The RISKS Digest
Volume 34 Issue 09

Wednesday, 6th March 2024

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents

White House urges developers to dump C and C++
Steve Bacher
NZ Leap Day Self Pay Petrol Pump Failures
sundry via Jim Geissman and Brian Inglis
Risks of Leap Years and Dumb Digital Watches
Mark Brader
Health-care hack spreads pain across hospitals and doctors nationwide
WashPost via Jan Wolitzky
Cyberattack Paralyzes the Largest U.S. Health Care Payment System
NYTimes.com via Jim Geissman
Re: Healthcare Cyberattack
Doug McIlroy
More than 2 Million Research Papers Have Disappeared from the Internet
Sarah Wild
GitHub Besieged by Millions of Malicious Repositories in Ongoing Attack
Dan Goodin
A Vending Machine Error Revealed Secret Face Recognition Tech
WiReD
Vending machines had eyes all over this Ontario campus until the students wised up
CBC
End-to-End Encryption under attack in Nevada
Mastodon
1-million books and 4-months later, Toronto's library recovers from a cyberattack
CBC via Matthew Kruk
Anycubic 3D Printers Hacked in Attempt to Inform Owners of Security Hole
Christopher Harper
‘Keytrap’ DNS bug threatens widespread Internet outages
Becky Bracken
Wyze security issue exposed private cameras to strangers
Heather Kelly
Fingerprints Recreated from Sounds of Swiping a Touchscreen
Mark Tyson
Algorithm Reveals What's Hidden
Rizwan Choudhury
‘AI Godfather’, Others Urge More Deepfake Regulation
Amy Tong
AI feedback loop will spell death for future generative models
TechSpot
Malware Worm Can Poison ChatGPT, Gemini-Powered Assistants
Kate Irwin
“AI Warfare Is Already Here”
Katrina Manson
I'm begging you not to Google for airline customer service numbers
Monty Solomon on a WashPost item
comp.risks via Panix?
Ed Ravin on the servers
Info on RISKS (comp.risks)

White House urges developers to dump C and C++

Steve Bacher <sebmb1@verizon.net>
Wed, 28 Feb 2024 11:18:38 -0800

Biden administration calls for developers to embrace memory-safe programming languages and move away from those that cause buffer overflows and other memory access vulnerabilities.

The new 19-page report from ONCD gave C and C++ as two examples of programming languages with memory safety vulnerabilities, and it named Rust as an example of a programming language it considers safe. In addition, an NSA cybersecurity information sheet from November 2022 listed C#, Go, Java, Ruby, and Swift, in addition to Rust, as programming languages it considers to be memory-safe. <https://media.defense.gov/2022/Nov/10/2003112742/-1/-1/0/CSI_SOFTWARE_MEMORY_SAFETY.PDF> https://www.infoworld.com/article/3713203/white-house-urges-developers-to-dump-c-and-c.html

(About time! I've been griping about C and C++ design for decades. SB)
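For readers who have not met the defect class the report is about, here is an added example (written for this issue; it is not code from the article, the ONCD report, or the NSA information sheet). The unchecked function is the pattern C permits and the report objects to; the checked one is the same operation with the bound enforced. The field name `name`, its length `NAME_LEN`, and the helper names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* a fixed-size field, as in many C record layouts */

/* Bounded string length, so the length check itself cannot run off the
   end of an unterminated input. */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* The pattern the report warns about: strcpy() trusts the caller and keeps
   writing until it finds a NUL byte, so any input of NAME_LEN bytes or more
   writes past the end of name[]. Nothing in the language stops it. */
void store_name_unchecked(char name[NAME_LEN], const char *input) {
    strcpy(name, input);
}

/* Hardened form: measure first, then refuse anything that does not fit
   together with its terminator. Refusing, rather than silently truncating,
   keeps callers from acting on a mangled value. */
bool store_name_checked(char name[NAME_LEN], const char *input) {
    size_t n = bounded_len(input, NAME_LEN);
    if (n >= NAME_LEN)
        return false;          /* would overflow: reject */
    memcpy(name, input, n);
    name[n] = '\0';
    return true;
}

/* Convenience wrapper: stored length on success, -1 if the input was rejected. */
int try_store(const char *input) {
    char name[NAME_LEN] = {0};
    return store_name_checked(name, input) ? (int)strlen(name) : -1;
}

int main(void) {
    const char *inputs[] = {
        "alice",                                   /* fits */
        "exactly15chars!",                         /* 15 bytes + NUL: fits */
        "sixteen_chars_xx",                        /* 16 bytes + NUL: rejected */
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-20s -> %d\n", inputs[i], try_store(inputs[i]));
    return 0;
}
```

The memory-safe languages the report names make the checked form the only form available: an out-of-bounds write is either a compile error or a runtime fault, not silent corruption.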


NZ Leap Day Self Pay Petrol Pump Failures (sundry)

“Jim” <jgeissman@socal.rr.com>
Thu, 29 Feb 2024 09:21:08 -0800

Dozens of unattended fuel stations across the country stopped working on Thursday for hours because of a software issue.

https://www.nytimes.com/2024/02/29/world/asia/new-zealand-leap-year-glitch-gas-pumps.html


Risks of Leap Years and Dumb Digital Watches

Mark Brader <msb@Vex.Net>
Thu, 29 Feb 2024 06:24:19 -0500 (EST)

[1] saw a previous version of this message in RISKS-6.34, 13.21, 17.81, 20.83, 23.24, 25.07, 26.75, 29.30, and/or 31.60;

[2] still wear a wristwatch instead of using a cellphone or something as a pocket watch;

[3] have the kind that needs to be set back a day because (unlike the smarter types that track the year or receive information from external sources) it went directly from February 28 to March 1;

and

[4] hadn't realized it yet?

(For myself, point 3 no longer applies. I replaced my old, worn-out Timex with a superficially identical new one and found that it does track the year.)
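The two leap-day items above are related: the NZ pumps are reported only as a "software issue" on 29 Feb, while the watch item spells out the mechanism (a calendar that never consults the year treats every February as 28 days). The following is an added example written for this issue, not code from either post or from any affected product. It contrasts the Gregorian rule with a year-blind rollover, and the `year_aware` flag and `date_t` type are illustrative names.

```c
#include <stdbool.h>
#include <stdio.h>

typedef struct { int year, month, day; } date_t;

/* Gregorian rule: every 4th year is leap, except centuries, except every
   400th year (so 2000 and 2024 are leap years; 1900 and 2023 are not). */
bool is_leap(int year) {
    return (year % 4 == 0 && year % 100 != 0) || (year % 400 == 0);
}

static const int MONTH_DAYS[12] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};

/* Month length without a year: what a watch that only stores month and
   day can compute. February is always 28. */
int naive_days_in_month(int month) {
    if (month < 1 || month > 12) return 0;
    return MONTH_DAYS[month - 1];
}

/* Correct month length: February depends on the year. */
int days_in_month(int year, int month) {
    if (month == 2 && is_leap(year)) return 29;
    return naive_days_in_month(month);
}

/* Roll the calendar forward one day. year_aware = false reproduces the
   "dumb watch": 28 Feb rolls straight to 1 Mar even in a leap year. */
date_t next_day(date_t d, bool year_aware) {
    int len = year_aware ? days_in_month(d.year, d.month)
                         : naive_days_in_month(d.month);
    if (d.day < len) {
        d.day++;
    } else {
        d.day = 1;
        if (d.month == 12) { d.month = 1; d.year++; }
        else d.month++;
    }
    return d;
}

/* Pack a date as YYYYMMDD so results are easy to compare. */
int date_as_int(date_t d) { return d.year * 10000 + d.month * 100 + d.day; }

int main(void) {
    date_t feb28 = {2024, 2, 28};
    printf("year-aware: %d\n", date_as_int(next_day(feb28, true)));
    printf("dumb watch: %d\n", date_as_int(next_day(feb28, false)));
    return 0;
}
```

The failure is silent: both paths return a plausible date, and nothing downstream can tell which one was produced. Any system that derives an expiry, a schedule, or a transaction window from the naive path will be one day off until someone notices, which is why 29 Feb is worth a test case in anything that touches dates.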


Health-care hack spreads pain across hospitals and doctors nationwide (WashPost)

Jan Wolitzky <jan.wolitzky@gmail.com>
Mon, 4 Mar 2024 07:19:41 -0500

The fallout from the hack of a little-known but pivotal health-care company is inflicting pain on hospitals, doctor offices, pharmacies and millions of patients across the nation, with government and industry officials calling it one of the most serious attacks on the health-care system in U.S. history.

The 21 Feb 2024 cyberattack on Change Healthcare, owned by UnitedHealth Group, has cut off many health-care organizations from the systems they rely on to transmit patients' health-care claims and get paid. The ensuing outage doesn't appear to affect any of the systems that provide direct, critical care to patients. But it has laid bare a vulnerability that cuts across the U.S. health-care system, frustrating patients unable to pay for their medications at the pharmacy counter and threatening the financial solvency of some organizations that rely heavily on Change's platform.

<https://wapo.st/48UdFzj>


Cyberattack Paralyzes the Largest U.S. Health Care Payment System (NYTimes.com)

“Jim” <jgeissman@socal.rr.com>
Tue, 5 Mar 2024 18:46:21 -0800

The hacking shut down the nation's biggest health care payment system, causing financial chaos that affected a broad spectrum ranging from large hospitals to single-doctor practices.

https://www.nytimes.com/2024/03/05/health/cyberattack-healthcare-cash.html?unlocked_article_code=1.ak0.DC0g.Vjacvvma4SOQ


Re: Healthcare Cyberattack

Douglas McIlroy <douglas.mcilroy@dartmouth.edu>
Wed, 6 Mar 2024 10:04:42 -0500

This article came as a complete surprise, although it's about an attack that happened two weeks ago: https://www.nytimes.com/2024/03/05/health/cyberattack-healthcare-cash.html

How did UnitedHealth (the parent of Change Healthcare) keep it out of the news so long? Or have these things become so common that they're no longer newsworthy?


More than 2 Million Research Papers Have Disappeared from the Internet (Sarah Wild)

ACM TechNews <technews-editor@acm.org>
Wed, 6 Mar 2024 12:48:32 -0500 (EST)

Sarah Wild, Nature, 4 Mar 2024, via ACM TechNews

Martin Eve of the U.K.'s University of London assessed whether 7,438,037 research papers with digital object identifiers (DOIs) were held in archives and determined that around 28%, or more than 2 million, were not held in a major digital archive despite having an active DOI. Only 58% of the sample had been stored in at least one archive. However, Eve's research focuses only on articles with DOIs and did not involve a search of every digital repository.


GitHub Besieged by Millions of Malicious Repositories in Ongoing Attack (Dan Goodin)

ACM TechNews <technews-editor@acm.org>
Wed, 6 Mar 2024 12:48:32 -0500 (EST)

Dan Goodin, Ars Technica, 28 Feb 2024, via ACM TechNews

An ongoing cyberattack at GitHub has resulted in millions of malicious code repositories that use malware to steal developers' passwords and cryptocurrency. GitHub's “automation detection seems to miss many repos,” contend Apiiro security researchers Matan Giladi and Gil David, “and the ones that were uploaded manually survive. Because the whole attack chain seems to be mostly automated on a large scale, the 1% that survive still amount to thousands of malicious repos.”


A Vending Machine Error Revealed Secret Face Recognition Tech (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sat, 24 Feb 2024 23:03:02 -0500

Canada-based University of Waterloo is racing to remove M&M-branded smart vending machines from campus after outraged students discovered the machines were covertly collecting face recognition data without their consent.

The scandal started when a student using the alias SquidKid47 posted an image on Reddit showing a campus vending machine error message, “Invenda.Vending.FacialRecognitionApp.exe,” displayed after the machine failed to launch a face recognition application that nobody expected to be part of the process of using a vending machine.

“Hey, so why do the stupid M&M machines have facial recognition?” SquidKid47 pondered.

The Reddit post sparked an investigation from a fourth-year student named River Stanley, who was writing for a university publication called MathNEWS.

https://www.wired.com/story/facial-recognition-vending-machine-error-investigation

The risks? Error messages. Like airport displays, billboards, etc. showing fatal Windows errors.


Vending machines had eyes all over this Ontario campus until the students wised up (CBC)

Matthew Kruk <mkrukg@gmail.com>
Tue, 27 Feb 2024 06:53:09 -0700

https://www.cbc.ca/news/business/vending-machine-facial-analysis-invenda-waterloo-1.7126196

An Ontario university is pulling dozens of vending machines that were tracking the age and gender of customers in the latest example of pushback against technology that tests the boundaries of privacy rules.

The move comes amid opposition from University of Waterloo students, who became aware of the technology after a Reddit user spotted an on-screen error message on one of the machines earlier this month, about an apparent problem with its facial recognition program.


End-to-End Encryption under attack in Nevada (Mastodon)

Peter Neumann <neumann@csl.sri.com>
Fri, 23 Feb 2024 15:32:12 PST

Idiots who don't understand the importance of ENCRYPTION, SECURITY, PRIVACY? Or just ANTI-TECHNOLOGISTS?

https://mastodon.lawprofs.org/@riana/111982802756354530


1-million books and 4-months later, Toronto's library recovers from a cyberattack (CBC)

Matthew Kruk <mkrukg@gmail.com>
Tue, 27 Feb 2024 06:54:30 -0700

https://www.cbc.ca/news/canada/toronto/toronto-library-ransomware-recovery-1.7126412

More than four months after a ransomware attack shut down the Toronto Public Library's computer systems, staff are finally putting a million stranded books back on the shelves.

At the library's distribution centre in the east end of the city, Domenic Lollino wheeled pallet after pallet of library books off a tractor-trailer — one of 15 such vehicles storing those books that were returned while the electronic cataloguing system was down.

“It's a big backlog,” he said, and it means employees like him are working 12-hour shifts to get through it all.


Anycubic 3D Printers Hacked in Attempt to Inform Owners of Security Hole (Christopher Harper)

ACM TechNews <technews-editor@acm.org>
Wed, 6 Mar 2024 12:48:32 -0500 (EST)

Christopher Harper, Tom's Hardware, 1 Mar 2024, via ACM TechNews

Hackers reportedly discovered security vulnerabilities in Anycubic 3D printers and are using a readme file on the printer display to inform users about the issue and encourage them to disable the Internet connection until a patch is issued. The hackers indicated that they had contacted Anycubic regarding the two critical security flaws they uncovered but resorted to informing users directly after not receiving a response from the company.


‘Keytrap’ DNS bug threatens widespread Internet outages (Becky Bracken)

ACM Technews <Technews-editor@acm.org>
Fri, 23 Feb 2024 11:13:07 -0500 (EST)

Becky Bracken, Dark Reading, 20 Feb 2024, via ACM Technews

Researchers at Germany's ATHENE (National Research Center for Applied Cybersecurity) found a design flaw in a domain name system (DNS) security extension that could cause widespread Internet disruptions if it were exploited on multiple DNS servers simultaneously. DNS servers that use the DNSSEC extension to validate traffic are vulnerable to the “keytrap” DNS bug, which has existed since 2000. The researchers worked with Google, Cloudflare, and other major DNS service providers on patches before publishing their work.


Wyze security issue exposed private cameras to strangers (Heather Kelly)

ACM Technews <technews-editor@acm.org>
Fri, 23 Feb 2024 11:13:07 -0500 (EST)

Heather Kelly, The Washington Post, 20 Feb 2024, via ACM Technews

Kirkland, WA-based Wyze said about 13,000 users of its security cameras were able to view sensitive content from the devices of other users when the cameras came back online 16 Feb following an hours-long service outage attributed to Amazon Web Services. Some users were able to see thumbnails from other users' feeds in their apps and clicked to view the videos. Wyze attributed the mixup of device IDs and user ID mapping to a partner that has since fixed the issue.


Fingerprints Recreated from Sounds of Swiping a Touchscreen (Mark Tyson)

ACM TechNews <technews-editor@acm.org>
Fri, 23 Feb 2024 11:13:07 -0500 (EST)

Mark Tyson, Tom's Hardware, 19 Feb 2024, via ACM TechNews

Researchers in the U.S. and China have demonstrated a side-channel attack on the Automatic Fingerprint Identification System that allows fingerprint pattern features to be extracted from the sounds of a user's finger swiping a touchscreen. The attack, dubbed PrintListener, can be made through apps like Discord, Skype, WeChat, and FaceTime when a device's microphone is on. Tests of PrintListener found it could extract up to 27.9% of partial fingerprints, and 9.3% of complete fingerprints, within five attempts at the highest-security false acceptance rate setting of 0.01%.


Algorithm Reveals What's Hidden (Rizwan Choudhury)

ACM TechNews <technews-editor@acm.org>
Fri, 23 Feb 2024 11:13:07 -0500 (EST)

Rizwan Choudhury, Interesting Engineering, 20 Feb 2024, via ACM TechNews

An algorithm developed by University of South Florida (USF) researchers can produce 3D models of scenes behind walls, doors, and cars using the faint shadows cast by objects on nearby surfaces. The algorithm can reconstruct hidden scenes in just minutes using a single photo from a digital camera. Said USF's John Murray-Bruce, “We live in a 3D world, so obtaining a more complete 3D picture of a scenario can be critical in several situations and applications.”


‘AI Godfather’, Others Urge More Deepfake Regulation (Amy Tong)

ACM TechNews <technews-editor@acm.org>
Fri, 23 Feb 2024 11:13:07 -0500 (EST)

Anna Tong, Reuters, 21 Feb 2024, via ACM TechNews

More than 400 AI experts and executives from various industries, including AI “godfather” and ACM A.M. Turing Award laureate Yoshua Bengio, signed an open letter calling for increased regulation of deepfakes. The letter states, “Today, deepfakes often involve sexual imagery, fraud, or political disinformation. Since AI is progressing rapidly and making deepfakes much easier to create, safeguards are needed.” The letter provides recommendations for regulation, such as criminal penalties for individuals who knowingly produce or facilitate the spread of harmful deepfakes, and requiring AI companies to prevent their products from creating harmful deepfakes.


AI feedback loop will spell death for future generative models (TechSpot)

<farber@keio.jp>
Sat, 24 Feb 2024 18:25:53 +0900

https://www.techspot.com/news/99064-ai-feedback-loop-spell-death-future-generative-models.html

Forward-looking: Popular Large Language Models (LLM) such as OpenAI's ChatGPT have been trained on human-made data, which still is the most abundant type of content available on the Internet right now. The future, however, could hold some very nasty surprises for the reliability of LLMs trained almost exclusively on previously generated blobs of AI bits.


Malware Worm Can Poison ChatGPT, Gemini-Powered Assistants (Kate Irwin)

ACM TechNews <technews-editor@acm.org>
Wed, 6 Mar 2024 12:48:32 -0500 (EST)

Kate Irwin, PC Magazine, 1 Mar 2024, via ACM TechNews

A “zero-click” AI worm able to launch an “adversarial self-replicating prompt” via text and image inputs has been developed by researchers at Cornell University, Intuit, and Technion—Israel Institute of Technology to exploit OpenAI's ChatGPT-4, Google's Gemini, and the LLaVA open source AI model. In a test of affected AI email assistants, the researchers found that the worm could extract personal data, launch phishing attacks, and send spam messages. The researchers attributed the self-replicating malware's success to “bad architecture design” in the generative AI ecosystem.


“AI Warfare Is Already Here” (Katrina Manson)

ACM TechNews <technews-editor@acm.org>
Wed, 6 Mar 2024 12:48:32 -0500 (EST)

Katrina Manson, Bloomberg, 28 Feb 2024

In recent weeks, the U.S. Department of Defense's Maven Smart System was used to identify rocket launchers in Yemen and surface vessels in the Red Sea and assisted in narrowing down targets in Iraq and Syria. Maven, which merges satellite imagery, sensor data, and geolocation data into a single computer interface, uses machine learning to identify personnel and equipment on the battlefield and detect weapons factories and other objects of interest in various environmental conditions.


I'm begging you not to Google for airline customer service numbers

Monty Solomon <monty@roscom.com>
Tue, 27 Feb 2024 23:24:36 -0500

Sure, probably that's the right number for Delta. But it could be a crook posing as an airline representative. Here's what to do instead of trusting Google.

https://www.washingtonpost.com/technology/2024/02/27/airline-customer-service-phone-numbers/


comp.risks via Panix?

Ed Ravin <eravin@panix.com>
Tue, 27 Feb 2024 23:33:06 -0500

It's hard to find a good news server these days. Even Google has dropped their Usenet connection—no new Usenet articles in Google Groups starting last week.

If you want RISKS without having to search around, go straight to the official archive: http://catless.ncl.ac.uk/Risks/ [rather than https during the slowness of the NCL admins. PGN]
