The RISKS Digest
Volume 27 Issue 79

Thursday, 6th March 2014

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


95% of bank ATMs face XP end of security support
Henry Baker
"7 hidden dangers of wearable computers"
Jaikumar Vijayan via Gene Wirchenko
"Techies: Take a congressman and a cop to work with you"
Bill Snyder via Gene Wirchenko
"Two more Bitcoin exchanges fall prey to alleged hacker theft"
Kevin Lee via Gene Wirchenko
"What Disney World teaches us about mobile payments"
Galen Gruman via Gene Wirchenko
Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
Ars Technica via Lauren Weinstein
Linksys E1000, E1200, and E2400 routers reportedly have exploitable vulnerability
Bob Gezelter
Re: Apple Rolls Out CarPlay
Bob Frankston
TrustyCon and the RSA con NSA poll
Scott Miller
Re: Smarter caller-id spoofing
Chris Drewe
Apple security rules leave inherited iPad useless
Amos Shapir
Author Anne Rice has it dead wrong on comments and anonymity
Lauren Weinstein
Race To Stop 'Revenge Porn' Raises Free Speech Worries
Lauren Weinstein
Medtronic Carelink User Guide on passwords
Shawn Merdinger
Book review: Adam Shostack, Threat Modeling: Designing for Security
Ben Rothke
Info on RISKS (comp.risks)

95% of bank ATMs face XP end of security support

Henry Baker <>
Tue, 04 Mar 2014 06:34:04 -0800
FYI—"Banks everywhere are in a race against time to upgrade their ATMs
_before_ they become hot targets for hackers."  "Before" ???

I can't wait for the security popup window (see link below) to show up on
the 8th of each month on my bank's XP ATM machine.

Of course, the cure may be worse than the disease: "Modern technology allows
companies to push software updates via their networks instead of paying each
ATM a physical visit."  What could possibly go wrong with this plan,
especially when these same banks have yet to upgrade to TLS1.2 on their own
websites ?  --- Published on Dec 29, 2013 Electronic Bank Robberies:
Stealing Money from ATMs with Malware:08EYv4N5A

BTW, these US banks are subsidized by US taxpayers through below-market
interest rates from the Fed, so US taxpayers are paying for this folly, not
bank management.

"Yes, Microsoft will use a popup to push users off of Windows XP"

95% of bank ATMs face end of security support
By Jose Pagliery  @Jose_Pagliery March 4, 2014: 6:59 AM ET

Nearly all ATMs run on Windows XP, and that'll soon be a problem.

Banks everywhere are in a race against time to upgrade their ATMs before
they become hot targets for hackers.

An estimated 95% of American bank ATMs run on Windows XP, and Microsoft is
killing off tech support for that operating system on April 8. That means
Microsoft (MSFT, Fortune 500) will no longer issue security updates to patch
holes in Windows XP, leaving those ATMs exposed to new kinds of

"This isn't a Y2K thing, where we're expecting the financial system to shut
down.  But it's fairly serious," said Kurtis Johnson, an ATM expert with
U.S. manufacturer Triton.

If banks fail to upgrade their ATMs to a newer version of Windows by April,
customers might be at risk.  If hackers discover new flaws in Windows XP,
those bugs will go unaddressed, leaving attackers free to exploit them.

It can't yet be known what hackers could do with a Windows XP ATM after
April 8.  But the prospect of providing a potentially compromised machine
with your account and PIN information is unsettling.

Major banks are now cutting special deals with Microsoft to extend life
support for their Windows XP machines while they replace their fleet of
ATMs.  JPMorgan (JPM, Fortune 500) bought a one-year extension of service
and plans to start upgrading ATMs to Windows 7 at Chase banks in July.
Citibank (C, Fortune 500) and Wells Fargo (WFC, Fortune 500) said they're
also upgrading ATMs, but they wouldn't provide details about their plans.
Bank of America (BAC, Fortune 500) did not respond to requests for comment.

Replacing the operating systems on ATMs is a major undertaking.  In the
United States, there are 210,500 bank ATMs, about 200,000 of which run on
Windows XP, according to Retail Banking Research in London.  In most cases,
banks must upgrade the software one ATM at a time, and some will need the
entire computer inside replaced too.  Labor included, it's a process that
experts in the ATM industry say could cost anywhere between $1,000 and
$3,500 apiece.

