Subject: Risks Digest 34.09

RISKS-LIST: Risks-Forum Digest  Wednesday 6 March 2024  Volume 34 : Issue 09

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at  as
The current issue can also be found at

  Contents: BACKLOGGED -- MORE TO COME
White House urges developers to dump C and C++ (Steve Bacher)
NZ Leap Day Self Pay Petrol Pump Failures
  (sundry via Jim Geissman and Brian Inglis)
Risks of Leap Years and Dumb Digital Watches (Mark Brader)
Health-care hack spreads pain across hospitals and doctors nationwide
  (WashPost via Jan Wolitzky)
Cyberattack Paralyzes the Largest U.S. Health Care Payment System
  (NYTimes.com via Jim Geissman)
Re: Healthcare Cyberattack (Doug McIlroy)
More than 2 Million Research Papers Have Disappeared from the Internet
  (Sarah Wild)
GitHub Besieged by Millions of Malicious Repositories in Ongoing Attack
  (Dan Goodin)
A Vending Machine Error Revealed Secret Face Recognition Tech (WiReD)
Vending machines had eyes all over this Ontario campus until the students
  wised up (CBC)
End-to-End Encryption under attack in Nevada (Mastodon)
1-million books and 4-months later, Toronto's library recovers from a
  cyberattack (CBC via Matthew Kruk)
Anycubic 3D Printers Hacked in Attempt to Inform Owners of Security Hole
  (Christopher Harper)
'Keytrap' DNS bug threatens widespread Internet outages (Becky Bracken)
Wyze security issue exposed private cameras to strangers (Heather Kelly)
Fingerprints Recreated from Sounds of Swiping a Touchscreen (Mark Tyson)
Algorithm Reveals What's Hidden (Rizwan Choudhury)
'AI Godfather', Others Urge More Deepfake Regulation (Amy Tong)
AI feedback loop will spell death for future generative models (TechSpot)
Malware Worm Can Poison ChatGPT, Gemini-Powered Assistants (Kate Irwin)
"AI Warfare Is Already Here" (Katrina Manson)
I'm begging you not to Google for airline customer service numbers
  (Monty Solomon on a WashPost item)
comp.risks via Panix? (Ed Ravin on the servers)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 28 Feb 2024 11:18:38 -0800
From: Steve Bacher
Subject: White House urges developers to dump C and C++

Biden administration calls for developers to embrace memory-safe programming
languages and move away from those that cause buffer overflows and other
memory access vulnerabilities.

The new 19-page report from ONCD gave C and C++ as two examples of
programming languages with memory safety vulnerabilities, and it named Rust
as an example of a programming language it considers safe.  In addition, an
NSA cybersecurity information sheet from November 2022 listed C#, Go, Java,
Ruby, and Swift, in addition to Rust, as programming languages it considers
to be memory-safe.

https://www.infoworld.com/article/3713203/white-house-urges-developers-to-dump-c-and-c.html

  (About time!  I've been griping about C and C++ design for decades.  SB)

  [The White House press release said: “Future Software Should Be Memory
  Safe”.  I might add that the report “Back to the Building Blocks: A Path
  toward Secure and Measurable Software” explicitly recommends the
  UofCambridgeUK/SRI CHERI over MTE, on page 9.  That is a really nice plug.
  https://www.whitehouse.gov/oncd/briefing-room/2024/02/26/press-release-technical-report/
  PGN]

------------------------------

Date: Thu, 29 Feb 2024 09:21:08 -0800
From: "Jim"
Subject: NZ Leap Day Self Pay Petrol Pump Failures (sundry)

Dozens of unattended fuel stations across the country stopped working on
Thursday for hours because of a software issue.

https://www.nytimes.com/2024/02/29/world/asia/new-zealand-leap-year-glitch-gas-pumps.html

