Subject: Risks Digest 34.41
From: RISKS List Owner
Newsgroups: comp.risks
Organization: PANIX Public Access Internet and UNIX, NYC
Date: Sun, 25 Aug 2024 02:10 UTC
Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!panix!.POSTED.panix2.panix.com!not-for-mail
Lines: 786
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1724551703.risko@chiron.csl.sri.com13848>
Injection-Info: reader1.panix.com; posting-host="panix2.panix.com:166.84.1.2";
  logging-data="24968"; mail-complaints-to="abuse@panix.com"
To: risko@csl.sri.com

RISKS-LIST: Risks-Forum Digest Saturday 24 Aug 2024 Volume 34 : Issue 41

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
(comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats,
etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.41>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
FAA Proposes New Cybersecurity Standards For Aircraft (AVweb)
Power Outages at Port of Los Angeles (LA Times)
High-end racing bikes are now vulnerable to hacking (The Verge)
Halliburton Hit by Apparent Cyberattack (Matt Egan)
German Cyber-Agency Wants Changes in Microsoft, CrowdStrike
  Products after Outage (Catherine Stupp)
Revoked DigiCert Digital Certificates: 27% Not Yet Replaced
  (BankinfoSecurity)
GM to Cut More Than 1,000 Software Engineers, Mostly in U.S.
  (David Welch)
Feds sue Georgia Tech for lying bigly about computer security (DoJ)
Policy, due care, and the failure of Heartland Tri-State Bank (NBC News)
Birmingham council faces huge loss over Oracle debacle
  (The Register)
Which devices on your network are most vulnerable? (Kaspersky)
The Long Arms of Terms of Service (NYTimes)
Meta Kills Off Misinformation Tracking Tool (Barbara Ortutay)
Microsoft Copilot makes a court reporter into a child molester (Heise)
AI Cheating Is Getting Worse (The Atlantic)
U.S. Government Wants You -- Yes, You -- to Hunt Down
  Generative AI Flaws (Lily Hay Newman)
Silicon Valley Is Coming Out in Force Against an AI-Safety Bill
  (The Atlantic)
A Loophole in Digital Wallet Security (UMass)
AI is an energy hog. It's a strain on the power grid (LA Times)
AI and stand-up comedy (BBC)
These 'living computers' are made from human neurons — and you can
  rent one for $500 a month (LiveScience)
Florida company faces multiple lawsuits after massive data breach (CBC)
Number of Women Taking CS Degrees in UK Continues to Grow (BCS)
Is it safer to use an app or a website on your phone? (WashPost)
My latest column: How the lab leak controversy will harm you
  (Jim Geissman)
Android Phones Sold with Hidden Insecure Feature (Joseph Menn)
Nightly Waymo Robotaxi Parking Lot Honkfest Is Waking Neighbors
  (Wes Davis)
Denver Water's loss of pressure at 5 AM every Monday is the same problem as
  San Francisco's 4 AM robot taxi honkfest (The Verge)
OpenAI Blocks Iranian Influence Operation Using
  ChatGPT for U.S. Election Propaganda (geoff goodfellow)
Regulators May Not Like Deepfakes, But Businesses Are Using Them Anyway
  (WSJ)
AI Detection Tools Often Fail to Catch Election Deepfakes (WashPost)
Trump posts fake AI images of Taylor Swift and Swifties, falsely
  suggesting he has the singer's support (CNN)
Re: Illinois Voter Data Exposed by Unsecured Databases
  (Kevin Kostols)
Re: Corporation Email Looks Like A Scam
  (Steve Bacher, Geoff Kuenning)
Re: Kroger unveils AI-powered automatic price gouger (John Levine)
Re: NIST announces post quantum encryption standards (John Levine)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 24 Aug 2024 16:00:47 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: FAA Proposes New Cybersecurity Standards For Aircraft (AVweb)

The Federal Aviation Administration introduced changes to its cybersecurity
standards for new aircraft and equipment in a Notice of Proposed Rulemaking
(NPRM) issued Wednesday.

https://www.avweb.com/aviation-news/faa-introduces-new-cybersecurity-for-airplanes-and-aircraft-equipment/

------------------------------

Date: Fri, 16 Aug 2024 11:37:55 -0700
From: "Jim" <jgeissman@socal.rr.com>
Subject: Power Outages at Port of Los Angeles (LA Times)

If the public face of the port is the forest of cranes and mountain range of
cargo containers, its invisible heart is a network of computers that
controls almost the entire operation. That system, along with a growing
multitude of electric-powered equipment and vehicles, depends on an
uninterrupted supply of electricity. Rebooting all those smart devices,
sometimes requiring workers to climb to the tops of 200-foot cranes, can
take several hours, no matter how brief the outage.