"Once they start using an operating system, they'll ride it as long and as
hard as they can," said Wes Dunn, a sales executive at ATM manufacturer

Microsoft CEO: "Mobile first, cloud first"

It might sound odd that ATMs are running on aging software better suited to
a home PC.  In fact, security experts have chastised the financial industry
for putting ATMs on a PC operating system in the first place.  They argue
ATMs should be using software that is scaled down and less buggy, such as

But banks long ago decided that Microsoft's familiar way of displaying
windows and text would sit well with customers.

Upgrading to Windows 7 or 8 will give ATMs more of a sleek feel that
resembles the latest apps on tablets and smartphones, said Jeff Dudash, a
spokesman for ATM manufacturer NCR.

One ATM manufacturer, Diebold (DBD), says banks are using this opportunity
to add newer card readers to their ATMs that accept more secure chip-and-PIN
cards.  Those cards have already been adopted worldwide but have yet to grow
popular in the United States.

Banks that retrofit their ATMs with new hardware will, in the future, be
able to upgrade their entire fleets of ATMs with a click of a button.
Modern technology allows companies to push software updates via their
networks instead of paying each ATM a physical visit.

Ironically, bank customers have less to worry about from those nondescript
ATMs found in malls, bars and tiny convenience stores.  Those 208,000
independently-run kiosks, built by Triton, Genmega and Nautilus Hyosung,
make up the other half of the nation's ATMs.  And nearly all of them run on
an even older, simpler operating system called Windows CE—which Microsoft
still supports.

First Published: March 4, 2014: 6:59 AM ET

"7 hidden dangers of wearable computers" (Jaikumar Vijayan)

Gene Wirchenko <>
Tue, 04 Mar 2014 09:15:44 -0800
Jaikumar Vijayan, Computerworld, March 4, 2014 (via InfoWorld)
Wearable computers like smart watches offer myriad benefits, but they
also raise security concerns.

"Techies: Take a congressman and a cop to work with you" (Bill Snyder)

Gene Wirchenko <>
Thu, 06 Mar 2014 09:34:42 -0800
Bill Snyder, InfoWorld, 6 Mar 2014
From distracted driving to virtual money, the law and lawmakers can't keep
up with technological change.  Let's clue them in.

selected text:

As we all know, technology moves at a lightning pace. But the law moves
much, much slower. A glance at some of the events that have made news
recently shows why we need to periodically get policy makers and enforcers
into the tech trenches.

"Two more Bitcoin exchanges fall prey to alleged hacker theft" (Kevin Lee)

Gene Wirchenko <>
Wed, 05 Mar 2014 08:28:23 -0800
Kevin Lee, *Tech Radar*, 4 Mar 2014
Bitcoin taking the one-two punch

selected text:

A pair of Bitcoin exchanges have gone down after a bout of hacking attacks.

Flexcoin announced that its virtual vault was emptied by Internet thieves
and that it will be shutting down immediately.

The second bad news for Bitcoin came from Poloniex, which admitted it lost
12.3% of its cryptocurrency funds in an estimated $50,000.

"What Disney World teaches us about mobile payments" (Galen Gruman)

Gene Wirchenko <>
Tue, 04 Mar 2014 09:12:23 -0800
Galen Gruman, InfoWorld, 04 Mar 2014
Even in a highly controlled environment, the popular notion struggles
to work as needed.

Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

Lauren Weinstein <>
Tue, 4 Mar 2014 12:17:02 -0800
  "Hundreds of open source packages, including the Red Hat, Ubuntu, and
  Debian distributions of Linux, are susceptible to attacks that circumvent
  the most widely used technology to prevent eavesdropping on the Internet,
  thanks to an extremely critical vulnerability in a widely used
  cryptographic code library.  The bug in the GnuTLS library makes it
  trivial for attackers to bypass secure sockets layer (SSL) and Transport
  Layer Security (TLS) protections available on websites that depend on the
  open source package. Initial estimates included in Internet discussions
  such as this one indicate that more than 200 different operating systems
  or applications rely on GnuTLS to implement crucial SSL and TLS
  operations, but it wouldn't be surprising if the actual number is much
  higher. Web applications, e-mail programs, and other code that use the
  library are vulnerable to exploits that allow attackers monitoring
  connections to silently decode encrypted traffic passing between end users
  and servers.  The bug is the result of commands in a section of the GnuTLS
  code that verify the authenticity of TLS certificates, which are often
  known simply as X509 certificates."  (Ars Technica via NNSquad

