The RISKS Digest
Volume 33 Issue 28

Tuesday, 14th June 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Long-term planning and optimization
Single beaver caused mass Internet, cell service outages in Northern B.C.
CTV News
Vulnerability discovered in Apple M1 chip
The Register via Tom Van Vleck
The Billionaires Seeking a U.S. Chip-Making Revival
Ephrat Livni
How Henry Ford Would Deal With Today's Supply Chain Upheaval
Researchers Find Bluetooth Signals Can be Fingerprinted to Track Smartphones
The Hacker News
A Story of a Bug Found Fuzzing
Microsoft Browser Vulnerability Research
I was able to access thousands of companies' passwords on #Azure and run code on their VMs. This includes access to Microsoft's own credentials
Tzah Pahima
New Syslogk Linux Rootkit Lets Attackers Remotely Command It Using "Magic Packets"
The Hacker News
The surreal case of the disgruntled CIA hacker accused of exposing the agency's digital arsenal—´╗┐King Joshhn
The New Yorker
Coinbase lays off 1,100 employees in 18% cut
Lauren Weinstein
'The Music Has Stopped': Crypto Firms Quake as Prices Fall
Jay-Z and Jack Dorsey launched a Bitcoin academy in a public housing complex
Researchers Detail PureCrypter Loader Cyber Criminals Using to Distribute Malware
The Hacker New
Thefts, Fraud, and Lawsuits at the World's Biggest NFT Marketplace
CRISPR-Based Map Ties Every Human Gene to Its Function
Eva Frederick
Self-Driving Truck Will Deliver Goods to 34 Sam's Club Locations
Alexandra Skores
Has the U.S. Learned Nothing From the UK's Gambling Woes
Re: Parameter Expansion Considered Dangerous
Cliff Kilby with TomHVV
Info on RISKS (comp.risks)

Long-term planning and optimization

Peter Neumann <>
Tue, 14 Jun 2022 14:36:48 PDT
We've been around this topic in RISKS for many different manifestations, and
also in the CACM Inside Risks series:

* The Foresight Saga, Redux: Short-term thinking is the enemy of the
  long-term future, PGN, CACM October 2012:

* A Holistic View of Future Risks: Almost everything is somehow
  interrelated with everything else—and that should not surprise
  us. PGN, CACM October 2020:

The lack of long-term thinking comes up in off-shoring of hardware
fabrication, outsourcing of critical operations to the cloud or
untrustworthy third-parties, supply-chain shortages, food production and
distribution, health care, use of pesticides and toxic wastes,
overdependence on fossil fuels, and—perhaps above all—climate change.
Many of the issues that arise seem to have a common theme, namely, seeking
to saving money and labor in the short term, while suppressing or ignoring
concerns for long-term implications: essentially, kicking the can down the
road rather than picking it up and recycling it.

An opinion piece by Paul Krugman in today's *The New York Times* impels me
to write this short note for RISKS readers.

In the context of the pressing need to save the Great Salt Lake from drying
up totally (with some really nasty implications), Krugman once more leads us
to an absolutely fundamental point: sooner or later, there comes a time when
civiliazions must radically do something dramatic—with costs that vastly
exceed what was saved in the short term.

Krugman's op-ed piece concludes:

 "Finally, we aren't talking about a global problem.  True, globally climate
  change has contributed to reduced snowpack, which is one reason the Great
  Salt Lake has shrunk.  But a large part of the problem is local water
  consumption; if that consumption could be curbed, Utah needn't worry that
  its efforts would be negated by the Chinese or whatever.

  So this should be easy: A threatened region should be accepting modest
  sacrifices, some barely more than inconveniences, to avert a disaster just
  around the corner.  But it doesn't seem to be happening.

  And if we can't save the Great Salt Lake, what chance do we have of saving
  the planet?"

I like to look at problems more holistically—interdisciplinarily,
internationally, globally, and even in some cases universally (as in
the two CACM Inside Risks columns noted above), and always at least
consider the long-term implications before making short-term decisions
that are clearly incompatible with long-term needs.  Not having this
kind of long-term awareness can be eventually be devastating.

Albert Einstein has a pithy quote, which I paraphrase:

  Seemingly difficult problems can often be resolved early.

