The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 74

Saturday 15 February 2014


RAF Voyager Grounded
Andy Cole
NSF: 1/4 of Americans think sun goes 'round the earth...
Paul Saffo
Your Air Traffic Controller May No Longer Be Required to Have a High School Diploma
via Glenn S. Tenney
Iron Mountain fire in Argentina destroys bank archives
AP via Jim Reisert
Heat System Called Door to Target for Hackers
via Bob Frankston
Auto battery death by improper charging
Monty Solomon
Israeli combat pilots stored top-secret info on smartphones
Steven J Klein
FBI Checks Wrong Box, Places Student on No-Fly List
David Kravets with comments from Chris Beck
EU has secret plan for police to 'remote stop' cars
Henry Baker
When teaching, you should know your subject
Paul Robinson
Bad Domain Registrar Security Leads to Loss of Valuable Twitter Handle
Chuck Weinstock
Altcoins will DESTROY the IT industry and spawn an infosec NIGHTMARE
Matthew Kruk
GPS pioneer warns on network's security
Jones/Hoyos via Henry Baker
"NSA-GCHQ Allegedly Hack Cryptographer Quisquater"
Jean-Jacques Quisquater
Book announcement: "Threat Modeling: Designing for Security"
Adam Shostack
Info on RISKS (comp.risks)

RAF Voyager Grounded

Andy Cole
Fri, 14 Feb 2014 16:27:01 +0000
It has been reported that the RAF have grounded their fleet of Voyager
aircraft after an 'in flight issue' that caused it to suddenly lose altitude
on a flight from Afghanistan. This rather bland description appears to
understate the actual events. The aircraft lost altitude very rapidly
leading to serious injuries. The crew were unable to stop this descent until
they 'pulled the fuse' on the autopilot.

NSF: 1/4 of Americans think sun goes 'round the earth...

Paul Saffo
Sat, 15 Feb 2014 03:02:06 -0800
26% of Americans think Sun revolves around the Earth, according to a
National Science Foundation survey.

Your Air Traffic Controller May No Longer Be Required to Have a High School Diploma (via Dave Farber)

*Glenn S. Tenney*
Monday, February 10, 2014

The FAA has considered itself to be highly budget-constrained for years, and
in 1997 found a way to reduce its training costs—encouraging college air
traffic control programs so that they could hire new controllers that were
effectively already trained.

There's a wait list of over 3000 air traffic control college graduates in
line for FAA positions.

The FAA is killing off that wait list and, according to transportation
researcher Bob Poole in the February Air Traffic Control Reform News will be
announcing plans to 'hire off the street' with a requirement only of a high
school degree or three years of work experience.

This is apparently a move driven by the FAA's HR department to improve

But it would mean less qualified candidates, it would mean higher training
costs, and it would mean that students who invested in degrees that had been
encouraged by the FAA will find those investments devalued.

Air traffic control graduates will still be able to re-apply for these
positions, of course, alongside folks without a high school diploma or
specialized training.

  [For more detailed information, and the source of the above:]

    [Perhaps the qualifications also include conviction that the Sun
    revolves around the Earth, and that global warming and evolution are
    only would-be theories.  Belief in Gravity and the Second Law of
    Thermodynamics would clearly be optional.  PGN]

Iron Mountain fire in Argentina destroys bank archives (AP)

Jim Reisert AD1C
Wed, 5 Feb 2014 18:05:01 -0700
By Associated Press, Updated: Wednesday, February 5, 12:17 PM

Buenos Aires, Argentina—Nine first-responders were killed and seven
others injured as they battled a fire of unknown origin that destroyed an
archive of corporate and banking industry documents in Argentina's capital
on Wednesday.

Heat System Called Door to Target for Hackers

"Bob Frankston"
6 Feb 2014 14:23:20 -0500
A reminder of the risks of perimeter security

If I understand this right the real problem is perimeter security as in
"hackers used a vendor's stolen credentials to get inside its corporate
network". The idea of a "corporate network" is the pipe meme for networks.
The HVAC system may use the wires in a building as a means of exchanging
packets but that shouldn't mean it's in the corporate network any more than
two people on the same sidewalks are in the same social network.

