Subject: Risks Digest 33.25
From: RISKS List Owner
Newsgroups: comp.risks
Organization: PANIX Public Access Internet and UNIX, NYC
Date: Sat, 4 Jun 2022 22:17 UTC
Path: eternal-september.org!news.eternal-september.org!reader01.eternal-september.org!reader02.eternal-september.org!panix!.POSTED.panix3.panix.com!not-for-mail
From: risko@csl.sri.com (RISKS List Owner)
Newsgroups: comp.risks
Subject: Risks Digest 33.25
Date: 4 Jun 2022 22:17:25 -0000
Organization: PANIX Public Access Internet and UNIX, NYC
Lines: 542
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1654380813.risko@chiron.csl.sri.com27552>
Injection-Info: reader1.panix.com; posting-host="panix3.panix.com:166.84.1.3";
logging-data="1563"; mail-complaints-to="abuse@panix.com"
To: risko@csl.sri.com

RISKS-LIST: Risks-Forum Digest Saturday 4 June 2022 Volume 33 : Issue 35

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.35>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Firm proposes using Taser-armed drones to stop school shootings (NPR.ORG)
Illumina Cybersecurity Vulnerability May Present Risks for Patient Results
  and Customer Networks: Letter to Health Care Providers (FDA)
FBI blocked planned cyberattack on children's hospital (NBC)
Three times in one year, gamers release classified military documents on
  game forum (Kotaku)
Voting Software Vulnerable in Some States (Kate Brumback)
Activists say cyber agency weakens voting tech advisory (AP News)
The Airline Changed My Flight Itinerary -- for the Worse (NYTimes)
Parameter Expansion Considered Dangerous (The Hacker News)
I tried to read all my app privacy policies. It was 1 million words.
  (Geoffrey A. Fowler)
D.C. stop-sign camera brought in $1.3 million in tickets in 2 years
  (WashPost)
Tim Hortons app tracked too much personal information without adequate
  consent, investigation finds (CBC)
Cape Cod Regional Transit Authority hit by ransomware attack (CapeCodTimes)
Microsoft Follina Vulnerability in Windows Can Be Exploited Through Office
  365 (WiReD)
User Generated Content moderation? (Lauren Weinstein)
Same Symptom -- Different Cause? (TUMunich)
Google bans deepfake-generating AI from Colab (Techcrunch)
Tech Experts Urge WashDC to Resist Cryptocurrency Industry's Influence
  (Scott Chipolina)
She documented the alt-right. Now she's coming for cryptocurrency.
  (WashPost)
Three NYU Tandon teams win $2.5 million from an NSF partnership to ensure
  resiliency is part of next-G wireless telecommunications (NYU)
Racist and Violent Ideas Jump From Web's Fringes to Mainstream Sites
  (NYTimes)
China is looking for 'other Earths' to colonize (CGTN)
Why Silicon Valley's Tech Titans Are In 'Serious Trouble' (YouTube)
With Cameras on Every Phone, Will Broadway's Nude Scenes Survive? (NYTimes)
Re: Inside the Government Fiasco That Nearly Closed the U.S. Air System
  (John Levine)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 4 Jun 2022 22:31:15 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: Firm proposes using Taser-armed drones to stop school shootings
(NPR.ORG)

https://www.npr.org/2022/06/04/1103066205/taser-armed-drones-school-shootings

"The product idea had been kicked around at Axon since at least 2019 and the
company has been working to try to figure out whether a drone with a Taser
was even a feasible idea. Over the last year, the company created
computer-generated art renderings to mock up a product design and conducted
an internal test to see if Taser darts -- which transmit an immobilizing
electric jolt -- could be fired from a flying drone, Smith said. He added
that he had discussed the possibility of developing such a product with the
ethics board."

Would Axon deploy this drone-tazerbot to patrol their corporate HQ and
other facilities? Nuts!

------------------------------

Date: Thu, 2 Jun 2022 16:26:28 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Illumina Cybersecurity Vulnerability May Present Risks for Patient
Results and Customer Networks: Letter to Health Care Providers (FDA)

The U.S. Food and Drug Administration (FDA) is informing laboratory
personnel and health care providers about a cybersecurity vulnerability
affecting software in the Illumina NextSeq 550Dx, the MiSeqDx, the NextSeq
500, NextSeq 550, MiSeq, iSeq, and MiniSeq, next generation sequencing
instruments. These instruments are medical devices that may be specified
either for clinical diagnostic use in sequencing a person's DNA or testing
for various genetic conditions, or for research use only (RUO). Some of
these instruments have a dual boot mode that allows a user to operate them
in either clinical diagnostic mode or RUO mode. Devices intended for RUO are
typically in a development stage and must be labeled “For Research Use
Only. Not for use in diagnostic procedures.” – though many laboratories may
be using them with tests for clinical diagnostic use.

