Risks Digest 33.14

RISKS-LIST: Risks-Forum Digest Tuesday 12 April 2022 Volume 33 : Issue 14

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.14>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
India's Inadvertent Missile Launch Underscores the Risk of Accidental
Nuclear Warfare News and Research - Scientific American (SciAm)
GM Cruise autonomous taxi without humans pulled over by police in San
Francisco (Electrek)
The U.S. opens a risky new front in cyberdefense (Tim Culpan)
You're muted... or are you? Videoconferencing apps may listen even when mic
is off (techxplore.com)
Crypto Firms Have a Wish List. States are Turning It into Law. (NYTimes)
An ex-cop fell for Alice. Then he fell for her $66 million crypto scam
(WashPost)
Binance cryptocurrency traders are pushing back after a crash (WashPost)
Thieves Hit on a New Scam: Synthetic Identity Fraud (Pew Trusts)
Scammers are texting you from your own number now -- here's what to do if
that happens (CNBC)
U.S. FBI Says It Disrupted Russian Hackers (Sarah N. Lynch)
Does This AI Think Like a Human? (Adam Zewe)
Keywords Can Hack the Hiring Process (Herb Booth)
Re: Squirrels and rats attacking AT&T fiber (Susmit Jha)
Re: Tesla Deaths and Apache Log4j instances unpatched (Dmitri Maziuk)
Re: Security of lights-out managers (Anthony Thorn)
Re: Quantum error-correction (Anthony Thorn)
Re: Hackers Steal About $600 Million in One of the Biggest... (Mateos)
Re: Machine learning and uncommon names and common ones, too
(John Levine, Arthur Flatau)
Re: Spreadsheets Are Hot -- and Cranking Out Complex Code (John Levine)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 11 Apr 2022 20:50:57 -0400
From: Chad Dougherty <c...@acm.org>
Subject: India's Inadvertent Missile Launch Underscores the Risk of
Accidental Nuclear Warfare News and Research - Scientific American (SciAm)

"Last month, while most of the world focused on the war in Ukraine and
worried that a beleaguered Russian leadership might resort to nuclear
weapons, thus escalating the conflict into a direct war with the U.S.-led
NATO nuclear-armed alliance, a nearly tragic accident involving India and
Pakistan pointed to another path to nuclear war. The accident highlighted
how complex technological systems, including those involving nuclear
weapons, can generate unexpected routes to potential disaster -- especially
when managed by overconfident organizations."

https://www.scientificamerican.com/article/indias-inadvertent-missile-launch-underscores-the-risk-of-accidental-nuclear-warfare/

------------------------------

Date: Mon, 11 Apr 2022 21:08:36 -0700
From: Dan Eakins <d...@sweetvinyl.com>
Subject: GM Cruise autonomous taxi without humans pulled over by
police in San Francisco (Electrek)

Seth Weintraub, *Electrek*, 10 Apr 2022

The converted Chevy Bolt 'bolted' ... to a safe spot.

[The 3:13 video starts out like a fasten-your-seatbelt thriller, but then
settles down because the police were really puzzled about how to ticket a
running car with nobody in it. But this episode gives new meaning to
*Cruise Control*. PGN]

GM's Cruise vehicles have been operating autonomously in San Francisco at
night, giving rides to employees around the city. Until now we've only seen
success stories. Recently, Google's Waymo driverless vehicles joined Cruise
in San Francisco.

https://electrek.co/2022/04/10/gm-cruise-autonomous-taxi-pulled-over-by-police-in-san-francisco-without-humans-bolts-off-u-cruise-responds/

------------------------------

Date: Mon, 11 Apr 2022 20:12:28 PDT
From: Peter Neumann <neu...@csl.sri.com>
Subject: The U.S. opens a risky new front in cyberdefense (Tim Culpan)

Tim Culpan, *Bloomberg*, 8 Apr 2022

https://www.washingtonpost.com/business/the-us-opens-a-risky-new-front-in-cyberdefense/2022/04/08/5a378e2e-b72f-11ec-8358-20aa16355fb4_story.html

A U.S. operation to secretly remove malware from networks at home and
overseas highlights the new front Washington is opening in its approach to
global cyberdefense. It's a much-needed strategy, but one that ought to be
handled delicately if the U.S. is to maintain the cooperation necessary to
keep pulling off such sneaky maneuvers.

The U.S. and its allies found malicious code developed and planted by
Russia's military intelligence agency, the GRU, in thousands of devices
worldwide, Attorney General Merrick Garland revealed Wednesday. The U.S. and
other nations have been on the alert for the possibility that Russia would
conduct cyberattacks on businesses or critical infrastructure to retaliate
against sanctions over the war in Ukraine.

But the mission disclosed this week went further than identifying where
malware had turned up. According to the New York Times, secret court orders
allowed the U.S. to remove the malicious software from Russian control by
taking steps that included entering corporate networks without the
companies' knowledge.

------------------------------

Date: Tue, 12 Apr 2022 07:49:16 +0800
From: Richard Stein <rms...@ieee.org>
Subject: You're muted... or are you? Videoconferencing apps may listen even
when mic is off (techxplore.com)

https://techxplore.com/news/2022-04-youre-muted-videoconferencing-apps-mic.html

"It turns out, in the vast majority of cases, when you mute yourself, these
apps do not give up access to the microphone," says Fawaz. "And that's a
problem. When you're muted, people don't expect these apps to collect data."

When mute != mute.

[So, "mute" is mutable -- and mootable! PGN]

------------------------------

Date: Tue, 12 Apr 2022 11:11:45 PDT
From: Peter G Neumann <neu...@csl.sri.com>
Subject: Crypto Firms Have a Wish List. States are Turning It into Law.
(NYTimes)

Eric Lipton and David Yaffe-Bellany, *The New York Times* front page story,
11 Apr 2022.

Captions on four photos:

* In Florida, a bill that makes buying and selling cryptocurrency
easier passed last month after collaboration with the crypto industry.
"Whether you're Binance or Ethereum, Dogecoin or Bitcoin, this is a
great bill" said representative John Snyder, a Republican.

* Representative Vance Aloupis Jr. became interested in crypto-currency
legislation after reading *Bitcoin Billionaires*

* A Bitcoin mining machine at a site owned by Bit5ive in Florida,
which plans to raise money by crypto-friendly legislation there.

* Some states have doubts about the environmental impact of
cryptomining, which uses large amounts of electricity, and New York
has pending legislation to ban these centers. Lobbying has flooded

------------------------------

Date: Sun, 10 Apr 2022 01:46:02 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: An ex-cop fell for Alice. Then he fell for her $66 million crypto
scam (WashPost)

A former police officer lost $15,000 overnight as part of a large-scale
crypto swindle. It underlines the startling increase in these scams -- and
their growing power to affect anyone.

Savvy people are getting hustled out of their crypto left and right. And
there's almost nothing they can do to get it back.

Some days PJ Jenkins just likes to look at his money. He can't get to that
money, which totals about $15,000 in cryptocurrency -- it's been lifted from
him by scammers. But thanks to the quirks of crypto, the cash sits visible
to him online via the blockchain, taunting him.

``It's right there; everyone can see it. But I can't touch it,'' said Jenkins,
still sounding a little dazed a few months after the swindle.

Jenkins isn't some greenhorn fresh to the world of money and crime. In fact,
if anyone shouldn't have been duped in a scam, it's him -- a 57-year-old
retired cop from outside Atlantic City, who prides himself on his law
enforcement wiles. He even used to direct security at a casino, his eagle
eyes spotting the shady types who would take the house for a ride.

But over a months-long slow play -- led by an attractive woman and fueled by
a spate of confidence-winning gestures -- Jenkins slowly gave his money to
the crooks. He has little hope of ever recovering it.

https://www.washingtonpost.com/technology/2022/04/04/crypto-scams-coinbase-liquidity-mining/

The risk? Phony attractive women? That's new?

------------------------------

Date: Sun, 10 Apr 2022 17:45:13 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Binance cryptocurrency traders are pushing back after a crash
(WashPost)

On platforms like Binance, traders are taking unprecedented risks. Some have
had enough.

https://www.washingtonpost.com/outlook/2022/04/01/binance-may-19-lawsuit-cryptocurrency/

Cryptocurrency could help governments and businesses spy on us. The
popularity of digital currencies like bitcoin could erode the last vestiges
of financial privacy online.

https://www.washingtonpost.com/outlook/2022/04/01/cryptocurrency-privacy-mainstream/

Why some charities are rethinking cryptocurrency donations. Accepting a
bitcoin gift might get you that new hospital wing, but resisters worry about
a predatory, planet-killing scheme.

https://www.washingtonpost.com/outlook/2022/03/31/bitcoin-donations-cryptocurrency-charities/

Oh, dear...

------------------------------

Date: Sat, 9 Apr 2022 14:17:08 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Thieves Hit on a New Scam: Synthetic Identity Fraud (Pew Trusts)

Websites show information for collecting unemployment insurance in
Virginia, right, and reporting fraud and identity theft in Pennsylvania.
Thieves are using synthetic identity fraud to rip off state and federal
programs as well as consumers' credit.

In fall 2020, 43-year-old Adam Arena and a dozen suspected co-conspirators
were indicted in New York on charges of trying to swindle banks out of more
than $1 million through a scheme known as *synthetic identity fraud*.

They combined real Social Security numbers with mismatched or phony names to
create new identities, according to investigators. Prosecutors began the
investigation in 2018 and charged them with 108 counts of illegal financial
activity, mostly borrowing huge amounts of money they never intended to pay
back, according to investigators.

The scheme was so fruitful that in May 2020, according to prosecutors, Arena
apparently did it again.

This time, investigators say, Arena and a partner used synthetic identities
to bilk the federal government out of nearly $1 million from the Paycheck
Protection Program, designed to help people who had lost their businesses or
employment due to the pandemic. The duo used a fake ID to get a $954,000
loan and spent it on two vehicles, spa services, clothing, restaurant meals
and gym memberships, according to prosecutors. [...]

https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2022/04/07/thieves-hit-on-a-new-scam-synthetic-identity-fraud

------------------------------

Date: Sun, 3 Apr 2022 18:49:18 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Scammers are texting you from your own number now -- here's
what to do if that happens (CNBC)

https://www.cnbc.com/2022/04/02/scammers-are-texting-you-from-your-own-number-now-what-to-do-about-it.html

------------------------------

Date: Mon, 11 Apr 2022 11:54:57 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: U.S. FBI Says It Disrupted Russian Hackers (Sarah N. Lynch)

Sarah N. Lynch, Reuters, 6 Apr 2022, via ACM TechNews, 11 Apr 2022

U.S. officials said the Federal Bureau of Investigation (FBI) seized control
of thousands of routers and firewall appliances from Russian hackers by
appropriating the infrastructure used to communicate with the devices. An
unsealed redacted affidavit said the operation attempted to prevent the
hackers from networking the devices into a botnet with which they could
assail other servers with rogue traffic. Said U.S. Attorney General Merrick
Garland, "Fortunately, we were able to disrupt this botnet before it could
be used." The botnet was governed by Cyclops Blink malware, which U.S. and
U.K. cyberdefense agencies had publicly attributed to Sandworm, a group
associated with Russian military intelligence. FBI Director Chris Wray said,
"We removed malware from devices used by thousands of mostly small
businesses for network security all over the world. We shut the door the
Russians had used to get into them."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e669x233093x072222&

------------------------------

Date: Mon, 11 Apr 2022 11:54:57 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Does This AI Think Like a Human? (Adam Zewe)

Adam Zewe, MIT News, 6 Apr 2022,
via ACM TechNews, 11 Apr 2022

Massachusetts Institute of Technology (MIT) and IBM Research scientists have
developed the Shared Interest method for rapidly analyzing a machine
learning model's behavior by evaluating its individual explanations. The
technique uses saliency methods to highlight how the model made specific
decisions, comparing them to ground-truth data. Shared Interest then applies
quantifiable metrics that compare the model's reasoning to that of a human
by measuring the alignment between its decisions and the ground truth, then
classifying those decisions into eight categories. The method can be used
for image and text classification. MIT's Angie Boggust warned that the
technique is only as good as the saliency methods on which it is based; if
those techniques are biased or contain inaccuracies, the technique will
inherit those limitations.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e669x233096x072222&

------------------------------

Date: Mon, 11 Apr 2022 11:54:57 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Keywords Can Hack the Hiring Process (Herb Booth)

Herb Booth, University of Texas at Arlington, 7 Apr 2022,
via ACM TechNews, 11 Apr 2022

The University of Texas at Arlington (UTA)'s Shirin Nilizadeh found that an
algorithm that uses job-specific keywords can help applicants improve their
position by at least 16 spots on average in a pool of 100 applicants. "We
found out that you can tailor your resume for a specific job by using
specific keywords that could get you pushed toward the top," she explained.
Text-embedding algorithms pair words and sentences in resumes with the job
description to produce similarity scores on which resumes are ranked.
Nilizadeh found that while adding more keywords improves the ranking, adding
too many might not. UTA's Hong Jiang suggested Nilizadeh's work "might be a
tool prospective employees and employers could use in the job search
process."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e669x233099x072222&
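
As an added example (not code from the UTA study or the article), here is a
bag-of-words cosine ranker standing in for the embedding model the summary
mentions. The job description and applicant pool are constructed. It shows
both effects the summary describes: adding relevant keywords moves a resume
up the ranking, while stuffing the same keyword many times moves it back
down, because the repeated term dominates the resume vector and pulls it away
from the direction of the job description.

```python
"""Keyword tailoring against a bag-of-words resume ranker (constructed data)."""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9+#]+")


def tokens(text):
    """Lower-cased term-frequency vector as a Counter."""
    return Counter(TOKEN_RE.findall(text.lower()))


def cosine(a, b):
    """Cosine similarity between two term-frequency Counters."""
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def similarity(resume, job):
    return cosine(tokens(resume), tokens(job))


def rank(pool, job):
    """Return [(name, score)] best first; pool is {name: resume_text}."""
    scored = [(name, similarity(text, job)) for name, text in pool.items()]
    return sorted(scored, key=lambda ns: ns[1], reverse=True)


# Constructed job posting and three versions of one applicant's resume.
JOB = "security engineer python kubernetes terraform cloud incident response"
BASE = "python developer cloud experience linux"
TAILORED = BASE + " kubernetes terraform security engineer"   # each keyword once
STUFFED = TAILORED + " kubernetes" * 40                       # one keyword 41 times


def build_pool():
    """Constructed applicant pool: three unrelated resumes plus the three variants."""
    return {
        "java_dev": "java developer spring microservices",
        "sre": "cloud engineer kubernetes terraform monitoring",
        "analyst": "security analyst incident response siem",
        "base": BASE,
        "tailored": TAILORED,
        "stuffed": STUFFED,
    }


if __name__ == "__main__":
    for name, score in rank(build_pool(), JOB):
        print(f"{score:.3f}  {name}")
```

With term-frequency cosine the tailored resume ranks first (score 1/sqrt(2)),
the stuffed one drops below two unrelated applicants, and the untouched base
resume stays near the bottom; a real embedding model will not give these
exact numbers, but the rank-then-plateau behaviour is the same shape the
article reports.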

------------------------------

Date: Sun, 10 Apr 2022 00:45:52 +0000
From: Susmit Jha <susmi...@sri.com>
Subject: Re: Squirrels and rats attacking AT&T fiber (RISKS-33.13)

https://www.thedrive.com/tech/33236/hondas-chili-flavored-wire-wrap-could-save-your-car-from-a-rodent-invasion

It appears Honda thinks chili-flavored wire might work, though there is a
concern that habituation would decrease long-term effectiveness:
https://www.sciencedirect.com/science/article/abs/pii/009130579090541O

------------------------------

Date: Sun, 10 Apr 2022 11:07:28 -0500
From: dmitri maziuk <dmitri...@gmail.com>
Subject: Re: Tesla Deaths and Apache Log4j instances unpatched (RISKS-33.13)

Also, how did they count 'em?

E.g. Apache Solr from some old version up to 8.11 includes vulnerable log4j
jars. One could look at the versions of existing Solr installations and count
the instances < 8.11 (and hopefully > whichever that "some old version"
was). The result would be wrong because one can replace only the log4j jars,
without upgrading the entire Solr installation. In fact a lot of us did:
upgrading a large Solr index is not always trivial.

To make things worse, some of log4j CVEs only apply if the user (or an
attacker who already controls the target system) has configured log4j to be
vulnerable. We can count these instances as "unpatched" but that doesn't
mean they are vulnerable.
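
One way to count what is actually on disk rather than by product version, as
an added example that is not part of the post above: open every log4j-core
jar under each install, read the version from its MANIFEST.MF, check whether
JndiLookup.class is still inside, and classify the jar. The directory layout,
jar versions and the three sample installs are constructed; the version
boundaries and the JndiLookup.class removal mitigation follow the Apache
Log4j security advisories, and the assumption that Solr 8.11.1 was the first
release to ship a fixed log4j is the one the naive count relies on.

```python
"""Classify Log4j exposure by the jar on disk, not by the parent product's version."""
import re
import tempfile
import zipfile
from pathlib import Path

# Class whose removal from log4j-core was the documented mitigation for CVE-2021-44228.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.M)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); extra components and pre-release tags are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def jar_version(jar):
    """Version string from the jar's MANIFEST.MF, else from the file name, else None."""
    try:
        with zipfile.ZipFile(jar) as zf:
            if "META-INF/MANIFEST.MF" in zf.namelist():
                m = VERSION_RE.search(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
                if m:
                    return m.group(1)
    except zipfile.BadZipFile:
        return None
    m = re.search(r"log4j-core-(\d[\w.\-]*)\.jar$", jar.name)
    return m.group(1) if m else None


def classify(jar):
    """Verdict for one log4j-core jar against CVE-2021-44228 and its follow-ups.

    Boundaries from the Apache advisories: below 2.15.0 the JNDI lookup is
    exploitable unless JndiLookup.class was deleted from the jar; 2.15.0 to
    2.17.0 each still carry a CVE that needs a non-default configuration;
    2.17.1 and later are clean for that set.
    """
    ver = jar_version(jar)
    if ver is None:
        return "unknown"
    with zipfile.ZipFile(jar) as zf:
        has_jndi = JNDI_LOOKUP in zf.namelist()
    v = parse_version(ver)
    if v < (2, 15, 0):
        return "vulnerable" if has_jndi else "mitigated"
    if v < (2, 17, 1):
        return "config-dependent"
    return "patched"


def audit(root):
    """{install_dir: {jar path relative to install: verdict}} for every log4j-core jar."""
    root = Path(root)
    out = {}
    for jar in sorted(root.rglob("log4j-core*.jar")):
        rel = jar.relative_to(root)
        out.setdefault(rel.parts[0], {})[str(Path(*rel.parts[1:]))] = classify(jar)
    return out


def count_by_dirname(root):
    """The naive count the post warns about: any 'solr-<ver>' below 8.11.1 is 'unpatched'."""
    n = 0
    for p in Path(root).iterdir():
        m = re.match(r"solr-(\d+\.\d+\.\d+)$", p.name)
        if p.is_dir() and m and parse_version(m.group(1)) < (8, 11, 1):
            n += 1
    return n


def _write_jar(path, version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar: a manifest plus placeholder class entries."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        zf.writestr("org/apache/logging/log4j/core/Core.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def build_sample_tree(root):
    """Three constructed Solr installs; Solr keeps its log4j jars under server/lib/ext."""
    ext = Path("server") / "lib" / "ext"
    root = Path(root)
    # Untouched old install: genuinely exposed.
    _write_jar(root / "solr-8.9.0" / ext / "log4j-core-2.14.1.jar", "2.14.1")
    # Old install where the admin ran 'zip -q -d log4j-core-*.jar .../JndiLookup.class'.
    _write_jar(root / "solr-8.10.1" / ext / "log4j-core-2.14.1.jar", "2.14.1", include_jndi=False)
    # Old install where only the jar was swapped for 2.17.1; Solr itself was not upgraded.
    _write_jar(root / "solr-8.11.0" / ext / "log4j-core-2.17.1.jar", "2.17.1")


def demo():
    """Build the sample tree in a temp dir; return (naive_count, per_jar_audit)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return count_by_dirname(tmp), audit(tmp)


if __name__ == "__main__":
    naive, detail = demo()
    print("counted as unpatched by Solr directory name:", naive)
    for install, jars in detail.items():
        for rel, verdict in jars.items():
            print(f"{install}/{rel}: {verdict}")
```

On the constructed tree the directory-name count reports three unpatched
installs; the jar audit finds one vulnerable, one mitigated and one patched.
The "config-dependent" verdict is the post's last point: a 2.16.0 jar is
"unpatched" by version number but is only exposed if someone with write
access to the logging configuration has made it so.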

------------------------------

Date: Sun, 10 Apr 2022 08:20:52 +0200
From: Anthony Thorn <anthon...@atss.ch>
Subject: Re: Security of lights-out managers (RISKS-33.13)

*Protect ALL admin systems*

This issue applies to a whole slew of management tools.

When I looked at the security of a user-management (identity-management)
tool in a large unix environment (many years ago), I was shocked to find
that there were a whole lot of tools in use by various different teams which
also had the capability to create users with root privileges.

Obviously *all* these tools must be afforded maximum protection, and not
just the "lights-out" manager.

------------------------------

Date: Sun, 10 Apr 2022 08:05:18 +0200
From: Anthony Thorn <anthon...@atss.ch>
Subject: Re: Quantum error-correction (phys.org, RISKS-33.13)

I do not think that "The reason why this does not work is that rotation and
translation are not commutative -- the order in which the actions of one
type or the other are executed changes the outcome." More that the
frequency of the corrections governs the maximum excursion from the desired
path.

If you want to generalise it is related to the frequency response in
negative feedback loops.

------------------------------

Date: Sun, 10 Apr 2022 18:04:42 -0400
From: José María Mateos <ch...@rinzewind.org>
Subject: Re: Hackers Steal About $600 Million in One of the Biggest...
(Kruk, RISKS-33.13)

English is not my first language, but I've had some pretty interesting ideas
about it thanks to the "cryptospace". For example, there's the word
"scam". It's already pretty short, but it turns out one can shorten it even
more by writing it as "NFT". Amazingly, when pronounced, the shorter version
is longer. Isn't it really a curious language?

------------------------------

Date: 11 Apr 2022 18:10:40 -0400
From: "John Levine" <jo...@iecc.com>
Subject: Re: Machine learning and uncommon names and common ones, too
(Flatau, RISKS-33.13)

Who knew that web scraping was cutting edge?

My name is quite common, and I have written before about how many people
with names similar to mine wrongly imagine that my Gmail account is their
gmail account, because I got there first and have my name as the mailbox.

There are a lot of academics with names similar to mine, including at least
two who work in computing fields similar to mine. I am endlessly telling
sites like academia.edu that no, I am not the co-author of some random paper
in some random field by some random guy with my name.

There are attempts to fix this by giving people unique identifiers like
ORCID (mine is 0000-0001-7553-5024) but we're a long way from that being
widely enough used to help much.

------------------------------

Date: Mon, 11 Apr 2022 18:08:17 -0500
From: Arthur Flatau <fla...@acm.org>
Subject: Re: Machine learning and uncommon names and common ones, too
(RISKS-33.14)

I got an ORCID as part of the paper submission (0000-0002-6274-4756), which
did not help. On the positive side, MediFind has removed the erroneous
citation.

------------------------------

Date: 11 Apr 2022 22:04:17 -0400
From: "John Levine" <jo...@iecc.com>
Subject: Re: Spreadsheets Are Hot -- and Cranking Out Complex Code (WiReD,
RISKS-33.13)

Back in the 1980s I worked for a startup called Javelin Software, where we
wrote a PC package called Javelin. It was a time-series modeling package,
which sounds boring but in fact it was useful for many of the things that
people use spreadsheets (at the time 1-2-3) to do.

You could create named variables like

PROFIT = SALES - EXPENSE
SALES = EAST SALES + WEST SALES

Each variable could be a time series with a specified period from days to
years, and it could easily convert between periods. There were several views
so you could see the inputs to or outputs from any variable, and a
spreadsheet-like view where you could put names or parts of names in the
border and it would fill in the data from the variables. Since the names
were explicit and the date handling automatic, it avoided a lot of the off
by one and missing entry errors common in spreadsheets. It was pretty
slick. Unfortunately, the company positioned it as a direct competitor to
1-2-3 which it was not, and the company failed.

We converted a lot of 1-2-3 spreadsheets to Javelin models for prospective
and current customers, and found that to a first approximation, any
spreadsheet large enough to be interesting had mistakes. We also found that
people Did Not Care. A particularly telling comment was "it's my manager's
job to find the errors in my spreadsheets."

In the ensuing 35 years spreadsheets have gotten a lot more complicated,
while the methods to test them have not improved. There have been a few
attempts to add audit tools like ours, but none are widely used. Given the
quality of spreadsheets people use, I'm amazed that we don't get another
Great Depression each time someone bounces a check.
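
As an added example (not Javelin code and not from the post above), a tiny
named-variable time-series model of the kind described: each variable is a
series with a period, formulas refer to other variables by name, monthly
inputs are rolled up automatically when a quarterly variable consumes them,
and the model can list the inputs to and outputs from any variable. The
figures are constructed and the names use underscores where the post wrote
"EAST SALES". Because a formula names a whole variable rather than a cell
range, there is no way to express the misplaced-range or off-by-one error
that a spreadsheet accepts silently; mismatched spans and circular
definitions are rejected instead.

```python
"""A tiny named-variable time-series model, in the style the post describes."""
import ast
import operator

PERIODS = {"month": 1, "quarter": 3}   # length of one step, in months
OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
       ast.Mult: operator.mul, ast.Div: operator.truediv}


def _eval(node, env):
    """Evaluate a parsed arithmetic formula over names bound in env; no eval() involved."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, env)
    if isinstance(node, ast.BinOp) and type(node.op) in OPS:
        return OPS[type(node.op)](_eval(node.left, env), _eval(node.right, env))
    if isinstance(node, ast.Name):
        return env[node.id]
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    raise ValueError("unsupported syntax in formula: " + ast.dump(node))


class Model:
    def __init__(self):
        self.series = {}    # name -> (period, [values])   hand-entered inputs
        self.formulas = {}  # name -> (period, ast)         derived variables

    def define(self, name, period, values=None, formula=None):
        if period not in PERIODS:
            raise ValueError(f"unknown period {period!r}")
        if values is not None:
            self.series[name] = (period, list(values))
        else:
            self.formulas[name] = (period, ast.parse(formula, mode="eval"))

    def period_of(self, name):
        if name in self.series:
            return self.series[name][0]
        if name in self.formulas:
            return self.formulas[name][0]
        raise KeyError(f"undefined variable {name!r}")

    def inputs_to(self, name):
        """Names a formula reads: the 'inputs' view."""
        if name not in self.formulas:
            return set()
        return {n.id for n in ast.walk(self.formulas[name][1]) if isinstance(n, ast.Name)}

    def outputs_from(self, name):
        """Formulas that read this variable: the 'outputs' view."""
        return {v for v in self.formulas if name in self.inputs_to(v)}

    @staticmethod
    def _convert(values, src, dst):
        """Roll a finer series up to a coarser period by summing; refuse the other direction."""
        if src == dst:
            return list(values)
        if PERIODS[src] > PERIODS[dst]:
            raise ValueError(f"cannot split a {src}ly series into {dst}s")
        k = PERIODS[dst] // PERIODS[src]
        if len(values) % k:
            raise ValueError(f"{len(values)} {src}s is not a whole number of {dst}s")
        return [sum(values[i:i + k]) for i in range(0, len(values), k)]

    def evaluate(self, name, _stack=()):
        """Values of a variable in its own period, resolving dependencies recursively."""
        if name in _stack:
            raise ValueError("circular definition: " + " -> ".join(_stack + (name,)))
        if name in self.series:
            return list(self.series[name][1])
        if name not in self.formulas:
            raise KeyError(f"undefined variable {name!r}")
        period, tree = self.formulas[name]
        env = {}
        for dep in self.inputs_to(name):
            env[dep] = self._convert(self.evaluate(dep, _stack + (name,)),
                                     self.period_of(dep), period)
        lengths = {len(v) for v in env.values()}
        if len(lengths) != 1:
            raise ValueError(f"inputs to {name!r} cover different spans: {sorted(lengths)}")
        n = lengths.pop()
        return [_eval(tree, {k: v[i] for k, v in env.items()}) for i in range(n)]


def build_sample():
    """Constructed figures: six months of sales inputs, two quarters of expense."""
    m = Model()
    m.define("EAST_SALES", "month", values=[10, 12, 11, 13, 14, 12])
    m.define("WEST_SALES", "month", values=[8, 9, 9, 10, 10, 11])
    m.define("EXPENSE", "quarter", values=[40, 45])
    m.define("SALES", "month", formula="EAST_SALES + WEST_SALES")
    m.define("PROFIT", "quarter", formula="SALES - EXPENSE")   # SALES rolled up to quarters
    return m


if __name__ == "__main__":
    m = build_sample()
    for var in ("SALES", "PROFIT"):
        print(var, m.period_of(var), m.evaluate(var))
    print("inputs to PROFIT:", sorted(m.inputs_to("PROFIT")))
    print("outputs from SALES:", sorted(m.outputs_from("SALES")))
```

Formulas are parsed with the `ast` module and walked by hand rather than
passed to `eval()`, so a model file can only express arithmetic over named
variables; that is the same discipline that makes the audit views reliable,
since every dependency is visible in the parse tree.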

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.14
************************