  [Noted by quite a few of you.]
  https://www.nzherald.co.nz/hawkes-bay-today/news/february-29-allied-fuel-pumps-around-nz-ground-to-a-halt-as-systems-forget-leap-year/XEQBK5JLBZG6LO3VGUQ6Q2WGC4/
  Brian Inglis noted
  https://arstechnica.com/gadgets/2024/02/leap-year-glitch-broke-self-pay-pumps-across-new-zealand-for-over-10-hours/
  PGN]

------------------------------

Date: Thu, 29 Feb 2024 06:24:19 -0500 (EST)
From: Mark Brader
Subject: Risks of Leap Years and Dumb Digital Watches

[1] saw a previous version of this message in RISKS-6.34, 13.21, 17.81,
    20.83, 23.24, 25.07, 26.75, 29.30, and/or 31.60;
[2] still wear a wristwatch instead of using a cellphone or something as a
    pocket watch;
[3] have the kind that needs to be set back a day because (unlike the
    smarter types that track the year or receive information from external
    sources) it went directly from February 28 to March 1; and
[4] *hadn't realized it yet*?

(For myself, point 3 no longer applies.  I replaced my old, worn-out Timex
with a superficially identical new one and found that it does track the
year.)

------------------------------

Date: Mon, 4 Mar 2024 07:19:41 -0500
From: Jan Wolitzky
Subject: Health-care hack spreads pain across hospitals and doctors
  nationwide (WashPost)

The fallout from the hack of a little-known but pivotal health-care company
is inflicting pain on hospitals, doctor offices, pharmacies and millions of
patients across the nation, with government and industry officials calling it
one of the most serious attacks on the health-care system in U.S. history.

The 21 Feb 2024 cyberattack on Change Healthcare, owned by UnitedHealth
Group, has cut off many health-care organizations from the systems they rely
on to transmit patients' health-care claims and get paid.  The ensuing outage
doesn't appear to affect any of the systems that provide direct, critical
care to patients.  But it has laid bare a vulnerability that cuts across the
U.S.
health-care system, frustrating patients unable to pay for their medications
at the pharmacy counter and threatening the financial solvency of some
organizations that rely heavily on Change's platform.

------------------------------

Date: Tue, 5 Mar 2024 18:46:21 -0800
From: "Jim"
Subject: Cyberattack Paralyzes the Largest U.S. Health Care Payment System
  (NYTimes.com)

  [Explore this gift article from The New York Times.  You can read it for
  free without a subscription.]

The hacking shut down the nation's biggest health care payment system,
causing financial chaos that affected a broad spectrum ranging from large
hospitals to single-doctor practices.

https://www.nytimes.com/2024/03/05/health/cyberattack-healthcare-cash.html?unlocked_article_code=1.ak0.DC0g.Vjacvvma4SOQ

  [Lauren Weinstein found:
    Ransomware attack on U.S. health care payment processor 'most serious
    incident of its kind'
  https://www.nbcnews.com/tech/security/ransomware-attack-us-health-care-payment-processor-serious-incident-ki-rcna141322
  REALLY???  PGN]

------------------------------

Date: Wed, 6 Mar 2024 10:04:42 -0500
From: Douglas McIlroy
Subject: Re: Healthcare Cyberattack

This article came as a complete surprise, although it's about an attack that
happened two weeks ago:
  https://www.nytimes.com/2024/03/05/health/cyberattack-healthcare-cash.html

How did UnitedHealth (the parent of Change Healthcare) keep it out of the
news so long?  Or have these things become so common that they're no longer
newsworthy?

  [I believe that the combination of AI hype, Bitcoin reaching an all-time
  high, and all the rampant cyberattacks has so overwhelmed the media that
  they no longer have a sense of what is most important.  The Change
  Healthcare fiasco is surely a sign of the times (lower case) and of The
  Times.  Doug, were you really surprised?
  PGN]

------------------------------

Date: Wed, 6 Mar 2024 12:48:32 -0500 (EST)
From: ACM TechNews
Subject: More than 2 Million Research Papers Have Disappeared from the
  Internet (Sarah Wild)

Sarah Wild, *Nature*, 4 Mar 2024, via ACM TechNews

Martin Eve of the U.K.'s University of London assessed whether 7,438,037
research papers with digital object identifiers (DOIs) were held in archives
and determined that around 28%, or more than 2 million, were not held in a
major digital archive despite having an active DOI.  Only 58% of the sample
had been stored in at least one archive.  However, Eve's research focuses
only on articles with DOIs and did not involve a search of every digital
repository.

