Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!panix!.POSTED.panix3.panix.com!not-for-mail
From: risko@csl.sri.com (RISKS List Owner)
Newsgroups: comp.risks
Subject: Risks Digest 33.77
Date: 12 Aug 2023 03:42:27 -0000
Organization: PANIX Public Access Internet and UNIX, NYC
Lines: 873
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1691811518.risko@chiron.csl.sri.com15811>
Injection-Info: reader2.panix.com; posting-host="panix3.panix.com:166.84.1.3";
logging-data="4280"; mail-complaints-to="abuse@panix.com"
To: risko@csl.sri.com

RISKS-LIST: Risks-Forum Digest Friday 11 August 2023 Volume 33 : Issue 77

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.77>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents: [Way backlogged. Here's a start at catch-up. PGN]
Failed communications left Maui residents trapped by fire,
unable to escape (LATimes)
Firmware vulnerabilities in millions of computers could
give hackers superuser status (Ars Technica)
Cyberattack Sabotages Medical Sites in Four States
(Rebecca Carballo)
UK electoral register hacked in August 2021 (The Guardian)
New acoustic attack steals data from keystrokes with 95%
accuracy (Bleeping Computer)
Downfall Attacks on Intel CPUs Steal Encryption Keys, Data
(Ionut Ilascu)
California privacy regulator's first case: Probing
Internet-connected cars (WashPost)
Hackers Stole $6M from Connecticut public school system
(Lola Fadulu)
VR Headsets Are Vulnerable to Hackers (UC Riverside)
Security and Human Behavior -- SHB 2023 (Bruce Schneier)
Typo sends millions of U.S. military emails to Russian ally Mali
(BBC)
Bots and Spam attack Meta's Threads (TechCrunch)
Facebook sent information on visitors to police *anonymous
reporting* site (The Guardian)
Tech companies acknowledge machine-learning algorithms can perpetuate
discrimination and need improvement. (NYTimes)
Wikipedia's Moment of Truth? (NYTimes)
Why AI detectors think the U.S. Constitution was written by AI (Ars Technica)
ChatGPT's Accuracy Has Gotten Worse (Andrew Paul)
In the Age of AI, Tech's Little Guys Need Big Friends (NYTimes)
OpenAI's trust and safety lead is leaving the company
(Engadget)
AI That Teaches Other AI (Greg Hardesty)
Researchers Find Deliberate Backdoor in Police Radio Encryption Algorithm
(Kim Zetter)
Researchers Poke Holes in Safety Controls of ChatGPT, Other Chatbots
(Cade Metz)
Unpatchable AMD Chip Flaw Unlocks Paid Tesla Feature Upgrade
(Brandon Hill)
Eight-Months Pregnant Woman Arrested After False Facial
Recognition Match (Kashmir Hill)
MIT Makes Probability-Based Computing a Bit Brighter
(IEEE Spectrum)
Wikipedia's Moment of Truth (NYTimes)
Possible Typo Leads to Actual Scam (Bob Smith)
'Redacted Redactions' Strike Again (Henry Baker)
Re: Defective train safety controls lead to bus rides for South Auckland
commuters (George Neville-Neil)
Re: Myth about innovation ... (Henry Baker, Martyn Thomas,
John Levine)
Internet censorship (Gene Spafford)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 11 Aug 2023 13:02:46 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Failed communications left Maui residents trapped by fire,
unable to escape (LATimes)

https://www.latimes.com/world-nation/story/2023-08-11/failed-communication-and-huge-death-toll-in-maui-fires

------------------------------

Date: Fri, 21 Jul 2023 16:17:32 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Firmware vulnerabilities in millions of computers could
give hackers superuser status (Ars Technica)

https://arstechnica.com/security/2023/07/millions-of-servers-inside-data-centers-imperiled-by-flaws-in-ami-bmc-firmware/

------------------------------

Date: Mon, 7 Aug 2023 18:12:02 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Cyberattack Sabotages Medical Sites in Four States
(Rebecca Carballo)

Rebecca Carballo, *The New York Times*, 7 Aug 2023
As hospitals go online, they become more vulnerable.

Ransomware. Prospect Medical Holdings in CA/CT/PA/RI
16 Hospitals, over 176 clinics affected. [PGN-ed in just
another demonstration of how untrustworthy this can be.]

