Subject: Risks Digest 32.64

RISKS-LIST: Risks-Forum Digest  Tuesday 4 May 2021  Volume 32 : Issue 64

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.64>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Feds Arrest an Alleged $336M Bitcoin-Laundering Kingpin (WiReD)
Dark web child abuse image site with 400,000 members taken down in
  global police sting (NBC News)
U.S. Mulling Domestic Spying Partnership with Private Companies
  (Infosecurity Magazine)
A New Line of Attack that Evades Spectre Defenses (Science Daily)
An ambitious plan to tackle ransomware faces long odds (Ars Technica)
Paying ransomware doesn't pay (Rob Slade)
Legal chatbot firm DoNotPay adds anti-facial recognition filters
  to its suite of handy tools (The Verge)
Known software issue grounds Ingenuity Mars copter as it attempted
  fourth flight (The Register)
Stealthy Linux backdoor malware spotted after three years of
  minding your business (The Register)
BadAlloc: Microsoft looked at memory allocation code in tons of
  devices and found this one common security flaw (The Register)
Pro-Trump web forums are abuzz with directions to forge Covid
  vaccine cards (NBC News)
How to give Feedback about the Feedback Form? (Dan Jacobson)
100 prohibited porcupine quills seized at Dulles Airport (Herndon, VA Patch)
Re: The Plane Paradox (Lars-Henrik Eriksson, Peter Bernard Ladkin)
Re: SolarWinds, Microsoft Hacks Prompt Focus on Zero-Trust Security
  (Richard Stein)
Re: Outlook/Exchange accounts under attack (Amos Shapir)
Re: Hundreds Lose Internet service (A Michael W Bacon)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 30 Apr 2021 23:51:23 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Feds Arrest an Alleged $336M Bitcoin-Laundering Kingpin (WiReD)

Most remarkable, however, is the IRS's account of tracking down Sterlingov
using the very same sort of blockchain analysis that his own service was
meant to defeat. The complaint outlines how Sterlingov allegedly paid for
the server hosting of Bitcoin Fog at one point in 2011 using the now-defunct
digital currency Liberty Reserve. It goes on to show the blockchain evidence
that identifies Sterlingov's purchase of that Liberty Reserve currency with
bitcoins: He first exchanged euros for the bitcoins on the early
cryptocurrency exchange Mt. Gox, then moved those bitcoins through several
subsequent addresses, and finally traded them on another currency exchange
for the Liberty Reserve funds he'd use to set up Bitcoin Fog's domain.

Based on tracing those financial transactions, the IRS says, it then
identified Mt. Gox accounts that used Sterlingov's home address and phone
number, and even a Google account that included a Russian-language document
on its Google Drive offering instructions for how to obscure Bitcoin
payments. That document described exactly the steps Sterlingov allegedly
took to buy the Liberty Reserve funds he'd used.

The case shows yet another example of how Bitcoin, once widely believed to
be a powerful tool for making anonymous, untraceable transactions, has
turned out to be in many cases the very opposite. The blockchain's ledger of
all Bitcoin transactions since the cryptocurrency's creation has often
instead served as a means for law enforcement to trace even years-old
transactions.

https://www.wired.com/story/bitcoin-drug-deals-silk-road-blockchain/

The risk? Tracing the untraceable.
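
The tracing the article describes, reduced to its mechanics on a made-up
ledger. This is an added illustration, not the IRS's tooling and not code from
the WIRED piece; the addresses, transaction IDs, amounts and the entity labels
are constructed for the example. It does the two things the complaint relies
on: follow every output of every transaction that spends from an address
already reached (so change outputs and intermediate hops are not lost), and
apply the common-input-ownership heuristic, under which addresses spent
together in one transaction are assumed to belong to the same key holder.
Once a walk lands on an address an exchange controls, the exchange's own
records (here just a label) supply the identity.

```python
"""Follow funds across a constructed ledger of Bitcoin-style transactions.

Added example; the ledger, addresses, txids and labels below are made up.
A real analysis would read transactions from a node or block explorer.
"""
from collections import deque

# Constructed ledger: each transaction spends from input addresses and pays
# output addresses. "addr_A_change" is the change output that later gets
# spent together with addr_C, which is what links the two.
LEDGER = [
    {"txid": "tx1", "inputs": ["exch_mtgox_withdrawal_1"],
     "outputs": {"addr_A": 5.0}},
    {"txid": "tx2", "inputs": ["addr_A"],
     "outputs": {"addr_B": 3.0, "addr_A_change": 1.99}},
    {"txid": "tx3", "inputs": ["addr_B"],
     "outputs": {"addr_C": 2.99}},
    {"txid": "tx4", "inputs": ["addr_C", "addr_A_change"],
     "outputs": {"exch2_deposit_7": 4.97}},
    {"txid": "tx5", "inputs": ["unrelated_X"],
     "outputs": {"unrelated_Y": 0.5}},
]

# Known-entity labels an analyst obtains from exchange records (constructed).
LABELS = {
    "exch_mtgox_withdrawal_1": "Mt. Gox withdrawal (account holds name/address)",
    "exch2_deposit_7": "second exchange deposit (customer records available)",
}


def build_graph(ledger):
    """Map each address to the transactions that spend from it."""
    spends = {}
    for tx in ledger:
        for addr in tx["inputs"]:
            spends.setdefault(addr, []).append(tx)
    return spends


def trace_forward(ledger, start, max_hops=10):
    """Breadth-first walk from `start`: for every address reached, follow
    every output of every transaction that spends from it.
    Returns ({address: hops_from_start}, [txids in the order they were used])."""
    spends = build_graph(ledger)
    reached = {start: 0}
    path, seen_tx = [], set()
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        if reached[addr] >= max_hops:
            continue
        for tx in spends.get(addr, []):
            if tx["txid"] in seen_tx:  # a tx spending two reached addresses
                continue
            seen_tx.add(tx["txid"])
            path.append(tx["txid"])
            for out_addr in tx["outputs"]:
                if out_addr not in reached:
                    reached[out_addr] = reached[addr] + 1
                    queue.append(out_addr)
    return reached, path


def common_input_cluster(ledger):
    """Common-input-ownership heuristic: addresses spent together in one
    transaction are assumed to be controlled by the same key holder.
    Returns a list of disjoint address sets."""
    clusters = []
    for tx in ledger:
        ins = set(tx["inputs"])
        for c in [c for c in clusters if c & ins]:
            ins |= c
            clusters.remove(c)
        clusters.append(ins)
    return clusters


def labeled_endpoints(ledger, start):
    """Addresses reachable from `start` that belong to a known entity."""
    reached, _ = trace_forward(ledger, start)
    return {a: LABELS[a] for a in reached if a in LABELS and a != start}


if __name__ == "__main__":
    hops, txs = trace_forward(LEDGER, "exch_mtgox_withdrawal_1")
    print("path:", " -> ".join(txs))
    print("known endpoints:", labeled_endpoints(LEDGER, "exch_mtgox_withdrawal_1"))
    print("clusters:", common_input_cluster(LEDGER))
```

The walk is deliberately naive: it follows every output, so on a real ledger
it must be bounded by hops, amounts or known-entity stops, and it ignores
mixers that break the input/output linkage. The point it does show is the one
the article makes: the ledger is permanent, so a trail with no time limit
ends at whatever exchange kept records.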

------------------------------

Date: Mon, 3 May 2021 20:56:51 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Dark web child abuse image site with 400,000 members taken down in
  global police sting (NBC News)

Dark web child abuse image site with 400,000 members taken down in global
police sting

The three main suspects are accused of founding and maintaining the site, as
well as giving members advice on how to avoid arrest, German police said.

https://www.nbcnews.com/news/world/dark-web-child-abuse-image-site-400-000-members-taken-n1266108

------------------------------

Date: Tue, 4 May 2021 00:21:11 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: U.S. Mulling Domestic Spying Partnership with Private Companies
  (Infosecurity Magazine)

The Biden administration is reportedly considering teaming up with private
companies to monitor American citizens' private online activity and digital
communications.

According to news source CNN, multiple sources have said that the Department
of Homeland Security (DHS) is actively seeking a way to monitor citizens
online without having to first secure a warrant or prove that such
monitoring is an essential part of an ongoing investigation.

The sources said that a plan is being formed for the DHS to circumvent these
established checks to the government's power by working directly with
private firms.

Currently, only the unprotected information that Americans share on social
media sites and public online platforms can be accessed by federal
authorities.

However, the alleged plan being formed by the DHS would allow authorities to
see what Americans are writing and sharing online in access-restricted
spaces such as private Facebook groups.

The plan is reportedly not centered on the decryption of data belonging to
Americans but is instead focused on getting outside entities with legal
access to the information being shared online to report what is being said
to the government.

Limits are also in place at the Central Intelligence Agency (CIA) and
National Security Administration (NSA) when it comes to domestic espionage.

https://www.infosecurity-magazine.com/news/private-companies-may-spy-on/

------------------------------

Date: Sat, 1 May 2021 10:21:17 -0400
From: Bob Gezelter <gezelter@rlgsc.com>
Subject: A New Line of Attack that Evades Spectre Defenses (Science Daily)

A team of computer-science researchers has uncovered a line of attack that
breaks all Spectre defenses, meaning that billions of computers and other
devices across the globe are just as vulnerable today as they were when
Spectre was first announced.

https://www.sciencedaily.com/releases/2021/04/210430165903.htm

  [This appears to be somewhat misguided reporting.  Spectre defenses
  generally require hardware changes, and cannot be adequately resolved with
  existing hardware.  The new CHERI hardware is trying to provide real
  solutions.  Maybe *Science Daily* meant Meltdown?  PGN]

------------------------------

Date: Sun, 2 May 2021 10:38:00 -0400
From: Monty Solomon <monty@roscom.com>
Subject: An ambitious plan to tackle ransomware faces long odds
 (Ars Technica)

Heavyweight task force proposes framework to tackle a major cybersecurity problem.

https://arstechnica.com/information-technology/2021/05/an-ambitious-plan-to-tackle-ransomware-faces-long-odds/

------------------------------

Date: Mon, 3 May 2021 12:53:55 -0700
From: Rob Slade <rslade@gmail.com>
Subject: Paying ransomware doesn't pay

OK, I have, elsewhere, expressed my opinion that paying the ransom for
ransomware is a bad idea.  https://community.isc2.org/t5/I/P/m-p/18736 First
off, you are funding crime.  Secondly, you are encouraging crime.  (If
nobody paid the ransoms, they'd stop doing ransomware, wouldn't they?)

Then there are the various reasons why paying the ransomware isn't a good
idea in simply practical terms.  Some of the ransomware was never intended
to allow you to recover.  Some is badly coded, and doesn't work when
decrypting.  Some of the ransomware families are simply based on symmetric
encryption, and one key decrypts all.  (You can find lists of those, and the
ways to recover, at various places on the net.)  Some of the ransomware
groups are just disorganized, and lose their keys.

(Then there are those who confuse ransomware with breachstortion, and are
talking about people who actually do steal your data, and then threaten to
publish it unless you pay up.  Most of the same reasons why paying ransom
to them is a bad idea hold, with the addition of the fact that, if you pay
the ransom, you are relying on the promises and integrity of a bunch of
thieves, liars, and extortionists.)

(Oh, and that argument about the "business model" of ransomware and
breachstortion being based on them doing what they promise?  That business
model only works if you are talking about return or repeat business.  Are
you telling me that you are going to go through ransom or extortion with
the same group all over again?  How stupid *are* you?)

Now some research from Sophos backs that up.  If you pay, you've got a less
than 10% chance of getting all your data back.
https://www.forbes.com/sites/daveywinder/2021/05/02/ransomware-reality-shock-92-who-pay-dont-get-their-data-back

  [Speaking of "backs that up", can you spell "backup" -- which allows one
  to recover without paying.  Yes, that does not help with breachstortion,
  but once again, the real answer seems to be better security in hardware and
  software, and more-aware users and admins.  PGN]
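
A backup is the answer to ransomware only if the backup itself is still
readable: the same process that encrypts a file share will also encrypt a
mounted backup volume, and the damage goes unnoticed until restore time. The
following is an added example, not from Rob Slade's post, the Sophos survey or
Forbes, of the check a practitioner wants before trusting a backup set: a
manifest of SHA-256 digests recorded when the backup was taken, verified
later, with any changed file that has turned into near-random bytes flagged as
probably encrypted. The manifest format, the entropy threshold and the sample
files are assumptions made for the illustration.

```python
"""Verify a backup set against the digest manifest recorded when it was
taken, and flag files that now look encrypted.

Added example. The manifest layout (relative path -> sha256), the 7.5 bit/byte
entropy threshold and the sample files in demo() are assumptions.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte. Text and most documents sit well below 7;
    ciphertext and compressed data sit close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Record relative path -> sha256 for every file under root.
    Run at backup time and store the result somewhere the backup host
    cannot overwrite (offline media, a write-once bucket)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_backup(root, manifest, entropy_threshold=7.5):
    """Compare the backup tree with the manifest. Returns a report with
    intact, modified, missing, and suspect_encrypted file lists; a modified
    file whose first MiB is near-random is counted as suspect_encrypted."""
    report = {"intact": [], "modified": [], "missing": [], "suspect_encrypted": []}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            report["missing"].append(rel)
            continue
        if sha256_file(full) == expected:
            report["intact"].append(rel)
            continue
        report["modified"].append(rel)
        with open(full, "rb") as f:
            sample = f.read(1 << 20)
        if shannon_entropy(sample) >= entropy_threshold:
            report["suspect_encrypted"].append(rel)
    return report


def demo():
    """Constructed scenario: take a manifest of three plaintext files, then
    simulate ransomware overwriting one with random bytes and deleting another."""
    with tempfile.TemporaryDirectory() as root:
        docs = {
            "notes.txt": b"quarterly figures\n" * 200,
            "readme.md": b"restore procedure: see runbook\n" * 100,
            "ledger.csv": b"date,amount\n2021-05-01,42\n" * 300,
        }
        for name, body in docs.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        manifest = build_manifest(root)
        with open(os.path.join(root, "ledger.csv"), "wb") as f:
            f.write(os.urandom(len(docs["ledger.csv"])))   # "encrypted" in place
        os.remove(os.path.join(root, "readme.md"))
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:18s} {files}")
```

The entropy flag is a heuristic: already-compressed or already-encrypted
files (archives, media, encrypted containers) score high when untouched, so
the decisive signal is the digest mismatch, and the entropy only says what
kind of damage it probably is. The manifest is only worth anything if the
attacker who reached the backup volume could not also rewrite it.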

------------------------------

Date: Tue, 4 May 2021 12:22:35 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Legal chatbot firm DoNotPay adds anti-facial recognition filters
  to its suite of handy tools (The Verge)

https://www.theverge.com/2021/4/27/22405570/donotpay-ninja-anti-reverse-image-search-facial-recognition-filter

------------------------------

Date: Fri, 30 Apr 2021 21:15:31 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Known software issue grounds Ingenuity Mars copter as it attempted
  fourth flight (The Register)

https://go.theregister.com/feed/www.theregister.com/2021/04/30/ingenuity_fourth_flight_flops/

------------------------------

Date: Fri, 30 Apr 2021 21:24:24 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Stealthy Linux backdoor malware spotted after three years of
  minding your business (The Register)

https://go.theregister.com/feed/www.theregister.com/2021/04/29/stealthy_linux_backdoor_malware_spotted/

------------------------------

Date: Fri, 30 Apr 2021 21:24:14 -0400
From: Monty Solomon <monty@roscom.com>
Subject: BadAlloc: Microsoft looked at memory allocation code in tons of
  devices and found this one common security flaw (The Register)

https://go.theregister.com/feed/www.theregister.com/2021/04/29/microsoft_badalloc_iot/

------------------------------

Date: Sun, 2 May 2021 17:44:16 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Pro-Trump web forums are abuzz with directions to forge Covid
  vaccine cards (NBC News)

Some states put templates online, spurring pro-Trump and anti-vaccination forums to start spreading tips for how to create fake cards.

https://www.nbcnews.com/tech/tech-news/covid-vaccination-card-fraud-prompts-cdc-action-rcna802

------------------------------

Date: Sat, 01 May 2021 18:52:19 +0800
From: Dan Jacobson <jidanni@jidanni.org>
Subject: How to give Feedback about the Feedback Form?

Let's say you are an extra big company, with an extra small single point of
contact: the Feedback Form. But what if it breaks?  Every other form of
contact just plays a recording:
  "Please use the Feedback Form."
How to give Feedback about the Feedback Form?

1) Determine the headquarters of aforementioned extra big company is merely
  a couple miles from the headquarters of RISKS moderator PGN.

2) Send PGN on a mission to give a certain Mr. Zuckerberg feedback. PGN says
  "Having walked all the way from SRI, I'll be dead soon." Alas, the
  secretary says "He's with a client. I don't know what to do."
  https://www.youtube.com/watch?v=Tp8XcAKYsKo

------------------------------

Date: Sat, 1 May 2021 00:10:35 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: 100 prohibited porcupine quills seized at Dulles Airport
  (Herndon, VA Patch)

"Travelers should be aware that those seemingly safe animal souvenirs they
purchase overseas may accidentally introduce animal diseases that could
devastate our livestock industries, sicken our citizens, and impact our
nation's economy," said Keith Fleming, acting director of Field Operations
for CBP's Baltimore Field Office, in a release.  "Customs and Border
Protection remains on our nation's frontline as protectors of our
agricultural resources, and we will continue to work with our partners to
intercept all potential threats at our nation's ports of entry."

https://patch.com/virginia/herndon/100-prohibited-porcupine-quills-seized-dulles-airport

------------------------------

Date: Sat, 1 May 2021 07:18:44 +0200
From: Lars-Henrik Eriksson <lhe@it.uu.se>
Subject: Re: The Plane Paradox: More Automation Should Mean More Training
  (WiReD, RISKS-32.63)

> "Shortly after a Smartlynx Estonian Airbus 320 took off on February 28,
> 2018, all four of the aircraft's flight control computers stopped
> working."

That description is misleading to the point of being incorrect. The incident
began on the runway during a touch and go after several hours of training
flights the same day. During that time there had been almost a dozen alerts
that something was wrong with the pitch-control system. All alerts had been
reset and then ignored. At some point one alert was not reset, causing a
loss of redundancy.

Indeed, one of the causal factors determined by the accident investigation
was the training instructor's decision to continue the training flights
despite the multiple fault messages. So arguably this was not a case of
automation surprising pilots, but rather of poor decision-making.

Accident investigation report:
https://www.ojk.ee/et/system/files/fail/manus/ee0180_es_san_investigation_report.pdf

------------------------------

Date: Sat, 1 May 2021 11:37:21 +0200
From: Peter Bernard Ladkin <ladkin@causalis.com>
Subject: Re: The Plane Paradox (RISKS-32.63)

> "Shortly after a Smartlynx Estonian Airbus 320 took off on February 28,
> 2018, all four of the aircraft's flight control computers stopped
> working. ...  Only the skill of the instructor pilot on board prevented a
> fatal crash."

This, of course, is nonsense.

1. The A320 has two elevator aileron computers (ELAC), three spoiler
  elevator computers (SEC), and two flight augmentation computers (FAC), for
  a total of seven. The aerodynamic control surface actuators are commanded
  by combinations of these.

2. There is no way to control the aircraft aerodynamically if all FCCs fail.

------------------------------

Date: Sat, 1 May 2021 11:20:01 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: Re: SolarWinds, Microsoft Hacks Prompt Focus on Zero-Trust Security
  (James Rundle, RISKS-32.63)

James Rundle wrote: "At an April 22 virtual event hosted by Cyber Education
Institute LLC's Billington Cybersecurity unit, U.S. Department of Defense's
John Sherman said the public and private sectors should adopt zero-trust
models that constantly verify whether a device, user, or program should be
able to do what it is asking to do."

The "Zero Trust Architecture" from
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

Deployment of ZTA strategies appears to advocate a centralized policy
decision point (PDP) and policy enforcement point (PEP) that oversees and
continuously monitors identity, credential, access, and authorization to
legitimate an organization's resources (devices, services, and users). A
complex, multi-dimensional privilege matrix is likely monitored and
characterized for resource operation based on access, authorization,
feature/capability/purpose, role, etc.

On paper, ZTA enhances infosec defense-in-depth and is proactive. A
significant change from the reactive infosec practices widely deployed today
that invite data breach/malware infection.

Risk: Legitimized resource access through a control gateway.

Compromise the PDP/PEP and/or the policy administrator who operates it, and
the resource is compromised.
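
The PDP/PEP split, and the risk the post names, in a small worked form. This
is an added example, not text or code from NIST SP 800-207 and not Richard
Stein's; the policy schema, the request attributes (role, device compliance,
age of the last MFA) and the pinned policy digest are assumptions chosen for
illustration. It shows the "constantly verify" part (every request is decided
afresh, so a stale MFA or a device that has dropped out of compliance is
refused mid-session), and then shows that a one-line change to the policy at
the PDP turns a denial into a grant.

```python
"""Minimal policy decision point (PDP) and policy enforcement point (PEP).

Added example. The policy format, the request attributes and the digest
pinning are assumptions; SP 800-207 does not prescribe any of them.
"""
import hashlib
import json
import time

# Constructed policy: resource -> requirements checked on every request.
POLICY = {
    "payroll-db": {"roles": ["finance"], "device_compliant": True,
                   "mfa_max_age_s": 900, "actions": ["read"]},
    "wiki": {"roles": ["finance", "eng"], "device_compliant": False,
             "mfa_max_age_s": 86400, "actions": ["read", "write"]},
}


def policy_digest(policy):
    """SHA-256 over canonical JSON. The PEP pins this value out of band
    (assumed: at deploy time) so it can notice a rewritten policy store."""
    canon = json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


class PDP:
    def __init__(self, policy):
        self.policy = policy

    def decide(self, request, now):
        """Evaluate one request. Nothing is remembered from earlier requests;
        the session concept lives only in how recent the MFA is."""
        rule = self.policy.get(request["resource"])
        if rule is None:
            return False, "unknown resource"
        if request["action"] not in rule["actions"]:
            return False, "action not permitted"
        if request["role"] not in rule["roles"]:
            return False, "role not permitted"
        if rule["device_compliant"] and not request["device_compliant"]:
            return False, "device out of compliance"
        if now - request["mfa_at"] > rule["mfa_max_age_s"]:
            return False, "MFA too old, re-authenticate"
        return True, "ok"


class PEP:
    def __init__(self, pdp, pinned_digest):
        self.pdp = pdp
        self.pinned = pinned_digest

    def handle(self, request, now=None):
        now = time.time() if now is None else now
        # Refuse to consult a PDP whose policy no longer matches the pin.
        if policy_digest(self.pdp.policy) != self.pinned:
            return False, "policy integrity check failed"
        return self.pdp.decide(request, now)


def demo_tamper():
    """Constructed scenario for the risk in the post: someone with write
    access to the PDP's policy widens one rule. Returns the decision before
    tampering, the PDP's own decision afterwards, and the PEP's decision
    afterwards with the digest pinned."""
    req = {"role": "eng", "device_compliant": False, "mfa_at": 1000.0,
           "resource": "payroll-db", "action": "read"}
    pdp = PDP(json.loads(json.dumps(POLICY)))      # private deep copy
    pep = PEP(pdp, policy_digest(pdp.policy))
    before = pep.handle(req, now=1100.0)
    pdp.policy["payroll-db"]["roles"].append("eng")   # the one-line change
    pdp.policy["payroll-db"]["device_compliant"] = False
    at_pdp = pdp.decide(req, 1100.0)
    at_pep = pep.handle(req, now=1100.0)
    return before, at_pdp, at_pep


if __name__ == "__main__":
    for label, result in zip(("before", "PDP after tamper", "PEP after tamper"),
                             demo_tamper()):
        print(f"{label:18s} {result}")
```

The pinned digest catches a rewritten policy store, which is the cheap case.
It does nothing against the case the post is actually about: a policy
administrator (or an attacker holding that administrator's credentials) who
can change the policy and update the pin through the same sanctioned path.
That is why the PDP, its admin interface and the identity of whoever may
change policy sit at the top of the asset list in a zero-trust deployment.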

------------------------------

Date: Sun, 2 May 2021 17:33:17 +0300
From: Amos Shapir <amos083@gmail.com>
Subject: Re: Outlook/Exchange accounts under attack (Slade, RISKS-32.63)

Me too.  The source of the leaked (or rather publicized) email addresses is
none other than the RISKS list itself, and its archives.  These addresses
are gathered in bunches which are sold over and over; a new wave of junk
appears each time a bunch is bought by a new operator.  (Your address may
appear several times in each bunch).

------------------------------

Date: Sat, 1 May 2021 13:26:35 +0100
From: A Michael W Bacon <amichaelwbacon@gmail.com>
Subject: Re: Hundreds Lose Internet service (RISKS-32.63)

  [Michael was really surprised that I ESCHEWED the opportunity to make a pun.

  How about "Beaver damns the Internet"?  PGN]

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.64
************************