[continued from previous message]
administrative issues with the Subversion repository? Git still needs
things like historical pruning, backups, dead branch deletion. You can kick
the can down the road a bit longer with git because its model is smaller on disk, but those 200 dead branches are going to prevent any new developers
from being able to onboard rapidly.
If you are using Subversion, the historical-key-file problem still exists:
if the developer can see the file, they can roll the history back on it. However, as Subversion requires each revision checkout to be a separate request, your inside threat is going to leave some very blatant log
activity.
What do you mean that Bitbucket Cloud doesn't provide access logs for
repos? How does your security team review potential internal threats or
access control misconfigurations? GitHub Cloud does. Maybe if you were
running your VCS internally you could use the server logs? Also if your VCS
was internal, those access logs would be a little smaller as the whole
world couldn't attempt bulk logins. Oh, your access log doesn't have
attempts. Only successes. Cool. How do you know if someone is prodding your publicly-accessible private repo more or less than usual?
You're not that concerned because you're using VCS to host your
documentation? Why? Are you going to merge your old documents and your new documents? Oh, so you didn't have to set up a CMS (content management system).
I am also fond of using the electrician's hammer.
Does that screw look like a nail to you?
[Cliff, In defense of Subversion and github, you may have overstated your
case a bit. Both take a bit of learning to cover certain corner cases,
and they do have benefits in highly distributed team efforts. PGN]
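As an added example (not Cliff's or the digest's own code), here is the kind of check the "blatant log activity" above makes possible: a small Python script over constructed Subversion access-log lines in an assumed format (not svnserve's or mod_dav_svn's real format) that flags a user pulling many distinct historical revisions of one path within a short window.

```python
"""Flag users who walk the history of a single path in Subversion logs.

Assumed (constructed) log format, one event per line:
  <iso-timestamp> user=<name> op=<op> path=<path> rev=<n>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) "
    r"path=(?P<path>\S+) rev=(?P<rev>\d+)$"
)

# Constructed sample: alice does normal work; mallory walks the history
# of a key file revision by revision within a few seconds.
SAMPLE_LOG = """\
2023-12-20T09:00:00Z user=alice op=update path=/trunk rev=1500
2023-12-20T09:05:00Z user=mallory op=cat path=/trunk/deploy/prod.pem rev=1499
2023-12-20T09:05:02Z user=mallory op=cat path=/trunk/deploy/prod.pem rev=1498
2023-12-20T09:05:04Z user=mallory op=cat path=/trunk/deploy/prod.pem rev=1497
2023-12-20T09:05:06Z user=mallory op=cat path=/trunk/deploy/prod.pem rev=1490
2023-12-20T09:05:08Z user=mallory op=cat path=/trunk/deploy/prod.pem rev=1480
2023-12-20T09:05:08Z user=mallory op=cat path=/trunk/deploy/prod.pem rev=1480
2023-12-20T11:00:00Z user=alice op=cat path=/trunk/deploy/prod.pem rev=1500
"""


def parse(log_text):
    """Yield parsed events; malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        ev["rev"] = int(ev["rev"])
        yield ev


def history_walkers(log_text, min_revs=4, window=timedelta(minutes=10)):
    """Return {(user, path): n} for users who fetched >= min_revs distinct
    revisions of one path inside a sliding window of length `window`."""
    events = defaultdict(list)
    for ev in parse(log_text):
        events[(ev["user"], ev["path"])].append((ev["ts"], ev["rev"]))
    flagged = {}
    for key, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            revs = {r for t, r in evs[i:] if t - start <= window}
            if len(revs) >= min_revs:
                flagged[key] = len(revs)
                break
    return flagged
```

The same check has nothing to count on a git server, where one clone request carries every historical revision of the file.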
------------------------------
Date: Sun, 24 Dec 2023 20:13:56 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: iPhone Thief Explains How He Breaks Into Your Phone (WSJ)
Thieves are stealing Apple iPhones, passcodes and thousands of dollars from their victims' bank accounts.
WSJ's Joanna Stern sat down with a convicted thief in a high-security prison
to find how—and how you can protect yourself.
https://www.youtube.com/watch?v=gi96HKr2vo8
[High-security has (at least) TWO meanings here. I wonder if Joanna
came out with her phone intact. PGN]
------------------------------
Date: Fri, 22 Dec 2023 01:08:59 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Former White House scientist was scammed out of $650K and
must pay taxes (The Washington Post)
The government that Frances Sharples served for more than four decades considers the money to be income, compounding her pain
Frances Sharples walked through the glass doors of her credit union, ready
to make the worst decision of her life.
She had a script from the man promising to save the retirement account she built over decades as a science adviser to the U.S. government, including in the White House.
He told her to transfer more than $600,000 — and to keep her cellphone on so he could listen to her. If anyone asked whether she was put up to it, she
was to reply: “No, absolutely not,” according to her hand-scrawled notes. No
one did. She handed the clerk the routing number, walked back to her dented 2005 Honda and returned home.
“Now I'm good,” she told herself. “Now, I'm safe.” [...]
Billings started small, saying Sharples first needed to protect the $25,000
in her savings account at Commerce Federal. Williams would keep her on the
line from 7 a.m. until bedtime — claiming to be removing malicious software from her computer but mostly lingering silently — for more than two weeks.
Finally, a document appeared on her screen with a list of account names and numbers. Print it out, Billings told her. Drive to your credit union.
She did.
According to the script he gave her, if asked, she should say she was moving the money to her investment account, something she does frequently. [...]
At that point, a precaution set up to backstop bad customer decisions kicked in. After Sharples asked TIAA — which managed the retirement account — to transfer her money, a senior fraud investigator with the company called to question her decision.
“Is someone else telling you to do this?” he asked.
“No, it’s my idea,” she said, following the script. “I’ve decided I want to
invest in a different way.” [...]
As she prepared her taxes online, Sharples was sickened by what she saw on
her Form 1040, which showed the fraud raising her taxes by hundreds of thousands of dollars. She was then drawn through an excruciating education
in the nation's sprawling tax code.
https://www.washingtonpost.com/dc-md-va/2023/12/14/cyber-crime-scams-irs-taxes/
------------------------------
Date: Mon, 18 Dec 2023 17:08:11 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Re: Ex-Amazon security engineer admits to stealing over $12M in
crypto (ReadWrite)
Ahmed's first target was the undisclosed crypto exchange on the Solana blockchain. He manipulated a smart contract to introduce false pricing data, which led to the generation of approximately $9 million in inflated
fees. After withdrawing these funds, Ahmed brazenly offered to return the stolen amount, minus $1.5 million, on the condition that the exchange would
not involve law enforcement. This attack closely resembles the breach that impacted the Crema Finance decentralized finance platform in July 2022.
Following this initial hack, Ahmed turned his attention to Nirvana
Finance. He exploited a loophole in the DeFi protocol's smart contract,
taking a flash loan of ANA cryptocurrency tokens at a low price and selling them back at a higher rate. This maneuver netted him around $3.6
million. Despite being offered a $300,000 bounty to return the stolen
assets, Ahmed refused, demanding $1.4 million and ultimately leading to the shutdown of Nirvana Finance after no agreement was reached.
https://readwrite.com/ex-amazon-security-engineer-admits-to-stealing-over-12m-in-crypto/
If those are smart contracts, what would dumb ones be?
------------------------------
Date: Mon, 18 Dec 2023 18:07:43 -0500
From: Joseph Gwinn <joegwinn@comcast.net>
Subject: Re: What to do when receiving unprompted MFA OTP codes (RISKS-33.97)
The BleepingComputer article misses the distinction between TFA (two-factor authentication) and TSA (two-step authentication), TFA being far more secure than TSA.
With TFA, one must possess a physical crypto token (like an RSA SecurID
token) plus a password, the factors being something one possesses (token)
and something one knows (password). The computer is not providing authentication.
With the TSA, no physical token is used, it's something one knows (a
password) provided to a computer, and it is done in two steps. If malware
has managed to sufficiently infect the computer, the malware can perform
both steps.
In the story of unsolicited OTP codes, the malware had not gained sufficient control and was thwarted. But the whole drama would not have happened if
true TFA had been implemented.
Amazon certainly knows the difference, which is why they call what they do
TSA, not TFA.
------------------------------
Date: Sat, 23 Dec 2023 11:25:56 +0000
From: Martin Ward <mwardgkc@gmail.com>
Subject: Re: WeWork has failed, leaving damage in its wake (Kilby and Ward)
Is capitalism an efficient economic system? It depends on what you want to optimise for: if the purpose of your economic system is to transfer wealth
from everyone else to a handful of billionaires, then capitalism is already very efficient and becoming ever more efficient. If the purpose is the long term thriving of the human race, then capitalism is a terrible system: the thing you are optimising for (called "profit") is actually a form of
friction and *loss* to the system as stores of value (money) get extracted
from the economic cycle and stashed away unproductively. Whole industries, such as advertising and banking, are purely destructive of value.
A better economic system would eliminate the concept of "profit" as
something extracted by shareholders and board members. Activities that are most efficient when nationalised, such as fire service, police, army, energy distribution, transport, and of course, the health service, should never be allowed to fall into private hands or should be taken out of private hands. Each of these activities gets a budget to do a certain thing and should be laser focused on doing that thing. The post office delivers letters and parcels, the railway network runs railways, the health service keeps the population healthy, the universities generate knowledge and so on. This
leads to a lot of difficult discussions about how much each service needs in order to ensure human thriving without a negative impact on other
services. But the current approach where everything is reduced to profit is once again, optimising for the wrong thing.
For private industry, small family businesses and small to medium
cooperatives will ensure that any "profit" is recycled back into the
economy.
In conclusion: The reason that poverty and homelessness exist is not because capitalism is not working properly, but because that is the way it works.
------------------------------
Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) has moved to the ftp.sri.com site:
<risksinfo.html>.
*** Contributors are assumed to have read the full info file for guidelines!
OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
delightfully searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also,
ftp://ftp.sri.com/risks for the current volume/previous directories
or
ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
ALTERNATIVE ARCHIVES:
http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 34.01
************************