Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 31.33

RISKS-LIST: Risks-Forum Digest  Monday 15 July 2019  Volume 31 : Issue 33

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/31.33>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
How Fake News Could Lead to Real War (Politico)
Collision on Hong Kong metro (MTR)
Cyber-incident Exposes Potential Vulnerabilities Onboard Commercial Vessels (Coast Guard)
"Vulnerabilities found in GE anesthesia machines" (Catalin Cimpanu)
Inside the world of bogus medicine, where smoothies and salads can supposedly kill cancer (WashPost)
"Robot that started fire costs Ocado $137M" (Greg Nichols)
Anaesthetic devices 'vulnerable to hackers' (bbc.com)
FDA seeks comment on cybersecurity warnings and security upgrades (Federal Register)
EU "Galileo" GPS system remains down (BBC)
Tiny flying insect robot has four wings and weighs under a gram (New Scientist)
Smartphone payment system by Seven-Eleven Japan hacked from day 1: lack of two stage authentication, etc. (Japan Times)
Border Patrol agents tried to delete their horrific Facebook posts -- but they were already archived (NSFW -- The Intercept)
Professor faces 219-year prison sentence for sending missile chip tech to China (The Verge)
London Police's Facial Recognition System Has 81 Percent Error Rate? (Geek)
"GDPR: Record British Airways fine shows how data protection legislation is beginning to bite" (Danny Palmer)
D-Link Agrees to Make Security Enhancements to Settle FTC Litigation (Federal Trade Commission)
As Florida cities use insurance to pay $1 million in ransoms to hackers, Baltimore and Maryland weigh getting covered (WashPost)
House Democrats introduce a bill to tighten airport security stings (WashPost)
Introducing ERP software: The biggest risk to your business (Faz)
European regulators to tighten rules for use of facial recognition (Politico)
"New Windows 7 'security-only' update installs telemetry/snooping, uh, feature" (Woody Leonhard)
"The Windows 10 misinformation machine fires up again" (Ed Bott)
"WTF, Microsoft?" (Steven J. Vaughan-Nichols)
"Raspberry Pi 4 won't work with some power cables due to its USB-C design flaw" (Liam Tung)
Confirmed: Zoom Security Flaw Exposes Webcam Hijack Risk, Change Settings Now (Forbes)
Texas County Purchases DRE Machines Over Expert Security Objections (Brian Bethel)
The Hard-Luck Texas Town That Bet on Bitcoin -- and Lost (WiReD)
Thoughtcrime --> Thoughtaccidents (WiReD)
Mass Attacks in Public Spaces - 2018 (Secret Service National Threat Assessment Center)
Google audio recordings of users leaked (Marc Thorson)
New Bedford computer outages continue for sixth day (WBSM)
Feds: New Bedford police officer arrested after 194 child porn files found on computer (WHDH)
7-Eleven's 7pay app hacked in a day due to 'appalling security lapse' (TechBeacon)
On the Bugginess of This Year's OS Betas From Apple (Daring Fireball)
"Apple disables Walkie-Talkie app due to snooping vulnerability" (Adrian Kingsley-Hughes)
Stripe Outage Smacked Businesses for Two Hours (Fortune)
Google/Amazon/Apple are you listening to me? (Rob Slade)
Your Pa$$word doesn't matter - Microsoft Tech Community - 731984 (Alex Weinert)
The New York Times blocks viewing in private mode (Thomas Koenig)
Re: Line just went Orwellian on Japanese users with its social credit-scoring system (Amos Shapir)
Re: Autonomous vehicles don't need provisions and protocols (Dan Jacobson)
Re: Line just went Orwellian on Japanese users with its social credit-scoring system (Dan Jacobson)
Fernando Corbato dies (Katie Hafner via PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 5 Jul 2019 15:05:48 -1000
From: the keyboard of geoff goodfellow <geoff@iconia.com>
Subject: How Fake News Could Lead to Real War (Politico)

