Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 32.65

RISKS-LIST: Risks-Forum Digest  Sunday 9 May 2021  Volume 32 : Issue 65

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can also be found at

  Contents:
Prescribing software in some hospitals in South Australia adds digit to dosages (ABC.AU)
Ransomware Cyber Attack Forced the Largest U.S. Fuel Pipeline to Shut Down (The Hacker News)
This massive DDoS attack took large sections of a country's Internet offline (ZDNet)
Dogecoin tumbles nearly 50% after Musk calls it a 'hustle' on SNL (Breaking Alpha)
Top 12 Security Flaws Russian Spy Hackers Are Exploiting in the Wild (The Hacker News)
They Told Their Therapists Everything. Hackers Leaked It All (WiReD)
Railroad Signaling Explained: Crossings (YouTube)
USPS claims slowing down the mail won't actually slow down the mail (GovExec)
The Lithium Gold Rush: Inside the Race to Power Electric Vehicles (NYTimes)
FTC report blasts manufacturers for restricting product repairs (Jon Porter)
New Stealthy Rootkit Infiltrated Networks of High-Profile Organizations (The Hacker News)
Cellular Industry's Clash Over the Movement to Remake Networks (IEEE Spectrum)
Hack-to-Patch by Law Enforcement Is a Dangerous Practice (Just Security)
DHS kicks off workforce sprint with push to hire 200 cyber pros (FCW)
Latest "How I ended up posting my password for all to see" (Dan Jacobson)
To Solve 3 Cold Cases, This Small County Got a DNA Crash Course (NYTimes)
A mom panicked when her 4-year-old bought $2,600 in SpongeBob Popsicles. Good Samaritans are paying (WashPost)
Re: How to give Feedback about the Feedback Form?
 (Mark Brader)
Re: Feds Arrest an Alleged $336M Bitcoin-Laundering Kingpin (Peter Houppermans)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 8 May 2021 08:47:13 +1000
From: Boyd Adamson
Subject: Prescribing software in some hospitals in South Australia adds digit to dosages (ABC.AU)

On Wednesday night, staff at several major public hospitals were sent an urgent memo informing them of an issue with the Sunrise EMR computer system. The system was duplicating the last digit of dosage quantities, with patients potentially receiving more than 10 times the necessary amount of medication.

"It's added another digit and replicated the last digit, so if you were to have 17 milligrams, it would have prescribed 177 milligrams," SA Health CEO Chris McGowan told ABC Radio Adelaide's David Bevan.

"It was a generic issue in the prescribing software. It's a patch relating to upgrading to Microsoft 10. That's the operating hypothesis at least, but that's being checked and that'll all be part of the review."

Source: Health boss unsure how many hospital patients were overdosed due to Windows upgrade
https://www.abc.net.au/news/2021-05-07/sa-health-unsure-of-patient-impact-of-medication-dosage-bungle/100122958

  [Simon Scott noted this story at
  https://www.abc.net.au/news/2021-05-06/sa-sunrise-dosing-error-hospitals-dosing-glitch/100122642
  and he commented: [I] always used to think it's only IT, not life or death... PGN]

------------------------------

Date: Sat, 8 May 2021 22:24:27 -1000
From: geoff goodfellow
Subject: Ransomware Cyber Attack Forced the Largest U.S. Fuel Pipeline to Shut Down (The Hacker News)

Colonial Pipeline, which carries 45% of the fuel consumed on the U.S. East Coast, on Saturday said it halted operations due to a ransomware attack, once again demonstrating how infrastructure is vulnerable to cyberattacks.
"On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack," the company said in a statement posted on its website. "We have since determined that this incident involves ransomware. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems."

Colonial Pipeline is the largest refined products pipeline in the U.S., a 5,500 mile (8,851 km) system involved in transporting over 100 million gallons from the Texas city of Houston to New York Harbor.

Cybersecurity firm FireEye's Mandiant incident response division is said to be assisting with the investigation, according to reports from Bloomberg and The Wall Street Journal, with the attack linked to a ransomware strain called DarkSide. [...]

https://thehackernews.com/2021/05/ransomware-cyber-attack-forced-largest.html

  [See also Cyberattack Forces a Shutdown of Colonial Pipeline, noted by Jan Wolitzky: PGN]

------------------------------

Date: Wed, 5 May 2021 23:38:58 -1000
From: geoff goodfellow
Subject: This massive DDoS attack took large sections of a country's Internet offline (ZDNet)

More than 200 organisations across Belgium including the government and parliament were affected by a DDoS attack that overwhelmed them with bad traffic. [...]
https://www.zdnet.com/article/this-massive-ddos-attack-took-large-sections-of-a-countrys-internet-offline/

