The RISKS Digest
Volume 31 Issue 33

Monday, 15th July 2019

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents

How Fake News Could Lead to Real War
Politico
Collision on Hong Kong metro
MTR
Cyber-incident Exposes Potential Vulnerabilities Onboard Commercial Vessels
Coast Guard
"Vulnerabilities found in GE anesthesia machines"
Catalin Cimpanu
Inside the world of bogus medicine, where smoothies and salads can supposedly kill cancer
WashPost
"Robot that started fire costs Ocado $137M"
Greg Nichols
Anaesthetic devices 'vulnerable to hackers'
bbc.com
FDA seeks comment on cybersecurity warnings and security upgrades
Federal Register
EU "Galileo" GPS system remains down
BBC
Tiny flying insect robot has four wings and weighs under a gram
New Scientist
Smartphone payment system by Seven-Eleven Japan hacked from day 1: lack of two stage authentication, etc.
Japan Times
Border Patrol agents tried to delete their horrific Facebook posts —but they were already archived
NSFW—The Intercept
Professor faces 219-year prison sentence for sending missile chip tech to China
The Verge
London Police's Facial Recognition System Has 81 Percent Error Rate?
Geek
"GDPR: Record British Airways fine shows how data protection legislation is beginning to bite"
Danny Palmer
D-Link Agrees to Make Security Enhancements to Settle FTC Litigation
Federal Trade Commission
As Florida cities use insurance to pay $1 million in ransoms to hackers, Baltimore and Maryland weigh getting covered
WashPost
House Democrats introduce a bill to tighten airport security stings
WashPost
Introducing ERP software: The biggest risk to your business
Faz
European regulators to tighten rules for use of facial recognition
Politico
"New Windows 7 'security-only' update installs telemetry/snooping, uh, feature"
Woody Leonhard
"The Windows 10 misinformation machine fires up again"
Ed Bott
"WTF, Microsoft?"
Steven J. Vaughan-Nichols
"Raspberry Pi 4 won't work with some power cables due to its USB-C design flaw"
Liam Tung
Confirmed: Zoom Security Flaw Exposes Webcam Hijack Risk, Change Settings Now
Forbes
Texas County Purchases DRE Machines Over Expert Security Objections
Brian Bethel
The Hard-Luck Texas Town That Bet on Bitcoin—and Lost
WiReD
Thoughtcrime --> Thoughtaccidents
WiReD
Mass Attacks in Public Spaces - 2018
Secret Service National Threat Assessment Center
Google audio recordings of users leaked
Marc Thorson
New Bedford computer outages continue for sixth day
WBSM
Feds: New Bedford police officer arrested after 194 child porn files found on computer
WHDH
7-Eleven's 7pay app hacked in a day due to 'appalling security lapse'
TechBeacon
On the Bugginess of This Year's OS Betas From Apple
Daring Fireball
"Apple disables Walkie-Talkie app due to snooping vulnerability"
Adrian Kingsley-Hughes
Stripe Outage Smacked Businesses for Two Hours
Fortune
Google/Amazon/Apple are you listening to me?
Rob Slade
Your Pa$$word doesn't matter - Microsoft Tech Community - 731984
Alex Weinert
The New York Times blocks viewing in private mode
Thomas König
Re: Line just went Orwellian on Japanese users with its social credit-scoring system
Amos Shapir
Re: Autonomous vehicles don't need provisions and protocols
Dan Jacobson
Re: Line just went Orwellian on Japanese users with its social credit-scoring system
Dan Jacobson
Fernando Corbato dies
Katie Hafner via PGN
Info on RISKS (comp.risks)

How Fake News Could Lead to Real War (Politico)

the keyboard of geoff goodfellow <geoff@iconia.com>
Fri, 5 Jul 2019 15:05:48 -1000
*Ambassador Daniel Benjamin is director of the John Sloan Dickey Center for
International Understanding at Dartmouth College and served as coordinator
for counterterrorism at the State Department 2009-2012. Steven Simon is
visiting professor of history at Amherst College. He served as the National
Security Council senior director for counterterrorism and for the Middle
East and North Africa, respectively, in the Clinton and Obama
administrations.*

EXCERPT:

Who really bombed the oil tankers in the Persian Gulf two weeks ago? Was it
Iran, as the Trump administration assured us? Or was it Saudi Arabia, the
United Arab Emirates or Israel—or some combination of the three?

Here's a confession from two former senior government officials: For days
after the attacks, we weren't sure. Both of us believed in all sincerity
there was a good chance these actions were part of a false flag operation,
an effort by outsiders to trigger a war between the United States and Iran.
Even the film of Iranians hauling in an unexploded limpet mine from near the
side of tanker, we reasoned, might be a fabrication—deep fake footage
just like the clip of Nancy Pelosi staggering around drunk.

Perhaps you felt that way too. But for the two of us, with 30 years of
government service and almost 20 more as think tankers between us—this
was shocking. Yes, we are card-carrying members of the Blob, the
all-too-conventionally minded Washington foreign policy establishment, but
we weren't sure whether to believe our government or not.

This was more than a little disconcerting. Imagine waking up one morning and
catching yourself thinking that alt-right conspiracy theorist Alex Jones was
making good sense, that perhaps the Sandy Hook shooting was faked or that
the 9/11 attacks were really an inside job? Imagine what it might be like to
be in the grip of a conspiracy theory, when you've spent your whole
professional life being one of those policy mandarins who could smell a
conspiracy theory a mile away?...

https://www.politico.com/magazine/story/2019/07/05/fake-news-real-war-227272


Collision on Hong Kong metro (MTR)

"Clive D.W. Feather" <clive@davros.org>
Sat, 6 Jul 2019 22:33:27 +0100
http://www.mtr.com.hk/archive/corporate/en/press_release/PR-19-044-E.pdf

MTR (the operators of the Hong Kong metro) are converting several lines to
use the Thales/Alstom SelTrac system. During a test of the system outside
service hours, the computer signaled two trains on to intersecting tracks,
resulting in a collision; one driver was slightly injured.

In this system, there are no fixed signals beside the track indicating
whether it is safe to proceed. Instead, the central control computer gives
each train a "movement authority" indicating exactly where it is allowed to
proceed to. Only when the rear of the train passes an intersection is
another train given a movement authority that passes over the same
intersection. These authorities are updated every few seconds.

Each control area (the line in question has two) has three control
computers: A (normally active), B (hot standby), and C (warm standby). All
three are the same design and run the same software. Computer C is at a
different physical location. Computer A keeps B constantly updated with the
complete status but, to prevent common mode failures, it only passes some
data to computer C. In particular, the "Conflict Zone Data" (which I am
guessing is a table of which train is allowed on a given intersection) is
not passed across; computer C is expected to re-compute it independently.

During a test computers A and B were both turned off, causing computer C to
take over. At this point C does not transmit any movement authorities to
the trains, which therefore all make an emergency stop. The traffic
controller (a person in the control centre) then tells C to allow each
train in turn to depart, giving it a new movement authority.

The report's conclusions are:

(1) The software development documentation did not state that the conflict
zone data was not passed to computer C, so no test and safety analysis was
done.

(2) A bug in the software meant that computer C failed to recalculate the
conflict zone data correctly, allowing the collision.

(3) The take-over process did not require the conflict zone data to be
present before C moved from warm backup state to active state.
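
An added example, not code from the MTR report or from the SelTrac system: a toy model of the movement authorities and "conflict zone data" described above, with the pre-activation gate that conclusion (3) says the take-over process lacked. The data structures, class names and the single-intersection scenario are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MovementAuthority:
    train: str
    intersections: frozenset   # intersections this authority passes over


class ConflictZoneData:
    """Which train currently holds each intersection (an assumed structure;
    the report does not describe the real table)."""

    def __init__(self):
        self.holder = {}

    @classmethod
    def recompute(cls, authorities):
        """Rebuild the table from outstanding authorities; an input in which
        two trains already cover one intersection is rejected, not repaired."""
        table = cls()
        for ma in authorities.values():
            for x in ma.intersections:
                if table.holder.get(x, ma.train) != ma.train:
                    raise ValueError(f"intersection {x} claimed by two trains")
                table.holder[x] = ma.train
        return table

    def free_for(self, train, intersections):
        return all(self.holder.get(x, train) == train for x in intersections)

    def claim(self, train, intersections):
        for x in intersections:
            self.holder[x] = train

    def release(self, train, intersection):
        if self.holder.get(intersection) == train:
            del self.holder[intersection]


class ControlComputer:
    def __init__(self, name):
        self.name = name
        self.state = "standby"
        self.authorities = {}        # train -> MovementAuthority
        self.conflict_zones = None   # absent until received or recomputed

    def grant(self, train, intersections):
        """Issue a movement authority, or refuse it. Refusal is the safe
        default: a train without an authority makes an emergency stop."""
        zones = frozenset(intersections)
        if self.state != "active" or self.conflict_zones is None:
            return False
        if not self.conflict_zones.free_for(train, zones):
            return False
        self.conflict_zones.claim(train, zones)
        self.authorities[train] = MovementAuthority(train, zones)
        return True

    def rear_cleared(self, train, intersection):
        """The rear of the train has passed the intersection: release it so
        another train may be given an authority over it."""
        self.conflict_zones.release(train, intersection)

    def take_over(self, authorities):
        """Warm standby becoming active. Only the authority list is handed
        over (the conflict zone data deliberately is not), so the table is
        recomputed here, and activation is refused if that fails."""
        self.authorities = dict(authorities)
        try:
            self.conflict_zones = ConflictZoneData.recompute(self.authorities)
        except ValueError:
            self.conflict_zones = None
            return False             # stay in standby: nothing to interlock on
        self.state = "active"
        return True


def scenario():
    """Constructed run: one intersection X1, trains T1 and T2, then a take-over."""
    a = ControlComputer("A")
    a.state, a.conflict_zones = "active", ConflictZoneData()
    results = [a.grant("T1", {"X1"}),        # granted
               a.grant("T2", {"X1"})]        # refused: T1 still holds X1
    c = ControlComputer("C")                 # A and B switched off
    results.append(c.take_over(a.authorities))
    results.append(c.grant("T2", {"X1"}))    # still refused after take-over
    c.rear_cleared("T1", "X1")
    results.append(c.grant("T2", {"X1"}))    # now granted
    return results


def takeover_without_valid_data():
    """Constructed: the handed-over list is inconsistent, so C must not activate."""
    bad = {"T1": MovementAuthority("T1", frozenset({"X1"})),
           "T2": MovementAuthority("T2", frozenset({"X1"}))}
    c = ControlComputer("C")
    return c.take_over(bad), c.state, c.grant("T3", {"X2"})
```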


Cyber-incident Exposes Potential Vulnerabilities Onboard Commercial Vessels (Coast Guard)

Gabe Goldberg <gabe@gabegold.com>
Thu, 11 Jul 2019 18:00:15 -0400
In February 2019, a deep draft vessel on an international voyage bound for
the Port of New York and New Jersey reported that they were experiencing a
significant cyber-incident impacting their shipboard network.   An
inter-agency team of cyber-experts, led by the Coast Guard, responded and
conducted an analysis of the vessel's network and essential control
systems. The team concluded that although the malware significantly degraded
the functionality of the onboard computer system, essential vessel control
systems had not been impacted.  Nevertheless, the interagency response found
that the vessel was operating without effective cybersecurity measures in
place, exposing critical vessel control systems to significant
vulnerabilities.

https://www.dco.uscg.mil/Portals/9/DCO Documents/5p/CG-5PC/INV/Alerts/0619.pdf


"Vulnerabilities found in GE anesthesia machines" (Catalin Cimpanu)

Gene Wirchenko <gene@shaw.ca>
Wed, 10 Jul 2019 09:35:41 -0700
Catalin Cimpanu for Zero Day | 9 Jul 2019
https://www.zdnet.com/article/vulnerabilities-found-in-ge-anesthesia-machines/

GE recommends not connecting vulnerable anesthesia machines to hospital
networks.

Security researchers have discovered vulnerabilities in two models of
hospital anesthesia machines manufactured by General Electric (GE).

The two devices found to be vulnerable are GE Aestiva and GE Aespire --
models 7100 and 7900. According to researchers from CyberMDX, a healthcare
cybersecurity firm, the vulnerabilities reside in the two devices' firmware.

CyberMDX said attackers on the same network as the devices—a hospital's
network—can send remote commands that can alter devices' settings.

The researcher claims the commands can be used to make unauthorized
adjustments to the anesthetic machines' gas composition, such as modifying
the concentration of oxygen, CO2, N2O, and other anesthetic agents, or the
gas' barometric pressure.

CyberMDX said that such unauthorized modifications could put patients at
risk. Furthermore, attackers could also silence device alarms for low/high
levels of various agents and modify timestamps inside logs.


Inside the world of bogus medicine, where smoothies and salads can supposedly kill cancer (WashPost)

Monty Solomon <monty@roscom.com>
Sat, 6 Jul 2019 13:20:24 -0400
Companies are trying to rein in medical misinformation on social media, but the problem isn't just technological. It's also human.

https://www.washingtonpost.com/lifestyle/style/they-turn-to-facebook-and-youtube-to-find-a-cure-for-cancer--and-get-sucked-into-a-world-of-bogus-medicine/2019/06/25/6df3ddae-7cdc-11e9-a5b3-34f3edf1351e_story.html


"Robot that started fire costs Ocado $137M" (Greg Nichols)

Gene Wirchenko <gene@shaw.ca>
Wed, 10 Jul 2019 09:58:24 -0700
Greg Nichols for Robotics | 10 Jul 2019

Safety is a massive unaddressed issue in the rapidly evolving automation
sector.

https://www.zdnet.com/article/robot-that-started-fire-costs-ocado-137m/

In February, a robot at an Ocado fulfillment warehouse sparked a massive
fire. The warehouse was destroyed, and the British grocer has just revealed
the price tag of the damage: $137M.


Anaesthetic devices 'vulnerable to hackers' (bbc.com)

Richard Stein <rmstein@ieee.org>
Thu, 11 Jul 2019 07:53:59 -0700
https://www.bbc.com/news/technology-48935111

"A type of anaesthetic machine that has been used in NHS hospitals can be
hacked and controlled from afar if left accessible on a hospital computer
network, a cyber-security company says.

"A successful attacker would be able to change the amount of anaesthetic
delivered to a patient, CyberMDX said."

The DHS CERT link https://www.us-cert.gov/ics/advisories/icsma-19-190-01.

I have been digging into FDA MAUDE on a different device class over the past
few months, and wrote a crawler using mechanize.py and beautifulsoup4 to
fish through the HTML reports. It was easy enough to find medical device
reports (MDRs) on the anesthesia machines mentioned in the BBC article.

For instance:
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/detail.cfm?mdrfoi__id=8319602

  "'the hospital reported a patient had cardiac arrest during a case. It was
  alleged the ventilator had stopped mechanically ventilating in pressure
  mode towards the end of the case without alarming. It was unknown how long
  ventilation had stopped. The patient was resuscitated and remains in the
  icu."

This particular MDR, submitted by the manufacturer, is curious because it
lists the device manufacturing date as 01/01/1970! Must be a typo.

Another MDR:

https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/detail.cfm?mdrfoi__id=8451207
"It was reported that when replacing a failing internal power backup
battery, our company representative noticed that the battery had leaked
battery acid into the battery compartment of the anesthesia workstation.
There was no injury reported. (b)(4)."

The following Pareto documents deaths, malfunctions, and injuries reported
for all devices assigned the product code BSZ—gas-machine,
anesthesia. The product code includes all manufacturers, including the
Aespire and Aestiva 7100 and 7900 mentioned in the article. Here's the data
from 01JAN2017-30JUN2019:

Deaths—9
Injury—65
Malfunctions—As shown per period (5181 total, average ~370 +/- 107
per 60 days, or ~6 per day).

Period                   Malfunctions
01/01/2017-02/28/2017    364
03/01/2017-04/30/2017    344
05/01/2017-06/30/2017    424
07/01/2017-08/31/2017    391
09/01/2017-10/31/2017    346
11/01/2017-12/31/2017    470
01/01/2018-02/28/2018    369
03/01/2018-04/30/2018    389
05/01/2018-06/30/2018    420
07/01/2018-08/31/2018    425
09/01/2018-10/31/2018    459
11/01/2018-12/31/2018    489
01/01/2019-03/31/2019     88
04/01/2019-06/30/2019    203

Note that FDA's MAUDE platform carries a long list of disclaimers and
advisory information about the Medical Device Report Content. Among them
are:

"MDR data alone cannot be used to establish rates of events, evaluate a
change in event rates over time or compare event rates between devices.  The
number of reports cannot be interpreted or used in isolation to reach
conclusions about the existence, severity, or frequency of problems
associated with devices."

Find the full list at
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/search.cfm


FDA seeks comment on cybersecurity warnings and security upgrades (Federal Register)

Paul Burke <box1320@gmail.com>
Fri, 12 Jul 2019 11:29:15 -0700
https://federalregister.gov/d/2019-14141
Meeting Sept 10 in Maryland, open to the public; comments can be sent by
July 30. Requests to speak are due by July 22.

The committee receiving comments does not approve/disapprove medical
devices.  They advise on "which factors should be considered by FDA and
industry when communicating cybersecurity risks to patients and to the
public, including but not limited to the content, phrasing, the methods used
to disseminate the message and the timing of that communication. The
recommendations will also address concerns patients have about changes to
their devices to reduce cybersecurity risk...

  background material available to the public no later than 2 business days
  before the meeting... at
  https://www.fda.gov/advisory-committees/committees-and-meeting-materials/patient-engagement-advisory-committee

The committee members seem politically connected, and not cyber experts, so
one hopes they would value expert comments.
https://www.fda.gov/advisory-committees/patient-engagement-advisory-committee/roster-patient-engagement-advisory-committee

FDA has pages of guidance on communicating device risks, (pages 7, 13-15,
39), though not yet on cyber specifically.
https://www.fda.gov/media/71030/download


EU "Galileo" GPS system remains down (BBC)

Lauren Weinstein <lauren@vortex.com>
Sun, 14 Jul 2019 15:46:53 -0700
The EU's "Galileo" GPS system is down. And it remains down, except for
search and rescue transmissions functionality:

https://www.bbc.com/news/science-environment-48985399


Tiny flying insect robot has four wings and weighs under a gram (New Scientist)

geoff goodfellow <geoff@iconia.com>
Fri, 12 Jul 2019 15:30:03 -1000
A solar-powered winged robot has become the lightest machine capable of
flying without being attached to a power source.

Weighing just 259 milligrams, the insect-inspired RoboBee X-Wing has four
wings that flap 170 times per second. It has a wingspan of 3.5 centimetres
and stands 6.5 centimetres high.

The flying robot was developed by Noah Jafferis and his colleagues at
Harvard University...

https://www.newscientist.com/article/dn24638-four-winged-robot-flies-like-a-jellyfish/
https://www.newscientist.com/article/0-watch-this-robotic-fruit-fly-swoop-dive-and-perform-impressive-flips/
https://www.newscientist.com/article/2207687-tiny-flying-insect-robot-has-four-wings-and-weighs-under-a-gram

  [Not encouraging.  The equivalent of a mosquito bite can be deadly.  PGN]


Smartphone payment system by Seven-Eleven Japan hacked from day 1: lack of two stage authentication, etc. (Japan Times)

"Ishikawa,chiaki" <ishikawa@yk.rim.or.jp>
Sun, 7 Jul 2019 16:56:27 +0900
The Japanese operator of the ubiquitous Seven-Eleven introduced its
smartphone-based payment system on July 1st.  It has been hacked since
day 1, and the press conference announcing the limited operation to protect
the users revealed that the president of the operation did not know what
"two stage authentication" is, and its VIP of IT claimed that the system did
not have any security issues, whereas

- the system did not have two-stage authentication, and

- the system would send out the link to change password to an e-mail address
that is *NOT* the original e-mail address that was used when the user
registered for the service, etc.

Unbelievable lapse of proper security.

No wonder it was abused from day 1.

The press reported that about 900 users' accounts were abused and about JPY
55,000,000 (about half a million US dollars) was used by third parties to
buy easy-to-cash items such as cigarette cartons.

I have read about the lapse of security mechanisms and could not believe a
big-name company like Seven-Eleven would let such a system be put into
operation. But it did.  To be honest, ever since the emergence of web-based
services, I have noticed a drop in the quality of software in general, not to
mention the security side of the services, but this confirms my suspicion
that there are many improperly trained so-called professionals in the ICT
industry in Japan. But I am afraid that the situation may not be that great
in other countries, either.

Some English articles from Japan Times.
https://www.japantimes.co.jp/news/2019/07/04/business/corporate-business/users-7-elevens-mobile-payment-service-lose-total-¥55-million-900-accounts-hacked/

https://www.japantimes.co.jp/news/2019/07/06/national/crime-legal/government-urges-seven-eleven-japan-beef-security-7pay-mobile-payment-fraud/

Seven-Eleven has a lot to explain and clean up, and must improve its internal
ID system, which I suspect was already known to be vulnerable to crackers.
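
An added example, not 7pay's code: a password-reset flow that corrects the second lapse listed above, sending the reset token only to the address on file no matter what address the request carries, with single-use, expiring tokens bound to the account. Names, the in-memory outbox and the sample accounts are assumptions for illustration; the two-stage authentication point is not covered here.

```python
import secrets
import time
from hashlib import sha256

TOKEN_TTL_SECONDS = 15 * 60


def _digest(token):
    # Only a hash of the token is stored, so a leaked table cannot be replayed.
    return sha256(token.encode()).hexdigest()


class ResetService:
    def __init__(self, registered_emails, outbox, clock=time.time):
        self.registered = registered_emails   # user_id -> address on file
        self.outbox = outbox                  # list of (to, text); stands in for mail
        self.clock = clock                    # injectable for the expiry check
        self._tokens = {}                     # digest -> (user_id, expires_at)
        self.credentials = {}                 # user_id -> new credential

    def request_reset(self, user_id, email_in_request=None):
        """email_in_request is whatever the form carried; it is never used as
        the destination. The reply is the same whether or not the account
        exists, so the endpoint does not confirm user IDs."""
        on_file = self.registered.get(user_id)
        if on_file is not None:
            token = secrets.token_urlsafe(32)
            self._tokens[_digest(token)] = (user_id, self.clock() + TOKEN_TTL_SECONDS)
            self.outbox.append((on_file, "reset token: " + token))
        return "If the account exists, a reset link has been sent."

    def complete_reset(self, user_id, token, new_credential):
        """Accept a token once, only for its owner, and only before expiry."""
        entry = self._tokens.pop(_digest(token), None)   # removed on first use
        if entry is None:
            return False
        owner, expires_at = entry
        if owner != user_id or self.clock() > expires_at:
            return False
        self.credentials[user_id] = new_credential
        return True


def demo():
    """Constructed run: the request names a different address than the one on file."""
    outbox = []
    svc = ResetService({"alice": "alice@example.com"}, outbox)
    svc.request_reset("alice", email_in_request="someone-else@example.net")
    svc.request_reset("nobody", email_in_request="someone-else@example.net")
    recipients = [to for to, _ in outbox]           # only the address on file
    token = outbox[0][1].split(": ", 1)[1]
    first_use = svc.complete_reset("alice", token, "new-credential")
    replay = svc.complete_reset("alice", token, "another-credential")
    return recipients, first_use, replay


def expired_token_is_rejected():
    """Constructed run with a fake clock pushed past the token lifetime."""
    now = [1_000.0]
    outbox = []
    svc = ResetService({"bob": "bob@example.com"}, outbox, clock=lambda: now[0])
    svc.request_reset("bob")
    token = outbox[0][1].split(": ", 1)[1]
    now[0] += TOKEN_TTL_SECONDS + 1
    return svc.complete_reset("bob", token, "late-credential")
```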


Border Patrol agents tried to delete their horrific Facebook posts—but they were already archived (NSFW—The Intercept)

Lauren Weinstein <lauren@vortex.com>
Sat, 6 Jul 2019 07:15:56 -0700
https://theintercept.com/2019/07/05/border-patrol-facebook-group/

  [via NNSquad]


Professor faces 219-year prison sentence for sending missile chip tech to China (The Verge)

Monty Solomon <monty@roscom.com>
Sat, 6 Jul 2019 11:58:06 -0400
https://www.theverge.com/2019/7/6/20683177/china-missile-semiconductors-trial-professor-yi-chi-shih-guilty


London Police's Facial Recognition System Has 81 Percent Error Rate? (Geek)

the keyboard of geoff goodfellow <geoff@iconia.com>
Mon, 8 Jul 2019 15:10:00 -1000
Don't be surprised if you're arrested next time you visit the UK.

Facial recognition technology trialed by the Metropolitan Police is
reportedly 81 percent inaccurate.  The system, according to a study by the
University of Essex, mistakenly targets four out of five innocent people as
wanted suspects.

It is likely to be found unlawful if challenged in court.

In order to compile an independent report on the London police service's
testing, Peter Fussey and Daragh Murray were granted what the University
called *unprecedented* access to six of the 10 trials, completed between
June 2018 to February 2019.

The pair joined officers in LFR control rooms and on the ground; they also
attended briefing and debriefing sessions and planning meetings...

https://www.geek.com/tech/london-polices-facial-recognition-system-has-81-percent-error-rate-1794564/


"GDPR: Record British Airways fine shows how data protection legislation is beginning to bite" (Danny Palmer)

Gene Wirchenko <gene@shaw.ca>
Mon, 08 Jul 2019 10:04:32 -0700
https://www.zdnet.com/article/gdpr-record-british-airways-fine-shows-how-data-protection-legislation-is-beginning-to-bite/

Danny Palmer | 8 Jul 2019

The ICO's proposed £183m fine should act as a wake-up call for other
organisations: make sure your cybersecurity and data protection policies are
GDPR-compliant - or you could be next.

opening text:

It was always only a matter of time, and a little over a year after General
Data Protection Regulation (GDPR) came into force across Europe, a data
protection agency has announced plans to issue the first mega-fine as the
result of a data breach.


D-Link Agrees to Make Security Enhancements to Settle FTC Litigation (Federal Trade Commission)

Gabe Goldberg <gabe@gabegold.com>
Tue, 9 Jul 2019 00:15:45 -0400
Commission alleged the company failed to secure its routers and
Internet-connected cameras

Smart home products manufacturer D-Link Systems, Inc., has agreed to
implement a comprehensive software security program in order to settle
Federal Trade Commission allegations over misrepresentations that the
company took reasonable steps to secure its wireless routers and
Internet-connected cameras.

The settlement ends FTC litigation against D-Link stemming from a 2017
complaint
<https://www.ftc.gov/news-events/press-releases/2017/01/ftc-charges-d-link-put-consumers-privacy-risk-due-inadequate>
in which the agency alleged that, despite claims touting device security,
vulnerabilities in the company's routers and Internet-connected cameras left
sensitive consumer information, including live video and audio feeds,
exposed to third parties and vulnerable to hackers.

“We sued D-Link over the security of its routers and IP cameras, and these
security flaws risked exposing users' most sensitive personal information to
prying eyes,'' said Andrew Smith, Director of the FTC's Bureau of Consumer
Protection. “Manufacturers and sellers of connected devices should be aware
that the FTC will hold them to account for failures that expose user data to
risk of compromise.''

Despite promoting the security of its products by claiming it offered
“advanced network security,'' D-Link failed to perform basic secure
software development, including testing and remediation to address
well-known and preventable security flaws, according to the FTC's
complaint. These flaws included using hard-coded login credentials on its
D-Link camera software with the easily guessed username and password,
“guest,'' and storing mobile app login credentials in clear, readable text
on a user's mobile device.

As part of the proposed settlement, D-Link is required
<https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf>
to implement a comprehensive software security program, including specific
steps to ensure that its Internet-connected cameras and routers are
secure. This includes implementing security planning, threat modeling,
testing for vulnerabilities before releasing products, ongoing monitoring to
address security flaws, and automatic firmware updates, as well as accepting
vulnerability reports from security researchers.

In addition, D-Link is required for 10 years to obtain biennial,
independent, third-party assessments of its software security program.  The
assessor must keep all documents it relies on for its assessment for five
years and provide them to the Commission upon request. The settlement also
requires the assessor to identify specific evidence for its findings—and
not rely solely on the assertions of D-Link's management. Finally, the order
gives the FTC authority to approve the third-party assessor D-Link chooses.

https://www.ftc.gov/news-events/press-releases/2019/07/d-link-agrees-make-security-enhancements-settle-ftc-litigation


As Florida cities use insurance to pay $1 million in ransoms to hackers, Baltimore and Maryland weigh getting covered (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Sun, 7 Jul 2019 21:02:00 -0400
https://www.washingtonpost.com/local/as-florida-cities-use-insurance-to-pay-1-million-in-ransoms-to-hackers-baltimore-and-maryland-weigh-getting-covered/2019/07/06/d1c0dc16-9f77-11e9-9ed4-c9089972ad5a_story.html


House Democrats introduce a bill to tighten airport security stings (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Sun, 7 Jul 2019 21:02:29 -0400
https://www.washingtonpost.com/transportation/2019/06/26/house-democrats-introduce-bill-tighten-airport-security-stings/


Introducing ERP software: The biggest risk to your business (Faz)

Thomas König <tkoenig@netcologne.de>
Thu, 11 Jul 2019 08:10:33 +0200
If you want to see the face of a CEO of a company which has just
introduced new ERP software, look at

https://www.faz.net/aktuell/wirtschaft/erp-software-chaos-erzuernt-liqui-moly-chef-ernst-prost-16277813.html

(the article itself is in German).

ERP (enterprise resource planning) software is absolutely central to what
companies do these days - almost all business processes are done using this
software.

The company in question, Liqui Moly, has just switched from home-grown
COBOL programs to an ERP supplier and is now facing increased costs and
delays in their business processes ("Only the hourglass is running on
everybody's screen...").

To keep delivery dates, new people have to be hired, containers are only
half filled, trucks have to wait, and expensive air freight needs to be
booked.

The vendor for his ERP software is not mentioned, because "this is such
a typical problem." And yet, this kind of thing has attracted very little
attention, probably because nobody likes to talk about their failures.

Let us hope that this article helps to break the circle of silence.


European regulators to tighten rules for use of facial recognition (Politico)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 9 Jul 2019 7:49:28 PDT
Mark Scott and Laurens Cerulus, Politico Europe:

Europe's privacy watchdogs are looking to beef up restrictions for the use
of facial recognition in a move that will affect how governments and big
tech companies use the technology. Data protection agencies will discuss new
guidelines Tuesday at a joint meeting in Brussels that would reclassify
facial recognition data as biometric data, which under European privacy
rules requires explicit consent from the person whose data is being
collected. Under the GDPR, biometric information—a category under which
the technology would soon fall—is considered as sensitive data, meaning
that its collection is prohibited
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/how-my-personal-data-protected/how-data-my-religious-beliefs-sexual-orientation-health-political-views-protected_en?utm_source=POLITICO.EU
unless individuals give explicit consent or the information has been made
public.

The draft change, which was confirmed by two data protection officials from
different authorities who spoke on the condition of anonymity because the
guidelines are not yet public, has potentially far-reaching impact at a time
when facial recognition tools are becoming more widespread in public spaces
and consumer technology. More stringent demands for consent could challenge
police forces and security services that are turning to facial recognition
to keep tabs on crowds, with experiments already under way or completed in
London,

They are also likely to weigh on tech companies like Facebook. The social
media giant reintroduced its use of facial recognition
in Europe last year following a ban. The company had used the onset of the
General Data Protection Regulation (GDPR) as a chance to ask users whether
they want to opt in to using the platform's facial recognition tool for
automatic tagging of their photographs. At the time, privacy activists
argued that the consent was not valid because even users who opted out would
have their biometric data scanned.

The Irish Data Protection agency—Facebook's lead regulator within the EU—sought
guidance from other European agencies. A spokesman for Facebook
declined to comment.  “We'll get the right level of consent to use facial
recognition going forward,'' Stephen Deadman, Facebook's global deputy chief
privacy officer, said in an interview last year in reference to the
technology's rollout in Europe.

If companies and governments fail to obtain a higher level of consent, they
may not be able to deploy facial recognition tools. Current tools for
obtaining consent for video surveillance, like signs informing people they are
being recorded, are not likely to meet the higher standard of consent
required for collection of biometric data.

The guidelines are expected to go through a public consultation process
before being finalized by the watchdogs. A spokesperson for the European
Data Protection Board, the pan-EU group of privacy regulators, declined to
comment.


"New Windows 7 'security-only' update installs telemetry/snooping, uh, feature" (Woody Leonhard)

Gene Wirchenko <gene@shaw.ca>
Thu, 11 Jul 2019 08:43:07 -0700
Woody Leonhard, Columnist, Computerworld | PT

https://www.computerworld.com/article/3408496/new-windows-7-security-only-update-installs-telemetrysnooping-uh-feature.html

Three years ago, Microsoft promised to keep Win7 and 8.1 updated with two
tracks of patches—Monthly Rollups that include everything and
"security-only" patches that are supposed to be limited to security
fixes. Guess what just happened.


"The Windows 10 misinformation machine fires up again" (Ed Bott)

Gene Wirchenko <gene@shaw.ca>
Sun, 07 Jul 2019 20:16:05 -0700
Ed Bott, ZDNet, 8 Jul 2019
https://www.zdnet.com/article/the-windows-10-misinformation-machine-fires-up-again/

The loudest voices screaming about Windows 10 sometimes have no idea what
they're talking about. Case in point: This dire warning from Gordon Kelly at
Forbes, who is as ill-informed as ever.

opening text:

Gordon Kelly of Forbes is at it again, pushing his unique blend of scary
words about Windows 10, mixed with an absolutely overwhelming lack of
knowledge about the underlying technologies.

[And so on.  He then debunks Kelly.  The risk?  At least one of them is
wrong.  There is a lot of wrong data out there.  Too many people have an
overly high opinion of their opinions.  (It is hard to avoid, and I do not
think that I do a perfect job myself.)  In the middle of this mess, we have
to work out what is or appears to be true and decide what to do.  I wish it
were easier.]


"WTF, Microsoft?" (Steven J. Vaughan-Nichols)

Gene Wirchenko <gene@shaw.ca>
Thu, 11 Jul 2019 08:39:03 -0700
Steven J. Vaughan-Nichols, Computerworld
For months Microsoft hid the fact that its Registry backup feature no longer
worked, while Windows 10 kept reporting that it was completing
successfully. What were you thinking, guys?

https://www.computerworld.com/article/3406846/wtf-microsoft.html

selected text:

When things have gone wrong on standalone Windows machines—and they often
have—one of my repair tricks of last resort has been to restore the
Windows Registry to an earlier known good state.  A lot of times, doing a
restore was faster than a backup.

Good thing I haven't had to do that lately, though. Microsoft quietly
removed this feature in October 2018's Windows 10 version 1803. But it
didn't bother to tell users about it until late June 2019.

But let's get back to the really important question for Microsoft: Why did
you hide this from users? Windows kept reporting that the backups were being
*completed successfully*.  But were you to browse to the
\Windows\System32\config\RegBack folder in Windows Explorer, you would see
each Registry hive backup—with a size of 0Kbit. Zero.

I said "were you to browse"—meaning, on the slim, not to say minuscule,
chance that you would do this.  I mean, I always dive deep into obscure
file folders to make sure the operating system isn't lying to me when it
tells me a job has been completed. Doesn't everyone?

That is the real pain in the rump of this entire affair: not that the
feature is missing, but that Windows lied to its users, and Microsoft hid
this from us for months. That is unacceptable.
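A check for the condition described above, as an added example that is not from the Computerworld article or from Microsoft: instead of trusting the scheduled task's "completed successfully" result, it reads the sizes of the hive backups in the RegBack folder directly. The hive file names and the task path are those of a default Windows 10 installation; the function name is my own.

```powershell
# Added example: verify that the Registry hive backups in RegBack actually
# contain data, rather than trusting the status reported by the backup task.
# Run from an elevated PowerShell prompt (System32\config is not world-readable).

$regBack = Join-Path $env:SystemRoot 'System32\config\RegBack'
# Hive files a default installation keeps in RegBack
$hives   = @('DEFAULT', 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM')

function Test-RegBackHives {
    param(
        [string]$Path = $regBack,
        [string[]]$Names = $hives
    )
    foreach ($name in $Names) {
        $file = Join-Path $Path $name
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ Hive = $name; SizeBytes = $null; LastWrite = $null; Status = 'MISSING' }
            continue
        }
        $info = Get-Item -LiteralPath $file
        # A zero-length hive file is the symptom the article describes:
        # the task reports success but no backup was written.
        $status = if ($info.Length -eq 0) { 'EMPTY (no real backup)' } else { 'OK' }
        [pscustomobject]@{
            Hive      = $name
            SizeBytes = $info.Length
            LastWrite = $info.LastWriteTime
            Status    = $status
        }
    }
}

# What the files say
Test-RegBackHives | Format-Table -AutoSize

# What Task Scheduler says about the task that is supposed to write them
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Registry\' `
                          -TaskName 'RegIdleBackup' -ErrorAction SilentlyContinue
if ($task) {
    $task | Get-ScheduledTaskInfo | Select-Object LastRunTime, LastTaskResult
}
```

A row showing `EMPTY` next to a task whose `LastTaskResult` is 0 is exactly the discrepancy the article complains about. Microsoft's own support documentation for this behaviour (not the article above) describes re-enabling the periodic backup with a REG_DWORD value named `EnablePeriodicBackup`, set to 1, under `HKLM\System\CurrentControlSet\Control\Session Manager\Configuration Manager`; rerun the check after the task's next run to confirm the hive files are no longer empty.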


"Raspberry Pi 4 won't work with some power cables due to its USB-C design flaw" (Liam Tung)

Gene Wirchenko <gene@shaw.ca>
Wed, 10 Jul 2019 09:30:33 -0700
Liam Tung, ZDNet, 9 Jul 2019
Did Raspberry Pi Foundation fail to test Raspberry Pi 4 properly?
Either way, one expert says new flagship is not USB-C compliant and
must be fixed.
https://www.zdnet.com/article/raspberry-pi-4-wont-work-with-some-power-cables-due-to-its-usb-c-design-flaw/

opening text:

The Raspberry Pi Foundation has confirmed its brand-new Raspberry Pi 4 Model
B has a problem with some USB-C cables failing to charge the little
computer.

The Raspberry Pi 4 is the first version to include a USB-C port capable of
supplying power to it. The problem, as some early users have found, is that
certain charging cables don't work. But they would have if the Raspberry Pi
Foundation had simply followed the USB-C specification to the letter.


Confirmed: Zoom Security Flaw Exposes Webcam Hijack Risk, Change Settings Now (Forbes)

Gabe Goldberg <gabe@gabegold.com>
Tue, 9 Jul 2019 12:28:57 -0400
  Forwarded message:

Seems to be specific to Mac users of the Zoom videoconferencing app, but all
should check your settings.

https://www.forbes.com/sites/zakdoffman/2019/07/09/warning-as-millions-of-zoom-users-risk-webcam-hijack-change-your-settings-now/

I have a tough-to-hack handy slide shield over my iPad camera (not that iOS
seems implicated in this risk).


Texas County Purchases DRE Machines Over Expert Security Objections (Brian Bethel)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 10 Jul 2019 4:06:28 PDT
That decision, likely to be cemented by county commissioners Tuesday, has
raised questions from a science advocacy organization, the Center for
Scientific Evidence in Public Issues (EPI Center). It recommends the use of
paper ballots as a way of ensuring that votes are counted securely and
accurately.

But Freda Ragan, the county's elections administrator, countered Monday that
the type of machines selected, known as direct recording electronic machines
(DREs) are highly secure, with redundancies built in and no remote access.

The system should be familiar to voters, while making the path smooth for
the county's elections office, she said.

"There are currently no state mandates or requirements for counties to
purchase paper," Ragan said.

The system the county likely will purchase does have the ability to be
converted to paper ballots, "if we are ever required or mandated to do so,"
she said.


Ragan said in an email last week the voting program being considered,
Texas-based Hart InterCivic's Verity Voting system, is already in use
throughout the state.

The system attained certification from the federal U.S. Election Assistance
Commission, she said, and successfully has passed through Texas Secretary of
State Elections Office independent testing and certification processes.

To be awarded certification at the federal level, by the EAC, and to attain
state certification, which is required in Texas, voting systems must meet or
exceed established security standards.


The Hard-Luck Texas Town That Bet on Bitcoin—and Lost (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Thu, 11 Jul 2019 20:37:36 -0400
In 1952, The Saturday Evening Post christened Rockdale, Texas, "The Town
Where It Rains Money." An estimated 100-million tons of lignite coal lay
buried a few miles south of the city limits, and Alcoa had just swooped in
to build a $100-million smelter that would use the cheap energy source to
produce aluminum for fighter planes, skyscrapers, automobiles, and
more. "At the mere mention of somebody blowing into town with $100,000,000
to spend, many citizens were seized by attacks of vertigo," wrote local
author George Sessions-Perry. "Others merely went off and lay down in an
effort to regain their composure. Then things began to happen."

Seemingly overnight, Rockdale's population doubled to 5,000. A photo
accompanying the Post story shows resident millionaire H. H. "Pete"
Coffield and the mayor hosting a party for new Alcoa employees on a patio
surrounded by a lush garden. The women wear cocktail dresses, and the men
wear ties. "What makes us feel best of all," Sessions-Perry continued,
"is that we're making a sizable pile of something that the nation needs."

More recently, though, prosperity has eluded Rockdale. The Alcoa smelter was
shuttered in 2008, and an adjoining coal-fired power plant closed last
year. More than 1,000 jobs vanished, sending Rockdale and surrounding Milam
County, population 25,000, into a nosedive.

Then, last summer, a ray of hope pierced the gloom. Bitmain, a Chinese
company that makes specialized computers for "mining" cryptocurrency, said
it would invest $500 million in what was to be the world's largest
bitcoin-mining facility at the closed Alcoa smelter, which, crucially, was
still connected to massive electrical lines. The large buildings where
aluminum was made, called potrooms, would be filled with shipping containers
stocked with 325,000 mining machines. Most important for Milam County,
Bitmain promised to create between 400 and 600 jobs. New industry would
replace the old.

https://www.wired.com/story/hard-luck-texas-town-bet-bitcoin-lost/


Thoughtcrime --> Thoughtaccidents (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Wed, 10 Jul 2019 17:40:16 -0400
https://www.wired.com/story/waze-data-help-predict-car-crashes-cut-response-time/

FOOD FOR THOUGHT

Users of the Google traffic app Waze are fastidious about reporting all
manner of roadside obstacles and slowdowns, including traffic accidents.
Some studies show that "Wazers" actually report crashes more quickly than
callers to emergency services. Aarian Marshall reports for Wired on
researchers now seeing if they can combine vast amounts of Waze reports with
other data sets to predict crashes before they happen. It's not an easy
problem, as computer apps generally are not good at predicting rare events.

"You have to have a lot of data, and diverse types of data, and then be
able to analyze it for it to be actionable instead of just piling up," says
Christopher Cherry, an engineering professor with the University of Kentucky
who recently completed a study of how traffic data could be used to improve
road safety. The traffic data itself is useful, sure.  But to predict the
risk of crashes, and to prevent them, you should also probably have a sense
for where crashes are happening, and what the roads in question look like,
and how those roads perform under different weather conditions. And then you
have to link all those datasets up and help them "talk" to each other --
no small feat.


Mass Attacks in Public Spaces - 2018 (Secret Service National Threat Assessment Center)

Gabe Goldberg <gabe@gabegold.com>
Thu, 11 Jul 2019 18:01:46 -0400
https://www.secretservice.gov/data/press/reports/USSS_FY2019_MAPS.pdf


Google audio recordings of users leaked

Mark Thorson <eee@dialup4less.com>
Fri, 12 Jul 2019 11:23:31 -0700
"More than 1,000 recordings were obtained by Belgian broadcaster VRT NWS,
which noted in a story that some contained sensitive personal conversations
--- as well as information that identified the person speaking."

I suppose it's bad enough when a company obtains sensitive personal
information without the full awareness of the user, but then they gotta leak
it too?

http://www.taipeitimes.com/News/biz/archives/2019/07/13/2003718564


New Bedford computer outages continue for sixth day (WBSM)

Monty Solomon <monty@roscom.com>
Fri, 12 Jul 2019 18:09:17 -0400
https://www.southcoasttoday.com/news/20190710/new-bedford-computer-outages-continue-for-sixth-day

Earlier:
https://wbsm.com/new-bedford-computer-outage-spreads-to-fire-department/


Feds: New Bedford police officer arrested after 194 child porn files found on computer (WHDH)

Monty Solomon <monty@roscom.com>
Fri, 12 Jul 2019 18:10:02 -0400
https://whdh.com/news/feds-new-bedford-police-officer-arrested-after-194-child-porn-files-found-on-computer/


7-Eleven's 7pay app hacked in a day due to 'appalling security lapse' (TechBeacon)

Gabe Goldberg <gabe@gabegold.com>
Fri, 12 Jul 2019 15:53:23 -0400
7-Eleven in Japan caused hundreds of customers to lose about $600 each.
Hackers stole the money via the convenience store's newly
launched mobile payments app, 7pay.

The app design had a frankly ludicrous flaw in its lost-password UX. As the
reality of the stupendous error sinks in, infosec experts are left
scratching their heads, dumbfounded.

https://techbeacon.com/security/7-elevens-7pay-app-hacked-day-due-appalling-security-lapse


On the Bugginess of This Year's OS Betas From Apple (Daring Fireball)

Gabe Goldberg <gabe@gabegold.com>
Thu, 11 Jul 2019 16:46:16 -0400
https://daringfireball.net/linked/2019/07/09/ulysses-icloud-os-betas


"Apple disables Walkie-Talkie app due to snooping vulnerability" (Adrian Kingsley-Hughes)

Gene Wirchenko <gene@shaw.ca>
Thu, 11 Jul 2019 09:03:55 -0700
Adrian Kingsley-Hughes, ZDNet, 11 Jul 2019

The feature has been disabled while Apple fixes the bug.
https://www.zdnet.com/article/apple-disables-walkie-talkie-app-due-to-snooping-vulnerability/

opening text:

Apple has temporarily disabled the Walkie-Talkie app on the Apple Watch due
to a vulnerability that could allow someone to eavesdrop on an iPhone
without the owner's consent.

  Also:
  Apple disables Walkie Talkie app due to vulnerability that could
  allow iPhone eavesdropping (TechCrunch)
  https://techcrunch.com/2019/07/10/apple-disables-walkie-talkie-app-due-to-vulnerability-that-could-allow-iphone-eavesdropping/


Stripe Outage Smacked Businesses for Two Hours (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Fri, 12 Jul 2019 16:09:43 -0400
Stripe, one of the most valuable financial technology startups in the world,
was hit with one of its longest periods of downtime ever on Wednesday. The
company's services were offline for almost two hours cumulatively throughout
the day, meaning some companies that rely on Stripe to process payments
could not accept orders during that time.

Stripe was last valued by investors at $23 billion, and builds software
and payment infrastructure to help businesses accept money online.

https://fortune.com/2019/07/11/stripe-outage-technology-payment-processing/


Google/Amazon/Apple are you listening to me?

Rob Slade <rmslade@shaw.ca>
Fri, 12 Jul 2019 12:23:20 -0700
One of the kids uses Siri.  Another uses Alexa.  My baby brother uses "Hey
Google" on his Android phone.  (His eyes are going, and I'm a bit jealous
because I really *hate* those soft keyboards ...)

Way back when PDAs (remember them?) first started to become a "thing," I
predicted that they wouldn't be big until they could talk (and listen) to
us.  What I did *not* foresee was that the heavy lifting in the listening
department would be done by giant servers at the corporate end, and that,
therefore, all of our interactions with the devices would be accessible to
giant enterprises that would mine all of our conversations in a way that
makes "big data" look like a little black book.

I don't use Siri or Cortana or Hey Google, and, whenever one of them
switches on I turn it off.  My TV is cheap enough that it doesn't have a
camera or a microphone.  I don't have one of those cylinders or pucks that
turns on your lights because I don't have smart light bulbs.  We don't have
to have constant "tunes" or "playlists" playing in the house.  (This
actually leaves Gloria and me free to talk to each other, something that we
apparently do much more than most people.)

My extremely old car does have a computer in it, but it only talks to the
service department (and then only when I bring it in).  We drive little
enough, now, that, by the time I have to replace it, I may be able to simply
get rid of it and use taxis.  (Yes, taxis.  I know some of you *love*
ride-sharing, but I still see too many problems with it to go that route.
Besides, for most of my transport-related problems, I see very few issues
that the 210 bus doesn't solve.)  So I probably won't have to get used to a
self-driving car, that's talking with every other car on the road (*and* the
manufacturer, *and* my insurer, *and* the local police).  (As much as I hate
machines that think they are smarter than I am, I do believe we should get
the self-driving cars on the road as quickly as possible, because, for all
the "this car killed its driver" anecdotes, they already drive better than
we do, and it would, even now, save lives.)

This may sound funny, as I'm writing this on a computer, and I'm surrounded
by three more computers and another three "devices."  But, as the joke has
it, I'm not going to worry about all my computers ganging up on me until the
computer actually starts reliably talking to the printer that's right beside
it.  I still have to reboot my cable modem (and sometimes short out the coax
cable) to get the Internet back at times, and I still have to power cycle
the spiffy new PVR the cable company gave me to fix problems with the old
one.

It's not the computers that scare me, it's the companies.  Facebook, of
course, has amply demonstrated that it cares nothing about its users.
Google scared me, initially, with the masses of information it collected,
but, over the years, the "don't be evil" mantra seemed to work out.
Recently, though, Google has demonstrated some very worrying tendencies.
Apple has always wanted to lock you into their world, but hasn't seemed to
care for much beyond getting you.  Microsoft, of course, was always the big
evil empire, but lately isn't quite so ... big.

And, no, thanks, I *don't* want the government to take over and regulate
everything in sight.  I started out in malware research, and watched various
governments make bone-headed decisions about creating laws just to try and
make viruses illegal.  Governments are having a tough enough time (and
taking a long time) to get "sufficient" regulation to rein in some of the
corporate excesses.

We have a lot of things to learn about privacy and security, and constant
vigilance is the price of et cetera, et cetera.  We are going to have to
struggle through, and it will be a lot of work, and it means we have to pay
attention to a lot of stuff going on.

Welcome to security.


Your Pa$$word doesn't matter - Microsoft Tech Community - 731984 (Alex Weinert)

Gabe Goldberg <gabe@gabegold.com>
Fri, 12 Jul 2019 16:00:58 -0400
Alex Weinert—Microsoft

Every week I have at least one conversation with a security decision maker
explaining why a lot of the hyperbole about passwords—"never use a
password that has ever been seen in a breach," "use really long
passwords", "passphrases-will-save-us", and so on—is inconsistent with
our research and with the reality our team sees as we defend against 100s of
millions of password-based attacks every day. Focusing on password rules,
rather than things that can really help—like multi-factor authentication
(MFA), or great threat detection—is just a distraction.

Because here's the thing: When it comes to composition and length, your
password (mostly) doesn't matter.

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Your-Pa-word-doesn-t-matter/ba-p/731984


The New York Times blocks viewing in private mode

Thomas König <tkoenig@netcologne.de>
Thu, 11 Jul 2019 08:26:19 +0200
*The New York Times* now blocks views in private mode of browsers such
as Firefox or Chromium.

If you do that, you get an error message stating

  "You're in private mode.

  Log in or create a free New York Times account to continue reading in
  private mode."

which is actually quite funny.

This is, of course, the NYT's business decision.  However, I do not think
the problems of pay-in for content with your data need to be spelled out for
the readers of comp.risks.

However, I would like to ask comp.risks contributors to no longer post links
to nytimes.com. Contributing to uncontrolled gathering of data is not what a
forum about computer risks should do.

  [I am a subscriber, and read as much of the paper as I can in print over
  breakfast.  I do not have time or patience to read long articles on a cell
  phone.  Many others subscribe online only.  The NYTimes, WashPost, and
  very few others are becoming the only ones that support a staff of news
  folks who actually generate news articles rather than simply copy them
  from elsewhere.  We value good journalism, which is becoming rare—as it
  is increasingly strangled by other media and fifteen-second sound bites on
  TV.  PGN]


Re: Line just went Orwellian on Japanese users with its social credit-scoring system (RISKS-31.32)

Amos Shapir <amos083@gmail.com>
Sat, 6 Jul 2019 14:28:30 +0300
"Line stresses Line Score is opt-in only"—yes, but the customers who do
not opt in are already denied certain "special deals"; how soon will
they find out that they are the only ones paying full price for a gradually
degrading service?

And "the company will never share a user's Line Score with third parties"
-- but how about sharing with other companies of the same owners, or with
all companies owned by the next Big Company which would acquire Line?


Re: Autonomous vehicles don't need provisions and protocols (Drewe, RISKS-31.21-30)

Dan Jacobson <jidanni@jidanni.org>
Sat, 06 Jul 2019 19:30:10 +0800
CD> Personally I feel that the simplest solution would be to have some sort
CD> of radio/wi-fi signal for autonomous vehicles (and maybe to conventional

Sounds good but sure hope such add-on systems' clocks don't drift, else
after about a month (when the first autonomous vehicle shows up) radio red
might already correspond to visual green...


Re: Line just went Orwellian on Japanese users with its social credit-scoring system (RISKS-31.32)

Dan Jacobson <jidanni@jidanni.org>
Sat, 06 Jul 2019 20:45:15 +0800
> Still, it's unnerving that tech companies seem to think that social
> credit ratings are the next big thing for now. Hopefully, this is a
> trend that will not catch on.

Stack Exchange was first.
Some might say not the same thing...
But users quickly learn to dot their i's and cross their t's...

Indeed, here on RISKS readers' RISK_POINTS shall be deducted for each
missing dot (U+0131 LATIN SMALL LETTER DOTLESS I). Furthermore, and just
for sadistic pleasure, you can only lose RISK_POINTS (that you never had
in the first place) and never gain them.


Fernando Corbato dies

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 12 Jul 2019 21:18:53 PDT
Fernando Corbató, a Father of Your Computer (and Your Password), Dies at 93
Katie Hafner, *The New York Times*, 12 Jul 2019
https://www.nytimes.com/2019/07/12/science/fernando-corbato-dead.html

  Personal note: Corby was a mentor, colleague, and close friend from 1965
  on.  He is deeply missed.  Pioneer `father' of time-shared computing (CTSS
  at MIT in 1962), Multics (MIT, with Honeywell [as Katie notes, originally
  GE], and Bell Labs), inspirational professor, even a dean for a while.
  The obit by Katie is worth reading, especially for those of you who did not
  know him.  PGN