*Ambassador Daniel Benjamin is director of the John Sloan Dickey Center for International Understanding at Dartmouth College and served as coordinator for counterterrorism at the State Department 2009-2012. Steven Simon is visiting professor of history at Amherst College. He served as the National Security Council senior director for counterterrorism and for the Middle East and North Africa, respectively, in the Clinton and Obama administrations.*

EXCERPT:

Who really bombed the oil tankers in the Persian Gulf two weeks ago? Was it Iran, as the Trump administration assured us? Or was it Saudi Arabia, the United Arab Emirates or Israel -- or some combination of the three?

Here's a confession from two former senior government officials: For days after the attacks, we weren't sure. Both of us believed in all sincerity there was a good chance these actions were part of a false flag operation, an effort by outsiders to trigger a war between the United States and Iran. Even the film of Iranians hauling in an unexploded limpet mine from near the side of a tanker, we reasoned, might be a fabrication -- deep fake footage just like the clip of Nancy Pelosi staggering around drunk. Perhaps you felt that way too.
But for the two of us, with 30 years of government service and almost 20 more as think tankers between us -- this was shocking. Yes, we are card-carrying members of the Blob, the all-too-conventionally minded Washington foreign policy establishment, but we weren't sure whether to believe our government or not. This was more than a little disconcerting. Imagine waking up one morning and catching yourself thinking that alt-right conspiracy theorist Alex Jones was making good sense, that perhaps the Sandy Hook shooting was faked or that the 9/11 attacks were really an inside job? Imagine what it might be like to be in the grip of a conspiracy theory, when you've spent your whole professional life being one of those policy mandarins who could smell a conspiracy theory a mile away?...

https://www.politico.com/magazine/story/2019/07/05/fake-news-real-war-227272

------------------------------

Date: Sat, 6 Jul 2019 22:33:27 +0100
From: "Clive D.W. Feather" <clive@davros.org>
Subject: Collision on Hong Kong metro (MTR)

http://www.mtr.com.hk/archive/corporate/en/press_release/PR-19-044-E.pdf

MTR (the operators of the Hong Kong metro) are converting several lines to use the Thales/Alstom SelTrac system. During a test of the system outside service hours, the computer signaled two trains on to intersecting tracks, resulting in a collision; one driver was slightly injured.

In this system, there are no fixed signals beside the track indicating whether it is safe to proceed. Instead, the central control computer gives each train a "movement authority" indicating exactly where it is allowed to proceed to. Only when the rear of the train passes an intersection is another train given a movement authority that passes over the same intersection. These authorities are updated every few seconds.

Each control area (the line in question has two) has three control computers: A (normally active), B (hot standby), and C (warm standby). All three are the same design and run the same software.
Computer C is at a different physical location. Computer A keeps B constantly updated with the complete status but, to prevent common mode failures, it only passes some data to computer C. In particular, the "Conflict Zone Data" (which I am guessing is a table of which train is allowed on a given intersection) is not passed across; computer C is expected to re-compute it independently.

During a test computers A and B were both turned off, causing computer C to take over. At this point C does not transmit any movement authorities to the trains, which therefore all make an emergency stop. The traffic controller (a person in the control centre) then tells C to allow each train in turn to depart, giving it a new movement authority.

The report's conclusions are:

(1) The software development documentation did not state that the conflict zone data was not passed to computer C, so no test and safety analysis was done.

(2) A bug in the software meant that computer C failed to recalculate the conflict zone data correctly, allowing the collision.

(3) The take-over process did not require the conflict zone data to be present before C moved from warm backup state to active state.

------------------------------

Date: Thu, 11 Jul 2019 18:00:15 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Cyber-incident Exposes Potential Vulnerabilities Onboard Commercial Vessels (Coast Guard)

In February 2019, a deep draft vessel on an international voyage bound for the Port of New York and New Jersey reported that they were experiencing a