Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!panix!.POSTED.panix2.panix.com!not-for-mail
From: risko@csl.sri.com (RISKS List Owner)
Newsgroups: comp.risks
Subject: Risks Digest 34.43
Date: 30 Aug 2024 02:18:18 -0000
Organization: PANIX Public Access Internet and UNIX, NYC
Lines: 403
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1724984159.risko@chiron.csl.sri.com20869>
Injection-Info: reader1.panix.com; posting-host="panix2.panix.com:166.84.1.2";
logging-data="18189"; mail-complaints-to="abuse@panix.com"
To: risko@csl.sri.com

RISKS-LIST: Risks-Forum Digest Thursday 29 Aug 2024 Volume 34 : Issue 43

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.43>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Apparent cyberattack at Seattle airport causes internet outages
  (WCVB)
Scammers dupe chemical company into wiring $60 million
(Help Net Security)
Moscow’s Spies Were Stealing U.S. Tech, Until the FBI Started a
Sabotage Campaign (Politico)
Android malware steals payment card data using previously unseen
technique (ArsTechnica)
Recent bot campaign backing Poilievre shows AI easily
accessible for political messaging: report (CBC)
Without Guardrails, Generative AI Can Harm Education (Dave Farber)
Foreign Policy: TikTok ban & global data commons (Douglas Lucas)
Telco fined $1M for transmitting Biden deepfake without
verifying Caller ID (ArsTechnica)
RFID cards could turn into a global security mess after
discovery of hardware backdoor (Techspot)
Apple to Let iPhone Users Delete Safari, Other Native Apps to Comply With EU
Law (WSJ)
Re: Feds sue Georgia Tech for lying bigly about computer security
(Cliff Kilby)
Re: Fake QR codes posted on Redondo Beach parking meters to scam drivers,
police say (Geoff Luenning)
Re: Birmingham Oracle (Wol)
Re: Telegram billionaire co-founder Pavel Durov arrested
(Turgut Kalfaoglu)
Re: Policy, due care, and the failure of Heartland Tri-State
(Phil Smith III)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 27 Aug 2024 11:43:45 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Apparent cyberattack at Seattle airport causes internet outages (WCVB)

https://www.wcvb.com/article/seattle-airport-cyberattack-internet-outages/61984238

------------------------------

Date: Tue, 27 Aug 2024 13:15:47 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Scammers dupe chemical company into wiring $60 million
(Help Net Security)

Orion S.A., a global chemical company with headquarters in Luxembourg, has
become a victim of fraud: it lost approximately $60 million through
“multiple fraudulently induced outbound wire transfers to accounts
controlled by unknown third parties.”

Was it a BEC attack?

A representative of the company declined to share with Help Net Security any
additional details beyond what is included in the 8-K filing.

“To date, the Company has not found any evidence of additional fraudulent
activity and currently does not believe the incident resulted in any
unauthorized access to data or systems maintained by the Company,” the
filing further says.

“However, the Company’s investigation into the incident and its impacts on
the Company, including its internal controls, remains ongoing. The business
and operations were not affected.”

While Orion’s filing does not outright say that the wire transfers were the
result of business email compromise (BEC), the possibility seems most
likely. Given the above wording, the compromised email was likely that of a
supplier or customer.

(Alternative possibilities, such as a deepfake video conference call
paired with social engineering tricks, are possible, but less likely.)

https://www.helpnetsecurity.com/2024/08/13/orion-fraudulent-wire-transfers-60-million/

------------------------------

Date: Mon, 26 Aug 2024 15:45:46 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Moscow’s Spies Were Stealing U.S. Tech, Until the FBI Started a
Sabotage Campaign (Politico)

During the early days of Silicon Valley, a tech industry entrepreneur teamed
up with the FBI to ship faulty devices to Moscow.

https://www.politico.com/news/magazine/2024/08/04/us-spies-soviet-technology-00164126

------------------------------

Date: Sun, 25 Aug 2024 00:10:46 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Android malware steals payment card data using previously unseen
technique (ArsTechnica)

https://arstechnica.com/?p=2045086

------------------------------

Date: Tue, 27 Aug 2024 06:37:31 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Recent bot campaign backing Poilievre shows AI easily
accessible for political messaging: report (CBC)

https://www.cbc.ca/news/politics/ai-platforms-generate-political-messages-rallies-1.7305321

A suspected bot campaign surrounding a recent Pierre Poilievre event shows
that generative artificial intelligence (AI) tools are easily accessible to
anyone looking to influence political messaging online, researchers have
found.

