The RISKS Digest
Volume 33 Issue 14

Tuesday, 12th April 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

India's Inadvertent Missile Launch Underscores the Risk of Accidental Nuclear Warfare News and Research - Scientific American
SciAm
GM Cruise autonomous taxi without humans pulled over by police in San Francisco
Electrek
The U.S. opens a risky new front in cyberdefense
Tim Culpan
You're muted… or are you? Videoconferencing apps may listen even when mic is off
techxplore.com
Crypto Firms Have a Wish List. States are Turning It into Law.
NYTimes
An ex-cop fell for Alice. Then he fell for her $66 million crypto scam
WashPost
Binance cryptocurrency traders are pushing back after a crash
WashPost
Thieves Hit on a New Scam: Synthetic Identity Fraud
Pew Trusts
Scammers are texting you from your own number now—here's what to do if that happens
CNBC
U.S. FBI Says It Disrupted Russian Hackers
Sarah N. Lynch
Does This AI Think Like a Human?
Adam Zewe
Keywords Can Hack the Hiring Process
Herb Booth
Re: Squirrels and rats attacking AT&T fiber
Susmit Jha
Re: Tesla Deaths and Apache Log4j instances unpatched
Dmitri Maziuk
Re: Security of lights-out managers
Anthony Thorn
Re: Quantum error-correction
Anthony Thorn
Re: Hackers Steal About $600 Million in One of the Biggest…
Mateos
Re: Machine learning and uncommon names and common ones, too
John Levine, Arthur Flatau
Re: Spreadsheets Are Hot—and Cranking Out Complex Code
John Levine
Info on RISKS (comp.risks)

India's Inadvertent Missile Launch Underscores the Risk of Accidental Nuclear Warfare News and Research - Scientific American (SciAm)

Chad Dougherty <crd@acm.org>
Mon, 11 Apr 2022 20:50:57 -0400

“Last month, while most of the world focused on the war in Ukraine and worried that a beleaguered Russian leadership might resort to nuclear weapons, thus escalating the conflict into a direct war with the U.S.-led NATO nuclear-armed alliance, a nearly tragic accident involving India and Pakistan pointed to another path to nuclear war. The accident highlighted how complex technological systems, including those involving nuclear weapons, can generate unexpected routes to potential disaster—especially when managed by overconfident organizations.”

https://www.scientificamerican.com/article/indias-inadvertent-missile-launch-underscores-the-risk-of-accidental-nuclear-warfare/


GM Cruise autonomous taxi without humans pulled over by police in San Francisco (Electrek)

Dan Eakins <dan@sweetvinyl.com>
Mon, 11 Apr 2022 21:08:36 -0700

Seth Weintraub, Electrek, 10 Apr 2022

The converted Chevy Bolt ‘bolted’ … to a safe spot.

GM's Cruise vehicles have been operating autonomously in San Francisco at night, giving rides to employees around the city. Until now we've only seen success stories. Recently, Google's Waymo driverless vehicles joined Cruise in San Francisco.

https://electrek.co/2022/04/10/gm-cruise-autonomous-taxi-pulled-over-by-police-in-san-francisco-without-humans-bolts-off-u-cruise-responds/


The U.S. opens a risky new front in cyberdefense (Tim Culpan)

Peter Neumann <neumann@csl.sri.com>
Mon, 11 Apr 2022 20:12:28 PDT

Tim Culpan, Bloomberg, 8 Apr 2022

https://www.washingtonpost.com/business/the-us-opens-a-risky-new-front-in-cyberdefense/2022/04/08/5a378e2e-b72f-11ec-8358-20aa16355fb4_story.html

A U.S. operation to secretly remove malware from networks at home and overseas highlights the new front Washington is opening in its approach to global cyberdefense. It's a much-needed strategy, but one that ought to be handled delicately if the U.S. is to maintain the cooperation necessary to keep pulling off such sneaky maneuvers.

The U.S. and its allies found malicious code developed and planted by Russia's military intelligence agency, the GRU, in thousands of devices worldwide, Attorney General Merrick Garland revealed Wednesday. The U.S. and other nations have been on the alert for the possibility that Russia would conduct cyberattacks on businesses or critical infrastructure to retaliate against sanctions over the war in Ukraine.

But the mission disclosed this week went further than identifying where malware had turned up. According to the New York Times, secret court orders allowed the U.S. to remove the malicious software from Russian control by taking steps that included entering corporate networks without the companies' knowledge.


You're muted… or are you? Videoconferencing apps may listen even when mic is off (techxplore.com)

Richard Stein <rmstein@ieee.org>
Tue, 12 Apr 2022 07:49:16 +0800

https://techxplore.com/news/2022-04-youre-muted-videoconferencing-apps-mic.html

“It turns out, in the vast majority of cases, when you mute yourself, these apps do not give up access to the microphone,” says Fawaz. “And that's a problem. When you're muted, people don't expect these apps to collect data.”

When mute != mute.


Crypto Firms Have a Wish List. States are Turning It into Law. (NYTimes)

Peter G Neumann <neumann@csl.sri.com>
Tue, 12 Apr 2022 11:11:45 PDT

Eric Lipton and David Yaffe-Bellany, The New York Times front page story, 11 Apr 2022.

Captions on four photos:


An ex-cop fell for Alice. Then he fell for her $66 million crypto scam (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Sun, 10 Apr 2022 01:46:02 -0400

A former police officer lost $15,000 overnight as part of a large-scale crypto swindle. It underlines the startling increase in these scams—and their growing power to affect anyone.

Savvy people are getting hustled out of their crypto left and right. And there's almost nothing they can do to get it back.

Some days PJ Jenkins just likes to look at his money. He can't get to that money, which totals about $15,000 in cryptocurrency—it's been lifted from him by scammers. But thanks to the quirks of crypto, the cash sits visible to him online via the blockchain, taunting him.

“It's right there; everyone can see it. But I can't touch it,” said Jenkins, still sounding a little dazed a few months after the swindle.

Jenkins isn't some greenhorn fresh to the world of money and crime. In fact, if anyone shouldn't have been duped in a scam, it's him—a 57-year-old retired cop from outside Atlantic City, who prides himself on his law enforcement wiles. He even used to direct security at a casino, his eagle eyes spotting the shady types who would take the house for a ride.

But over a months-long slow play—led by an attractive woman and fueled by a spate of confidence-winning gestures—Jenkins slowly gave his money to the crooks. He has little hope of ever recovering it.

https://www.washingtonpost.com/technology/2022/04/04/crypto-scams-coinbase-liquidity-mining/

The risk? Phony attractive women? That's new?


Binance cryptocurrency traders are pushing back after a crash (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Sun, 10 Apr 2022 17:45:13 -0400

On platforms like Binance, traders are taking unprecedented risks. Some have had enough.

https://www.washingtonpost.com/outlook/2022/04/01/binance-may-19-lawsuit-cryptocurrency/

Cryptocurrency could help governments and businesses spy on us. The popularity of digital currencies like bitcoin could erode the last vestiges of financial privacy online.

https://www.washingtonpost.com/outlook/2022/04/01/cryptocurrency-privacy-mainstream/

Why some charities are rethinking cryptocurrency donations. Accepting a bitcoin gift might get you that new hospital wing, but resisters worry about a predatory, planet-killing scheme.

https://www.washingtonpost.com/outlook/2022/03/31/bitcoin-donations-cryptocurrency-charities/

Oh, dear…


Thieves Hit on a New Scam: Synthetic Identity Fraud (Pew Trusts)

geoff goodfellow <geoff@iconia.com>
Sat, 9 Apr 2022 14:17:08 -1000

Websites show information for collecting unemployment insurance in Virginia, right, and reporting fraud and identity theft in Pennsylvania. Thieves are using synthetic identity fraud to rip off state and federal programs as well as consumers' credit.

In fall 2020, 43-year-old Adam Arena and a dozen suspected co-conspirators were indicted in New York on charges of trying to swindle banks out of more than $1 million through a scheme known as synthetic identity fraud.

They combined real Social Security numbers with mismatched or phony names to create new identities, according to investigators. Prosecutors began the investigation in 2018 and charged them with 108 counts of illegal financial activity, mostly borrowing huge amounts of money they never intended to pay back, according to investigators.

The scheme was so fruitful that in May 2020, according to prosecutors, Arena apparently did it again.

This time, investigators say, Arena and a partner used synthetic identities to bilk the federal government out of nearly $1 million from the Paycheck Protection Program, designed to help people who had lost their businesses or employment due to the pandemic. The duo used a fake ID to get a $954,000 loan and spent it on two vehicles, spa services, clothing, restaurant meals and gym memberships, according to prosecutors. […]

https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2022/04/07/thieves-hit-on-a-new-scam-synthetic-identity-fraud


Scammers are texting you from your own number now—here's what to do if that happens (CNBC)

geoff goodfellow <geoff@iconia.com>
Sun, 3 Apr 2022 18:49:18 -1000

https://www.cnbc.com/2022/04/02/scammers-are-texting-you-from-your-own-number-now-what-to-do-about-it.html


U.S. FBI Says It Disrupted Russian Hackers (Sarah N. Lynch)

ACM TechNews <technews-editor@acm.org>
Mon, 11 Apr 2022 11:54:57 -0400 (EDT)

Sarah N. Lynch, Reuters, 6 Apr 2022, via ACM TechNews, 11 Apr 2022

U.S. officials said the Federal Bureau of Investigation (FBI) seized control of thousands of routers and firewall appliances from Russian hackers by appropriating the infrastructure used to communicate with the devices. An unsealed redacted affidavit said the operation attempted to prevent the hackers from networking the devices into a botnet with which they could assail other servers with rogue traffic. Said U.S. Attorney General Merrick Garland, “Fortunately, we were able to disrupt this botnet before it could be used.” The botnet was governed by Cyclops Blink malware, which U.S. and U.K. cyberdefense agencies had publicly attributed to Sandworm, a group associated with Russian military intelligence. FBI Director Chris Wray said, “We removed malware from devices used by thousands of mostly small businesses for network security all over the world. We shut the door the Russians had used to get into them.”

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e669x233093x072222&


Does This AI Think Like a Human? (Adam Zewe)

ACM TechNews <technews-editor@acm.org>
Mon, 11 Apr 2022 11:54:57 -0400 (EDT)

Adam Zewe, MIT News, 6 Apr 2022, via ACM TechNews, 11 Apr 2022

Massachusetts Institute of Technology (MIT) and IBM Research scientists have developed the Shared Interest method for rapidly analyzing a machine learning model's behavior by evaluating its individual explanations. The technique uses saliency methods to highlight how the model made specific decisions, comparing them to ground-truth data. Shared Interest then applies quantifiable metrics that compare the model's reasoning to that of a human by measuring the alignment between its decisions and the ground truth, then classifying those decisions into eight categories. The method can be used for image and text classification. MIT's Angie Boggust warned that the technique is only as good as the saliency methods on which it is based; if those techniques are biased or contain inaccuracies, the technique will inherit those limitations.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e669x233096x072222&


Keywords Can Hack the Hiring Process (Herb Booth)

ACM TechNews <technews-editor@acm.org>
Mon, 11 Apr 2022 11:54:57 -0400 (EDT)

Herb Booth, University of Texas at Arlington, 7 Apr 2022, via ACM TechNews, 11 Apr 2022

The University of Texas at Arlington (UTA)'s Shirin Nilizadeh found that an algorithm that uses job-specific keywords can help applicants improve their position by at least 16 spots on average in a pool of 100 applicants. “We found out that you can tailor your resume for a specific job by using specific keywords that could get you pushed toward the top,” she explained. Text-embedding algorithms pair words and sentences in resumes with the job description to produce similarity scores on which resumes are ranked. Nilizadeh found that while adding more keywords improves the ranking, adding too many might not. UTA's Hong Jiang suggested Nilizadeh's work “might be a tool prospective employees and employers could use in the job search process.”

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e669x233099x072222&


Re: Squirrels and rats attacking AT&T fiber (RISKS-33.13)

Susmit Jha <susmit.jha@sri.com>
Sun, 10 Apr 2022 00:45:52 +0000

https://www.thedrive.com/tech/33236/hondas-chili-flavored-wire-wrap-could-save-your-car-from-a-rodent-invasion

It appears Honda thinks chili-flavored wire might work, though there is a concern that habituation would decrease long-term effectiveness: https://www.sciencedirect.com/science/article/abs/pii/009130579090541O


Re: Tesla Deaths and Apache Log4j instances unpatched (RISKS-33.13)

dmitri maziuk <dmitri.maziuk@gmail.com>
Sun, 10 Apr 2022 11:07:28 -0500

Also, how did they count 'em?

E.g. Apache Solr from some old version up to 8.11 includes vulnerable log4j jars. One could look at the versions of existing Solr installations and count the instances < 8.11 (and hopefully > whichever that “some old version” was). The result would be wrong because one can replace only the log4j jars, without upgrading the entire Solr installation. In fact a lot of us did: upgrading a large Solr index is not always trivial.

To make things worse, some of log4j CVEs only apply if the user (or an attacker who already controls the target system) has configured log4j to be vulnerable. We can count these instances as “unpatched” but that doesn't mean they are vulnerable.
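The counting problem the post describes, as an added example that is not part of the original post: instead of inferring patch state from the Solr release, walk each install and look at the log4j-core jars actually on disk. The directory layout, the jar file names and all version numbers below are constructed fixtures (real Solr installs should be located by your own inventory), and the two thresholds passed to `count_unpatched` are illustrative placeholders to be set from your patch policy. The example covers only the first of the post's two points; whether a present jar is exploitable under a given configuration is a separate check.

```python
"""Count "unpatched" Solr installs by inspecting log4j-core jars, not the Solr version."""
import re
import tempfile
from pathlib import Path

# Standard "<artifact>-<version>.jar" naming is assumed for both artifacts.
SOLR_CORE_RE = re.compile(r"^solr-core-(\d+(?:\.\d+)+)\.jar$")
LOG4J_CORE_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> tuple:
    """'8.11.1' -> (8, 11, 1); tuples compare numerically, unlike strings ('8.9' > '8.11')."""
    return tuple(int(part) for part in text.split("."))


def inventory_install(install_root: Path, solr_fixed: str, log4j_fixed: str) -> dict:
    """Classify one install two ways: by Solr version and by the log4j-core jars present."""
    solr_versions, log4j_versions = [], []
    for jar in Path(install_root).rglob("*.jar"):
        m = SOLR_CORE_RE.match(jar.name)
        if m:
            solr_versions.append(parse_version(m.group(1)))
        m = LOG4J_CORE_RE.match(jar.name)
        if m:
            log4j_versions.append(parse_version(m.group(1)))
    # Naive count: "Solr older than the fixed release => unpatched".
    by_solr = bool(solr_versions) and min(solr_versions) >= parse_version(solr_fixed)
    # What actually matters: the oldest log4j-core jar on disk, whoever put it there.
    by_jar = bool(log4j_versions) and min(log4j_versions) >= parse_version(log4j_fixed)
    return {
        "install": Path(install_root).name,
        "solr": sorted(solr_versions),
        "log4j": sorted(log4j_versions),
        "patched_by_solr_version": by_solr,
        "patched_by_jar_version": by_jar,
    }


def count_unpatched(base: Path, solr_fixed: str, log4j_fixed: str) -> tuple:
    """Return (unpatched count by Solr version, unpatched count by jar inspection)."""
    installs = [p for p in sorted(Path(base).iterdir()) if p.is_dir()]
    reports = [inventory_install(p, solr_fixed, log4j_fixed) for p in installs]
    by_solr = sum(not r["patched_by_solr_version"] for r in reports)
    by_jar = sum(not r["patched_by_jar_version"] for r in reports)
    return by_solr, by_jar


def build_sample_tree(base: Path) -> Path:
    """Constructed fixture: three fake installs holding empty jar files (only names matter)."""
    layout = {
        "solr-old-untouched": ["solr-core-8.10.1.jar", "log4j-core-2.14.1.jar"],
        # The case the post describes: old Solr, but the log4j jars were swapped out.
        "solr-old-jars-swapped": ["solr-core-8.10.1.jar", "log4j-core-2.17.1.jar"],
        "solr-upgraded": ["solr-core-8.11.1.jar", "log4j-core-2.17.1.jar"],
    }
    for install, jars in layout.items():
        libdir = Path(base) / install / "server" / "lib" / "ext"  # constructed path
        libdir.mkdir(parents=True, exist_ok=True)
        for name in jars:
            (libdir / name).touch()
    return Path(base)


def demo() -> tuple:
    """Run both counts over the fixture; returns (by Solr version, by jar inspection)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(Path(tmp))
        # Illustrative thresholds only: take the real values from your patch policy.
        return count_unpatched(base, solr_fixed="8.11", log4j_fixed="2.17.1")


if __name__ == "__main__":
    by_solr, by_jar = demo()
    print(f"unpatched by Solr version: {by_solr}, by jar inspection: {by_jar}")
```

On the fixture the Solr-version count reports two unpatched installs while the jar inspection reports one, which is exactly the overcount the post predicts for sites that replaced only the jars.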


Re: Security of lights-out managers (RISKS-33.13)

Anthony Thorn <anthony.thorn@atss.ch>
Sun, 10 Apr 2022 08:20:52 +0200

Protect ALL admin systems

This issue applies to a whole slew of management tools.

When I looked at the security of a user-management (identity-management) tool in a large unix environment (many years ago), I was shocked to find that there were a whole lot of tools in use by various different teams which also had the capability to create users with root privileges.

Obviously all these tools must be afforded maximum protection, and not just the “lights-out” manager.


Re: Quantum error-correction (phys.org, RISKS-33.13)

Anthony Thorn <anthony.thorn@atss.ch>
Sun, 10 Apr 2022 08:05:18 +0200

I do not think that “The reason why this does not work is that rotation and translation are not commutative—the order in which the actions of one type or the other are executed changes the outcome.” More that the frequency of the corrections governs the maximum excursion from the desired path.

If you want to generalise, it is related to the frequency response in negative feedback loops.


Re: Hackers Steal About $600 Million in One of the Biggest… (Kruk, RISKS-33.13)

José María Mateos <chema@rinzewind.org>
Sun, 10 Apr 2022 18:04:42 -0400

English is not my first language, but I've had some pretty interesting ideas about it thanks to the “cryptospace”. For example, there's the word “scam”. It's already pretty short, but it turns out one can shorten it even more by writing it as “NFT”. Amazingly, when pronounced, the shorter version is longer. Isn't it really a curious language?


Re: Machine learning and uncommon names and common ones, too (Flatau, RISKS-33.13)

“John Levine” <johnl@iecc.com>
11 Apr 2022 18:10:40 -0400

Who knew that web scraping was cutting edge?

My name is quite common, and I have written before about how many people with names similar to mine wrongly imagine that my Gmail account is their gmail account, because I got there first and have my name as the mailbox.

There are a lot of academics with names similar to mine, including at least two who work in computing fields similar to mine. I am endlessly telling sites like academia.edu that no, I am not the co-author of some random paper in some random field by some random guy with my name.

There are attempts to fix this by giving people unique identifiers like ORCID (mine is 0000-0001-7553-5024) but we're a long way from that being widely enough used to help much.


Re: Machine learning and uncommon names and common ones, too (RISKS-33.14)

Arthur Flatau <flataua@acm.org>
Mon, 11 Apr 2022 18:08:17 -0500

I got an ORCID as part of the paper submission (0000-0002-6274-4756), which did not help. On the positive side, MediFind has removed the erroneous citation.


Re: Spreadsheets Are Hot—and Cranking Out Complex Code (WiReD, RISKS-33.13)

“John Levine” <johnl@iecc.com>
11 Apr 2022 22:04:17 -0400

Back in the 1980s I worked for a startup called Javelin Software, where we wrote a PC package called Javelin. It was a time-series modeling package, which sounds boring but in fact it was useful for many of the things that people use spreadsheets (at the time 1-2-3) to do.

You could create named variables like

PROFIT = SALES - EXPENSE
SALES = EAST SALES + WEST SALES

Each variable could be a time series with a specified period from days to years, and it could easily convert between periods. There were several views so you could see the inputs to or outputs from any variable, and a spreadsheet-like view where you could put names or parts of names in the border and it would fill in the data from the variables. Since the names were explicit and the date handling automatic, it avoided a lot of the off by one and missing entry errors common in spreadsheets. It was pretty slick. Unfortunately, the company positioned it as a direct competitor to 1-2-3 which it was not, and the company failed.

We converted a lot of 1-2-3 spreadsheets to Javelin models for prospective and current customers, and found that to a first approximation, any spreadsheet large enough to be interesting had mistakes. We also found that people Did Not Care. A particularly telling comment was “it's my manager's job to find the errors in my spreadsheets.”

In the ensuing 35 years spreadsheets have gotten a lot more complicated, while the methods to test them have not improved. There have been a few attempts to add audit tools like ours, but none are widely used. Given the quality of spreadsheets people use, I'm amazed that we don't get another Great Depression each time someone bounces a check.
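A small illustration of the named-variable, explicit-period modelling the post describes, added here as an example that is neither Javelin's code nor part of the original post. It parses the two definitions quoted above, resolves the dependencies by name, evaluates them over monthly series and rolls the result up to quarters. The monthly input figures are constructed, and the parser is deliberately limited to sums and differences of named variables; the point is that a missing entry or a period mismatch becomes an error rather than the silent off-by-one the post warns about.

```python
"""Named time-series variables with explicit periods, in the spirit of the Javelin example."""
import re

# The model quoted in the post; names may contain spaces, so terms are split only on + and -.
MODEL_TEXT = """
PROFIT = SALES - EXPENSE
SALES = EAST SALES + WEST SALES
"""

# Constructed monthly inputs, January to December.
INPUTS = {
    "EAST SALES": [10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21],
    "WEST SALES": [5] * 12,
    "EXPENSE": [8] * 12,
}


def parse_model(text: str) -> dict:
    """Parse 'NAME = A + B - C' lines into {NAME: [(sign, dependency_name), ...]}."""
    model = {}
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        lhs, rhs = (part.strip() for part in line.split("=", 1))
        terms, sign = [], 1
        for token in re.split(r"\s*([+-])\s*", rhs):
            if token == "+":
                sign = 1
            elif token == "-":
                sign = -1
            elif token:
                terms.append((sign, token.strip()))
        model[lhs] = terms
    return model


def evaluate(model: dict, inputs: dict, name: str, _stack: tuple = ()) -> list:
    """Evaluate a variable as a per-period list, resolving dependencies by name."""
    if name in inputs:
        return list(inputs[name])
    if name not in model:
        raise KeyError(f"undefined variable: {name}")
    if name in _stack:
        raise ValueError("circular definition: " + " -> ".join(_stack + (name,)))
    result = None
    for sign, dep in model[name]:
        series = evaluate(model, inputs, dep, _stack + (name,))
        if result is None:
            result = [0] * len(series)
        if len(series) != len(result):
            # Explicit periods turn a missing entry into an error, not a silent misalignment.
            raise ValueError(f"{dep} has {len(series)} periods, {name} expects {len(result)}")
        result = [acc + sign * value for acc, value in zip(result, series)]
    return result


def roll_up(series: list, periods_per_bucket: int) -> list:
    """Convert a flow series to a coarser period by summing, e.g. 12 months -> 4 quarters."""
    if len(series) % periods_per_bucket:
        raise ValueError("series length is not a whole number of buckets")
    return [sum(series[i:i + periods_per_bucket])
            for i in range(0, len(series), periods_per_bucket)]


def demo() -> tuple:
    """Return (monthly PROFIT, quarterly PROFIT) for the constructed inputs."""
    model = parse_model(MODEL_TEXT)
    monthly = evaluate(model, INPUTS, "PROFIT")
    return monthly, roll_up(monthly, 3)


if __name__ == "__main__":
    monthly, quarterly = demo()
    print("PROFIT by month:  ", monthly)
    print("PROFIT by quarter:", quarterly)
```

Because every reference is by name and every series carries its own period, the evaluator can refuse to combine a twelve-month series with an eleven-month one, which is the class of error a cell-addressed spreadsheet will happily compute through.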