Linksys E1000, E1200, and E2400 routers reportedly have exploitable vulnerability

"Bob Gezelter" <>
Wed, 05 Mar 2014 00:58:40 -0700
There is reportedly another vulnerability in a SOHO router product, this
time affecting a family of Linksys products.  Apparently, the vulnerability
affects the Home Network Administration Protocol (HNAP) used for remote
management of routers and firewalls.  From the report, it appears to be
another case of weak authentication.  The ARS Technica report can be found
The SANS blog post is at:
Bob Gezelter,

Re: Apple Rolls Out CarPlay (RISKS-27.78)

"Bob Frankston" <>
3 Mar 2014 20:21:30 -0500
It's hard to tell how open the interface is from these announcements.
According to it is a factory feature. Given it's 2014
why not make this a generic network connection? Do others on the list have
more details?

There's a risk here in locking cars into Apple's silo instead of a more open
protocol. laments automobile manufacturers understand
these new technologies.

What would be nice is more of an open BYOD (Bring Your Own Device) attitude
with a place for mounting devices and access to screens but then we get into
regulations, liability, the business model of the automobile industry and
more risks.

TrustyCon and the RSA con NSA poll (Re: RISKS-27.78)

"Scott Miller" <>
Tue, 4 Mar 2014 07:41:51 -0500
On the other paw, there is this article stating that a poll taken at the RSA
conference to which TrustyCon is the intended counterpoint has 52% of
respondents disagreeing that NSA surveillance went too far. Which, if
accurate and representative, suggests that the enemies of privacy are not
only the NSA and companies such as RSA that depend on the MIC and the Wars
On Everything, but a very large number of individual information security
practitioners, as well. Perhaps a case should be made to restructure
organizations for infosec professionals to reflect who is on which side here
(I do think that at this point in the debate, "sides" is an appropriate

Re: Smarter caller-id spoofing (RISKS-27.75)

"Chris Drewe" <>
Wed, 05 Mar 2014 19:10:40 +0000
This may be old news now, but I just spotted this on *The Telegraph* web site.

Jessica Winch, *The Telegraph*, 5 Mar 2014

Caller ID shows your bank's number—but it's actually a fraudster

Conmen are using fake 'caller ID' numbers to persuade victims that the call
is from their bank; Watch out for phony e-commerce sites looking to steal
your money and personal data.

Fraudsters are targeting bank customers with a new scam using fake caller ID

The conmen call the customer and pretend to be a representative from their
bank or credit card company.  They convince customers the call is from their
bank because the caller ID matches a legitimate bank number, often the one
printed on the back of a bank card.  The scammers then persuade the customer
to hand over sensitive personal and financial information.

The scam, known as "number spoofing", has been widespread in the United
States for at least a year and is now becoming common in Britain.  According
to Ofcom, the phone regulator, the fraudsters use software to manipulate the
caller ID number. [...]

Apple security rules leave inherited iPad useless

Amos Shapir <>
Wed, 5 Mar 2014 17:58:18 +0200
Inherited iPad cannot be used because Apple does not know how to deal with
wills.  Full story at:

Beside the technical points, there is an interesting point of principle
here: Do rules set up by a multi-national company trump the law of the land?

Author Anne Rice has it dead wrong on comments and anonymity

Lauren Weinstein <>
Wed, 5 Mar 2014 16:56:24 -0800
"Anne Rice signs petition to protest bullying of authors on Amazon"

  "The Interview with the Vampire author is a signatory to a new petition,
  which is rapidly gathering steam, calling on Amazon to remove anonymity
  from its reviewers in order to prevent the "bullying and harassment" it
  says is rife on the site."  (*The Guardian* via NNSquad)

Anne Rice apparently only wants good reviews. Because the problem with
removing anonymity in book (or app!) reviews is that it skews reviews toward
the positive. It creates a "fan boy" atmosphere were anyone who dares to
speak out against a book or app (or whatever) is set upon by the fan
boys. And it discourages people who may have special knowledge about
sensitive topics from reviewing at all. Think of a parent who has a child
with a disease that carries stigma—afraid to comment non-anonymously for
fear of the impact on that child. Sorry, Anne, you're missing the
point. Bullying is bad, but trying to kill anonymity is even worse.

