Subject: Risks Digest 32.67

RISKS-LIST: Risks-Forum Digest  Thursday 13 May 2021  Volume 32 : Issue 67

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can also be found at

  Contents:
Colonial Pipeline not likely to pay millions in ransom demanded by hackers
  (CNN Politics)
A Closer Look at the DarkSide Ransomware Gang (Krebs on Security)
Look who's hiring at Colonial (Richard Forno)
Ransomware Gang Leaks Metropolitan Police Data After Failed Negotiations
  (The Hacker News)
Fact Sheet on Biden Cybersecurity EO (The White House)
ICAO Updates Effort To Clean Up NOTAM 'Garbage' (AVweb)
Covid pandemic was preventable, says WHO-commissioned report (Sarah Boseley)
Dark Web Getting Loaded With Bogus Covid-19 Vaccines and Forged Cards
  (The Hacker News)
Re: Marvin Minsky hacked? (Martin Ward)
Re: A mom panicked when her 4-year-old bought $2,600 in SpongeBob Popsicles
  (Bernie Cosell, Martin Ward)
Re: I have been pwned! -- but not really (DJC)
Cybersecurity, Nuclear Weapon Systems and Strategic Stability: Webinar
  (Diego Latella)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 13 May 2021 15:22:34 -0400
From: Gabe Goldberg
Subject: Colonial Pipeline not likely to pay millions in ransom demanded by
  hackers (CNN Politics)

  [Spoiler Alert: The subject line is FALSE.
  https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom
  PGN]

Meanwhile, new details are emerging about Colonial's decision to proactively
shut down its pipeline last week, a move that has led to panic buying and
massive lines at the gas pump.
The company halted operations because its billing system was compromised,
three people briefed on the matter told CNN, and they were concerned they
wouldn't be able to figure out how much to bill customers for fuel they
received. One person familiar with the response said the billing system is
central to the unfettered operation of the pipeline. That is part of the
reason getting it back up and running has taken time, this person said.

Asked about whether the shutdown was prompted by concerns about payment, the
company spokesperson said, "In response to the cybersecurity attack on our
system, we proactively took certain systems offline to contain the threat,
which temporarily halted all pipeline operations, and affected some of our
IT systems."

At this time, there is no evidence that the company's operational technology
systems were compromised by the attackers, the spokesperson added.

https://www.cnn.com/2021/05/12/politics/colonial-pipeline-ransomware-payment/index.html

------------------------------

Date: Thu, 13 May 2021 11:40:28 -1000
From: geoff goodfellow
Subject: A Closer Look at the DarkSide Ransomware Gang (Krebs on Security)

Here's a closer look at DarkSide, the relatively new ransomware-as-a-service
platform that's been holding 5,500 miles of fuel pipeline hostage. Story
includes negotiations btwn DarkSide & a $15B victim that recently negotiated
a $30M demand down to $11M.

https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/

------------------------------

Date: Thu, 13 May 2021 10:50:25 -0400
From: Richard Forno
Subject: Look who's hiring at Colonial (via RSK's list)

You can't make this stuff up.
> Cyber Security Manager At Colonial Pipeline
> https://www.daybook.com/jobs/jDuPoWB4gbFMpS8x5
> Date Posted: May 12th 2021
> Location: Atlanta GA, USA
>
> This appears to have been written quickly, because parts of the corporate
> boilerplate are repeated. Let's get to the good stuff:
>
> "As the Manager, Cyber Security, you are accountable for managing a team
> of cyber security certified subject matter experts and specialists
> including but not limited to network security engineers, SCADA & field
> controls network engineers and a cyber security architect. As the Manager,
> you will lead the development of the enterprise strategy for
> cybersecurity; will oversee the development of standards and processes for
> cyber security; lead the recovery from security incidents; and guide
> forensics of incidents. You are someone who has an understanding of
> emerging security threats in order to design security policies and
> procedures to mitigate threats where possible."
>
> I can't decide who's having a worse month: the person who until recently
> held this position, or the person who will next occupy it.

------------------------------

Date: Wed, 12 May 2021 09:06:48 -1000
From: geoff goodfellow
Subject: Ransomware Gang Leaks Metropolitan Police Data After Failed
  Negotiations (The Hacker News)

The cybercrime syndicate behind Babuk ransomware has leaked more personal
files belonging to the Metropolitan Police Department (MPD) after
negotiations with the DC Police broke down, warning that they intend to
publish all data if their ransom demands are not met.

