Path: eternal-september.org!news.eternal-september.org!reader01.eternal-september.org!panix!.POSTED.panix2.panix.com!not-for-mail
From: risko@csl.sri.com (RISKS List Owner)
Newsgroups: comp.risks
Subject: Risks Digest 33.53
Date: 23 Nov 2022 04:47:31 -0000
Organization: PANIX Public Access Internet and UNIX, NYC
Lines: 886
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1669178447.risko@chiron.csl.sri.com25169>
Injection-Info: reader2.panix.com; posting-host="panix2.panix.com:166.84.1.2";
logging-data="1355"; mail-complaints-to="abuse@panix.com"
To: risko@csl.sri.com

RISKS-LIST: Risks-Forum Digest Wednesday 22 November 2022 Volume 33 : Issue 53

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.53>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Russian software disguised as American finds its way into U.S. Army, CDC
apps (Jan Wolitzky)
How North Korea became a mastermind of crypto cybercrime (Ars Technica)
U.S. NSA recommends 'memory safe' languages (Media Defense)
Re: Rust (dmitri maziuk)
Cyber Vulnerability in Networks Used by Spacecraft, Aircraft, Energy
Generation Systems (U.Michigan)
Reducing Redundancy to Accelerate Complicated Computations (TJNAF)
Vulnerabilities of electric vehicle charging infrastructure (techxplore.com)
Cybercriminals Are Selling Access to Chinese Surveillance Cameras
(Threatpost)
Code grey: Inside a 'catastrophic' IT failure at the Queensway Carleton
Hospital (CBC)
Open-Source Software Has Never Been More Important (TechRadar)
Autonomous Vehicles Join the List of U.S. National Security Threats (WiReD)
Hotel barfs on two people with the same name (gcluley via Wendy M. Grossman)
DeepMind says its new AI coding engine is as good as an average human
programmer (The Verge)
Time Has Run Out for the Leap Second (NYTimes)
Timer on GE ovens automagically reprogrammed to gobble rather than ding
(Business Wire)
Akamai finds 13 million malicious newly observed domains a month (SC Media)
Inside the turmoil at Sobeys-owned stores after ransomware attack (CBC)
$10.7 Million Payment To Virginia In Google Privacy Settlement (VA Patch)
Short Videos on Ethics in AI and Software Development (Gene Spafford)
Electronic Health Record Legal Settlements (JAMA Health Forum)
Is This the End Game for Cryptocurrency? (Paul Krugman via PGN et al.)
Tuvalu Turns to Metaverse as Rising Seas Threaten Existence (Lucy Craymer)
Smart Home Hubs Leave Users Vulnerable to Hackers (Leigh Beeson)
Twitter update (Lauren Weinstein PGN-simmerized)
In Memoriam: Drew Dean (Peter G. Neumann)
In Memoriam: Frederick P. Brooks Jr. (Steve Bellovin)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 14 Nov 2022 10:37:05 -0500
From: Jan Wolitzky <jan.wolitzky@gmail.com>
Subject: Russian software disguised as American finds its way into
U.S. Army, CDC apps

Thousands of smartphone applications in Apple and Google's online stores
contain computer code developed by a technology company, Pushwoosh, that
presents itself as based in the United States, but is actually Russian,
Reuters has found.

The Centers for Disease Control and Prevention (CDC), the United States'
main agency for fighting major health threats, said it had been deceived
into believing Pushwoosh was based in the U.S. capital. After learning about
its Russian roots from Reuters, it removed Pushwoosh software from seven
public-facing apps, citing security concerns.

The U.S. Army said it had removed an app containing Pushwoosh code in March.

[Monty Solomon noted another version:
Russian Code Found in Thousands of American Apps, Including the CDC's (Gizmodo)
https://gizmodo.com/russian-pushwoosh-code-american-apps-cdc-army-1849779521
PGN]

------------------------------

Date: Mon, 14 Nov 2022 23:57:34 -0500
From: Monty Solomon <monty@roscom.com>
Subject: How North Korea became a mastermind of crypto cybercrime
(Ars Technica)

Cryptocurrency theft has become one of the regime's main sources of
revenue. Created by a Vietnamese gaming studio, Axie Infinity offers
players the chance to breed, trade, and fight Pokémon-like cartoon monsters
to earn cryptocurrency. But earlier this year, the network of blockchains
that underpin the game's virtual world was raided by a North Korean hacking
syndicate, which made off with roughly $620 million in the ether
cryptocurrency.

The crypto heist, one of the largest of its kind in history, was confirmed
by the FBI, which vowed to continue to expose and combat [North Korea's] use
of illicit activities -- including cybercrime and cryptocurrency theft -- to
generate revenue for the regime.

The successful crypto heists illustrate North Korea’s growing sophistication
as a malign cyber actor. Western security agencies and cyber security
companies treat it as one of the world's four principal nation-state-based
cyberthreats, alongside China, Russia, and Iran.

According to a UN panel of experts monitoring the implementation of
international sanctions, money raised by North Korea's criminal
cyber-operations is helping to fund the country's illicit ballistic missile
and nuclear programs. Anne Neuberger, US deputy national security adviser
for cybersecurity, said in July that North Korea ``uses cyber to gain, we
estimate, up to a third of their funds for their missile program.''

Crypto analysis firm Chainalysis estimates that North Korea stole
approximately $1 billion in the first nine months of 2022 from decentralized
crypto exchanges alone. ...

https://arstechnica.com/information-technology/2022/11/how-north-korea-became-a-mastermind-of-crypto-cyber-crime/

------------------------------

Date: Mon, 14 Nov 2022 19:35:38 +0000
From: Henry Baker <hbaker1@pipeline.com>
Subject: U.S. NSA recommends 'memory safe' languages (Media Defense)

The U.S. NSA finally came out this week to strongly endorse `memory-safe'
languages for most software programming, specifically mentioning C#, Go,
Java, Ruby, Rust, and Swift as examples.

Apparently orphaned DoD language *Ada* was conspicuously left out of
NSA's list, even though versions of Ada that target JVM can utilize Java
JVM's GC. https://en.wikipedia.org/wiki/Ada_(programming_language)

Ubiquitous web language *Javascript* was also conspicuous by its absence,
even though Javascript has a sophisticated GC.
https://javascript.info/garbage-collection

Also curiously, NSA left out any mention of Arm's *CHERI*
(Capability Hardware Enhanced RISC Instructions) architecture
which should address NSA's performance concerns:

``Memory safety can be costly in performance ... There is also considerable
performance overhead associated with checking the bounds on every array
access that could potentially be outside of the array.''
https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/

CHERI, can you come out tonight (Come come, come out tonight)
You, ooh better ask your NSA (CHERI baby)
Tell her everything is *all right*.

(Apologies to Frankie Valli & Bob Gaudio)

With Arm's new 'Morello' processor, can I finally replace my *Raspberry Pi*
with a *CHERI Pi*??

[Now I know what startup sound will play when CHERI Pi boots... :-) ]

While waiting, use CHERI as a QEMU virtual machine?
https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/cheri-llvm.html

https://media.defense.gov/2022/Nov/10/2003112742/-1/-1/0/CSI_SOFTWARE_MEMORY_SAFETY.PDF

``Memory issues in software comprise a large portion of the exploitable
vulnerabilities in existence. NSA advises organizations to consider making a
strategic shift from programming languages that provide little or no
inherent memory protection, such as C/C++, to a memory safe language when
possible. [Examples noted above, with html trademarks omitted here. PGN]
Memory-safe languages provide differing degrees of memory usage protections,
so available code hardening defenses, such as compiler options, tool
analysis, and operating system configurations, should be used for their
protections as well. By using memory-safe languages and available code
hardening defenses, many memory vulnerabilities can be prevented, mitigated,
or made very difficult for cyber-actors to exploit.''

------------------------------

Date: Sun, 13 Nov 2022 20:28:23 -0600
From: dmitri maziuk <dmitri.maziuk@gmail.com>
Subject: Re: Rust (RISKS-33.52)

Memory is the resource every computer program uses, but it's not the
only resource.

Nobody (that I know of) managed to pull off proper object destruction in a
garbage-collected language. Thus, if a program written in a
*garbage-collected* language uses those *other* resources, there is no
guarantee as to when it might release them. The best they can do is
*sometime between when the object goes out of scope, and when the program
terminates*. And that's just not good enough for many applications including
systems programming.

That's what Rust has that automatic memory management doesn't: *when a
variable goes out of scope, its destructor is run, or it's dropped*.
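
Added example, not part of dmitri maziuk's post: a stand-in resource type
that records its own acquire and release in a shared log, showing that the
destructor runs at the closing brace of the owning scope (or at an explicit
`drop`), before any code that follows. The `Resource` type and its log are
constructed here for illustration.

```rust
// Added example, not from the RISKS post: a stand-in resource that records
// its own acquire/release in a shared log, so the exact release point is visible.
use std::cell::RefCell;
use std::rc::Rc;

type Log = Rc<RefCell<Vec<String>>>;

/// Stands in for a lock, socket or file handle: something that must be
/// released promptly, not "sometime before the program terminates".
struct Resource {
    name: &'static str,
    log: Log,
}

impl Resource {
    fn acquire(name: &'static str, log: &Log) -> Resource {
        log.borrow_mut().push(format!("acquire {}", name));
        Resource { name, log: Rc::clone(log) }
    }
}

impl Drop for Resource {
    /// Runs when the owning variable goes out of scope or is dropped explicitly.
    fn drop(&mut self) {
        self.log.borrow_mut().push(format!("release {}", self.name));
    }
}

/// Returns the ordered event log so the release points can be checked.
pub fn scope_timeline() -> Vec<String> {
    let log: Log = Rc::new(RefCell::new(Vec::new()));
    {
        let _lock = Resource::acquire("lock", &log);
        log.borrow_mut().push("critical section".to_string());
        // `_lock` is released at this closing brace, before anything below runs.
    }
    log.borrow_mut().push("after scope".to_string());

    let socket = Resource::acquire("socket", &log);
    drop(socket); // explicit early release: the destructor runs right here
    log.borrow_mut().push("after explicit drop".to_string());
    let events = log.borrow().clone();
    events
}

fn main() {
    for event in scope_timeline() {
        println!("{}", event);
    }
}
```

The log shows "release lock" before "after scope": the release point is the
scope boundary, not some later collector pass.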

------------------------------

Date: Wed, 16 Nov 2022 11:46:50 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: Cyber Vulnerability in Networks Used by Spacecraft, Aircraft,
Energy Generation Systems (U.Michigan)

Zachary Champion, University of Michigan News, 15 Nov 2022
via ACM TechNews, 16 Nov 2022