In July, the social media platform X was inundated with posts following the
Conservative leader's tour of Northern Ontario.

The posts claimed to be from people who attended Poilievre's event in
Kirkland Lake, Ont., but were actually generated by accounts in Russia,
France and other places, and many of them had similar messaging.

------------------------------

Date: Wed, 28 Aug 2024 20:49:18 +0900
From: Dave Farber <farber@keio.jp>
Subject: Without Guardrails, Generative AI Can Harm Education

A new study led by researchers at Wharton and Penn reveals that using
generative AI improves student performance, but also makes it harder for
students to learn and acquire new skills.

The researchers designed an experiment with nearly 1,000 high school math
students in Turkey to determine whether large language models can harm or
help their education. One group of students was given GPT Base, a chat
interface similar to ChatGPT-4, to help them during practice sessions. A
second group was given GPT Tutor, an interface similar to ChatGPT-4 but with
safeguards. It includes teacher input and is designed to guide students with
hints rather than directly giving answers.

------------------------------

Date: Tue, 27 Aug 2024 18:20:08 -0700
From: Douglas Lucas <dal@riseup.net>
Subject: Foreign Policy: TikTok ban & global data commons (by me)

On Aug. 27, Foreign Policy published my new article "Banning TikTok won't
keep your data safe: Pompous billionaires, authoritarian regimes, and opaque
oligarchs are hoarding our data. Only an alternative online ecosystem will
stop them." The working title was "TikTok ban shows need for real global
data commons."

From the article:

"'This is why I am working on a universal database: to try to democratize
this access to a megaphone and bring us information from everyone,' Canadian
programmer and philosopher Heather Marsh said at a censored Oxford Union
whistle-blowing panel. [...]

"Marsh proposes decoupling apps and databases with a framework separating
information into layers. The foundation [probably on IPFS] would be a
universal database where, say, professors could place instructional videos
as public data. Apps would offer additional features, such as captioning or
translation, without vacuuming up personal data as the price of
entry. Personal data would instead be treated as each individual's sole
property.

"Apps would become just apps, adding functionality and that's it, no longer
married to any company’s exclusive database. Work on middle layers—via
public or private federated servers—would enhance the universal database
with meaning and trust networks, and ready it for apps. This middle data,
and the apps themselves, could be confidential or deleted. But as long as
international consortia maintained the foundational universal database and
framework, akin to international bodies maintaining the web now, the
database would persist—a global commons."

Links:

Regular URL:
https://foreignpolicy.com/2024/08/27/biden-tiktok-bytedance-china-ban-getgee-knowledge-commons/

Erratically performing, paywall-jumping gift hyperlink for sharing
everywhere:
https://foreignpolicy.com/2024/08/27/biden-tiktok-bytedance-china-ban-getgee-keenowledge-commons/?utm_content=gifting&tpcc=gifting_article&gifting_article=YmlkZW4tdGlrdG9rLWJ5dGVkYW5jZS1jaGluYS1iYW4tZ2V0Z2VlLWtub3dsZWRnZS1jb21tb25z&pid=OC20506955

Alternate hyperlink: https://archive.ph/9Ss1S

What are the RISKS of establishing a new ecosystem decoupling apps from
databases and stratifying information into layers? As my article says,
"corporate-owned data, personal data, and public data are all hopelessly
mixed, polarizing people into inflammatory thought bubbles and stripping
them of privacy and dignity"; but also, bad actors poaching lingo from
idealistic articles to help them sell seems-similar snake oil; nobody
offering to lift a finger to fund, code, or open doors for the global data
commons project; gift hyperlinks with probably malfunctioning query strings;
exhausted underpaid journalists.

------------------------------

Date: Sun, 25 Aug 2024 00:15:46 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Telco fined $1M for transmitting Biden deepfake without
verifying Caller ID (ArsTechnica)
