RISKS-LIST: Risks-Forum Digest Tuesday 11 October 2022 Volume 33 : Issue 48

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.48>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Hospital networks computer outage in Pacific North West (Seattle Times)
Rivian recalls 13,000 EVs due to potential steering control problem
(Engadget)
Russian hackers attack US airport Websites (NPR)
Electronic gaming can trigger potentially lethal heart rhythm problems in
susceptible children (Medical Press)
Lufthansa Says Passengers Can't Use Apple AirTags to Track Checked Bags
(NYTimes)
Binance is hit by a $570M hack (Ephrat Livini)
Cleaning up Cryptomining (Ben Arnoldy)
Meta warns 1 million Facebook users their login info may have been
compromised (WashPost)
How a DJI Mini drone enabled a $147,000 ATM robbery (Dronedj)
Presumptions of Intercontinental Broadband Availability are a significant
business risk (RLGSC)
The Problem With Mental Health Bots (WiReD)
Uber bill for 35,000 GBP (Nick Brown)
Unpatched Zimbra flaw under attack is letting hackers backdoor servers
(Ars Technica)
A physical DDoS attack on the Australian Postal system (Auspost)
iPhones with iOS 14 call 911 from rollercoasters (The Verge)
iPhones calling 911 from owners' pockets on rollercoasters (Paul Cornish)
Are school "SWATting" calls discord attacks? (NPR)
AI-driven 'thermal attack' system reveals computer and smartphone passwords
in seconds (Techxplore)
Linux kernel 5.19.12 code could cause permanent damage to some laptop
displays (Ars Technica)
A judge has decided that jurors who are asked to decide whether a man killed
his wife in New Jersey will not be told that he was convicted earlier of
having killed his first wife in Ohio (WFMJ)
Twitter in China (Lauren Weinstein)
Re: Shut-Off Switch Was Supposed to Prevent 99% of Generator-Related Deaths
(Barry Gold)
Re: Automakers are ignoring the simple solution to the rise of traffic
deaths (Wol)
Re: Automatic emergency braking is not great at preventing crashes at normal
speeds (Steve Lamont)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 11 Oct 2022 01:25:30 +0000 ()
From: danny burstein <dannyb@panix.com>
Subject: Hospital networks computer outage in Pacific North West
(Seattle Times)

No one's talking about what's going on.

Seattle-area patients frustrated by days of system outages at Virginia Mason Franciscan Health facilities

8 Oct 2022 at 4:55 pm Updated Oct. 9, 2022 at 1:24 pm

Shaun D'Sylva was trying to get a handle on his stepfather's medical care
this past week by logging in to MyChart, a patient portal used by medical
providers for users to track appointments, test results, medications and
other health records.

The website wouldn't load.

Hospital-wide system outages, stemming from an IT security issue reported
by Virginia Mason Franciscan Health's parent company, have led to several
days of disruptions for patients and providers at VMFH facilities
throughout Puget Sound, with no estimated restoration date. Along with
outages of the MyChart system, appointments were canceled or rescheduled,
some with no notice because schedulers couldn't look up patients' contact
information in a database.

CommonSpirit Health, the company affiliated with 10 VMFH hospitals
throughout the Puget Sound region, said it has identified the security
issue but hasn't provided additional details on who or what may have
caused the issue.

CommonSpirit Health has 140 hospitals in 21 states and was created in 2019
when Catholic Health Initiatives and Dignity Health merged, according to
its website. It's unclear how many facilities have been affected, though
several have reported disruptions. In Iowa, ambulances were diverted from
MercyOne Des Moines Medical Center's emergency department because of a
system shutdown.

https://www.seattletimes.com/seattle-news/health/seattle-area-patients-frustrate
d-by-days-of-system-outages-at-virginia-mason-franciscan-health-facilities/

------------------------------

Date: Mon, 10 Oct 2022 14:42:58 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Rivian recalls 13,000 EVs due to potential steering control problem
(Engadget)

https://www.engadget.com/rivian-recall-13000-ev-steering-control-problem-095548602.html

------------------------------

Date: Tue, 11 Oct 2022 02:58:47 -0700
From: Rob Slade <rslade@gmail.com>
Subject: Russian hackers attack US airport Websites (NPR)

Killnet, a pro-Russian hacker group, called for hackers to mount a DDoS (Distributed Denial of Service) attack against various American airport Websites. A number of them were subsequently partially or fully
unavailable for a few hours.