------------------------------

Date: Sun, 9 May 2021 08:39:13 -0700
From: Lauren Weinstein
Subject: Dogecoin tumbles nearly 50% after Musk calls it a 'hustle' on SNL (Breaking Alpha)

https://seekingalpha.com/news/3693620-dogecoin-tumbles-nearly-50-after-musk-calls-it-a-hustle-on-snl

Also this [PGN-combined]:
The Internet Was Furious After Robinhood's Servers Crashed While Watching Dogecoin Prices Plummet During Elon Musk's SNL Appearance (BroBible)
https://brobible.com/culture/article/dogecoin-prices-elon-musk-robinhood/

------------------------------

Date: Sat, 8 May 2021 11:13:42 -1000
From: geoff goodfellow
Subject: Top 12 Security Flaws Russian Spy Hackers Are Exploiting in the Wild (The Hacker News)

Cyber operatives affiliated with the Russian Foreign Intelligence Service (SVR) have switched up their tactics in response to previous public disclosures of their attack methods, according to a new advisory jointly published by intelligence agencies from the U.K. and U.S. Friday.

"SVR cyber operators appear to have reacted [...] by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders," the National Cyber Security Centre (NCSC) said.

These include the deployment of an open-source tool called Sliver to maintain their access to compromised victims as well as leveraging the ProxyLogon flaws in Microsoft Exchange servers to conduct post-exploitation activities.

The development followed the public attribution of SVR-linked actors to the SolarWinds supply-chain attack last month. The adversary is also tracked under different monikers, such as Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium.

The attribution was also accompanied by a technical report detailing five vulnerabilities that the SVR's APT29 group was using as initial access points to infiltrate U.S. and foreign entities. [...]
https://thehackernews.com/2021/05/top-11-security-flaws-russian-spy.html

------------------------------

Date: Wed, 5 May 2021 01:34:39 -0400
From: Gabe Goldberg
Subject: They Told Their Therapists Everything. Hackers Leaked It All (WiReD)

A mental health startup built its business on easy-to-use technology. Patients joined in droves. Then came a catastrophic data breach.

https://www.wired.com/story/vastaamo-psychotherapy-patients-hack-data-breach/

  [Very long item by William Ralston, 04 May 2021. The final paragraph is PGN-appended.]

If the scale of the attack was shocking, so was its cruelty. Not just because the records were so sensitive; not just because the attacker, or attackers, singled out patients like wounded animals; but also because, out of all the countries on earth, Finland should have been among the best able to prevent such a breach. Along with neighboring Estonia, it is widely considered a pioneer in digital health. Since the late 1990s, Finnish leaders have pursued the principle of *citizen-centered, seamless* care, backed up by investments in technology infrastructure. Today, every Finnish citizen has access to a highly secure service called Kanta, where they can browse their own treatment records and order prescriptions. Their health providers can use the system to coordinate care.

------------------------------

Date: Sun, 9 May 2021 00:31:26 -0400
From: Gabe Goldberg
Subject: Railroad Signaling Explained: Crossings (YouTube)

https://www.youtube.com/watch?v=YkzYMi-PY5U

The risk? The train always wins.

------------------------------

Date: Wed, 5 May 2021 15:31:06 -0700
From: Lauren Weinstein
Subject: USPS claims slowing down the mail won't actually slow down the mail

At hearing, USPS admits it hasn't studied most impacts of their plans to drastically slow down the mail, and claims that slowing down the mail won't actually slow down the mail. Pure Trump, even with Trump gone.
https://www.govexec.com/management/2021/05/usps-defends-slower-mail-proposal-its-regulator/173780/

------------------------------

Date: Thu, 6 May 2021 23:47:36 -0400
From: Gabe Goldberg
Subject: The Lithium Gold Rush: Inside the Race to Power Electric Vehicles (NYTimes)

A race is on to produce lithium in the United States, but competing projects are taking very different approaches to extracting the vital raw material. Some might not be very green.

The Lithium Gold Rush: Inside the Race to Power Electric Vehicles
https://www.nytimes.com/2021/05/06/business/lithium-mining-race.html

Different shades of green.

------------------------------

Date: May 7, 2021 21:12:52 JST
From: Richard Forno
Subject: FTC report blasts manufacturers for restricting product repairs (Jon Porter in The Verge)

  [via Dave Farber]

Jon Porter@JonPorty 7 May 2021
There is scant evidence to support manufacturers' justifications for repair restrictions
https://www.theverge.com/2021/5/7/22424363/ftc-repair-restrictions-report-nixing-the-fix-smartphones-automakers

FTC report:
https://www.ftc.gov/system/files/documents/reports/nixing-fix-ftc-report-congress-repair-restrictions/nixing_the_fix_report_final_5521_630pm-508_002.pdf

------------------------------

Date: Fri, 7 May 2021 11:02:54 -1000
From: geoff goodfellow
Subject: New Stealthy Rootkit Infiltrated Networks of High-Profile Organizations (The Hacker News)

An unknown threat actor with the capabilities to evolve and tailor its toolset to target environments infiltrated high-profile organizations in Asia and Africa with an evasive Windows rootkit since at least 2018.

