The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 71

Thursday 23 January 2014

Medical "scribes" ease doctor's data entry burden
Ed Ravin
No Girls, Blacks, or Hispanics Take AP Computer Science Exam in Some States
Liana Heiten
How the Chinese Internet ended up at a house in Cheyenne, Wyoming
Brian Fung
FBI snatches Google Glass off the face of innocent AMC movie-goer
Rob Jackson
Google Glass-wearing movie patron questioned by Homeland Security agents as potential pirate
Adi Robertson
'Sex with Glass' is getting either sex or Glass wrong
Adi Robertson via Monty Solomon
`Smart' computer-based systems in your homes
Wendy M. Grossman
The Malware That Duped Target Has Been Found
Lauren Weinstein
Target Hackers Wrote Partly in Russian, Displayed High Skill
Danny Yadron
Neiman Marcus stores reportedly hacked
Krebs via Bob Gezelter
White hat hacker says he found 70,000 records on through a Google search
Adrianne Jeffries via Monty Solomon
"NSA Devises Radio Pathway Into Computers"
David E. Sanger and Thom Shanker
And this time it was real SPAM? from Fridge!
Steve Lamont
Risks of the Internet of Things
Robert Schaefer
Mobile apps store credentials in the clear
Bob Gezelter
Software licensing as information leak?
Stuart Levy
What happens when your car comes pre-equipped with monitoring
Bob Gezelter
Warning: I recommend removing your credit/debit cards from NSI
Lauren Weinstein
Re: Backdoor in popular wireless routers/DSL modems
Martin Ward
USENIX Security submissions due 27 Feb 2014
Kevin Fu

Medical "scribes" ease doctor's data entry burden

Ed Ravin <>
Sun, 12 Jan 2014 21:08:26 -0500
Meet the medical scribe, who follows the doctor around and does the data
entry required by all the electronic health records systems that have
been adopted by medical care providers in recent years.  Apparently no
one budgeted for all the time needed to type stuff in, creating a new
job opportunity in the health care field:

   Physicians who use [medical scribes] say they feel liberated from the
   constant note-taking that modern electronic health records systems
   demand. Indeed, many of those doctors say that scribes have helped
   restore joy in the practice of medicine, which has been transformed --
   for good and for bad -- by digital record-keeping.  ...

   For decades, physicians pinned their hopes on computers to help them
   manage the overwhelming demands of office visits. Instead, electronic
   health records have become a disease in need of a cure, as physicians do
   their best to diagnose and treat patients while continuously feeding the
   data-hungry computer.

Full article is here:

*The NY Times* notes that the 70% adoption rate of electronic health records
in hospitals and doctors' offices is partly due to "tens of billions of
federal incentive payments".  They don't mention that the companies that
make the medical records systems have lobbied Congress and the public for
those types of incentives. Newt Gingrich comes to mind as one of their more
prominent (and probably more influential) paid lobbyists.

No Girls, Blacks, or Hispanics Take AP Computer Science Exam in Some States (Liana Heiten)

"ACM TechNews" <>
Wed, 15 Jan 2014 11:49:12 -0500 (EST)
Liana Heiten, *Education Week* 10 Jan 2014 [via ACM TechNews, 15 Jan 2014]

No female, African American, or Hispanic students took the Advanced
Placement (AP) computer science exam in some states in 2013, according to
Georgia Institute of Technology computing outreach director Barbara Ericson,
who compiled state comparisons of College Board data.  In Mississippi and
Montana, no students in any of the three categories took the AP computer
science exam last year, although the College Board notes that Mississippi
only administered one of the exams and Montana only administered 11.  Eleven
states had no African-American students taking the exam, and eight states
had no Hispanic students taking the test.  Among the 30,000 students who
took the exam last year, less than 20 percent were female, about 3 percent
were African American, and 8 percent were Hispanic, according to the College
Board website.  Females, African Americans, and Hispanics also had lower
pass rates than white males on the exam, Ericson says.  AP computer science
courses "are more prevalent in suburban and private schools than in urban,
poor schools," says Ericson, noting that only 17 states currently accept
computer science as a core math or science credit.  The College Board is
committed to increasing access to rigorous computing courses and is working
with national organizations, nonprofits, and the private sector to expand
access, says spokesperson Deborah Davis.

How the Chinese Internet ended up at a house in Cheyenne, Wyoming (Brian Fung)

Dewayne Hendricks <>
January 22, 2014 at 3:47:45 PM EST
[Note:  This item comes from friend Steve Goldstein.  DLH][via Dave Farber]

How the Chinese Internet ended up at a house in Cheyenne, Wyoming
Brian Fung, *The Washington Post*, 22 Jan 2014

It's not clear how it happened, but for several hours on Tuesday thousands
if not millions of Chinese Internet users were being dumped at the door of a
tiny, brick-front house on 2710 Thomes Ave. in Cheyenne, Wyo.

The users' Internet traffic, bound initially for Chinese social networking
sites and search engines, was redirected due to a mysterious error in the
country's domain name system, *The New York Times* reports. At first, some
speculated the malfunction in the traffic-routing machinery might have been
a cyberattack. Others said that China's Great Firewall—the collection of
human and technological censors that blocks Web sites deemed undesirable by
the government—simply made a tactical error.

"Either it was an intentional DNS [domain name system] hack or the
unintentional result of the Great Firewall, but I haven't seen any technical
analysis of what was more likely," Adam Segal, a scholar on China and
cybersecurity at the Council on Foreign Relations, told me.

The true nature of the mix-up may still be unclear, but there's a growing
consensus for the latter explanation. To get around the Great Firewall, many
Chinese (and expats, too) use services that route Web traffic through a
foreign IP address, effectively making it look like the traffic isn't coming
from inside China. One of these services, Sophidea, happens to be registered
at the very address in Wyoming that bore the brunt of all that traffic.

So the prevailing theory is that in trying to block Chinese traffic going to
Sophidea, the Great Firewall's operators accidentally diverted more traffic
there instead. According to a Chinese anti-virus software company, the Times
reports, about 75 percent of China's domain name system servers were
affected by the roughly eight-hour malfunction, during which Web browsers
failed to load .com, .net and .org Internet addresses.

As for the Wyoming house itself, it's not a bit unlike the wardrobe from
C.S. Lewis's "Chronicles of Narnia." It may look small on the outside, but
it technically houses around 2,000 corporate entities and people. A 2011
Reuters report says the place is filled with numbered mailboxes and serves
as the headquarters for Wyoming Corporate Services, a business that helps
set up shell companies that exist only on paper. [...]
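The failure mode above (a large share of unrelated domains suddenly resolving to one address) has a simple observable signature in resolver logs. The following is an added example, not part of the article or the Times' analysis: it scans constructed "resolver qname answer" log lines and flags any resolver whose single most common answer address covers most of the distinct names it served. Legitimate CDN or shared-hosting fronting can produce the same shape, so treat a hit as something to investigate, not as proof of a hijack; the thresholds and the TEST-NET addresses are assumptions.

```python
"""Flag resolvers whose answers collapse many distinct names onto one IP.
Added example for the RISKS item on the Cheyenne DNS incident; the log lines
are constructed (TEST-NET ranges), not captured from any real resolver."""
from collections import defaultdict

# Constructed resolver log, one record per line: "<resolver> <qname> <answer-ip>".
# 10.0.0.53 behaves like a sinkholing resolver; 10.0.0.54 answers normally.
SAMPLE_LOG = """\
10.0.0.53 www.weibo.com 198.51.100.7
10.0.0.53 www.baidu.com 198.51.100.7
10.0.0.53 www.sina.com.cn 203.0.113.40
10.0.0.53 news.qq.com 198.51.100.7
10.0.0.53 www.taobao.com 198.51.100.7
10.0.0.53 mail.163.com 198.51.100.7
10.0.0.54 www.weibo.com 203.0.113.11
10.0.0.54 www.baidu.com 203.0.113.12
10.0.0.54 www.sina.com.cn 203.0.113.40
10.0.0.54 news.qq.com 203.0.113.13
"""


def parse_log(text):
    """Parse 'resolver qname answer_ip' lines into tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        records.append((parts[0], parts[1], parts[2]))
    return records


def sinkhole_suspects(records, min_names=5, share=0.6):
    """Return {resolver: (answer_ip, fraction)} for each resolver whose most
    common answer IP accounts for at least `share` of the distinct names it
    resolved, provided it resolved at least `min_names` distinct names.
    Thresholds are assumptions chosen for the constructed sample."""
    names_by_ip = defaultdict(lambda: defaultdict(set))
    all_names = defaultdict(set)
    for resolver, qname, ip in records:
        names_by_ip[resolver][ip].add(qname)
        all_names[resolver].add(qname)

    suspects = {}
    for resolver, per_ip in names_by_ip.items():
        total = len(all_names[resolver])
        if total < min_names:
            continue  # too few observations to judge concentration
        ip, names = max(per_ip.items(), key=lambda kv: len(kv[1]))
        fraction = len(names) / total
        if fraction >= share:
            suspects[resolver] = (ip, round(fraction, 2))
    return suspects


if __name__ == "__main__":
    for resolver, (ip, frac) in sinkhole_suspects(parse_log(SAMPLE_LOG)).items():
        print(f"{resolver}: {frac:.0%} of distinct names answered with {ip}")
```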

FBI snatches Google Glass off the face of innocent AMC movie-goer (Rob Jackson)

Dewayne Hendricks <>
January 21, 2014 at 7:26:11 AM EST
  [via David Farber]

[Note:  This item comes from friend David Isenberg.  DLH]

Rob Jackson, Phandroid, 20 Jan 2014
FBI snatches Google Glass off the face of innocent AMC movie-goer

Love it or hate it, Google Glass has been the cause for a lot of excitement
lately. Last week it was pronounced legal to wear but not use while driving
in the state of California. Shortly after, Glass was making waves again with
the launch of an app called `Sex with Glass', allowing participants to
essentially create their own sex tapes with the facial tech. Apparently, the
FBI felt left out of all the fun.

At an AMC theater in Easton Mall in Columbus, Ohio, one Google Glass
Explorer went to see Jack Ryan: Shadow Recruit, but got a rude awakening
instead. An hour into the movie he was approached by a federal agent who,
without hesitation, snatched the Google Glass off the man's face and removed
him from the theater.

Outside there were 5 to 10 officers and agents who proceeded to allegedly
badger and question him for over 3 hours, suggesting he was illegally
recording the movie. Let's get a few facts out of the way:

* It's probably not smart to bring a recording device into a movie theater,
  but let's not forget mostly everyone takes a mobile phone into a theater
  that is perfectly capable of recording.

* The man's Google Glass were the prescription version, so he essentially
  needed them on to see the movie (maybe he should have worn other glasses).

* The man had his Google Glass powered off in advance to avoid any

The authorities eventually let the man go, but not without hours of
intimidation and a frightening story that has him shaking -- literally --
even a day after the event. A Movie Association representative compensated
the Glass Explorer with 2 free movie tickets for his night of troubles.

The authorities certainly have the right to remove a patron from the theater
suspected of recording the screen, but should wearing Google Glass be
suspicion enough? The Explorer cooperated with the authorities, but
considering his rights and his innocence, would you have acted differently
or pursued a better outcome?

As Google Glass and other wearable tech become more prevalent, you can bet
we'll hear a lot more of these stories popping up across the world. ...

Google Glass-wearing movie patron questioned by Homeland Security agents as potential pirate (Adi Robertson)

Monty Solomon <>
Tue, 21 Jan 2014 23:39:32 -0500
Adi Robertson, 21 Jan 2014

Wearing Google Glass recently proved perilous for a movie patron in
Columbus, Ohio. On Monday, The Gadgeteer posted a frightening story
apparently from a member of the Glass Explorer program. An hour into
watching Jack Ryan: Shadow Recruit wearing his prescription version of
Glass, he said, he'd been abruptly pulled from the theater and interrogated
at length by "feds," who accused him of attempting to pirate the movie by
recording it.

What followed was over an hour of the "feds" telling me I am not under
arrest, and that this is a "voluntary interview", but if I choose not to
cooperate bad things may happen to me (is it legal for authorities to
threaten people like that?). [...] They wanted to know who I am, where I
live, where I work, how much I'm making, how many computers I have at home,
why am I recording the movie, who am I going to give the recording to, why
don't I just give up the guy up the chain, 'cause they are not interested in
me. Over and over and over again.

After going through the photos on his device, the man says, the officers
concluded that there'd been a misunderstanding, and theater owner AMC called
a man from the "Movie Association," who gave him free passes to see the film
again. But the man described himself as shaken by the incident, especially
because he'd worn Glass to the theater before and had no trouble. The story
initially seemed too dramatic to be true, but both AMC and the Department of
Homeland Security's Immigration and Customs Enforcement division have
confirmed it. [...]

'Sex with Glass' is getting either sex or Glass wrong (Adi Robertson)

Monty Solomon <>
Tue, 21 Jan 2014 23:44:52 -0500
Adi Robertson, 20 Jan 2014

Eager to tap the largely unexplored market for erotic Google Glass
experiences, a team of hackathon participants have somehow created both an
intriguing app and a weird, depressing commentary on gender.

Called Sex with Glass, the app shares some DNA with James Deen's parody
video: assuming that you and your partner are both participating in a closed
beta that requires purchase of a $1,500 headset, you can both don the
fragile prototypes and have extremely cautious intercourse while watching a
live camera feed from the other person's viewpoint. There are a few other
commands ("Okay Glass, play Marvin Gaye" and "Okay Glass, give me ideas")
and a few dirty puns, but these are all distractions from the main event.
Afterwards, it promises to "put all the footage together" into a video,
which will disappear five hours after being constructed.

`Smart' computer-based systems in your homes

"Wendy M. Grossman" <>
Thu, 16 Jan 2014 13:52:36 +0000
Obvious points:

1. NEST has apparently failed to learn from many decades of computer
programming experience that you don't roll out an upgrade to all your
customers until you've done a thorough small-scale test and you always
ensure you have a readily applicable rollback method. See also CompuServe
UK, c. 1991, AT&T...

2. Despite the scathing comments from one poster, problems for the entire
category are quite clear: how "smart home" components will be patched, who
will be liable for failures, and how to cope when critical elements fail if
you've taken out all the fallbacks.  Plus the fact that "smart" systems that
learn from your past behavior are ignoring a lesson dunned into all of us
with respect to financial investments: past performance is no guarantee of
future behavior.  Twitter: @wendyg

The Malware That Duped Target Has Been Found

Lauren Weinstein <>
Thu, 16 Jan 2014 17:13:54 -0800
  "The malicious program used to compromise Target and other companies was
  part of a widespread operation using a Trojan tool known as Trojan.POSRAM,
  according to a new report released Thursday about an operation that
  investigators have dubbed Kaptoxa."  [literally more like Kartocha, PGN]  (Wired via NNSquad)

    [Late count seems to be 110 million customers' records implicated.  The
    identity of the alleged culprit(s) remains unclear, despite some initial
    reports.  PGN]

Target Hackers Wrote Partly in Russian, Displayed High Skill (Danny Yadron)

Monty Solomon <>
Tue, 21 Jan 2014 20:56:36 -0500
Danny Yadron, *Wall Street Journal*, 16 Jan 2014
Hacking Campaign Appears Broad, Sophisticated and Against Many Retailers

The holiday data breach at Target Corp. appeared to be part of a broad and
highly sophisticated international hacking campaign against multiple
retailers, according to a report prepared by federal and private
investigators that was sent to financial-services companies and retailers.

The report offers some of the first details to emerge about the source of
the attack that compromised 40 million credit- and debit-card accounts and
personal data for 70 million people. It also provided further evidence the
attack on Target during peak holiday shopping was part of a concerted effort
by skilled hackers.

Parts of the malicious computer code used against Target's credit-card
readers had been on the Internet's black market since last spring and were
partly written in Russian, people familiar with the report said. Both
details suggest the attack may have ties to organized crime in the former
Soviet Union, former U.S. officials said. ...

Neiman Marcus stores reportedly hacked

"Bob Gezelter" <>
Sat, 11 Jan 2014 10:22:29 -0700
There has been a reported surge in fraudulent credit card activity connected
with cards used at Neiman Marcus stores in the Dallas, Texas area. According
to a company spokesperson, a forensics firm and the Secret Service are
presently investigating.  Reportedly, the breach has been confirmed, but
details remain undisclosed.  The original report can be found at:

Bob Gezelter,

White hat hacker says he found 70,000 records on through a Google search (Adrianne Jeffries)

Monty Solomon <>
Tue, 21 Jan 2014 23:42:45 -0500
White hat hacker says he found 70,000 records on through a
Google search

Adrianne Jeffries, *The Verge*, 21 Jan 2014

The federal health insurance marketplace at still has major
security issues according to some experts, including a flaw that allows user
records to show up in Google results.

At least 70,000 records with personal identifying information including
first and last names, addresses, and user names are accessible by using an
advanced Google search and then tweaking the resulting URLs, according to
David Kennedy, founder of the security firm TrustedSec. Kennedy notes that
he never modified any URLs, just that he noticed that it was possible.

Kennedy first testified about the issue before a Congressional committee in
November, he says, but it still hasn't been resolved.  It's just one of
several issues he's identified with the site, and it's actually one of the
easier ones to fix: Kennedy estimates it would take just a few days to hide
the records. ...

"NSA Devises Radio Pathway Into Computers" (Sanger/Shanker)

"ACM TechNews" <>
Wed, 15 Jan 2014 11:49:12 -0500 (EST)
David E. Sanger, Thom Shanker, *The New York Times*, 14 Jan 2014
  [via ACM TechNews, 15 Jan 2014]

The U.S. National Security Agency (NSA) has embedded software within nearly
100,000 computers worldwide, enabling the United States to monitor those
machines and set up a digital pathway for launching cyberattacks.  The
software uses technology that employs a covert channel of radio waves that
can be sent from tiny circuit boards and USB cards inserted secretly into
the computers.  The transceivers can share information with an NSA field
station or hidden relay station up to eight miles away, which communicates
back to the agency's Remote Operations Center.  The transceiver also is
capable of malware transmission.  The system addresses the challenge of
infiltrating computers that adversaries have tried to render invulnerable to
surveillance or cyberattack by keeping them disconnected from the Internet.
"What's new here is the scale and the sophistication of the intelligence
agency's ability to get into computers and networks to which no one has ever
had access before," says the Center for Strategic and International Studies'
James Lewis.  Officials and experts stress that the bulk of these software
implants are defensive, used solely for surveillance and as an early warning
system for cyberattacks targeting the United States.

And this time it was real SPAM? from Fridge!

Steve Lamont
Mon, 20 Jan 2014 17:36:06 -0800
Fridge sends spam emails as attack hits smart gadgets

A fridge has been discovered sending out spam after a web attack managed to
compromise smart gadgets.  The fridge was one of more than 100,000 devices
used to take part in the spam campaign.  Uncovered by security firm
Proofpoint, the attack compromised computers, home routers, media PCs and
smart TV sets.  The attack is believed to be one of the first to exploit the
lax security on devices that are part of the "Internet of things".

The spam attack took place between 23 Dec 2013 and 6 Jan 2014, said
Proofpoint in a statement. In total, it said, about 750,000 messages were
sent as part of the junk mail campaign. The emails were routed through the
compromised gadgets.

About 25% of the messages seen by Proofpoint researchers did not pass
through laptops, desktops or smartphones, it said. [...]

See also

Risks of the Internet of Things

Robert Schaefer <>
Thu, 16 Jan 2014 09:24:07 -0500
Trust Me (I'm a kettle) by Charlie Stross
The kettle of doom by Matthew Squair

These two links are by way of the critical safety mailing list (highly
recommended) and are about the risks of the Internet of things.

The original article on kettles as a trojan horse bearing malware comes
from an October 2013 report in *The Register*.

"The possibilities are endless: it's the dark side of the Internet of
things. If you'll excuse me now, I've got to go wallpaper my apartment in
tinfoil ..."

robert schaefer
Atmospheric Sciences Group
MIT Haystack Observatory
Westford, MA 01886

voice:  781-981-5767

Mobile apps store credentials in the clear

"Bob Gezelter" <>
Fri, 17 Jan 2014 03:06:41 -0700
Reportedly, version 2.6.1 of the Starbucks iOS app stores the user's
Starbucks loyalty credentials en clair in the device file system.  This
exposes the credentials to theft if the device is imaged or lost (or if the
computing device being used to back up the device is compromised).
Generically, it is a poor practice to save login credentials in forms that
can be compromised.  Mobile developers should take care: this class of
vulnerability often is implemented as a "feature" to enable easier use, but
it is a serious vulnerability on many fronts and should not be done.  More
care is needed to protect information that can be translated into real
money.  For that matter, with the increasing forensic use of digital
footprints, the ability to effectively steal someone's digital identifier
provides the ability to create a trail of someone being where they have not
been.  The original report can be found at:

Bob Gezelter,
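The exposure described above is easy to audit for once an app's data container has been pulled from a device image or backup. The following is an added example, not code from the post or from any vendor's app: it walks a constructed app container, parses plist and JSON files, and reports every credential-named field that holds a non-empty cleartext value. The field-name list, directory layout and sample values are assumptions.

```python
"""Audit an app data container (as extracted from a device image or backup)
for credential fields stored in cleartext. Added example for the RISKS item
on mobile apps storing credentials in the clear; the container contents are
constructed, not taken from any real app."""
import json
import os
import plistlib
import tempfile

# Field names commonly used for login secrets (assumption: a starting list;
# extend it for the app under review).
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "pin", "secret",
                   "accesstoken", "access_token", "authtoken", "auth_token"}


def _walk_values(obj, path=""):
    """Yield (key_path, value) for every leaf in nested dict/list data."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk_values(value, f"{path}/{key}" if path else str(key))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _walk_values(value, f"{path}[{i}]")
    else:
        yield path, obj


def _load_structured(file_path):
    """Parse a file as a plist (XML or binary) or as JSON; None if neither."""
    with open(file_path, "rb") as fh:
        raw = fh.read()
    try:
        return plistlib.loads(raw)
    except Exception:
        pass
    try:
        return json.loads(raw.decode("utf-8"))
    except Exception:
        return None


def find_cleartext_credentials(container_dir):
    """Return sorted (relative_file, key_path) pairs where a credential-named
    field holds a non-empty string in cleartext."""
    findings = []
    for root, _dirs, files in os.walk(container_dir):
        for name in files:
            full = os.path.join(root, name)
            data = _load_structured(full)
            if data is None:
                continue  # binary blobs, images, databases: not covered here
            rel = os.path.relpath(full, container_dir)
            for key_path, value in _walk_values(data):
                leaf = key_path.rsplit("/", 1)[-1].lower()
                if leaf in CREDENTIAL_KEYS and isinstance(value, str) and value:
                    findings.append((rel, key_path))
    return sorted(findings)


def build_sample_container():
    """Create a constructed container: one leaky plist, one leaky JSON cache,
    one benign settings file. Returns the directory path."""
    base = tempfile.mkdtemp(prefix="app-container-")
    prefs = os.path.join(base, "Library", "Preferences")
    caches = os.path.join(base, "Library", "Caches")
    os.makedirs(prefs)
    os.makedirs(caches)
    with open(os.path.join(prefs, "com.example.app.plist"), "wb") as fh:
        plistlib.dump({"username": "alice@example.com",
                       "password": "hunter2",  # constructed leak
                       "rememberMe": True}, fh)
    with open(os.path.join(caches, "session.json"), "w") as fh:
        json.dump({"session": {"access_token": "tok-constructed-123",
                               "expires": 3600}}, fh)
    with open(os.path.join(prefs, "ui.json"), "w") as fh:
        json.dump({"theme": "dark", "password": ""}, fh)  # empty: not flagged
    return base


if __name__ == "__main__":
    for rel, key in find_cleartext_credentials(build_sample_container()):
        print(f"cleartext credential: {rel} -> {key}")
```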

Software licensing as information leak?

Stuart Levy <>
Fri, 10 Jan 2014 18:02:33 -0600
Our group uses several kinds of commercial software, under license control.
"Floating" licensing is convenient—some number of licenses are made
available, and a central server parcels them out, ensuring that at-most-N
are in use at once, but possibly by a larger set of machines.  The server
knows when & where an instance of the licensed program is started and
finishes, but not more than that.

We're now looking at some software which chose a different vendor's scheme.
For their floating licensing, they hooked up with a company that distributes
an across-the-board software management solution.  The design is for
enterprise system administrators to be able to track *all* software
installed on *any* monitored machine—and select some subset of packages
as "interesting".  Interesting software can be usage-tracked, and optionally
flagged as being under a variety of kinds of license control.  It seems to
be a well-designed system.

In order to do this, when you install the software on any client machine, it
scans the entire machine for any sort of graphical app, and reports the full
list of programs to the central server.  A server administrator can see the
list of programs installed on any client computer.  My Mac had 536 (!)

Also: whenever you invoke any app—not just one that's under license
control, but anything—the central server is notified (in clear text over
the network) of what app you ran, where, by whom, and for how long.  It logs
the invocation in a database, even if the app isn't listed as "interesting",
presumably for future reference in case it becomes interesting later.

This bugs me.  I hope it bugs you.  We'd been considering getting this
floating-license setup for some software that students would use, to allow
them to put it on their own laptops and develop freely.  If it worked like
other licensing systems, that'd be fine.  But if it's going to reveal
everything they've installed on their personal machines and when they run
it, then—even if we trust the people running the server (us)—maybe we
shouldn't use this vendor's floating license scheme after all.

That's easy for me to say.  If I were a student, I wouldn't be given that

What happens when your car comes pre-equipped with monitoring

"Bob Gezelter" <>
Sat, 11 Jan 2014 10:35:30 -0700
An interesting question. What happens when your car comes pre-equipped with
monitoring? Who has access to the data and for what purposes?  New
generation cars are being equipped with instrumentation and audio-visual
recording technologies. The "goal" is to improve the car and better
understand what was happening prior to an accident. However, the information
will be recorded regardless. Who has access to this information and under
what safeguards is a serious question.  Consider audio recording. Should a
manufacturer be able to download audio contents from a vehicle at any time?
What is privacy?  Your mumblings while in transit? Conversations with your
business colleagues? Your spouse? Your date? Even in the context of accident
reconstruction, safeguards are needed. What about the legal question (e.g.,
recording people without their consent and without notice).  A complex
topic, to be sure.

*The NY Times* article can be found at:

I previously discussed some of these issues in a blog article on the use of
GPS data entitled "GPS Recorders and Law Enforcement Accountability" (August
2010) at

Bob Gezelter,

Warning: I recommend removing your credit/debit cards from NSI

Lauren Weinstein <>
Wed, 22 Jan 2014 09:13:30 -0800
Warning: I recommend removing your credit/debit cards from all Network
Solutions/ accounts  (Google+ via NNS)

I am attempting to verify this rather incredible story. In the meantime, if
you have any credit or debit cards on file with Network Solutions or any
other company, I recommend immediately removing them from your
account profiles. In fact, even if this particular story turns out not to be
true, I'd make the same recommendation given their ongoing shady practices
that are already confirmed.

Reference: "Network Solutions Auto-Enroll: $1,850":  (inessential)

  "To help recapture the costs of maintaining this extra level of security
  for your account, your credit card will be billed $1,850 for the first
  year of service on the date your program goes live. After that you will be
  billed $1,350 on every subsequent year from that date. If you wish to opt
  out of this program you may do so by calling us at 1-888-642-0265."

    [Apparently public outrage has led NSI to reverse this policy to be
    opt-in, not opt-out.  PGN]

Re: Backdoor in popular wireless routers/DSL modems (Baker, RISKS-27.70)

Martin Ward <>
Wed, 22 Jan 2014 17:39:48 +0000
If the bad guys have physical access to the router in your home, then you
have bigger things to worry about than them plugging a USB stick into your

Dr Martin Ward STRL Principal Lecturer and Reader in Software Engineering

USENIX Security submissions due 27 Feb 2014

Kevin Fu <>
Tue, 21 Jan 2014 22:57:18 -0500
A reminder that the submission deadline for USENIX Security is Feb 27th,
2014.  Don't be late!  I've added some new topics such as the "public good"
category while keeping traditional technical topics as the continues to

Kevin Fu, Associate Professor, EECS Department, The University of Michigan, 616-594-0385