This attack is part of a series of such attacks by Killnet, in opposition to the US support of Ukraine following the Russian invasion, and may have been prompted by the damage to the Kerch bridges.

Although the unavailability of the airport Websites may have been
inconvenient for travelers and friends wishing to check flight departure
and arrival times, no impact was seen on air operations, and the flight information would have been available from other sources.

https://www.npr.org/2022/10/10/1127902795/airport-killnet-cyberattack-hacker-russia

------------------------------

Date: Tue, 11 Oct 2022 23:53:26 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: Electronic gaming can trigger potentially lethal heart rhythm
problems in susceptible children (Medical Press)

https://medicalxpress.com/news/2022-10-electronic-gaming-trigger-potentially-let
hal.html

"The investigators performed a systematic review of literature and initiated
a multisite international outreach effort to identify cases of children with sudden loss of consciousness while playing video games. Across the 22 cases they found, multiplayer war gaming was the most frequent trigger. Some
children died following a cardiac arrest. Subsequent diagnoses of several
heart rhythm conditions put the children at continuing risk.
Catecholaminergic polymorphic ventricular tachycardia (CPVT) and congenital long QT syndrome (LQTS) types 1 and 2 were the most common underlying
causes."

------------------------------

From: Jan Wolitzky <jan.wolitzky@gmail.com>
Date: Tue, 11 Oct 2022 19:37:19 -0400
Subject: Lufthansa Says Passengers Can't Use Apple AirTags to Track
Checked Bags (NYTimes)

It appears to be the sole airline saying that international standards don't allow passengers to use the Bluetooth devices in the cargo hold. Apple said that regulators allow their use for all baggage.

https://www.nytimes.com/2022/10/11/travel/lufthansa-apple-airtags-luggage.html

------------------------------

Date: Sat, 8 Oct 2022 20:02:11 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Binance is hit by a $570M hack (Ephrat Livini)

Ephrat Livini, *The New York Times*, 8 Oct 2022

Binance, the world's biggest crypto[currency] exchange, confirmed that $570 million had been stolen in a hack of a blockchain it runs that serves as a bridge for asset transfers between networks. The attack on the Binance
Smart Chain network highlighted weaknesses in decentralized finance (DeFi), where transactions are controlled by code. [...]

Vitalik Buterin, one of the founders of the Ethereum network -- and the second-most popular cryptocurrency, Ether -- has been a vocal critic of cross-chain bridges, noting that they have "fundamental security limits."

------------------------------

Date: Mon, 10 Oct 2022 12:47:34 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Cleaning up Cryptomining

Ben Arnoldy, Cleaning up Crypto, Earthjustice, Fall 2022, pp. 22--31
Some cryptocurrencies are using so much energy that they are bringing
dirty power plants out of retirement.

How CRYPTO is heating the Planet:

Miners around the world compete:
125,988,000,000,000,000,000,000 guesses

All of these guesses use about as much as 11 million U.S. homes.
The carbon footprint equals nearly 16-million cars on the road.
Most of that electricity comes from fossil fuels,
First miner to guess correctly gets 6.25 Bitcoins or $133,241 at press time.

------------------------------

Date: Sat, 8 Oct 2022 07:51:46 -0400
From: Jan Wolitzky <jan.wolitzky@gmail.com>
Subject: Meta warns 1 million Facebook users their login info may have been
compromised (WashPost)

Facebook parent Meta is warning 1 million users that their login information may have been compromised through malicious apps.

Meta's researchers found more than 400 malicious Android and Apple iOS apps this year that were designed to steal the personal Facebook login
information of its users, the company said Friday in a blog post. Meta spokesperson Gabby Curtis confirmed that Meta is warning 1 million users who may have been affected by the apps.

https://www.washingtonpost.com/technology/2022/10/07/facebook-malicious-apps-logins/

------------------------------

Date: Sun, 9 Oct 2022 09:56:04 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: How a DJI Mini drone enabled a $147,000 ATM robbery (Dronedj)

How a DJI Mini drone enabled a $147,000 ATM robbery

Not quite "Mission Impossible" level, but getting close!

https://dronedj.com/2022/10/07/dji-mini-drone-atm-theft/

------------------------------

Date: Sat, 8 Oct 2022 14:34:15 -0400
From: Bob Gezelter <gezelter@rlgsc.com>
Subject: Presumptions of Intercontinental Broadband Availability
are a significant business risk (RLGSC)

On 26 Sep 2022, the Nord Stream 1 and 2 natural gas pipelines beneath the Baltic Sea sustained near-simultaneous breaches (RISKS-33.47). Less than a week later, on 1 Oct 2022, Professor John Naughton, of the Open University
and the author of "From Gutenberg to Zuckerberg: What You Really Need to
Know About the Internet", published an OpEd in *The Guardian*. The OpEd
asked an important question:

"What would happen if someone were to deliberately sever the worldwide
communications infrastructure?"