https://www.latimes.com/business/story/2024-08-16/power-outages-a-growing-concern-for-port-of-los-angeles-now-and-down-the-road

------------------------------

Date: Thu, 15 Aug 2024 10:14:09 -0400
From: Tom Van Vleck <thvv@multicians.org>
Subject: High-end racing bikes are now vulnerable to hacking (The Verge)

https://www.theverge.com/2024/8/14/24220390/bike-hack-wireless-gear-shifters

Researchers found security vulnerabilities that could let hackers mess with
riders’ gear shifters even from a short distance away. Those weak points
could be exploited “to gain an unfair advantage, potentially causing crashes
or injuries by manipulating gear shifts or jamming the shifting operation.”

------------------------------

Date: Fri, 23 Aug 2024 11:13:43 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Halliburton Hit by Apparent Cyberattack (Matt Egan)

Matt Egan, CNN, 22 Aug 2024, via ACM TechNews

A source said a cyberattack at Halliburton is affecting business operations
at the oilfield services firm's Houston campus and some global networks. In
a statement, Halliburton said, ``We are aware of an issue affecting certain
company systems and are working diligently to assess the cause and potential
impact.'' A U.S. Department of Energy spokesperson said the agency is ``aware
of reports of a cyber-incident impacting an energy services company,''
adding, ``There are no indications that the incident is impacting energy
services at this time.''

------------------------------

Date: Fri, 16 Aug 2024 12:24:47 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: German Cyber-Agency Wants Changes in Microsoft, CrowdStrike
  Products after Outage (Catherine Stupp)

Catherine Stupp, *WSJ* Pro Cybersecurity, 14 Aug 2024, via ACM TechNews

Germany's Federal Office for Information Security (BSI) wants changes in the
way Microsoft gives security providers access to its Windows kernel and the
way CrowdStrike and other cyber firms design their tools, in hopes of
curbing that access. The agency says that its efforts are focused on
reducing the likelihood of a massive tech outage, like the one that resulted
from faulty CrowdStrike software last month.

------------------------------

Date: Sat, 17 Aug 2024 12:45:48 +0000
From: Victor Miller <victorsmiller@gmail.com>
Subject: Revoked DigiCert Digital Certificates: 27% Not Yet Replaced
  (BankinfoSecurity)

https://www.bankinfosecurity.com/revoked-digicert-digital-certificates-27-yet-replaced-a-26032

------------------------------

Date: Fri, 23 Aug 2024 11:13:43 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: GM to Cut More Than 1,000 Software Engineers, Mostly in
  U.S. (David Welch)

David Welch, *Bloomberg*, 19 Aug 2024, via ACM TechNews

General Motors Inc. (GM) reportedly will lay off more than 1,000 software
engineers just two months after former Apple executives were hired as senior
vice presidents in the automaker's software and services organization. The
cuts follow GM's increased hiring in software development in recent years as
it expanded into electric vehicles, self-driving cars, and software-related
services.

------------------------------

Date: Fri, 23 Aug 2024 20:55:02 +0000
From: "danny burstein" <dannyb@panix.com>
Subject: Feds sue Georgia Tech for lying bigly about computer security
  (DoJ)

United States Files Suit Against the Georgia Institute of Technology and
Georgia Tech Research Corporation Alleging Cybersecurity Violations

Specifically, the lawsuit alleges that until at least February 2020, the
Astrolavos Lab at Georgia Tech failed to develop and implement a system
security plan, which is required by DoD cybersecurity regulations, that set out
the cybersecurity controls that Georgia Tech was required to put in place in
the lab. Even when the Astrolavos Lab finally implemented a system security
plan in February 2020, the lawsuit alleges that Georgia Tech failed to properly
scope that plan to include all covered laptops, desktops, and servers.

Additionally, the lawsuit alleges until December 2021, the Astrolavos lab
failed to install, update or run anti-virus or anti-malware tools on
desktops, laptops, servers and networks at the lab. Instead, Georgia Tech
approved the lab's refusal to install antivirus software -- in violation of
both federal cybersecurity requirements and Georgia Tech's own policies --
to satisfy the demands of the professor who headed the lab.

The lawsuit further alleges that in December 2020 Georgia Tech and GTRC
submitted a false cybersecurity assessment score to DoD for the Georgia Tech
campus. DoD requires contractors to submit summary level scores reflecting
the status of their compliance with applicable cybersecurity requirements on
covered contracting systems that are used to store or access covered defense
information. The submission of this score was a "condition of contract
award" for Georgia Tech's DoD contracts.

