Subject: Risks Digest 33.67
From: RISKS List Owner
Newsgroups: comp.risks
Organization: PANIX Public Access Internet and UNIX, NYC
Date: Fri, 7 Apr 2023 00:38 UTC
Message-ID: <CMM.0.90.4.1680827747.risko@chiron.csl.sri.com1323>

RISKS-LIST: Risks-Forum Digest Saturday 1* April 2023 Volume 33 : Issue 67

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.67>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents: BACKLOGGED with pre-1Apr unread messages. Will get to it.
Speculative out-of-order execution on my part? (PGN)
Airline baggage drops (JSX)
How space storms miscue train signals (phys.org)
Why Long Trains Keep Derailing (ProPublica)
Trojanized Windows and Mac apps rain down on 3CX users in massive supply
chain attack (Sentinel One)
Chinese fraudsters: evading detection and monetizing stolen credit-card
information (ATT)
A Front Company and a Fake Identity: How the U.S. Came to Use Spyware It Was
Trying to Kill. (NYTimes)
It's like children turned loose on a jungle gym (CBC)
AI application ChatGPT temporarily banned in Italy over data collection
concerns (CBC)
Even More on Trust & Safety and AI (Lauren Weinstein)
Australian mayor prepares world's first defamation lawsuit over ChatGPT
content (The Guardian)
Pausing AI Developments Isn't Enough. We Need to Shut It All Down
(Eliezer Yudkowsky)
Forgive or Forget: What Happens When Robots Lie? (Catherine Barzler)
I am not afraid of robots. I am afraid of people. (Gary Marcus)
Are robot waiters the future? Some restaurants think so. (AP News)
It's Their Content, You're Just Licensing It (NYTimes)
Stupid physical risk (Nextdoor via Phil Smith III)
Re: DC Metro Will Retrofit Faregates To Cut Down On Fare Evasion
(Stan Brown)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 06 Apr 2023 16:57:44 PDT
From: Peter G Neumann <neumann@csl.sri.com>
Subject: Speculative out-of-order execution on my part?

* In that I somehow managed to put out the 1 April issue as RISKS-33.68 one
day early, an off-by-one error in the issue number, so I now figure that I
should backdate this RISKS-33.67 issue five days to April Fools' Day, to
balance off my previous *post*-dated issue. It seems only natural, but
was actually *not* an April-Fools prank.

------------------------------

Date: Sat, 01 Apr 2023 18:07:01 +0000
From: Henry Baker <hbaker1@pipeline.com>
Subject: Airline baggage drops (JSX)

I just received this *April Fool's* email from JSX, a startup airline
serving California.

The amazing thing is that I suggested something eerily similar about
a decade ago.

My non-April-Fool's suggestion was to have Fedex/UPS simply dump
all their packages from ~10,000' altitude, and have them GPS-guided
to their destinations, JDAM-style:

https://en.wikipedia.org/wiki/Joint_Direct_Attack_Munition

"The JDAM is not a stand-alone weapon; rather it is a 'bolt-on' guidance
package that converts unguided gravity bombs into precision-guided munitions
(PGMs)."

I figured that UPS/Fedex could deliver packages with the same precision
as JDAM bombs.

Beating swords into plowshares...

[In RISKS-26.78, I noted from my Bell Labs days that Vic Vyssotsky had a
wonderful piece on a Cable-laying Satellite, programmed to drop a cable
between two specified points, carefully engineered to avoid snap-back and
collateral damage. PGN]

------------------------------

Date: Sun, 02 Apr 2023 02:55:48 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: How space storms miscue train signals (phys.org)

[Re: Over 1,000 Trains Derail Each Year in America (NYTimes, RISKS-33.63).
PGN]

https://phys.org/news/2023-03-space-storms-miscue.html

"Train track disruptions are particularly troublesome because space storms
can interfere with detection systems that prevent collisions. Railways
detect trains using electrical currents and send stop signals to others to
avoid crashes. But when Earth's magnetic field is disrupted, they might send
false signals to stop or go, affecting operations and potentially
endangering the freight and passengers on board."

Recent train derailments across the U.S. are being investigated.

Certain trains (in the U.S.) with HazMat cargoes are remotely piloted by
joystick -- virtually crewed. They are currently exempt from certain safety
regulations.

https://www.nbcnews.com/politics/congress/remote-hazmat-trains-fall-congress-push-rail-regulation-rcna77667

------------------------------

Date: Mon, 3 Apr 2023 14:59:12 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Why Long Trains Keep Derailing (ProPublica)

Before that morning in Hyndman in August 2017, regulators had already
investigated seven long-train accidents in which the length was a culprit,
and the nation's largest rail-worker union had sounded alarms about a
pattern of problems.

None of this caused the Federal Railroad Administration, the agency in
charge of train safety, to intercede -- even as more long trains crashed in
the years after the Hyndman derailment, sending cars spilling into other
communities.

Today, the rail administration says it lacks enough evidence that long
trains pose a particular risk. But ProPublica discovered it is a quandary of
the agency's own making: It doesn't require companies to provide certain
basic information after accidents -- notably, the length of the train --
that would allow it to assess once and for all the extent of the danger.

... [More on Hunter Harrison PGN-truncated]

https://www.propublica.org/article/train-derailment-long-trains

------------------------------

Date: Fri, 31 Mar 2023 20:19:13 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Trojanized Windows and Mac apps rain down on 3CX users in
massive supply chain attack (Sentinel One)

Remember SolarWinds? A similar attack is playing out now against a new
software supplier.

Hackers working on behalf of the North Korean government have pulled off a
massive supply chain attack on Windows and macOS users of 3CX, a widely
used voice and video calling desktop client, researchers from multiple
security firms said.

Through means that aren't yet clear, the attack managed to distribute
Windows and macOS versions of the app, which provides both VoIP and PBX
services to 600,000+ customers <https://www.3cx.com/company/customers/>,
including American Express, Mercedes-Benz, and Price Waterhouse Cooper. The
attackers somehow gained the ability to hide malware inside 3CX apps that
were digitally signed using the company's official signing key. The macOS
version, according to <https://objective-see.org/blog/blog_0x73.html> macOS
security expert Patrick Wardle, was also notarized by Apple, indicating that
the company analyzed the app and detected no malicious functionality.

In the making since 2022

``This is a classic supply chain attack, designed to exploit trust
relationships between an organization and external parties,'' Lotem
Finkelstein, Director of Threat Intelligence & Research at Check Point
Software, said in an email. ``This includes partnerships with vendors or
the use of a third-party software which most businesses are reliant on in
some way. This incident is a reminder of just how critical it is that we do
our due diligence in terms of scrutinizing who we conduct business
with.''

Security firm CrowdStrike said the infrastructure and an encryption key
used in the attack match those seen in a March 7 campaign carried out by
Labyrinth Chollima, the tracking name for a threat actor aligned with the
North Korean government.

The attack came to light late on Wednesday, when products from various
security companies began detecting malicious activity coming from
legitimately signed binaries for 3CX desktop apps. Preparations for the
sophisticated operation began no later than February 2022, when the threat
actor registered a sprawling set of domains used to communicate with
infected devices. By 22 Mar 2023, security firm Sentinel One saw a spike in
behavioral detections
<https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/>
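  [The trust failure the report turns on is worth spelling out in code: a
  binary signed with the vendor's own key (and, on macOS, notarized) passes
  every platform signature check, because the check proves only that the key
  holder signed it, not that the vendor intended to ship it. The following is
  an added example, not code from the original post, from 3CX, or from any of
  the security firms quoted. Signing is simulated with HMAC-SHA256 so it runs
  offline; the key, the two builds and the pinned hash are all constructed for
  illustration. Real installers use Authenticode or Apple codesign, but the
  verification order, signature first, then an independently sourced hash
  pin, is the same.]

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed vendor signing key. In the real incident this role is played by
# the vendor's code-signing certificate; HMAC-SHA256 stands in here so the
# example runs with only the standard library.
VENDOR_KEY = b"constructed-vendor-release-signing-key"


def sign(key: bytes, artifact: bytes) -> bytes:
    """Produce a 'vendor signature' over an artifact (toy stand-in for codesign)."""
    return hmac.new(key, artifact, hashlib.sha256).digest()


def signature_valid(key: bytes, artifact: bytes, sig: bytes) -> bool:
    """The check the OS or installer performs: does the signature verify under the vendor key?"""
    return hmac.compare_digest(sign(key, artifact), sig)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str


def verify_release(artifact: bytes, sig: bytes, pinned_sha256: Optional[str]) -> Verdict:
    """Accept only if the vendor signature verifies AND the artifact hash matches a
    pin obtained through a channel the vendor's release pipeline does not control
    (a hash published by a second party, or a reproducible rebuild)."""
    if not signature_valid(VENDOR_KEY, artifact, sig):
        return Verdict(False, "signature invalid")
    if pinned_sha256 is None:
        return Verdict(False, "signature valid, but no independent pin to compare against")
    if not hmac.compare_digest(sha256_hex(artifact), pinned_sha256):
        return Verdict(False, "signature valid, but hash does not match the pinned release")
    return Verdict(True, "signature valid and hash matches the pinned release")


# Constructed builds: the genuine release, and a trojanized one that an attacker
# holding the vendor's signing key has signed exactly like the original.
GENUINE_BUILD = b"desktop-app-installer v1.2.3 (constructed genuine build)"
TROJANIZED_BUILD = GENUINE_BUILD + b"\n(constructed added payload)"

# Pin recorded when the genuine release was independently verified.
PINNED_SHA256 = sha256_hex(GENUINE_BUILD)


def demo() -> dict:
    genuine_sig = sign(VENDOR_KEY, GENUINE_BUILD)
    trojan_sig = sign(VENDOR_KEY, TROJANIZED_BUILD)  # verifies: attacker holds the key
    return {
        # What a signature check alone says about the trojanized build:
        "trojan_signature_valid": signature_valid(VENDOR_KEY, TROJANIZED_BUILD, trojan_sig),
        "genuine": verify_release(GENUINE_BUILD, genuine_sig, PINNED_SHA256),
        "trojan": verify_release(TROJANIZED_BUILD, trojan_sig, PINNED_SHA256),
        "trojan_no_pin": verify_release(TROJANIZED_BUILD, trojan_sig, None),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

  [The caveat a practitioner needs: the pin helps only if it comes from
  outside the compromised pipeline. If the same build system that signed the
  trojanized binary also publishes the hash, the attacker controls both and
  the second check adds nothing; likewise notarization, as described above,
  analyzed the vendor-signed binary rather than comparing it against an
  independent reference, so it could not catch a build the vendor's own key
  had blessed.]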

------------------------------

Date: Wed, 5 Apr 2023 07:37:52 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Chinese fraudsters: evading detection and monetizing stolen
credit-card information (ATT)

Cyber-attacks are common occurrences that often make headlines, but the
leakage of personal information, particularly credit-card data, can have
severe consequences for individuals. It is essential to understand the
techniques employed by cyber-criminals to steal this sensitive information.

Credit-card fraud in the United States has been on the rise, with total
losses reaching approximately $12.16 billion in 2021, according to Insider
Intelligence. Card-Not-Present (CNP) fraud constituted 72% of these losses,
with a substantial portion attributed to Chinese fraudsters.

This article discusses the tactics employed by Chinese cyber-actors in
committing CNP fraud and their value chain.
