Subject: Risks Digest 34.35
From: RISKS List Owner
Newsgroups: comp.risks
Organization: PANIX Public Access Internet and UNIX, NYC
Date: Thu, 11 Jul 2024 22:14 UTC
Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!panix!.POSTED.panix3.panix.com!not-for-mail
From: risko@csl.sri.com (RISKS List Owner)
Newsgroups: comp.risks
Subject: Risks Digest 34.35
Date: 11 Jul 2024 22:14:00 -0000
Organization: PANIX Public Access Internet and UNIX, NYC
Lines: 649
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1720735895.risko@chiron.csl.sri.com4482>
Injection-Info: reader1.panix.com; posting-host="panix3.panix.com:166.84.1.3";
logging-data="21958"; mail-complaints-to="abuse@panix.com"
To: risko@csl.sri.com

RISKS-LIST: Risks-Forum Digest Thursday 11 Jun 2024 Volume 34 : Issue 35

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.35>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Electronic voting in Switzerland (Bertrand Meyer)
U.S. and Allies Issue Rare Warning on Chinese Hacking Group (WSJ)
Nations Warn Key Open-Source Programs Not Sufficiently Protected
  (Craig Hale)
Russia Breaches TeamViewer: No Evidence Billions of Devices at Risk
  (Security Boulevard)
10 Billion Passwords Exposed in Largest Leak Ever (Emily Price)
Canada warns of AI-driven Russian 'bot farm' spreading disinformation online
  (CBC)
A Bugatti car, a first lady and the fake stories aimed at Americans (BBC)
New OpenSSH Vulnerability Discovered: Potential Remote Code Execution Risk
  (The Hacker News)
New tool for creating exploits (Rik Farrow)
AI Accelerates Software Development to Breakneck Speeds (Joe McKendrick)
Microsoft Security Sieve (Cliff Kilby)
Americans abroad suffering hours-long roaming outage (The Register)
Second Factor SMS: Worse Than Its Reputation (CCC Denmark)
Hackers reverse engineer Ticketmaster (404media)
BLAST RADIUS (Victor Miller)
Feds *finally* starting to take privacy records seriously
  (HHS press release)
Unintended consequences of building population tracking for COVID; public
  semi-nudity (riaka in ch)
Nike killing app for $350 self-tying sneakers (Ars Technica)
Re: Software engineers, not astronauts, are the heroes of
  today's space industry (Niklas Holsti)
Re: What to do when you send money to the wrong person through Zelle
  (John Levine)
Re: Firefighter charity bot call (Jurek Kirakowski)
Re: Fwd: Ozone Hole Mk. II (Martin Ward)
Re: More productive AI => Self-Poisoned Training GIGO (Amos Shapir)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 1 Jul 2024 18:36:21 +0200
From: Bertrand Meyer <Bertrand.Meyer@inf.ethz.ch>
Subject: Electronic voting in Switzerland

Over the years I have seen, in RISKS, many doomsday assessments of
electronic voting, supposedly impossible to organize without unsurmountable
risks. This is not my field of expertise but as a plain user I can report
about its use in the recent French legislative elections.

For the first time Internet-voting was available, but only for foreign
residents. The process seemed impeccable to me, well thought through. (The
irony is that the reason for this effectiveness may be that in the past few
years the country had for the first time in decades a highly competent
government, now about to be swept away as a result of these very elections.)
You must have registered with the local consulate both a phone number and an
email address. (Again, the mechanism is only for expats, who have registered
to vote in their foreign place of residence and in the process were invited
to provide this information.) Ahead of the vote you get a text message on
the phone and, separately, an email. The window for electronic voting is
very short, something like 48 hours, which I guess lowers the likelihood of
foul play. You still have the opportunity to go to the voting place in
person if you prefer. If you do vote electronically, you get a crypto
certificate.

At the polling place, where I accompanied someone who never managed to get
the SMS, there were no queues -- even though participation was much higher
than in the previous election, where I had to queue for a good hour -- and a
poll worker said 44% of the votes were electronic, testifying to the broad
success of the scheme. I hope they keep it in place for the future.

