From: risko@csl.sri.com (RISKS List Owner)
Newsgroups: comp.risks
Subject: Risks Digest 33.30
Date: 25 Jun 2022 20:17:10 -0000
Organization: PANIX Public Access Internet and UNIX, NYC
Path: eternal-september.org!news.eternal-september.org!reader01.eternal-september.org!reader02.eternal-september.org!panix!.POSTED.panix3.panix.com!not-for-mail
Lines: 432
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1655767178.risko@chiron.csl.sri.com11920>
Injection-Info: reader2.panix.com; posting-host="panix3.panix.com:166.84.1.3";
logging-data="19043"; mail-complaints-to="abuse@panix.com"
To: risko@csl.sri.com

RISKS-LIST: Risks-Forum Digest Monday 20 June 2022 Volume 33 : Issue 30

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.30>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents: [RISKS-33.29 delay on USENET was due to a Panix key upgrade.]
We've only scratched the surface of how bad the crypto[currency] crime wave
has gotten (Yaohoo!)
FBI warns crypto fraud on LinkedIn is a 'significant threat' (Engadget)
Ethereum Mining Is Going Away (Bloomberg)
Microsoft Office 365 Feature Could Help Ransomware Hackers Hold Cloud Files
Hostage (The Hacker News)
Micropatching on the fly (Tom Van Vleck)
The Open Secret of Google Search (The Atlantic)
Leaked Audio From 80 Internal TikTok Meetings Shows That U.S. User Data Has
Been Repeatedly Accessed From China (Buzzfeednews)
Lake Mead and Lake Powell, the 2 largest reservoirs in the US, which provide
water to over 40 million Americans in Nevada, Arizona and California, are
at their lowest levels ever. (twitter via geoff goodfellow)
Stronger Security for Smart Devices (Adam Zewe)
New Mexico's Post-Certification Recounts (Annie Gowan)
It is 2022. My coffee mug wants me to log in, wants to know my location, and
if it can send me promotional emails... (Marc IRL)
A Language Model Trained to Mimic 4chan Might Portend AI's Grim Future
(Georgetown CSET)
A minor example of human factors in security (risks@sctb.net)
Serious Warning Issued For Millions Of Google Gmail Users (Forbes)
Re: the death knell of jSCH (Dmitri Maziuk)
Re: Physics-Based Cryptocurrency Transmits Energy Through Blockchain
(John Levine)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 19 Jun 2022 11:28:10 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: We've only scratched the surface of how bad the crypto[currency] crime wave
has gotten (Yaohoo!)

We've only scratched the surface of how bad the crypto crime wave has gotten

https://news.yahoo.com/weve-only-scratched-surface-bad-221758213.html

------------------------------

Date: Fri, 17 Jun 2022 17:16:04 -0400
From: Monty Solomon <monty@roscom.com>
Subject: FBI warns crypto fraud on LinkedIn is a 'significant threat'
(Engadget)

https://www.engadget.com/fbi-warning-crypto-fraud-linkedin-significant-threat-191600330.html

------------------------------

Date: Mon, 20 Jun 2022 12:23:17 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Ethereum Mining Is Going Away

David Pan and Olga Kharif, Bloomberg, 16 Jun 2022,
via ACM TechNews; Monday, 20 Jun 2022

Ethereum mining could end soon due to "the Merge," leaving as many as 1
million miners out of a source of income. The Merge (expected to occur in
August, though it has been pushed back several times already) involves a
shift from the proof-of-work model, which uses a significant amount of
computing power and energy, to the proof-of-stake model to record
transactions. The alternative model will slash the Ethereum network's power
consumption by about 99%, but also will put miners out of work. Following
The Merge, some Ethereum miners plan to mine other coins that require
graphics processing units, like Ethereum Classic or Ravencoin, or to use
their equipment for rendering (an aspect of digital video production) or
machine learning tasks.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ecdcx23467ax071600&

------------------------------

Date: Thu, 16 Jun 2022 07:27:17 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Microsoft Office 365 Feature Could Help Ransomware Hackers Hold
Cloud Files Hostage (The Hacker News)

A "dangerous piece of functionality" has been discovered in Microsoft 365
suite that could be potentially abused by a malicious actor to ransom files
stored on SharePoint and OneDrive and launch attacks on cloud
infrastructure.

The cloud ransomware attack makes it possible to launch file-encrypting
malware to "encrypt files stored on SharePoint and OneDrive in a way that
makes them unrecoverable without dedicated backups or a decryption key from
the attacker," Proofpoint said in a report published today.
<https://www.proofpoint.com/us/blog/cloud-security/proofpoint-discovers-potentially-dangerous-microsoft-office-365-functionality>

The infection sequence can be carried out using a combination of Microsoft
APIs, command-line interface (CLI) scripts, and PowerShell scripts, the
enterprise security firm added.

The attack, at its core, hinges on a Microsoft 365 feature called AutoSave
that creates copies of older file versions as and when users make edits to a
file stored on OneDrive or SharePoint Online.
<https://support.microsoft.com/en-us/office/what-is-autosave-6d6bd723-ebfd-4e40-b5f6-ae6e8088f7a5>

It commences with gaining unauthorized access to a target user's SharePoint
Online or OneDrive account, followed by abusing the access to exfiltrate and
encrypt files. The three most common avenues to obtain the initial foothold
involve directly breaching the account via phishing or brute-force attacks,
tricking a user into authorizing a rogue third-party OAuth application, or
taking over the web session of a logged-in user.

But where this attack stands apart from traditional endpoint ransomware
activity is that the encryption phase requires locking each file on
SharePoint Online or OneDrive more than the permitted versioning limit.
[...]

<https://support.microsoft.com/en-us/office/how-versioning-works-in-lists-and-libraries-0f6cd105-974f-44a4-aadb-43ac5bdfd247>
https://thehackernews.com/2022/06/a-microsoft-office-365-feature-could.html
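Because the encryption phase has to push every file past its library's version limit, a burst of edits to one file that exceeds that limit is a concrete detection signal for defenders. The following Python is an added example, not code from The Hacker News, Proofpoint or Microsoft: it scans records shaped like Microsoft 365 unified audit log "FileModified" events (the field names are assumed from that schema and every record here is constructed) and flags any user/file pair that was modified more times inside a sliding window than the configured version limit. The limit is set to 5 so the sample stays short; SharePoint Online document libraries default to 500 major versions, so in production the value should come from each library's versioning setting.

```python
"""Flag version-exhaustion bursts in SharePoint/OneDrive audit events.

Added illustration; record layout mimics Microsoft 365 unified audit log
entries (field names assumed), and all values below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_events():
    """Return a small, invented batch of audit records."""
    base = datetime(2022, 6, 16, 9, 0, 0)
    events = []
    # alice: six edits of one file within ten minutes (exceeds a limit of 5)
    for k in range(6):
        events.append({"CreationTime": (base + timedelta(minutes=2 * k)).isoformat(),
                       "Operation": "FileModified",
                       "UserId": "alice@example.invalid",
                       "SourceFileName": "report.docx"})
    # bob: three ordinary edits, well under any plausible limit
    for k in range(3):
        events.append({"CreationTime": (base + timedelta(minutes=15 * k)).isoformat(),
                       "Operation": "FileModified",
                       "UserId": "bob@example.invalid",
                       "SourceFileName": "notes.docx"})
    # carol: six edits spread over two days, a human editing cadence
    for k in range(6):
        events.append({"CreationTime": (base + timedelta(hours=8 * k)).isoformat(),
                       "Operation": "FileModified",
                       "UserId": "carol@example.invalid",
                       "SourceFileName": "budget.xlsx"})
    # a download is not a new version and must be ignored
    events.append({"CreationTime": base.isoformat(),
                   "Operation": "FileDownloaded",
                   "UserId": "alice@example.invalid",
                   "SourceFileName": "report.docx"})
    return events


def max_edits_in_window(times, window):
    """Largest number of timestamps that fit inside any span of `window`."""
    times = sorted(times)
    best = 0
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window's left edge
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_version_exhaustion(events, version_limit, window_minutes=60):
    """Return alerts for (user, file) pairs edited more than `version_limit`
    times within `window_minutes`; only FileModified events create versions."""
    window = timedelta(minutes=window_minutes)
    per_file = defaultdict(list)
    for e in events:
        if e.get("Operation") != "FileModified":
            continue
        key = (e["UserId"], e["SourceFileName"])
        per_file[key].append(datetime.fromisoformat(e["CreationTime"]))
    alerts = []
    for (user, name), times in sorted(per_file.items()):
        burst = max_edits_in_window(times, window)
        if burst > version_limit:
            alerts.append({"user": user, "file": name, "edits_in_window": burst})
    return alerts


if __name__ == "__main__":
    for alert in detect_version_exhaustion(constructed_events(), version_limit=5):
        print(alert)
```

The window matters as much as the count: carol's six edits also exceed the limit of 5, but only when the window is widened to several days, which is why the function takes the window as a parameter rather than counting lifetime edits.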

------------------------------

Date: Mon, 20 Jun 2022 15:39:28 -0400
From: Tom Van Vleck <thvv@multicians.org>
Subject: Micropatching on the fly

People who are running computers with a lot of old and buggy software are
being wooed by services that will apply binary patches to their code while
it is running.

If a site is running an old down-rev version and can't afford the time,
cost, and effort to upgrade to a later version, the micropatching service
can apply fixes on the fly.

[No flies are injured in the process. PGN]

They patch in storage to avoid verification of code signatures. Sometimes
they extract patches from later versions of the code and back-port them to
older code.

There is a DARPA/I2O program that is awarding ways to patch IoT
appliances and heavy truck engines:
https://www.darpa.mil/program/assured-micropatching

What could possibly go wrong? THVV

[Risks? This reminds me of Doug McIlroy and Bob Morris patching the live
object code of their EPL compiler (early PL/I, starkly subset for
Multics) at the same time Molly Wagner was compiling Multics
memory-management code in 1967. What a mess. (Tom, Thanks for this
item.) Note for younger RISKS readers: Tom dates back to pre-Multics on
CTSS, with what appears to be the very first e-mail system, which he and
Noel Morris developed at MIT. PGN]

------------------------------

Date: Mon, 20 Jun 2022 15:11:24 -0400
From: Monty Solomon <monty@roscom.com>
Subject: The Open Secret of Google Search

One of the most-used tools on the Internet is not what it used to be.

https://www.theatlantic.com/ideas/archive/2022/06/google-search-algorithm-internet/661325/

------------------------------

Date: Fri, 17 Jun 2022 18:37:02 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Leaked Audio From 80 Internal TikTok Meetings Shows That U.S.
User Data Has Been Repeatedly Accessed From China (Buzzfeednews)

https://www.buzzfeednews.com/article/emilybakerwhite/tiktok-tapes-us-user-data-china-bytedance-access

------------------------------

Date: Thu, 16 Jun 2022 16:54:33 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Lake Mead and Lake Powell, the 2 largest reservoirs in the US,
which provide water to over 40 million Americans in Nevada, Arizona and
California, are at their lowest levels ever.

*... This will have unprecedented consequences and require drastic water
restrictions never seen before...*
https://twitter.com/US_Stormwatch/status/1536912734297526272

------------------------------

Date: Fri, 17 Jun 2022 12:14:25 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Stronger Security for Smart Devices (Adam Zewe)

Adam Zewe, *MIT News*, 14 Jun 2022, via ACM TechNews, 17 Jun 2022

Massachusetts Institute of Technology researchers demonstrated two security
techniques that block power and electromagnetic side-channel attacks
targeting analog-to-digital (ADC) converters in smart devices. The
countermeasures involve adding randomization to ADC conversion, which in one
case uses a random number generator to decide when each capacitor switches,
complicating the correlation of power supplies with output data. That method
also keeps the comparator in constant operation, preventing hackers from
ascertaining when each conversion stage begins and ends. The second
technique employs two comparators and an algorithm to randomly establish two
thresholds rather than one, creating millions of ways an ADC could reach a
digital output.
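The first countermeasure, using a random number generator to decide when each capacitor switches, can be illustrated with a toy model. The following Python is an added example, not code from the MIT researchers or ACM TechNews. It assumes a simplified successive-approximation ADC in which switching the capacitor for a bit draws supply current proportional to that bit's weight (plus Gaussian noise), and it models the countermeasure as shuffling the order in which those switching events appear in the power trace. It then measures the correlation an attacker would see between a fixed time slot of the trace and the most significant output bit, with and without randomization. The second technique (two comparators with randomly chosen thresholds) is not modelled.

```python
"""Toy model: randomized capacitor-switching order versus a power side channel.

Added illustration with an assumed, simplified SAR ADC; not the MIT design.
"""
import random

N_BITS = 8


def sar_convert(sample, randomize, rng, noise=0.1):
    """Convert `sample` (0 .. 2**N_BITS-1) and return (code, trace).

    trace[t] is the modelled supply-current sample at conversion step t.
    Model assumption: resolving bit i to 1 costs energy proportional to its
    weight 2**i, plus Gaussian measurement noise. Without randomization step t
    always reflects bit N_BITS-1-t; with it, the order of switching events in
    the trace is shuffled per conversion, so a fixed slot maps to no fixed bit.
    """
    code = 0
    decisions = []  # (bit index, decided value) in binary-search order
    for i in reversed(range(N_BITS)):
        trial = code | (1 << i)
        bit = 1 if sample >= trial else 0
        if bit:
            code = trial
        decisions.append((i, bit))
    if randomize:
        rng.shuffle(decisions)  # the countermeasure: randomized switching order
    top = 1 << (N_BITS - 1)
    trace = [bit * (1 << i) / top + rng.gauss(0, noise) for i, bit in decisions]
    return code, trace


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5


def leakage_at_slot(bit_index, randomize, n_samples=2000, seed=2022):
    """Correlation between the trace value at the slot where `bit_index` is
    normally resolved and the true value of that output bit, over many
    conversions of uniformly random inputs (fixed seed for reproducibility)."""
    rng = random.Random(seed)
    slot = N_BITS - 1 - bit_index
    bits, slot_values = [], []
    for _ in range(n_samples):
        sample = rng.randrange(1 << N_BITS)
        code, trace = sar_convert(sample, randomize, rng)
        bits.append((code >> bit_index) & 1)
        slot_values.append(trace[slot])
    return pearson(slot_values, bits)


if __name__ == "__main__":
    for b in (N_BITS - 1, N_BITS // 2):
        print(f"bit {b}: plain corr = {leakage_at_slot(b, False):.2f}, "
              f"randomized corr = {leakage_at_slot(b, True):.2f}")
```

With the plain ordering the MSB's slot correlates almost perfectly with the MSB, which is exactly the statistic a correlation power analysis exploits; once the switching order is randomized the same slot is a mixture of all eight bits and the correlation collapses toward the noise floor. The model omits the second detail the summary mentions, keeping the comparator running continuously so that step boundaries themselves are not visible.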
