Subject: Risks Digest 34.44
From: risko@csl.sri.com (RISKS List Owner)
Newsgroups: comp.risks
Organization: PANIX Public Access Internet and UNIX, NYC
Date: 9 Sep 2024 01:04:02 -0000
Lines: 823
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1725843765.risko@chiron.csl.sri.com24240>

RISKS-LIST: Risks-Forum Digest Sunday 8 Sep 2024 Volume 34 : Issue 44

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.44>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Bypassing airport security via SQL injection (Tom Van Vleck)
How Navy chiefs conspired to get themselves illegal warship Wi-Fi
(Navy Times)
Chinese Government Hackers Penetrate U.S. ISPs (Joseph Menn)
New Yubikey vulnerability (ArsTechnica)
JPMorgan Plans to Report Customers Who Exploited TikTok ‘Glitch’ to
Authorities (WSJ)
California Passes AI Safety Bill (Bloomberg)
Musk and xAI accused of worsening Memphis smog with unauthorized turbines
(CNBC)
AI Could Engineer a Pandemic, Experts Warn (Time)
The Bands and the Fans Were Fake. The $10 Million Was Real.
(NYTimes)
Kids who use ChatGPT as a study assistant do worse on tests
(Hechinger Report)
Chatbots Are Primed to Warp Reality (The Atlantic)
Automated trading bots scheme results in millions of dollars,
Teslas, Rolexes, and federal wire-fraud convictions (Justice)
Former Tesla Autopilot Head And Ex-OpenAI Researcher Says
'Programming Is Changing So Fast' That He Cannot Think Of Going Back
To Coding Without AI (Benzinga)
Electric toothbrushes and light-up sneakers are setting France on
fire (Politico)
Wake me when the Internet of Things is over (StraitsTimes.com)
Risks of Rogue WiFi on Navy ships (Navy Times)
In feud with Musk, Brazilian justice restricts access to X
(LA Times)
North Korea Aggressively Targeting Crypto Industry with
Well-Disguised Social Engineering Attacks (IC3)
Five-day O2/Telefonica DSL outage in Berlin, Germany (SCTB)
What The CrowdStrike Outage Can Teach Us about Testing and Failure Modes
(Packet Pushers)
Visa required for EU entry starting next year (Edward Hasbrouck)
Russian 'spy whale' found dead off Norway (BBC)
Re: Moscow's Spies Were Stealing U.S. Tech, Until the FBI Started a Sabotage
Campaign (Amos Shapir)
Foreign Policy: TikTok ban & global data commons (Cliff Kilby)
How Telegram Became Criminals’ Favorite Marketplace (WSJ)
Telegram Founder's Indictment Thrusts Encryption into the Spotlight
(NYTimes)
Re: Telegram billionaire co-founder Pavel Durov arrested (John Levine)
Re: Feds sue Georgia Tech for lying bigly about computer security
(Dylan Northrup)
Re: Standard security policies and variances (Charles Cazabon)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 30 Aug 2024 09:13:33 -0400
From: Tom Van Vleck <thvv@multicians.org>
Subject: Bypassing airport security via SQL injection

https://ian.sh/tsa

• Ian Carroll (https://twitter.com/iangcarroll)
• Sam Curry (https://twitter.com/samwcyo)

``KCM is a TSA program that allows pilots and flight attendants to bypass
security screening, even when flying on domestic personal trips. A
similar system also exists for cockpit access, called the Cockpit Access
Security System (CASS).''

ARINC (a subsidiary of Collins Aerospace) operates a site called FlyCASS
which pitches small airlines a web-based interface to CASS. Apparently this
system was operated by only one person.

The FlyCASS site was vulnerable to a very simple SQL injection attack. A
test of this allowed the researchers to add names, authorizations, and
photos to the database. The researchers reported the issue to the Department
of Homeland Security and the problem was addressed... see the web page for
the story.
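The pattern behind the item above, as an added example that is not the FlyCASS code and not from the researchers' write-up: a login lookup whose SQL is assembled by string formatting, next to the same lookup with bound parameters, both run against a constructed in-memory SQLite table. The table name, columns, rows and the payload string are assumptions made for illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a toy crew-authorization table (not FlyCASS's schema)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE crew (username TEXT, password TEXT, airline TEXT, authorized INTEGER)"
    )
    con.executemany(
        "INSERT INTO crew VALUES (?, ?, ?, ?)",
        [("alice", "correct horse", "AcmeAir", 1), ("bob", "hunter2", "AcmeAir", 0)],
    )
    return con


def login_vulnerable(con, username, password):
    """Query text assembled from untrusted input: the injectable pattern.
    Plaintext passwords are for the demonstration only."""
    sql = (
        "SELECT username, authorized FROM crew "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(con, username, password):
    """Bound parameters keep the input as data; the statement's structure is fixed."""
    sql = "SELECT username, authorized FROM crew WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Assumed payload: closes the string literal, adds an always-true clause,
# and comments out the password check that follows.
PAYLOAD = "' OR '1'='1' --"


def demo():
    con = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(con, PAYLOAD, "wrong"),
        "parameterized_bypass": login_parameterized(con, PAYLOAD, "wrong"),
        "parameterized_real": login_parameterized(con, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the vulnerable function the payload logs in as the first row in the table without a password; the parameterized version treats the same string as a literal username and finds nothing. Where the injectable statement is an INSERT or UPDATE, or the backend accepts stacked statements, the same flaw writes rows rather than just reading them, which is the class of outcome the researchers describe.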

------------------------------

Date: Thu, 5 Sep 2024 08:31:14 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: How Navy chiefs conspired to get themselves illegal warship Wi-Fi
(Navy Times)

A scathing Navy investigation reveals how USS Manchester's enlisted leaders
endangered their ship with an unauthorized Starlink Wi-Fi setup.

Key paragraphs:

Unauthorized Wi-Fi systems
<https://www.militarytimes.com/news/your-military/2023/09/12/elon-musk-blocking-starlink-to-stop-ukraine-attack-troubling-for-dod/>
like the one Marrero set up are a massive no-no for a deployed Navy ship, and
Marrero’s crime occurred as the ship was deploying to the West Pacific,
where such security concerns become even more paramount among heightened
tensions with the Chinese.

“The installation and usage of Starlink, without the approval of higher
headquarters, poses a serious risk to mission, operational security, and
information security,” the investigation states.

https://www.navytimes.com/news/your-navy/2024/09/03/how-navy-chiefs-conspired-to-get-themselves-illegal-warship-wi-fi/

The article also says:

Marrero’s “egregious misconduct” with the illegal Wi-Fi “cannot be
understated,” the investigating officer wrote

[Of course it can be understated!
OTOH, it probably cannot be overstated, and/or should not be
understated.]

------------------------------

Date: Fri, 30 Aug 2024 11:23:01 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Chinese Government Hackers Penetrate U.S. ISPs
(Joseph Menn)

Joseph Menn, *The Washington Post*, 27 Aug 2024, via ACM TechNews

U.S. Internet service providers (ISPs) have been breached by Chinese
government-backed hackers, say researchers, with the goal of gathering
intelligence on users. Government and military personnel working undercover
and groups of strategic interest to China are thought to be the primary
targets. Lumen Technologies researchers said three U.S. ISPs were hacked
this summer via a previously unknown zero-day flaw in a Versa Networks
program used for managing wide-area networks.

------------------------------

Date: Tue, 3 Sep 2024 16:04:16 -0400
From: Cliff Kilby <cliffjkilby@gmail.com>
Subject: New Yubikey vulnerability (ArsTechnica)

https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/2/

FWIW, this changes nothing.
FIDO is still better than
TOTP is still better than
Either SMS or Email verification.

To effect a clone, the fob must be out of your possession for an extended
period of time (Source denotes 10 hours but calls that short) and the
attacker needs a full lab and external data to do anything with it.

Do monthly inventories of all assets (including backup fobs), and have a
lost device process (which should include fobs).
Authentication attempts should be throttled, captcha'ed, and have auto
disable/lock enforced.
I would add the specifics that any account that is flagged as "break-glass"
should be monitored and alarmed for any authentication attempt, successful
or not.

If attempting to use it doesn't set off every alarm in the building, or it
can be used if every alarm isn't already going off, it cannot be a
break-glass account.

Still, shame on Yubico for not validating constant time encryption on all
their products. I understand the Infineon cryptographic library comes with
a "trust us, bro" NDA, which may have hampered testing.

I guess that means that obscurity still means insecurity.

[I've had THREE yubikeys lately. The second was part of an SRI-wide, but
it could not be installed. PGN]
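Two of the controls listed in the item above (throttle and auto-lock on repeated failures; alarm on any authentication attempt against a break-glass account, successful or not), as an added example that is not from the poster, from Yubico, or from any product. The log format, the account names, the threshold and window, and the events themselves are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions for the example: which accounts policy tags as break-glass, and
# the lockout threshold and window.  Real values come from your own policy.
BREAK_GLASS = {"bg-root"}
MAX_FAILURES = 5
WINDOW = timedelta(minutes=10)


def parse(line):
    """Constructed log format: '<ISO-8601 timestamp> <OK|FAIL> user=<name> src=<ip>'."""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]


class AuthMonitor:
    def __init__(self, break_glass=BREAK_GLASS, max_failures=MAX_FAILURES, window=WINDOW):
        self.break_glass = break_glass
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked = set()
        self.alerts = []                    # (kind, user, src, result)

    def ingest(self, line):
        ts, result, user, src = parse(line)
        # Rule 1: any attempt against a break-glass account alarms, success or not.
        if user in self.break_glass:
            self.alerts.append(("BREAK_GLASS_ATTEMPT", user, src, result))
        if result == "FAIL":
            # Rule 2: count failures in a sliding window; lock when the threshold is hit.
            q = self.failures[user]
            q.append(ts)
            while q and ts - q[0] > self.window:
                q.popleft()
            if len(q) >= self.max_failures and user not in self.locked:
                self.locked.add(user)
                self.alerts.append(("ACCOUNT_LOCKED", user, src, result))
        elif user in self.locked:
            # A success on a locked account means the lock is not enforced upstream.
            self.alerts.append(("LOGIN_WHILE_LOCKED", user, src, result))


SAMPLE_LOG = [  # constructed events
    "2024-09-08T09:30:00 FAIL user=alice src=203.0.113.5",   # outside the window, pruned
    "2024-09-08T10:00:00 FAIL user=alice src=203.0.113.5",
    "2024-09-08T10:00:20 FAIL user=alice src=203.0.113.5",
    "2024-09-08T10:00:40 FAIL user=alice src=203.0.113.5",
    "2024-09-08T10:01:00 FAIL user=alice src=203.0.113.5",
    "2024-09-08T10:01:20 FAIL user=alice src=203.0.113.5",   # fifth in window: lock
    "2024-09-08T10:03:00 OK user=bg-root src=198.51.100.7",  # break-glass used: alarm
    "2024-09-08T10:04:00 OK user=alice src=203.0.113.5",     # lock not enforced: alarm
    "2024-09-08T10:05:00 FAIL user=bob src=192.0.2.9",       # single failure: nothing
]


def run(lines=SAMPLE_LOG):
    monitor = AuthMonitor()
    for line in lines:
        monitor.ingest(line)
    return monitor


if __name__ == "__main__":
    for alert in run().alerts:
        print(alert)
```

The break-glass rule deliberately fires on successes as well as failures: a successful login on such an account is exactly the event that should already be accompanied by an incident, as the poster puts it. The LOGIN_WHILE_LOCKED rule is the check a practitioner wants on top of the lock itself, since a monitor that records the lock but cannot see it being bypassed is only half a control.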

------------------------------

Date: Sat, 7 Sep 2024 22:23:05 -0400
From: Monty Solomon <monty@roscom.com>
Subject: JPMorgan Plans to Report Customers Who Exploited TikTok ‘Glitch’ to
Authorities (WSJ)

Thousands of people withdrew money after depositing bad checks

https://www.wsj.com/finance/banking/jpmorgan-plans-to-report-customers-who-exploited-tiktok-glitch-to-authorities-cb5f5cef

------------------------------

Date: Fri, 30 Aug 2024 11:23:01 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: California Passes AI Safety Bill (Bloomberg)

Shirin Ghaffary, *Bloomberg*, 29 Aug 2024, via ACM TechNews

California's legislature approved an AI safety bill opposed by many
tech companies. The measure moved to Governor Gavin Newsom's desk
after passing the state Assembly Wednesday, with the Senate granting
final approval Thursday. SB 1047 mandates that companies developing AI
models take "reasonable care" to ensure that their technologies don't
cause "severe harm," such as mass casualties or property damage above
$500 million.

[One problem with this is that Human Safety is an emergent property of the
entire system -- hardware, software, networks, and apps -- and not a
property that can be evaluated in the AI alone. If the AI cannot satisfy
its own properties, that is a bad thing. However, even if it can do so,
the rest of the system may still do harm. Ergo, the AI itself may not be
user-friendly and safe unless everything else is also. PGN]

------------------------------

Date: Fri, 30 Aug 2024 10:51:12 -0400
From: Chad Dougherty <crd@acm.org>
Subject: Musk and xAI accused of worsening Memphis smog with
unauthorized turbines (CNBC)