The Yogi Berra corollary is related, but also valid:

  It gets late early.

That's certainly true of climate change (where the future seemed
inevitable to some wise people at least 60 years ago—e.g., read
Silent Spring), outsourcing almost everything, being dependent on
potentially untrustworthy entities, etc.  In some cases, it may not be
too late to change.  However, in cases of species extinction,
remediation becomes impossible and the role of the departed species in
a balanced ecology is lost forever, and often results in further
imbalance.  Attempts to compensate by local changes is likely to be
inadequate, especially when the problems are global to begin with, and
have no national boundaries.

Is any of my rant relevant to The ACM Risks Forum?   Yes.

The 737 MAX is just one example where a local software fix was attempted
without understainding the airframe-hardware-software implications.  The
Deepwater Horizon fiasco was another case in which financial issues hindered
reasoned remediation even before things went wonky.  (See the very detailed
Beobert/Blossom book, noted in RISKS-29.49,75,80.)

Single beaver caused mass Internet, cell service outages in Northern B.C. Northern B.C. (CTV News)

geoff goodfellow <>
Tue, 14 Jun 2022 09:44:37 -0700
Officials have now identified a beaver as the cause of a June 7 outage that
left many residents of northwestern B.C. without Internet, landline and
cellular service for more than eight hours.

The beaver gnawed its way through an aspen tree which then fell on both BC
Hydro lines and a Telus fibre-optic cable line strung along BC Hydro poles
between Topley and Houston.

The resulting power outage affected just 21 customers but the fibre optics
damage affected Telus customers in Burns Lake, Granisle, Haida Gwaii, the
Hazeltons, Kitimat, Prince George, Prince Rupert, Smithers, Terrace,
Thornhill, Houston, Topley, Telkwa, Fraser Lake and Vanderhoof.

CityWest, the utilities company owned by the City of Prince Rupert, also had
its customers affected because it uses the Telus fibre optics line.

BC Hydro official Bob Gammer said crews identified a beaver as the culprit
because of chew marks at the bottom of the downed tree. [...]

Vulnerability discovered in Apple M1 chip (The Register)

Tom Van Vleck <>
Fri, 10 Jun 2022 20:03:26 -0400

"In a paper titled "PACMAN: Attacking Arm Pointer Authentication with
Speculative Execution," Joseph Ravichandran, eon Taek Na, Jay Lang, and
Mengjia Yan describe how they were able to use speculative execution—the
way in which modern processors perform calculations before they may or may
not be needed to accelerate execution “ to discern the pointer
authentication code that allows pointer modification on a protected system."

The Billionaires Seeking a U.S. Chip-Making Revival (Ephrat Livni)

Peter Neumann <>
Sat, 11 Jun 2022 16:51:53 PDT
Ephrat Livni, *The New York Times*, 11 Jun 2022

Looking to invest and get Congress to help foot the bill

Eric Schmidt (ex-CEO Google, Dem donor), Peter Thiel (PayPal founder, Trump
supporter), H.R. McMaster, and Ash Carter and are part of the American
Frontier Fund, an "usual nonprofit venture capital fund to invest in
chip-making" in the U.S., asking Congess to provide $1B.  The AFF has been
asked by the White House to lead the "Quad Investor Network", described as
:an independent consortium of investors that seeks to advance access to
capital for critical and emerging technologies across the U.S., Japan, and
Australia."  [Ephrat describes varying nuanced views on this effort.

  [It has long been obvious to most far-sighted people that outsourcing fab
  labs was never a risk-free approach.  This is a bad example of optimizing
  for cost-cutting via off-shoring, while ignoring all other factors.  The
  current unavailability of chips and the risks of supply-chain compromises
  are only two issues that need to be considered.  PGN]

How Henry Ford Would Deal With Today's Supply Chain Upheaval (NYTimes)

Gabe Goldberg <>
Sun, 12 Jun 2022 15:06:40 -0400
The automobile pioneer believed short-term interests must not squeeze out
investment in a business' resilience, a lesson many companies have learned
the hard way since 2020.

