe Flash hacking or the EternalBlue exploit for Windows, some
methods are just too good for attackers to abandon, even if they're years
past their prime. But a critical 12-year-old bug in Microsoft's ubiquitous
Windows Defender antivirus was seemingly overlooked by attackers and
defenders alike until recently. Now that Microsoft has finally patched it,
the key is to make sure hackers don't try to make up for lost time.

https://www.wired.com/story/windows-defender-vulnerability-twelve-years/

------------------------------

Date: Mon, 15 Feb 2021 17:56:45 +0000
From: danny burstein <dannyb () panix com>
Subject: Mercedes-Benz cars giving out *wrong* location info
  (Car and Driver Magazine)

Mercedes-Benz is recalling almost 1.3 million vehicles from the 2016 through
2021 model years to fix a problem with the communication module for the
eCall emergency call system. Affected vehicles could indicate the wrong
location to emergency services when used in case of an incident on the road.
[...]

The National Highway Traffic Safety Administration (NHTSA), in its recall
notice, says the problem is expected to affect 100 percent of the 1,292,258
Mercedes-Benz and Mercedes-AMG vehicles subject to the recall by
Mercedes-Benz USA.

https://www.caranddriver.com/news/a35498170/mercedes-benz-emergency-call-system-recall/

------------------------------

Date: Sun, 14 Feb 2021 21:18:13 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Growing size of vehicle screens sparks safety concerns
  (The Center for Auto Safety)

Mercedes is unveiling a 56-inch smart screen in one of its cars later this
year, part of a new trend safety groups say could pose real dangers on the
road.

https://www.autosafety.org/growing-size-of-vehicle-screens-sparks-safety-concerns/

------------------------------

Date: Wed, 17 Feb 2021 13:05:51 -0500 (EST)
From: ACM TechNews <technews-editor () acm org>
Subject: Forget Self-Driving Cars: the Pentagon Wants Autonomous Ships,
  Choppers, and Jets (WSJ)

Andy Pasztor, *The Wall Street Journal*, 13 Feb 2021
via ACM TECHNEWS, Wednesday, February 17, 2021

The Pentagon is pushing for increased use of automation in the
U.S. military, outpacing efforts in commercial automation as officials aim
to counter technological advances among adversaries. These autonomous
technologies are expected to emerge in future civilian aircraft, air traffic
control systems, and drone applications, but unlike commercial automation,
there are concerns about the lack of regulation over the Pentagon's
initiatives. While these advanced systems will not be deployed immediately,
the recent $740 billion defense authorization bill includes provisions to
expand and promote automation across the military. Military projects in the
works include pairing an autonomous jet fighter with a traditional one in
mock dogfights and using autonomous helicopters to deliver supplies to
remote outposts, an autonomous vehicle for transporting ground troops,
undersea vehicles to carry cargo and gather intelligence, and artificial
intelligence to assume the role of a U-2 reconnaissance plane pilot for
navigation.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-297d5x228694x070110&;

------------------------------

Date: Thu, 18 Feb 2021 07:53:51 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: California DMV suffers massive third-party data breach (TechCrunch)

https://techcrunch.com/2021/02/18/california-motor-vehicles-afts-ransomware/

------------------------------

Date: Wed, 17 Feb 2021 13:05:51 -0500 (EST)
From: ACM TechNews <technews-editor () acm org>
Subject: Researcher hacks over 35 tech firms in novel supply chain attack
  (Ax Sharma)

Ax Sharma, BleepingComputer, 9 Feb 2021
via ACM TECHNEWS, Wednesday, February 17, 2021

Security researcher Alex Birsan launched a novel software supply chain
attack that breached the internal systems of more than 35 major companies,
including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and
Uber. The attack involved uploading malware to open source repositories like
PyPI, npm, and RubyGems, which then was distributed downstream automatically
into the company's internal applications. The attack did not need action by
the victim, unlike traditional typo-squatting or brandjacking attacks,
instead taking advantage of dependency confusion, a unique design flaw of
open-source ecosystems. Birsan explained that "vulnerabilities or design
flaws in automated build or installation tools may cause public dependencies
to be mistaken for internal dependencies with the exact same name." Birsan
has earned more than $130,000 from bug bounty programs and pre-approved
penetration testing arrangements for his research.
https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/

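As an added illustration (not code from VDOO, BleepingComputer or Birsan's research, and a simplified model rather than pip's actual resolver) of the mechanism this item and the wheel-jacking item above describe: an installer that merges a private and a public index picks the highest version regardless of origin, so restricting lookups to the internal index and checking which internal names already exist publicly are the two defender-side controls shown. All index contents below are constructed sample data.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
# An "index" maps package name -> list of available version strings.
Index = Dict[str, List[str]]


def parse_version(text: str) -> Version:
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def resolve(name: str, indexes: Dict[str, Index],
            allowed: List[str]) -> Tuple[str, str]:
    """Pick the highest version of `name` across the allowed indexes.

    This is a model of the behaviour the posts describe: when a private
    index and a public one are both consulted, the index offering the
    higher version number wins, whatever its origin. Returns
    (index_name, version); raises KeyError if no allowed index has it.
    """
    best = None  # (parsed_version, index_name, version_string)
    for index_name in allowed:
        for version in indexes.get(index_name, {}).get(name, []):
            key = parse_version(version)
            if best is None or key > best[0]:
                best = (key, index_name, version)
    if best is None:
        raise KeyError(name)
    return best[1], best[2]


def find_confusable(internal_names, public_index: Index) -> List[str]:
    """Internal names that also exist on the public index.

    Each one is a dependency-confusion candidate: it should be claimed on
    the public index, pinned to the internal source, or both.
    """
    return sorted(n for n in internal_names if n in public_index)


# Constructed sample data: a private index and a public one that happens
# to carry the same internal-looking name with a much higher version.
INDEXES: Dict[str, Index] = {
    "internal": {"acme-billing-core": ["1.2.0", "1.3.0"]},
    "public": {"acme-billing-core": ["99.0.0"], "requests": ["2.25.1"]},
}


def demo():
    # Weak configuration: both indexes consulted, public 99.0.0 wins.
    confused = resolve("acme-billing-core", INDEXES, ["internal", "public"])
    # Hardened configuration: internal names resolve only internally.
    pinned = resolve("acme-billing-core", INDEXES, ["internal"])
    collisions = find_confusable(INDEXES["internal"], INDEXES["public"])
    return confused, pinned, collisions


if __name__ == "__main__":
    print(demo())
```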
------------------------------

Date: Thu, 18 Feb 2021 12:10:41 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: How faster Internet is being blocked by politics and poverty
  throughout the eastern U.S. (CNET)

*Biden's broadband plan faces a serious test case in Appalachia's digital
divide, where a potent mix of extreme poverty, lack of infrastructure and
poor data present tremendous hurdles to the president's dream of closing the
broadband gap.*

For one public school teacher in Laurel County, Kentucky, proper education
means making a painful and difficult decision. While her home is connected
to AT&T's U-Verse Internet service, it's only fast enough to support one
person at a time. So in the midst of a pandemic-driven mandate for remote
learning, she often has to choose between teaching her students and ensuring
her own school-age kids are able to log on.

"We have really done a horrible job making sure they have the means," said
the teacher, who requested we withhold her name out of fear of losing her
job.

One pandemic-driven solution in Kentucky has been to put mobile hotspots in
public school parking lots so kids without internet at home can keep up with
schoolwork, but that isn't without its own flaws.
"If they don't have gas money to come and get their child at the school
when they're sick, they're sure not going to have gas money to drive to the
school every day to download their assignments," she said.  [...]
https://www.cnet.com/features/biden-broadband-plan-digital-divide-appalachia-rural-test-case/

------------------------------

Date: Wed, 17 Feb 2021 12:36:06 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: 'Spy pixels in emails have become endemic' (BBC News)

The use of "invisible" tracking tech in emails is now "endemic", according
to a messaging service that analysed its traffic at the BBC's request.

Hey's review indicated that two-thirds of emails sent to its users' personal
accounts contained a "spy pixel", even after excluding for spam.

Its makers said that many of the largest brands used email pixels, with the
exception of the "big tech" firms.

Defenders of the trackers say they are a commonplace marketing tactic.

And several of the companies involved noted their use of such tech was
mentioned within their wider privacy policies.

https://www.bbc.com/news/technology-56071437

Hardly news, just a reminder...
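An added example, not code from the BBC or from Hey: a small detector that flags the spy-pixel pattern in an HTML email (a remote image rendered invisibly whose URL carries a per-recipient token) and notes whether it reports to a host outside the sender's domain. The sample message and domains are constructed.

```python
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Constructed sample message: a visible logo, a third-party tracking pixel,
# an inline data: image (cannot phone home) and a first-party hidden pixel.
SAMPLE_EMAIL = """<html><body>
<p>Thanks for your order!</p>
<img src="https://cdn.shop.example/logo.png" width="200" height="60" alt="logo">
<img src="https://track.mailmetrics.example/o.gif?u=9f1c2&m=42" width="1" height="1" style="display:none">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" width="1" height="1">
<img src="https://shop.example/open?id=abc123" style="width:1px; height:1px; visibility:hidden">
</body></html>"""


class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny_or_hidden(attrs: Dict[str, str]) -> bool:
    """True for 1x1 (or smaller) images and for images hidden via CSS."""
    def dim(name):
        value = attrs.get(name, "").strip().rstrip("px")
        return int(value) if value.isdigit() else None
    width, height = dim("width"), dim("height")
    style = attrs.get("style", "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    tiny = width is not None and height is not None and width <= 1 and height <= 1
    return hidden or tiny


def _same_org(host: str, domain: str) -> bool:
    # Exact match or a proper subdomain; avoids "evil-shop.example" matching.
    return host == domain or host.endswith("." + domain)


def find_tracking_pixels(html: str, sender_domain: str) -> List[Dict[str, object]]:
    """Return images that look like tracking pixels.

    Criteria: fetched over the network (so the open can be observed),
    rendered tiny or hidden, and carrying a query string (the usual place
    for a per-recipient identifier).
    """
    parser = _ImgCollector()
    parser.feed(html)
    hits = []
    for img in parser.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # inline data: images cannot report an open
        if not _is_tiny_or_hidden(img):
            continue
        params = list(parse_qs(url.query))
        if not params:
            continue
        host = url.hostname or ""
        hits.append({
            "src": src,
            "host": host,
            "third_party": not _same_org(host, sender_domain),
            "params": ",".join(params),
        })
    return hits


if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_EMAIL, "shop.example"):
        print(hit)
```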

------------------------------

Date: Wed, 17 Feb 2021 13:55:02 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Google has bowed to pressure and will make 'significant' payments
  to Rupert Murdoch's News Corp (Business Insider)

It's difficult to disagree with Jeff Jarvis' view as described in this
article. This is a slippery slope that goes a significant way toward
breaking the fundamental principles of the Web, toward a "pay to link" model
that would destroy competition and could leave the big boys the only ones
standing. And this could make disinformation/misinformation problems worse
as well. -L

https://www.businessinsider.com/google-news-payments-deal-rupert-murdoch-wall-street-journal-australia-2021-2

------------------------------

Date: Wed, 17 Feb 2021 21:18:24 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: The losers in the news battle

The ultimate losers in the battle between news organizations, Facebook, and
Google, aren't any of those. It's ordinary users, who will be impotent
observers as the Internet they've come to know collapses around them in a
sea of pay-to-link sites that will bleed the Web dry.

------------------------------

Date: Sat, 13 Feb 2021 21:29:15 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Fixing Chrome 88's suddenly broken custom search-engine behavior

[C'mon Google!] In the last 24 hours or so, the standard Chrome
"custom search engines" shortcut behavior (e.g. yt<space> to search on
YouTube), that I've depended on for many years, stopped working in
Chrome 88.

To fix it: Go to: chrome://flags/#omnibox-keyword-search-button
DISABLE. Then RELAUNCH.

Please don't suddenly change stuff like this, Google, without any warning or
explanation! And please don't deprecate this fix!

------------------------------

Date: Wed, 17 Feb 2021 12:34:11 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Facebook blocks news in Australia over government's payment rules
  (Dylan Byers)

https://www.nbcnews.com/tech/tech-news/facebook-blocks-news-australia-governments-payment-rules-rcna292

Facebook said Wednesday that Australian users and publishers will not be
able to post news content to its social network after the country's
government threatened to force it to pay publishers.

The announcement is the most significant and severe split between Facebook
and a foreign government over growing calls for big tech companies to pay
publishers to feature their content.  [...]

------------------------------

Date: Thu, 18 Feb 2021 12:13:55 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Woke teachers want Shakespeare cut from curriculum:
        'This is about White supremacy' (Washington Times)

The crown teachers once put on William Shakespeare now lies uneasy upon his
head as the English playwright comes under assault from teachers who fault
his unwoke attitudes regarding race, sexuality, gender and class.

For the new breed of teachers, Shakespeare is seen less as an icon of
literature and more as a tool of imperial oppression, an author who should
be dissected in class or banished from the curriculum entirely.

``This is about white supremacy and colonization,'' declared the teachers who
founded #DisruptTexts, a group that wants staples of Western literature
removed or subjected to withering criticism.

The anti-Shakespeare teachers say fans of the plays ignore the author's
problematic worldview. They say readers of Shakespeare should be required to
address the ``whiteness'' of their thinking.

If Shakespeare must be taught, these educators say, then it should be
presented with watered-down versions of the original or supplemental texts
focused on equality issues.  [...]
https://www.washingtontimes.com/news/2021/feb/15/woke-teachers-want-shakespeare-cut-curriculum-abou/

------------------------------

Date: Thu, 18 Feb 2021 14:24:16 PST
From: Peter Neumann <neumann () csl sri com>
Subject: Facebook to Label Climate Change Posts Like Covid, Vote Content
  (Yahoo!)

Facebook Inc. will begin labeling some user posts that mention climate
change in the same way it has annotated posts discussing elections and
Covid-19, a sign the social network is taking climate-related
misinformation more seriously.

The labels will direct users to Facebook's Climate Science Information
Center -- an existing hub that includes related news articles, climate
change data and recommendations for Pages to follow. The new labels will be
added to some posts about climate change, regardless of their accuracy, a
strategy Facebook has used with other widely discussed topics as a way to
fight falsehoods.

Chief Executive Officer Mark Zuckerberg has argued that the best way to
keep misinformation from spreading on its networks is not just to remove
misleading posts, but to offer people accurate information from
authoritative sources. The labels are rolling out first to users in the
U.K., though the plan is to bring them to more countries soon, according to
a Facebook blog post.

Facebook has been used to spread climate misinformation in much the same way
the service is used for sharing all kinds of misleading posts. False
statements about climate change reviewed by Facebook's fact-checkers are
flagged, but unlike Covid-19 misinformation, climate posts are not typically
removed. That's because Facebook doesn't consider most climate
misinformation to pose an imminent threat of harm, which is the bar for
removing false information from the service.  [...]
https://finance.yahoo.com/news/facebook-label-climate-change-posts-110000858.html

------------------------------

Date: Wed, 17 Feb 2021 19:14:58 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: France Ties Russia's Sandworm to a Multiyear Hacking Spree
 (WiReD)

A French security agency warns that the destructively minded group has
exploited an IT monitoring tool from Centreon.

https://www.wired.com/story/sandworm-centreon-russia-hack/

------------------------------

Date: Wed, 17 Feb 2021 11:37:13 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Citibank can't get back $900 million it wired by mistake

New York (CNN Business) After committing one of the "biggest blunders in
banking history," Citibank won't be allowed to recover the almost half a
billion dollars it accidentally wired to Revlon's lenders, a US District
Court judge ruled.

Citibank, which was acting as Revlon's loan agent, meant to send about $8
million in interest payments to the cosmetic company's lenders.  Instead,
Citibank accidentally wired almost 100 times that amount, including $175
million to a hedge fund. In all, Citi (C) accidentally sent $900 million to
Revlon's lenders.

https://www.cnn.com/2021/02/16/business/citibank-revlon-lawsuit-ruling/index.html

------------------------------

Date: Wed, 17 Feb 2021 13:34:31 -0500
From: George Mannes <gmannes () gmail com>
Subject: Incredibly poor software design costs Citigroup $500M
  (Matt Levine)

From the incomparable Bloomberg columnist Matt Levine
  (Relevant excerpts from paywalled item):

... The ``easiest (or perhaps only)'' way to pay off some lenders but not
others was to instruct the software to pay off all the lenders! But tell it
only to *pretend* to pay them! Just send that money to a wash account! This
is all fine! Let's read another horrifying paragraph!

Because the vast majority of wire transactions processed by Citibank using
Flexcube involve the payment of funds to third parties, any payment entered
into the system is released as a wire payment unless the maker suppresses
the default option. Citibank's internal Fund Sighting Manual provides
instructions for suppressing Flexcube's default. When entering a payment,
the employee is presented with a menu with several *boxes* that can be
*checked* along with an associated field in which an account number can be
input. The Fund Sighting Manual explains that, in order to suppress payment
of a principal amount, ``ALL of the below field[s] must be set to the wash
account: FRONT[;] FUND[; and] PRINCIPAL'' -- meaning that the employee had
to check all three of those boxes and input the wash account number into the
relevant fields.

This is just demented stuff. If you want to send out interest payments in
cash, but send the principal payment to the wash account, you have to check
the box next to PRINCIPAL and also the boxes next to FRONT and FUND.
PRINCIPAL sounds like principal: You are sending the principal to the wash
account, sure, right, yes, check that box.  FRONT and FUND sound like
nothing. So the Citi operations people messed it up:

Notwithstanding these instructions, Ravi, Raj, and Fratta all believed --
incorrectly -- that the principal could be properly suppressed solely by
setting the PRINCIPAL field to the wash account. Accordingly, as Ravi built
out the transaction between 5:15 and 5:45 p.m. in his role as maker, he
checked off only the PRINCIPAL field, neglecting the FRONT and FUND
fields. Figure 1, below, ``is an accurate image of the Flexcube screen after
[Ravi] input the data.''

At 5:45 p.m., Ravi emailed Raj for approval of the transaction, explaining
that ``Princip[al] to Wash A[ccount] & Interest to DDA A[ccount].'' The
``DDA Account'' referenced the Demand Deposit Account, which is an
operational, external-facing account used by Citibank to collect payments
from customers and make transfers to lenders. After reviewing the
transaction, Raj believed -- incorrectly -- that the principal would be sent
to the wash account and only the interest payments would be sent out to the
Lenders.  Raj then emailed Fratta, seeking final approval under the six-eye
review process, explaining ``NOTE: Principal set to Wash and Interest Notice
released to Investors.'' Fratta, also believing incorrectly that the default
instructions were being properly overridden and the principal payment would
be directed to the wash account, not to the Lenders, responded to Raj via
email, noting, ``Looks good, please proceed. Principal is going to wash.''

The software gave him a warning, but not a very good one:

Raj then proceeded with the final steps to approve the transfers, which
prompted a warning on his computer screen -- referred to as a ``stop sign''
-- stating: ``Account used is Wire Account and Funds will be sent out of the
bank. Do you want to continue?'' But ``[t]he stop sign `did not indicate the
amount that would be sent out of the bank,' or whether it constituted an
amount equal to the intended interest payment, an amount equal to the
outstanding principal on the loan, or a total of both.'' Because Raj
intended to release ``the interim interest payment to [the] [L]enders,'' he
therefore clicked ``YES.''

Here's Figure 1; it does not particularly explain itself:

See, the ``don't actually send the money'' box next to ``PRINCIPAL'' is
checked, but that doesn't do anything, you have to check two other boxes to
make it not actually send the money.

When they discovered the error the next day, their first reaction was not
to email the lenders asking for the money back (that was their second
reaction); their *first* reaction was to email tech support to say the
software was broken:

At 10:26 a.m., Fratta emailed Citibank's technology support group:
``Yesterday we processed a payment with Principal to the wash and Interest
to be sent to lenders. All details in the front end screens yesterday le[d]
us to believe that the payment would be handled in that manner. . . .
Screenshots provided below indicating that the wash account . . . is present
and boxes checked appropriately for the principal components.''  Fratta then
forwarded the same email to members of his team, with the subject line
``Urgent Wash Account Does not Work.'' He stated: ``Flexcube is not working
properly, and it will send your payments out the door to
lenders/borrowers. The wash account selection is not working. This lead
[sic] to ~1BN going out the door in error yesterday for an ABTF Deal,
Revlon.'' ...

Over the course of the day, Fratta learned that the principal payments --
which were made with Citibank's own money, as Revlon had provided funds only
for the interim interest payments to be made in connection with the roll up
transaction -- were not caused by a technical error, but by human error: the
failure to select the FRONT and FUND fields when inputting the default
override instructions in Flexcube.

Nope, nope, he was right the first time, this whole setup is a ``technical
error.'' Citi's software will only let you pay principal to some lenders if
you pretend to pay it to every lender, and it will only let you pretend to
pay principal to every lender if you check the ``just pretend'' box next to
``PRINCIPAL'' (fine!) and ``FUND'' (what?) and ``FRONT'' (what even?). What a
terrifying thing......
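
The override and confirmation logic the post describes, modelled as an added Python example (this is not Citibank's or Flexcube's code; the lender names, the amounts and the "funded by borrower" figure are constructed). `release_as_described` reproduces the behaviour in the text: the wash box next to PRINCIPAL changes nothing unless FRONT and FUND are checked too, and the stop sign never states an amount. `hardened_release` shows the three checks the story motivates: a partially set override is rejected instead of silently falling back to the default, the money leaving the bank is compared with what the borrower funded, and the confirmation names the total and every destination before the approver is asked to proceed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    lender: str
    principal: float  # outstanding principal owed to this lender
    interest: float   # interim interest due to this lender


def release_as_described(payments, principal_wash, front_wash, fund_wash):
    """Behaviour the post describes: the 'wash' box next to PRINCIPAL alone
    changes nothing. Principal stays in the internal wash account only when
    PRINCIPAL, FRONT and FUND are all checked; otherwise the default
    instruction applies and principal plus interest leaves the bank.
    Returns (amount wired per lender, amount retained in the wash account)."""
    diverted = principal_wash and front_wash and fund_wash
    wired, wash = {}, 0.0
    for p in payments:
        if diverted:
            wash += p.principal
            wired[p.lender] = p.interest
        else:
            wired[p.lender] = p.principal + p.interest
    return wired, wash


def stop_sign_as_described():
    """The only warning the approver saw: no amount, no breakdown."""
    return ("Account used is Wire Account and Funds will be sent out of the bank. "
            "Do you want to continue?")


def hardened_release(payments, principal_wash, front_wash, fund_wash, funded_by_borrower):
    """Same transfer with three defensive checks. Returns a dict whose 'status'
    is 'ok', 'inconsistent-override' or 'exceeds-funding'; nothing is wired
    unless the status is 'ok'."""
    flags = (principal_wash, front_wash, fund_wash)
    # 1. The three boxes express one intent. A partial selection is an error,
    #    never a silent fall-back to the default "send everything" instruction.
    if any(flags) and not all(flags):
        return {"status": "inconsistent-override",
                "message": "wash override needs PRINCIPAL, FRONT and FUND together; "
                           f"got PRINCIPAL={flags[0]}, FRONT={flags[1]}, FUND={flags[2]}"}
    wired, wash = release_as_described(payments, *flags)
    outgoing = sum(wired.values())
    # 2. Money leaving the bank must not exceed what the borrower actually funded
    #    (in the story the borrower had funded only the interest).
    if outgoing > funded_by_borrower:
        return {"status": "exceeds-funding",
                "message": f"{outgoing:,.2f} would leave the bank but the borrower "
                           f"funded only {funded_by_borrower:,.2f}"}
    # 3. The confirmation states the total and every destination, so the
    #    approver sees the amount before clicking YES.
    lines = [f"  {lender}: {amount:,.2f}" for lender, amount in sorted(wired.items())]
    message = (f"Total leaving the bank: {outgoing:,.2f}\n"
               f"Retained in wash account: {wash:,.2f}\n" + "\n".join(lines))
    return {"status": "ok", "wired": wired, "wash": wash, "message": message}


# Constructed sample: two lenders, and the borrower funded only the interest.
SAMPLE_PAYMENTS = [Payment("Lender A", 600.0, 6.0), Payment("Lender B", 300.0, 3.0)]
SAMPLE_FUNDED = 9.0

if __name__ == "__main__":
    print("as described, PRINCIPAL box only:",
          release_as_described(SAMPLE_PAYMENTS, True, False, False))
    print(stop_sign_as_described())
    print("hardened, PRINCIPAL box only:",
          hardened_release(SAMPLE_PAYMENTS, True, False, False, SAMPLE_FUNDED)["message"])
    print(hardened_release(SAMPLE_PAYMENTS, True, True, True, SAMPLE_FUNDED)["message"])
```

Run as a script, the first line shows the full principal plus interest leaving for both lenders with only the PRINCIPAL box checked, exactly the failure in the post; the hardened version refuses that combination outright and, when all three boxes are set, prints a confirmation that carries the amounts the original stop sign left out.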

------------------------------

Date: Sun, 14 Feb 2021 09:44:58 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Climate Change Could Shred Guitars Known for Shredding
  (Scientific American)

https://www.scientificamerican.com/podcast/episode/climate-change-could-shred-guitars-known-for-shredding/

"It is the wood that the rock greats have sworn by -- swamp ash, in the form
of their Fender Telecaster and Stratocaster guitars -- for over 70 years. If
you've ever listened to rock, you've probably heard a swamp ash, solid body
guitar. But now, climate change is threatening the wood that helped build
rock and roll."

Rock n' roll will never die, but the next generation of inspirational
guitarists, and their rich riffs, may not mature without solid-body swamp
ash stringed instruments. Amplifiers that go to 11 can't fix Fender
Stratocaster extinction.

------------------------------

Date: Fri, 19 Feb 2021 15:29:42 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Data breach warning after California DMV contractor hit by
 file-stealing ransomware (TechCrunch)

California's Department of Motor Vehicles is warning of a potential data
breach after a contractor was hit by ransomware.

The Seattle-based Automatic Funds Transfer Services (AFTS), which the DMV
said it has used for verifying changes of address with the national database
since 2019, was hit by an unspecified strain of ransomware earlier this
month.

In a statement sent by email, the DMV said that the attack may have
compromised “the last 20 months of California vehicle registration records
that contain names, addresses, license plate numbers and vehicle
identification numbers.” But the DMV said AFTS does not have access to
customers' Social Security numbers, dates of birth, voter registration,
immigration status or driver's license information, and was not compromised.

https://techcrunch.com/2021/02/18/california-motor-vehicles-afts-ransomware/?guccounter=1

------------------------------

Date: Thu, 18 Feb 2021 11:00:49 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Entitled People Are More Likely To Be Angry at Bad Luck
  (Scientific American)

https://www.scientificamerican.com/article/entitled-people-are-more-likely-to-be-angry-at-bad-luck/

"Defeat is never fun, but losing a game of poker is less painful when it's
due to the luck of the draw rather than an opponent who's cheating.
Unfairness fires people up, whereas bad luck just disappoints.

"But interestingly, this isn't true for everyone. In a series of studies, we
found that people who have higher levels of psychological entitlement -- who
believe they deserve good things -- actually felt victimized and angered
when they experienced, remembered or imagined bad luck befalling them."

Where would the technology industry be if luck preordained investment
outcomes? Is the game of life imperceptibly fixed for some and not others?
Fortitude sustains human perseverance, though the myth of Sisyphus reminds
us that effort does not always render beneficial outcome.

That luck serves a significant role in personal or collective achievement,
or underachievement, or at least the perception of it, is both devastating
and demoralizing. Resorting to luck as the sole determinant of success
reinforces the desperate idiom that "Man plans and God laughs."

------------------------------

Date: Mon, 15 Feb 2021 06:44:57 -0500
From: Jan Wolitzky <jan.wolitzky () gmail com>
Subject: Who Should Stop Unethical AI? (Matthew Hutson)

At artificial-intelligence conferences, researchers are increasingly alarmed
by what they see.

Matthew Hutson, *The New Yorker*, 15 Feb, 2021

https://www.newyorker.com/tech/annals-of-technology/who-should-stop-unethical-ai

------------------------------

Date: Fri, 19 Feb 2021 10:13:39 +0800
From: Richard Stein <rmstein () ieee org>
Subject: AI may mistake chess discussions as racist talk
  (Techxplore.com)

https://techxplore.com/news/2021-02-ai-chess-discussions-racist.html

'"We don't know what tools YouTube uses, but if they rely on artificial
intelligence to detect racist language, this kind of accident can happen,"
KhudaBukhsh said. And if it happened publicly to someone as high-profile as
Radic, it may well be happening quietly to lots of other people who are not
so well known.'

Would discussion of "rainbow-sprinkled cookies" or an "all red, queen-high
flush" crash YouTube's AI platform?

Risk: AI misclassification.

------------------------------

Date: Wed, 17 Feb 2021 13:11:45 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: "Holy cow. Bitcoin is using half a percent of all the world's
  electricity?"

https://twitter.com/Ryan-Knutson/status/1362167579461226497

------------------------------

From: Richard Stein <rmstein () ieee org>
Date: Fri, 19 Feb 2021 10:25:54 +0800
Subject: Nvidia limits crypto-mining on new graphics card (msn.com)

https://www.msn.com/en-xl/news/other/nvidia-limits-crypto-mining-on-new-graphics-card/ar-BB1dNJev

"Nvidia said the software for its forthcoming GeForce RTX 3060 card will
limit how efficiently it can process Ethereum transactions by about 50%.

"This will make it less economical for miners to use the card for mining
Ethereum."

A software throttle is an exploit target.

------------------------------

Date: Fri, 19 Feb 2021 14:23:48 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: The IRS Cashed Her Check, Then the Late Notice Started Coming
  (ProPublica)

https://www.propublica.org/article/the-irs-cashed-her-check-then-the-late-notices-started-coming

------------------------------

Date: Thu, 18 Feb 2021 22:49:59 -0500
From: Monty Solomon <monty () roscom com>
Subject: Authorities have taken down the dark web's largest illegal
  marketplace vendor

Authorities have taken down the dark web's largest illegal marketplace
https://www.theverge.com/2021/1/12/22227929/darkmarket-shutdown-europol-worlds-largest-illegal-marketplace

------------------------------

Date: Tue, 16 Feb 2021 17:10:11 -0800
From: Peter G Neumann
Subject: U.S. election cybersecurity (CDT)

The Center for Democracy and Technology has issued a relevant report:

https://cdt.org/wp-content/uploads/2021/02/2021-02-02-CDT-Agenda-for-US-Election-Cybersecurity-KAS-FINAL.pdf

------------------------------

Date: Fri, 19 Feb 2021 17:25:29 +0800
From: Richard Stein <rmstein () ieee org>
Subject: People answer scientists' queries in real time while dreaming
  (Scientific American)

https://www.scientificamerican.com/article/people-answer-scientists-queries-in-real-time-while-dreaming/

"Researchers demonstrate that during REM sleep, people can hear -- and
respond to -- simple questions (What is eight minus six?)"

Not difficult to imagine an exploitation of this capability. For instance, a
CxO for a publicly listed company asked a yes-or-no question: 'Will your
shop achieve projected profitability this quarter?'

Risk: Sleep-talking.

------------------------------

Date: Fri, 19 Feb 2021 15:24:57 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: How Oracle Sells Repression in China (The Intercept)

In its bid for TikTok, Oracle was supposed to prevent data from being passed
to Chinese police. Instead, it’s been marketing its own software for their
surveillance work.

https://theintercept.com/2021/02/18/oracle-china-police-surveillance/

------------------------------

Date: Mon, 15 Feb 2021 20:04:47 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: The Untold History of America's Zero-Day Market (WiReD)

https://www.wired.com/story/untold-history-americas-zero-day-market/

A bit too breathless and incoherent...

------------------------------

Date: Tue, 16 Feb 2021 11:59:18 -0800
From: Rob Slade <rmslade () shaw ca>
Subject: "Vaccine" passport?

I'm not holding my breath, waiting for one.

I have, previously, mentioned John McAfee's "enterprise" regarding a similar
certificate or passport for swingers in the time of AIDS.  The thing just
isn't workable, at best, and, at worst, it can be a positive danger.

You're going to have to carry some kind of document or card.  Let's say it's
a card.  Now, does it just give contact info for a centralized database?
(One version I saw just used a QR code on your phone, so that definitely
seems to just be a "pointer" situation.)  *How* centralized?  This is going
to be used for international travel, one would think, if it is going to be
used at all.  So which countries are going to sign on?  And which are going
to accept a database in some other jurisdiction?  And which are going to
accept having their citizens' data stored by someone else?

OK, so what if we make it a smart card and store it on the phone.  Same
problems with jurisdiction.  Which countries are going to agree (within the
next few months, please) to a standard for data storage on such a card?  And
start producing them, all to the same specs.

Then we have the data.  There are the details of the vaccine.  Which version
of the vaccine?  Which lot number?  What is the date of administration?
(Oh, and, by the way, all vaccine administration points are going to have to
be prepared to input *and verify* all this information at the time you get
your shot.)  (Every single nurse-practitioner's office and pharmacy.)  (And
the details of who entered the info are going to have to be there as well,
for verification.)  Is it a multi-shot regimen?  Did you get your booster?

That's a lot of data.  And, if someone gets access to it, a lot more can be
inferred from it.  Like where you were on a given date and time ...

Oh, and, by the way, there are some additional data points we should add.
Like, have you been tested?  What type of test?  What date?  [...]

I see *lots* of problems ...

------------------------------

Date: Fri, 19 Feb 2021 14:08:17 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: Man offered vaccine after error lists him as 6.2cm tall

Yet another case of GIGO:
https://www.bbc.com/news/uk-england-merseyside-56111209

A young man was offered a vaccine despite not being in any risk group.  It
turns out his height was registered as 6.2cm instead of 6'2", which resulted
in a BMI number of about 28,000 -- which the system flagged as "clinically,
morbidly-obese".

------------------------------

Date: Tue, 16 Feb 2021 13:22:53 -0700
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Gorilla COVID risks (CNN)

https://www.cnn.com/2021/02/16/africa/gorilla-covid-selfie-safety-scli-intl-scn/

Jack Guy, CNN, 16 Feb 2021

  Tourists who take selfies with wild mountain gorillas could put the
  primates at risk of developing Covid-19, according to new research.

  Scientists from Oxford Brookes University, England, looked at hundreds of
  Instagram posts from people visiting the animals in East Africa and found
  most tourists were close enough to gorillas to spread viruses and
  diseases, according to a press release from the university on Tuesday.

  "The risk of disease transmission between visitors and gorillas is very
  concerning," said study lead author Gaspard Van Hamme, an Oxford Brookes
  University alumnus who started work on the study during his masters
  program.

  "It is vital that we strengthen and enforce tour regulations to ensure
  gorilla trekking practices do not further threaten these already imperiled
  great apes."

------------------------------

Date: Mon, 15 Feb 2021 16:51:48 +0900
From: Chiaki Ishikawa <ishikawa () yk rim or jp>
Subject: Japanese contact tracing software of Covid-19 patient on Android
  did not work for four months (Kyodo News)

The following item explains it all.

https://english.kyodonews.net/news/2021/02/6437947c3d50-suga-apologizes-for-glitch-in-japans-covid-19-contact-tracing-app.html

A contact tracing app dubbed "COCOA" in Japan has failed miserably on
Android phones since a September update, but obviously no one at the health
ministry or the development company that contracted the work verified its
operation on a real phone, despite SNS posts from Covid-19 patients
mentioning that their family members' phones did not report the exposure
warning at all.

I think the issue is due to a few factors:

- Apple/Google publish a so-called Exposure Notification API and implement
its functionality on their respective OSes. The specs from the two companies
disagreed on a few minor points.  Obviously, there have been updates, and
new specs are hard to read, as many in the ICT industry can attest. This type
of spec is read only by geeks, and not many complain loudly that they are
written poorly. But I digress.

Only some really serious developers noticed the subtle difference between
the API published for iOS and Android.  A blog post in Japanese about the bug
refers to the GitHub issue comments that first reported the issue from a
programmer's point of view:
https://zenn.dev/zipperpull/articles/20210210-cocoa-bug (in Japanese).

- Apple/Google have asked the health authorities of countries/regions that
only one such app be used in each region. This I suppose is due to privacy
concerns.

This made the selection of developers a bit difficult, since there had been a
few independent groups who already had more or less working samples. (I
don't know if they were bug-free or not.)  Eventually, one of the developed
apps was chosen as the basis of COCOA, and a maintenance company was
chosen whose main function, it was thought, was the operation/maintenance of
the anonymous patient database (anonymized by Apple/Google algorithms, I think).

But actually, due to the API changes over the long run, the app needed to be
maintained as well, for both iOS and Android. Somehow the Android update
got buggy, but no real-world phone tests took place, if I understand
correctly. This is probably due to the unpreparedness of the development
company, but I am not sure.

If this were an ordinary software bug, I would say, "OK, a bug is always
there, let's fix it and move on."

However, when the app was relied on by the health authority of the region
where I live (Kanagawa prefecture), it is not such an easy-to-ignore bug.  The
authority stated in early January, citing lack of manpower, that it would
rely on this failing app to keep track of people who come into contact with
known Covid-19 patients instead of human-based tracing.  This means that
those who relied on the Android version of the app got short shrift and worse.
I am not even sure if the iOS version is working correctly, since there has
been a report from an iOS user who got Covid-19 and yet her family members'
iPhones did not report the exposure. Hmm...

I use Android and have removed the app for now.

------------------------------

Date: Mon, 15 Feb 2021 10:52:16 PST
From: Peter Neumann <neumann () csl sri com>
Subject: Bruce Schneier's CRYPTO-GRAM, 15 Feb 2021

  [I am including the ToC for this issue of Bruce Schneier's CRYPTO-GRAM
  because it illustrates an incredible increase in the breadth and
  pervasiveness of serious security attacks.  FYI.  You might want your own
  subscription (it's free) if this is of interest to you.  PGN]

For back issues, or to subscribe, visit Crypto-Gram's web page
[https://www.schneier.com/crypto-gram/].

Read this issue on the web
[https://www.schneier.com/crypto-gram/archives/2021/0215.html]

     1. Cell Phone Location Privacy
     2. Injecting a Backdoor into SolarWinds Orion
     3. Sophisticated Watering Hole Attack
     4. SVR Attacks on Microsoft 365
     5. Insider Attack on Home Surveillance Systems
     6. Massive Brazilian Data Breach
     7. Dutch Insider Attack on COVID-19 Data
     8. Police Have Disrupted the Emotet Botnet
     9. New iMessage Security Features
     10. Including Hackers in NATO Wargames
     11. Georgia's Ballot-Marking Devices
     12. More SolarWinds News
     13. Another SolarWinds Orion Hack
     14. Presidential Cybersecurity and Pelotons
     15. NoxPlayer Android Emulator Supply-Chain Attack
     16. SonicWall Zero-Day
     17. Web Credit Card Skimmer Steals Data from Another Credit Card Skimmer
     18. Ransomware Profitability
     19. Attack against Florida Water Treatment Facility
     20. Medieval Security Techniques
     21. Chinese Supply-Chain Attack on Computer Systems

------------------------------

Date: Mon, 15 Feb 2021 15:19:40 -0600
From: Bob Wilson <wilson () math wisc edu>
Subject: Re: Calling All Ham Radio Operators

As a ham myself, I want to point out this has nothing to do with ham radio
operators. (Many of us do happily use Morse, but we are not the only such
people in the world!) Ham radio is a flourishing activity (the US has more
licensed hams now than ever in the past, something like three quarters of a
million) that in addition to being a hobby enjoyed by many is a valuable
contribution to national security and safety, and should not be (be)smirched
with any connection to that hacking attack!  Bob Wilson

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    http://www.acm.org/joinacm1

------------------------------

End of RISKS-FORUM Digest 32.50
************************