------------------------------

Date: Wed, 6 Mar 2024 12:48:32 -0500 (EST)
From: ACM TechNews
Subject: GitHub Besieged by Millions of Malicious Repositories in Ongoing
  Attack (Dan Goodin)

Dan Goodin, *Ars Technica*, 28 Feb 2024, via ACM TechNews

An ongoing cyberattack at GitHub has resulted in millions of malicious code
repositories that use malware to steal developers' passwords and
cryptocurrency.  GitHub's "automation detection seems to miss many repos,"
contend Apiiro security researchers Matan Giladi and Gil David, "and the
ones that were uploaded manually survive.  Because the whole attack chain
seems to be mostly automated on a large scale, the 1% that survive still
amount to thousands of malicious repos."

------------------------------

Date: Sat, 24 Feb 2024 23:03:02 -0500
From: Gabe Goldberg
Subject: A Vending Machine Error Revealed Secret Face Recognition Tech (WiReD)

Canada-based University of Waterloo is racing to remove M&M-branded smart
vending machines from campus after outraged students discovered the machines
were covertly collecting face recognition data without their consent.
The scandal started when a student using the alias SquidKid47 posted an image
on Reddit showing a campus vending machine error message,
“Invenda.Vending.FacialRecognitionApp.exe,” displayed after the machine
failed to launch a face recognition application that nobody expected to be
part of the process of using a vending machine.  "Hey, so why do the stupid
M&M machines have facial recognition?" SquidKid47 pondered.  The Reddit post
sparked an investigation from a fourth-year student named River Stanley, who
was writing for a university publication called MathNEWS.

https://www.wired.com/story/facial-recognition-vending-machine-error-investigation

The risks?  Error messages.  Like airport displays, billboards, etc. showing
fatal Windows errors.

------------------------------

Date: Tue, 27 Feb 2024 06:53:09 -0700
From: Matthew Kruk
Subject: Vending machines had eyes all over this Ontario campus until the
  students wised up (CBC)

https://www.cbc.ca/news/business/vending-machine-facial-analysis-invenda-waterloo-1.7126196

An Ontario university is pulling dozens of vending machines that were
tracking the age and gender of customers in the latest example of pushback
against technology that tests the boundaries of privacy rules.

The move comes amid opposition from University of Waterloo students, who
became aware of the technology after a Reddit user spotted an on-screen error
message on one of the machines earlier this month, about an apparent problem
with its facial recognition program.

------------------------------

Date: Fri, 23 Feb 2024 15:32:12 PST
From: Peter Neumann
Subject: End-to-End Encryption under attack in Nevada (Mastodon)

Idiots who don't understand the importance of ENCRYPTION, SECURITY, PRIVACY?
Or just ANTI-TECHNOLOGISTS?
https://mastodon.lawprofs.org/@riana/111982802756354530

------------------------------

Date: Tue, 27 Feb 2024 06:54:30 -0700
From: Matthew Kruk
Subject: 1-million books and 4-months later, Toronto's library recovers from
  a cyberattack (CBC)

https://www.cbc.ca/news/canada/toronto/toronto-library-ransomware-recovery-1.7126412

More than four months after a ransomware attack shut down the Toronto Public
Library's computer systems, staff are finally putting a million stranded
books back on the shelves.

At the library's distribution centre in the east end of the city, Domenic
Lollino wheeled pallet after pallet of library books off a tractor-trailer --
one of 15 such vehicles storing those books that were returned while the
electronic cataloguing system was down.

"It's a big backlog," he said, and it means employees like him are working
12-hour shifts to get through it all.