Called 'Moriya,' the malware is a "passive backdoor which allows attackers to inspect all incoming traffic to the infected machine, filter out packets that are marked as designated for the malware and respond to them," said Kaspersky researchers Mark Lechtik and Giampaolo Dedola in a Thursday deep-dive.
The Russian cybersecurity firm termed the ongoing espionage campaign 'TunnelSnake.' Based on telemetry analysis, less than 10 victims around the world have been targeted to date, with the most prominent targets being two large diplomatic entities in Southeast Asia and Africa. All the other victims were located in South Asia.

The first reports of Moriya emerged last November when Kaspersky said it discovered the stealthy implant in the networks of regional inter-governmental organizations in Asia and Africa. Malicious activity associated with the operation is said to have dated back to November 2019, with the rootkit persisting in the victim networks for several months following the initial infection. [...]

https://thehackernews.com/2021/05/new-stealthy-rootkit-infiltrated.html

------------------------------

Date: Fri, 7 May 2021 00:19:54 -0400
From: Gabe Goldberg
Subject: Cellular Industry's Clash Over the Movement to Remake Networks (IEEE Spectrum)

The wireless industry is divided on Open RAN’s goal to make network components interoperable

We’ve all been told that 5G wireless is going to deliver amazing capabilities and services. But it won’t come cheap. When all is said and done, 5G will cost almost US $1 trillion to deploy over the next half decade. That enormous expense will be borne mostly by network operators, companies like AT&T, China Mobile, Deutsche Telekom, Vodafone, and dozens more around the world that provide cellular service to their customers.

Facing such an immense cost, these operators asked a very reasonable question: How can we make this cheaper and more flexible? Their answer: Make it possible to mix and match network components from different companies, with the goal of fostering more competition and driving down prices. At the same time, they sparked a schism within the industry over how wireless networks should be built.
Their opponents—and sometimes begrudging partners—are the handful of telecom-equipment vendors capable of providing the hardware the network operators have been buying and deploying for years. These vendors initially opposed the scheme, called Open RAN, because they believed that if implemented, it would damage—if not destroy—their existing business model. But faced with the collective power of the operators clamoring for a new way to build wireless networks, these vendors have been left with few options, none of them very appealing. Some have responded by trying to set the terms for how Open RAN will be develo

https://spectrum.ieee.org/telecom/wireless/the-cellular-industrys-clash-over-the-movement-to-remake-networks

------------------------------

Date: Fri, 7 May 2021 00:22:32 -0400
From: Gabe Goldberg
Subject: Hack-to-Patch by Law Enforcement Is a Dangerous Practice (Just Security)

The Department of Justice announced recently that the FBI had unilaterally removed malicious web shells from hundreds of private systems. These shells were the remnants of a major security problem that emerged earlier in March in Microsoft Exchange Server software. Hackers linked to the Chinese government exploited at least four zero-day vulnerabilities in Microsoft’s code that allowed remote access to sensitive data. The web shells were left behind to facilitate later exploitation of the infected systems. The White House and Microsoft urged the machine owners to patch the various underlying vulnerabilities and to remove the web shells, but not everyone did.
On Friday, April 9, the FBI secretly asked a federal magistrate judge in Texas to issue a warrant allowing the Bureau, without prior notice, to access, copy, and remove the web shells from “hundreds of vulnerable computers in the United States running on-premises versions of Microsoft Exchange Server software used to provide enterprise-level e-mail service.” The next Tuesday, April 13, DOJ issued a press release announcing that the operation had been completed.

The FBI’s attempt to fix these systems appears to have been successful, although an accurate and detailed result summary for this hack-to-patch campaign is not available.

Much of the punditry has been favorable: The action was “bold and innovative” and a “practical response to a serious problem.” And the positive aspects of this sort of government intervention are obvious: “Hacks to patch” can close vulnerabilities, reduce cyber risk, and provide assistance from experts to organizations that might lack the capability to protect their own systems.

https://www.justsecurity.org/75955/hack-to-patch-by-law-enforcement-is-a-dangerous-practice/

------------------------------

Date: Fri, 7 May 2021 11:07:20 PDT
From: Peter Neumann
Subject: DHS kicks off workforce sprint with push to hire 200 cyber pros (FCW)

https://fcw.com/articles/2021/05/06/dhs-cyber-hiring-sprint.aspx

Department of Homeland Security Secretary Alejandro Mayorkas said on Wednesday his agency will begin its 60-day workforce sprint with an aggressive hiring campaign to expand the agency's cadre of cybersecurity professionals.