  [I would add that many companies have apparently *not yet* learned that
  lesson.  PGN]

Researchers Find Bluetooth Signals Can be Fingerprinted to Track Smartphones (The Hacker News)

geoff goodfellow <>
Sat, 11 Jun 2022 07:49:49 -0700
A new research undertaken by a group of academics from the University of
California San Diego has revealed for the first time that Bluetooth signals
can be fingerprinted to track smartphones (and therefore, individuals).

The identification, at its core, hinges on imperfections in the Bluetooth
chipset hardware introduced during the manufacturing process, resulting in
a "unique physical-layer fingerprint."

"To perform a physical-layer fingerprinting attack, the attacker must be
equipped with a Software Defined Radio sniffer: a radio receiver capable of
recording raw IQ radio signals," the researchers said
<> in a new paper
<> titled
<> "Evaluating Physical-Layer
BLE Location Tracking Attacks on Mobile Devices."

The attack <> is
made possible due to the ubiquitous nature of Bluetooth Low Energy (BLE)
beacons that are continuously transmitted by modern devices to enable
crucial functions such as contact tracing
<> during public health

The hardware defects, on the other hand, stem from the fact that both Wi-Fi
and BLE components are often integrated together into a specialized "combo
effectively subjecting Bluetooth to the same set of metrics that can be
used to uniquely fingerprint Wi-Fi devices: carrier frequency offset
<> and IQ imbalance.
<>   [...]

A Story of a Bug Found Fuzzing (Microsoft Browser Vulnerability Research)

geoff goodfellow <>
Sat, 11 Jun 2022 08:44:32 -0700
In a previous blogpost, it covered and mentioned automation and how it is
great at finding memory issues. We also got some feedback to expand on
fuzzing, so this post will cover how we came to develop a fuzzer and how it
found its first security issue early in development.

The main intention of this fuzzer is to use the signal from MSRC cases and
see if it can find the next bug before it gets reported which follows the
same pattern. The result was a cool browser fuzzer and the experiment
yielded interesting results.

The Target

We noticed a pattern in recent memory corruption bugs affecting both Edge
and Chromium where an extension was used as a proof of concept. This was
particularly interesting to me because I looked at extensions
<> a few years ago and
only found logic bugs and, with an itch to make an experimental fuzzer why
not try to create an extension based fuzzer for some variant hunting.

Now that I have a general component (Web Extensions) as a target, where to

When reading through all of the publicly disclosed chromium bugs that
involved an extension and a browser crash, two bugs from David Erceg
<> stood out (1188889
<>, 1190550
<>) where the
chrome.debugger.sendCommand was used and it was interesting.

The chrome.debugger extension API allows you to control some tabs using the
devtools protocol <>,
this is the same protocol remote debugging uses. The function sendCommand
stood out which looks like the following:

  target: Debuggee,
  method: string,
  commandParams?: object,
  callback?: function,

This looks like a promising function to start fuzzing.  [...]

I was able to access thousands of companies' passwords on #Azure and run code on their VMs. This includes access to Microsoft's own

geoff goodfellow <>
Tue, 14 Jun 2022 10:34:09 -0700
Here's HOW I did it.
This is the story of #SynLapse. (1/11)

New Syslogk Linux Rootkit Lets Attackers Remotely Command It Using "Magic Packets" (The Hacker News)

geoff goodfellow <>
Tue, 14 Jun 2022 09:56:44 -0700
A new covert Linux kernel rootkit named Syslogk has been spotted under
development in the wild and cloaking a malicious payload that can be
remotely commandeered by an adversary using a magic network traffic packet.

"The Syslogk rootkit is heavily based on Adore-Ng but incorporates new
functionalities making the user-mode application and the kernel rootkit hard
to detect," Avast security researchers David =C3=81lvarez and Jan Neduchal
said in a report published Monday.

Adore-Ng, an open-source rootkit
<> available
since 2004, equips the attacker with full control over a compromised
system. It also facilitates hiding processes as well as custom malicious
artifacts, files, and even the kernel module, making it harder to detect.

"The module starts by hooking itself into various file systems. It digs up
the inode for the root filesystem, and replaces that inode's readdir()
<> function pointer
with one of its own," noted <> at
the time. "The Adore version performs like the one it replaces, except that
it hides any files owned by a specific user and group ID."

