Risks Digest 33.88

https://www.rocksolidbbs.com/computers/article-flat.php?id=17&group=comp.risks#17
From: risko@csl.sri.com (RISKS List Owner)
Newsgroups: comp.risks
Subject: Risks Digest 33.88
Date: 7 Oct 2023 21:54:46 -0000
Organization: PANIX Public Access Internet and UNIX, NYC
Lines: 715
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1696715198.risko@chiron.csl.sri.com15944>
To: risko@csl.sri.com

RISKS-LIST: Risks-Forum Digest Saturday 7 October 2023 Volume 33 : Issue 88

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.88>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
False news spreads faster than the truth (Science)
Millions of Exim mail servers exposed to zero-day RCE attacks
(Bleeping Computer)
RSA, Other Crypto Systems Vulnerable to Side-Channel Attack (Cliff Saran)
State Dept e-mails hacked (CISAC via BackgroundBriefing)
Researcher Reveals New Techniques to Bypass Cloudflare's Firewall
and DDoS Protection (The Hacker News)
23andMe User Data Stolen (WiReD)
Kia and Hyundai Blame TikTok and Instagram For Their Cars Getting Stolen
(Vice)
Rooftop Solar ongoing maintenance issues (Henry Baker)
U.S. issues first ever fine for space junk to Dish Network (bbc.com)
Tesla Autopilot arbitration win could set legal
benchmark in auto industry (TechCrunch)
Conspiracy theories about FEMA’s Oct. 4 emergency alert test spread online
(The Boston Globe)
Blackbaud agrees to $49.5 million settlement for ransomware data breach
(Bleeping Computer)
North Korea's Lazarus Group Launders $900 Million in Cryptocurrency
(The Hacker News)
Bankman-Fried and Crypto[currency] Go on Trial (NYTimes)
Takeaways From a New Book on Sam Bankman-Fried (NYTimes)
Why Silicon Valley Falls for Frauds (WiReD)
Chinese Hackers Target Semiconductor Firms in East Asia with
Cobalt Strike (The Hacker News)
Chinese self-driving car testing in California stirs controversy
(NBC News)
Detroit man steals 800 gallons using Bluetooth to hack gas pumps at station
(Fox)
W3LL phishing kit hijacks thousands of Microsoft 365 accounts, bypasses MFA
(Bleeping Computer)
NYPD Robot Gets Tryout to Patrol Times Square Subway (NYTimes)
Dead grandma locket request tricks Bing Chat's AI into solving security
puzzle (Ars Technica)
AI Designs New Robot from Scratch in Seconds (Northwestern News)
Remember Marvin the paranoid android? (Gabe Goldberg)
Thousands of Android devices come with unkillable backdoor preinstalled
(Ars Technica)
Hundreds of U.S. schools hit by potentially organized swatting hoaxes,
report says (Ars Technica)
Re: Google accused of directing motorist to drive off collapsed bridge
(John Levine)
Re: Cal. Gov. vetoes autonomous trucking bill (Steve Bacher)
Quote of The Day (Adyashanti -- and Cicero)
Quotes of The Day (Nisargadatta)
ACM subdomain abused? (Chiki Ishikawa)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 4 Oct 2023 06:32:07 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: False news spreads faster than the truth (Science)

*To stop the spread of false news, first we have to understand it.*

A new study published in *Science*
<http://science.sciencemag.org/content/359/6380/1146> finds that false news
online travels ``farther, faster, deeper, and more broadly than the truth.''
And the effect is more pronounced for false political news than for false
news about terrorism, natural disasters, science, urban legends, or
financial information.

Falsehoods are 70 percent more likely to be retweeted on Twitter than the
truth, researchers found. And false news reached 1,500 people about six
times faster than the truth.

The study, by Soroush Vosoughi and associate professor Deb Roy, both of the
MIT Media Lab, and MIT Sloan professor Sinan Aral, is the largest-ever
longitudinal study of the spread of false news online. It uses the term
*false news* instead of *fake news* because the latter ``has lost all
connection to the actual veracity of the information presented, rendering it
meaningless for use in academic classification,'' the authors write.

To track the spread of news, the researchers investigated all the true and
false news stories verified by six independent fact-checking organizations
that were distributed on Twitter from 2006 to 2017. They studied
approximately 126,000 cascades -- defined as ``instances of a rumor
spreading pattern that exhibits an unbroken retweet chain with a common,
singular origin'' -- on Twitter about contested news stories tweeted by 3
million people more than 4.5 million times. Twitter provided access to data
and provided funding for the study.

The researchers removed Twitter bots before running their analysis. They
then included the bots and ran the analysis again and found ``none of our
main conclusions changed.''

``This suggests that false news spreads farther, faster, deeper, and more
broadly than the truth because humans, not robots, are more likely to spread
it,'' the researchers wrote.

So what to do? In an interview
<http://mitsloanexperts.mit.edu/watch-now-the-truth-about-fake-news-with-sinan-aral-and-tim-oreilly/>
for the MIT Sloan Experts video series, Aral said possible solutions include
labeling fake news much as food is labeled, creating financial disincentives
such as reducing the flow of advertising dollars to accounts that spread
fake news, and using algorithms to find and dampen the effect of fake news.
[...]

https://mitsloan.mit.edu/ideas-made-to-matter/study-false-news-spreads-faster-truth

------------------------------

Date: Sat, 30 Sep 2023 04:00:02 -0700
From: Victor Miller <victorsmiller@gmail.com>
Subject: Millions of Exim mail servers exposed to zero-day RCE attacks
(Bleeping Computer)

https://www.bleepingcomputer.com/news/security/millions-of-exim-mail-servers-exposed-to-zero-day-rce-attacks/

[Monty spotted this one, somewhat fewer servers!
Critical vulnerabilities in Exim threaten over 250k email
servers worldwide
https://arstechnica.com/security/2023/09/critical-vulnerabilities-in-exim-threaten-over-250k-email-servers-worldwide/
PGN]

------------------------------

Date: Wed, 4 Oct 2023 11:27:01 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: RSA, Other Crypto Systems Vulnerable to Side-Channel Attack
(Cliff Saran)

Cliff Saran, *Computer Weekly*, 3 Oct 2023, via ACM TechNews, 4 Oct 2023

Hubert Kario at open source solutions provider Red Hat found a flaw
dating from 1998 that enables a "padding mode" side-channel attack
targeting RSA encryption. The exploit cracks the Transport Layer
Security (TLS) protocol's confidentiality when used with RSA
encryption, and researchers in 2019 highlighted the continued
vulnerability of many Internet servers to tweaks of the original
attack. Kario said attackers can leverage the flaw to decrypt RSA
ciphertexts and forge signatures, and record sessions on a TLS server
that defaults to RSA encryption key exchanges for decryption later. He
also said hackers can apply the exploit to other interfaces that
automatically execute RSA decryption, including Secure/Multipurpose
Internet Mail Extensions, JavaScript Object Notation web tokens, and
hardware tokens. Said Kario, "We have identified the vulnerability in
multiple implementations and confirmed fixes in a few of them but
believe that most cryptographic implementations are vulnerable in
practice."
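The item above names the operational risk for TLS servers that still offer RSA key exchange: recorded sessions can be decrypted later once the padding oracle is usable. As an added defender-side check, not from Kario's work, Red Hat, or this digest, the following script takes a server's OpenSSL cipher string and lists the TLS 1.2 suites whose key exchange is static RSA, using OpenSSL's own key-exchange metadata exposed through Python's `ssl` module. The cipher string is a constructed sample.

```python
import ssl

# Constructed sample of a server cipher string (not taken from the digest item).
SAMPLE_CIPHER_STRING = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "AES256-GCM-SHA384:AES128-SHA256:DHE-RSA-AES256-GCM-SHA384"
)


def static_rsa_kex_suites(cipher_string):
    """Return (rsa_kex, unknown) for an OpenSSL cipher string.

    rsa_kex holds the TLS 1.2-and-below suites whose key exchange is
    static RSA (OpenSSL reports them as Kx=RSA): the session secret is
    sent RSA-encrypted, so captured traffic stays decryptable for as long
    as the server's RSA key can be attacked. (EC)DHE suites agree the
    secret per session and are not listed. unknown holds names this
    OpenSSL build does not recognise or refuses at its security level.
    """
    rsa_kex, unknown = [], []
    for name in cipher_string.split(":"):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.set_ciphers(name)       # isolate one suite at a time
        except ssl.SSLError:
            unknown.append(name)        # not selectable in this build
            continue
        for c in ctx.get_ciphers():
            # TLS 1.3 suites are always present in the list and never
            # use RSA key exchange, so skip them.
            if c["protocol"] == "TLSv1.3":
                continue
            if c["kea"] == "kx-rsa":
                rsa_kex.append(c["name"])
    return rsa_kex, unknown


def hardened_cipher_string(cipher_string):
    """Return the cipher string with the static-RSA suites removed."""
    rsa_kex, _ = static_rsa_kex_suites(cipher_string)
    return ":".join(n for n in cipher_string.split(":") if n not in rsa_kex)


if __name__ == "__main__":
    found, unknown = static_rsa_kex_suites(SAMPLE_CIPHER_STRING)
    print("static RSA key exchange:", found)   # AES256-GCM-SHA384, AES128-SHA256
    print("not selectable here:", unknown)
    print("hardened:", hardened_cipher_string(SAMPLE_CIPHER_STRING))
```

Removing the Kx=RSA suites stops new sessions from being recordable for later decryption; it does not retire an RSA key that has already been exposed to the oracle, so certificate rotation is a separate decision.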

------------------------------

Date: Sat, 30 Sep 2023 10:11:23 -0700
From: Jim <jgeissman@socal.rr.com>
Subject: State Dept e-mails hacked (CISAC via BackgroundBriefing)

With 60,000 Emails Hacked From the State Department, An Assessment of
the Government’s Cybersecurity
28 Sep 2023, https://www.backgroundbriefing.org/

Then finally with the State Department revealing that 60,000 of its emails
were hacked along with the emails of the Secretary of Commerce, we assess
the state of the government’s cybersecurity with *Dr. Herb Lin*
<http://cisac.fsi.stanford.edu/people/herbert_lin>, a senior research
scholar for cyber policy and security at the Center for International
Security and Cooperation at Stanford University. He is Chief Scientist
Emeritus for the Computer Science and Telecommunications Board at the
National Research Council of the National Academies and, in 2016, served on
President Obama’s Commission on Enhancing National Cybersecurity. He was
also a professional staff member and staff scientist for the House Armed
Services Committee where his portfolio included defense policy and arms
control issues.

------------------------------

Date: Sat, 7 Oct 2023 11:23:57 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Researcher Reveals New Techniques to Bypass Cloudflare's Firewall
and DDoS Protection (The Hacker News)

https://thehackernews.com/2023/10/researcher-reveal-new-technique-to.html

------------------------------

Date: Sat, 7 Oct 2023 04:01:53 +0000 ()
From: danny burstein <dannyb@panix.com>
Subject: 23andMe User Data Stolen (WiReD)

23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews

At least a million data points from 23andMe accounts appear to have been
exposed on BreachForums. While the scale of the campaign is unknown,
23andMe says it's working to verify the data.