Auto battery death by improper charging

Monty Solomon
Wed, 29 Jan 2014 11:08:04 -0500
The battery died prematurely in our vehicle and it appears that the charging
mode programming had an error.

According to Honda Service Bulletin 12-041:

Possible Cause

The vehicle's battery sensor monitors battery condition and the PCM
determines charging mode. Based on the sulfation of the battery and customer
driving habits, the PCM may not select the correct charge mode.

Corrective Action

Update the PGM-FI software.

Israeli combat pilots stored top-secret info on smartphones

Steven J Klein
Wed, 5 Feb 2014 16:13:42 -0500
Two Israeli Air Force combat pilots were jailed for five days and 12 others were disciplined after it was learned they stored maps, documents and other sensitive material on their smartphones.

"The security breach came to light after one of the pilots lost his cellphone and reported what was contained on it to the military. The phone was found."


FBI Checks Wrong Box, Places Student on No-Fly List

*Chris Beck*
Thursday, February 6, 2014
  [Via Dave Farber]

Obviously people make mistakes. Seems to me that the cover up and
obfuscation need to be tried as well, and costs awarded to the pro bono
lawyers. Seems to me that anyone who tries to invoke state secrets on such
an obvious ploy to conceal incompetence ... anyone - lawyers, agents, or
any employee - needs to have their clearance revoked, all of their
assertions revisited and obviously their permission to classify or invoke

> Date: February 6, 2014 at 5:46:31 PM EST
> From: Dewayne Hendricks
> Subject: [Dewayne-Net] FBI Checks Wrong Box, Places Student on No-Fly List

> FBI Checks Wrong Box, Places Student on No-Fly List
> 02.06.14
> The government contested a former Stanford University student's assertion
> that she was wrongly placed on a no-fly list for seven years in court
> despite knowing an FBI official put her on the list by mistake because he
> checked the "wrong boxes" on a form, a federal judge wrote today.
> The agent, Michael Kelly, based in San Jose, misunderstood the directions
> on the form and "erroneously nominated" Rahinah Ibrahim to the list in
> 2004, the judge wrote.
> "He checked the wrong boxes, filling out the form exactly the opposite way
> from the instructions on the form," U.S. District Judge William Alsup wrote
> (.pdf) today.
> The decision makes Ibrahim, 48, the first person to successfully
> challenge placement on a government watch list.
> Much of the federal court trial, in which the woman sought only to clear
> her name, was conducted in secret after U.S. officials repeatedly invoked
> the state secrets privilege and sought to have the case dismissed.
> Attorneys working pro bono spent as much as $300,000 litigating the case.
> The judge issued a brief ruling last month declaring that the Malaysian
> woman was a victim of a bureaucratic "mistake." The judge's full opinion
> was released today.
> Ibrahim's saga began in December 2005 when she was a visiting doctoral
> student in architecture and design from Malaysia. On her way to Kona,
> Hawaii to present a paper on affordable housing, Ibrahim was told she was
> on a watch list, detained, handcuffed and questioned for two hours at San
> Francisco International Airport.
> She sued and federal authorities fought her all the way.
> The December 5-day trial was shrouded in extraordinary secrecy, with
> closed court hearings and non-public classified exhibits.
> The agent testified to his bungle in closed court.

EU has secret plan for police to 'remote stop' cars

Henry Baker
Thu, 30 Jan 2014 07:27:40 -0800
FYI—What could possibly go wrong with this technology?

* Once this technology is installed in EU cars, it will likely be in _all_
  cars world-wide, but merely 'disabled', so that it still provides
  additional attack surface even _outside the EU_.

* Hackers/criminals can disable your car remotely—e.g., to rob or kidnap.

* Governments can disable cars of the press, dissidents, activists, etc.

* Governments can disable cars during 'emergencies' to allow 'prioritized'
  traffic.  (Remember US air traffic control after 911, when certain special
  civilian flights were still allowed?)

* Govt employees can disable cars of ex-spouses, ex-lovers, etc.

* Together with real-time GPS tracking, selected cars can have an
  "electronic fence" like your dog's electronic fence.

The potential for mischief is unbounded.