"The negotiations reached a dead end, the amount we were offered does not
suit us, we are posting 20 more personal files on officers, you can download
this archive, the password will be released tomorrow. if during tomorrow they
do not raise the price, we will release all the data," the gang said in a
statement on their data leak site. "You still have the ability to stop it,"
it added.
The Babuk group is said to have stolen 250GB of data, including investigation
reports, arrests, disciplinary actions, and other intelligence briefings.

Like other ransomware platforms, DarkSide adheres to a practice called double
extortion, which involves demanding money in return for unlocking files and
servers encrypted by the ransomware, as well as for not leaking any data
stolen from the victim prior to cutting off access to them.

"We are some kind of a cyberpunks, we randomly test corporate networks
security and in case of penetration, we ask money, and publish the
information about threats and vulnerabilities we found, in our blog if
company doesn't want to pay," the group describes itself on the dark web
site, calling its attacks an "audit."

Screenshots shared by the Babuk group, and seen by The Hacker News, reveal
that the data was published after the amount DC Police was willing to pay did
not match their ransom amount of $4 million. The MPD has allegedly offered
$100,000 to fend off the release of stolen information. [...]

https://thehackernews.com/2021/05/ransomware-gang-leaks-metropolitan.html

------------------------------

Date: May 13, 2021 20:55:48 JST
From: Richard Forno
Subject: Fact Sheet on Biden Cybersecurity EO (The White House)

via Dave Farber

https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/fact-sheet-president-signs-executive-order-charting-new-course-to-improve-the-nations-cybersecurity-and-protect-federal-government-networks/

FACT SHEET: President Signs Executive Order Charting New Course to Improve
the Nation's Cybersecurity and Protect Federal Government Networks
12 May 2021

Today, President Biden signed an Executive Order to improve the nation's
cybersecurity and protect federal government networks. Recent cybersecurity
incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline
incident are a sobering reminder that U.S.
public and private sector entities increasingly face sophisticated malicious
cyber activity from both nation-state actors and cyber criminals. These
incidents share commonalities, including insufficient cybersecurity defenses
that leave public and private sector entities more vulnerable to incidents.

This Executive Order makes a significant contribution toward modernizing
cybersecurity defenses by protecting federal networks, improving
information-sharing between the U.S. government and the private sector on
cyber issues, and strengthening the United States' ability to respond to
incidents when they occur. It is the first of many ambitious steps the
Administration is taking to modernize national cyber defenses.

However, the Colonial Pipeline incident is a reminder that federal action
alone is not enough. Much of our domestic critical infrastructure is owned
and operated by the private sector, and those private sector companies make
their own determination regarding cybersecurity investments. We encourage
private sector companies to follow the Federal government's lead and take
ambitious measures to augment and align cybersecurity investments with the
goal of minimizing future incidents.

Specifically, the Executive Order the President is signing today will:

Remove Barriers to Threat Information Sharing Between Government and the
Private Sector. The Executive Order ensures that IT Service Providers are
able to share information with the government and requires them to share
certain breach information. IT providers are often hesitant or unable to
voluntarily share information about a compromise. Sometimes this can be due
to contractual obligations; in other cases, providers simply may be hesitant
to share information about their own security breaches.
Removing any contractual barriers and requiring providers to share breach
information that could impact Government networks is necessary to enable
more effective defenses of Federal departments, and to improve the Nation's
cybersecurity as a whole.

Modernize and Implement Stronger Cybersecurity Standards in the Federal
Government. The Executive Order helps move the Federal government to secure
cloud services and a zero-trust architecture, and mandates deployment of
multifactor authentication and encryption within a specific time period.
Outdated security models and unencrypted data have led to compromises of
systems in the public and private sectors. The Federal government must lead
the way and increase its adoption of security best practices, including by
employing a zero-trust security model, accelerating movement to secure cloud
services, and consistently deploying foundational security tools such as
multifactor authentication and encryption.

Improve Software Supply Chain Security. The Executive Order will improve the
security of software by establishing baseline security standards for
development of software sold to the government, including requiring
developers to maintain greater visibility into their software and making
security data publicly available. It stands up a concurrent public-private
process to develop new and innovative approaches to secure software
development and uses the power of Federal procurement to incentivize the
market. Finally, it creates a pilot program to create an ``energy star''
type of label so the government -- and the public at large -- can quickly
determine whether software was developed securely. Too much of our software,
including critical software, is shipped with significant vulnerabilities
that our adversaries exploit. This is a long-standing, well-known problem,
but for too long we have kicked the can down the road.
We need to use the purchasing power of the Federal Government to drive the
market to build security into all software from the ground up.

