Risks Digest 33.10
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 21 Mar 2022 11:20:26 PDT
RISKS-LIST: Risks-Forum Digest  Monday 21 March 2022  Volume 33 : Issue 10

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/33.10>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
It's 70 degrees warmer than normal in eastern Antarctica.
  Scientists are flabbergasted. (MSN)
Russia Faces IT Crisis with Just 2 Months of Data Storage Left (Bill Toulas)
Huge DDoS attack temporarily kicks Israeli government sites offline
  (The Register)
Unix Rootkit Used to Steal ATM Banking Data (Two items combined)
Researcher Uses 379-Year-Old Algorithm to Crack Crypto Keys in the Wild
  (Dan Goodin)
Legislation to require hand-counting of ballots? (Douglas W. Jones)
When It Comes to AI, Can We Ditch the Datasets? (Adam Zewe)
The TikTok-Oracle Deal Would Set 2 Dangerous Precedents (WiReD)
Find You: Building a stealth AirTag clone (Positive Security)
Tired of Waiting for Driverless Vehicles? Head to a Farm (Scott McFetridge)
*Time* Releases Full Magazine Issue as NFT on the Blockchain (Time)
Beware of QR Code Scams (Heidi Mitchell)
Drone swarm forms clickable QR code (Hollywood Reporter)
Re: Senate passes permanent Daylight Saving Time (John Levine)
One problem with permanent daylight saving time: Geography (Lauren Weinstein)
Re: MMS spam? (Jay Libove, Rob Slade)
Re: Farewell Honeychild (Charles Jackson)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 19 Mar 2022 14:49:38 PDT
From: Peter Neumann <neumann () csl sri com>
Subject: It's 70 degrees warmer than normal in eastern Antarctica.
  Scientists are flabbergasted.
  (MSN)

The coldest location on the planet has experienced an episode of warm weather this week unlike any ever observed, with temperatures over the eastern Antarctic ice sheet soaring 50 to 90 degrees above normal. The warmth has smashed records and shocked scientists.

"This event is completely unprecedented and upended our expectations about the Antarctic climate system," said Jonathan Wille, a researcher studying polar meteorology at Universite Grenoble Alpes in France, in an email.

"Antarctic climatology has been rewritten," tweeted Stefano Di Battista, a researcher who has published studies on Antarctic temperatures. He added that such temperature anomalies would have been considered "impossible" and "unthinkable" before they actually occurred.

Parts of eastern Antarctica have seen temperatures hover 70 degrees (40 Celsius) above normal for three days and counting, Wille said. He likened the event to the June heat wave in the Pacific Northwest, which scientists concluded would have been virtually impossible without human-caused climate change.

What is considered warm over the frozen, barren confines of eastern Antarctica is, of course, relative. Instead of temperatures being minus-50 or minus-60 degrees (minus-45 or minus-51 Celsius), they've been closer to zero or 10 degrees (minus-18 Celsius or minus-12 Celsius) -- but that's a massive heat wave by Antarctic standards. [...]

https://www.msn.com/en-us/weather/topstories/it-e2-80-99s-70-degrees-warmer-than-normal-in-eastern-antarctica-scientists-are-flabbergasted/ar-AAVfk4m

------------------------------

Date: Wed, 16 Mar 2022 12:08:06 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Russia Faces IT Crisis with Just 2 Months of Data Storage Left
  (Bill Toulas)

Bill Toulas, BleepingComputer, Ides of March 2022, via ACM TechNews, 16 Mar 2022

The withdrawal of Western cloud computing companies from Russia has left the country with roughly two months of information technology (IT) data storage.
Russian news outlet *Kommersant* says the situation is compounded by exponential growth of public Russian agencies' storage needs due to Smart City projects entailing extensive video-surveillance and facial-recognition systems. Options proposed at a meeting of the Ministry of Digital Transformation Solutions include leasing all available domestic data storage or mandating that Internet service providers ditch media streaming services and other online entertainment platforms. Russia also could seize IT servers and storage left behind by exiting businesses and incorporate them into public infrastructure. The last option would be to use Chinese cloud service providers and IT system sellers, although China has not yet decided how much aid it is willing to provide.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e3c6x23240bx073178&

------------------------------

Date: Wed, 16 Mar 2022 09:16:49 +0200
From: Mike Rechtman <mike () rechtman com>
Subject: Huge DDoS attack temporarily kicks Israeli government sites offline
  (The Register)

A state of emergency is declared as officials assess the damage and look for culprits

https://www.theregister.com/2022/03/15/ddos-attack-israel-government-iran/
15 Mar 2022 // 17:12 UTC

A massive distributed denial-of-service (DDoS) attack forced Israeli officials Monday to temporarily take down several government websites and to declare a state of online emergency to assess the damage and begin investigating who was behind the incident.

In a tweet, the Israel National Cyber Directorate said it had detected the DDoS attack against a communications provider and that several websites had been taken down, though all have since resumed normal activity.

According to Internet watchdog NetBlocks, the attacks targeted Israeli telecom providers Bezeq and Cellcom and hit multiple networks run by the companies.
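The Register item above says the attack was detected at a communications provider but not how. As an added, defender-side illustration (not part of the digest item or the article), the script below runs a volumetric check over web-server access-log lines: it builds a per-second baseline, then flags any later second whose request count is far above that baseline and that comes from many distinct source addresses, which is what separates a distributed flood from one noisy client. Every log line is constructed here, using the reserved documentation ranges 203.0.113.0/24 and 198.51.100.0/24; the thresholds (`factor`, `min_sources`, `baseline_seconds`) are assumed starting values, not figures from the page.

```python
"""Volumetric DDoS indicator over access-log lines (added illustration).

Not from the RISKS item or The Register article. Every log line below is
constructed, using the reserved documentation address ranges
203.0.113.0/24 and 198.51.100.0/24; thresholds are assumed starting points.
"""
import re
from collections import defaultdict
from statistics import median

# Common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "req": m["req"], "status": int(m["status"])}


def second_bucket(ts):
    """'15/Mar/2022:17:12:03 +0000' -> '15/Mar/2022:17:12:03' (drops the zone)."""
    return ts.split(" ", 1)[0]


def per_second_stats(lines):
    """Count requests and collect distinct source IPs for each wall-clock second."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip malformed lines rather than crash mid-incident
            continue
        sec = second_bucket(rec["ts"])
        counts[sec] += 1
        sources[sec].add(rec["ip"])
    return counts, sources


def detect_bursts(lines, baseline_seconds=10, factor=10.0, min_sources=20):
    """Flag seconds whose request count is >= factor x the baseline median
    AND that come from at least min_sources distinct IPs (the 'distributed'
    part). The baseline is the median per-second count over the first
    baseline_seconds observed seconds. Seconds are compared as strings, which
    orders correctly within one day; a real deployment would parse timestamps.
    """
    counts, sources = per_second_stats(lines)
    seconds = sorted(counts)
    base = [counts[s] for s in seconds[:baseline_seconds]]
    baseline = median(base) if base else 0
    alerts = []
    for sec in seconds[baseline_seconds:]:
        n, distinct = counts[sec], len(sources[sec])
        if n >= factor * max(baseline, 1) and distinct >= min_sources:
            alerts.append({"second": sec, "requests": n,
                           "distinct_sources": distinct, "baseline": baseline})
    return alerts


def build_sample_log():
    """Constructed log: 10 quiet seconds, one distributed burst, then a
    single-source spike that the distributed criterion deliberately ignores."""
    def line(ip, mmss, path="/"):
        return (f'{ip} - - [15/Mar/2022:17:{mmss} +0000] '
                f'"GET {path} HTTP/1.1" 200 512')
    lines = []
    for s in range(10):                             # baseline: 3 req/s from 3 IPs
        for k in range(1, 4):
            lines.append(line(f"203.0.113.{k}", f"12:{s:02d}"))
    for k in range(1, 61):                          # burst: 60 req/s from 60 IPs
        lines.append(line(f"198.51.100.{k}", "12:10", "/login"))
    for _ in range(40):                             # one noisy client, 40 req/s
        lines.append(line("203.0.113.9", "12:11"))
    lines.append("not a log line")                  # malformed input is skipped
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_log()):
        print(alert)
```

The single-source second (40 requests from one address) is left unflagged on purpose: that case belongs to per-client rate limiting, whereas the alert here is meant to catch the many-sources pattern that a provider cannot block by address alone. In practice the baseline would be learned over a longer quiet window and the factor tuned against normal diurnal peaks, or the check produces alerts on every flash crowd.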
------------------------------

Date: Mon, 21 Mar 2022 12:03:33 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Unix Rootkit Used to Steal ATM Banking Data (Two items combined)

Bill Toulas, BleepingComputer, 17 Mar 2022

Researchers at the cybersecurity firm Mandiant found that the LightBasin hacking group is using a previously unknown Unix rootkit to steal ATM banking data and make unauthorized cash withdrawals from ATM terminals at several banks. The rootkit, a Unix kernel module called "Caketap," affects servers running the Oracle Solaris operating system, hiding network connections, processes, and files while installing several hooks into system functions to receive remote commands and configurations. Caketap intercepts messages sent to the Payment Hardware Security Module (HSM), used by the banking industry to verify bank card information, to stop verification messages that match fraudulent bank cards and instead generate a valid response. It also internally saves valid messages that match non-fraudulent primary account numbers and sends them to the HSM to avoid impacting routine customer transactions and implant operations.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e440x232602x073400&

ALSO: Drew Harwell, *The Washington Post*, 17 Mar 2022

Computer programmers and volunteer "information warriors" are attempting to counter Russian propaganda and information suppression concerning the Ukraine invasion. A Website built by the squad303 coder group shows a randomly selected Russian citizen's email address and phone or WhatsApp number, and provides a pre-written message visitors can send to engage in a dialogue. A Polish programmer said he works with more than 100 volunteers from the U.S., Estonia, France, Germany, and more, divided into teams focused on software development, cyberdefense, social media, and a help desk to onboard new messengers.
Western social media companies and media outlets also have started helping Russians bypass government censorship by using Tor software, which directs online traffic through a scattered network of servers, neutralizing Russia's Website blockade. Market research data indicates virtual private network applications, which enable Russians to access otherwise-banned sites, have been downloaded millions of times on the Apple and Google app stores.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e440x2325f7x073400&

------------------------------

Date: Wed, 16 Mar 2022 12:08:06 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Researcher Uses 379-Year-Old Algorithm to Crack Crypto Keys in the Wild
  (Dan Goodin)

Dan Goodin, Ars Technica, 14 Mar 2022, via ACM TechNews, 16 Mar 2022

Researcher Hanno Böck said he used a 379-year-old algorithm described by French mathematician Pierre de Fermat to break a handful of weak cryptographic keys found in the wild. The keys were generated with older software owned by technology company Rambus, derived from a basic version of the SafeZone Crypto Libraries. Böck said the SafeZone library insufficiently randomized the two prime numbers it used to generate RSA keys, and Fermat's factorization method can crack such keys easily. The algorithm was based on the fact that any odd number can be expressed as the difference between two squares, and factors near that number's root are easily and quickly calculable. Böck thinks all the keys he found in the wild were generated using software or methods unaffiliated with the SafeZone library, which if true means the Fermat algorithm might easily break keys crafted by other software.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e3c6x23240fx073178&

  [You gotta be very Ferm-at avoiding such primes.
  PGN]

------------------------------

Date: Sun, 20 Mar 2022 11:49:09 PDT
From: Peter Neumann <neumann () csl sri com>
Subject: Legislation to require hand-counting of ballots? (Douglas W. Jones)

My long-time colleague (Prof.) Doug Jones (not the politician) has published an op-ed relating to recent attempts to abandon ballot scanners in favor of hand-counting ballots. It is in The Des Moines Register. This is worth reading.

https://www.msn.com/en-us/news/politics/opinion-we-shouldnt-abandon-machine-counted-election-ballots/ar-AAVhCzE

  [Hand-counting is more easily rigged?  PGN]

------------------------------

Date: Mon, 21 Mar 2022 12:03:33 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: When It Comes to AI, Can We Ditch the Datasets? (Adam Zewe)

Adam Zewe, MIT News, 15 Mar 2022

Massachusetts Institute of Technology (MIT) researchers have demonstrated the use of a generative machine-learning model to produce synthetic data, based on real data, to train another model for image classification. Researchers showed the generative model millions of images containing objects in a specific class, after which it learned those objects' appearance in order to generate similar objects. MIT's Ali Jahanian said generative models also learn how to transform underlying training data, and connecting a pre-trained generative model to a contrastive learning model enabled both models to work together automatically. The results show that a contrastive representation learning model trained only on synthetic data can learn visual representations that rival or top those learned from real data. In analyzing how the number of samples influenced the model's performance, researchers determined that, in some cases, generating larger numbers of unique samples facilitated additional enhancements.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e440x2325f8x073400&

  [RISKS: Is this just kicking the can down the road, because the training-data model may be biased?
  PGN]

------------------------------

Date: Sun, 20 Mar 2022 21:57:26 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: The TikTok-Oracle Deal Would Set 2 Dangerous Precedents (WiReD)

The agreement may provoke a global data storage melee and more politically motivated intervention in the tech sector.

In August 2020, President Donald Trump dropped a bombshell executive order banning TikTok in the United States. Since then, as TikTok has competed against other Big Tech companies -- growing among teen users while Facebook and others have struggled -- its ability to survive in the United States has remained under a cloud of uncertainty. Would regulators step in and kill off a product that had become a staple form of communication for some 100 million Americans?

That cloud seemed to lift last week in the wake of reports that TikTok will enter into a data storage deal with Oracle. In the short term, the agreement would be good for U.S. users, enabling TikTok to invest more of its resources and energy into improving its product, rather than wrestling with the government. But in the long run, the forecast looks bleaker. The deal would establish precedents likely to harm technology companies and their users. [...]

However, the agreement is almost certain to provide momentum to foreign governments who want to do exactly what the United States is doing: require companies to store data within their borders. Numerous countries have pushed these types of data localization requirements over the last decade, including Russia, India, and France. In response, the tech sector has made the case that this approach to data storage creates privacy risks, degrades performance, and imposes compliance costs that make it harder for small companies to compete. If the U.S. government succeeds in forcing TikTok to enter this local data-storing arrangement with Oracle, other governments will be more likely to impose comparable requirements on U.S. companies operating within their borders.
A principle that might be appealing to TikTok's critics in the United States could seem much less desirable if it were applied to Apple, Meta, or Snap in countries like China or Russia. The war in Ukraine has highlighted why countries like Russia want to use localization to exert more control over global tech companies, and also why it's so important that local data storage requirements remain the exception rather than the norm.

https://www.wired.com/story/the-tiktok-oracle-deal-would-set-2-dangerous-precedents

------------------------------

Date: Sun, 20 Mar 2022 22:11:15 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Find You: Building a stealth AirTag clone (Positive Security)

* After AirTags are reportedly used more and more frequently for malicious purposes, Apple has published a statement that lists its current and future efforts to prevent misuse.
* We built an AirTag clone that bypasses all those tracking protection features and confirmed it working in a real-world experiment (source code available here).
* We encourage Apple to include AirTag clones/modified AirTags into their threat model when planning the next changes to the Find My ecosystem.

https://positive.security/blog/find-you

------------------------------

Date: Mon, 21 Mar 2022 12:03:33 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Tired of Waiting for Driverless Vehicles? Head to a Farm (Scott McFetridge)

Scott McFetridge, Associated Press, 16 Mar 2022

Driverless vehicles are more abundant on farms than city streets, with John Deere to start manufacturing autonomous tractors this fall after more than 10 years in development. The company intends to run the tractors on 10 to 50 farms by fall, before expanding to more farms in the coming years. Carnegie Mellon University's Raj Rajkumar said autonomous tractors have no vehicles, pedestrians, or intricacies of urban systems to deal with, and they can employ consistent global-positioning system data.
Farmers can hitch a plow behind the driverless tractor, start it with a swipe of a smartphone, and then leave it to travel the field on its own. The machine has six pairs of cameras that can provide a 360-degree image, and computer algorithms help it to navigate and stop before unfamiliar obstacles.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e440x2325ffx073400&

  [If its uses are off-road only, that means safety standards tend to be considerably reduced? That's the way off-road equipment works now, although it might need a trailer to go from one farm to another.  PGN]

------------------------------

Date: Mon, 21 Mar 2022 12:03:33 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: *Time* Releases Full Magazine Issue as NFT on the Blockchain (Time)

*Time*, 18 Mar 2022

*Time* magazine will publish the first fully decentralized magazine issue, available on March 23 as a non-fungible token (NFT) on the blockchain. Created in partnership with LITDAO, a Web3 cultural currency and NFT project, the issue will be hosted through a decentralized protocol, with readers accessing the magazine through an interactive NFT. With support from the global Internet finance firm Circle, the issue, which will feature a cover story on Ethereum's Vitalik Buterin, will be airdropped to certain TIMEPiece and genesis LIT community wallet holders. "As *Time* continues to push the boundaries as to what is possible within the Web3 ecosystem, producing the first-ever full magazine on the blockchain seemed like a natural extension for our brand, and we knew this issue, in particular, would be cherished by our community," said *Time*'s Keith A. Grossman.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e440x2325fcx073400&

------------------------------

Date: Mon, 21 Mar 2022 12:03:33 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Beware of QR Code Scams (Heidi Mitchell)

Heidi Mitchell, *The Wall Street Journal*, 19 Mar 2022

Security researchers warn of the growing threat of fraudulent quick response (QR) codes, including some affixed to parking meters in Texas cities that tricked drivers into entering their credit-card data at a bogus Website. Although the Better Business Bureau's Scam Tracker site lists just 46 QR code-related attacks in the U.S. since March 2020, link-management service Bit.ly has observed a 750% increase in QR-code downloads since then. Most smartphones "just read the code and open the link without ensuring that it is safe or that it is, in fact, what it says it is," said Justin Fier at artificial intelligence cybersecurity firm Darktrace. Skilled attackers also can use a QR code to send users to a spoof site, then hand over the information they enter to the genuine site. Symantec's Eric Chien suggests either avoiding QR codes that are stuck on devices or installing QR-code scanner applications.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e440x2325f9x073400&

  [See RISKS-33.02-04.  PGN]

------------------------------

Date: Wed, 16 Mar 2022 17:47:35 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: Drone swarm forms clickable QR code (Hollywood Reporter)

In a publicity stunt for a TV series, 400 drones formed a huge QR code square in the sky over Austin, Texas, which linked to the series' trailer clip.

Yet another way to make people click on links to sites they never intended to visit.
Full story at:
https://www.hollywoodreporter.com/tv/tv-news/halo-sxsw-drones-1235110882/

------------------------------

Date: 16 Mar 2022 14:39:22 -0400
From: "John Levine" <johnl () iecc com>
Subject: Re: Senate passes permanent Daylight Saving Time (RISKS-33.09)

There were claims that there might be more accidents, but no evidence that there actually were.

https://www.nytimes.com/1974/10/01/archives/senate-votes-return-to-standard-time-for-four-months-and-sends-bill.html

Here in the frozen north, in January the sun rises at 7:30 or later, so a lot of kids wait for the bus in the dark with or without daylight time.

------------------------------

Date: Mon, 21 Mar 2022 09:48:13 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: One problem with permanent daylight saving time: Geography

It's pretty much always the case that anything Congress does in a hurry hasn't been thought out. Often not thinking things through is one of Congress' most obvious attributes. -L

https://www.nbcnews.com/politics/meet-the-press/one-problem-permanent-daylight-saving-time-geography-n1292415

------------------------------

Date: Wed, 16 Mar 2022 08:10:31 +0000
From: Jay Libove <libove () felines org>
Subject: Re: MMS spam?

In re: Rob Slade's question about MMS spam, I've seen some mobile phone based messaging clients that, by default, "upgrade" messages which are too long to fit in a single (or in a consecutive set of up to five) SMS text messages, or which contain non-SMS-compatible content, to MMS. That is of course a horrible default, because MMS messages tend to have ridiculous costs, of which the user is unlikely to be consciously aware at the moment that their messaging software "helpfully" ensures delivery ... at a cost of $1.00 or so both to themself and probably also to each recipient.

Rob, ask your correspondent to take a look at the settings of their messaging app in which the finally-resulted-as-MMS message was sent.
-Jay

------------------------------

Date: Mon, 7 Mar 2022 07:21:29 -0800
From: Rob Slade <rslade () gmail com>
Subject: Re: MMS spam?

I have been receiving a lot of MMS (as opposed to SMS, normal text) messages on my phones recently. One of the phones doesn't have a data plan, so I don't get to see what the messages are. (Yes, yes, I *know* the cell companies promise that their plans allow you unlimited voice, video, and pictures "text" messages. They lie.)

I have generally despaired of trying to get people to realize the difference between SMS and MMS messages, and the incompatibilities that make MMS messages unreliable even if you do have the phone and cell/mobile data plan to support them.

However, a few days ago I got an MMS message from someone who *is* technically competent, and, when I challenged him, he denied sending any such message. Given that he would know, and the increase in numbers, I am wondering if there is some new spamming campaign utilizing MMS messages.

Anybody heard/seen anything along these lines?

------------------------------

Date: Tue, 15 Mar 2022 21:15:11 -0400
From: Charles Jackson <clj () jacksons net>
Subject: Re: Farewell Honeychild (PGN, RISKS-33.09)

Well, as I recall the story, it goes like this:

Honeywell and Fairchild have announced a merger. They also announced that the merger would create substantial efficiencies by reducing expenses. Substantial layoffs are expected. The merged firm will be called Farewell Honeychild.

  [TNX for the rest of the story!!!  PGN]

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.10
************************