Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 32.64

RISKS-LIST: Risks-Forum Digest  Tuesday 4 May 2021  Volume 32 : Issue 64

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can also be found at

  Contents:
Feds Arrest an Alleged $336M Bitcoin-Laundering Kingpin (WiReD)
Dark web child abuse image site with 400,000 members taken down in global
  police sting (NBC News)
U.S. Mulling Domestic Spying Partnership with Private Companies
  (Infosecurity Magazine)
A New Line of Attack that Evades Spectre Defenses (Science Daily)
An ambitious plan to tackle ransomware faces long odds (Ars Technica)
Paying ransomware doesn't pay (Rob Slade)
Legal chatbot firm DoNotPay adds anti-facial recognition filters to its
  suite of handy tools (The Verge)
Known software issue grounds Ingenuity Mars copter as it attempted fourth
  flight (The Register)
Stealthy Linux backdoor malware spotted after three years of minding your
  business (The Register)
BadAlloc: Microsoft looked at memory allocation code in tons of devices and
  found this one common security flaw (The Register)
Pro-Trump web forums are abuzz with directions to forge Covid vaccine cards
  (NBC News)
How to give Feedback about the Feedback Form?
  (Dan Jacobson)
100 prohibited porcupine quills seized at Dulles Airport (Herndon, VA Patch)
Re: The Plane Paradox (Lars-Henrik Eriksson, Peter Bernard Ladkin)
Re: SolarWinds, Microsoft Hacks Prompt Focus on Zero-Trust Security
  (Richard Stein)
Re: Outlook/Exchange accounts under attack (Amos Shapir)
Re: Hundreds Lose Internet service (A Michael W Bacon)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 30 Apr 2021 23:51:23 -0400
From: Gabe Goldberg
Subject: Feds Arrest an Alleged $336M Bitcoin-Laundering Kingpin (WiReD)

Most remarkable, however, is the IRS's account of tracking down Sterlingov
using the very same sort of blockchain analysis that his own service was
meant to defeat. The complaint outlines how Sterlingov allegedly paid for the
server hosting of Bitcoin Fog at one point in 2011 using the now-defunct
digital currency Liberty Reserve. It goes on to show the blockchain evidence
that identifies Sterlingov's purchase of that Liberty Reserve currency with
bitcoins: He first exchanged euros for the bitcoins on the early
cryptocurrency exchange Mt. Gox, then moved those bitcoins through several
subsequent addresses, and finally traded them on another currency exchange
for the Liberty Reserve funds he'd use to set up Bitcoin Fog's domain.

Based on tracing those financial transactions, the IRS says, it then
identified Mt. Gox accounts that used Sterlingov's home address and phone
number, and even a Google account that included a Russian-language document
on its Google Drive offering instructions for how to obscure Bitcoin
payments. That document described exactly the steps Sterlingov allegedly
took to buy the Liberty Reserve funds he'd used.

The case shows yet another example of how Bitcoin, once widely believed to
be a powerful tool for making anonymous, untraceable transactions, has
turned out to be in many cases the very opposite.
The blockchain's ledger of all Bitcoin transactions since the
cryptocurrency's creation has often instead served as a means for law
enforcement to trace even years-old transactions.

https://www.wired.com/story/bitcoin-drug-deals-silk-road-blockchain/

The risk? Tracing the untraceable.

------------------------------

Date: Mon, 3 May 2021 20:56:51 -0400
From: Monty Solomon
Subject: Dark web child abuse image site with 400,000 members taken down in
  global police sting (NBC News)

Dark web child abuse image site with 400,000 members taken down in global
police sting

The three main suspects are accused of founding and maintaining the site, as
well as giving members advice on how to avoid arrest, German police said.

https://www.nbcnews.com/news/world/dark-web-child-abuse-image-site-400-000-members-taken-n1266108

------------------------------

Date: Tue, 4 May 2021 00:21:11 -0400
From: Gabe Goldberg
Subject: U.S. Mulling Domestic Spying Partnership with Private Companies
  (Infosecurity Magazine)

The Biden administration is reportedly considering teaming up with private
companies to monitor American citizens' private online activity and digital
communications.

According to news source CNN, multiple sources have said that the Department
of Homeland Security (DHS) is actively seeking a way to monitor citizens
online without having to first secure a warrant or prove that such
monitoring is an essential part of an ongoing investigation.

The sources said that a plan is being formed for the DHS to circumvent these
established checks to the government's power by working directly with
private firms.

Currently, only the unprotected information that Americans share on social
media sites and public online platforms can be accessed by federal
authorities. However, the alleged plan being formed by the DHS would allow
authorities to see what Americans are writing and sharing online in
access-restricted spaces such as private Facebook groups.
The plan is reportedly not centered on the decryption of data belonging to
Americans but is instead focused on getting outside entities with legal
access to the information being shared online to report what is being said
to the government.

Limits are also in place at the Central Intelligence Agency (CIA) and
National Security Administration (NSA) when it comes to domestic espionage.

https://www.infosecurity-magazine.com/news/private-companies-may-spy-on/

------------------------------

Date: Sat, 1 May 2021 10:21:17 -0400
From: Bob Gezelter
Subject: A New Line of Attack that Evades Spectre Defenses (Science Daily)

A team of computer-science researchers has uncovered a line of attack that
breaks all Spectre defenses, meaning that billions of computers and other
devices across the globe are just as vulnerable today as they were when
Spectre was first announced.

https://www.sciencedaily.com/releases/2021/04/210430165903.htm

  [This appears to be somewhat misguided reporting. Spectre defenses
  generally require hardware changes, and cannot be adequately resolved with
  existing hardware. The new CHERI hardware is trying to provide real
  solutions. Maybe *Science Daily* meant Meltdown? PGN]

------------------------------

Date: Sun, 2 May 2021 10:38:00 -0400
From: Monty Solomon
Subject: An ambitious plan to tackle ransomware faces long odds (Ars Technica)

Heavyweight task force proposes framework to tackle a major cybersecurity
problem.

https://arstechnica.com/information-technology/2021/05/an-ambitious-plan-to-tackle-ransomware-faces-long-odds/

------------------------------

Date: Mon, 3 May 2021 12:53:55 -0700
From: Rob Slade
Subject: Paying ransomware doesn't pay

OK, I have, elsewhere, expressed my opinion that paying the ransom for
ransomware is a bad idea.

https://community.isc2.org/t5/I/P/m-p/18736

First off, you are funding crime. Secondly, you are encouraging crime. (If
nobody paid the ransoms, they'd stop doing ransomware, wouldn't they?)
Then there are the various reasons why paying the ransomware isn't a good
idea in simply practical terms. Some of the ransomware was never intended to
allow you to recover. Some is badly coded, and doesn't work when decrypting.
Some of the ransomware families are simply based on symmetric encryption,
and one key decrypts all. (You can find lists of those, and the ways to
recover, at various places on the net.) Some of the ransomware groups are
just disorganized, and lose their keys.

(Then there are those who confuse ransomware with breachstortion, and are
talking about people who actually do steal your data, and then threaten to
publish it unless you pay up. Most of the same reasons why paying ransom to
them is a bad idea hold, with the addition of the fact that, if you pay the
ransom, you are relying on the promises and integrity of a bunch of thieves,
liars, and extortionists.)

(Oh, and that argument about the "business model" of ransomware and
breachstortion being based on them doing what they promise? That business
model only works if you are talking about return or repeat business. Are you
telling me that you are going to go through ransom or extortion with the
same group all over again? How stupid *are* you?)

Now some research from Sophos backs that up. If you pay, you've got a less
than 10% chance of getting all your data back.

https://www.forbes.com/sites/daveywinder/2021/05/02/ransomware-reality-shock-92-who-pay-dont-get-their-data-back

  [Speaking of "backs that up", can you spell "backup" -- which allows one
  to recover without paying. Yes, that does not help with breachstortion,
  but once again, the real answer seems to be better security in hardware
  and software, and more-aware users and admins.
  PGN]

------------------------------

Date: Tue, 4 May 2021 12:22:35 -0400
From: Monty Solomon
Subject: Legal chatbot firm DoNotPay adds anti-facial recognition filters to
  its suite of handy tools (The Verge)

https://www.theverge.com/2021/4/27/22405570/donotpay-ninja-anti-reverse-image-search-facial-recognition-filter

------------------------------

Date: Fri, 30 Apr 2021 21:15:31 -0400
From: Monty Solomon
Subject: Known software issue grounds Ingenuity Mars copter as it attempted
  fourth flight (The Register)

https://go.theregister.com/feed/www.theregister.com/2021/04/30/ingenuity_fourth_flight_flops/

------------------------------

Date: Fri, 30 Apr 2021 21:24:24 -0400
From: Monty Solomon
Subject: Stealthy Linux backdoor malware spotted after three years of
  minding your business (The Register)

https://go.theregister.com/feed/www.theregister.com/2021/04/29/stealthy_linux_backdoor_malware_spotted/

------------------------------

Date: Fri, 30 Apr 2021 21:24:14 -0400
From: Monty Solomon
Subject: BadAlloc: Microsoft looked at memory allocation code in tons of
  devices and found this one common security flaw (The Register)

https://go.theregister.com/feed/www.theregister.com/2021/04/29/microsoft_badalloc_iot/

------------------------------

Date: Sun, 2 May 2021 17:44:16 -0400
From: Monty Solomon
Subject: Pro-Trump web forums are abuzz with directions to forge Covid
  vaccine cards (NBC News)

Some states put templates online, spurring pro-Trump and anti-vaccination
forums to start spreading tips for how to create fake cards.

https://www.nbcnews.com/tech/tech-news/covid-vaccination-card-fraud-prompts-cdc-action-rcna802

------------------------------

Date: Sat, 01 May 2021 18:52:19 +0800
From: Dan Jacobson
Subject: How to give Feedback about the Feedback Form?

Let's say you are an extra big company, with an extra small single point of
contact: the Feedback Form. But what if it breaks? Every other form of
contact just plays a recording: "Please use the Feedback Form."
How to give Feedback about the Feedback Form?

1) Determine the headquarters of aforementioned extra big company is merely
   a couple miles from the headquarters of RISKS moderator PGN.

2) Send PGN on a mission to give a certain Mr. Zuckerberg feedback. PGN says
   "Having walked all the way from SRI, I'll be dead soon." Alas, the
   secretary says "He's with a client. I don't know what to do."

https://www.youtube.com/watch?v=Tp8XcAKYsKo

------------------------------

Date: Sat, 1 May 2021 00:10:35 -0400
From: Gabe Goldberg
Subject: 100 prohibited porcupine quills seized at Dulles Airport
  (Herndon, VA Patch)

"Travelers should be aware that those seemingly safe animal souvenirs they
purchase overseas may accidentally introduce animal diseases that could
devastate our livestock industries, sicken our citizens, and impact our
nation's economy," said Keith Fleming, acting director of Field Operations
for CBP's Baltimore Field Office, in a release. "Customs and Border
Protection remains on our nation's frontline as protectors of our
agricultural resources, and we will continue to work with our partners to
intercept all potential threats at our nation's ports of entry."

https://patch.com/virginia/herndon/100-prohibited-porcupine-quills-seized-dulles-airport

------------------------------

Date: Sat, 1 May 2021 07:18:44 +0200
From: Lars-Henrik Eriksson
Subject: Re: The Plane Paradox: More Automation Should Mean More Training
  (WiReD, RISKS-32.63)

> "Shortly after a Smartlynx Estonian Airbus 320 took off on February 28,
> 2018, all four of the aircraft's flight control computers stopped
> working."

That description is misleading to the point of being incorrect. The
incident began on the runway during a touch and go after several hours of
training flights the same day. During that time there had been almost a
dozen alerts that something was wrong with the pitch-control system. All
alerts had been reset and then ignored.
At some point one alert was not reset, causing a loss of redundancy.

Indeed, one of the causal factors determined by the accident investigation
was the training instructor's decision to continue the training flights
despite the multiple fault messages. So arguably this was not a case of
automation surprising pilots, but rather of poor decision-making.

Accident investigation report:
https://www.ojk.ee/et/system/files/fail/manus/ee0180_es_san_investigation_report.pdf

------------------------------

Date: Sat, 1 May 2021 11:37:21 +0200
From: Peter Bernard Ladkin
Subject: Re: The Plane Paradox (RISKS-32.63)

> "Shortly after a Smartlynx Estonian Airbus 320 took off on February 28,
> 2018, all four of the aircraft's flight control computers stopped
> working. ... Only the skill of the instructor pilot on board prevented a
> fatal crash."

This, of course, is nonsense.

1. The A320 has two elevator aileron computers (ELAC), three spoiler
   elevator computers (SEC), and two flight augmentation computers (FAC),
   for a total of seven. The aerodynamic control surface actuators are
   commanded by combinations of these.

2. There is no way to control the aircraft aerodynamically if all FCCs fail.

------------------------------

Date: Sat, 1 May 2021 11:20:01 +0800
From: Richard Stein
Subject: Re: SolarWinds, Microsoft Hacks Prompt Focus on Zero-Trust Security
  (James Rundle, RISKS-32.63)

James Rundle wrote:

"At an April 22 virtual event hosted by Cyber Education Institute LLC's
Billington Cybersecurity unit, U.S. Department of Defense's John Sherman
said the public and private sectors should adopt zero-trust models that
constantly verify whether a device, user, or program should be able to do
what it is asking to do."
The "Zero Trust Architecture" from
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

Deployment of ZTA strategies appears to advocate a centralized policy
decision point (PDP) and policy enforcement point (PEP) that oversees and
continuously monitors identity, credential, access, and authorization to
legitimate an organization's resources (devices, services, and users). A
complex, multi-dimensional privilege matrix is likely monitored and
characterized for resource operation based on access, authorization,
feature/capability/purpose, role, etc.

On paper, ZTA enhances infosec defense-in-depth and is proactive. This is a
significant change from the reactive infosec practices widely deployed today
that invite data breach/malware infection.

Risk: Legitimized resource access through a control gateway. Compromise the
PDP/PEP and/or the policy administrator who operates it, and the resource is
compromised.

------------------------------

Date: Sun, 2 May 2021 17:33:17 +0300
From: Amos Shapir
Subject: Re: Outlook/Exchange accounts under attack (Slade, RISKS-32.63)

Me too. The source of the leaked (or rather publicized) email addresses is
none other than the RISKS list itself, and its archives. These addresses
are gathered in bunches which are sold over and over; a new wave of junk
appears each time a bunch is bought by a new operator. (Your address may
appear several times in each bunch).

------------------------------

Date: Sat, 1 May 2021 13:26:35 +0100
From: A Michael W Bacon
Subject: Re: Hundreds Lose Internet service (RISKS-32.63)

  [Michael was really surprised that I ESCHEWED the opportunity to make a
  pun. How about "Beaver damns the Internet"? PGN]

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 32.64
************************
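Editor's worked example for the WiReD/Bitcoin Fog item above. The story says investigators followed coins from a Mt. Gox withdrawal "through several subsequent addresses" to another exchange; the code below is an added illustration of how such a follow-the-money trace works over a UTXO ledger, and is not code from the WiReD story, the IRS complaint or any blockchain-analysis vendor. The ledger, txids, addresses, amounts and "exchange" tags are all constructed. It goes one step beyond the text by also applying the common-input-ownership heuristic, which is how several addresses on a path get attributed to one wallet.

```python
"""Follow-the-money over a toy UTXO ledger.

Added example: not code from the WiReD story or the IRS complaint. The
ledger, txids, addresses, amounts and exchange tags are constructed so the
trace runs offline.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: list   # (prev_txid, vout) outpoints this tx spends; "coinbase" = newly mined
    outputs: list  # (address, value_btc) in output order


# Constructed ledger: 10 BTC leave exchange X to A1, are split into a payment
# (A2) and change (A3), the payment hops once more (A4), and both branches are
# finally spent together into a deposit address at exchange Y.
LEDGER = [
    Tx("tx1", [("coinbase", 0)], [("A1", 10.0)]),
    Tx("tx2", [("tx1", 0)], [("A2", 6.0), ("A3", 3.99)]),
    Tx("tx3", [("tx2", 0)], [("A4", 5.99)]),
    Tx("tx4", [("tx3", 0), ("tx2", 1)], [("EX_Y_DEPOSIT", 9.97)]),
    Tx("tx5", [("coinbase", 1)], [("UNRELATED", 1.0)]),
]

# Constructed attribution data: addresses the investigator already knows.
KNOWN_TAGS = {"A1": "exchange X withdrawal", "EX_Y_DEPOSIT": "exchange Y deposit"}


def index_ledger(ledger):
    """Map each outpoint to the address it paid, and each address to the txs that spend from it."""
    out_addr = {}
    spends = defaultdict(list)
    for tx in ledger:
        for vout, (addr, _) in enumerate(tx.outputs):
            out_addr[(tx.txid, vout)] = addr
    for tx in ledger:
        for prev in tx.inputs:
            if prev in out_addr:  # coinbase inputs have no prior address
                spends[out_addr[prev]].append(tx)
    return out_addr, spends


def trace_forward(ledger, start_addr, tagged):
    """Enumerate every simple address path from start_addr to a tagged address,
    together with the txids that carry the coins along that path."""
    _, spends = index_ledger(ledger)
    found = []

    def walk(addr, path, txs):
        if addr in tagged and addr != start_addr:
            found.append((path, txs))
            return
        for tx in spends[addr]:
            for nxt, _ in tx.outputs:
                if nxt not in path:  # simple paths only, no cycles
                    walk(nxt, path + [nxt], txs + [tx.txid])

    walk(start_addr, [start_addr], [])
    return found


def cluster_by_common_input(ledger):
    """Common-input-ownership heuristic: addresses whose outputs are spent
    together in one transaction are assumed to belong to one wallet (union-find)."""
    out_addr, _ = index_ledger(ledger)
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path compression
            a = parent[a]
        return a

    for tx in ledger:
        addrs = [out_addr[p] for p in tx.inputs if p in out_addr]
        for a in addrs:
            find(a)
        for a in addrs[1:]:
            parent[find(a)] = find(addrs[0])
    clusters = defaultdict(set)
    for a in list(parent):
        clusters[find(a)].add(a)
    return {frozenset(c) for c in clusters.values()}


if __name__ == "__main__":
    for path, txs in trace_forward(LEDGER, "A1", KNOWN_TAGS):
        print(" -> ".join(path), "via", ", ".join(txs))
    for c in cluster_by_common_input(LEDGER):
        print("same wallet:", sorted(c))
```

Both branches reach the exchange Y deposit, and the change output (A3) is what ties them together: because A3 and A4 are spent in the same transaction, the heuristic places them in one wallet, which is the kind of linkage that lets a years-old withdrawal be connected to a later exchange account. On a real chain the ledger would be read from a node or an index rather than embedded, and the tags would come from exchange records, seized data or prior cases.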
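Editor's worked example for Richard Stein's zero-trust item above. He describes a centralized PDP/PEP that is consulted on every request and notes that compromising the PDP/PEP or its policy administrator compromises the resource. The code below is an added illustration of that shape, not from NIST SP 800-207, the WSJ article or any product: a PEP that asks a PDP to evaluate subject, device posture, action and resource per request, with one practitioner's check added, integrity-checking the policy bundle and failing closed if it has been altered. The rule format, device-posture fields, signing key and request data are constructed.

```python
"""Toy zero-trust policy decision point (PDP) and policy enforcement point (PEP).

Added example: not from NIST SP 800-207 or the digest. The rule format,
device-posture fields, the signing key and the request data are constructed.
"""
import hashlib
import hmac
import json

# Constructed key: the policy administrator signs bundles with it and the PDP
# verifies against it. A real deployment would use an asymmetric key so the
# PDP holds only the public half and cannot mint policy itself.
POLICY_SIGNING_KEY = b"constructed-policy-admin-key"


def sign_policy(rules, key=POLICY_SIGNING_KEY):
    """Canonically serialise the rules and attach an HMAC-SHA256 tag."""
    body = json.dumps(rules, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class PolicyDecisionPoint:
    """Loads a signed policy bundle and answers allow/deny per request."""

    def __init__(self, bundle, key=POLICY_SIGNING_KEY):
        expected = hmac.new(key, bundle["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, bundle["tag"]):
            raise ValueError("policy bundle failed integrity check")
        self.rules = json.loads(bundle["body"])

    def decide(self, subject, device, action, resource):
        """Allow only when the per-request context (MFA, managed and patched
        device) is acceptable and some rule matches resource, action and role."""
        if not (subject["mfa"] and device["managed"] and device["patched"]):
            return False
        return any(
            rule["resource"] == resource
            and action in rule["actions"]
            and subject["role"] in rule["roles"]
            for rule in self.rules
        )


class PolicyEnforcementPoint:
    """Gateway in front of the resource; consults the PDP on every request."""

    def __init__(self, bundle):
        try:
            self.pdp = PolicyDecisionPoint(bundle)
        except ValueError:
            self.pdp = None  # fail closed: no trustworthy policy, no access

    def handle(self, subject, device, action, resource):
        if self.pdp is None:
            return "deny"
        return "allow" if self.pdp.decide(subject, device, action, resource) else "deny"


# Constructed policy: HR may read payroll, HR admins may also write.
RULES = [
    {"resource": "payroll-db", "actions": ["read"], "roles": ["hr"]},
    {"resource": "payroll-db", "actions": ["read", "write"], "roles": ["hr-admin"]},
]


def demo():
    """Run a few requests through the PEP and return the decisions by name."""
    bundle = sign_policy(RULES)
    pep = PolicyEnforcementPoint(bundle)
    alice = {"id": "alice", "role": "hr", "mfa": True}
    good_dev = {"managed": True, "patched": True}
    stale_dev = {"managed": True, "patched": False}
    results = {
        "hr_read_good_device": pep.handle(alice, good_dev, "read", "payroll-db"),
        "hr_write_good_device": pep.handle(alice, good_dev, "write", "payroll-db"),
        "hr_read_stale_device": pep.handle(alice, stale_dev, "read", "payroll-db"),
    }
    # An attacker with write access to the policy store rewrites the bundle so
    # every role may do anything. Without the tag check the PEP would obey it;
    # with the check, the tampered bundle is rejected and the PEP denies.
    tampered = dict(bundle)
    tampered["body"] = json.dumps(
        [{"resource": "payroll-db", "actions": ["read", "write"],
          "roles": ["hr", "hr-admin", "guest"]}]
    )
    rogue_pep = PolicyEnforcementPoint(tampered)
    results["hr_write_tampered_policy"] = rogue_pep.handle(alice, good_dev, "write", "payroll-db")
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The tag check only protects the policy store. If the PDP host itself, or the key that signs policy, is in the attacker's hands, the gateway will faithfully enforce the attacker's rules, which is exactly Stein's point: the PDP/PEP and its administrator become the most valuable target in the estate and need the tightest change control and monitoring of any component.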