------------------------------

Date: Wed, 10 Jul 2024 06:49:23 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: U.S. and Allies Issue Rare Warning on Chinese Hacking Group (WSJ)

*An advisory by Australia, along with the U.S. and six other countries,
details a group known as APT40*

Australia, the U.S. and six other allies warned that a Chinese
state-sponsored hacking group poses a threat to their networks, in an
unusual coordinated move by Western governments to call out a global
hacking operation they say is directed by Beijing’s intelligence services.

Tuesday’s advisory was a rare instance of Washington’s major allies in the
Pacific and elsewhere joining to sound the alarm on China’s cyber activity.
Australia led and published the advisory. It was joined by the U.S., U.K.,
Canada and New Zealand, which along with Australia are part of an
intelligence-sharing group of countries known as the Five Eyes. Germany,
Japan and South Korea also signed on.

The warning marked the first time South Korea and Japan joined with
Australia in attributing malicious cyber activity to China. It was also the
first time that Australia—which has been reluctant to point the finger at
China, its largest trading partner—led such an effort, according to a
person familiar with the matter.

“In our current strategic circumstances, these attributions are
increasingly important tools in deterring malicious cyber activity,” said
Richard Marles, Australia’s deputy prime minister and defense minister.

On Tuesday, China accused the U.S. and its allies of hyping China’s cyber
activities to smear Beijing and distract from Washington’s efforts to
engage in surveillance and espionage worldwide. “Who is the biggest threat
to global cybersecurity? I believe the international community sees this
clearly,” said Foreign Ministry spokesman Lin Jian.

The technical advisory detailed a group known in cybersecurity circles as
Advanced Persistent Threat 40, or APT40, which conducts cybersecurity
operations for China’s Ministry of State Security and has been based in the
southern island province of Hainan. The advisory detailed how the group
targeted two networks in 2022—though it didn’t identify the
organizations—and said the threat is continuing.

“Having all eight nations collectively call this out is significant,” said
Rachael Falk, chief executive of the Cyber Security Cooperative Research
Centre in Australia. “You don’t see collective attribution from so many
agencies about one malicious cyber threat actor very often.”

Falk said APT40 carefully carries out reconnaissance, can look like a
legitimate user and is very effective at stealing valuable data. She said
APT40 rapidly exploits new, and sometimes old, public vulnerabilities in
widely used software and uses compromised small home office devices. That
enables the group to launch attacks and blend in with traffic. [...]
https://www.wsj.com/politics/national-security/u-s-allies-issue-rare-warning-on-chinese-hacking-group-9eebb0ce?st=cdo1eyb7rl4e9y9

------------------------------

Date: Mon, 1 Jul 2024 10:41:32 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Nations Warn Key Open-Source Programs Not Sufficiently
Protected (Craig Hale)

Craig Hale, *TechRadar*, 27 Jun 2024

The FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA),
and their counterparts in Canada and Australia warn that many open source
programs fail to protect against emerging and evolving threat actors. A CISA
report found that 52% of 172 open source projects studied contained code
written in a memory-unsafe language. The report revealed that Linux
comprises 95% unsafe code, compared to open source projects using unsafe
code in Tor (93%), MySQL Server (84%), and Chromium (51%).

------------------------------

Date: Tue, 2 Jul 2024 02:18:21 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Russia Breaches TeamViewer: No Evidence Billions of Devices
at Risk (Security Boulevard)

Remote access service hacked by APT29, says TeamViewer.

TeamViewer says “a compromised employee account” led to a Russian
breach. While the company makes reassuring noises about its segmented
network, it also said the tool was installed on more than 2.5 billion
devices.

And that’s a worry, despite the calming PR. In today’s SB Blogwatch, we
wonder why TeamViewer didn’t enforce MFA for employees (see also: Snowflake,
Okta, Uber, etc., etc.)

https://securityboulevard.com/2024/07/teamviewer-apt29-richixbw/

------------------------------

Date: Wed, 10 Jul 2024 11:18:50 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: 10 Billion Passwords Exposed in Largest Leak Ever
(Emily Price)

Emily Price, *PC Magazine*, 06 Jul 2024

Cybernews researchers discovered what they described as the largest-ever
password compilation on a popular hacking forum. The rockyou2024.txt file,
posted July 4 by a user known as "ObamaCare," contains 9,948,575,739 unique
plaintext passwords. Although these passwords are from a combination of old
and new data breaches, the researchers said the risk of credential stuffing
attacks is higher given that the passwords were compiled into a single,
searchable database.

------------------------------