Race To Stop 'Revenge Porn' Raises Free Speech Worries

Lauren Weinstein <>
Thu, 6 Mar 2014 09:43:20 -0800
  "This is a delicate issue," says Lee Rowland of the American Civil
  Liberties Union, who says the legislation is "spreading like wildfire."
  "The ACLU is concerned both with the protection of privacy and free speech
  rights."  "But the reality is that revenge porn laws tend to criminalize
  the sharing of nude images that people lawfully own," says Rowland, a
  lawyer with the ACLU's Speech, Privacy and Technology Project. "That
  treads on very thin ice constitutionally."  The compelling constitutional
  questions, however, have not slowed the state-level efforts to criminalize
  the distribution and posting of explicit photos or videos without the
  consent of the subject.  (NPR via NNSquad)

The intersection of privacy and free speech is clearly among the most
complex policy-related Internet areas. No simple answers.

Medtronic Carelink User Guide on passwords

Shawn Merdinger <>
Tue, 4 Mar 2014 14:47:14 -0500
"You may use these stickers to write your username and password and post on
 your computer monitor."

While I can understand the rationale behind this, and in some ways it makes
sense. For a home health monitoring system, the user is likely sick, older,
perhaps mentally not all there, or otherwise incapacitated...and perhaps
relying on a family member or outside caregiver or skilled computer user. So
the time delays in finding or remembering a lost/forgotten password may have
a higher HEALTH risk than the risk of these credentials openly displayed in
the home...and the vendor helpdesk costs of handling customer password
resets were also likely a driver here. That said, there are risks. It's a
matter of who pays the price, wittingly or not.

Book review: Adam Shostack,Threat Modeling: Designing for Security

Ben Rothke <>
Mon, 3 Mar 2014 19:50:16 -0500
When it comes to measuring and communicating threats, the most ineffective
example in recent memory was the Homeland Security Advisory System—which
was a color-coded terrorism threat advisory scale.  The system was rushed
into use and its output of colors was not clear.  What was the difference
between levels such as high, guarded, and elevated?  From a threat
perspective, which color was more severe - yellow or orange?  Former DHS
chairman Janet Napolitano even admitted that the color-coded system
presented “little practical information'' to the public While the DHS has
never really provided meaningful threat levels, in *Threat Modeling:
Designing for Security*, author Adam Shostack (full disclosure: Adam and I
are friends) has done a remarkable job in detailing an approach that is both
achievable and functional.  More importantly, he details a system where
organizations can obtain meaningful and actionable information, rather than
vague color charts.

Full review at:

  [Adam's initial epigram (attributed to George Box) is “All models are
  wrong, some models are useful.''  This is a large book, xxxiii+590 pp.,
  Wiley, 2014.  It distills considerable practically oriented wisdom and
  experience, and should be a very valuable resource for developers of
  would-be more-secure systems.  Indeed, the emphasis is on practicality, as
  Adam eschews higher-end more formally based approaches.

  In contrast to Adam's threat-driven approach, I noted in RISKS-27.73 the
  top-down approach that Nancy Leveson and Bill Young describe in their
  Inside Risks article in the February 2014 issue of the *Communications of
  ACM*, which begins with the enterprise-level emergent properties (e.g.,
  for security and human safety) rather than driven bottom-up from the
  threat models, and implicitly exposes the threat models to encompass
  intentional and accidental threats.

  Perhaps both of these approaches *together* might dramatically improve on
  the state of the art in commercial system developments today.  Adam's
  approach might be limited by the incompleteness of the threat set, and
  Nancy and Bill's by the difficulties in refining the analysis to encompass
  all realistic threats and failure modes.  PGN.]

  The major sections of Adam's book have these titles:

    Part 1: Getting Started
    Part 2: Finding Threats
    Part 3: Managing and Addressing Threats
    Part 4: Threat Modeling in Technologies and Tricky Areas
    Part 5: Taking It To the Next Level
    Appendix A: Helpful Tools
    Appendix B: Threat Trees
    Appendix C: Attacker Lists
    Appendix D: Elevation of Privilege: The Cards
    Appendix E: Case Studies
    Bibliography (24 pages) and index

Please report problems with the web pages to the maintainer