The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 10

Friday 25 July 2014


Something ... wrong with US Passport computers
danny burstein
How Big Telecom came to fear one Tennessee town
Lauren Lyster via geoff goodfellow
Smart grid hack worries to raise insurance rates?
Suzanne Johnson via Dave Farber
How Hackers Hid a Money-Mining Botnet in Amazon's Cloud
Andy Greenberg via Dewayne Hendricks
Re: How Hackers Hid a Money-Mining Botnet in Amazon's Cloud
Ross Stapleton-Gray
Black Hat conference Tor presentation canceled
Clay Wells via Dave Farber
Russian government offers huge reward for help unmasking anonymous Tor users
Lauren Weinstein
iOS devices are still safe—from everybody except Apple and NSA
Serdar Yegulalp via Gene Wirchenko
When is a fire not a fire?
Michael Bacon
Re: Unix "*" wildcards considered harmful
John Levine
Re: Disk-sniffing dogs find thumb drives, DVDs?
Scott Miller
Info on RISKS (comp.risks)

Something ... wrong with US Passport computers

danny burstein <>
Thu, 24 Jul 2014 22:03:13 -0400 (EDT)
  [No one seems to be making any public explanations, except for this
  writeup at the Voice of America:]

Computer Crash Halts US Visa, Passport Operation

The U.S. State Department says a computer glitch will delay passports and
visas being issued from its embassies around the world.  Officials in
Washington say the computer glitch discovered on Saturday (the VOA report
was Thursday/ed) potentially could leave millions of people waiting for
U.S. travel documents.  State Department spokeswoman Marie Harf said the
problem is worldwide, and not specific to any country, documents or visa
category. She says it will stall the issuance of U.S. passports, visas and
reports of Americans born abroad.


How Big Telecom came to fear one Tennessee town (Lauren Lyster)

the keyboard of geoff goodfellow <>
Thu, 24 Jul 2014 07:19:55 -1000
Lauren Lyster, Yahoo Finance, 23 Jul 2014

A Tennessee city with fewer than 200,000 residents has arguably become
private cable companies' worst nightmare. How? The city of Chattanooga's
public electric utility provides super-fast broadband Internet service to
residents at competitive prices. Now, the utility—the EPB—is trying to
expand its reach beyond city limits. Private sector telecom companies are
fighting this effort and appear worried other cities will follow
Chattanooga's lead.

To expand to more residents in a state where one in five are without
Internet access, the EPB needs the Federal Communications Commission to
preempt a statute that prohibits the utility from competing with private
telecom companies outside its current market. David Sirota, senior writer at
International Business Times, tells us in the video above telecom companies
are trying to get the FCC to not to preempt this law.

As for why this issue exists, Sirota argues "private cable companies don't
like publicly-owned municipalities to compete with them," and so have
successfully lobbied for passage of laws in 20 states that ban or restrict
local governments from offering Internet service.

Check out the video to see how Chattanooga, known as "Gig City," has been
able to offer what analysts say is the fastest Internet in the country—50
times the average speed for homes in the rest of the U.S.—for $70 a month.

Meanwhile, hundreds of municipalities are reportedly laying their own fiber
networks, and more than 100 have started offering Internet access
already. Sirota thinks cities and towns will use what limited power they
have to continue doing this, saying the "fight will be can they move this
from successful model places like Chattanooga outwards." Sirota anticipates
a renewed round of lobbying from big telecom companies. ...

Smart grid hack worries to raise insurance rates?

*Suzanne Johnson* <>
Wednesday, July 23, 2014
  [Via Dave Farber]

Apparently the insurance industry and the utility folks are beginning to
look at the security issues around "smart grids", and realizing the

Quick Take:

As an industry, we've done a lot of thinking about the smart meter
cost/benefit equation. But I wonder if we've adequately considered what
would happen if smart meters made insurance rates go up? Two recent articles
in the Insurance Journal suggest that the insurance industry is waking up to
this new concern.  Jesse Berst

and, from The Insurance Journal....

Last November, Felix Lindner came very close to shutting down the power
supply of Ettlingen, a town of almost 40,000 people in the south of Germany.
“We could have switched off everything: power, water, gas,'' Lindner, head
of Berlin-based Recurity Labs, an IT security company, said.

