RISKS Forum mailing list archives

Risks Digest 33.30


From: RISKS List Owner <risko () csl sri com>
Date: Mon, 20 Jun 2022 16:19:38 PDT

RISKS-LIST: Risks-Forum Digest  Monday 20 June 2022  Volume 33 : Issue 30

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/33.30>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents: [RISKS-33.29 delay on USENET was due to a Panix key upgrade.]
We've only scratched the surface of how bad the crypto[currency] crime wave
 has gotten (Yaohoo!)
FBI warns crypto fraud on LinkedIn is a 'significant threat' (Engadget)
Ethereum Mining Is Going Away (Bloomberg)
Microsoft Office 365 Feature Could Help Ransomware Hackers Hold Cloud Files
 Hostage (The Hacker News)
Micropatching on the fly (Tom Van Vleck)
The Open Secret of Google Search (The Atlantic)
Leaked Audio From 80 Internal TikTok Meetings Shows That U.S. User Data Has
 Been Repeatedly Accessed From China (Buzzfeednews)
Lake Mead and Lake Powell, the 2 largest reservoirs in the US, which provide
 water to over 40 million Americans in Nevada, Arizona and California, are
 at their lowest levels ever. (twitter via geoff goodfellow)
Stronger Security for Smart Devices (Adam Zewe)
New Mexico's Post-Certification Recounts (Annie Gowan)
It is 2022. My coffee mug wants me to log in, wants to know my location, and
 if it can send me promotional emails... (Marc IRL)
A Language Model Trained to Mimic 4chan Might Portend AI's Grim Future
 (Georgetown CSET)
A minor example of human factors in security (risks () sctb net)
Serious Warning Issued For Millions Of Google Gmail Users (Forbes)
Re: the death knell of jSCH (Dmitri Maziuk)
Re: Physics-Based Cryptocurrency Transmits Energy Through Blockchain
 (John Levine)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 19 Jun 2022 11:28:10 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: We've only scratched the surface of how bad the crypto[currency] crime wave
 has gotten (Yaohoo!)

We've only scratched the surface of how bad the crypto crime wave has gotten

https://news.yahoo.com/weve-only-scratched-surface-bad-221758213.html

------------------------------

Date: Fri, 17 Jun 2022 17:16:04 -0400
From: Monty Solomon <monty () roscom com>
Subject: FBI warns crypto fraud on LinkedIn is a 'significant threat'
 (Engadget)

https://www.engadget.com/fbi-warning-crypto-fraud-linkedin-significant-threat-191600330.html

------------------------------

Date: Mon, 20 Jun 2022 12:23:17 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Ethereum Mining Is Going Away (Bloomberg)

David Pan and Olga Kharif, Bloomberg, 16 Jun 2022,
via ACM TechNews; Monday, 20 Jun 2022

Ethereum mining could end soon due to "the Merge," leaving as many as 1
million miners out of a source of income. The Merge (expected to occur in
August, though it has been pushed back several times already) involves a
shift from the proof-of-work model, which uses a significant amount of
computing power and energy, to the proof-of-stake model to record
transactions. The alternative model will slash the Ethereum network's power
consumption by about 99%, but also will put miners out of work. Following
The Merge, some Ethereum miners plan to mine other coins that require
graphics processing units, like Ethereum Classic or Ravencoin, or to use
their equipment for rendering (an aspect of digital video production) or
machine learning tasks.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ecdcx23467ax071600&;

------------------------------

Date: Thu, 16 Jun 2022 07:27:17 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: Microsoft Office 365 Feature Could Help Ransomware Hackers Hold
 Cloud Files Hostage (The Hacker News)

A "dangerous piece of functionality" has been discovered in Microsoft 365
suite that could be potentially abused by a malicious actor to ransom files
stored on SharePoint and OneDrive and launch attacks on cloud
infrastructure.

The cloud ransomware attack makes it possible to launch file-encrypting
malware to "encrypt files stored on SharePoint and OneDrive in a way that
makes them unrecoverable without dedicated backups or a decryption key from
the attacker," Proofpoint said in a report published today.
<https://www.proofpoint.com/us/blog/cloud-security/proofpoint-discovers-potentially-dangerous-microsoft-office-365-functionality>

The infection sequence can be carried out using a combination of Microsoft
APIs, command-line interface (CLI) scripts, and PowerShell scripts, the
enterprise security firm added.

The attack, at its core, hinges on a Microsoft 365 feature called AutoSave
that creates copies of older file versions as and when users make edits to a
file stored on OneDrive or SharePoint Online.
<https://support.microsoft.com/en-us/office/what-is-autosave-6d6bd723-ebfd-4e40-b5f6-ae6e8088f7a5>

It commences with gaining unauthorized access to a target user's SharePoint
Online or OneDrive account, followed by abusing the access to exfiltrate and
encrypt files. The three most common avenues to obtain the initial foothold
involve directly breaching the account via phishing or brute-force attacks,
tricking a user into authorizing a rogue third-party OAuth application, or
taking over the web session of a logged-in user.

But where this attack stands apart from traditional endpoint ransomware
activity is that the encryption phase requires locking each file on
SharePoint Online or OneDrive more than the permitted versioning limit.
[...]

<https://support.microsoft.com/en-us/office/how-versioning-works-in-lists-and-libraries-0f6cd105-974f-44a4-aadb-43ac5bdfd247>
https://thehackernews.com/2022/06/a-microsoft-office-365-feature-could.html
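The pattern described above (a library's version limit lowered, then a file rewritten more times than that limit allows) can be hunted for in audit data. The detection logic below is an added example, not Proofpoint's or Microsoft's code: the audit records are constructed, and the "VersionLimitChanged" operation and "NewLimit" field are assumed names rather than the documented audit log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records, loosely modelled on the unified audit log's
# CreationTime / Operation / UserId / ObjectId fields. "FileModified" is a
# real SharePoint audit operation; "VersionLimitChanged" and "NewLimit" are
# ASSUMED names for the library-settings change, not a documented schema.
LIB = "https://contoso.sharepoint.com/sites/fin/Shared Documents"
AUDIT_RECORDS = [
    {"CreationTime": "2022-06-16T09:00:00", "Operation": "VersionLimitChanged",
     "UserId": "alice@example.com", "ObjectId": LIB, "NewLimit": 1},
    {"CreationTime": "2022-06-16T09:01:00", "Operation": "FileModified",
     "UserId": "alice@example.com", "ObjectId": LIB + "/report.xlsx"},
    {"CreationTime": "2022-06-16T09:01:20", "Operation": "FileModified",
     "UserId": "alice@example.com", "ObjectId": LIB + "/report.xlsx"},
    {"CreationTime": "2022-06-16T09:01:40", "Operation": "FileModified",
     "UserId": "alice@example.com", "ObjectId": LIB + "/report.xlsx"},
    {"CreationTime": "2022-06-16T09:05:00", "Operation": "FileModified",
     "UserId": "bob@example.com", "ObjectId": LIB + "/notes.docx"},
    {"CreationTime": "2022-06-16T15:00:00", "Operation": "FileModified",
     "UserId": "bob@example.com", "ObjectId": LIB + "/notes.docx"},
]

def limit_reductions(records, floor=100):
    """Libraries whose version limit was set below `floor`. SharePoint Online
    keeps 500 major versions by default; a limit of 1 means a single
    overwrite pushes the only clean copy out of version history."""
    return [(r["UserId"], r["ObjectId"], r["NewLimit"]) for r in records
            if r["Operation"] == "VersionLimitChanged" and r["NewLimit"] < floor]

def version_bursts(records, limit, window=timedelta(minutes=10)):
    """(user, file, count) for each file one account rewrote more than `limit`
    times inside a sliding `window`: the step that exhausts versioning."""
    stamps = defaultdict(list)
    for r in records:
        if r["Operation"] == "FileModified":
            key = (r["UserId"], r["ObjectId"])
            stamps[key].append(datetime.fromisoformat(r["CreationTime"]))
    hits = []
    for (user, obj), times in stamps.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best > limit:
            hits.append((user, obj, best))
    return hits

def triage(records, default_limit=500):
    """Judge each rewrite burst against the library's effective version limit,
    i.e. the lowered one if a reduction was logged, else the tenant default."""
    lowered = {lib: new for _, lib, new in limit_reductions(records)}
    findings = []
    for user, obj, n in version_bursts(records, limit=0):
        lib = next((p for p in lowered if obj.startswith(p)), None)
        limit = lowered[lib] if lib is not None else default_limit
        if n > limit:
            findings.append({"user": user, "file": obj, "rewrites": n,
                             "limit": limit, "limit_lowered": lib is not None})
    return findings
```

On the constructed records, only alice's three rewrites of report.xlsx within 40 seconds of the limit change are reported; bob's two edits hours apart are not.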

------------------------------

Date: Mon, 20 Jun 2022 15:39:28 -0400
From: Tom Van Vleck <thvv () multicians org>
Subject: Micropatching on the fly

People who are running computers with a lot of old and buggy software are
being wooed by services that will apply binary patches to their code while
it is running.

If a site is running an old down-rev version and can't afford the time,
cost, and effort to upgrade to a later version, the micropatching service
can apply fixes on the fly.

  [No flies are injured in the process.  PGN]

They patch in storage to avoid verification of code signatures.  Sometimes
they extract patches from later versions of the code and back-port them to
older code.

There is a DARPA/I2O program that is awarding ways to patch IoT
appliances and heavy truck engines:
  https://www.darpa.mil/program/assured-micropatching

  What could possibly go wrong?  THVV

    [Risks? This reminds me of Doug McIlroy and Bob Morris patching the live
    object code of their EPL compiler (early PL/I, starkly subset for
    Multics) at the same time Molly Wagner was compiling Multics
    memory-management code in 1967.  What a mess.  (Tom, Thanks for this
    item.)  Note for younger RISKS readers: Tom dates back to pre-Multics on
    CTSS, with what appears to be the very first e-mail system, which he and
    Noel Morris developed at MIT.  PGN]

------------------------------

Date: Mon, 20 Jun 2022 15:11:24 -0400
From: Monty Solomon <monty () roscom com>
Subject: The Open Secret of Google Search

One of the most-used tools on the Internet is not what it used to be.

https://www.theatlantic.com/ideas/archive/2022/06/google-search-algorithm-internet/661325/

------------------------------

Date: Fri, 17 Jun 2022 18:37:02 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Leaked Audio From 80 Internal TikTok Meetings Shows That U.S.
 User Data Has Been Repeatedly Accessed From China (Buzzfeednews)

https://www.buzzfeednews.com/article/emilybakerwhite/tiktok-tapes-us-user-data-china-bytedance-access

------------------------------

Date: Thu, 16 Jun 2022 16:54:33 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: Lake Mead and Lake Powell, the 2 largest reservoirs in the US,
 which provide water to over 40 million Americans in Nevada, Arizona and
 California, are at their lowest levels ever.

*... This will have unprecedented consequences and require drastic water
restrictions never seen before...*
https://twitter.com/US_Stormwatch/status/1536912734297526272

------------------------------

Date: Fri, 17 Jun 2022 12:14:25 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Stronger Security for Smart Devices (Adam Zewe)

Adam Zewe, *MIT News*, 14 Jun 2022, via ACM TechNews, 17 Jun 2022

Massachusetts Institute of Technology researchers demonstrated two security
techniques that block power and electromagnetic side-channel attacks
targeting analog-to-digital (ADC) converters in smart devices. The
countermeasures involve adding randomization to ADC conversion, which in one
case uses a random number generator to decide when each capacitor switches,
complicating the correlation of power supplies with output data. That method
also keeps the comparator in constant operation, preventing hackers from
ascertaining when each conversion stage begins and ends. The second
technique employs two comparators and an algorithm to randomly establish two
thresholds rather than one, creating millions of ways an ADC could reach a
digital output.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ecc8x234601x071624&;

------------------------------

Date: Sun, 19 Jun 2022 11:55:00 PDT
From: Peter G Neumann <neumann () csl sri com>
Subject: New Mexico's Post-Certification Recounts

Annie Gowan, WashPost, 17 Jun 2022
https://www.washingtonpost.com/politics/2022/06/17/new-mexico-county-weighs-defying-order-certify-election-results/

New Mexico county certifies election results, bowing to court order.  Otero
County commissioners voted 2 to 1 to accept results in this month's primary,
reversing an earlier decision driven by unfounded concerns about fraud.

Cuoy Griffin is quoted in the article:

  ``My vote to remain a no isn't based on any evidence, it's not based on
  any facts, it's only based on my gut feeling and my own intuition, and
  that's all I need,'' Griffin said.

------------------------------

Date: Thu, 16 Jun 2022 17:04:17 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: It is 2022. My coffee mug wants me to log in, wants to know my
 location, and if it can send me promotional emails... (Marc IRL)

https://twitter.com/Marc_IRL/status/153718748767571148

------------------------------

Date: Sun, 19 Jun 2022 10:11:00 PDT
From: Peter Neumann <neumann () csl sri com>
Subject: A Language Model Trained to Mimic 4chan Might Portend AI's Grim
 Future (Georgetown CSET)

A harbinger of the AI future?
  [Excerpted from a note by Dan Geer.  PGN]

A Language Model Trained to Mimic 4chan Might Portend AI's Grim Future
https://cset.georgetown.edu/newsletter/june-16-2022/

  A machine learning researcher trained a language model on three and half
  years' worth of 4chan posts to create what he dubbed "the most horrible
  model on the Internet," raising concerns about the public availability of
  language models and sparking debate about their ethical use. Yannic
  Kilcher, a Swiss ML expert who covers AI and ML advances on his popular
  [30]YouTube channel, fine-tuned an existing open-source language model --
  [31]EleutherAI's GPT-J-6B -- using [32]a dataset of more than 130 million
  posts from 4chan's "Politically Incorrect" board, an online forum with
  [33]a longstanding reputation for toxicity and offensiveness. As Kilcher
  described in [34]a video documenting the process, he then programmed a
  team of bots to post on the board as often as they could. According to
  Kilcher, the bots posted approximately 30,000 times during two separate
  24-hour periods. While 4chan users were able to identify some of the bots
  for what they were, this appeared to be due less to the model's
  shortcomings and more to the bots' superhuman indefatigability -- they
  posted round-the-clock, as frequently as the site allowed. Kilcher's
  experiment was criticized by a number of experts and observers, who
  [35]called it irresponsible and unethical. While Kilcher made it possible
  for anyone to use his [36]"GPT-4chan" by uploading it to Hugging Face, an
  online repository for AI and ML code, the site quickly restricted
  access. But the cat could be out of the bag: as Kilcher's experiment
  shows, currently available open-source models and datasets can be used to
  create [37]surprisingly effective language models with relative ease.

  30. https://www.youtube.com/c/YannicKilcher/videos
  31. https://huggingface.co/EleutherAI/gpt-j-6B
  32. https://zenodo.org/record/3606810#.YpjGgexByDU
  33. https://nymag.com/intelligencer/2015/11/inside-pol-4chans-racist-heart.html
  34. https://youtu.be/efPrtcLdcdM
  35. https://fortune.com/2022/06/10/ai-chatbot-trained-on-4chan-by-yannic-kilcher-draw-ethics-questions/
  36. https://huggingface.co/ykilcher/gpt-4chan
  37. https://thegradient.pub/gpt-4chan-lessons/#:~:text=An%20evaluation%20of%20the%20model%20on%20the%20Language%20Model%20Evaluation%20Harness.%20Kilcher%20emphasized%20the%20result%20that%20GPT-4chan%20slightly%20outperformed%20other%20existing%20language%20models%20on%20the%20TruthfulQA%20Benchmark%2C%20which%20involves%20picking%20the%20most%20truthful%20answer%20to%20a%20multiple%20choice%20question

------------------------------

Date: Sun, 19 Jun 2022 14:59:58 +0200
From: risks () sctb net
Subject: A minor example of human factors in security

I recently relocated to Gibraltar and looked to open a local bank account.

With one of the banks I contacted, communication was difficult - it turned
out their email server refused to accept or to make TLS connections, and my
email server mandates the use of TLS; their emails to me were not being
delivered (and their staff were either not receiving, or not understanding,
or not acting upon any error reports) and as I discovered when I tried to
email them, my server's connections were rejected.

I - from a web-based email account which allows unencrypted connections -
emailed the bank about this, pointing out the possibility, given that they
are a bank, of people unwittingly or thoughtlessly emailing sensitive
information, and the simplicity and ease of allowing TLS connections.

This email went unanswered.

I discussed the matter directly with a member of their staff, who relayed
the issue to their IT team; I was informed the IT team did not consider it a
security risk, and in addition (although very likely this chap was only
speaking as himself, and not in any way reflecting bank policy), when I
indicated the bank had three months to act before I would discuss the matter
in public, he informed me if I did so the bank might well not wish to do
business with me in the future.

We all behave rationally given the incentives placed upon us in the
situation we are in.
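A way to test for the specific failure described above, an inbound mail server that does not offer STARTTLS. This is an added example, not the poster's script: the EHLO replies are constructed, and the host in the usage line is a placeholder.

```python
import smtplib
import ssl

# Constructed EHLO replies in wire format: one server advertising STARTTLS,
# one that does not (the situation the post describes).
EHLO_WITH_TLS = ("250-mail.example.test\r\n250-SIZE 52428800\r\n"
                 "250-STARTTLS\r\n250 8BITMIME\r\n")
EHLO_WITHOUT_TLS = "250-mail.example.test\r\n250-SIZE 52428800\r\n250 8BITMIME\r\n"

def ehlo_offers_starttls(ehlo_reply: str) -> bool:
    """True if a raw EHLO reply ('250-EXT' / '250 EXT' lines) lists STARTTLS."""
    for line in ehlo_reply.splitlines():
        if line[:3] == "250" and line[3:4] in ("-", " "):
            keyword = line[4:].strip().split(" ", 1)[0].upper()
            if keyword == "STARTTLS":
                return True
    return False

def check_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check of an inbound MX: EHLO, and if STARTTLS is advertised,
    negotiate it with certificate verification. Only the receiving side is
    observable from outside; whether the server also refuses TLS when it
    sends mail cannot be tested this way."""
    outcome = {"host": host, "starttls": False, "tls_ok": False, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return outcome
            outcome["starttls"] = True
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()  # re-issue EHLO after the upgrade, per RFC 3207
            outcome["tls_ok"] = True
    except (smtplib.SMTPException, OSError) as exc:  # ssl.SSLError is an OSError
        outcome["error"] = f"{type(exc).__name__}: {exc}"
    return outcome

if __name__ == "__main__":
    # PLACEHOLDER host: replace with a mail server you are entitled to test.
    print(check_starttls("mx.example.test"))
```

A server that advertises STARTTLS but fails certificate verification shows up with starttls set and tls_ok unset, together with the error text.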

------------------------------

Date: Sat, 21 May 2022 18:17:34 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Serious Warning Issued For Millions Of Google Gmail Users (Forbes)

Gmail is the world's most popular email service, it is also known as one of
the most secure. But a dangerous exploit might make you rethink how you want
to use the service in future.

In an eye-opening *blog post* <https://ysamm.com/?p=763>, security
researcher Youssef Sammouda has revealed that Gmail's OAuth authentication
code enabled him to exploit vulnerabilities in Facebook to hijack Facebook
accounts when Gmail credentials are used to sign in to the service. And the
wider implications of this are significant.

Speaking to *The Daily Swig*
<https://portswigger.net/daily-swig/facebook-account-takeover-researcher-scoops-40k-bug-bounty-for-chained-exploit>,
Sammouda explained that he was able to exploit redirects in Google OAuth and
chain it with elements of Facebook's logout, checkpoint and sandbox systems
to break into accounts. Google OAuth is part of the '*Open Authorization*
<https://en.wikipedia.org/wiki/OAuth>' standard used by Amazon, Microsoft,
Twitter and others which allows users to link accounts to third-party sites
by signing into them with the existing usernames and passwords they have
already registered with these tech giants.

Sammouda reports no vulnerabilities using other email accounts. He does
stress that it could potentially be applied more widely "but that was more
complicated to develop an exploit for." He states Facebook paid him a
$44,625 'bug bounty' for its role in this vulnerability. Facebook has
subsequently patched the vulnerability from their side. I have contacted
Google for a response on the role of Google OAuth in the exploit and will
update this post when/if I receive a reply.

Commenting on Sammouda's findings, security provider *Malwarebytes Labs*
<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/gmail-linked-facebook-accounts-vulnerable-to-attack-using-a-chain-of-bugs-now-fixed/>
issued a warning to anyone using linked accounts: "Linked accounts were
invented to make logging in easier," writes Pieter Arntz, the company's
Malware Intelligence Researcher. "You can use one account to log in to other
apps, sites and services... All you need to do to access the account is
confirm that the account is yours."  [...]
https://www.forbes.com/sites/gordonkelly/2022/05/21/google-gmail-security-facebook-oauth-login-warning/

------------------------------

Date: Thu, 16 Jun 2022 18:56:53 -0500
From: dmitri maziuk <dmitri.maziuk () gmail com>
Subject: Re: the death knell of jSCH (RISKS-33.29)

Java is abnormally stable. I have code I wrote in early 2000s, some of it
rather messy and not exactly what I'd call robust design (there's a reason
for that of course), and it's still working fine in production now.

By today's "agile standards", this just can't be right.

------------------------------

Date: 20 Jun 2022 15:34:49 -0400
From: "John Levine" <johnl () iecc com>
Subject: Re: Physics-Based Cryptocurrency Transmits Energy Through
 Blockchain (LLNL, RISKS-33.29)

I think if we remove the technobabble, this is saying that it's a stablecoin
backed by electricity commodity futures rather than by money. Electricity
futures are an arcane corner of the futures market, mostly of interest to
utilities and large industrial customers, but they do exist. Putting them on
a blockchain adds that magic pixie dust that makes it possible to do, well,
I have no idea but I am sure it is wonderful. If you wanted you could do
pork belly or nickel trades on a blockchain with exactly the same benefits.

The claim that you can somehow take the energy used to mine cryptocurrency
and somehow turn it back into electricity is idiotically stupid, but what
else is new in crypto land?

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.30
************************