------------------------------

Date: Wed, 6 Mar 2024 12:48:32 -0500 (EST)
From: ACM TechNews
Subject: Anycubic 3D Printers Hacked in Attempt to Inform Owners of Security
  Hole (Christopher Harper)

Christopher Harper, *Tom's Hardware*, 1 Mar 2024, via ACM TechNews

Hackers reportedly discovered security vulnerabilities in Anycubic 3D
printers and are using a readme file on the printer display to inform users
about the issue and encourage them to disable the Internet connection until a
patch is issued.  The hackers indicated that they had contacted Anycubic
regarding the two critical security flaws they uncovered but resorted to
informing users directly after not receiving a response from the company.
------------------------------

Date: Fri, 23 Feb 2024 11:13:07 -0500 (EST)
From: ACM TechNews
Subject: 'Keytrap' DNS bug threatens widespread Internet outages
  (Becky Bracken)

Becky Bracken, Dark Reading, 20 Feb 2024, via ACM TechNews

Researchers at Germany's ATHENE (National Research Center for Applied
Cybersecurity) found a design flaw in a domain name system (DNS) security
extension that could cause widespread Internet disruptions if it were
exploited on multiple DNS servers simultaneously.  DNS servers that use the
DNSSEC extension to validate traffic are vulnerable to the "Keytrap" DNS bug,
which has existed since 2000.  The researchers worked with Google,
Cloudflare, and other major DNS service providers on patches before
publishing their work.

------------------------------

Date: Fri, 23 Feb 2024 11:13:07 -0500 (EST)
From: ACM TechNews
Subject: Wyze security issue exposed private cameras to strangers
  (Heather Kelly)

Heather Kelly, *The Washington Post*, 20 Feb 2024, via ACM TechNews

Kirkland, WA-based Wyze said about 13,000 users of its security cameras were
able to view sensitive content from the devices of other users when the
cameras came back online 16 Feb following an hours-long service outage
attributed to Amazon Web Services.  Some users were able to see thumbnails
from other users' feeds in their apps and clicked to view the videos.  Wyze
attributed the mixup of device IDs and user ID mapping to a partner that has
since fixed the issue.

------------------------------

Date: Fri, 23 Feb 2024 11:13:07 -0500 (EST)
From: ACM TechNews
Subject: Fingerprints Recreated from Sounds of Swiping a Touchscreen
  (Mark Tyson)

Mark Tyson, Tom's Hardware, 19 Feb 2024, via ACM TechNews

Researchers in the U.S. and China have demonstrated a side-channel attack on
the Automatic Fingerprint Identification System that allows fingerprint
pattern features to be extracted from the sounds of a user's finger swiping a
touchscreen.
The attack, dubbed PrintListener, can be made through apps like Discord,
Skype, WeChat, and FaceTime when a device's microphone is on.  Tests of
PrintListener found it could extract up to 27.9% of partial fingerprints, and
9.3% of complete fingerprints, within five attempts at the highest-security
false acceptance rate setting of 0.01%.

------------------------------

Date: Fri, 23 Feb 2024 11:13:07 -0500 (EST)
From: ACM TechNews
Subject: Algorithm Reveals What's Hidden (Rizwan Choudhury)

Rizwan Choudhury, Interesting Engineering, 20 Feb 2024, via ACM TechNews

An algorithm developed by University of South Florida (USF) researchers can
produce 3D models of scenes behind walls, doors, and cars using the faint
shadows cast by objects on nearby surfaces.  The algorithm can reconstruct
hidden scenes in just minutes using a single photo from a digital camera.
Said USF's John Murray-Bruce, "We live in a 3D world, so obtaining a more
complete 3D picture of a scenario can be critical in several situations and
applications."