Fortunately for residents, Lindner's cyber attack on its energy utility,
Stadtwerke Ettlingen, was simulated. But he revealed how easy it was to hack
into the utility's network through its IT grid, which gave him access to its
control room.

“The experiment has shown that sensitive, critical infrastructure is not
sufficiently protected,'' said Eberhard Oehler, managing director of the
utility, Stadtwerke Ettlingen.

Cyber attacks on infrastructure have become a major worry for utilities
following the 2010 Stuxnet computer virus, which experts believe was used by
Israel and the United States to make some of Iran's nuclear centrifuges tear
themselves apart. [...]

How Hackers Hid a Money-Mining Botnet in Amazon's Cloud (Andy Greenberg)

*Dewayne Hendricks* <>
Thursday, July 24, 2014
Andy Greenberg, *WiReD*, 24 Jul 2014 (Via Dave Farber)

Hackers have long used malware to enslave armies of unwitting PCs, but
security researchers Rob Ragan and Oscar Salazar had a different thought:
Why steal computing power from innocent victims when there's so much free
processing power out there for the taking?

At the Black Hat conference in Las Vegas next month Ragan and Salazar plan
to reveal how they built a botnet using only free trials and freemium
accounts on online application-hosting services—the kind coders use for
development and testing to avoid having to buy their own servers and
storage. The hacker duo used an automated process to generate unique e-mail
addresses and sign up for those free accounts en masse, assembling a
cloud-based botnet of around a thousand computers.

That online zombie horde was capable of launching coordinated cyberattacks,
cracking passwords, or mining hundreds of dollars a day worth of
cryptocurrency. And by assembling that botnet from cloud accounts rather
than hijacked computers, Ragan and Salazar believe their creation may have
even been legal.

“We essentially built a supercomputer for free,'' says Ragan, who along
with Salazar works as a researcher for the security consultancy Bishop Fox.
“We're definitely going to see more malicious activity coming out of these

Imagine a distributed denial-of-service attack where the incoming IP
addresses are all from Google and Amazon

Companies like Google, Heroku, Cloud Foundry, CloudBees, and many more offer
developers the ability to host their applications on servers in faraway data
centers, often reselling computing resources owned by companies like Amazon
and Rackspace. Ragan and Salazar tested the account creation process for
more than 150 of those services. Only a third of them required any
credentials beyond an e-mail address—additional information like a credit
card, phone number, or filling out a captcha. Choosing among the easy
two-thirds, they targeted about 15 services that let them sign up for a free
account or a free trial. The researchers won't name those vulnerable
services, to avoid helping malicious hackers follow in their footsteps. “A
lot of these companies are startups trying to get as many users as quickly
as possible.  They're not really thinking about defending against these
kinds of attacks.'' ...

Re: How Hackers Hid a Money-Mining Botnet in Amazon's Cloud

*Ross Stapleton-Gray* <>
Thursday, July 24, 2014
We need to recognize we're in the last days of the "people-moderated
processes," i.e., where things can't happen so fast, as they depend on
individuals' actions. We're well into an age where the right tail of "smart
software" has overlapped the left tail of "humans," in terms of ability to
respond to various tests, e.g., captchas, or even carrying on a simple
conversation... given the keyhole of "text over the Internet," it's getting
easier and easier for bots to pass. (And yet, tests can't be made harder,
lest more and more average humans fail in false negatives.)

Any system that depends on mapping obligations to individuals, and doesn't
account for the problem that bots can masquerade as individuals, is asking
for trouble. The trouble is, here, that the trouble they get ends up having
its greatest impact on third parties.

So I think we also ought to pay a good deal more attention to the economics
and liability side of security... I attended the UC Berkeley workshop
organized by Hal Varian, Ross Anderson, and Bruce Schneier, et al., more
than a decade ago ( ), and more
of that would be a good thing. We are seeing lots of problems by start-ups
(and not so young companies, too) wildcatting "undervalued" resources (e.g.,
throwing a bunch of servers into a cloud to dramatically reduce the cost of
cycles) while failing to pay full price for the consequences (e.g.,
suffering the cost of strong authentication).

