The RISKS Digest
Volume 32 Issue 67

Thursday, 13th May 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Colonial Pipeline not likely to pay millions in ransom demanded by hackers
CNN Politics
A Closer Look at the DarkSide Ransomware Gang
Krebs on Security
Look who's hiring at Colonial
Richard Forno
Ransomware Gang Leaks Metropolitan Police Data After Failed Negotiations
The Hacker News
Fact Sheet on Biden Cybersecurity EO
The White House
ICAO Updates Effort To Clean Up NOTAM ‘Garbage’
AVweb
Covid pandemic was preventable, says WHO-commissioned report
Sarah Boseley
Dark Web Getting Loaded With Bogus Covid-19 Vaccines and Forged Cards
The Hacker News
Re: Marvin Minsky hacked?
Martin Ward
Re: A mom panicked when her 4-year-old bought $2,600 in SpongeBob Popsicles
Bernie Cosell, Martin Ward
Re: I have been pwned!—but not really
DJC
Cybersecurity, Nuclear Weapon Systems and Strategic Stability: Webinar
Diego Latella
Info on RISKS (comp.risks)

Colonial Pipeline not likely to pay millions in ransom demanded by hackers (CNN Politics)

Gabe Goldberg <gabe@gabegold.com>
Thu, 13 May 2021 15:22:34 -0400

Meanwhile, new details are emerging about Colonial's decision to proactively shut down its pipeline last week, a move that has led to panic buying and massive lines at the gas pump.

The company halted operations because its billing system was compromised, three people briefed on the matter told CNN, and they were concerned they wouldn't be able to figure out how much to bill customers for fuel they received.

One person familiar with the response said the billing system is central to the unfettered operation of the pipeline. That is part of the reason getting it back up and running has taken time, this person said.

Asked about whether the shutdown was prompted by concerns about payment, the company spokesperson said, “In response to the cybersecurity attack on our system, we proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations, and affected some of our IT systems.”

At this time, there is no evidence that the company's operational technology systems were compromised by the attackers, the spokesperson added.

https://www.cnn.com/2021/05/12/politics/colonial-pipeline-ransomware-payment/index.html


A Closer Look at the DarkSide Ransomware Gang (Krebs on Security)

geoff goodfellow <geoff@iconia.com>
Thu, 13 May 2021 11:40:28 -1000

Here's a closer look at DarkSide, the relatively new ransomware-as-a-service platform that's been holding 5,500 miles of fuel pipeline hostage. Story includes negotiations btwn DarkSide & a $15B victim that recently negotiated a $30M demand down to $11M.

https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/


Look who's hiring at Colonial

Richard Forno <rforno@infowarrior.org>
Thu, 13 May 2021 10:50:25 -0400

(via RSK's list)

You can't make this stuff up.

> Cyber Security Manager At Colonial Pipeline
> https://www.daybook.com/jobs/jDuPoWB4gbFMpS8x5
> Date Posted: May 12th 2021
> Location: Atlanta GA, USA
>
> This appears to have been written quickly, because parts of the corporate
> boilerplate are repeated.  Let's get to the good stuff:
>   “As the Manager, Cyber Security, you are accountable for managing a team
>   of cyber security certified subject matter experts and specialists
>   including but not limited to network security engineers, SCADA & field
>   controls network engineers and a cyber security architect. As the
>   Manager, you will lead the development of the enterprise strategy for
>   cybersecurity; will oversee the development of standards and processes
>   for cyber security; lead the recovery from security incidents; and
>   guide forensics of incidents. You are someone who has an understanding
>   of emerging security threats in order to design security policies and
>   procedures to mitigate threats where possible.”
> I can't decide who's having a worse month: the person who until recently
> held this position, or the person who will next occupy it.

Ransomware Gang Leaks Metropolitan Police Data After Failed Negotiations (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Wed, 12 May 2021 09:06:48 -1000

The cybercrime syndicate behind Babuk ransomware has leaked more personal files belonging to the Metropolitan Police Department (MPD) after negotiations with the DC Police broke down, warning that they intend to publish all data if their ransom demands are not met.

“The negotiations reached a dead end, the amount we were offered does not suit us, we are posting 20 more personal files on officers, you can download this archive, the password will be released tomorrow. if during tomorrow they do not raise the price, we will release all the data,” the gang said in a statement on their data leak site.

“You still have the ability to stop it,” it added.

The Babuk group is said to have stolen 250GB of data <https://thehackernews.com/2021/04/hackers-threaten-to-leak-dc-police.html>, including investigation reports, arrests, disciplinary actions, and other intelligence briefings.

Like other ransomware platforms, DarkSide adheres to a practice called double extortion, which involves demanding money in return for unlocking files and servers encrypted by the ransomware, as well as for not leaking any data stolen from the victim prior to cutting off access to them.

“We are some kind of a cyberpunks, we randomly test corporate networks security and in case of penetration, we ask money, and publish the information about threats and vulnerabilities we found, in our blog if company doesn't want to pay,” the group describes itself on the dark web site, calling its attacks an “audit.”

Screenshots shared by the Babuk group, and seen by The Hacker News, reveal that the data was published after the amount DC Police was willing to pay did not match their ransom amount of $4 million. The MPD has allegedly offered $100,000 to fend off the release of stolen information. […]

https://thehackernews.com/2021/05/ransomware-gang-leaks-metropolitan.html


Fact Sheet on Biden Cybersecurity EO (The White House)

Richard Forno <rforno@infowarrior.org>
May 13, 2021 20:55:48 JST

via Dave Farber

https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/fact-sheet-president-signs-executive-order-charting-new-course-to-improve-the-nations-cybersecurity-and-protect-federal-government-networks/

FACT SHEET: President Signs Executive Order Charting New Course to Improve the Nation's Cybersecurity and Protect Federal Government Networks
12 May 2021

Today, President Biden signed an Executive Order to improve the nation's cybersecurity and protect federal government networks. Recent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals. These incidents share commonalities, including insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents.

This Executive Order makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States' ability to respond to incidents when they occur. It is the first of many ambitious steps the Administration is taking to modernize national cyber defenses. However, the Colonial Pipeline incident is a reminder that federal action alone is not enough. Much of our domestic critical infrastructure is owned and operated by the private sector, and those private sector companies make their own determination regarding cybersecurity investments. We encourage private sector companies to follow the Federal government's lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.

Specifically, the Executive Order the President is signing today will:

Remove Barriers to Threat Information Sharing Between Government and the Private Sector. The Executive Order ensures that IT Service Providers are able to share information with the government and requires them to share certain breach information. IT providers are often hesitant or unable to voluntarily share information about a compromise. Sometimes this can be due to contractual obligations; in other cases, providers simply may be hesitant to share information about their own security breaches. Removing any contractual barriers and requiring providers to share breach information that could impact Government networks is necessary to enable more effective defenses of Federal departments, and to improve the Nation's cybersecurity as a whole.

Modernize and Implement Stronger Cybersecurity Standards in the Federal Government. The Executive Order helps move the Federal government to secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption within a specific time period. Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors. The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.

Improve Software Supply Chain Security. The Executive Order will improve the security of software by establishing baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available. It stands up a concurrent public-private process to develop new and innovative approaches to secure software development and uses the power of Federal procurement to incentivize the market. Finally, it creates a pilot program to create an “energy star” type of label so the government, and the public at large, can quickly determine whether software was developed securely. Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit. This is a long-standing, well-known problem, but for too long we have kicked the can down the road. We need to use the purchasing power of the Federal Government to drive the market to build security into all software from the ground up.

Establish a Cybersecurity Safety Review Board. The Executive Order establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads, that may convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity. Too often organizations repeat the mistakes of the past and do not learn lessons from significant cyber incidents. When something goes wrong, the Administration and private sector need to ask the hard questions and make the necessary improvements. This board is modeled after the National Transportation Safety Board, which is used after airplane crashes and other incidents.

Create a Standard Playbook for Responding to Cyber Incidents. The Executive Order creates a standardized playbook and set of definitions for cyber incident response by federal departments and agencies. Organizations cannot wait until they are compromised to figure out how to respond to an attack. Recent incidents have shown that within the government the maturity level of response plans varies widely. The playbook will ensure all Federal agencies meet a certain threshold and are prepared to take uniform steps to identify and mitigate a threat. The playbook will also provide the private sector with a template for its response efforts.

Improve Detection of Cybersecurity Incidents on Federal Government Networks. The Executive Order improves the ability to detect malicious cyber activity on federal networks by enabling a government-wide endpoint detection and response system and improved information sharing within the Federal government. Slow and inconsistent deployment of foundational cybersecurity tools and practices leaves an organization exposed to adversaries. The Federal government should lead in cybersecurity, and strong, Government-wide Endpoint Detection and Response (EDR) deployment coupled with robust intra-governmental information sharing are essential.

Improve Investigative and Remediation Capabilities. The Executive Order creates cybersecurity event log requirements for federal departments and agencies. Poor logging hampers an organization's ability to detect intrusions, mitigate those in progress, and determine the extent of an incident after the fact. Robust and consistent logging practices will solve much of this problem.


ICAO Updates Effort To Clean Up NOTAM ‘Garbage’ (AVweb)

Gabe Goldberg <gabe@gabegold.com>
Wed, 12 May 2021 20:15:27 -0400

“(NOTAMs) are just a bunch of garbage that nobody pays any attention to,” said NTSB Chairman Robert Sumwalt during the 2018 hearing on the infamous Air Canada incident, in which pilots missed a critical piece of information. Unnoticed on page eight of a 27-page briefing package was the fact that one of the destination airport’s two runways was closed. […]

Finally, the organization suggests updating the format of NOTAMs to make them more reader-friendly. Australian Federation of Air Pilots Safety and Technical Director Stuart Beveridge said, “So, we’ve actually suggested they move into the 21st century and look at upper and lower case, punctuation, plain standardized language, and time formats that are not just strings of numbers.”

https://www.avweb.com/aviation-news/icao-updates-effort-to-clean-up-notam-garbage/


Covid pandemic was preventable, says WHO-commissioned report (Sarah Boseley)

Dewayne Hendricks <dewayne@warpspeed.com>
May 13, 2021 7:09:01 JST

[Note: This item comes from reader Randall Head. DLH] <via Dave Farber>

Sarah Boseley, The Guardian, May 12 2021
Covid pandemic was preventable, says WHO-commissioned report
Independent panel castigates global leaders and calls for major changes to ensure it cannot happen again

<https://www.theguardian.com/world/2021/may/12/covid-pandemic-was-preventable-says-who-commissioned-report>

The Covid pandemic was a preventable disaster that need not have cost millions of lives if the world had reacted more quickly, according to an independent high-level panel, which castigates global leaders and calls for major changes to bring it to an end and ensure it cannot happen again.

The report of the panel, chaired by the former New Zealand prime minister Helen Clark and Ellen Johnson Sirleaf, a former president of Liberia, found “weak links at every point in the chain”.

It said preparation was inconsistent and underfunded, the alert system too slow and too meek, while the World Health Organization was underpowered. It concluded the response had exacerbated inequalities. “Global political leadership was absent,” the report said.

Clark described February 2020 as “a month of lost opportunity to avert a pandemic, as so many countries chose to wait and see”.

“For some, it wasn't until hospital ICU beds began to fill that more action was taken,” she said. “And by then it was too late to avert the pandemic impact. What followed then was a winner takes all scramble for PPE and therapeutics. Globally, health workers were tested to their limits and the rates of infection, illness and death soared and continue to soar.”

Sirleaf said: “The situation we find ourselves in today could have been prevented. An outbreak of a new pathogen, Sars CoV-2 became a catastrophic pandemic that has now killed more than 3.25 million people, and continues to threaten lives and livelihoods all over the world. It is due to a myriad of failures, gaps and delays in preparedness and response. This was partly due to failure to learn from the past.”

Urgent action must be taken, she said. “There are many reviews of previous health crises that include sensible recommendations. Yet, they sit gathering dust in UN basements and on government shelves … Our report shows that most countries of the world were simply not prepared for a pandemic.”

The report was commissioned by the WHO director general at the instigation of member states, who called at the World Health Assembly in May last year for an impartial review of what happened and what could be learned from the pandemic.

The panel calls for radical changes to bring heads of state together to oversee pandemic preparations, ensuring the finance and tools the world needs are in place. They want a faster-moving, better-resourced WHO. And they want a commitment now from leaders of affluent countries to supply vaccines for the rest of the world.

The report says the Chinese detected and identified the new virus promptly when it emerged at the end of 2019 and gave warnings that should have been heeded.

“When we look back to that period in late December, 2019, clinicians in Wuhan acted quickly when they recognised individuals in a cluster of pneumonia cases that were not normal,” said Sirleaf.

An alert was sent out in Wuhan about a potentially new virus, which was “picked up quickly by neighbouring areas, countries, the media, on an online disease reporting site, and by the WHO,” she said.

“This shows the benefit and speed of open-source reporting, but then the systems that were meant to validate and respond to this alert were too slow. The alert system does not operate with sufficient speed when faced with a fast-moving respiratory pathogen.”

The WHO “was hindered and not helped by the international health regulations and procedures”, said Clark. The regulations that govern when the WHO can declare a public health emergency of international concern were adopted in 2007. They bind WHO to confidentiality and verification, preventing rapid action, and prohibit countries from unnecessarily closing their borders against trade.

Every day counts, said the panel, which believes the emergency could have been declared by 22 January, instead of 30 January, as happened.

During “the lost month” of February, countries should have been preparing. Some did and have suffered far less than those that did not. “Countries with the ambition to aggressively contain and stop the spread whenever and wherever it occurs have shown that this is possible,” says the report.

Some countries “devalued and debunked” the science, denying the severity of the disease. “This has had deadly consequences,” said Clark. “This has been compounded by a lack of global leadership and coordination of geopolitical tensions and nationalism weakening the multilateral system, which should act to keep the world safe.”

The report recommends the creation of a “global health threats council”, to be led by heads of state, to keep attention on the threats of pandemics between emergencies and ensure collective action. It calls for a special session of the UN general assembly later this year to agree a political declaration. The WHO must have more power and more funding, while its regional directors and the director general should serve just a single term of seven years.

The panel says it is “deeply concerned and alarmed” about the current high rates of transmission of the virus and the emergence of variants. Every country must take the necessary measures to curb the spread, says the report. High-income countries with enough vaccines ordered for their own needs must commit to providing at least 1bn doses by 1 September to Covax, the UN-backed initiative to get vaccines to 92 low- and middle-income countries, and more than 2bn doses by mid-2022.


Dark Web Getting Loaded With Bogus Covid-19 Vaccines and Forged Cards (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Thu, 13 May 2021 01:06:23 -1000

Bogus COVID-19 test results, fraudulent vaccination cards, and questionable vaccines are emerging as a hot commodity on the dark web in what's the latest in a long list of cybercrimes capitalizing <https://thehackernews.com/2020/12/hackers-targeting-companies-involved-in.html> on the coronavirus <https://thehackernews.com/2020/12/north-korean-hackers-trying-to-steal.html> pandemic.

“A new and troubling phenomenon is that consumers are buying COVID-19 vaccines on the black market due to the increased demand around the world,” said <https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fools-gold-questionable-vaccines-bogus-results-and-forged-cards/> Anne An, a senior security researcher at McAfee's Advanced Programs Group (APG). “As a result, illegal COVID-19 vaccines and vaccination records are in high demand on darknet marketplaces.”

The growing demand and the race towards achieving herd immunity means at least a dozen underground marketplaces are peddling COVID-19 related merchandise, with Pfizer-BioNTech vaccines purchasable for $500 per dose from top-selling vendors who rely on services like Wickr, Telegram, WhatsApp, and Gmail for advertising and communications.

Darknet listings for the supposed vaccines are being sold for anywhere between $600 to $2,500, enabling prospective buyers to receive the product within two to 10 days. A second vendor has been identified as selling 10 doses of what's purportedly Moderna COVID-19 vaccine for $2,000. The vaccines are said to be either imported from the U.S. or packed in the U.K. and then shipped to other countries worldwide.

What's more, fake vaccination cards allegedly issued by the U.S. Centers for Disease Control and Prevention (CDC) are available starting for $50 and going all the way to $1,500. Likewise, another unnamed seller on a different dark web market is offering counterfeit German COVID-19 certificates for a mere $22.35. […]

https://thehackernews.com/2021/05/dark-web-getting-loaded-with-bogus.html


Re: Marvin Minsky hacked? (THVV, RISKS-32.66)

Martin Ward <martin@gkc.org.uk>
Thu, 13 May 2021 14:43:37 +0100

A “Universal Turing Machine” is a machine that simulates an arbitrary Turing machine on arbitrary input: in other words it is designed to execute arbitrary code.

So a “hack” which allows arbitrary code execution is just the machine running as designed.
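The point above can be made concrete with a small Turing-machine interpreter. This is an added illustration, not code from the original post: the interpreter itself never changes, and whatever transition table it is handed (the "program") is what runs, which is exactly the universal-machine property being described. The table format, the state names and the two sample machines are my own constructions.

```python
"""Minimal Turing-machine interpreter (added example, constructed format).

A transition table maps (state, symbol) -> (new_state, symbol_to_write, move),
with move being -1 (left), 0 (stay) or +1 (right). The interpreter run_tm()
is the fixed "universal" part; the table is the arbitrary program it executes.
"""

from typing import Dict, Tuple

Transition = Dict[Tuple[str, str], Tuple[str, str, int]]


def run_tm(table: Transition, tape: str, start: str = "q0",
           halt: str = "halt", blank: str = "_", max_steps: int = 10_000) -> str:
    """Run the machine described by `table` on `tape`; return the final tape.

    The tape is unbounded in both directions (a dict keyed by cell index).
    A step budget guards against machines that never reach `halt`, since
    the interpreter cannot decide that in general."""
    cells: Dict[int, str] = {i: c for i, c in enumerate(tape)}
    head, state, steps = 0, start, 0
    while state != halt:
        if steps >= max_steps:
            raise RuntimeError("step budget exhausted (machine may not halt)")
        sym = cells.get(head, blank)
        if (state, sym) not in table:
            raise RuntimeError(f"no transition for ({state}, {sym!r})")
        state, write, move = table[(state, sym)]
        cells[head] = write
        head += move
        steps += 1
    lo, hi = min(cells), max(cells)
    return "".join(cells.get(i, blank) for i in range(lo, hi + 1)).strip(blank)


# Program 1 (constructed): binary increment, most-significant bit first.
# q0 scans right to the end of the number; q1 walks back left propagating a carry.
INCREMENT: Transition = {
    ("q0", "0"): ("q0", "0", +1),
    ("q0", "1"): ("q0", "1", +1),
    ("q0", "_"): ("q1", "_", -1),
    ("q1", "1"): ("q1", "0", -1),      # 1 + carry -> 0, keep carrying
    ("q1", "0"): ("halt", "1", 0),     # 0 + carry -> 1, done
    ("q1", "_"): ("halt", "1", 0),     # ran off the left edge: grow the number
}

# Program 2 (constructed): complement every bit, then halt at the first blank.
FLIP: Transition = {
    ("q0", "0"): ("q0", "1", +1),
    ("q0", "1"): ("q0", "0", +1),
    ("q0", "_"): ("halt", "_", 0),
}

# Program 3 (constructed): never halts; shows why the step budget exists.
LOOP: Transition = {("q0", "_"): ("q0", "_", +1)}


def increment_binary(bits: str) -> str:
    return run_tm(INCREMENT, bits)


def flip_bits(bits: str) -> str:
    return run_tm(FLIP, bits)


def loops_forever() -> bool:
    """True if the interpreter's budget cut the LOOP machine off."""
    try:
        run_tm(LOOP, "", max_steps=100)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(increment_binary("1011"))   # 1100
    print(increment_binary("111"))    # 1000
    print(flip_bits("1011"))          # 0100
    print(loops_forever())            # True
```

The same `run_tm` executes all three tables without modification; "arbitrary code execution" is simply the interpreter doing its job, and the only defence the interpreter itself can offer is a resource limit, not a judgement about which programs are acceptable.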


Re: A mom panicked when her 4-year-old bought $2,600 in SpongeBob Popsicles (RISKS-32.65)

“Bernie Cosell” <cosell@alum.mit.edu>
Wed, 12 May 2021 15:49:45 -0400

Easy enough to find other stories about it:

https://www.msn.com/en-us/news/world/boy-accidentally-orders-2600-worth-of-spongebob-ice-cream-online

Seems that he used his Mom's Amazon account and it was probably set up with her credit card.


Re: A mom panicked when her 4-year-old bought $2,600 in SpongeBob, Popsicles (RISKS-32.65)

Martin Ward <martin@gkc.org.uk>
Thu, 13 May 2021 15:02:46 +0100

Install the NoScript Firefox extension and ensure that washingtonpost.com is blocked. You can then read all the articles without the annoying popup asking you to subscribe or login.


Re: I have been pwned!—but not really (Slade, RISKS-32.65)

DJC <djc@resiak.org>
Thu, 13 May 2021 12:11:50 +0200

My Gmail account—which I use rather little—gets lots of mail intended for others with my name. People enter their own addresses wrong (should be my.name.DIGITS@gmail.com, but they enter my.name@gmail.com) or they're transcribed wrong… the whole mess.

I've gotten personal notes to friends and spouses, diplomatic mail, invitations to job interviews (and their outcomes), work documents, health records, meeting notices, lots of invoices and bills, invitations to parties, you name it, including evidence of many scams. Plus signup confirmation requests for Facebook and other channels.

Where they look harmless I often write to the senders to let them know. They're often clueless. Occasionally someone thanks me, but they're sometimes angry:

How did you get my address, you *%%#@! (ranting on…)
If it wasn't for you, why did you read it, stupid?
Why are you bothering me about this?

Where I see a scam in action I usually try to interrupt it. (I hope those people had a long wait and got proper attention when they arrived at the airport to make a flight paid for with a stolen credit card—not mine, but email confirmation to me—and found that their travel had been canceled. They wouldn't have known about the cancellation, which I handled personally, because the confirmation came to me only the day before the flight.)

At worst, it's a temporary bother, and at best a source of innocent merriment.


Cybersecurity, Nuclear Weapon Systems and Strategic Stability: Webinar

“Diego.Latella” <diego.latella@isti.cnr.it>
Thu, 13 May 2021 14:02:08 +0200

Thursday 27 May 2021 at 5:30 pm (CEST)

* Antonello Provenzale, President - Area della Ricerca CNR di Pisa
Diego Latella, CNR-ISTI (IT)
* Cyber-security and Critical Infrastructures, a Global Challenge
Domenico Laforenza, CNR-IIT (IT)
* Strategic Stability and Cyber and Space Dependency in Nuclear Assets
Beyza Unal, Chatham House (UK)

The webinar is organised by

Gruppo Interdisciplinare su Scienza, Tecnologia e Società (GI-STS) dell'Area della Ricerca di Pisa del CNR

In cooperation with

Areaperta - Area della Ricerca CNR di Pisa
Centro Interdisciplinare Scienze per La Pace dell'Università di Pisa
Istituto di Biofisica del CNR
Istituto di Scienza e Tecnologie dell'Informazione “A. Faedo” del CNR
Laboratorio Informatica e Società del CINI
Pugwash Conferences on Science and World Affairs
Unione degli Scienziati Per Il Disarmo

Under the auspices of La Nuova Limonaia, Rete Università per la Pace

https://us02web.zoom.us/j/85979020637?pwd=ZmNMbWxoVllXUmxBVUw4TllXZFBVdz09