Professor Naughton likely understates the hazard. "Severing" implies total disconnection. Though less severe, the far more likely degradation is as damaging to supply chains and society as disconnection. Critical information systems that presume low-latency wide-area communications are widespread.
Some are life-threatening in the short term, e.g., health care systems.
Others, while not short-term immediate dangers, e.g., logistics and
transport, can easily set the stage for life-threatening consequences. The danger is widespread and a ongoing risk.

Extended discussion: "Worldwide Bandwidth Vulnerability", an entry in "Ruminations -- An IT Blog": http://www.rlgsc.com/blog/ruminations/worldwide-bandwidth-vulnerability.html

------------------------------

Date: Sun, 9 Oct 2022 23:54:38 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: The Problem With Mental Health Bots (WiReD)

With human therapists in short supply, AI chatbots are trying to plug the
gap -- but it's not clear how well they work.

Unlike their living-and-breathing counterparts, AI therapists can lend a robotic ear any time, day or night. They're cheap, if not free -- a
significant factor considering cost is often one of the biggest barriers to accessing help. Plus, some people feel more comfortable confessing their feelings to an insentient bot rather than a person, research has found.

https://www.wired.com/story/mental-health-chatbots

------------------------------

Date: Mon, 10 Oct 2022 00:23:30 +0200 (CEST)
From: nick.brown@free.fr
Subject: Uber bill for 35,000 GBP

An Uber passenger in the UK received a bill for over 35,000 pounds for an
Uber ride.

https://www.manchestereveningnews.co.uk/news/uber-passenger-22-charged-35000-25206987

It's 2022 and a huge company like Uber still apparently doesn't have basic
sanity checks in its billing system.

------------------------------

From: Monty Solomon <monty@roscom.com>
Date: Sat, 8 Oct 2022 11:26:37 -0400
Subject: Unpatched Zimbra flaw under attack is letting hackers backdoor
servers (Ars Technica)

https://arstechnica.com/information-technology/2022/10/ongoing-0-day-attacks-backdoor-zimbra-servers-by-sending-a-malicious-email/

------------------------------

Date: Sun, 9 Oct 2022 09:24:40 +0100
From: Tom Gardner <tggzzz@gmail.com>
Subject: A physical DDoS attack on the Australian Postal system (Auspost)

A reminder, as if one was necessary, that distributed denial of service
attacks are not limited to modern electronic systems. https://auspost.com.au/service-updates/international-service-updates

Sea Mail -- temporary inbound suspension

There are temporary delivery delays for items sent to Australia by Sea Mail. This is due to the increasing number of prohibited items coming into
Australia by sea. We've informed the relevant authorities about a temporary suspension on incoming Sea Mail from 1 Oct 2022.

------------------------------

Date: Mon, 10 Oct 2022 06:57:31 -0700
From: Rob Slade <rslade@gmail.com>
Subject: iPhones with iOS 14 call 911 from rollercoasters (The Verge)

Certain iPhones with iOS 14 have a "crash detect" feature that uses a
gyroscope and accelerometer to detect when you've been in a car crash.
However, other situations, such as being on a rollercoaster, will also
trigger the feature -- which then dials 911 and plays a recorded message,
tying up 911 lines, operators, and law enforcement, and possibly other first responder services who are dispatched to the scene.

https://www.theverge.com/2022/10/9/23395222/iphone-14-calling-911-rollercoasters
-apple-crash-detection

(It can be, and probably should be, disabled in any situations where you
expect a bumpy ride, including off-road riding, and high speed watercraft.
But that kind of defeats the whole purpose ... RS)

------------------------------

Date: Tue, 11 Oct 2022 17:02:09 +0100
From: Paul Cornish <paul.a.cornish@googlemail.com>
Subject: iPhones calling 911 from owners' pockets on rollercoasters

