From: risko@csl.sri.com (RISKS List Owner)
Newsgroups: comp.risks
Subject: Risks Digest 34.18
Date: 19 Apr 2024 23:03:35 -0000
Message-ID: <CMM.0.90.4.1713567483.risko@chiron.csl.sri.com26622>
Archived copy: https://www.rocksolidbbs.com/computers/article-flat.php?id=38&group=comp.risks#38

RISKS-LIST: Risks-Forum Digest Friday 19 April 2024 Volume 34 : Issue 18

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.18>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Texas Hack May Be First Disruption of U.S. Water System by Russia (WashPost)
A chunk of metal that tore through a Florida home definitely came from the
ISS (Ars Technica)
FAA investigating after Boston-bound JetBlue flight involved in near
collision (The Boston Globe)
A Paris Olympics' Sure Thing: Cyberattacks (Tariq Panja)
PuTTY vulnerability vuln-p521-bias (sgtatham via Victor Miller)
Multistate 911 outage shows fragility of systems, experts say (NBC News)
Police bust global cyber-gang accused of industrial-scale fraud (BBC)
U.S. Air Force confirms first successful AI dogfight (The Verge)
Feds expand investigation into Honda's automatic emergency braking system
(ArsTechnica)
LastPass users targeted in phishing attacks good enough to trick even the
savvy (ArsTechnica)
Wrong button clicked, wrong divorce cannot be undone (The Guardian)
Big Tech can’t hoard brainwave data for ad targeting, Colorado law says
(ArsTechnica)
Cops can force suspect to unlock phone with thumbprint, U.S. court rules
(ArsTechnica)
Alleged cryptojacking scheme consumed $3.5M of stolen computing to make just
$1M (ArsTechnica)
Tech Friend: Fire at 35,000 feet (WashPost)
Are Flying Cars Finally Here? (Gideon Lewis-Kraus)
Rust Flaw Enables Windows Command Injection Attacks (Sergiu Gatlan)
AI Made These Movies Sharper. Critics Say It Ruined Them. (NYTimes)
Will AI transform baseball forever? (The Washington Post)
Senate advances vote on reauthorizing warrantless surveillance program
(The Verge)
Crypto trader Avi Eisenberg convicted of fraud in $110M trade scheme (Axios)
At Kernel, your veggie burger will be served by a robot (The Verge)
Author granted copyright over book with AI-generated text -- with a twist
(Ars Technica)
Re: AI on Wall Street (Henry Baker)
Re: AI chatbots spread falsehoods about the EU elections, report finds
(Amos Shapir)
Re: Palo Alto Zero Exploit (Steve Bacher, Cliff Kilby)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 19 Apr 2024 11:25:28 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Texas Hack May Be First Disruption of U.S. Water System by Russia
(WashPost)

Ellen Nakashima and Aaron Schaffer, *The Washington Post*, 17 Apr
2024, via ACM TechNews

A water tower serving the town of Muleshoe, TX, overflowed after the system
controlling it was hacked, releasing tens of thousands of gallons of
water. The hackers, who called themselves the Cyber Army of Russia Reborn
(CARR), posted a video online of the town's water-control system and that of
a nearby town being manipulated, showing how they reset the controls. CARR
is believed to be a front for Russia's military spy agency.

------------------------------

Date: Fri, 19 Apr 2024 14:39:13 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: A chunk of metal that tore through a Florida home definitely came
from the ISS (Ars Technica)

But a series of delays meant the final cargo pallet of old batteries missed
its ride back to Earth, so NASA jettisoned the batteries from the space
station in 2021 to head for an unguided reentry. Ars published details of
the circumstances that led to this in a previous story.

This isn't the way NASA prefers to get rid of space debris, but managers
decided they couldn't keep the pallet at the space station, where it took up
a storage location needed for other purposes. NASA expected the roughly
5,800-pound (2.6-metric ton) battery pallet to fully burn up during reentry.

https://arstechnica.com/space/2024/04/florida-man-tells-ars-about-his-encounter-with-something-that-fell-from-space/

------------------------------

Date: Fri, 19 Apr 2024 09:12:02 -0400
From: Monty Solomon <monty@roscom.com>
Subject: FAA investigating after Boston-bound JetBlue flight involved in
near collision (The Boston Globe)

The JetBlue flight was aborted at take-off after another plane was cleared
to cross the runway at the same time.

https://www.boston.com/news/transportation/2024/04/18/faa-investigating-after-boston-bound-jetblue-flight-involved-in-near-collision/

------------------------------

Date: Fri, 19 Apr 2024 11:25:28 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: A Paris Olympics' Sure Thing: Cyberattacks (Tariq Panja)

Tariq Panja, The New York Times, 17 Apr 2024, via ACM TechNews

Cybersecurity experts with the organizing committee of the Summer Olympic
Games in Paris are preparing for cyberattacks. There were 450 million
attempted "security events" at the Tokyo Summer Games in 2021, a number
expected to surge by eight to 12 times for the Paris Summer Games. The Paris
organizers joined with the International Olympic Committee and official
technology partner Atos to conduct "war games," offering "bug bounties" to
ethical hackers who identify vulnerabilities in the Games' systems.

------------------------------

Date: Tue, 16 Apr 2024 17:33:20 PDT
From: Victor Miller <victorsmiller@gmail.com>
Subject: PuTTY vulnerability vuln-p521-bias (sgtatham)

https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html

summary: NIST P521 private keys are exposed by biased signature generation
class: vulnerability: This is a security vulnerability.
priority: high: This should be fixed in the next release.
absent-in: 0.67
present-in: 0.68 0.69 0.70 0.71 0.72 0.73 0.74 0.75 0.76 0.77 0.78 0.79 0.80
fixed-in: c193fe9848f50a88a4089aac647fecc31ae96d27 (0.81)

Every version of the PuTTY tools from 0.68 to 0.80 inclusive has a critical
vulnerability in the code that generates signatures from ECDSA private keys
which use the NIST P521 curve. (PuTTY, or Pageant, generates a signature
from a key when using it to authenticate you to an SSH server.)

This vulnerability has been assigned CVE-2024-31497. It was discovered by
Fabian Bäumer and Marcus Brinkmann of the Ruhr University Bochum; see their
write-up on the oss-security mailing list.

The bad news: the effect of the vulnerability is to compromise the private
key. An attacker in possession of a few dozen signed messages and the public
key has enough information to recover the private key, and then forge
signatures as if they were from you, allowing them to (for instance) log in
to any servers you use that key for. To obtain these signatures, an attacker
need only briefly compromise any server you use the key to authenticate to,
or momentarily gain access to a copy of Pageant holding the key. (However,
these signatures are not exposed to passive eavesdroppers of SSH
connections.)

Therefore, if you have a key of this type, we recommend you revoke it
immediately: remove the old public key from all OpenSSH authorized_keys
files, and the equivalent in other SSH servers, so that a signature from the
compromised key has no value any more. Then generate a new key pair to
replace it.

(The problem is not with how the key was originally generated; it doesn't
matter whether it came from PuTTYgen or somewhere else. What matters is
whether it was ever used with PuTTY or Pageant.)

The good news: the only affected key type is 521-bit ECDSA. That is, a key
that appears in Windows PuTTYgen with ecdsa-sha2-nistp521 at the start of
the 'Key fingerprint' box, or is described as 'NIST p521' when loaded into
Windows Pageant, or has an id starting ecdsa-sha2-nistp521 in the SSH
protocol or the key file. Other sizes of ECDSA, and other key algorithms,
are unaffected. In particular, Ed25519 is not affected.

Details of the error: [...]
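The advisory as forwarded above elides the details of the error, so what follows is an added example of mine, not code from PuTTY or from the advisory, showing where the bias comes from and how to do the audit the advisory asks for. A SHA-512 digest is 512 bits; reducing it modulo the 521-bit order of P-521 can never set any of the nonce's top 9 bits, whereas an RFC 6979 nonce is built from enough HMAC output to cover all 521 bits before truncation. The block measures that difference over constructed messages, then scans a constructed authorized_keys file for ecdsa-sha2-nistp521 entries, the key type the advisory says to revoke. Assumptions: hashing priv || message_hash is a simplification of the exact input layout the old PuTTY code used (the bias depends only on the digest width, not on the layout); the P-521 order is the standard constant; the sample keys are dummy blobs with no real key material.

```python
import base64
import hashlib
import hmac
import struct

# Order of the NIST P-521 group: a 521-bit prime.
P521_N = int("01" + "F" * 65 + "A"
             "51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)
QLEN = P521_N.bit_length()   # 521
ROLEN = (QLEN + 7) // 8      # 66 bytes

def biased_nonce(priv, msg_hash, q=P521_N):
    """Flawed construction: one 512-bit SHA-512 digest reduced mod a 521-bit
    order. The result is always < 2**512, so the top 9 of 521 bits are zero.
    (priv || msg_hash as hash input is an assumed simplification of the layout.)"""
    h = hashlib.sha512(priv.to_bytes(ROLEN, "big") + msg_hash).digest()
    return int.from_bytes(h, "big") % q

def _bits2int(b, qlen):
    x = int.from_bytes(b, "big")
    excess = len(b) * 8 - qlen
    return x >> excess if excess > 0 else x

def rfc6979_nonce(priv, msg_hash, q=P521_N, H=hashlib.sha512):
    """RFC 6979 nonce: HMAC_DRBG output is extended to at least qlen bits
    before truncation, so every one of the 521 bits is pseudorandom."""
    qlen, rolen, hlen = q.bit_length(), (q.bit_length() + 7) // 8, H().digest_size
    z1 = _bits2int(msg_hash, qlen)
    z2 = z1 - q if z1 >= q else z1
    bx = priv.to_bytes(rolen, "big") + z2.to_bytes(rolen, "big")
    V, K = b"\x01" * hlen, b"\x00" * hlen
    K = hmac.new(K, V + b"\x00" + bx, H).digest(); V = hmac.new(K, V, H).digest()
    K = hmac.new(K, V + b"\x01" + bx, H).digest(); V = hmac.new(K, V, H).digest()
    while True:
        T = b""
        while len(T) * 8 < qlen:          # two SHA-512 outputs for P-521
            V = hmac.new(K, V, H).digest()
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            return k
        K = hmac.new(K, V + b"\x00", H).digest(); V = hmac.new(K, V, H).digest()

def nonce_stats(nonce_fn, priv, trials=200, bits=9):
    """Over `trials` constructed messages: fraction of nonces whose top `bits`
    bits (of a QLEN-bit value) are zero, and the widest nonce seen."""
    zero, max_bits = 0, 0
    for i in range(trials):
        k = nonce_fn(priv, hashlib.sha512(b"constructed message %d" % i).digest())
        zero += (k >> (QLEN - bits)) == 0
        max_bits = max(max_bits, k.bit_length())
    return {"top_bits_zero_fraction": zero / trials, "max_bits": max_bits}

# Constructed private scalar for the demonstration, not a real key.
DEMO_PRIV = int.from_bytes(hashlib.sha512(b"constructed demo key").digest(), "big") % P521_N

AFFECTED_TYPE = "ecdsa-sha2-nistp521"

def affected_authorized_keys(text):
    """Return (line_no, embedded_type, comment) for entries of the affected type.
    Entries may start with an options field, so the key-type token is found by
    scanning; the blob's first length-prefixed string (the type) is what is
    matched. Options with whitespace inside quotes are not handled."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens[:-1]):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                blob = base64.b64decode(tokens[i + 1])
                (n,) = struct.unpack(">I", blob[:4])
                embedded = blob[4:4 + n].decode()
                if embedded == AFFECTED_TYPE:
                    hits.append((lineno, embedded, " ".join(tokens[i + 2:])))
                break
    return hits

def _fake_blob(key_type, *fields):
    """Constructed SSH key blob (length-prefixed strings) with dummy key bytes."""
    parts = [key_type.encode(), *fields, b"\x00" * 16]
    return base64.b64encode(b"".join(struct.pack(">I", len(p)) + p for p in parts)).decode()

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file, not real keys",
    "ssh-ed25519 " + _fake_blob("ssh-ed25519") + " alice@laptop",
    "ecdsa-sha2-nistp256 " + _fake_blob("ecdsa-sha2-nistp256", b"nistp256") + " bob@desk",
    'from="10.0.0.0/8",no-pty ecdsa-sha2-nistp521 '
    + _fake_blob("ecdsa-sha2-nistp521", b"nistp521") + " carol@putty-0.80",
    "ecdsa-sha2-nistp521 " + _fake_blob("ecdsa-sha2-nistp521", b"nistp521") + " dave@pageant",
])

if __name__ == "__main__":
    print("flawed :", nonce_stats(biased_nonce, DEMO_PRIV))
    print("RFC6979:", nonce_stats(rfc6979_nonce, DEMO_PRIV))
    for lineno, ktype, comment in affected_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno}: {ktype} {comment}  -> revoke and replace")
```

The flawed derivation reports a top-9-bits-zero fraction of exactly 1.0 and never exceeds 512 bits; the RFC 6979 derivation lands near 1/512 and reaches the full 521 bits. Nine known-zero bits per signature is the precondition for the hidden-number-problem lattice attack that recovers the key from the few dozen signatures the advisory mentions; the measurement here shows the precondition, not the attack. Run the scanner over each server's authorized_keys (and the equivalent on other SSH servers) and remove every entry it reports, whether or not the key was generated by PuTTYgen.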

------------------------------

Date: Fri, 19 Apr 2024 06:51:15 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Multistate 911 outage shows fragility of systems, experts say
(NBC News)

<https://www.nbcnews.com/news/us-news/major-911-outages-4-states-leave-millions-way-contact-local-authoritie-rcna148345>
A major 911 outage Wednesday showed the urgent need for increased
modernization and regulation of the emergency system, experts in
telecommunications and public safety told NBC News.

On Thursday, Lumen Technologies, a telecommunications company based in
Louisiana, said in a statement that "some customers in Nevada, South Dakota,
and Nebraska experienced an outage due to a third-party company installing a
light pole — unrelated to our services."

[...] authorities for about 2½ hours. [...]

Key paragraphs at the end:

[...]

The current system is “missing resilient backups” that could prevent outages
on several levels, Simpson said, like having more cables for path diversity
and multiple telecommunications carriers, updated equipment and multiple
routers.