EU has secret plan for police to 'remote stop' cars

The EU is developing a secret plan to give the police the power to control
cars by switching the engine off remotely

Bruno Waterfield and Matthew Day, 29 Jan 2014

The European Union is secretly developing a "remote stopping" device to be
fitted to all cars that would allow the police to disable vehicles at the
flick of a switch from a control room.

Confidential documents from a committee of senior EU police officers, who
hold their meetings in secret, have set out a plan entitled "remote stopping
vehicles" as part of wider law enforcement surveillance and tracking

"The project will work on a technological solution that can be a 'build in
standard' for all cars that enter the European market," said a restricted

The devices, which could be in all new cars by the end of the decade, would
be activated by a police officer working from a computer screen in a central

Once enabled the engine of a car used by a fugitive or other suspect would
stop, the supply of fuel would be cut and the ignition switched off.

The technology, scheduled for a six-year development timetable, is aimed at
bringing dangerous high-speed car chases to an end and to make redundant
current stopping techniques such as spiking a vehicle's tyres.

The proposal was outlined as part of the "key objectives" for the "European
Network of Law Enforcement Technologies", or Enlets, a secretive off-shoot
of a European "working party" aimed at enhancing police cooperation across
the EU.

Statewatch, a watchdog monitoring police powers, state surveillance and
civil liberties in the EU, have leaked the documents amid concerns the
technology poses a serious threat to civil liberties

"We all know about the problems surrounding police stop and searches, so why
will be these cars stopped in the first place," said Tony Bunyan, director
of Statewatch.

"We also need to know if there is any evidence that this is a widespread
problem. Let's have some evidence that this is a problem, and then let's
have some guidelines on how this would be used."

The remote stopping and other surveillance plans have been signed off by the
EU's Standing Committee on Operational Cooperation on Internal Security,
known as Cosi, meaning that the project has the support of senior British
Home Office civil servants and police officers.

Cosi, which also meets in secret, was set up by the Lisbon EU Treaty in 2010
to develop and implement what has emerged as a European internal security
policy without the oversight of MPs in the House of Commons.

Douglas Carswell, the Conservative MP for Clacton, attacked the plan for
threatening civil liberties and for bypassing the parliament.

"The price we pay for surrendering our democratic sovereignty is that we are
governed by an unaccountable secretive clique," he said.

Nigel Farage, the leader of Ukip, described the measure as "incredible" and
a "draconian imposition".

"It is appalling they are even thinking of it," he said. "People must
protest against this attack on their liberty and vote against an EU big
Brother state during the Euro election in May."

In 2012, Enlets received a 484,000 grant from the European Commission
for its declared mission to "support front line policing and the fight
against serious and organised crime by gathering user requirements, scanning
and raising awareness of new technology and best practices, benchmarking and
giving advice".

The six-year work programme for Enlets also includes improving automatic
number plate recognition technology and intelligence sharing. Although the
technology for police to stop a vehicle by remote control has still to be
developed, Enlets argues the merits of developing such a system.

"Cars on the run can be dangerous for citizens," said a document. "Criminal
offenders will take risks to escape after a crime. In most cases the police
are unable to chase the criminal due to a lack of efficient means to stop
the vehicle safely."

The introduction of stopping devices has raised questions of road
safety. David Davis, the Conservative MP for Haltemprice and Howden, warned
that the technology could pose a danger to all road users.

"I would be fascinated to know what the state's liability will be if they
put these devices in all vehicles and one went off by accident whilst a car
was doing 70mph on a motorway with a truck behind it resulting in loss of
life," he said.

"It is time legislators stopped believing technology is a form of magic and
realised that is fallible, and those failures do real harm."

  [Also noted by Gideon Yuval.  PGN]

When teaching, you should know your subject

Paul Robinson
Tue, 11 Feb 2014 15:03:53 -0800 (PST)
This is one of those "technology gone bad" stories I found very funny.
Washington DC Cable TV News Channel 8 reported Monday that one of the
members of a Mideast terrorist group was teaching how to correctly build
pipe bombs in a safe manner when one of the completed bombs blew up, setting
off the rest, killing the instructor and 24 members of the group, and
injuring several others who were caught trying to escape by police.  The
risk here is that if you're going to teach people how to commit terrorist
acts, you should at least know how to handle explosives, and if you're
trying to commit them - even if you're planning to be a suicide bomber - you
have a better chance of injuring or killing people if you at least live long
enough to survive the training class.

