The RISKS Digest
Volume 33 Issue 25

Saturday, 4th June 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Firm proposes using Taser-armed drones to stop school shootings
NPR.ORG
Illumina Cybersecurity Vulnerability May Present Risks for Patient Results and Customer Networks: Letter to Health Care Providers
FDA
FBI blocked planned cyberattack on children's hospital
NBC
Three times in one year, gamers release classified military documents on game forum
Kotaku
Voting Software Vulnerable in Some States
Kate Brumback
Activists say cyber agency weakens voting tech advisory
AP News
The Airline Changed My Flight Itinerary—for the Worse
NYTimes
Parameter Expansion Considered Dangerous
The Hacker News
I tried to read all my app privacy policies. It was 1 million words.
Geoffrey A. Fowler
D.C. stop-sign camera brought in $1.3 million in tickets in 2 years
WashPost
Tim Hortons app tracked too much personal information without adequate consent, investigation finds
CBC
Cape Cod Regional Transit Authority hit by ransomware attack
CapeCodTimes
Microsoft Follina Vulnerability in Windows Can Be Exploited Through Office 365
WiReD
User Generated Content moderation?
Lauren Weinstein
Same Symptom—Different Cause?
TUMunich
Google bans deepfake-generating AI from Colab
Techcrunch
Tech Experts Urge WashDC to Resist Cryptocurrency Industry's Influence
Scott Chipolina
She documented the alt-right. Now she's coming for cryptocurrency.
WashPost
Three NYU Tandon teams win $2.5 million from an NSF partnership to ensure resiliency is part of next-G wireless telecommunications
NYU
Racist and Violent Ideas Jump From Web's Fringes to Mainstream Sites
NYTimes
China is looking for 'other Earths' to colonize
CGTN
Why Silicon Valley's Tech Titans Are In 'Serious Trouble'
YouTube
With Cameras on Every Phone, Will Broadway's Nude Scenes Survive?
NYTimes
Re: Inside the Government Fiasco That Nearly Closed the U.S. Air System
John Levine
Info on RISKS (comp.risks)

Firm proposes using Taser-armed drones to stop school shootings (NPR.ORG)

Richard Stein <rmstein@ieee.org>
Sat, 4 Jun 2022 22:31:15 +0800
https://www.npr.org/2022/06/04/1103066205/taser-armed-drones-school-shootings

"The product idea had been kicked around at Axon since at least 2019 and the
company has been working to try to figure out whether a drone with a Taser
was even a feasible idea. Over the last year, the company created
computer-generated art renderings to mock up a product design and conducted
an internal test to see if Taser darts—which transmit an immobilizing
electric jolt—could be fired from a flying drone, Smith said. He added
that he had discussed the possibility of developing such a product with the
ethics board."

Would Axon deploy this drone-tazerbot to patrol their corporate HQ and
other facilities? Nuts!


Illumina Cybersecurity Vulnerability May Present Risks for Patient Results and Customer Networks: Letter to Health Care Providers (FDA)

Monty Solomon <monty@roscom.com>
Thu, 2 Jun 2022 16:26:28 -0400
The U.S. Food and Drug Administration (FDA) is informing laboratory
personnel and health care providers about a cybersecurity vulnerability
affecting software in the Illumina NextSeq 550Dx, the MiSeqDx, the NextSeq
500, NextSeq 550, MiSeq, iSeq, and MiniSeq, next generation sequencing
instruments. These instruments are medical devices that may be specified
either for clinical diagnostic use in sequencing a person's DNA or testing
for various genetic conditions, or for research use only (RUO). Some of
these instruments have a dual boot mode that allows a user to operate them
in either clinical diagnostic mode or RUO mode. Devices intended for RUO are
typically in a development stage and must be labeled “For Research Use
Only. Not for use in diagnostic procedures.” though many laboratories may
be using them with tests for clinical diagnostic use.

The cybersecurity vulnerability affects the Local Run Manager (LRM)
software. An unauthorized user could exploit the vulnerability by:

* taking control of the instrument remotely;

* operating the system to alter settings, configurations, software, or data
  on the instrument or a customer's network; or

* impacting patient test results in the instruments intended for clinical
  diagnosis, including causing the instruments to provide no results or
  incorrect results, altered results, or a potential data breach.

Illumina has developed a software patch to protect against the exploitation
of this vulnerability and is working to provide a permanent software fix for
current and future instruments. The FDA wants laboratory personnel and
health care providers to be aware of the required actions to mitigate these
cybersecurity risks.  [...]

https://www.fda.gov/medical-devices/letters-health-care-providers/illumina-cybersecurity-vulnerability-may-present-risks-patient-results-and-customer-networks-letter


FBI blocked planned cyberattack on children's hospital (NBC)

Monty Solomon <monty@roscom.com>
Wed, 1 Jun 2022 14:00:17 -0400
FBI Director Christopher Wray said the bureau and Boston Children's Hospital
had worked closely together after a hacktivist attacked the hospital's
computer network in 2014.

https://www.nbcnews.com/tech/security/fbi-blocked-planned-cyberattack-childrens-hospital-director-says-rcna31456


Three times in one year, gamers release classified military documents on game forum (Kotaku)

Jan Wolitzky <jan.wolitzky@gmail.com>
Fri, 3 Jun 2022 14:03:00 -0400
How seriously do video gamers take the games' depictions of military
hardware?  Seriously enough that three times in the past year, players of
"War Thunder" have leaked classified military documents on the game's online
forums, either to settle arguments about their favorite tanks' capabilities
or to get the games' designers to make them more true-to-life.

https://kotaku.com/war-thunder-tank-classified-military-document-leak-chin-1849005359


Voting Software Vulnerable in Some States (Kate Brumback)

ACM TechNews <technews-editor@acm.org>
Wed, 1 Jun 2022 11:59:47 -0400 (EDT)
Kate Brumback, Associated Press, 1 Jun 2022, via ACM TechNews, 1 Jun 2022

The U.S. Cybersecurity and Infrastructure Agency (CISA) warned state
election officials that Dominion Voting Systems' electronic voting machines
contain software flaws that could be exploited if left unpatched. Although
there is no evidence the machines have been hacked to change election
results, the advisory discloses nine vulnerabilities, and recommends
safeguards to prevent or detect exploitation. Despite CISA executive
director Brandon Wales' statement that "states' standard election security
procedures would detect exploitation of these vulnerabilities, and in many
cases would prevent attempts entirely," the advisory seems to suggest those
efforts are inadequate. Advised mitigation strategies include application of
continued and enhanced "defensive measures to reduce the risk of
exploitation of these vulnerabilities" prior to every election. CISA also
urged aggressive pre- and post-election testing on the machines,
post-election audits, and having voters confirm the human-readable portion
on printed ballots.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2eb70x2341a1x072730&


Activists say cyber agency weakens voting tech advisory (AP News)

Dave Farber <farber@gmail.com>
Sun, 5 Jun 2022 01:33:15 +0900
The nation's leading cybersecurity agency released a final version Friday of
an advisory it previously sent state officials on voting machine
vulnerabilities in Georgia and other states that voting integrity activists
say weakens a security recommendation on using barcodes to tally votes.

The advisory put out by the U.S. Cybersecurity and Infrastructure Security
Agency, or CISA, has to do with vulnerabilities identified in Dominion
Voting Systems' ImageCast X touchscreen voting machines, which produce a
paper ballot or record votes electronically. The agency said that although
the vulnerabilities should be quickly mitigated, the agency “has no
evidence that these vulnerabilities have been exploited in any elections.”

Dominion's systems have been unjustifiably attacked since the 2020 election
by people who embraced the false belief that the election was stolen from
former President Donald Trump. The company has filed defamation lawsuits in
response to incorrect and outrageous claims made by high-profile Trump
allies.


The Airline Changed My Flight Itinerary—for the Worse (NYTimes)

Monty Solomon <monty@roscom.com>
Thu, 2 Jun 2022 10:17:49 -0400
Airlines are within their contractual rights to cancel booked flights and
place passengers on less-convenient routes with hours-long layovers. Our
columnist investigates whether travelers have any recourse.

https://www.nytimes.com/2022/05/24/travel/airline-flight-itinerary.html


Parameter Expansion Considered Dangerous (The Hacker News)

Cliff Kilby <cliffjkilby@gmail.com>
Fri, 3 Jun 2022 13:30:15 -0400
After the Log4j issue came to light [See RISKS-33.11,13,14]
(https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance), I would
have expected the industry to realize the problem wasn't just with Log4j, or
even Java. It's unguarded user submitted parameter expansion.

https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html
Seems to indicate I was overly optimistic.

Several templating engines exist with several parameter formats. Offhand,
there is jsp with <jsp, <%, <c, ${, asp(x) with <%, smarty and freemarker
with {$, Django, Mustache and Jinja with {{. Apache's Velocity templates
have a list worthy of a BNF rule, but I don't know BNF, so how about
"dollar-sign or hash optional bang optional bracket

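The bug class Cliff describes, as an added illustration that is not part of the original post or of any of the engines he lists: Python's stdlib string.Template uses the ${ } syntax from his list, so it shows the unguarded pattern (user string becomes the template) next to the guarded one (user string is only a value). The CONTEXT dictionary, the helper names and the marker regex are my assumptions.

```python
import re
from string import Template

# Constructed server-side context; anything the engine can reach can be expanded.
CONTEXT = {"secret": "db-password-placeholder", "user": "alice"}

# Delimiters from the list above, plus Velocity's "$ or #, optional !, then {".
# "<c" is narrowed to "<c:" (the JSTL prefix) to avoid matching ordinary HTML tags.
EXPANSION_MARKERS = re.compile(r"<jsp|<%|<c:|\{\$|\{\{|[$#]!?\{")


def render_unsafe(user_input: str) -> str:
    """Dangerous pattern: the user-submitted string becomes the template,
    so any ${name} inside it is expanded against the server-side context."""
    return Template(user_input).safe_substitute(CONTEXT)


def render_safe(user_input: str) -> str:
    """Guarded pattern: the template is a constant and the user string is
    only a value. string.Template does a single pass, so ${...} inside the
    value is emitted as literal text rather than expanded again."""
    return Template("Hello, ${name}!").safe_substitute(name=user_input)


def contains_expansion_markers(user_input: str) -> bool:
    """Heuristic input check for the delimiters listed above. Useful for
    logging and alerting on submitted parameters; not a substitute for
    keeping user input out of the template string in the first place."""
    return EXPANSION_MARKERS.search(user_input) is not None


if __name__ == "__main__":
    probe = "${secret}"  # constructed sample input
    print("unsafe :", render_unsafe(probe))   # expands to the context value
    print("safe   :", render_safe(probe))     # stays literal
    print("flagged:", contains_expansion_markers(probe))
```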

I tried to read all my app privacy policies. It was 1 million words. (Geoffrey A. Fowler)

Monty Solomon <monty@roscom.com>
Wed, 1 Jun 2022 14:19:02 -0400
Let's abolish reading privacy policies. Here's how we can use the law and
technology to give us real privacy choices.

https://www.washingtonpost.com/technology/2022/05/31/abolish-privacy-policies/

  [Also noted by Gabe Goldberg.  PGN]


D.C. stop-sign camera brought in $1.3 million in tickets in 2 years (WashPost)

Monty Solomon <monty@roscom.com>
Wed, 1 Jun 2022 02:10:10 -0400
A traffic camera at this stop sign, which has proven lucrative for the
District, is loathed by some residents who say it is overly sensitive and
praised by others who say it promotes safe driving.

https://www.washingtonpost.com/dc-md-va/2022/05/31/stop-sign-camera-northwest-washington/


Tim Hortons app tracked too much personal information without adequate consent, investigation finds (CBC)

"Matthew Kruk" <mkrukg@gmail.com>
Wed, 1 Jun 2022 20:43:26 -0600
https://www.cbc.ca/news/business/tim-hortons-app-report-1.6473584

The federal privacy commissioner's investigation into the Tim Hortons mobile
app found that the app unnecessarily collected extensive amounts of data
without obtaining adequate consent from users.

The commissioner's report, which was published Wednesday morning, states
that Tim Hortons collected granular location data for the purpose of
targeted advertising and the promotion of its products but that the company
never used the data for those purposes.


Cape Cod Regional Transit Authority hit by ransomware attack

Monty Solomon <monty@roscom.com>
Sat, 4 Jun 2022 10:18:23 -0400
https://www.capecodtimes.com/story/news/2022/06/04/cape-cod-regional-transit-authority-ransomware-cyber-attack-fbi-investigating/7501982001/


Microsoft Follina Vulnerability in Windows Can Be Exploited Through Office 365 (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sat, 4 Jun 2022 00:47:42 -0400
The company continues to downplay the severity of the Follina vulnerability,
which remains present in all supported versions of Windows.

The Follina vulnerability in a Windows support tool can be easily exploited
by a specially crafted Word document. The lure is outfitted with a remote
template that can retrieve a malicious HTML file and ultimately allow an
attacker to execute Powershell commands within Windows. Researchers note
that they would describe the bug as a "zero-day," or previously unknown
vulnerability, but Microsoft has not classified it as such.  [...]

With all this real-world exploitation, the question is whether the guidance
Microsoft has published so far is adequate and proportionate to the risk.

"Security teams could view Microsoft's nonchalant approach as a sign that
this is 'just another vulnerability,' which it most certainly is not," says
Jake Williams, director of cyber threat intelligence at the security firm
Scythe. "It's not clear why Microsoft continues to downplay this
vulnerability, especially while it's being actively exploited in the wild."

https://www.wired.com/story/microsoft-follina-vulnerability-windows-office-365
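
A defender-side triage check for the remote-template mechanism the article describes, added here and not from the WiReD piece, Microsoft, or the cited researchers: it opens a .docx as the zip package it is and reports every attachedTemplate relationship whose target lies outside the file, then narrows to http(s) targets. The package produced by build_sample_docx is a constructed fixture (a minimal zip, not a real Word document) and the example.invalid URL is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OPC relationship namespace and the Word "attached template" relationship type.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def external_template_targets(docx_bytes: bytes) -> list:
    """Return (rels_part, target) for every attachedTemplate relationship
    with TargetMode="External". A local .dotx path is also recorded as
    External, so triage on the scheme: http(s) targets are the ones that
    make Word fetch content from the network when the document opens."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    hits.append((name, rel.get("Target")))
    return hits


def remote_template_targets(docx_bytes: bytes) -> list:
    """Subset of external_template_targets whose target is an http(s) URL."""
    return [(part, t) for part, t in external_template_targets(docx_bytes)
            if t and t.lower().startswith(("http://", "https://"))]


def build_sample_docx(template_target: str = None) -> bytes:
    """Constructed test fixture: only the zip entries needed to exercise
    the check above. Not a valid Word document."""
    rel = ""
    if template_target is not None:
        rel = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
               f'Target="{template_target}" TargetMode="External"/>')
    settings_rels = f'<Relationships xmlns="{REL_NS}">{rel}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "")
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://example.invalid/template.html")  # placeholder
    print(remote_template_targets(sample))
```

Run it over a quarantined attachment with `remote_template_targets(open(path, "rb").read())`; a non-empty result is worth an analyst's look, an empty one only rules out this one delivery mechanism.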


User Generated Content moderation?

Lauren Weinstein <lauren@vortex.com>
Wed, 1 Jun 2022 09:26:22 -0700
It's not impossible that ultimately platforms will be required to moderate
all UGC (User Generated Content) before it appears publicly.  This would
likely require a drastic cutback in UGC availability, with many
ramifications. But the regulatory arrow is moving in this direction.


Same Symptom—Different Cause? (TUMunich)

ACM TechNews <technews-editor@acm.org>
Wed, 1 Jun 2022 11:59:47 -0400 (EDT)
Technical University of Munich, Germany, 27 May 2022
via ACM TechNews, 1 Jun 2022

Scientists at Germany's Technical University of Munich (TUM) have developed
a machine learning algorithm to extract subtypes of illnesses from molecular
data. The Molecular Signatures using Biclustering (MoSBi) tool merges the
results of existing algorithms to acquire stronger, more precise clinical
subtype predictions, removing the need for time-consuming adjustment. "We
have developed a Web-based tool that permits online analysis of molecular
clinical data by practitioners without prior knowledge of bioinformatics,"
explained TUM's Josch Konstantin Pauling. Researchers can submit data to a
website for automated analysis, and use the results to interpret their
research. The team worked with colleagues at Germany's Max Planck Institute,
Technical University of Dresden, and Kiel University Clinic to apply MoSBi
to identify two potential biomarkers for progression to non-alcoholic fatty
liver disease.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2eb70x2341a7x072730&


Google bans deepfake-generating AI from Colab (Techcrunch)

Lauren Weinstein <lauren@vortex.com>
Wed, 1 Jun 2022 14:58:49 -0700
https://techcrunch.com/2022/06/01/2328459/

  GOOD!


Tech Experts Urge WashDC to Resist Cryptocurrency Industry's Influence (Scott Chipolina)

ACM TechNews <technews-editor@acm.org>
Wed, 1 Jun 2022 11:59:47 -0400 (EDT)
Scott Chipolina, *Financial Times*, 31 May 2022,
via ACM TechNews, 1 Jun 2022

A coalition of 26 leading computer scientists and academics has submitted a
letter to U.S. lawmakers urging a crackdown on cryptocurrency investments
and blockchain technology. The letter calls on major Senate figures "to
resist pressure from digital asset industry financiers, lobbyists, and
boosters to create a regulatory safe haven for these risky, flawed, and
unproven digital financial instruments." Signatory Bruce Schneier at Harvard
University said blockchain, contrary to advocates' assurances, is insecure
and not decentralized. Events like the recent implosion of the TerraUSD
stablecoin have rekindled worries about crypto's financial stability, while
letter signatory and former Microsoft engineer Miguel de Icaza argued, "The
computational power [of blockchain] is equivalent to what you could do in a
centralized way with a $100 computer."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2eb70x2341abx072730&


She documented the alt-right. Now she's coming for cryptocurrency. (WashPost)

Monty Solomon <monty@roscom.com>
Sat, 4 Jun 2022 09:46:28 -0400
Molly White, a 28-year-old software engineer who edits Wikipedia pages in
her spare time, has become an unlikely thorn in the side of the burgeoning
cryptocurrency movement. As the tech and finance world largely embrace
crypto tech, she's helping lead a band of skeptics pushing the other
direction.

https://www.washingtonpost.com/technology/2022/05/29/molly-white-crypto/


Three NYU Tandon teams win $2.5 million from an NSF partnership to ensure resiliency is part of next-G wireless telecommunications (NYU)

Gabe Goldberg <gabe@gabegold.com>
Thu, 2 Jun 2022 16:14:15 -0400
Tandon School of Engineering

BROOKLYN, New York, 11 May 2022—Lightning-fast, low-latency wireless,
from 5G to 6G and beyond, will enable such services as virtual and augmented
reality streaming, near-zero latency vehicle-to-cloud communications to help
self-driving cars navigate in real time, remote surgery, coordination of
automated systems in factories and other facilities, and a plethora of
futuristic consumer apps. But it will also open a Pandora's box of security
vulnerabilities in the hardware serving as its backbone and software driving
its networks.  [...]


Racist and Violent Ideas Jump From Web's Fringes to Mainstream Sites (NYTimes)

Monty Solomon <monty@roscom.com>
Thu, 2 Jun 2022 11:00:46 -0400
Despite some efforts by the largest tech companies to limit the spread of
hateful content, it often remains only a click or two away.

https://www.nytimes.com/2022/06/01/technology/fringe-mainstream-social-media.html


China is looking for 'other Earths' to colonize (CGTN)

geoff goodfellow <geoff@iconia.com>
Mon, 30 May 2022 19:19:31 -1000
China has announced its first plans to search the stars for nearby habitable
planets that could one day expand humanity's "living space" across the Milky
Way.  If it gets funding, the telescope could launch as soon as 2026.

In the project, called Closeby Habitable Exoplanet Survey (CHES), officials
propose launching a 3.9-foot-aperture (1.2 meters) space telescope roughly
930,000 miles (1.5 million kilometers) to a gravitationally stable Lagrange
point between Earth and the Sun, according to the Chinese state-run news
service CGTN.  Lagrange points trek around the sun at exactly the same rate
as Earth does, meaning a craft at one of those points will remain the same
distance from our planet indefinitely.

Once at the L2 Lagrange point (which is also home to NASA's James Webb Space
Telescope), the CHES telescope will spend five years searching for habitable
worlds across the roughly 100 sun-like stars within 33 light-years (10
parsecs) of Earth. From this data, astronomers hope to spot Earth-size
*exoplanets* <https://www.livescience.com/what-are-exoplanets> that are
moving around their stars in similar orbits to our own—a clue that these
potential "Earth 2.0's" may harbor water, and possibly even life.

"The discovery of the nearby habitable worlds will be a great breakthrough
for humankind, and will also help humans visit those Earth twins and expand
our living space in the future," Ji Jianghui, an astronomer at the Chinese
Academy of Sciences and the principal investigator of the CHES mission,
*told CGTN*, the website of the China Global Television Network. The
scientists say they hope to find roughly 50 Earth-like or super-Earth
exoplanets in their search.  [...]

<https://news.cgtn.com/news/2022-05-19/China-plans-world-s-first-habitable-planet-search-outside-solar-system-1a9W98DLA52/index.html>

https://www.livescience.com/china-is-looking-for-other-earths-to-colonize

  [What are risks?  It's likely to be hugely expensive.  It seems somewhat
  delusional and beyond rational thought, in light of needing mass transit
  over the light-years required for travel, although that would perhaps be
  limited to future government leaders wishing to escape.  The use of the
  word "nearby" in the trans-galactic sense is particularly amusing.  It's
  too late for an April Fool's posting, so perhaps it is actually being
  considered seriously.  <I wonder what Bill Cheswick (widely known as
  "CHES") might think of it.  He has always been a far-sighted thinker.>
  PGN]


Why Silicon Valley's Tech Titans Are In 'Serious Trouble' (YouTube)

"Matthew Kruk" <mkrukg@gmail.com>
Sat, 4 Jun 2022 00:27:25 -0600
https://www.youtube.com/watch?v=6VKpJeNoRlA

Business Insider's Linette Lopez joins Morning Joe to discuss her latest
piece on why the tech titans of Silicon Valley are in serious trouble.


With Cameras on Every Phone, Will Broadway's Nude Scenes Survive? (NYTimes)

Monty Solomon <monty@roscom.com>
Thu, 2 Jun 2022 09:41:33 -0400
https://www.nytimes.com/2022/06/01/arts/broadway-nudity-phone-cameras.html


Re: Inside the Government Fiasco That Nearly Closed the U.S. Air System (ProPublica, RISKS-33.24)

"John Levine" <johnl@iecc.com>
31 May 2022 22:48:12 -0400
This is an unusually poor piece for ProPublica, a lot of DC inside baseball
but nothing on the key question of whether C band signals really will make
airliners' radio altimeters fail. The answer for the most part turns out to
be no.

Harold Feld did a really good series on this last fall:

https://wetmachine.com/tales-of-the-sausage-factory/what-the-eff-faa-my-insanely-long-field-guide-to-the-faa-fcc-5g-c-band-fight/