Besides its capabilities to hide network traffic from utilities like netstat
<>, housed within the rootkit is a
payload named "PgSD93ql" that's nothing but a C-based compiled backdoor
trojan named Rekoobe
<> and gets
triggered upon receiving a magic packet. [...]

The surreal case of the disgruntled CIA hacker accused of exposing the agency's digital arsenal—King Josh

Monty Solomon <>
Mon, 13 Jun 2022 09:16:50 -0400

Coinbase lays off 1,100 employees in 18% cut

Lauren Weinstein <>
Tue, 14 Jun 2022 12:36:02 -0700

'The Music Has Stopped': Crypto Firms Quake as Prices Fall (NYTimes)

Lauren Weinstein <>
Tue, 14 Jun 2022 14:52:34 -0700
And the tulips are dying. Yet people have been urged to put their retirement
savings into this nightmare. People who couldn't possibly understand the
technology quicksand underpinning it. -L

Jay-Z and Jack Dorsey launched a Bitcoin academy in a public housing complex (TechCrunch)

Gabe Goldberg <>
Mon, 13 Jun 2022 23:21:23 -0400
Is billionaire-funded crypto education really what low-income people need?

Researchers Detail PureCrypter Loader Cyber Criminals Using to Distribute Malware (The Hacker New)

geoff goodfellow <>
Tue, 14 Jun 2022 09:58:38 -0700
Cybersecurity researchers have detailed the workings of a fully-featured
malware loader dubbed PureCrypter that's being purchased by cyber criminals
to deliver remote access trojans (RATs) and information stealers.

"The loader is a .NET executable obfuscated with SmartAssembly and makes
use of compression, encryption, and obfuscation to evade antivirus software
products," Zscaler's Romain Dumont said in a new report.>

Some of the malware families distributed using PureCrypter include Agent
Tesla <>,
, AsyncRAT <>,
AZORult <>,
DarkCrystal RAT
(DCRat), LokiBot
NanoCore <>,
RedLine Stealer
, Remcos <>,
Snake Keylogger
and Warzone RAT

Sold for a price of $59 by its developer named "PureCoder" for a one-month
plan (and $249 for a one-off lifetime purchase) since at least March 2021,
PureCrypter is advertised as the "only crypter in the market that uses
offline and online delivery technique."

Crypters act as the first layer of defense
reverse engineering and are typically used to pack the malicious payload.
PureCrypter also features what it says is an advanced mechanism to inject
the embedded malware into native processes and a variety of configurable
options to achieve persistence on startup and turn on additional options to
fly under the radar.

Also offered is a Microsoft Office macro builder and a downloader,
highlighting the potential initial infection routes that can be employed to
propagate the malware. [...]

Thefts, Fraud, and Lawsuits at the World's Biggest NFT Marketplace (NYTimes)

Gabe Goldberg <>
Sun, 12 Jun 2022 17:28:22 -0400
OpenSea, one of the highest-profile crypto start-ups, is facing a backlash
over stolen and plagiarized nonfungible tokens.

  Shocking, no?

CRISPR-Based Map Ties Every Human Gene to Its Function (Eva Frederick)

ACM TechNews <>
Mon, 13 Jun 2022 11:59:50 -0400 (EDT)
Eva Frederick, MIT News, 9 Jun 2022, via ACM TechNews, 13 Jun 2022

A group of researchers from the Massachusetts Institute of Technology (MIT),
Memorial Sloan Kettering Cancer Center, Princeton University, and
biotechnology company 10x Genomics have published the first comprehensive
functional map of genes expressed in human cells. The Perturb-seq map was
derived from CRISPR-Cas9 genome editing, which introduces genetic changes in
cells, then applies single-cell RNA sequencing to record data about RNAs
yielded by a given change. The researchers scaled up the technique to
encompass the full human genome; MIT's Jonathan Weissman used human blood
cancer cell lines and noncancerous retinal cells to conduct Perturb-seq
across 2.5 million-plus cells, and constructed a map linking genotypes to

Self-Driving Truck Will Deliver Goods to 34 Sam's Club Locations (Alexandra Skores)

ACM TechNews <>
Mon, 13 Jun 2022 11:59:50 -0400 (EDT)
Alexandra Skores, *The Dallas Morning News*, 7 Jun 2022,
via ACM TechNews, 13 Jun 2022

