Risks Digest 33.11

RISKS-LIST: Risks-Forum Digest Monday 28 March 2022 Volume 33 : Issue 11

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.11>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
I'm the Operator -- The Aftermath of a Self-Driving Tragedy (WiReD)
Every Tesla Accident Resulting in Death (Tesla Deaths)
How U.S. auto regulators played mind games with Tesla's Elon Musk (WashPost)
Welcome to the Artificial Intelligence Incident Database (via Gabe Goldberg)
Smart devices are watching you everywhere and violating your privacy,
computer scientists warn (Study Finds)
The fight over anonymity is about the future of the Internet
(geoff goodfellow)
Activist Publishes Redacted Version of Classified Military UFO Report (Vice)
Hacker group Lapsus$ leaks 37GB of Microsoft source code for Bing and
Cortana (XDA)
Lapsus$ and Okta (Rob Slade)
30% of Apache Log4j Security Holes Remain Unpatched (The New Stack)
Supply-chain crisis data (WiReD)
U.S. Accuses Russians of Hacking Infrastructure, Including Nuclear Plant
(NYTimes)
Is Yandex, Russia's Largest Tech Company, Too Big to Fail (WiReD)
Corrupted Open Source Software Enters Russian Battlefield (NYTimes)
Veeam and Backups (Cliff Kilby)
Germany warns against using Kaspersky software citing 'considerable'
cyberrisk after Russia's invasion (TechCrunch)
Russian Anti-Virus Company Kaspersky Officially Branded as National
Security Threat (ITechpost)
FCC puts Kaspersky on security threat list, says it poses "unacceptable
risk" (Ars Technica)
Re: MMS spam? (Amos Shapir)
The US Tried Permanent Daylight Saving Time in the '70s. People Hated It
(WashPost)
Re: One problem with permanent daylight saving time: Geography (John Levine)
Senate vote for permanent daylight saving time wasn't supposed to pass
(Lauren Weinstein)
URL problem on the Doug Jones op-ed (Mark Brader)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 27 Mar 2022 14:42:25 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: I'm the Operator -- The Aftermath of a Self-Driving Tragedy (WiReD)

In 2018, an Uber autonomous vehicle fatally struck a pedestrian. In a
WIRED exclusive, the human behind the wheel finally speaks.

https://www.wired.com/story/uber-self-driving-car-fatal-crash/

------------------------------

Date: Thu, 24 Mar 2022 01:53:39 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Every Tesla Accident Resulting in Death (Tesla Deaths)

We provide an updated record of Tesla fatalities and Tesla accident deaths
that have been reported and as much related crash data as possible
(e.g. location of crash, names of deceased, etc.). This sheet also tallies
claimed and confirmed Tesla autopilot crashes, i.e. instances when
Autopilot was activated during a Tesla crash that resulted in death. Read
our other sheets for additional data and analysis on vehicle miles traveled,
links and analysis comparing Musk's safety claims, and more.

Tesla Deaths Total as of 3/23/2022: 246
Tesla Autopilot Deaths Count: 12

https://www.tesladeaths.com/

------------------------------

Date: Sun, 27 Mar 2022 23:55:20 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: How U.S. auto regulators played mind games with Tesla's Elon Musk
(WashPost)

Officials have tried to appeal to Musk's ego and have upped threats to force
Tesla into line

SAN FRANCISCO -- The first time Washington regulators tried to investigate
Tesla's Autopilot software, CEO Elon Musk was irate.

Weeks earlier, a Tesla using the company's advanced driver-assistance system
had crashed into a tractor-trailer at about 70 mph, killing the driver. When
National Highway Traffic Safety Administration officials called Tesla
executives to say they were launching an investigation, Musk screamed,
protested and threatened to sue, said a former safety official who spoke on
the condition of anonymity to discuss sensitive matters.

The regulators knew Musk could be impulsive and stubborn; they would need to
show some spine to win his cooperation. So they waited. And in a subsequent
call, ``when tempers were a little bit cool, Musk agreed to cooperate: He
was a changed person.''

https://www.washingtonpost.com/technology/2022/03/27/tesla-elon-musk-regulation

------------------------------

Date: Thu, 24 Mar 2022 01:56:01 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Welcome to the Artificial Intelligence Incident Database

The AI Incident Database is the only collection of AI deployment harms or
near harms across all disciplines, geographies, and use cases.

https://incidentdatabase.ai/?lang=en

------------------------------

Date: Thu, 17 Mar 2022 08:46:00 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Smart devices are watching you everywhere and violating your
privacy, computer scientists warn (Study Finds)

Do you ever get the creepy feeling you're being watched? According to two
computer scientists, you're probably right, only it's not *someone* watching
you, it's *something* -- and that thing is smart technology.

In a paper by University of Maryland, Baltimore County's Roberto Yus and
Penn State's Primal Pappachan, the team warns that billions of digital
devices are scanning and sensing your movements every day. Some of them are
sitting right in front of you -- inside televisions, cars, offices, and
even your refrigerator.

In 2007, few people could have imagined the countless apps which society now
uses on their smartphones each day. However, Yus and Pappachan say this
technological revolution has come with a high price to our privacy as
Internet connectivity now reaches people in more places than ever before.

For all these smart devices to do their job, they need a connection to the
Internet so they can correlate all the data they're gathering on you. For
example, a smart thermostat in your house spends its day collecting
information on you and your preferences. However, without an Internet
connection to see a weather forecast, the thermostat can't decide how to
properly set the temperature in your home.

This is just the tip of the iceberg though, as the researchers say devices
which gather data on everything people do are *infiltrating our workspaces*
<https://www.studyfinds.org/americans-security-cameras-study/>, malls, and
cities.

``In fact, the Internet of Things (IoT) is already widely used in transport
and logistics, agriculture and farming, and industry automation. There were
around 22 billion Internet-connected devices in use around the world in
2018, and the number is projected to grow to over 50 billion by 2030,'' the
team explains in an article published in *The Conversation*
<https://theconversation.com/smart-devices-spy-on-you-2-computer-scientists-explain-how-the-internet-of-things-can-violate-your-privacy-174579>.

The problem of privacy

So, what are all these smart devices doing? A lot depends on what the device
does. Smart security cameras and home assistants like Alexa are basically
just cameras and microphones which *record you and your activities*
<https://www.studyfinds.org/mobile-phones-tracking-location/> all day.
[...]
https://www.studyfinds.org/smart-devices-violating-privacy/

------------------------------

Date: Mon, 21 Mar 2022 09:51:14 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: The fight over anonymity is about the future of the Internet

Jeff Kosseff's last book turned out to be pretty prescient. He published The
Twenty-Six Words That Created The Internet, a deep look at the history and
future of Section 230, right as those 26 words became central to the
regulatory fight over the future of the Internet.

With his next book, Kosseff, a professor at the Naval Academy, may have done
the same thing. The book is titled *The United States of Anonymous*, and it
deals with the centuries-old argument about whether people should be allowed
to say things without having to identify themselves. In the U.S., courts
have given a lot of leeway and protection to anonymous speakers, but the
Internet has changed the equation, and companies and governments alike are
still figuring out what to do. [...]

https://www.protocol.com/anonymous-internet-jeff-koseff

------------------------------

Date: Thu, 24 Mar 2022 09:39:59 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Activist Publishes Redacted Version of Classified Military UFO
Report (Vice)

The classified version of the much-hyped UFO report describes the *shapes*
of UFOs, is far more interesting than the one released to the public. [...]

https://www.vice.com/en/article/v7dnex/activist-publishes-redacted-version-of-classified-military-ufo-report

------------------------------

Date: Tue, 22 Mar 2022 20:16:33 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Hacker group Lapsus$ leaks 37GB of Microsoft source code for Bing
and Cortana (XDA)

Such a leak is not funny of course. But the joke going around is that
Microsoft probably saw a five-fold traffic increase from everyone googling
"what is Bing?". -L

https://www.xda-developers.com/microsoft-lapsus-leak-37gb-soure-code/

------------------------------

Date: Wed, 23 Mar 2022 05:44:55 -0700
From: Rob Slade <rsl...@gmail.com>
Subject: Lapsus$ and Okta

A number of people have been concerned about reports from the hacking group
LAPSUS$ that they compromised a system protected by Okta. Since Okta is a
widely used access-control and single-sign-on product, a number of experts
have surmised that it may portend a larger problem.

Okta has responded in some detail:
https://www.okta.com/blog/2022/03/oktas-investigation-of-the-january-2022-compromise/

The way I read it, it's basically, "the system is working as designed, but
what happens if you access it with a machine that is already breached in a
different way?" When I was doing reviews of antivirus products, in the
olden days, I used to make this part of the tests I would do: what would
happen if you used/installed this on an already infected system?

So, in the same way here, what seems to have happened is that someone at
Sitel was either under remote control when they did a job that required
access to an Okta-managed system, or that while they were accessing the
Okta-managed system, they did something that allowed someone else remote
access to their system. (Okta's product is, I understand, more about access
control and single sign-on: I have no idea if they have any endpoint
security functions built in.)

This points out one of the basic points that we have to keep drilling into
people: you have to consider the totality of security. It's a kind of
layered security or defence in depth in a different way. You may have good
individual security tools, but you don't have security if you don't manage
them, and the entire environment, properly.

------------------------------

Date: Wed, 23 Mar 2022 14:22:13 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: 30% of Apache Log4j Security Holes Remain Unpatched (The New Stack)

It sounds like a bad joke. I mean we all knew that the open source Java
logging library Apache Log4j was nasty with a capital N. The National
Vulnerability Database (NVD), rated it a 10.0 CVSSv3 which is the worst
possible. Last, but not least, Log4j is also used all over the place. So
months later how many instances of this security hole have been fixed? All
of them? Far from it! According to cloud security company Qualys, only 70%
have been patched. ``30% of Log4j instances remain vulnerable to
exploitation.''

https://thenewstack.io/30-of-apache-log4j-security-holes-remain-unpatched/

------------------------------
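
The Qualys figure above is about counting instances, and the practical
difficulty is that Log4j usually ships buried inside application archives
rather than as a standalone install. The following is an added example for
this digest (not code from The New Stack, Qualys or the Log4j project) that
walks a JAR/WAR/EAR, descends into nested archives, reads the log4j-core
version from its Maven pom.properties, checks whether the JndiLookup class
is still present, and classifies each hit against the Apache fix levels for
CVE-2021-44228 (2.15.0, with 2.12.2 and 2.3.1 on the older branches) and the
later 2.17.1 / 2.12.4 / 2.3.2 releases. The sample archives are constructed
inline with placeholder class bytes; the branch cut-offs and status labels
are this example's own simplification.

```python
"""Inventory Log4j 2 instances inside (possibly nested) Java archives and
classify them against the CVE-2021-44228 fix levels.  Added example, not
code from the page's sources; test archives are constructed inline."""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str             # outer!inner path to the log4j-core archive
    version: Optional[str]
    jndi_present: bool
    status: str


def parse_version(v: str):
    # "2.14.1" -> (2, 14, 1); pre-release suffixes are approximated
    nums = [int(x) for x in re.findall(r"\d+", v)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def rce_fix_for(v):
    # CVE-2021-44228 fix on the branch this version belongs to (simplified)
    if v < (2, 4, 0):
        return (2, 3, 1)     # Java 6 branch
    if v < (2, 13, 0):
        return (2, 12, 2)    # Java 7 branch
    return (2, 15, 0)


def current_fix_for(v):
    # Level that also covers CVE-2021-45046/45105/44832 on that branch
    if v < (2, 4, 0):
        return (2, 3, 2)
    if v < (2, 13, 0):
        return (2, 12, 4)
    return (2, 17, 1)


def classify(path: str, version: Optional[str], jndi_present: bool) -> Finding:
    if version is None:  # shaded/relocated copy without Maven metadata
        status = "unknown-version" + ("-jndi-present" if jndi_present else "")
        return Finding(path, version, jndi_present, status)
    v = parse_version(version)
    if v < rce_fix_for(v):
        # Removing JndiLookup.class was Apache's documented mitigation
        status = "vulnerable-rce" if jndi_present else "mitigated-class-removed"
    elif v < current_fix_for(v):
        status = "needs-update"
    else:
        status = "patched"
    return Finding(path, version, jndi_present, status)


def scan_bytes(name: str, data: bytes, out: List[Finding]) -> None:
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_CLASS in names:
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        out.append(classify(name, version, JNDI_CLASS in names))
    for n in names:  # recurse into fat JARs, WARs, EARs
        if n.lower().endswith(NESTED):
            scan_bytes(f"{name}!{n}", zf.read(n), out)


def scan_archive(name: str, data: bytes) -> List[Finding]:
    out: List[Finding] = []
    scan_bytes(name, data, out)
    return out


# --- constructed sample archives (placeholder class bytes, not real Log4j) ---
def build_jar(version: str, include_jndi: bool = True) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_war(inner: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in inner.items():
            zf.writestr(n, d)
    return buf.getvalue()


def demo() -> dict:
    war = build_war({
        "WEB-INF/lib/log4j-core-2.14.1.jar": build_jar("2.14.1"),
        "WEB-INF/lib/log4j-core-2.12.1.jar": build_jar("2.12.1", include_jndi=False),
        "WEB-INF/lib/log4j-core-2.17.1.jar": build_jar("2.17.1"),
    })
    return {f.version: f.status for f in scan_archive("app.war", war)}


if __name__ == "__main__":
    for version, status in demo().items():
        print(f"log4j-core {version}: {status}")
```

Run it against real archives by reading each file's bytes into
scan_archive; anything reported as vulnerable-rce or unknown-version is the
30% the article is talking about.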

Date: Mon, 28 Mar 2022 15:42:43 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Supply-chain crisis data (WiReD)

A seemingly endless supply chain crunch has fueled interest in tech that
promises to track problems or predict where new ones might occur.

The supply chain is in chaos, and it's getting worse. Air freight warehouses
at Shanghai Pudong Airport are log-jammed as a result of strict Covid
testing protocols imposed on China's biggest city following a local
outbreak. At the city's port, Shanghai-Ningbo, more than 120 container
vessels are stuck on hold. In Shenzhen, a major manufacturing hub in the
country's south, trucking costs have shot up 300 percent due to a backlog of
orders and a shortage of drivers following the introduction of similar Covid
restrictions. Major ports the world over, which used to operate like
clockwork, are now beset by delays, with container ships queuing for days in
some of the worst congestion ever recorded. The list goes on.

More than a million containers due to travel to Europe from China by train
-- on a route that goes through Russia -- must now make their journey by sea
as sanctions bite. Russia's invasion of Ukraine has also severed key supply
lines for nickel, aluminum, wheat, and sunflower oil, causing commodity
prices to skyrocket. Countries in the Middle East and Africa that rely on
produce from Ukraine are likely to experience serious food shortages in the
coming weeks and months. Some European automotive production lines have cut
their output due to a shortage of wiring normally sourced from factories in
Ukraine. If the pandemic, which triggered a surge in purchasing of goods,
caused the global supply chain to buckle, Russia's invasion of Ukraine and
China's continuing zero-Covid policy risk breaking it completely.

https://www.wired.com/story/supply-chain-crisis-data/

------------------------------

Date: Fri, 25 Mar 2022 13:31:09 PDT
From: Peter Neumann <neu...@csl.sri.com>
Subject: U.S. Accuses Russians of Hacking Infrastructure, Including Nuclear
Plant (NYTimes)

Katie Benner and Kate Conger, *The New York Times*, 25 Mar 2022
Indictments serve as a warning of Moscow's cyberattack prowess.

Four Russian officials are accused of carrying out a series of cyberattacks on
U.S. critical infrastructure including a nuclear-power plant in Kansas, as
well as compromising a petrochemical facility in Saudi Arabia during 2012 to
2018, and breaching hundreds of energy companies around the world. Among
others, Evgeny V. Gladkikh is accused of using Triton malware that led to
two emergency shutdowns of a nuclear power plant (implicitly seeming to be
the one in Saudi Arabia). [Long item PGN-ed for RISKS]

------------------------------

Date: Thu, 24 Mar 2022 02:27:34 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Is Yandex, Russia's Largest Tech Company, Too Big to Fail (WiReD)

It took 20 years for Arkady Volozh to build Yandex into Russia's Google,
Uber, Spotify, and Amazon combined. It took 20 days for everything to
crumble.

https://www.wired.com/story/yandex-arkady-volozh-russia-largest-tech-company

------------------------------

Date: Fri, 25 Mar 2022 12:45:48 PDT
From: Peter Neumann <neu...@csl.sri.com>
Subject: Corrupted Open Source Software Enters Russian Battlefield (NYTimes)

Steven Vaughan-Nichols, ZDNet, 21 Mar 2022
https://www.zdnet.com/article/corrupted-open-source-software-enters-the-russian-battlefield/

JavaScript programmer Brandon Nozaki Miller's innocent attempt to protest
Russia's invasion of Ukraine by crafting the peacenotwar open-source npm
source-code package has been used to delete the file systems of Russian or
Belorussian computers. Miller inserted code in the package to delete the
hard drive, then added the module as a dependency to the node-ipc module.
Miller encoded his code revisions in base-64 to thwart detection via code
reading. Developer security company Snyk has classified the software as
malicious. Such "protestware" creates a dangerous precedent; as one GitHub
programmer wrote, "What's going to happen with this is that security teams
in Western corporations that have absolutely nothing to do with Russia or
politics are going to start seeing free and open source software as an
avenue for supply chain attacks (which this totally is) and simply start
banning free and open source software -- all free and open source software
-- within their companies."

------------------------------
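
The detail that the destructive code was hidden in base64 so that reading
the source would not reveal it is the part a dependency reviewer can act
on. The following is an added example for this digest (not code from Snyk,
GitHub or the node-ipc project) that scans JavaScript sources for long
base64 string literals, decodes the ones that turn out to be text, and
flags any whose decoded content names filesystem-destructive or
process-spawning APIs. The two sample files are constructed here and do
not reproduce the real peacenotwar/node-ipc payload; the SUSPICIOUS list is
this example's own heuristic and is meant to be tuned.

```python
"""Flag base64-encoded string literals in JS sources whose decoded text
names destructive or remote-control APIs.  Added example, not code from the
page's sources; sample files are constructed inline."""
import base64
import binascii
import re
from typing import Dict, Iterator, List, Tuple

# Quoted run of base64 alphabet, long enough to rule out short tokens/ids
B64_LITERAL = re.compile(r"""["'`]([A-Za-z0-9+/]{24,}={0,2})["'`]""")

# Heuristic markers of a hidden payload (assumed list, tune per codebase)
SUSPICIOUS = (
    "fs.writeFile", "writeFileSync", "rmSync", "unlinkSync", "rm -rf",
    "child_process", "execSync", "http.get", "https.get", "eval(",
)


def _mostly_text(s: str, threshold: float = 0.95) -> bool:
    good = sum(1 for c in s if c.isprintable() or c in "\n\t\r")
    return bool(s) and good / len(s) >= threshold


def decode_candidates(source: str) -> Iterator[Tuple[str, str]]:
    """Yield (literal, decoded_text) for base64 literals that decode to text."""
    for m in B64_LITERAL.finditer(source):
        token = m.group(1)
        try:
            raw = base64.b64decode(token, validate=True)
            text = raw.decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not UTF-8 (e.g. embedded image)
        if _mostly_text(text):
            yield token, text


def scan_source(path: str, source: str) -> List[dict]:
    findings = []
    for token, text in decode_candidates(source):
        hits = [s for s in SUSPICIOUS if s in text]
        if hits:
            findings.append({
                "file": path,
                "literal": token[:16] + "...",
                "decoded_preview": text[:60],
                "hits": hits,
            })
    return findings


def scan_tree(files: Dict[str, str]) -> List[dict]:
    out: List[dict] = []
    for path, src in files.items():
        if path.endswith((".js", ".mjs", ".cjs")):
            out.extend(scan_source(path, src))
    return out


# --- constructed sample package tree (hypothetical names and contents) ---
def _b64(s) -> str:
    data = s if isinstance(s, bytes) else s.encode()
    return base64.b64encode(data).decode()


_PAYLOAD = "const fs=require('fs');fs.writeFileSync(target,'x');"
SAMPLE_FILES = {
    "node_modules/benign-lib/index.js":
        'const NOTICE = "' + _b64("Copyright (c) 2022 Example Authors. "
                                  "All rights reserved.") + '";\n'
        'const ICON = "' + _b64(bytes(range(64))) + '";\n'
        "module.exports = { NOTICE, ICON };\n",
    "node_modules/suspicious-lib/dao.js":
        'const p = "' + _b64(_PAYLOAD) + '";\n'
        'eval(Buffer.from(p, "base64").toString());\n',
}


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f['file']}: {f['hits']}  <- {f['decoded_preview']!r}")
```

A check like this belongs in the pipeline that vets a new dependency
version before the lockfile is updated, alongside the usual policy of
pinning exact versions so that a maintainer's later release cannot be
pulled in unreviewed.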

Date: Mon, 21 Mar 2022 21:46:05 -0400
From: Cliff Kilby
Subject: Veeam and Backups

If your ransomware protection includes Veeam, you may not be as protected
as you think.

https://www.veeam.com/kb4288

The default configuration of an internal API allows access to
unauthenticated users, providing a high value target for lateral movement.
Patch and ensure your network segmentation plan isolates backups from
general connectivity.

My opinions are my own and may not represent those of my employer.

[NOTE: This disclaimer is implicit in every RISKS message by default
and will be deleted in all future messages from Cliff. PGN]

------------------------------

Date: Tue, 15 Mar 2022 09:26:45 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Germany warns against using Kaspersky software citing
'considerable' cyberrisk after Russia's invasion (TechCrunch)

https://techcrunch.com/2022/03/15/germany-kaspersky-risk-invasion/

------------------------------

Date: Sun, 27 Mar 2022 12:40:22 -0400
From: Jan Wolitzky <jan.wo...@gmail.com>
Subject: Russian Anti-Virus Company Kaspersky Officially Branded as
National Security Threat (ITechpost)

Russian cybersecurity firm, Kaspersky, has been added to the Federal
Communications Commission's (FCC) Covered List with the agency stating that
it poses unacceptable risks to national security in the United States.

https://www.itechpost.com/articles/109734/20220326/russian-anti-virus-company-kaspersky-officially-branded-national-security-threat.htm

------------------------------

Date: Sat, 26 Mar 2022 08:41:51 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: FCC puts Kaspersky on security threat list, says it poses
"unacceptable risk" (Ars Technica)

https://arstechnica.com/information-technology/2022/03/fcc-puts-kaspersky-on-security-threat-list-says-it-poses-unacceptable-risk/

------------------------------

Date: Tue, 22 Mar 2022 12:14:41 +0200
From: Amos Shapir <amo...@gmail.com>
Subject: Re: MMS spam? (Rob Slade, RISKS-33.10)

According to Eugene Kaspersky, the recently publicized Pegasus malware
employs zero-click unsolicited SMS and MMS messages to infect iPhone
devices.

https://twitter.com/e_kaspersky/status/849306559796699136

------------------------------

Date: Tue, 15 Mar 2022 12:21:51 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: The US Tried Permanent Daylight Saving Time in the '70s. People
Hated It (WashPost)

https://www.washingtonian.com/2022/03/15/the-us-tried-permanent-daylight-saving-time-in-the-70s-people-hated-it/

------------------------------

Date: 21 Mar 2022 16:36:14 -0400
From: "John Levine" <jo...@iecc.com>
Subject: Re: One problem with permanent daylight saving time: Geography

>It's pretty much always the case that anything Congress does in a hurry
>hasn't been thought out. ...

Hi from the frozen north. (Well, not so frozen this week.) We know that the
sun rises late in the winter, and even on standard time, the school bus
sometimes runs before dawn. On the other hand, the sun sets at 4:30 EST and
some of us would be pleased if it set at 5:30 EDT instead.

Where this bill really screwed up is in the parts of the US that have never
used daylight time. The bill moves Hawaii from UTC-10 to UTC-9, which would
be awful since the solar time in Honolulu is about UTC-10:40. Or they have
the option of keeping their current time which will be renamed Samoa
Standard time.

Farther west in American Samoa, Guam, and Saipan, they have an even stranger
choice, get moved to a zone an hour too far ahead, or keep their current
time which will be in zones with no name at all. Well, no U.S. name. The
time zone for Guam and Saipan is also called Vladivostok Time.

------------------------------

Date: Mon, 21 Mar 2022 10:35:29 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Senate vote for permanent daylight saving time wasn't supposed to
pass

Turns out this was a Marx Brothers type mess. No offense to the Marx
Brothers. Luckily, it appears almost certain the House will sit on this
indefinitely.

https://www.electoral-vote.com/evp2022/Senate/Maps/Mar18.html#item-2

------------------------------

Date: Mon, 21 Mar 2022 16:02:36 -0400 (EDT)
From: Mark Brader <m...@Vex.Net>
Subject: URL problem on the Doug Jones op-ed

> My long-time colleague (Prof.) Doug Jones (not the politician) has
> published an op-ed relating to recent attempts to abandon ballot
> scanners in favor of hand-counting ballots. It is in The Des Moines
> Register. This is worth reading. [PGN]

> https://www.msn.com/en-us/news/politics/opinion-we-shouldnt-abandon-machine-counted-election-ballots/ar-AAVhCzE

When I tried to open this URL in Firefox, I got a blank page. The NoScript
icon indicated 2 sources blocked, but when I pulled it down it only showed
msn.com. I temporarily enabled JavaScript from that source, but the page
was still blank and the icon indicated one source blocked. I don't
understand what that means in NoScript.

However, I found what is presumably the same piece at:

https://www.desmoinesregister.com/story/opinion/columnists/iowa-view/2022/03/20/elections-vote-counting-keep-machine-counted-ballots/7048488001/

Why bring msn.com into it?

[Beats me. Thanks for the improvement. PGN]

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.11
************************