Bad Domain Registrar Security Leads to Loss of Valuable Twitter Handle

Chuck Weinstock
Wed, 29 Jan 2014 15:30:20 +0000

Hero has a single character twitter handle (N). Villain wants it. Through
(mostly) social engineering villain is able to get control of the hero's
domain name. He changes the name servers and tries to get a password reset
email from twitter. Because of propagation delays the hero receives the
email and is able to stop the hijack by changing his email address on
twitter. But GoDaddy won't give him his domain back because he is not the
registrant according to their records. Villain threatens to destroy hero's
websites, etc. and successfully (for now) extorts the twitter handle from

Altcoins will DESTROY the IT industry and spawn an infosec NIGHTMARE

"Matthew Kruk"
Wed, 29 Jan 2014 01:18:40 -0700

GPS pioneer warns on network's security (Jones/Hoyos)

Henry Baker
Thu, 13 Feb 2014 14:27:45 -0800
Sam Jones and Carola Hoyos, *Financial Times*, 13 Feb 2014,

The Global Positioning System helps power everything from in-car satnavs and
smart bombs to bank security and flight control, but its founder has warned
that it is more vulnerable to sabotage or disruption than ever before --
and politicians and security chiefs are ignoring the risk.

Impairment of the system by hostile foreign governments, cyber criminals --
or even regular citizens -- has become "a matter of national security,"
according to Colonel Bradford Parkinson, who is hailed as the architect of
modern navigation.

"If we don't watch out and we aren't prepared," then countries could be
denied everything from navigation to precision weapon delivery, Mr Parkinson
warned.  "We have to make it more robust ... our cellphone towers are timed
with GPS. If they lose that time, they lose sync and pretty soon they don't
operate.  Our power grid is synchronised with GPS [and] our banking

Western governments are "in their infancy in recognising the problem,"
Mr Parkinson told the *Financial Times* in an interview on the fringes of a
conference for government officials, academics and defence contractors at
the UK's National Physical Laboratory.

He said: "[In the US] I don't know anyone that is really in charge of it.
The Department of Homeland Security should be [but] ... they don't have any
people that understand it very well.  They've got one person without any
budget to speak of."

Mr Parkinson, now a professor at Stanford University, created GPS in the
1970s on behalf of the US military—who still control the system of
satellites today.

Use of the system for civilian purposes has exploded with the development of
mobile technologies.

Though the US military has in place protection that could give its
navigation systems a high-degree of robustness, most civilian GPS systems
have none, Mr Parkinson said.  He also warned that the EU's new 5bn
Galileo satellite system, created as an alternative to the US-controlled
GPS, was equally at risk.

Richard Peckham, who helped develop the Galileo system, said that although
its public service was encrypted, making it more difficult to hack and more
secure for users such as the emergency services and public utilities, it was
still vulnerable to jamming and interference.

The US, which initially opposed the European satellite constellation, has
come around to supporting it, in part because Washington has realised it
needs a GPS back-up system that is neither Russian nor Chinese.

A report compiled for the UK government and released this week warned that
"the conditions are present for a catastrophic 'Black Swan' event" that
would knock out one or more critical GPS systems.  The report identified
thousands of instances of GPS jamming occurring annually.

Disruption of satellite navigation systems has so far remained a relatively
low-level problem for governments. Small-range jamming devices can be
acquired easily via the Internet.  However, more powerful jamming equipment
is becoming increasingly easy to acquire.

Over the past few years South Korea has witnessed huge jamming attacks
against its GPS systems, launched by North Korea.  The areas affected
stretch 100km into South Korean territory, and include major airports and
shipping lanes. More than 1,000 ships and 250 planes had their travel
disrupted by North Korean jamming attacks in 2012.

Seoul has responded by ordering the construction of a land-based antenna
array over more than 40 sites to provide a back-up system.

