The RISKS Digest
Volume 28 Issue 04

Tuesday, 24th June 2014

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Bloomberg News index of stories on health RISKS
Ed Ravin
Badly engineered missile defense systems deployed "because there was a rush"
Gabe Goldberg
Various aircraft disappeared from controllers' purview
Reuters via PGN
Pervasive drone failures
Craig Whitlock via PGN
Is There a Crisis in Computer-Science Education?
Jonah Newman
Shortage of Cybersecurity Professionals: Risk to National Security
ACM TechNews
Hong Kong electronic voting system cyber-attacked
SCMP via Lauren Weinstein
Re: Hong Kong electronic voting system cyber-attacked
Gordon Peterson via Dave Farber
Wrong e-mail address: 35,000 student records misaddressed
danny burstein
London transport authority acknowledges contactless technology risk
Wm
"Murder in the Amazon cloud"
Paul Venezia via Gene Wirchenko
PKI Compromised on Blackberry 9900 Series Devices
Alan Boritz
Poorly anonymized logs reveal NYC cab drivers' detailed whereabouts
Ars Technica via Lauren Weinstein
Stingrays nab cellular activities
dan farmer
Free Wi-Fi from Xfinity and AT&T also frees you to be hacked
Sean Gallagher via Henry Baker
Re: Hong Kong electronic voting system cyber-attacked
Christian Huitema via Dave Farber
Bank online banking garbles outgoing payments
danny burstein
Re: Trouble with firefox updates
Joe Durusau
Info on RISKS (comp.risks)

Bloomberg News index of stories on health RISKS

Ed Ravin <>
Sat, 21 Jun 2014 13:29:03 -0400
Bloomberg News has a nice index page of stories about hacking pacemakers and
insulin pumps, electronic health records privacy/security issues, and so on.
There's also articles on "Who's buying medical records" and one on deaths
blamed on electronic health record systems.  In short, it reads like a RISKS
digest special issue on computers and health care:

One interesting thing noted from the article "UnitedHealth recalls Digital
Health Record Software"—medical devices that have software bugs that kill
people have to be reported to the FDA, but health record software that has
bugs that can kill people doesn't.

And special mention for the graphic on re-identifying allegedly anonymous
medical records:

Badly engineered missile defense systems deployed "because there was a rush"

Gabe Goldberg <>
Thu, 19 Jun 2014 22:32:45 -0400
A *Los Angeles Times* investigation found that many former and current
Pentagon officials familiar with the U.S. missile defense program consider
it a failed program. The U.S. Missile Defense Agency (MDA), tasked with
developing and testing missile defense systems, has spent over $40 billion
to develop the Ground-based Midcourse Defense system (GMD), a system many
industry observers call unreliable and requiring complete redesign.

Various aircraft disappeared from controllers' purview

"Peter G. Neumann" <>
Fri, 20 Jun 2014 14:38:58 PDT
Source: Reuters, *The Guardian*, 14 Jun 2014 (Thanks to Peter Ladkin;
  slightly PGN-ed)

Dozens of aircraft briefly vanished from air-traffic control radars in
Austria, Germany, the Czech Republic and Slovakia over the last two weeks in
incidents that Slovak authorities blamed on military electronic warfare
exercises.  Air-traffic controllers in Austria and Germany said data about
the planes—position, direction, height or speed—went missing on 5 and
10 June 2014, but the outages posed no serious danger. Their Czech and
Slovak counterparts also encountered cases of vanishing aircraft on the same

The disappearance of objects on radar screens was connected with a planned
military exercise that took place in various parts of Europe, whose goal was
the interruption of radio communication frequencies, according to the Slovak
air traffic services.  "Immediately after the identification of the problem
with the displays, the side organising the exercises was contacted and the
exercise was stopped."  It did not identify the military force, but
Austrian media said it was NATO.  NATO declined to comment.

Pervasive drone failures (Craig Whitlock)

"Peter G. Neumann" <>
Fri, 20 Jun 2014 14:38:58 PDT
Craig Whitlock, *The Washington Post*, 20 Jun 2014 [PGN-ed]
More than 400 drones have crashed since 2011, due to mechanical breakdowns,
human error, bad weather, and other reasons.  The cited report is certainly
a warning for future private drones.

Is There a Crisis in Computer-Science Education?

"ACM TechNews" <>
Mon, 23 Jun 2014 11:41:01 -0400 (EDT)
Is There a Crisis in Computer-Science Education?
The Chronicle of Higher Education (06/23/14) Jonah Newman
via ACM TechNews, Monday, June 30, 2014

Mother Jones editor Tasneem Raja recently wrote a report on computer science
education trends in the United States and found the country graduated
proportionally fewer computer science majors in 2011-12 than in 1985-86.  In
1985-86, 4.3 percent of college graduates received computer science degrees,
compared to just 2.6 percent of graduates in 2011-12.  However, the report
also found a steady fluctuation in interest among undergraduates and
graduates in computer science.  For example, in the 1970s and 1980s, many
elementary, middle, and high schools taught computer science programming to
students, according to University of Oregon professor Joanna Goode.
However, "as the PC revolution took place, the introduction to the CD-ROMs
and other prepackaged software, and then the Internet, changed the typical
school curriculum from a programming approach to a 'computer literacy'
skill-building course about 'how to use the computer,'" Goode says.  In
addition, fluctuations in college-degree attainment are often connected to
changes in the job market in certain industries.  The peak in computer
science degrees came in 1985, about four years after the introduction of
IBM's first personal computer and the Apple II.  Similarly, a second wave of
computer science graduates came in the early 2000s, about four years after
the dot-com bubble.  The latest data indicates the U.S. currently is in the
middle of another rise in interest in computer science at the college level,
according to Raja.

Shortage of Cybersecurity Professionals: Risk to National Security

"ACM TechNews" <>
Mon, 23 Jun 2014 11:41:01 -0400 (EDT)
Shortage of Cybersecurity Professionals Poses Risk to National Security (18 Jun 2014) via ACM TechNews, Monday, June 30, 2014

The nationwide shortage of cybersecurity professionals is posing risks for
national and homeland security, according to a new RAND Corporation study.
The demand for trained cybersecurity professionals is particularly severe in
the federal government, which offers lower salaries than the public sector.
"As cyberattacks have increased and there is increased awareness of
vulnerabilities, there is more demand for the professionals who can stop
such attacks," says RAND scientist and lead study author Martin Libicki.
"But educating, recruiting, training, and hiring these cybersecurity
professionals takes time."  Libicki says the demand for cybersecurity
professionals began to overtake supply in 2007, largely due to increased
reports of large-scale hacking attacks.  The manpower shortage is primarily
at the high end of the capability scale, where cybersecurity professionals
command salaries of more than $200,000 to $250,000, according to Libicki.
Many organizations are trying to deal with the shortage by focusing on
internal promotion and educational efforts.

Hong Kong electronic voting system cyber-attacked

Lauren Weinstein <> <>
June 19, 2014 at 12:54:09 AM EDT
  (South China Morning Post via NNSquad)

  Organizers of Occupy Central say they will extend voting on electoral
  reform from three days to 10 days after its electronic system was targeted
  by hackers.  The system, set up to accept advance registrations, has been
  hit by more than 10 billion cyberattacks since it was launched last week.

As Gomer Pyle used to say, "Surprise, surprise, surprise!"

Re: Hong Kong electronic voting system cyber-attacked

"Gordon Peterson" <>
Jun 19, 2014 2:13 PM
   [Via Dave Farber's ip]

The FATAL flaw of online voting systems (and one for which there is *no*
technological solution whatsoever) isn't DDoS, identification, or
communications security.  It's very simply that there is *no* way to ensure
that the voter isn't voting under duress... with a gun held to their head
(figuratively, or even literally).  No way to be sure there isn't someone
watching over their shoulder to make sure they're voting the "right" way.
No way to make sure the voter isn't selling their vote (drugs, sex, alcohol,
money...).  Anyone in a position of power over the voter.  Employer,
landlord, union shop steward, nursing home attendant, parent, health care
giver, social worker, gang lord, .... could be almost anybody.

We *must* not allow online voting, or even generalized mail-in balloting,
for that reason.

  [That is hardly the ONLY FATAL FLAW.  The entire concept is fundamentally
  fatally flawed, given the total lack of trustworthiness throughout the
  entire process.  This is the ultimate Whack-a-Mole game, and Gordon is
  DRAMATICALLY oversimplifying.  PGN]

Wrong e-mail address: 35,000 student records misaddressed

danny burstein <>
Tue, 17 Jun 2014 21:11:03 -0400 (EDT)
  [Press Enterprise, California]

Confidential records for 35,212 Riverside Community College District
students were mistakenly e-mailed to an unknown account in a security breach,
officials said Monday, June 16.

Students were being notified that some of their confidential information --
including Social Security numbers, birth dates, addresses and phone numbers
-- may be at risk.  ...

The employee used a personal e-mail account to send the data to the
researcher's personal e-mail address because the data file was too large to
go through the district's secure, encrypted e-mail server, district Interim
Chancellor Irving Hendrick said. The employee incorrectly typed the address,
he said.

The data contains students' names, addresses, birth dates, student e-mail
addresses, preferred telephone numbers, some academic records, student ID
numbers and Social Security numbers for 97 percent of students, district
officials said.


London transport authority acknowledges contactless technology risk

Wm <>
Wed, 18 Jun 2014 19:41:13 +0100
How many organisations have warned users of their cards about the risks vs
how many have been discovered and reported?

I was checking the balance on my Oyster card [1] on-line and noticed this:

 = = =
Card clash

Keeping your Oyster card in your wallet or purse with other cards could
cause card clash.

If you keep your Oyster card in your wallet or purse with your bank cards,
you might occasionally see a red light when you touch it on a card reader at
stations and on buses. The red light means you haven't paid for your journey
and if you are at a ticket gate, it may not open.  This can happen even if
you've got enough pay as you go credit or a valid Travelcard on your Oyster
card because you could be experiencing 'card clash'.

Many cards are now issued with contactless technology - the same as Oyster

* Most bank, credit and charge card companies are issuing new cards
  ready for contactless payments
* Many companies, educational establishments now issue contactless
  cards for cashless catering or as building entry passes

If you touch your Oyster card on a yellow card reader when it's in the same
wallet or purse as another contactless card, the reader may detect more than
one card. When this happens, the card reader doesn't know which one to read
so rejects them and you could experience any of the following:

* The ticket gate does not open.

* You get a red light when you touch in on a yellow card reader on a bus,
  ticket gate or free-standing yellow card reader.

* On buses, where contactless payment cards are accepted, your fare could be
  charged to a card that you did not intend to pay with.

To avoid card clash:

* Don't touch a wallet or purse with multiple cards on the yellow card

* Keep your Oyster card separate from your contactless payment cards and only
  touch the card you want to use on the reader when touching in and out.

Later in 2014, when contactless payment cards are accepted for travel on
Tube, tram, DLR, London Overground and most National Rail services in
London, one of the following could also happen:

* Your fare could be charged to a card you didn't intend to pay with.

* You could be charged two maximum fares if the card reader reads one card
  when you touch in at the start of your journey and a different card at the
  end when you touch out.

* Remember to separate your Oyster card from other contactless cards when
  touching in and out.

[1] Oyster is a plastic smartcard which can hold pay as you go credit,
Travelcards and Bus & Tram season tickets. You can use an Oyster card to
travel on bus, Tube, tram, DLR, London Overground and most National Rail
services in London.

"Murder in the Amazon cloud" (Paul Venezia)

Gene Wirchenko <>
Mon, 23 Jun 2014 19:19:26 -0700
Paul Venezia, InfoWorld, 23 Jun 2014
The demise of Code Spaces at the hands of an attacker shows that, in
the cloud, off-site backups and separation of services could be key to survival

PKI Compromised on Blackberry 9900 Series Devices

"Alan Boritz" <>
Fri, 20 Jun 2014 18:33:00 -0400
This might not come as a surprise to what's left of traditional Blackberry
device users, but it appears that the 9900 and 9930 Blackberry devices do
not have a fully functional PKI security environment "out of the box." I
first discovered this when testing Steve Gibson's "revoked" web site
( I opened up a trouble ticket at Research in
Motion through T-Mobile and after an hour on the phone with a RIM tech
support person, finally got him to understand that a web site security
certificate that has been revoked should NOT show "stale chain status" and
"implicitly trusted." I also convinced him that a legitimate secure web site
(in this case should NOT display the same status as one with
a deliberately revoked security certificate. The implications of a
completely insecure web browser (in this case RIM's) are only the tip of the
iceberg with this particular device, since Blackberry Enterprise Server
(BES), and the less often used Blackberry Desktop Redirector, both use an
exchange of keys to implement point-to-point Triple-DES encryption.

The suspicious aspect of this security breach is that two models of
Blackberry devices from two different wireless carriers, and potentially
different parts of the world, have been compromised. I own both a Verizon
9930 and a T-Mobile 9900 (US frequencies, but may have originated out of the
US), and after wiping and re-initializing with both factory defaults
Apploader reformat, IT policies wiped (only one had one previously), both
devices show the exact same "stale chain status" and "implicitly trusted"
status for about half the root certificates in the devices.

For Steve's "revoked" web site, the Blackberry devices consistently show
"stale chain status," "unknown chain status," revocation status reads
"unknown," and trust status reads "implicitly trusted." But I also see the
same status message for "" and

RIM has published many papers on how PKI security works with their devices
and BES products, and I thought that the certificate sync, OCSP, and CRL
functions were pretty good. As of this moment, although the desktop
certificate sync sort of works (only adds, won't delete), nothing else
does. Both the desktop and devices ignore the OCSP and CRL URLs, and none
are sync'ing into any device or from the device to the desktop. Even if
I enter the OCSP and CRL URLs directly in the devices, the devices are not
reaching out to any of them.

The last RIM customer service person was trying to prompt me through
manually "trusting" the questionable certificates (including a revoked
certificate), and tried to convince me that this is how security is supposed
to work on Blackberry devices. I asked him if he had heard about the
Heartbleed bug, and how secure web site operators were revoking their
security certificates so that people surfing the web couldn't be tricked
into viewing a fraudulent site using one of the old certificates (now
revoked), but he wasn't getting it. RIM insists that "unknown chain status"
doesn't mean a secure connection isn't secure, since the device is always
supposed to load any web page I select. I asked the RIM tech how can a
connection be "secure" if the device couldn't validate the certificate? He
wouldn't answer. I asked the RIM tech how can a Blackberry device on a
Blackberry Enterprise Server (BES) detect if it's reaching a bogus BES
system, and he wouldn't answer that, either.

Previously, after I brought this to RIM's attention, all they did was to
attempt to quickly close out the trouble ticket and record it as "closed,"
whether I responded or not. Each time, they close the ticket quicker. This
time the RIM tech refused to escalate the problem to anyone, just insisted
this is the way the device is supposed to work and that's it.

It's obvious at this point that the PKI system compromise was intentional,
and that RIM has no intention of changing it. It's also obvious that if
Blackberry devices can't detect deliberately revoked security certificates,
and the devices have been rigged to NOT warn users when their devices cannot
determine the validity of any certificate, I have to wonder whether or not
the devices could detect a bogus Blackberry Enterprise Server at the other
end of a secure channel.
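As an added illustration (not from the digest, from RIM, or from any BlackBerry software), the Go program below shows what a fail-closed revocation check looks like: a server certificate is accepted only if the chain validates for the host name and a CRL signed by the root, still inside its validity window, does not list it; a revoked certificate, a missing CRL, a CRL with a bad signature or a stale CRL are all rejected instead of being reported as "implicitly trusted". The root, the leaf for revoked.example.test, the CRL and all function names are constructed fixtures generated in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrRevoked = errors.New("certificate is revoked")
var ErrRevocationUnknown = errors.New("revocation status could not be determined")

// ValidateServerCert validates the chain for host, then checks a DER CRL and fails
// closed: a revoked leaf, no CRL, a bad CRL signature or a stale CRL all reject.
func ValidateServerCert(leaf, root *x509.Certificate, crlDER []byte, host string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now}); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if len(crlDER) == 0 { // the client never fetched a CRL: unknown, not trusted
		return fmt.Errorf("%w: no CRL available", ErrRevocationUnknown)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("%w: %v", ErrRevocationUnknown, err)
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("%w: CRL signature invalid: %v", ErrRevocationUnknown, err)
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("%w: CRL is stale", ErrRevocationUnknown)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// NewTestPKI generates a throwaway root, a leaf for revoked.example.test and a
// CRL that lists the leaf when revokeLeaf is true (constructed fixture, not RIM's PKI).
func NewTestPKI(revokeLeaf bool) (leaf, root *x509.Certificate, crlDER []byte) {
	now := time.Now()
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	must(err)
	root, err = x509.ParseCertificate(rootDER)
	must(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{"revoked.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	must(err)
	leaf, err = x509.ParseCertificate(leafDER)
	must(err)
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	if revokeLeaf {
		crl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now.Add(-time.Minute)}}
	}
	crlDER, err = x509.CreateRevocationList(rand.Reader, crl, root, rootKey)
	must(err)
	return leaf, root, crlDER
}
```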

Poorly anonymized logs reveal NYC cab drivers' detailed whereabouts

Lauren Weinstein <>
Mon, 23 Jun 2014 15:19:03 -0700
Ars Technica via NNSquad

  "Botched attempt to scrub data reveals driver details for 173 million taxi

Stingrays nab cellular activities

dan farmer <>
Sat, 21 Jun 2014 21:47:10 -0700
The lengths that police and government folks will go to lie, cheat, steal,
is still amazing to me. Do they have any moral compass that's recognizable
anymore to anyone but themselves?

In this episode of our long-running drama, US marshals and cops use
Stingrays (and presumably other things they simply haven't been caught with
yet) that nab cell location and activity and then collude to lie to judges,
defendants, just about everyone but themselves, and take outrageous actions
to hide their activities (well, no surprise, even they know they're beyond
the pale.)  The ACLU even seems taken aback.

Free Wi-Fi from Xfinity and AT&T also frees you to be hacked (Sean Gallagher)

Henry Baker <>
Mon, 23 Jun 2014 08:04:29 -0700
Sean Gallagher, Ars Technica, 22 Jun 2014
Ars tests how easy it is to spoof big broadband providers to grab data.

Welcome to a way for hackers to fool you into connecting to malicious
networks and give up your personal data: a spoofed Xfinity login page.


If you've traveled and tried to get on the Internet, you've probably seen
some pretty suspicious looking Wi-Fi networks with names like "Free Wi-Fi"
and "Totally Free Internet."  Those are likely access points you'd best
avoid.  But there's a much bigger threat to your security than somebody
randomly fishing for you to connect to them—the networks you've already
connected to and trusted, like AT&T and Xfinity.

[Image: The default settings for the AT&T Wi-Fi network on my iPhone, before I got paranoid.]

Mobile broadband providers are eager to get you to connect to their
Wi-Fi-based networks while you're away from home.  AT&T has built a network
of free hotspots for customers at thousands of places—including train
stations, as well as Starbucks and McDonald's locations across the country.
Comcast has spread its Xfinity wireless network far and wide as well,
turning customers' cable modems into public Wi-Fi hotspots accessible with
an Xfinity account login.

These free Wi-Fi connections are popular, for good reason—they help
reduce the amount of broadband cellular data you consume, and they often
provide better network speeds than what you can manage over a 4G connection.
But they also offer a really easy way for someone to surreptitiously tap
into your Internet traffic and capture your account information for
less-than-friendly purposes.  Millions of AT&T and Xfinity customers could
be leaving themselves exposed to surreptitious hacking of their Internet
traffic, exposing their personal data as a result.

As we reported in our joint experiment with NPR, AT&T sets smartphones to
recognize and connect to attwifi hotspots automatically.  This can be
switched off in iPhones by setting the phone to ask the user before
connecting to networks when Wi-Fi is turned on but not associated with a
hotspot.  But that isn't an option on many Android devices.  (Update: as
readers point out, the latest AT&T Android settings allow for auto-connect
to be disabled.)

To demonstrate this, I set up my laptop as a Wi-Fi hotspot broadcasting the
network name (SSID) attwifi (after alerting my neighbors, of course).  After
killing off the settings for my preferred networks on my iPhone, I turned on
the Wi-Fi, and it connected to the fake attwifi hotspot without prompting.

[Image: The captured traffic from my iPhone as it finds the fake "attwifi"
hotspot and starts looking for things.]

When I killed the attwifi network after a few seconds, my iPhone promptly
demonstrated the further risks of auto-connecting—it automatically
reconnected with another network in the list of trusted networks on my
phone: a hotspot called xfinitywifi.  I had used an Xfinity hotspot while
waiting for an appointment a few days earlier, and suddenly I was logged
into a hotspot running on my neighbor's cable modem.

[Image: When the fake AT&T network went away, a real Xfinity network
connected me right away.]

Comcast's Xfinity wireless hotspots present a Web page for login that
requests a customer's account ID and password, and each time you connect to
a new hotspot it re-authenticates you.  But if you've connected once during
the day, the hotspot remembers your device and reconnects you without

That means that if someone were to set up a malicious Wi-Fi access point
called xfinitywifi, devices that have connected to Xfinity's network before
could automatically connect without alerting the user or asking for the
password.  Alternatively, using a honeypot tool such as PwnStar, an attacker
could spoof both the xfinitywifi SSID and the Xfinity login page—stealing
their Xfinity credentials in the process.

PwnStar includes the ability to redirect devices connecting to a Web page on
the attacking system, record credentials, and then pass the victim on to
Internet access as if nothing had happened—meanwhile launching
man-in-the-middle attacks against the client (as I demonstrated for myself
using an SSID called notxfinity to deter any of my neighbors from trying to
connect to it).

[Image: PwnStar in action on my Kali Linux laptop.]

By the way, those Xfinity Wi-Fi login credentials?  They're the same set of
credentials used to gain access to Comcast customers' account billing
information, webmail, and other services.

This is not to say that AT&T's and Xfinity's networks are insecure in
themselves.  They are just common enough to give someone with evil in mind a
way to cast a wide net for potential victims over Wi-Fi.  The same tools I
used to spoof Xfinity could be set to automatically respond to a victim's
phone as any Wi-Fi access point they've trusted.  That's because of the
probe requests generated by smartphones and Wi-Fi—when you turn on your
phone's Wi-Fi adapter, it will seek out any network you've ever connected to
that it was not told to forget.  When I set my attack access point (the
laptop) to not connect devices but to respond to all probe requests, my
iPhone attempted in turn to connect to every Wi-Fi network I've connected to
this year.  That in itself can be a privacy concern, since the SSIDs and
other data associated with those probe requests can be used to essentially
map out my movements.

This sort of attack can be played out anywhere you'd normally connect to a
public Wi-Fi network.  Tools like the ones I've tested can be set up to
actively go after a user of a public network, force them to disconnect from
their existing Wi-Fi network, and then pick up that connection themselves.
All of this can be done with something as small as an Android phone as well,
using a broadband cellular connection to provide victims with uninterrupted
Internet access, as we saw with the PwnPhone.

Sean Gallagher / Sean is Ars Technica's IT Editor.  A former Navy officer,
systems administrator, and network systems integrator with 20 years of IT
journalism experience, he lives and works in Baltimore, Maryland.
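As an added illustration (not part of the digest or of Ars Technica's tests), the Go program below models the stricter auto-join check that the article's advice amounts to: a remembered SSID is joined silently only when the access point's BSSID matches one recorded when the user joined that network deliberately, a remembered network that reappears with a different security mode is refused, and anything else prompts the user instead of connecting. The scan line format, the SSIDs, BSSIDs, baseline profiles and function names are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// ScanRecord is one access point seen by a Wi-Fi scan. The line format
// "<ssid> <bssid> <open|wpa2>" is constructed for this example, not any
// real scanner's output.
type ScanRecord struct {
	SSID, BSSID, Security string
}

// ParseScan reads the constructed scan format; blank and "#" lines are skipped.
func ParseScan(text string) ([]ScanRecord, error) {
	var recs []ScanRecord
	for n, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("line %d: want 3 fields, got %d", n+1, len(f))
		}
		recs = append(recs, ScanRecord{f[0], strings.ToLower(f[1]), strings.ToLower(f[2])})
	}
	return recs, nil
}

// Remembered is a saved profile plus the security mode and BSSIDs seen
// when the user joined that network deliberately (the baseline).
type Remembered struct {
	Security string
	BSSIDs   map[string]bool
}

// Decision is what the hardened auto-join policy does with one scan record.
type Decision struct{ SSID, BSSID, Action, Reason string }

// AutoJoinPolicy is the stricter alternative to SSID-only matching: "join"
// only when BSSID and security mode match the baseline, "refuse" when the
// security mode changed (a remembered WPA2 network now open), else "prompt".
func AutoJoinPolicy(scan []ScanRecord, saved map[string]Remembered) []Decision {
	var out []Decision
	for _, r := range scan {
		p, ok := saved[r.SSID]
		if !ok {
			continue // never remembered, so never auto-joined
		}
		d := Decision{SSID: r.SSID, BSSID: r.BSSID}
		switch {
		case r.Security != p.Security:
			d.Action, d.Reason = "refuse", "security mode differs from baseline "+p.Security
		case p.BSSIDs[r.BSSID]:
			d.Action, d.Reason = "join", "BSSID and security mode match baseline"
		default:
			d.Action, d.Reason = "prompt", "unknown BSSID for a remembered SSID; ask the user"
		}
		out = append(out, d)
	}
	return out
}

// Demo runs the policy over a constructed scan: "attwifi" and "xfinitywifi" appear
// from BSSIDs never joined before, "HomeNet" has lost its encryption, "OfficeNet"
// matches its baseline and "CoffeeShop" was never saved.
func Demo() ([]Decision, error) {
	const scan = `
# constructed scan results: ssid bssid security
attwifi     AA:BB:CC:00:00:01 open
xfinitywifi 10:20:30:40:50:61 open
HomeNet     de:ad:be:ef:00:02 open
OfficeNet   de:ad:be:ef:00:03 wpa2
CoffeeShop  de:ad:be:ef:00:04 open
`
	saved := map[string]Remembered{
		"attwifi":     {"open", map[string]bool{"00:11:22:33:44:55": true}},
		"xfinitywifi": {"open", map[string]bool{"10:20:30:40:50:60": true}},
		"HomeNet":     {"wpa2", map[string]bool{"de:ad:be:ef:00:02": true}},
		"OfficeNet":   {"wpa2", map[string]bool{"de:ad:be:ef:00:03": true}},
	}
	recs, err := ParseScan(scan)
	return AutoJoinPolicy(recs, saved), err
}
```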

Re: Hong Kong electronic voting system cyber-attacked

Christian Huitema <>
June 19, 2014 at 7:02:19 PM EDT
  [via Dave Farber]

Uh, maybe. But then, check this:

The first lines on that official website of Washington State read:
"Washington State votes by mail. Vote by mail is convenient and gives you
extra time to learn about the ballot measures and candidates before casting
your vote."

In practice, we do not observe more fraud in Washington State than in other
places that stuck with traditional ballots.

Bank online banking garbles outgoing payments

danny burstein <>
Fri, 20 Jun 2014 17:07:53 -0400 (EDT)
It seems that (and I can confirm [a]) Citibank's online payment system had a

Quoting from the message to account holders when they logged in:

"We discovered that Citibank Online Bill Payment check(s) processed from
your account between 7 Jun and 11 Jun 2014 displayed an incorrect 'Remitted
by' or sender name and address." The msg adds that the rest of the info,
such as send to, account, amount, were correct.

[a] as it turns out, the check I had them print up and mail out
was... to me. And I hadn't yet deposited it.

Looking at it right now, the "remitted by" info on both the tear sheet, and
on the actual check, where it should have _my name and address_, has that of
someone completely unrelated to me with a cross country address.

The "pay to" section, which should have my name and address, was correct.

* Annoyingly enough, Citi's daily summary e-mails (balance info) continued
through the week, but no one thought to send out an e-mail notice about this

Re: Trouble with firefox updates (RISKS, Wirchenko-27.95)

"Joe Durusau" <>
Fri, 20 Jun 2014 19:18:47 -0600
Perhaps the easiest solution is to simply turn updates off. I don't know about all versions, but as of 29.0, you can do this by clicking on the tools menu, selecting options, advanced, then select the update tab. There is an option there to never check for updates.

A more definitive way of customizing Firefox is to simply download the source code from, and change it however you wish. The license allows you to freely change it at your pleasure.
