The RISKS Digest
Volume 27 Issue 75

Friday, 21st February 2014

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



United Airlines Can't Seem to Keep Its Computers and Systems Running
Jonathan B Spira
Oregon voter registration database hacked, then offline for 10 days
Michael Lloyd and Yuxing Zheng
Legend EMR
Richard I Cook
The Snowden privacy panic has spread to medical research
Tom Gray
Spy Chief Says Snowden Took Advantage of Perfect Storm ...
David E. Sanger and Eric Schmitt
'TheMoon' worm infects Linksys routers
Lucian Constantin via Gene Wirchenko
" loses customer credit card data in security breach"
Candice So
New Silk Road hit with $2.6 million heist due to known Bitcoin flaw
Cyrus Farivar
The furniture is watching you
Mark Thorson
Smarter caller-id spoofing
Tony Luck
Cryptography Breakthrough Could Make Software Unhackable
Venezuela's Internet Crackdown Escalates into Regional Blackout
Bing censoring Chinese language search results for users in the US
*The Guardian*
Israel Electric Opens Cyber-War Room to Defend Against Power-Grid Hacks
Gwen Ackerman
DARPA Thinks the Future of Surveillance Looks Like Siri
Patrick Tucker via ACM TechNews
Because of DRM, The Entire Copyright Monopoly Legislation is a Lie
Rick Falkvinge via Dewayne Hendricks
Why is the US a decade behind Europe on 'chip & pin' cards?
Jeremy Ardley
Re: NSF: 1/4 of Americans think sun goes 'round the earth...
Andy Walker
American science education
Rich Schroeppel
Re: High School educated Air Traffic Controllers
Steve Lamont
David Cole: "Can Privacy Be Saved?"
Bruce Schneier
GPS / GNSS vulnerabilities
Martyn Thomas
Re: GPS pioneer warns on network's security
Bob Frankston
UK is expanding their screwed up mandated porn filters to include more topics they can screw up
Lauren Weinstein
Info on RISKS (comp.risks)

United Airlines Can't Seem to Keep Its Computers and Systems Running

*Jonathan B Spira* <>
Wednesday, February 19, 2014
  [Via Dave Farber]

*United Airlines Reservation System Crashes (Again)*

"United Airlines' computer systems failed Wednesday [19 Feb 2014] morning
and the problem caused significant disruptions for passengers who had
planned travel on the airline.

A spokesman for the airline said that its Shares passenger service system
failed at 9 a.m. Eastern Time.  The disruption lasted approximately 30
minutes but it was followed by sporadic failures that continued throughout
the morning. ..."

Oregon voter registration database hacked, then offline for 10 days (Michael Lloyd and Yuxing Zheng)

"Peter G. Neumann" <>
Mon, 17 Feb 2014 13:07:14 PST
Michael Lloyd and Yuxing Zheng, *The Oregonian*
Oregon Secretary of State Kate Brown warned businesses Thursday about a
fraudulent invoice making the rounds.

Frustrations are mounting more than a week after a breach of the Oregon
secretary of state's website caused elections and business databases to go
offline. State officials say they're still investigating how the intrusion
from a foreign entity occurred and don't know when the databases will

The attack "appears to be an orchestrated intrusion from a foreign entity
and not the result of any employee activities," the agency reported on its
website this week.

The department's Central Business Registry and ORESTAR, the state's online
campaign finance reporting system, were temporarily taken offline as a
precaution after officials detected "an intrusion" around 4 Feb. Since
then, business attorneys haven't been able to look up existing business
names, and campaign finance officials have not been able to report

The outage could lead to missed deadlines and increased costs for businesses
as attorneys spend extra time filing documents, said Shawn Lindsay, a
business attorney and a Republican former state representative.

The breach also raises questions about the security of the agency's other
databases, including the voters database, which contains personal
information that isn't publicly available, Lindsay said.

The voters database is on a separate server and was not affected by last
week's breach, state officials say. Credit card data is also safe.

Legend EMR

Richard I Cook MD <>
Sat, 8 Feb 2014 10:34:51 +0100
In my most recent Velocity talk I made the point that applications gradually
take on safety implications as their use becomes wider and they become more
integrated into work. This is surely true for the Electronic Medical Records
and will become true for many applications now considered `nice' or `useful'
-- i.e., nonessential.  Although not directed towards a safety goal (and
therefore exempt from the usual requirements for devices intended to make or
assure safety) useful artifacts gradually insinuate themselves into
operations that are themselves essentially risky. It is then that their
safety-ness becomes apparent.

Unfortunately, the shift in use is not accompanied by reliability
improvements. It is the same COTS stuff at the end as the beginning.

The reaction of those responsible to accomplish the tasks that the apps do
will be to develop low-cost and easily-deployed means to accomplish the
functions when the IT doesn't work. Much of this is in the form of paper:
Copies of schedules, copies of availability, printed versions of planning
guides are easy to maintain and cost very little.

The Snowden privacy panic has spread to medical research

Tom Gray <>
February 7, 2014 at 7:56:56 PM EST
  [Via Dave Farber's IP list]

The Snowden privacy panic has spread to medical research. This is a problem.
*The Daily Telegraph*

Since the Snowden revelations everyone has been panicking about privacy.
Google, Twitter, Facebook and Yahoo are racing to show users how well they
can protect their data. Government contractors are double-scrutinising new
hires and encrypting everything in sight. But there's about to be one
cautious move too many, and it's a serious threat to medical research.

The European Parliament is proposing a new law which will effectively
illegalise a NHS database of patient records, along with many large research
projects. The idea had been kicking around for a while, but progress ground
to a halt last year. After Snowden though, the kicking enthusiastically

Spy Chief Says Snowden Took Advantage of Perfect Storm ... (David E. Sanger and Eric Schmitt)

David Farber <>
Wed, 12 Feb 2014 03:39:30 -0500
David E. Sanger and Eric Schmitt, *The New York Times*, 11 Feb 2014

WASHINGTON—The director of national intelligence acknowledged Tuesday
that nearly a year after the contractor Edward J. Snowden `scraped' highly
classified documents from the National Security Agency's networks, the
technology was not yet fully in place to prevent another insider from
stealing top-secret data on a similarly large scale.

The director, James R. Clapper Jr., testifying before the Senate Armed
Services Committee, said Mr. Snowden had taken advantage of a `perfect
storm' of security lapses. He also suggested that as a highly trained
systems administrator working for Booz Allen Hamilton, which provides
computer services to the agency, Mr. Snowden knew how to evade the
protections in place.

"He knew exactly what he was doing," Mr. Clapper said. "And he was
pretty skilled at staying below the radar, so what he was doing wasn't

But Mr. Clapper confirmed the outlines of a New York Times report that the
former N.S.A. contractor had used a web crawler, a commonly available piece
of software, to sweep up a huge trove of documents.

Mr. Clapper also said, for the first time, that some of the information
Mr. Snowden is believed to possess could expose the identities of undercover
American operatives as well as foreigners who have been recruited by United
States spy agencies. The information Mr. Snowden has released so far through
several newspapers and a new digital news organization that began publishing
on Monday has not revealed the names of agents or operatives, and it is
unclear how much of that information he took with him when he fled the
United States.  [Truncated for RISKS...]

"'TheMoon' worm infects Linksys routers" (Lucian Constantin)

Gene Wirchenko <>
Tue, 18 Feb 2014 09:43:38 -0800
Lucian Constantin, InfoWorld, 18 Feb 2014
A self-replicating program infects Linksys routers by exploiting an
authentication bypass vulnerability

" loses customer credit card data in security breach" (Candice So)

Gene Wirchenko <>
Wed, 19 Feb 2014 09:50:23 -0800
Candice So, *IT Business*. 18 Feb 2014

selected text:

In an e-mail to its customers today, said one of its service
providers was "illegally compromised" between 22 Dec 2013 and 7 Jan 2014.
...  The service provider then informed about two weeks ago [a delay
of about one month], and got further confirmation about the breach
from its credit card provider less than a week ago.

New Silk Road hit with $2.6 million heist due to known Bitcoin flaw (Cyrus Farivar)

Gene Wirchenko <>
Sun, 16 Feb 2014 18:51:29 -0800
Cyrus Farivar, Ars Technica, 14 Feb 2014
"Transaction malleability," which worried Mt. Gox and Bitstamp, strikes again.
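The one-line teaser above names the flaw but not the defensive point. As an added illustration (not from the Ars Technica article or from RISKS), the following Python models a simplified transaction whose id is the hash of the whole serialized transaction, signature included. A third party who re-encodes the signature (here stood in for by constructed padding, not Bitcoin's real encoding) changes the id without changing what is spent or who is paid. A service that reconciles withdrawals by the id it broadcast then fails to find its own transaction and may re-send; reconciling by the coins spent (the outpoints), which can only be consumed once, is the check that survives. All names and the transaction format are assumptions made for this example.

```python
import copy
import hashlib
import json

# Constructed, simplified transaction model (not Bitcoin's wire format):
# inputs name the coins being spent (prev_txid, index) plus a signature;
# outputs name who receives what.  The id is the hash of the whole
# serialized transaction, signature included, which is what makes it malleable.

def serialize(tx):
    # Canonical encoding so identical content always hashes identically.
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()

def txid(tx):
    return hashlib.sha256(serialize(tx)).hexdigest()

def outpoints(tx):
    # The coins a transaction spends; each can be spent at most once.
    return frozenset((i["prev_txid"], i["index"]) for i in tx["inputs"])

def malleate(tx):
    # Stand-in for third-party signature re-encoding (assumed cosmetic
    # padding): inputs and outputs are unchanged, so the transaction still
    # authorizes the same transfer, but its id is different.
    m = copy.deepcopy(tx)
    for i in m["inputs"]:
        i["sig"] += "00"
    return m

def settled_by_txid(withdrawal, confirmed):
    # Fragile reconciliation: only recognises the exact id we broadcast.
    want = txid(withdrawal)
    return any(txid(c) == want for c in confirmed)

def settled_by_outpoints(withdrawal, confirmed):
    # Robust reconciliation: if any confirmed transaction spent one of our
    # coins, the withdrawal (or something spending the same coins) already
    # happened, so re-sending would be wrong either way.
    ours = outpoints(withdrawal)
    return any(outpoints(c) & ours for c in confirmed)

WITHDRAWAL = {  # constructed sample withdrawal
    "inputs": [{"prev_txid": "ab" * 32, "index": 0, "sig": "3045deadbeef"}],
    "outputs": [{"to": "customer-address", "amount": 5000}],
}

def demo():
    relayed = malleate(WITHDRAWAL)
    confirmed = [relayed]  # the network confirmed the altered copy, not ours
    return {
        "id_changed": txid(relayed) != txid(WITHDRAWAL),
        "outputs_same": relayed["outputs"] == WITHDRAWAL["outputs"],
        "by_txid": settled_by_txid(WITHDRAWAL, confirmed),
        "by_outpoints": settled_by_outpoints(WITHDRAWAL, confirmed),
    }

if __name__ == "__main__":
    print(demo())
```

The outpoint check deliberately treats "someone else spent our coins" the same as "our transaction confirmed under a different id": in both cases the coins are gone and an automatic retry only compounds the loss, so the right action is to stop and investigate rather than re-issue.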

The furniture is watching you

Mark Thorson <>
Wed, 19 Feb 2014 14:57:50 -0800
Another company, Steelcase, which puts sensors in office furniture and
buildings to see how workers interact, thinks the real opportunity for
workplace monitoring is far from the call-centre floor—in opaque
creative departments and even boardrooms, where time is especially precious.

David Lathrop, its director of research and strategy, says the sensors are
now so cheap they can be put "practically everywhere", arguing that
employees could benefit by tracking their own performance.  Improving the
productivity of top executives "has a disproportionate effect on the
company", he adds.

Smarter caller-id spoofing

"Luck, Tony" <>
Thu, 20 Feb 2014 18:20:35 +0000
My cell phone just rang with caller-id announcing that it was my teenage
daughter. I answered in a rush because being a typical teenager she would
rather use any other method of communication rather than a voice call - so I
figured it must be urgent.

It wasn't. It wasn't even her. It was the "Card Holder Services" spammers
saying they wanted to reduce my interest rates.

But the question is - How did they decide to spoof her number when calling me?

Possibly they managed to scrape her "contacts" from her phone using some
rogue application?

Perhaps they have scraped the caller-id database and noticed that we have
phone numbers close together and the same last name?

However they did it - the value of caller-id when deciding whether to take a
call just hit zero.

Cryptography Breakthrough Could Make Software Unhackable

Lauren Weinstein <>
Mon, 3 Feb 2014 15:10:39 -0800
  "Secure program obfuscation would be useful for many applications, such as
  protecting software patches, obscuring the workings of the chips that read
  encrypted DVDs, or encrypting the software controlling military
  drones. More futuristically, it would allow people to create autonomous
  virtual agents that they could send out into the computing "cloud" to act
  on their behalf. If, for example, you were heading to a remote cabin in
  the woods for a vacation, you could create and then obfuscate a computer
  program that would inform your boss about e-mails you received from an
  important client, or alert your sister if your bank balance dropped too
  low. Your passwords and other secrets inside the program would be safe."  (*WiRed*)

 - - -

And so handy to hide viruses, spies, and other evil in, too!

Venezuela's Internet Crackdown Escalates into Regional Blackout

Lauren Weinstein <>
Thu, 20 Feb 2014 20:04:38 -0800  (EFF via NNSquad)

  "For the last month, Venezuela has been caught up in widespread protests
  against its government. The Maduro administration has responded by
  cracking down on what it claims as being foreign interference online. As
  that social unrest has escalated, the state's censorship has widened: from
  the removal of television stations from cable networks, to the targeted
  blocking of social networking services, and the announcement of new
  government powers to censor and monitor online. Last night, EFF received
  reports from Venezuelans of the shutdown of the state Internet provider in
  San Cristbal, a regional capital in the west of the country."

Bing censoring Chinese language search results for users in the US

Lauren Weinstein <>
Tue, 11 Feb 2014 15:53:04 -0800  (*The Guardian* via NNSquad)

  "Microsoft's search engine Bing appears to be censoring information for
  Chinese language users in the US in the same way it filters results in
  mainland China.  Searches first conducted by anti-censorship campaigners
  at FreeWeibo, a tool that allows uncensored search of Chinese blogs, found
  that Bing returns radically different results in the US for English and
  Chinese language searches on a series of controversial terms.  These
  include Dalai Lama, June 4 incident (how the Chinese refer to the
  Tiananmen Square protests of 1989), Falun Gong and FreeGate, a popular
  Internet workaround for government censorship."

Israel Electric Opens Cyber-War Room to Defend Against Power-Grid Hacks (Gwen Ackerman)

"Peter G. Neumann" <>
Fri, 21 Feb 2014 11:57:22 PST
Gwen Ackerman, Bloomberg, 19 Feb 2014

Israel's main power company opened a cyber "war room" this week to defend
its systems around the clock from hackers. Technicians at Israel Electric
will monitor as many as 400 million cyber-attacks and hacking attempts a

"There are hundreds of thousands of attempts to infiltrate Israel Electric's
networks every day," Israel Electric Chairman Yiftach Ron-Tal said in an
e-mailed statement yesterday. "We are talking here about a threat on a
national level."

Prime Minister Benjamin Netanyahu has said that one goal of his government
is to turn Israel into a world leader in cyber-technologies.  In 2012,
Netanyahu formed the National Cyber Bureau, which said last month that it
plans to establish an emergency-response team for cyber-attacks. President
Shimon Peres has spent the last month making public appearances to promote
Israeli technology, including cyber-security.

In the past three years, the country's cyber-security industry has grown
from a few dozen companies to about 220 that have raised more than $400
million, according to the Tel Aviv-based IVC Research Center. Twenty
multinational companies now operate online-security development centers in
Israel. [...]

DARPA Thinks the Future of Surveillance Looks Like Siri

"ACM TechNews" <>
Mon, 10 Feb 2014 11:47:01 -0500 (EST)
Patrick Tucker, *Defense One*, 6 Feb 2014

U.S. Defense Advanced Research Projects Agency (DARPA) Information
Innovation Office director Dan Kaufman says an innovation gap exists as the
private sector advances in areas in which the government was once primarily
responsible for research breakthroughs.  Kaufman hopes to close that gap,
and notes that DARPA has made its most recent big data research effort part
of the DARPA Open Catalog, which aims to open more of the agency's software
and science research to the public.  For example, he says improved
encryption can help provide both privacy and security.  "What if there was a
way to collect the data but encrypt it so that people couldn't use it in a
way that wasn't approved?" Kaufman asks.  In the future, spying on data will
be more difficult even as data proliferates across multiple channels, says
Kaufman, pointing to DARPA's PROCEED program, which successfully
demonstrated fully homomorphic encryption for cloud environments, previously
thought to be impossible.  DARPA also will use advanced machine learning to
help the Defense Department manage threats, enabling security experts to
interact with an algorithm that learns what to look for and improves results
through continued interaction.

Because of DRM, The Entire Copyright Monopoly Legislation is a Lie (Rick Falkvinge)

*Dewayne Hendricks* <>
Wednesday, February 12, 2014
Rick Falkvinge, *Torrent Freak*, 9 Feb 2014 [via Dave Farber]

Cory Doctorow had a brilliant column in The Guardian, which was very long
and went into quite a bit of legislative history, but the key takeaway hit
the nail right on the head.

The entire copyright legislation is a lie, a facade, a mirage. There are no
exceptions, there are no expirations, there is no fair use. The reason the
situation has been allowed to degrade to this point is a small but important
detail called DRM (Digital Restriction Measures).

Since the turn of the century publishers are allowed to embed technical
obstacles called Digital Restriction Measures in anything they publish, and
these measures set and enforce a vastly expanded set of restrictions over
and above ordinary copyright monopoly law. The original law loses its
effect in the clause that says that any disabling of such Digital
Restriction Measures is illegal in the US and EU.

The net effect of this is that the DRM portion of copyright law, as it
stands today, is permitting publishers to dictate whatever terms they like
and call it `copyright', overriding the rest of that law.

Ordinary copyright monopoly law says that the monopoly eventually expires.
That's just not true, because mostly everything published today has
DRM, which says the monopoly does not expire.

Ordinary copyright monopoly law says you have a right to enjoy your
purchased works in various formats, places, and ways (in your car, in your
home, on your bike, when you like). DRM has made sure that's not in
the lawbooks anymore, because publishers didn't want it that way.

So let's look closer at what the copyright monopoly law really looks
like, with DRM in place and protected by law as is today.

Publishers don't want you to buy stories in another country and
enjoy them at home? At odds with ordinary copyright law, but with DRM,
publishers can totally override that.

Publishers want the copyright law to say that purchased books can't even be
shared between family members? Perfectly doable with DRM-fabricated
copyright law, even if the ordinary copyright law would have dropped a ton
of bricks on those publishers.

Publishers want the ability to remotely remove a book you've bought from
your bookshelf, even as you have it in your home? Say, Just fine with DRM.

Digital Restriction Measures were never—never—supposed to prevent
copying.  If you wanted to copy a DRM-ridden work, you could do so without
problem; the DRM would follow along to the copy just fine. DRM is a usage
restriction, not a copy restriction, and most importantly, as Doctorow puts

DRM is the right for publishers to make up their own copyright law. [...]

Why is the US a decade behind Europe on 'chip and pin' cards? (RISKS-27.73)

Jeremy Ardley <>
Tue, 04 Feb 2014 20:38:17 +0800
Chip and PIN doesn't actually increase security. Chip & PIN cards have a
fall-back mode when the chip fails and revert to standard magnetic stripe
operation or even mechanical imprint.

It's trivial to create a card with a broken chip and forged or broken
magnetic stripe.

It gets slightly more complex with the RFID version of Chip and PIN. The
cards have three levels of degradation. Either the RFID fails or the RFID
reader fails - both quite common in my experience. Then the Chip can fail -
again common, and finally the stripe can fail forcing a reversion to
mechanical imprint.

There is also the issue of bank terminal acceptance of cards. In one store I
am obliged to initially present my RFID card which is declined as not
accepted at that terminal. Then I have to insert the card to have the chip
read and it is again declined because the terminal won't accept electronic
AMEX. Finally I am allowed to swipe the card. I must do it in that order
because of the store rules.

There is also the issue of Card-not-present purchases such as telephone or
Internet purchases in which the chip plays no part whatsoever.

What RFID cards do do is decrease security due to various scams involving
portable RFID readers. A second risk is banks have different automatic
authorisation levels depending on the type of verification used. In my case
RFID authentication has a relatively high dollar value for automatic
authorisation, so anyone taking my card can make multiple purchases up to
$100 each with no signature or PIN. If the card reverts to simple chip mode
or swipe mode then a PIN is required for all purchases.

All in all Chip cards and in particular RFID Chip cards are convenient but
overall less secure than ordinary swipe cards—at least from a user

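The post above describes two issuer-side behaviours that decide how much a lost card is worth to whoever holds it: the fallback from chip to stripe or imprint, and per-method authorisation limits that let contactless purchases go through without a PIN. As an added example (written for this digest, not Jeremy Ardley's text or any bank's actual rules), here is a small authorisation policy that treats a stripe or imprint presentation of a chip-capable card as a technical fallback requiring a PIN, and that caps no-PIN contactless spend both per transaction and cumulatively over a rolling window, which is the control the post's "multiple purchases up to $100 each" scenario lacks. The limits, field names and the sample transaction sequence are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Assumed issuer policy (constructed for this example, not any bank's rules).
NO_CVM_PER_TXN_LIMIT = 100            # contactless with no PIN, per purchase
NO_CVM_WINDOW = timedelta(hours=24)   # rolling window for the velocity cap
NO_CVM_WINDOW_LIMIT = 250             # cumulative no-PIN contactless spend
ENTRY_RANK = {"contactless": 3, "chip": 2, "swipe": 1, "imprint": 0}

def authorize(history, txn):
    """Return (decision, reason). history holds earlier approved txns for the card."""
    mode, cvm, amount = txn["entry"], txn["cvm"], txn["amount"]
    # 1. Technical fallback: a chip-capable card presented by stripe or imprint.
    #    Allow it only with online PIN, and flag it for review either way.
    if txn["card_has_chip"] and ENTRY_RANK[mode] < ENTRY_RANK["chip"]:
        if cvm != "pin":
            return "decline", "fallback-without-pin"
        return "approve-flag", "fallback-with-pin"
    # 2. Contactless with no cardholder verification: per-txn cap plus a
    #    velocity cap so repeated small purchases cannot drain the account.
    if mode == "contactless" and cvm == "none":
        if amount > NO_CVM_PER_TXN_LIMIT:
            return "decline", "no-cvm-over-limit"
        since = txn["at"] - NO_CVM_WINDOW
        recent = sum(h["amount"] for h in history
                     if h["entry"] == "contactless" and h["cvm"] == "none"
                     and h["at"] >= since)
        if recent + amount > NO_CVM_WINDOW_LIMIT:
            return "decline", "no-cvm-velocity"
        return "approve", "no-cvm-within-limits"
    # 3. Anything else (chip, or contactless above the no-CVM path) needs a PIN.
    if cvm == "pin":
        return "approve", "pin-verified"
    return "decline", "cvm-required"

def run_sequence(txns):
    """Feed transactions through the policy in order, building the history."""
    approved, results = [], []
    for t in txns:
        decision, reason = authorize(approved, t)
        results.append((decision, reason))
        if decision.startswith("approve"):
            approved.append(t)
    return results

T0 = datetime(2014, 2, 20, 9, 0)
def _t(minutes, entry, cvm, amount):
    return {"card_has_chip": True, "entry": entry, "cvm": cvm,
            "amount": amount, "at": T0 + timedelta(minutes=minutes)}

SAMPLE = [  # constructed sequence for one card
    _t(0, "contactless", "none", 90),    # approve: 90 in window
    _t(10, "contactless", "none", 90),   # approve: 180 in window
    _t(20, "contactless", "none", 90),   # decline: 270 would exceed 250
    _t(30, "swipe", "none", 40),         # decline: fallback without PIN
    _t(40, "swipe", "pin", 40),          # approve but flagged
    _t(50, "chip", "pin", 500),          # approve: PIN verified
    _t(60, "contactless", "none", 120),  # decline: over per-txn cap
]

if __name__ == "__main__":
    for txn, result in zip(SAMPLE, run_sequence(SAMPLE)):
        print(txn["entry"], txn["cvm"], txn["amount"], "->", result)
```

The velocity cap is the piece that changes the picture in the post: the first few no-PIN taps still go through, but the cumulative exposure is bounded, and every fallback transaction leaves a review flag rather than silently passing as an ordinary swipe.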
Re: NSF: 1/4 of Americans think sun goes 'round the earth...

Andy Walker <>
Sun, 16 Feb 2014 12:40:38 +0000
The state of education around the world is often a source of innocent
amusement, but this particular item is perhaps not as "bad" as it seems.
Firstly, it is certain that the great majority of humans throughout history
have believed this, if they have thought about the problem at all.
Secondly, it's not a problem that impinges on the daily life of anyone.
Thirdly, if the theory of General Relativity is to be accepted, then
heliocentrism is no better a belief than geocentrism [or galactocentrism or
...]; we should pick co-ordinates for convenience, not dogma.

American science education

Rich Schroeppel <>
Sun, 16 Feb 2014 14:39:54 -0700
> NSF: 1/4 of Americans think sun goes 'round the earth...

This is cherry picking from the NSF report.  (Read it.)  Although the state
of American science knowledge is spotty, this particular example overstates
the problem.  Note also that Americans stack up reasonably well compared
with people in other developed countries.

As an aside, I'll level a couple of other quibbles.

a) "Which goes around which" is science trivia, unimportant to everyday
   life.  Ask people about the freezing temperature for water.
b) I'm allowed to choose my frame of reference.  For practical purposes, the
   earth is stationary and the sun goes around the earth once a day.

High School educated Air Traffic Controllers

Steve Lamont
Sat, 15 Feb 2014 16:51:39 -0800
Rather than depend upon a biased source ( is an arm of the
Koch Brothers Reason Foundation, which would probably like to abolish
the FAA and allow the invisible hand of the free market to rule the air
spaces), why don't we look at the job posting itself:

  Air Traffic Control Specialist Recruitment: Alert on Upcoming
  Recruitment and Outreach Campaign by FAA

  29 Jan 2014

  The Federal Aviation Administration (FAA) has announced a nation-wide air
  traffic control specialist recruitment, outreach, and education program,
  extending the invitation for the workforce system to share this
  information with its program participants in advance of a public vacancy
  announcement expected on or about 10 Feb 2014. There are air traffic
  control positions available at FAA locations across the country, and the
  FAA encourages all interested individuals who are eligible to apply for
  these positions.

  Some background:

  The Federal Aviation Administration (FAA) has re-opened its Academy for
  training Air Traffic Controllers since it closed in the spring of
  2013. The FAA intends to hire around 3,000 people over the next year for
  these positions across the country. The FAA anticipates that they will be
  hiring in significant numbers over the next several years, given the fact
  that Air Traffic Controllers must retire by age 56.

  Below are some key points of this new FAA hiring initiative:

  * FAA will post these positions on the USA Jobs website during the 10--21
    Feb period.

  * FAA will recruit nationwide.

  * The pay scale for Air Traffic Controllers ranges from GS-9 to GS-15
    (depending on the local area).

  * Individuals must start the FAA Academy or be conditionally hired by
    their 31st birthday.

  * Individuals must have 3 years of progressively responsible work
    experience, or a Bachelor's degree, or combination of education and work

  * Individuals must meet medical and security requirements of being a
    government employee.

  * Veterans will receive Preference through the normal Federal Hiring

  * FAA is hosting a Virtual Career Fair on 12 Feb.

  Please visit jobs for Employment FAQs, Air Traffic
  Controller Fact Sheets, and promotional videos.

  FAA has also created 'Digital Kits' created for outreach and promotion,
  addressing eligibility for the position, application instructions, and
  other FAA positions in addition to the air traffic control jobs. Please

The FAA is not hiring J Random Dropout off the street and plopping them into
a controller's chair at LAX.  They're simply restarting an already existing
program that has been in hiatus.

David Cole: "Can Privacy Be Saved?"

Bruce Schneier <>
Wed, 19 Feb 2014 11:26:16 -0600

GPS / GNSS vulnerabilities

Martyn Thomas <>
Mon, 17 Feb 2014 10:08:47 +0000
The Royal Academy report that was mentioned in the latest RISKS digest is here:

Re: GPS pioneer warns on network's security (Jones/Hoyos, R-27.74)

"Bob Frankston" <>
15 Feb 2014 21:50:25 -0500
One approach is to harden the system but shouldn't we also be thinking about
a more generalized approach to getting location information that doesn't
depend on line-of-sight to satellites? We already do this using information
from cell towers and other sources but such approaches need to be resilient
and not naively trusting in the information they receive.

UK is expanding their screwed up mandated porn filters to include more topics they can screw up

Lauren Weinstein <>
Sun, 16 Feb 2014 20:18:54 -0800  (Techdirt via NNSquad)

  "The UK government's futile and ham-fisted attempts to purge the Internet
  of all of its rough edges and naughty bits are about to see international
  escalation. The country is only really just kicking off their campaign to
  impose porn filters that not only often don't work, but also have so far
  managed to accidentally block numerous entirely legal and useful websites
  including technology news sites like Slashdot, digital rights groups like
  the EFF, rape counseling websites, and more. David Cameron's government
  has long-stated they want this filtering to eventually extend to websites
  deemed "extremist" by the government, and it appears that new proposals
  being drafted hope to make that a reality sooner rather than later."

Here's a plan. Cameron can just use "*" as his filter block directive and
avoid all the intermediate steps. No Web! No Problem!