The UK has already begun to build a similar system, primarily to help
shipping in the event of GPS disruption.  The stretch of water between
Britain and France is one of the busiest shipping lanes in the world, but
navigation throughout it could be disrupted by a single portable jamming

"When a ship loses GPS, it isn't like a car satnav," said Professor
David Last, a consultant to the UK's General Lighthouse Authority.
"Multiple systems fail simultaneously."

Prof Last cited a report into navigation vulnerabilities from the Royal
Academy of Engineering that found "there was barely a single area of
commerce or industry in the UK that wasn't dependent on GPS in some way."

"NSA-GCHQ Allegedly Hack Cryptographer Quisquater"

Jean-Jacques Quisquater - UCL Crypto Group
Thu, 06 Feb 2014 18:43:05 +0100
Comments about "NSA-GCHQ Allegedly Hack Cryptographer Quisquater"
More info written by Jean-Jacques Quisquater.
This text was updated on February 8, 2014 in the morning (Belgian time).

Since 1 Feb 2014, many papers appeared in the newspapers and on Internet
concerning the hack of the personal portable computer of Jean-Jacques
Quisquater (JJQ). See

Unfortunately many of these papers suffer from approximations and
extrapolations and some of them are wrong.

The following text is intended to clarify the context of the attack as much
as possible as the investigations are not complete at this stage.

In short:

Facts: Yes, this portable computer was attacked. We don't know for sure the
vector of the attack in use. According to the Belgian Federal Police the
attack of this computer is strongly related to the attack of Belgacom in
Belgium allegedly hacked by NSA-GCHQ.

The only found vector of attack is related to an e-mail spoofing a linkedin
e-mail mentioning a name close to a name known by JJQ. From this e-mail, JJQ
opened a link to a profile of the mentioned person and JJQ immediately
understood it was a spoof and closed his computer in one second.  The
computer was later extensively scanned by several malware detectors without
result. Possibly another vector of attack was used but there is no trace of

* Data available on the computer: There was no sensitive data on the
computer.  The main part of the JJQ's work is the design of (formal) methods
related to cryptography and computer security and this activity is twofold:

  - Methods related to the academic world finally anyway published in
    conferences, journals, patents and standards. Privacy concerning reviews
    of scientific papers is important to write these reviews without
    external pressure, the content is nevertheless not critical.

  - Activities related to sensitive data of companies always follow a very
    strict procedure which lead to a very strong level of security (the use
    of safes, only in company rooms, dedicated computers without connection,
    destruction of all the data at the end of the study).  Therefore no
    sensitive information related to companies is available on this personal

Companies are only using the practical ideas of JJQ in the spirit of the
main principles of Kerckhoffs ("Only the key is secret.") and Shannon
("The enemy knows the system.").

* The purpose of the attack: we don't know. Maybe the cryptography research
is under surveillance, maybe some people hope to find some interesting
information or contact, maybe there is another goal we will never know. [...]

  [PGN-truncated for RISKS.  Full text at
  Quite an item!  PGN]

Book announcement: "Threat Modeling: Designing for Security"

Adam Shostack
Sat, 15 Feb 2014 12:31:45 -0500
One of the biggest threats to threat modeling is to believe it's a
mystical rite, or inborn skill which can never be taught.  Everyone
can threat model, and everyone should.  (If threat modeling is harder
than using git, whose fault is that?)  That requires recasting threat
modeling as a set of tasks which can be taught and integrated into the
engineering processes which deliver products or services.

Adam Shostack's Threat Modeling: Designing For Security (Wiley, 2014), is
focused on actionable threat modeling for everyone involved in building and
operating complex technology, in particular, developers, systems managers
and security professionals.  The book starts with a simple introduction
focused on four questions: (1) What are you building? (2) What can go wrong?
(3) What are you going to do about it? (4) Are you doing 1-3 sufficiently
well for your project?  From there, it covers finding threats (Part II),
processing and managing threats (Part III), threat modeling for specific
technologies and tricky areas (Part IV), and taking threat modeling to the
next level (Part V).

RISKS readers (especially those in security and other trustworthiness
issues) will particularly benefit from framing threat modeling as a deeply
practical, teachable discipline, and from having prescriptive guidance to
help experts in other domains better interface with security.

More information at, and available
wherever fine books are sold.