The cybersecurity vulnerability affects the Local Run Manager (LRM)
software. An unauthorized user could exploit the vulnerability by:

* taking control of the instrument remotely;

* operating the system to alter settings, configurations, software, or data
on the instrument or a customer's network; or

* impacting patient test results in the instruments intended for clinical
diagnosis, including causing the instruments to provide no results or
incorrect results, altered results, or a potential data breach.

Illumina has developed a software patch to protect against the exploitation
of this vulnerability and is working to provide a permanent software fix for
current and future instruments. The FDA wants laboratory personnel and
health care providers to be aware of the required actions to mitigate these
cybersecurity risks. [...]

https://www.fda.gov/medical-devices/letters-health-care-providers/illumina-cybersecurity-vulnerability-may-present-risks-patient-results-and-customer-networks-letter

------------------------------

Date: Wed, 1 Jun 2022 14:00:17 -0400
From: Monty Solomon <monty@roscom.com>
Subject: FBI blocked planned cyberattack on children's hospital (NBC)

FBI Director Christopher Wray said the bureau and Boston Children's Hospital
had worked closely together after a hacktivist attacked the hospital's
computer network in 2014.

https://www.nbcnews.com/tech/security/fbi-blocked-planned-cyberattack-childrens-hospital-director-says-rcna31456

------------------------------

Date: Fri, 3 Jun 2022 14:03:00 -0400
From: Jan Wolitzky <jan.wolitzky@gmail.com>
Subject: Three times in one year, gamers release classified military
documents on game forum (Kotaku)

How seriously do video gamers take the games' depictions of military
hardware? Seriously enough that three times in the past year, players of
"War Thunder" have leaked classified military documents on the game's online
forums, either to settle arguments about their favorite tanks' capabilities
or to get the games' designers to make them more true-to-life.

https://kotaku.com/war-thunder-tank-classified-military-document-leak-chin-1849005359

------------------------------

Date: Wed, 1 Jun 2022 11:59:47 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Voting Software Vulnerable in Some States (Kate Brumback)

Kate Brumback, Associated Press, 1 Jun 2022, via ACM TechNews, 1 Jun 2022

The U.S. Cybersecurity and Infrastructure Agency (CISA) warned state
election officials that Dominion Voting Systems' electronic voting machines
contain software flaws that could be exploited if left unpatched. Although
there is no evidence the machines have been hacked to change election
results, the advisory discloses nine vulnerabilities, and recommends
safeguards to prevent or detect exploitation. Despite CISA executive
director Brandon Wales' statement that "states' standard election security
procedures would detect exploitation of these vulnerabilities, and in many
cases would prevent attempts entirely," the advisory seems to suggest those
efforts are inadequate. Advised mitigation strategies include application of
continued and enhanced "defensive measures to reduce the risk of
exploitation of these vulnerabilities" prior to every election. CISA also
urged aggressive pre- and post-election testing on the machines,
post-election audits, and having voters confirm the human-readable portion
on printed ballots.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2eb70x2341a1x072730&

------------------------------

Date: Sun, 5 Jun 2022 01:33:15 +0900
From: Dave Farber <farber@gmail.com>
Subject: Activists say cyber agency weakens voting tech advisory (AP News)

The nation's leading cybersecurity agency released a final version Friday of
an advisory it previously sent state officials on voting machine
vulnerabilities in Georgia and other states that voting integrity activists
say weakens a security recommendation on using barcodes to tally votes.

The advisory put out by the U.S. Cybersecurity and Infrastructure Security
Agency, or CISA, has to do with vulnerabilities identified in Dominion
Voting Systems' ImageCast X touchscreen voting machines, which produce a
paper ballot or record votes electronically. The agency said that although
the vulnerabilities should be quickly mitigated, the agency ``has no
evidence that these vulnerabilities have been exploited in any elections.''

Dominion's systems have been unjustifiably attacked since the 2020 election
by people who embraced the false belief that the election was stolen from
former President Donald Trump. The company has filed defamation lawsuits in
response to incorrect and outrageous claims made by high-profile Trump
allies.