------------------------------

Date: Tue, 8 Aug 2023 14:42:12 +0100
From: "Robert N. M. Watson"
Subject: UK electoral register hacked in August 2021 (The Guardian)

https://www.theguardian.com/technology/2023/aug/08/uk-electoral-commission-registers-targeted-by-hostile-hackers?CMP=Share_iOSApp_Other

------------------------------

Date: Wed, 9 Aug 2023 06:45:13 -0700
From: Victor Miller <victorsmiller@gmail.com>
Subject: New acoustic attack steals data from keystrokes with 95%
accuracy (Bleeping Computer)

https://www.bleepingcomputer.com/news/security/new-acoustic-attack-steals-data-from-keystrokes-with-95-percent-accuracy/

------------------------------

Date: Fri, 11 Aug 2023 11:23:58 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Downfall Attacks on Intel CPUs Steal Encryption Keys, Data
(Ionut Ilascu)

Ionut Ilascu, *Bleeping Computer*, 8 Aug 2023

Google's Daniel Moghimi exploited the so-called "Downfall" bug in Intel
central processing units to steal passwords, encryption keys, and private
data from computers shared by multiple users. The transient execution
side-channel vulnerability affects multiple Intel microprocessor lines,
allowing hackers to exfiltrate Software Guard eXtensions-encrypted
information. Moghimi said Downfall attacks leverage the *gather*
instruction that "leaks the content of the internal vector register file
during speculative execution." He developed the Gather Data Sampling exploit
to extract AES 128-bit and 256-bit cryptographic keys on a separate virtual
machine from the controlled one, combining them to decrypt the information
in less than 10 seconds. Moghimi disclosed the flaw to Intel and worked with
the company on a microcode update to address it.

------------------------------

Date: Tue, 1 Aug 2023 18:24:07 -0400
From: Monty Solomon <monty@roscom.com>
Subject: California privacy regulator's first case: Probing
Internet-connected cars (WashPost)

Data collection in cars has surged in recent years, especially in cars that
encourage users to plug in their phones to play music, get spoken directions
and make hands-free calls.

https://www.washingtonpost.com/technology/2023/07/31/cppa-privacy-car-data/

[If the Internet of Things has no appreciable trustworthiness, why should
we be surprised when cars are just IoT things! PGN]

------------------------------

Date: Fri, 11 Aug 2023 9:23:39 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Hackers Stole $6M from Connecticut public school system
(Lola Fadulu)

Lola Fadulu, *The New York Times*, 11 Aug 2023

New Haven CT has stopped the use of electronic transfers (except
payrolls). $3.6M has been recovered. (PGN-ed)

------------------------------

Date: Fri, 11 Aug 2023 11:23:58 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: VR Headsets Are Vulnerable to Hackers
(UC Riverside)

David Danelski, UC Riverside News, 8 Aug 2023

Computer scientists at the University of California, Riverside found hackers
can translate the movements of virtual reality (VR) and augmented reality
(AR) headset users into words using spyware and artificial intelligence. In
one example, spyware used a headset user's motions to record their Facebook
password as they air-typed it on a virtual keyboard. Spies also could
potentially access a user's actions during virtual meetings involving
confidential information by interpreting body movements. One exploit showed
hackers retrieving a target's hand gestures, voice commands, and keystrokes
on a virtual keyboard with over 90% accuracy. Researchers also developed a
system called TyPose that uses machine learning to extract AR/VR users' head
motions to deduce words or characters they are typing.

------------------------------

Date: Sat, 15 Jul 2023 08:27:20 +0000
From: Bruce Schneier <schneier@schneier.com>
Subject: Security and Human Behavior -- SHB 2023

For back issues, or to subscribe, visit Crypto-Gram's web page.
https://www.schneier.com/crypto-gram/
https://www.schneier.com/crypto-gram/archives/2023/0715.html

These same essays and news items appear in the Schneier on Security
[https://www.schneier.com/] blog, along with a lively and
intelligent comment section. An RSS feed is available.

[PGN-excerpted from Bruce Schneier's CRYPTO-GRAM, 15 Jul 2023, as both
timely and historically relevant to a topic that has been in RISKS
since the first issue.]

** SECURITY AND HUMAN BEHAVIOR (SHB) 2023

[2023.06.16]
[https://www.schneier.com/blog/archives/2023/06/security-and-human-behavior-shb-2023.html]
I'm just back from the sixteenth Workshop on Security and Human
Behavior [https://www.heinz.cmu.edu/~acquisti/SHB2023/index.htm]
hosted by Alessandro Acquisti at Carnegie Mellon University in
Pittsburgh.

SHB is a small annual invitational workshop of people studying various
aspects of the human side of security, organized each year by
Alessandro Acquisti, Ross Anderson, and myself. The fifty or so
attendees include psychologists, economists, computer security
researchers, criminologists, sociologists, political scientists,
designers, lawyers, philosophers, anthropologists, geographers,
neuroscientists, business-school professors, and a smattering of
others. It's not just an interdisciplinary event; most of the people
here are individually interdisciplinary.