During remarks at a U.S. Chamber of Commerce event, Mayorkas called the effort "the most significant hiring initiative that DHS has undertaken in its history." He also said Wednesday was the first day of the department's workforce sprint. The secretary in March announced a series of concentrated 60-day efforts focusing on a variety of topics.
The first was on ransomware, which was prioritized because of "the gravity of the threat" and because "the threat is not tomorrow's threat, but it is upon us," he said.

The new campaign, according to a DHS statement, aims to hire 200 cyber-personnel by July 1. Half of those "conditional job offers" will be made by the Cybersecurity and Infrastructure Security Agency while the other half will be made by various DHS component agencies.

The cybersecurity workforce gap is well documented by projects such as CyberSeek, which tracks the workforce and is backed by the National Institute of Standards and Technology and the Department of Commerce.

The event on Wednesday was largely focused on the threat of ransomware to small businesses. Mayorkas in April said DHS had formed its own ransomware task force and the White House is actively developing a plan to confront the issue. The Department of Justice has also established its own ransomware taskforce in recent weeks. Meanwhile, the administration for several weeks now has been expected to publish a wide-ranging executive order focused on a myriad of cybersecurity issues.

------------------------------

Date: Sat, 08 May 2021 11:38:22 +0800
From: Dan Jacobson
Subject: Latest "How I ended up posting my password for all to see"

"xdotool lets you programmatically (or manually) simulate keyboard input and mouse activity, move and resize windows, etc."

Just the thing I need to automate logging into chrome LINE extension.

It only took a year of use until sure enough one day when I forgot I was already logged in, and it ended up pasting my password right into the chat for everybody to see.

OK, so I should start using passwords that don't look like pass7word!S . Maybe I should use HaHahahah etc. so next time it happens people will just think I am laughing. Except if they are discussing funerals.

OK, back to our story. Noticing I had just spilled the beans, naturally I went reaching for the Unsend button.
But alas, I was using the Desktop simplified version with no Unsend button...

OK, at this point I could post a lot of "Modem noise" or "cat walked on my keyboard" junk to distract readers...

------------------------------

Date: Tue, 4 May 2021 19:41:56 -0400
From: Monty Solomon
Subject: To Solve 3 Cold Cases, This Small County Got a DNA Crash Course (NYTimes)

Forensic genealogy helped nab the Golden State Killer in 2018. Now investigators across the country are using it to revisit hundreds of unsolved crimes.

https://www.nytimes.com/2021/05/03/science/cold-cases-genetic-genealogy.html

------------------------------

Date: Sat, 8 May 2021 12:09:22 -0400
From: Gabe Goldberg
Subject: A mom panicked when her 4-year-old bought $2,600 in SpongeBob Popsicles. Good Samaritans are paying (WashPost)

A mom panicked when her 4-year-old bought $2,600 in SpongeBob Popsicles. Good Samaritans are paying.
GoFundMe donors raised more than enough to cover Noah Ruiz's Popsicle spree.

https://www.washingtonpost.com/lifestyle/2021/05/07/spongebob-popsicles-noah/

------------------------------

Date: Wed, 5 May 2021 01:53:39 -0400 (EDT)
From: Mark Brader
Subject: Re: How to give Feedback about the Feedback Form? (Jacobson, RISKS-32.64)

> But what if it breaks? Every other form of contact just plays a recording:

But the Committee of the Mending Apparatus now came forward, and... confessed that the Mending Apparatus was itself in need of repair.
  --E.M. Forster, "The Machine Stops", 1909.

------------------------------

Date: Wed, 5 May 2021 13:20:03 +0200
From: Peter Houppermans
Subject: Re: Feds Arrest an Alleged $336M Bitcoin-Laundering Kingpin (Goldberg, RISKS-32.64)

Bonus irony:

> The case shows yet another example of how Bitcoin, once widely believed to
> be a powerful tool for making anonymous, untraceable transactions, has
> turned out to be in many cases the very opposite.
> The blockchain's ledger of all Bitcoin transactions since the
> cryptocurrency's creation has often instead served as a means for law
> enforcement to trace even years-old transactions.

I'm guessing the entertaining part for law enforcement is that the integrity of the evidence is assured .. by blockchain.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
 Also, ftp://ftp.sri.com/risks for the current volume/previous directories
   or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
 If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
 Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 32.65
************************