[...] It looks like the violent decelerations on a roller coaster ride are similar enough to a car crash. The dangers of false positives are well
known. Perhaps Apple may need to update their phone to exclude, by geo-location, possible emergencies near known roller-coasters? Or maybe
ensure that as a bare minimum that the phone is traveling along the surface
of the earth and not vertically towards / away from it? But that 'vertical' use case could exclude a car falling down an embankment / off a bridge. So there's also the risk of adding functions, e.g., automatic crash detection without considering all the use cases. It also makes me wonder if Apple actually got real data from car crashes before designing their software feature. Leading to another risk of designing features with partial
data-sets.

https://www.theguardian.com/technology/2022/oct/11/iphones-calling-911-from-owners-pockets-on-rollercoasters?CMP=share_btn_link

[Also commented on by Henry Baker, suggesting some other activities that
might set the watches off. RISKS does not need to indulge in such
speculations here. We will leave it to his and your imaginations. PGN]

------------------------------

Date: Tue, 11 Oct 2022 03:15:57 -0700
From: Rob Slade <rslade@gmail.com>]
Subject: Are school "SWATting" calls discord attacks? (NPR)

During the course of the pandemic, we have seen an extraordinary rise in
social misbehaviour, in a variety of forms. (A friend has attributed much
of it to aspects of grief, and, having been forced to study the issue
recently, I tend to concur, and feel that this should be studied further.)
At the same time (possibly coincidentally, possibly not) intelligence
agencies have noted a rise in what are being referred to as "discord"
attacks, where foreign nation-state actors are posting material online in calculated efforts to inflame divisions in Western and democratic societies.

Currently, false calls to emergency responders about potential or supposedly ongoing attacks at schools (a category of what are known as "SWATting" calls
or attacks) are increasing. Some researchers have noted coordination and commonalities between the calls, indicating a deliberate attack along
discord lines.

https://www.npr.org/2022/10/07/1127242702/false-calls-about-active-shooters-at-schools-are-up-why

------------------------------

Date: Tue, 11 Oct 2022 05:53:31 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: AI-driven 'thermal attack' system reveals computer and smartphone
passwords in seconds (Techxplore)

https://techxplore.com/news/2022-10-ai-driven-thermal-reveals-smartphone-passwor
ds.html

"Then, they trained an artificial intelligence model to effectively read the ima ges and make informed guesses about the passwords from the heat
signature clues using a probabilistic model. Through two user studies, they found that ThermoSecure was capable of revealing 86% of passwords when
thermal images are taken within 20 seconds, and 76% when within 30 seconds, dropping to 62% after 60 seconds of entry."

------------------------------

Date: Sat, 8 Oct 2022 11:31:12 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Linux kernel 5.19.12 code could cause permanent damage to some
laptop displays (Ars Technica)

Power-sequence bugs can cause damaging flickers on built-in displays.
Update now.

https://arstechnica.com/gadgets/2022/10/linux-5-19-2-kernel-can-flicker-and-damage-screens-on-some-intel-gpu-laptops/

------------------------------

Date: Mon, 10 Oct 2022 08:00:35 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: A judge has decided that jurors who are asked to decide whether a
man killed his wife in New Jersey will not be told that he was convicted
earlier of having killed his first wife in Ohio (WFMJ)

A judge has decided that jurors who are asked to decide whether a man killed his wife in New Jersey will not be told that he was convicted earlier of
having killed his first wife in Ohio.

No wonder so many people consider the U.S. jury system such a travesty,
and why so many jurors after the fact express rage at being given
incomplete information that would have affected their decision either for
or against a defendant. -L

https://www.wfmj.com/story/47446950/judge-jury-in-wife-slaying-wont-be-told-abou
t-earlier-case

------------------------------

Date: Sun, 9 Oct 2022 21:07:12 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Twitter in China

Interesting how Musk, ready to hand Taiwan back to Communist China & still wanting to buy Twitter, conveniently forgot -- or more likely just doesn't
care -- that the Communist Chinese Regime BANS Twitter in China. So you couldn't even see Musk's tweets there. Hypocrisy run amok. -L

------------------------------

Date: Fri, 7 Oct 2022 22:43:29 -0700
From: Barry Gold <BarryDGold@ca.rr.com>
Subject: Re: Shut-Off Switch Was Supposed to Prevent 99% of
Generator-Related Deaths (RISKS-33.47)

On 10/7/2022 8:39 PM, RISKS List Owner wrote:

The generator industry has touted automatic shut-off switches as a
lifesaving fix for carbon monoxide poisoning. But the voluntary standard falls short of what federal regulators say is necessary to eliminate
deaths.

https://www.texastribune.org/2022/09/21/generators-carbon-monoxide-shutoff-switch-texas-cpsc

I see no contradiction here. The article quotes the manufacturer as saying
that the cutoff prevents 99% of carbon monoxide poisoning deaths. The
article does not present any statistics to contradict that claim.