Starting in July, Gatik, a California-based autonomous trucking company,
will make deliveries to 34 Sam's Club locations in Dallas-Fort Worth, TX,
using autonomous 26-foot box trucks. Gatik's Richard Steiner said each truck
will make an average of three runs per day, driving about 100 miles
round-trip. The trucks initially will include a safety driver, but
eventually will operate without such a driver. Gatik started testing the
technology with Sam's Club parent company Walmart in December 2020,
operating on a seven-mile loop in Bentonville, AR. Said Steiner, "It's
something which is new for the space, and we're excited to be doing it first
here in Texas."

Has the U.S. Learned Nothing From the UK's Gambling Woes (WiReD)

Gabe Goldberg <>
Sun, 12 Jun 2022 21:25:35 -0400
As American sports betting accelerates, a similar reckoning is sure to

In essence, the "gamblification" of sports in the U.S. would shock a UK
bettor. "What has happened in the States since 2018, has, in so many ways,
been a 'Hold my beer' moment," says Darragh McGee, an assistant professor in
the Department of Health at the University of Bath who has examined the
impact of online sports gambling on young adult males in the UK. "Gambling
stateside has already accelerated far beyond what we would consider
acceptable here in the UK."

Re: Parameter Expansion Considered Dangerous (RISKS 33.25.26)

Cliff Kilby <>
Tue, 14 Jun 2022 18:06:44 -0400
A sidebar occurred between myself and Tom Van Vleck after the initial
publication of this RISKS item, and I believe that discussion has some value
for Risk's audience. As such, that side bar follows (edited to try to
provide more concrete guidelines).

Certainly true! ..and it's even more risky and complicated, because the
> special characters
> that cause expansion may be the result of other expansions.  For example,
> percent encoding
> might express <% as %3C%25.  or what about %253C%2525 if it is done
> twice.
> or \37253C\372525 if octal escapes are applied first and then percent
> escapes twice.
> Each program in a processing sequence scans an input string looking for
> "magic"
> character sequences, and replaces some patterns with builtin values or the
> result
> of another program.  The result of processing a string depends on the kind
> and order
> of expansions.
> Sometimes I worry about string sanitizing programs I have written, and
> whether they
> could catch every possible attack without making needed valid inputs
> inexpressible.
> --Tom Van Vleck

A sane framework or application limits its sanitizing to the characters it
considers magic and exposes that rule to developers and the rest of the
Input/Output chain as a function.  As the user input progresses through the
IO chain down from input down to processing and eventual storage, each
filter should take responsibility for its own magic characters. Upon
retrieval, the reverse of the chain should put the characters back.

As a developer I should not care if the filter replaces & with &amp; or
char-escape-seq-marker-start-ampersand-waka-waka, because if I want the
ampersand back, I should be able to ask that filter to give me the unsafe

The situation you describe appears to attempt to intercept data outside the
context it was developed in. To attempt this requires knowing the IO chain
that created the representation of the data you are viewing.

Of course, knowing the IO chain would require some kind of application
planning and agile has seemed to undermine that, so, without testing
literally every combination of characters, if you find yourself with an
unknowable filter stack, don't replace. Truncate. Limiting the domain of the
problem is the only reasonable response.

This advice does not hold for languages or frameworks that consider plain
text magic. (Hello to [0-9][a-zA-Z] and \p{L}).

If you don't know \p{L} and their sibling \p{M} let me give you an

If you know you have a form processor that only consumes human entered data,
put a Web Application Firewall in front of that endpoint and scrub out the
characters you will not accept, or provide errors to your users if they try
to submit a character you won't accept, based on your organizations' risk

If you know your API accepts XML, You're probably going to have to accept
'[' and '!', but, '(' is probably right out.

If you know your API accepts something that looks like URL query
parameters, you can replace/drop all the characters that didn't get encoded.

As always, test for both the positive and negative application flow before
implementing any kind of intercept, or if you find yourself intercepting
some active anomalous traffic, document everything, and consider rolling
back as soon as the anomalous traffic stops so you can perform in depth

Please report problems with the web pages to the maintainer