Subject: Risks Digest 33.32
From: RISKS List Owner
Newsgroups: comp.risks
Organization: PANIX Public Access Internet and UNIX, NYC
Date: Sat, 9 Jul 2022 21:11 UTC
Lines: 486
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1657400806.risko@chiron.csl.sri.com24900>
To: risko@csl.sri.com

RISKS-LIST: Risks-Forum Digest Saturday 9 July 2022 Volume 33 : Issue 32

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.32>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Canadian network outage misunderstatement OTD (The Guardian)
Mass layoff looms for Japanese researchers (Science)
Cruise's Robot Car Outages Are Jamming Up San Francisco (WiReD)
OpenSSL Security Advisory, 5 July 2022 (OpenSSL)
In April 2022, a team of cyberattackers attempted to breach an undersea
cable off the coast of Hawaii... (Twitter via geoff goodfellow)
Japan to start jailing people for online insults (KyodoNews)
Ransomware Switched Programming Languages From Go to Rust (ZDNet)
Google Allowed a Sanctioned Russian Ad Company to Harvest User Data for
Months (Propublica)
A huge data leak of 1 billion records exposes China's vast surveillance
state (TechCrunch)
Computer glitch at American Airlines leads to triple pay (CNN via
Jeremy Epstein)
My Thoughts About Google's New Blog Post Regarding Health-Related Data
Privacy (Lauren Weinstein)
The major health care and cybersecurity risk of "Right-to-Repair" laws
(The Hill)
Lack of Chips Puts Big Dent in Auto Sales (Neal E. Boudette)
Humans are making it hard to listen for aliens (NBC News)
Even in Death, Internet Explorer Lives On in South Korea (NYTimes)
Where's the herd immunity? Our research shows why Covid is still wreaking
havoc (The Guardian)
Re: China is looking for 'other Earths' to colonize (Martin D Kealey)
Re: When customers say their money was stolen on Zelle, banks (King Ables)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 8 Jul 2022 18:57:02 -0600
From: Jonathan Levine <jonathan.canuck.levine@gmail.com>
Subject: Canadian network outage misunderstatement OTD (The Guardian)

One of Canada's largest phone/data carriers is still experiencing a major
outage today. As reported in The Guardian:

https://www.theguardian.com/world/2022/jul/08/internet-down-canada-rogers-mobile-network-outage

But what's stunning in the piece is this statement:

"Interac, which operates an email money transfer service used by several
Canadian banks, said the outage was affecting its services.
Toronto-Dominion Bank said it was facing system issues with Interac
e-Transfer service."

In reality, Interac isn't just some obscure interbank service; it's the
debit payment system used by millions of Canadians -- only some of whom are
Rogers customers -- in millions of end-user transactions every day, through
every bank in the land, and it is DOWN. Are the people running the Interac
network actually so clueless as to not have multihomed it via at least one
other major network? Apparently so.

We hope that meaningful postmortems will follow.

------------------------------

Date: Thu, 7 Jul 2022 13:23:52 +0900
From: Dave Farber <farber@keio.jp>
Subject: Mass layoff looms for Japanese researchers (Science)

[This is one of the dumbest things Japan could do if they let this happen.
Dave]

From: Geoffrey Carr <geoffcarr@me.com>
The ten-year delay for this sword of Damocles is about to end...
https://www.science.org/content/article/mass-layoff-looms-japanese-researchers

Thousands of researchers at Japanese institutes and universities may see
their jobs disappear by next spring, an unintended result of labor
legislation.

https://www.science.org/content/article/mass-layoff-looms-japanese-researchers

------------------------------

Date: Fri, 8 Jul 2022 10:54:08 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Cruise's Robot Car Outages Are Jamming Up San Francisco (WiReD)

https://www.wired.com/story/cruises-robot-car-outages/

------------------------------

Date: Fri, 8 Jul 2022 09:38:47 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: OpenSSL Security Advisory, 5 July 2022 (OpenSSL)

Heap memory corruption with RSA private key operation (CVE-2022-2274)

Severity: High

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation
for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes
the RSA implementation with 2048 bit private keys incorrect on such machines
and memory corruption will happen during the computation. As a consequence
of the memory corruption an attacker may be able to trigger a remote code
execution on the machine performing the computation.

SSL/TLS servers or other servers using 2048 bit RSA private keys running on
machines supporting AVX512IFMA instructions of the X86_64 architecture are
affected by this issue.

Note that on a vulnerable machine, proper testing of OpenSSL would fail and
should be noticed before deployment.

Users of the OpenSSL 3.0.4 version should upgrade to OpenSSL 3.0.5.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

This issue was reported to OpenSSL on 22nd June 2022 by Xi Ruoyao. The
fix was developed by Xi Ruoyao.

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20220705.txt
[...]
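The advisory narrows exposure to three conditions at once: OpenSSL 3.0.4 exactly, an x86_64 CPU that advertises AVX512IFMA, and 2048-bit RSA private-key operations. It also notes that a vulnerable build fails its own tests. The following POSIX shell script is an added example (not code from the OpenSSL advisory, the OpenSSL project, or this RISKS post): it checks the first two conditions from the output of `openssl version` and the `flags` line of a Linux /proc/cpuinfo, and performs the kind of RSA-2048 sign/verify round trip that the advisory says would fail on an affected machine. The function names are mine, and the script assumes the `openssl` CLI and a Linux-style /proc/cpuinfo; key sizes actually configured on the host are not inspected.

```shell
#!/bin/sh
# Added example for triaging CVE-2022-2274 exposure; not from the OpenSSL
# advisory or from OpenSSL itself. Criteria (per the advisory): version is
# the 3.0.4 release AND the CPU advertises avx512ifma. 2048-bit key usage is
# the third condition and is exercised by rsa2048_selftest below, not inferred.

# $1: output of `openssl version`, e.g. "OpenSSL 3.0.4 21 Jun 2022"
# $2: CPU flag list, e.g. the value of the "flags:" line of /proc/cpuinfo
# Returns 0 (exposed) only when both criteria hold, 1 otherwise.
cve_2022_2274_exposed() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        3.0.4|3.0.4-*) ;;        # 3.0.5 fixed it; 1.1.1 and 1.0.2 never had it
        *) return 1 ;;
    esac
    # Whole-word match so avx512f/avx512vbmi etc. do not count as avx512ifma.
    printf '%s\n' "$2" | tr -s ' \t' '\n' | grep -qx 'avx512ifma'
}

# Read the live version string and CPU flags on this host (Linux assumed).
check_this_host() {
    ver_out=$(openssl version 2>/dev/null || echo "OpenSSL unknown")
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2)
    if cve_2022_2274_exposed "$ver_out" "$flags"; then
        echo "EXPOSED by version/CPU criteria: $ver_out; upgrade to OpenSSL 3.0.5"
        return 2
    fi
    echo "not exposed by version/CPU criteria: $ver_out"
    return 0
}

# Generate a 2048-bit RSA key, sign a constructed message and verify it.
# The advisory says this class of operation fails on an affected machine, so a
# non-zero return here on a 3.0.4 build is a strong signal. Returns 0 on a
# successful round trip, 1 if sign/verify fails, 3 if openssl is unavailable.
rsa2048_selftest() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 3; }
    tmp=$(mktemp -d) || return 3
    rc=1
    printf 'CVE-2022-2274 RSA-2048 probe\n' > "$tmp/msg"        # constructed input
    if openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$tmp/key.pem" 2>/dev/null \
       && openssl pkey -in "$tmp/key.pem" -pubout -out "$tmp/pub.pem" 2>/dev/null; then
        if openssl dgst -sha256 -sign "$tmp/key.pem" -out "$tmp/sig" "$tmp/msg" \
           && openssl dgst -sha256 -verify "$tmp/pub.pem" -signature "$tmp/sig" \
                  "$tmp/msg" >/dev/null 2>&1; then
            rc=0
        fi
    else
        rc=3
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage on a TLS-terminating host:
#   . ./cve_2022_2274_check.sh; check_this_host; rsa2048_selftest && echo "RSA-2048 round trip OK"
```

The version check is deliberately strict: distribution packages that backport the fix while keeping a 3.0.4 version string would be flagged as exposed, and the self-test is then what settles it.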

------------------------------

Date: Thu, 7 Jul 2022 07:28:50 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: In April 2022, a team of cyberattackers attempted to breach an
undersea cable off the coast of Hawaii...

https://twitter.com/WillManidis/status/1537071965608943616

------------------------------

Date: Thu, 7 Jul 2022 17:47:48 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Japan to start jailing people for online insults (KyodoNews)

*The new law goes into effect Thursday*

EXCERPT:

Posting *online insults* will be punishable by up to a year in prison time
in Japan starting Thursday, when a new law passed earlier this summer will
go into effect.
<https://english.kyodonews.net/news/2022/07/1590b983e681-japan-to-introduce-jail-time-tougher-penalties-for-online-insults.html>

People convicted of online insults can also be fined up to 300,000 yen
(just over $2,200). Previously, the punishment was fewer than 30 days in
prison and up to 10,000 yen ($75).

The law will be reexamined in three years to determine if it's impacting
freedom of expression -- a concern raised by critics of the bill. Proponents
said it was necessary to slow cyberbullying in the country.

But there aren't clear definitions of what counts as an insult, Seiho Cho, a
criminal lawyer in Japan, told CNN after the law passed. The law says an
insult means demeaning someone without a specific fact about them -- as
opposed to defamation, which it classifies as demeaning someone while
pointing to a specific fact about them. ``At the moment, even if someone
calls the leader of Japan an idiot, then maybe under the revised law that
could be classed as an insult,'' [...]

<https://www.cnn.com/2022/06/14/asia/japan-cyberbullying-law-intl-hnk-scli/index.html>
https://www.theverge.com/2022/7/6/23196593/japan-jail-online-insult-cyberbullying

------------------------------

Date: Fri, 8 Jul 2022 12:58:32 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Ransomware Switched Programming Languages From Go to Rust (ZDNet)

Liam Tung, *ZDNet*, 6 Jul 2022, via ACM TechNews, 8 July 2022

Microsoft security researchers have found new variants of Hive ransomware
that were originally written in the Go coding language have been rewritten
in Rust. The switch has been underway for a few months, as Hive's authors
appear to be copying tactics from BlackCat ransomware, also written in
Rust. Researchers at cyberintelligence firm Group-IB determined the Hive
gang had converted its Linux encryptor for targeting VMware ESXi servers to
Rust so security researchers would be less able to surveil its ransom
discussions with victims. The Microsoft Threat Intelligence Center blogged
that the transition also involves more complex file encryption.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ee22x234ae3x069133&

------------------------------

Date: Fri, 1 Jul 2022 17:53:50 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Google Allowed a Sanctioned Russian Ad Company to Harvest User
Data for Months (Propublica)

The Internet giant may have provided Sberbank-owned RuTarget with unique
mobile phone IDs, IP addresses, location information and details about
users' interests and online activity.

https://www.propublica.org/article/google-russia-rutarget-sberbank-sanctions-ukraine

------------------------------

Date: Thu, 7 Jul 2022 19:34:36 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: A huge data leak of 1 billion records exposes China's vast
surveillance state (TechCrunch)

Reports are that it may not have had a password for months. -L

https://techcrunch.com/2022/07/07/china-leak-police-database/

------------------------------

Date: Thu, 7 Jul 2022 22:27:38 -0400
From: Jeremy Epstein <jeremy.j.epstein@gmail.com>
Subject: Computer glitch at American Airlines leads to triple pay (CNN)