------------------------------

Date: Fri, 23 Feb 2024 11:13:07 -0500 (EST)
From: ACM TechNews
Subject: 'AI Godfather', Others Urge More Deepfake Regulation (Amy Tong)

Anna Tong, Reuters, 21 Feb 2024, via ACM TechNews

More than 400 AI experts and executives from various industries, including AI
"godfather" and ACM A.M. Turing Award laureate Yoshua Bengio, signed an open
letter calling for increased regulation of deepfakes.  The letter states,
"Today, deepfakes often involve sexual imagery, fraud, or political
disinformation.  Since AI is progressing rapidly and making deepfakes much
easier to create, safeguards are needed."  The letter provides
recommendations for regulation, such as criminal penalties for individuals
who knowingly produce or facilitate the spread of harmful deepfakes, and
requiring AI companies to prevent their products from creating harmful
deepfakes.
------------------------------

Date: Sat, 24 Feb 2024 18:25:53 +0900
From: ファーバーデイビッド Ｊ
Subject: AI feedback loop will spell death for future generative models
  (TechSpot)

https://www.techspot.com/news/99064-ai-feedback-loop-spell-death-future-generative-models.html

Forward-looking: Popular Large Language Models (LLM) such as OpenAI's ChatGPT
have been trained on human-made data, which still is the most abundant type
of content available on the Internet right now.  The future, however, could
hold some very nasty surprises for the reliability of LLMs trained almost
exclusively on previously generated blobs of AI bits.

------------------------------

Date: Wed, 6 Mar 2024 12:48:32 -0500 (EST)
From: ACM TechNews
Subject: Malware Worm Can Poison ChatGPT, Gemini-Powered Assistants
  (Kate Irwin)

Kate Irwin, *PC Magazine*, 1 Mar 2024, via ACM TechNews

A "zero-click" AI worm able to launch an "adversarial self-replicating
prompt" via text and image inputs has been developed by researchers at
Cornell University, Intuit, and Technion--Israel Institute of Technology to
exploit OpenAI's ChatGPT-4, Google's Gemini, and the LLaVA open source AI
model.  In a test of affected AI email assistants, the researchers found that
the worm could extract personal data, launch phishing attacks, and send spam
messages.  The researchers attributed the self-replicating malware's success
to "bad architecture design" in the generative AI ecosystem.

------------------------------

Date: Wed, 6 Mar 2024 12:48:32 -0500 (EST)
From: ACM TechNews
Subject: "AI Warfare Is Already Here" (Katrina Manson)

Katrina Manson, *Bloomberg*, 28 Feb 2024

In recent weeks, the U.S. Department of Defense's Maven Smart System was used
to identify rocket launchers in Yemen and surface vessels in the Red Sea and
assisted in narrowing down targets in Iraq and Syria.
Maven, which merges satellite imagery, sensor data, and geolocation data into
a single computer interface, uses machine learning to identify personnel and
equipment on the battlefield and detect weapons factories and other objects
of interest in various environmental conditions.

------------------------------

Date: Tue, 27 Feb 2024 23:24:36 -0500
From: Monty Solomon
Subject: I'm begging you not to Google for airline customer service numbers

Sure, probably that's the right number for Delta.  But it could be a crook
posing as an airline representative.  Here's what to do instead of trusting
Google.

https://www.washingtonpost.com/technology/2024/02/27/airline-customer-service-phone-numbers/

------------------------------

Date: Tue, 27 Feb 2024 23:33:06 -0500
From: Ed Ravin
Subject: comp.risks via Panix?

  [Ed is my liaison to Panix and comp.risks distribution.  This is in
  response to Steve Bacher complaining about a Newcastle expired cert.
  (Lindsay is retired, but still shepherding NCL.)  Steve noted that this
  came up because my screwed up prevented RISKS-34.08 from showing up on
  catless.  Oops!  PGN]

It's hard to find a good news server these days.  Even Google has dropped
their Usenet connection -- no new Usenet articles in Google Groups starting
last week.

If you want RISKS without having to search around, go straight to the
official archive:

  http://catless.ncl.ac.uk/Risks/

  [rather than https during the slowness of the NCL admins.  PGN]

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.
   Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site: .
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try browsing
 on the keywords in the subject line or cited article leads.
   Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 34.09
************************