Black Hat conference Tor presentation canceled

"Clay Wells" <>
Jul 24, 2014 8:16 AM
  [From SECURITY-SIG via Dave Farber]

Notice from Black Hat

PC World article

  Maybe Tor anonymity is *more* easily subverted than we might think?

Russian government offers huge reward for help unmasking anonymous Tor users

Lauren Weinstein <>
Fri, 25 Jul 2014 09:51:20 -0700
  "The Scientific Production Association for Special-Purpose Equipment and
  Communications of the Russian Interior Ministry is offering a contract for
  researching methods of obtaining technical information about users and
  user equipment on the Tor anonymous network, according to an entry on the
  Russian government's procurement portal. It's not clear what Tor
  de-anonymization would be used for, but the fact that the tender comes
  from the Russian Ministry of Interior suggests that it could serve law
  enforcement investigations."

(PC World):

iOS devices are still safe—from everybody except Apple and NSA (Serdar Yegulalp)

Gene Wirchenko <>
Tue, 22 Jul 2014 10:46:42 -0700
Serdar Yegulalp | InfoWorld, 21 Jul 2014
Security researcher says undocumented services allow Apple and law
enforcement to access the contents of any iOS device

When is a fire not a fire?

Michael Bacon <>
Tue, 22 Jul 2014 16:27:05 +0100
A driver on a British motorway was startled when the digital driver
information display showed "Fire", and they rapidly pulled on to the hard
shoulder and abandoned the car for safety.

However, when the police arrived it turned out that it was simply part of
the name of the Adele track they were listening to.

Very possibly a risk occasioned by some people becoming reliant on
technology and failing to engage brain.

Shouting Fire!' generates a visceral reaction in Jo Public, but in other
situations can effect the wrong response.  Some years ago, in a joint
European naval exercise, officers were exchanged between vessels.  A Belgian
Gunnery Officer found himself on the bridge of a British warship, manning
the torpedo control.  As part of a separate test, a rating screamed: "Fire!"
'Guns' immediately pressed the button and a torpedo arched from its tube and
hit the water running, straight towards another ship.  Fortunately it had a
dummy warhead.  The captain took the Belgian officer to one side and
explained that, to avoid such mistakes, the Royal Navy used the word "Shoot!".

Re: Unix "*" wildcards considered harmful (Harris, RISKS-28.09)

"John Levine" <>
22 Jul 2014 23:22:56 -0000
> But then, how do you delete a file called -rf, for instance?

Aw, come on.  This is one of the questions that's been asked and answered on
unix mailing lists and BBSes about once a week since the 1970s.  (There are
many answers but one of the simplest is "rm ./-rf".)

If you want to force a command to take subsequent arguments as file names,
the typical approach is to use a "--" argument that says it's the end of the
flags, but there are other ways, too.

It is true that if you don't know what you're doing, you can shoot yourself
in the foot in Unix shell scripts.  Is this really news?  Is it that
different from any other programming language?  I'm not sure what to call
the risk of people who don't do their homework and blame everyone but
themselves when they screw up.

  [Also noted by R A Lichtensteiger, who adds:
    "This sort of file appears every time someone writes a shell script
    that directs data into a file named ${FOO}-${BAR}-something and fails
    to initialize $FOO, $BAR, or both.
    So, this is the sort of question I would ask an entry-level candidate
    for a sysadmin position, as a filter."

Re: Disk-sniffing dogs find thumb drives, DVDs? (RISKS-28.09)

"Scott Miller" <>
Wed, 23 Jul 2014 12:29:28 -0400
Frankly, both scenarios (dogs positively identifying DVDs or portable memory
devices) fail my sniff test (sorry PGN, you had your chance :).  Can a dog
detect the smell of microelectronics with its nose? Plausibly. Can a dog
distinguish between different types of electronic devices by smell?  Highly
unlikely, in my estimation. I anticipate that evidence found via warrants
issued with this premise as justification will be ultimately ruled
inadmissible. My speculation is that with Richard Nixon's War On (Some)
Drugs on its last lame leg, the cops are desperately seeking additional
funding sources, and willing to stoop to fraud to obtain it (shocking,
that).  A little ground beef smeared on the search objects beforehand would
easily duplicate these results.

  [Perhaps the dog had one leg up on the situation?  PGN]

Please report problems with the web pages to the maintainer