Establish a Cybersecurity Safety Review Board. The Executive Order
establishes a Cybersecurity Safety Review Board, co-chaired by government
and private sector leads, that may convene following a significant cyber
incident to analyze what happened and make concrete recommendations for
improving cybersecurity. Too often organizations repeat the mistakes of the
past and do not learn lessons from significant cyber incidents. When
something goes wrong, the Administration and private sector need to ask the
hard questions and make the necessary improvements. This board is modeled
after the National Transportation Safety Board, which is used after airplane
crashes and other incidents.

Create a Standard Playbook for Responding to Cyber Incidents. The Executive
Order creates a standardized playbook and set of definitions for cyber
incident response by federal departments and agencies. Organizations cannot
wait until they are compromised to figure out how to respond to an attack.
Recent incidents have shown that within the government the maturity level of
response plans varies widely. The playbook will ensure all Federal agencies
meet a certain threshold and are prepared to take uniform steps to identify
and mitigate a threat. The playbook will also provide the private sector
with a template for its response efforts.

Improve Detection of Cybersecurity Incidents on Federal Government Networks.
The Executive Order improves the ability to detect malicious cyber activity
on federal networks by enabling a government-wide endpoint detection and
response system and improved information sharing within the Federal
government. Slow and inconsistent deployment of foundational cybersecurity
tools and practices leaves an organization exposed to adversaries.
The Federal government should lead in cybersecurity, and strong,
Government-wide Endpoint Detection and Response (EDR) deployment coupled
with robust intra-governmental information sharing are essential.

Improve Investigative and Remediation Capabilities. The Executive Order
creates cybersecurity event log requirements for federal departments and
agencies. Poor logging hampers an organization's ability to detect
intrusions, mitigate those in progress, and determine the extent of an
incident after the fact. Robust and consistent logging practices will solve
much of this problem.

------------------------------

Date: Wed, 12 May 2021 20:15:27 -0400
From: Gabe Goldberg
Subject: ICAO Updates Effort To Clean Up NOTAM 'Garbage' (AVweb)

“(NOTAMs) are just a bunch of garbage that nobody pays any attention to,”
said NTSB Chairman Robert Sumwalt during the 2018 hearing on the infamous
Air Canada incident, in which pilots missed a critical piece of information.
Unnoticed on page eight of a 27-page briefing package was the fact that one
of the destination airport’s two runways was closed. [...]

Finally, the organization suggests updating the format of NOTAMs to make
them more reader-friendly. Australian Federation of Air Pilots Safety and
Technical Director Stuart Beveridge said, “So, we’ve actually suggested they
move into the 21st century and look at upper and lower case, punctuation,
plain standardized language, and time formats that are not just strings of
numbers.”

https://www.avweb.com/aviation-news/icao-updates-effort-to-clean-up-notam-garbage/

------------------------------

Date: May 13, 2021 7:09:01 JST
From: Dewayne Hendricks
Subject: Covid pandemic was preventable, says WHO-commissioned report
  (Sarah Boseley)

  [Note: This item comes from reader Randall Head.
  DLH]

Sarah Boseley, *The Guardian*, May 12 2021
Covid pandemic was preventable, says WHO-commissioned report
Independent panel castigates global leaders and calls for major changes to
ensure it cannot happen again

The Covid pandemic was a preventable disaster that need not have cost
millions of lives if the world had reacted more quickly, according to an
independent high-level panel, which castigates global leaders and calls for
major changes to bring it to an end and ensure it cannot happen again.

The report of the panel, chaired by the former New Zealand prime minister
Helen Clark and Ellen Johnson Sirleaf, a former president of Liberia, found
``weak links at every point in the chain''. It said preparation was
inconsistent and underfunded, the alert system too slow and too meek, while
the World Health Organization was underpowered. It concluded the response
had exacerbated inequalities.

``Global political leadership was absent,'' the report said.

Clark described February 2020 as ``a month of lost opportunity to avert a
pandemic, as so many countries chose to wait and see''.

``For some, it wasn't until hospital ICU beds began to fill that more action
was taken,'' she said. ``And by then it was too late to avert the pandemic
impact. What followed then was a winner takes all scramble for PPE and
therapeutics. Globally, health workers were tested to their limits and the
rates of infection, illness and death soared and continue to soar.''

Sirleaf said: ``The situation we find ourselves in today could have been
prevented. An outbreak of a new pathogen, Sars CoV-2 became a catastrophic
pandemic that has now killed more than 3.25 million people, and continues to
threaten lives and livelihoods all over the world. It is due to a myriad of
failures, gaps and delays in preparedness and response. This was partly due
to failure to learn from the past.''