Surely a system that prevents 99% of deaths is better than one that doesn't prevent any?

I'll add that even that death could probably have been prevented by a carbon monoxide detector that costs less than $40 at major hardware stores. The beeping is almost certain to wake the sleeping family up before the CO concentration reaches dangerous levels.

A common fallacy: that a human life is worth an infinite amount of money. No matter what you do, nobody lives forever. Nor will they in the foreseeable future. Maybe someday we'll be able to transfer human consciousness into a computer and distribute it all over the network. And still a network failure...

I remember an editorial by (IIRC) John Campbell (editor of Astounding, later Analog). He pointed out that the plot of life expectancy against age is an inverse exponential curve. If you remove the cause of half the deaths, you extend life by 8 years. Remove another half, you get another 8 years. You'll never get to infinity. (And even if you eliminated everything else, there's still the heat death.)

------------------------------

Date: Sat, 8 Oct 2022 10:00:39 +0100
From: Wols Lists <antlists@youngman.org.uk>
Subject: Re: Automakers are ignoring the simple solution to the rise of
traffic deaths (RISKS-33.46)

Many years ago I read an article in a car magazine. In the UK the approach
to many roundabouts is preceded by a series of yellow lines (rumble strips) painted proud of the road surface, and the car judders slightly as it goes
over them. Everybody assumes that the (clearly visible in the statistics) accidents at the roundabout are reduced because it makes the drivers slow
down.

This article cited the (apparently only) real study into the phenomenon,
which concluded that actually, while it was not statistically significant,
cars appeared to *speed* *up* on the roundabout approach. But the alertness level of drivers seemed much higher.

Similarly, an attempt was made to protect country villages by introducing chicanes, but this only increased the number of crashes as cars crashed into the chicane itself. My mother's village had tiny rumble strips put at the
start of it, and these are noticeably far more effective. The problem is
that, in order to work, they need to be placed very close to the first house
on the road, and, of course, the residents of said house are not happy with
the noise ...

The best technologies seems to be the ones that nudge the driver - "hey,
wake up, something's not right ..."

------------------------------

Date: Sat, 08 Oct 2022 07:42:18 -0700
From: Steve Lamont <spl@tirebiter.org>
Subject: Re: Automatic emergency braking is not great at preventing crashes
at normal speeds (The Verge)

I have to take a bit of exception to The Verge's headline for this
item.

Automatic emergency braking is not great at preventing crashes at normal
speeds

However, the article says

"Automatic Emergency Braking does well at tackling the limited task it was
designed to do," said Greg Brannon, director of AAA's automotive
engineering and industry relations, in a statement. "Unfortunately, that
task was drawn up years ago, and regulator's slow-speed crash standards
haven't evolved."

In other words, AEB works as advertised and seems to actually do a decent
job.

AEB has proven itself useful over the years at reducing low-speed rear-end
crashes, but AAA wanted to see how well it performs in two more common --
and more deadly -- crash scenarios: T-bones and left turns in front of
oncoming vehicles. [. . .]

The results were pretty dispiriting. In both the T-bones and left
turns in front of an oncoming vehicle tests, AEB failed to prevent 100
percent of crashes staged by AAA. The system also failed to alert the
driver and slow the vehicle's speed.

You can argue that we need systems to prevent T-bone and left turn crashes,
but to say that a system not designed to prevent them doesn't do so just
seems a bit silly.

My toaster oven isn't real great at making microwave popcorn, either.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.

SUBSCRIPTIONS: The mailman Web interface can be used directly to

subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that

includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.

SPAM challenge-responses will not be honored. Instead, use an alternative

address from which you never send mail where the address becomes public!

The complete INFO file (submissions, default disclaimers, archive sites,

copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's

searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.

Special Offer to Join ACM for readers of the ACM RISKS Forum:

<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.48
************************

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)