Urgent action must be taken, she said.
``There are many reviews of previous health crises that include sensible
recommendations. Yet, they sit gathering dust in UN basements and on
government shelves ... Our report shows that most countries of the world
were simply not prepared for a pandemic.''

The report was commissioned by the WHO director general at the instigation
of member states, who called at the World Health Assembly in May last year
for an impartial review of what happened and what could be learned from the
pandemic.

The panel calls for radical changes to bring heads of state together to
oversee pandemic preparations, ensuring the finance and tools the world
needs are in place. They want a faster-moving, better-resourced WHO. And
they want a commitment now from leaders of affluent countries to supply
vaccines for the rest of the world.

The report says the Chinese detected and identified the new virus promptly
when it emerged at the end of 2019 and gave warnings that should have been
heeded.

``When we look back to that period in late December, 2019, clinicians in
Wuhan acted quickly when they recognised individuals in a cluster of
pneumonia cases that were not normal,'' said Sirleaf.

An alert was sent out in Wuhan about a potentially new virus, which was
``picked up quickly by neighbouring areas, countries, the media -- on an
online disease reporting site -- and by the WHO,'' she said. ``This shows
the benefit and speed of open-source reporting, but then the systems that
were meant to validate and respond to this alert were too slow. The alert
system does not operate with sufficient speed when faced with a fast-moving
respiratory pathogen.''

The WHO ``was hindered and not helped by the international health
regulations and procedures'', said Clark. The regulations that govern when
the WHO can declare a public health emergency of international concern were
adopted in 2007.
They bind WHO to confidentiality and verification, preventing rapid action,
and prohibit countries from unnecessarily closing their borders against
trade.

Every day counts, said the panel, which believes the emergency could have
been declared by 22 January, instead of 30 January, as happened.

During ``the lost month'' of February, countries should have been preparing.
Some did and have suffered far less than those that did not. ``Countries
with the ambition to aggressively contain and stop the spread whenever and
wherever it occurs have shown that this is possible,'' says the report.

Some countries ``devalued and debunked'' the science, denying the severity
of the disease. ``This has had deadly consequences,'' said Clark. ``This has
been compounded by a lack of global leadership and coordination of
geopolitical tensions and nationalism weakening the multilateral system,
which should act to keep the world safe.''

The report recommends the creation of a ``global health threats council'',
to be led by heads of state, to keep attention on the threats of pandemics
between emergencies and ensure collective action. It calls for a special
session of the UN general assembly later this year to agree a political
declaration.

The WHO must have more power and more funding, while its regional directors
and the director general should serve just a single term of seven years.

The panel says it is ``deeply concerned and alarmed'' about the current high
rates of transmission of the virus and the emergence of variants. Every
country must take the necessary measures to curb the spread, says the
report. High-income countries with enough vaccines ordered for their own
needs must commit to providing at least 1bn doses by 1 September to Covax,
the UN-backed initiative to get vaccines to 92 low- and middle-income
countries, and more than 2bn doses by mid-2022.
------------------------------

Date: Thu, 13 May 2021 01:06:23 -1000
From: geoff goodfellow
Subject: Dark Web Getting Loaded With Bogus Covid-19 Vaccines and Forged
  Cards (The Hacker News)

Bogus COVID-19 test results, fraudulent vaccination cards, and questionable
vaccines are emerging as a hot commodity on the dark web in what's the
latest in a long list of cybercrimes capitalizing on the coronavirus
pandemic.

"A new and troubling phenomenon is that consumers are buying COVID-19
vaccines on the black market due to the increased demand around the world,"
said Anne An, a senior security researcher at McAfee's Advanced Programs
Group (APG). "As a result, illegal COVID-19 vaccines and vaccination records
are in high demand on darknet marketplaces."

The growing demand and the race towards achieving herd immunity means at
least a dozen underground marketplaces are peddling COVID-19 related
merchandise, with Pfizer-BioNTech vaccines purchasable for $500 per dose
from top-selling vendors who rely on services like Wickr, Telegram,
WhatsApp, and Gmail for advertising and communications. Darknet listings for
the supposed vaccines are being sold for anywhere between $600 to $2,500,
enabling prospective buyers to receive the product within two to 10 days.

A second vendor has been identified as selling 10 doses of what's
purportedly Moderna COVID-19 vaccine for $2,000. The vaccines are said to be
either imported from the U.S. or packed in the U.K. and then shipped to
other countries worldwide.

What's more, fake vaccination cards allegedly issued by the U.S. Centers for
Disease Control and Prevention (CDC) are available starting at $50 and going
all the way to $1,500. Likewise, another unnamed seller on a different dark
web market is offering counterfeit German COVID-19 certificates for a mere
$22.35. [...]
https://thehackernews.com/2021/05/dark-web-getting-loaded-with-bogus.html

------------------------------

Date: Thu, 13 May 2021 14:43:37 +0100
From: Martin Ward
Subject: Re: Marvin Minsky hacked? (THVV, RISKS-32.66)

A "Universal Turing Machine" is a machine that simulates an arbitrary Turing
machine on arbitrary input: in other words it is designed to execute
arbitrary code. So a "hack" which allows arbitrary code execution is just
the machine running as designed.

------------------------------

Date: Wed, 12 May 2021 15:49:45 -0400
From: "Bernie Cosell"
Subject: Re: A mom panicked when her 4-year-old bought $2,600 in SpongeBob
  Popsicles (RISKS-32.65)

Easy enough to find other stories about it:
https://www.msn.com/en-us/news/world/boy-accidentally-orders-2600-worth-of-spongebob-ice-cream-online

Seems that he used his Mom's Amazon account and it was probably set up with
her credit card.

  [Richard Stein suggested
  https://www.hawaiinewsnow.com/2021/05/10/boy-secretly-orders-more-than-spongebob-popsicles-amazon/
  PGN]

------------------------------

Date: Thu, 13 May 2021 15:02:46 +0100
From: Martin Ward
Subject: Re: A mom panicked when her 4-year-old bought $2,600 in SpongeBob
  Popsicles (RISKS-32.65)

Install the NoScript Firefox extension and ensure that washingtonpost.com is
blocked. You can then read all the articles without the annoying popup
asking you to subscribe or login.

------------------------------

Date: Thu, 13 May 2021 12:11:50 +0200
From: DJC
Subject: Re: I have been pwned! -- but not really (Slade, RISKS-32.65)

My Gmail account -- which I use rather little -- gets lots of mail intended
for others with my name. People enter their own addresses wrong (should be
my.name.DIGITS@gmail.com, but they enter my.name@gmail.com) or they're
transcribed wrong... the whole mess.
I've gotten personal notes to friends and spouses, diplomatic mail,
invitations to job interviews (and their outcomes), work documents, health
records, meeting notices, lots of invoices and bills, invitations to
parties, you name it, including evidence of many scams. Plus signup
confirmation requests for Facebook and other channels.

Where they look harmless I often write to the senders to let them know.
They're often clueless. Occasionally someone thanks me, but they're
sometimes angry: How did you get my address, you *%%#@! (ranting on...) If
it wasn't for you, why did you read it, stupid? Why are you bothering me
about this?

Where I see a scam in action I usually try to interrupt it. (I hope those
people had a long wait and got proper attention when they arrived at the
airport to make a flight paid for with a stolen credit card -- not mine, but
email confirmation to me -- and found that their travel had been canceled.
They wouldn't have known about the cancellation, which I handled personally,
because the confirmation came to me only the day before the flight.)

At worst, it's a temporary bother, and at best a source of innocent
merriment.
------------------------------

Date: Thu, 13 May 2021 14:02:08 +0200
From: "Diego.Latella"
Subject: Cybersecurity, Nuclear Weapon Systems and Strategic Stability: Webinar

Thursday 27 May 2021 at 5:30 pm (CEST)

* Antonello Provenzale, President - Area della Ricerca CNR di Pisa
  Diego Latella, CNR-ISTI (IT)
* Cyber-security and Critical Infrastructures, a Global Challenge
  Domenico Laforenza, CNR-IIT (IT)
* Strategic Stability and Cyber and Space Dependency in Nuclear Assets
  Beyza Unal, Chatham House (UK)

The webinar is organised by Gruppo Interdisciplinare su Scienza, Tecnologia
e Società (GI-STS) dell'Area della Ricerca di Pisa del CNR

In cooperation with
  Areaperta - Area della Ricerca CNR di Pisa
  Centro Interdisciplinare Scienze per La Pace dell'Università di Pisa
  Istituto di Biofisica del CNR
  Istituto di Scienza e Tecnologie dell'Informazione ``A. Faedo'' del CNR
  Laboratorio Informatica e Società del CINI
  Pugwash Conferences on Science and World Affairs
  Unione degli Scienziati Per Il Disarmo

Under the auspices of La Nuova Limonaia, Rete Università per la Pace

https://us02web.zoom.us/j/85979020637?pwd=ZmNMbWxoVllXUmxBVUw4TllXZFBVdz09

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 32.67
************************