The RISKS Digest
Volume 29 Issue 02

Tuesday, 6th October 2015

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Your MRI machine has already been pwned
Scott Erven and Mark Collao via Henry Baker
European court of Justice bans "Safe Harbor" decision
Thomas Koenig
Top EU court says US privacy protections are inadequate in landmark ruling
Amar Toor
How Many Deaths Did Volkswagen's Deception Cause in the U.S.?
Engine Shortfall Pushed Volkswagen to Evade Emissions Testing
Peeple Risks
Rob Slade
The Athens Affair shows why we need encryption without backdoors
Trevor Timm
Dorothy Denning
Grady Booch
Got 'Em! Researchers Steal Crypto Keys From Amazon Cloud
Fahmida Y. Rashid
Identifying Problems With National Identifiers: Supposedly Encrypted Numbers Can Be Easily Decrypted
Study Rates UW CSE ... Most Practically Relevant
US Customs collecting info on every Amtrak passenger
Al Mac
Scottrade had no idea about data breach until the feds showed up
Sherry Turkle's Reclaiming Conversation
Business Technology Starts to Get Personal
Re: Open Office on Ubuntu
Henry Crun
Re: How to make the Internet worse for everyone except the slimeballs
David Canzi
Putting Mobile Ad Blockers to the Test
Re: Adblock sells out—refuses to identify the buyer
Alan Ralph
Info on RISKS (comp.risks)

Your MRI machine has already been pwned

Henry Baker <>
Tue, 06 Oct 2015 09:32:51 -0700
FYI—The next time you're lying on a gurney waiting to get an X-ray or MRI
scan, contemplate the probability that your X-ray or MRI machine has
*already been compromised*.  Scott Erven & Mark Collao set up similarly
configured honeypots & found them constantly under successful attack due to
massive numbers of unpatched vulnerabilities and hardwired credentials.

Scott & Mark think that many of these attackers didn't even realize the
types of machines that they had successfully attacked; these attacks are
apparently large-scale automated attacks on *every* Internet address looking
for vulnerable computers.  This means that *every* vulnerable machine
attached to the Internet will eventually be pwned because every known
exploit will eventually be tried on all of them.

X-ray and MRI machines have service technician screens including
"calibration" interfaces which could be used to override some of the
built-in safety mechanisms.

I shudder to even think about pwned Lasik machines...

 - - - -

Break Me14 Medical Devices Pwnage and Honeypots Scott Erven Mark Collao
IronGeek, 27 Sep 2015

These are the videos from Derbycon 2015:

Jeff Goldman, Thousands of Critical Medical Devices Exposed Online, 1 Oct 2015

'These devices are getting owned repeatedly,' security researcher Mark
Collao said.

At the DerbyCon security conference in Louisville, Kentucky, security
researchers Scott Erven and Mark Collao recently stated that thousands of
critical medical devices are connected to the Internet and vulnerable to
attack, The Register reports.

At one unnamed U.S. healthcare organization with 12,000 staff and 3,000
physicians, Erven and Collao said, more than 68,000 devices are exposed
online, including 21 anaesthesia systems, 488 cardiology systems, 67 nuclear
medical systems, 133 infusion systems, 31 pacemakers, 97 MRI scanners, and
323 picture archiving and communications devices.

The researchers discovered the linked devices through the Shodan device
search engine.  "Once we [started] changing [search terms] to target
speciality clinics like radiology or podiatry or pediatrics, we ended up
with thousands with misconfiguration and direct attack vectors," Erven said.

MRI and defibrillator machine honeypots placed by Erven and Collao attracted
55,416 successful SSH and Web logins and 299 malware payloads.  As a result,
they said, it's reasonable to assume that there are infected medical devices
connecting to command and control servers on a regular basis.

"These devices are getting owned repeatedly, and now that more devices and
hospitals are Wi-Fi enabled, it's pretty prevalent," Collao said, SC
Magazine reports.  "Next time you're in a hospital and you're getting hooked
up to a machine and you see Ethernet going into a wall, it makes you think
twice—is this connected to a command and control server somewhere?"

"The Internet of Things is already here, and some of its denizens are
already in critical condition," Tripwire director of IT security and risk
strategy Tim Erlin told eSecurity Planet by email.  "Embedded devices are
nothing new, and the expansion of Internet connectivity has turned networked
embedded devices, from energy to healthcare, into internetworked embedded
devices.  As the forward end of the industry works to bring the 'things' to
the Internet, the Internet has already been brought to the 'things' that
were out there."

"With embedded devices, it's often not as simple as applying the latest
updates," Erlin added.  "When those devices interact directly with a human
being in a therapeutic task, it's even more complicated to make changes.
This isn't a challenge that's likely to go away.  It's likely to get worse,
and make headlines, when someone hacks a medical device to make a point."

European court of Justice bans "Safe Harbor" decision

Thomas Koenig <>
Wed, 7 Oct 2015 00:00:28 +0200
The European Court of Justice has declared the "Safe Harbor" decision, under
which personal data of EU citizens could be handed over to US companies
provided these companies bound themselves to certain rules, illegal.  The
indiscriminate access of US authorities to this data is held to contradict
fundamental human rights to privacy and to judicial protection.

The court's arguments are very strongly worded, and are quite familiar to
anybody who has read RISKS for any length of time since 2013.  In the
argument given prior to the decision, the Advocate General specifically
cited PRISM as a reason why US privacy provisions were inadequate.  The US
government tried to counter this with a statement, but to no avail.

Apart from the human rights aspects, this is likely to have a severe impact
on Internet commerce.  Around 4500 companies transfer personal data of EU
citizens to the US for processing under the "Safe Harbor".  This legal basis
for this has now been removed.  Some companies have tried to use other legal
grounds for transferring data, but it is at the moment quite unclear which
of these are, in fact, legal.

Companies operating in Europe might be obliged to state in their conditions
of service that may be handed over to US intelligence indiscriminately.  Of
course, this might put them into the quandary that US law prohibits such
revelations.  The only way out might be for US Internet companies to move
their data centers to Europe, or to stop doing business with EU citizens.

As an aside, the negotiations about TTIP are also likely to be held up.

So, the NSA scandal is finally going to cost the US (and possibly other)
economies a *lot* of money.

The strategy of just ignoring the NSA scandal and hoping that it will all go
away if all participants simply close their eyes hard enough has not worked.

Today might also be remembered as a big step towards the break-up of the
Internet into regional networks, which is now a very real possibility
following the NSA scandal.

The press release itself can be found at

Some key sentences (stressed parts marked with asterisks are from the

  United States public authorities are not themselves subject to it
  [the agreement]. Furthermore, national security, public interest and
  law enforcement requirements of the United States prevail over the
  safe harbour scheme, so that United States undertakings are bound *to
  disregard, without limitation, the protective rules laid down by that
  scheme where they conflict with such requirements.* The United States
  safe harbour scheme thus enables interference, by United States
  public authorities, with the fundamental rights of persons.

  [...] legislation permitting the public authorities to have access on
  a generalised basis to the content of electronic communications must
  be regarded as *compromising the essence of the fundamental right to
  respect for private life*.

  [...] legislation not providing for any possibility for an individual
  to pursue legal remedies in order to have access to personal data
  relating to him, or to obtain the rectification or erasure of such
  data, *compromises the essence of the fundamental right to effective
  judicial protection,* the existence of such a possibility being
  inherent in the existence of *the rule of law.*

Top EU court says US privacy protections are inadequate in landmark ruling (Amar Toor)

Dewayne Hendricks <>
Tuesday, October 6, 2015
Amar Toor, The Verge, 6 Oct 2015
Decision to invalidate data-transfer agreement could have far-reaching
implications for U.S. tech companies in Europe

Europe's highest court today ruled that Facebook cannot send personal
information on European users to data centers in the US, invalidating a
15-year trans-Atlantic data transfer agreement. In a decision that could
have far-reaching implications for many US tech companies, the European
Court of Justice said that the EU's Safe Harbor agreement with the US is
"invalid" because the country does not guarantee adequate privacy
protections. The agreement allows technology companies to transfer data from
Europe to the US, provided that certain privacy requirements are met.
According to *The Wall Street Journal* today's ruling could impact around
4,500 companies that currently rely on the laws to transfer data to the US.

The case was brought before Ireland's high court by Max Schrems, an Austrian
activist who argued that Facebook had violated his privacy by processing his
personal data in the US, citing recent revelations about the NSA's
surveillance programs. The Irish court rejected Schrems' complaint, pointing
to the European Commission's Safe Harbor decision, but the European court
today ruled that the agreement is invalid, and that EU regulators should be
able to restrict data flows as they see fit.

In a statement, the court said that Irish authorities are now "required to
examine Mr. Schrems' complaint with all due diligence," and can decide
whether "transfer of the data of Facebook's European subscribers to the
United States should be suspended on the ground that that country does not
afford an adequate level of protection of personal data."

A Facebook spokesperson did not immediately respond to a request for

How Many Deaths Did Volkswagen's Deception Cause in the U.S.?

Monty Solomon <>
Sat, 3 Oct 2015 21:01:25 -0400

Public health researchers have formulas to calculate the lives lost from excess pollution.

Engine Shortfall Pushed Volkswagen to Evade Emissions Testing

Monty Solomon <>
Sun, 4 Oct 2015 12:26:46 -0400

The carmaker installed emissions-cheating software in 2008 after realizing
that a new diesel motor could not meet pollution standards, people familiar
with an internal inquiry said.

Peeple Risks

Rob Slade <>
Sat, 3 Oct 2015 12:06:22 -0700
  [Rob might become the Enemy-of-(the-)Peeple? PGN]

I am Rob not-of-Peeple.  But resistance is futile.  I will be assimilated,
whether I like it or not, if anyone knows my phone number.

As long as I don't sign up, I will remain in ignorance-is-blissful ignorance
of any negative "reviews," or other cyberbullying, taking place on the
system.  (At the moment I'd have to sign up through Facebook, which is
off-putting in any case.)

If any troll or malcontent does post anything negative about me, I have 48
hours to ask them nicely to rescind it.  If, for any reason, they decide not
to, there is absolutely nothing I can do about it.

Peeple. When you care enough to post the very worst.

Inquiring minds want to know:

Do they do any checking on the phone numbers?  Can I create an "account" for
someone just by putting in a random phone number?  Can you use someone's
work number?  Do they do any sanity checking?  Can I create someone with a
555 number?  Do they accept international phone numbers?  How do they deal
with Americans who know nothing about international phone number formats?

How hard would it be to mount a major cyberbullying campaign against the
founders of the system?

So far they are pushing babysitting and teaching, but how hard would it be
to create other categories on the system?  Could you create a
"generally-really-nasty- person" category and then rate people highly on
that?  Do they have any checks that would prevent you from using "bad words"
to create new categories?

Can you post pictures?  Video?  Fake ones?  Are they checking for copyright

The Athens Affair shows why we need encryption without backdoors (Trevor Timm)

Dewayne Hendricks <>
4 Oct 2015 08:43
The Athens Affair shows why we need encryption without backdoors.
Revelations about the hack that allowed Greek politicians to be spied on in
2004 come at a time when the White House is set to announce its encryption

Trevor Timm, *The Guardian*, 30 Sep 2015

Just as it seems the White House is close to finally announcing its policy
on encryption—the FBI has been pushing for tech companies like Apple and
Google to insert backdoors into their phones so the US government can always
access users' data—new Snowden revelations and an investigation by a
legendary journalist show exactly why the FBI's plans are so dangerous.

One of the biggest arguments against mandating backdoors in encryption is
the fact that, even if you trust the United States government never to abuse
that power (and who does?), other criminal hackers and foreign governments
will be able to exploit the backdoor to use it themselves. A backdoor is an
inherent vulnerability that other actors will attempt to find and try to use
it for their own nefarious purposes as soon as they know it exists, putting
all of our cybersecurity at risk.

In a meticulous investigation, longtime NSA reporter James Bamford reported
at the Intercept Tuesday that the NSA was behind the notorious Athens
Affair.  In surveillance circles, the Athens Affair is stuff of legend:
after the 2004 Olympics, the Greek government discovered that an unknown
attacker had hacked into Vodafone's "lawful intercept" system, the phone
company's mechanism of wiretapping phone calls. The attacker spied on phone
calls of the president, other Greek politicians and journalists before it
was discovered.

According to Bamford's story, all this happened after the US spy agency
cooperated with Greek law enforcement to keep an eye on potential terrorist
attacks for the Olympics. Instead of packing up their surveillance gear,
they covertly pointed it towards the Greek government and its people. But
that's not all: according to Snowden documents that Bamford cited, this is
a common tactic of the NSA. They often attack the "lawful intercept"
systems in other countries to spy on government and citizens without their

Exploiting the weaknesses associated with lawful intercept programs was a
common trick for NSA. According to a previously unreleased top-secret
PowerPoint presentation from 2012, titled "Exploiting Foreign Lawful
Intercept Roundtable", the agency's "countries of interest" for this work
included, at that time, Mexico, Indonesia, Egypt and others. The
presentation also notes that NSA had about 60 "Fingerprints"—ways to
identify data—from telecom companies and industry groups that develop
lawful intercept systems, including Ericsson, as well as Motorola, Nokia and

It's the exact nightmare scenario security experts have warned about
when it comes to backdoors: they are not only available to those that
operate them `legally', but also to those who can hack into
them to spy without anyone's knowledge. If the NSA can do it, so can
China, Russia and a host of other malicious actors. [...]

The 'Athens Affair' shows why we need encryption without backdoors

Dorothy Denning <>
October 5, 2015 at 1:42:05 PM EDT
There was a good article about this in 2007 in IEEE Spectrum. At the time,
they didn't know who did it.

Vassilis Prevelakis and Diomidis Spinellis, The Athens Affair, IEEE
Spectrum, July 2007,

The Athens Affair shows why we need encryption without backdoors

Grady Booch <>
Oct 4, 2015 2:09 PM
We did something similar at the end of World War II: having broken the
Enigma code, the US and the UK rounded up all the Enigma machines we could
find, and gave/sold them to many of our allies (but neglecting to tell them
the fact that Bletchley had broken the encryption).

Got 'Em! Researchers Steal Crypto Keys From Amazon Cloud

"ACM TechNews" <>
Mon, 5 Oct 2015 12:12:30 -0400 (EDT)
Fahmida Y. Rashid, InfoWorld, 30 Sep 2015, via ACM TechNews, 5 Oct 2015

Worcester Polytechnic Institute (WPI) researchers have demonstrated how to
use one instance of Amazon EC2 to recover the full 2,048-bit RSA key from a
separate Amazon instance.  "We exploit the [last-level cache (LLC)] to
recover the secret key of a modern sliding-window exponentiation-based
implementation of RSA, across cores and without relying on deduplication,"
the researchers say.  They note malicious hackers could use this strategy to
intercept the targeted entity's encrypted communications and extract
potentially valuable information.  For this attack to work, both the
attacker's Amazon account and the target Amazon account containing the
private RSA key must be on the same hardware chip or chip set.  "Everything
must work in concert together and it is highly difficult to pull off," notes
Comodo's Robin Alden.  The researchers say their technique highlights the
need for deploying stronger isolation techniques in public clouds.  Experts
recommend providers patch the weaknesses that make these types of attacks
possible, and smarter cache management policies for hardware and software
could prevent side-channel leakages and future exploits.  "A more random
placement policy would make it tougher for attackers to land on the same
[central processing unit] or hardware as that of the intended target," says
Ciphercloud's Sundaram Lakshmanan.

Identifying Problems With National Identifiers: Supposedly Encrypted Numbers Can Be Easily Decrypted

"ACM TechNews" <>
Mon, 5 Oct 2015 12:12:30 -0400 (EDT)
Harvard University, 29 Sep 2015, via ACM TechNews, Monday, October 5, 2015

Harvard University researchers have used a pair of experiments to show
Resident Registration Numbers (RRNs) used in South Korea can be decrypted to
reveal a range of personal information.  In the experiments, the researchers
were able to decrypt more than 23,000 RRNs using both computation and
logical reasoning.  The findings suggest that although such identifiers are
encrypted to protect privacy, they remain vulnerable to attack and must be
designed to avoid such weaknesses.  The researchers showed each number in
the RRN could be replaced with a letter in a recognizable pattern, which
could then be used to decrypt thousands of RRNs, which could reveal personal
information about their users.  They also found the final RRN digit is a
weighted sum of prior digits, meaning it is possible to decrypt the numbers
and then use arithmetic to confirm the accuracy of the information.  "Our
study shows that weak encoding systems, which refer to the very design of
the number, render encryptions as poor methods of protecting privacy," the
researchers note.  The findings are timely, because South Korea is currently
debating a redesign of RRNs and other nations, including the U.S., have
discussed the use of a single identifier for medical records, according to
Harvard professor Latanya Sweeney.
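As an added illustration (not code from the Harvard study or from this digest) of why a check digit turns a letter-for-digit substitution into a weak encoding: the scheme below only mirrors the "final digit is a weighted sum of prior digits" property described above; its weights, substitution table and sample numbers are all constructed for the example and are not the real RRN format. The keyed pseudonym at the end is the contrasting design a defender would reach for, since it carries no arithmetic relation a reader can verify without the key.

```python
import hashlib
import hmac

# Constructed check-digit scheme (NOT the real Korean RRN algorithm): the last
# digit is a weighted sum of the twelve preceding digits, reduced mod 11 then mod 10.
WEIGHTS = [2, 3, 4, 5, 6, 7, 8, 9, 2, 3, 4, 5]


def check_digit(body: str) -> int:
    """Weighted-sum check digit over a 12-digit body (constructed scheme)."""
    if len(body) != len(WEIGHTS) or not body.isdigit():
        raise ValueError("body must be exactly 12 digits")
    total = sum(int(d) * w for d, w in zip(body, WEIGHTS))
    return (11 - total % 11) % 10


def is_valid(number: str) -> bool:
    """True if a 13-digit number's last digit matches its check digit."""
    return (len(number) == 13 and number.isdigit()
            and int(number[-1]) == check_digit(number[:-1]))


# The "weak encoding": every digit is replaced by a fixed letter. Because the
# check relation survives the substitution, arithmetic can confirm a mapping.
DIGIT_TO_LETTER = dict(zip("0123456789", "QWERTYUIOP"))  # constructed table


def substitution_encode(number: str, table: dict) -> str:
    return "".join(table[d] for d in number)


def mapping_consistent(encoded: str, letter_to_digit: dict) -> bool:
    """Decode with a candidate mapping and test whether the check digit holds."""
    try:
        decoded = "".join(letter_to_digit[c] for c in encoded)
    except KeyError:
        return False
    return is_valid(decoded)


def confirm_mapping(encoded_ids: list, candidate: dict) -> bool:
    """A single check digit accepts a wrong mapping about one time in ten, so a
    mapping is only confirmed when it is consistent across every sample."""
    return all(mapping_consistent(e, candidate) for e in encoded_ids)


def pseudonymize(number: str, key: bytes) -> str:
    """Keyed pseudonym: no digit structure survives, so no check-digit oracle."""
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()[:16]


# Constructed sample numbers (12-digit body + computed check digit).
SAMPLE_IDS = ["900101123456", "850615654321"]
SAMPLE_IDS = [b + str(check_digit(b)) for b in SAMPLE_IDS]
ENCODED_IDS = [substitution_encode(n, DIGIT_TO_LETTER) for n in SAMPLE_IDS]

# The true inverse table, and a wrong candidate that swaps the letters for 1 and 2.
TRUE_INVERSE = {v: k for k, v in DIGIT_TO_LETTER.items()}
WRONG_INVERSE = dict(TRUE_INVERSE, W="2", E="1")

if __name__ == "__main__":
    print(SAMPLE_IDS, ENCODED_IDS)
    print("true mapping confirmed:", confirm_mapping(ENCODED_IDS, TRUE_INVERSE))
    print("wrong mapping confirmed:", confirm_mapping(ENCODED_IDS, WRONG_INVERSE))
    print("keyed pseudonym:", pseudonymize(SAMPLE_IDS[0], b"constructed-key"))
```

Note that the wrong mapping happens to pass the check on the first sample alone, which is exactly why the confirmation needs several numbers and why a structured identifier leaks so cheaply.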

Study Rates UW CSE ... Most Practically Relevant (U.Wash)

"ACM TechNews" <>
Mon, 5 Oct 2015 12:12:30 -0400 (EDT)
U.Wash via ACM TechNews, Monday, October 5, 2015

Study Rates UW CSE Software and Engineering Research Most Practically
Relevant of the Past Five Years, University of Washington News and
Information, 1 Oct 2015

A tool developed by University of Washington (UW) researchers to improve
collaboration between software developers has been judged the most
practically relevant software engineering research of the last five years.
The recognition comes from an industrial relevance study conducted by
Microsoft Research and Singapore Management University, which asked more
than 500 software developers to rate the relevance to their daily work of
571 research papers.  The greatest number of respondents rated the UW
project, which generated the Crystal collaboration tool, as an "essential"
addition to the practice of software development.  The UW research team, led
by professors Michael Ernst and the late David Notkin, developed Crystal as
a way to help developers who are working on a team in parallel avoid making
changes that might be in conflict with each other.  Crystal does this by
continuously merging every developer's changes into the software so
conflicts become apparent and can be quickly addressed.  Crystal prevents
wasting time returning to the code to rectify conflicts and problems after
the fact.  The paper on proactive conflict detection was part of the
speculative analysis project, led by Ernst at UW's Programming Languages &
Software Engineering group.

US Customs collecting info on every Amtrak passenger

"Alister Wm Macintyre (Wow)" <>
Mon, 5 Oct 2015 15:00:15 -0500
  (Papers Please & Mass Private via Black Listed)

US Customs is collecting the personal information of every Amtrak passenger
29 Sep 2015
Source: Mass Private I

According to Papers Please
ak-reservations/> :

released by Amtrak suggest that since 2012, US Customs and Border Protection
(CBP) has had direct access to Amtrak's reservation system, possibly
including access to reservations for Amtrak passengers traveling entirely
within the USA.

The Amtrak documents

Papers Please received are the fourth in a continuing series of long-overdue
interim responses to a FOIA request they made in October 2014 for records
related to Amtrak's data-sharing and other collaboration with DHS and other
US and foreign law enforcement agencies:
ments/> )

Scottrade had no idea about data breach until the feds showed up

Monty Solomon <>
Sun, 4 Oct 2015 03:29:43 -0400
When an organization gets hacked, ideally they'll realize it promptly and
warn their users right away. Take crowdfunding site Patreon, which was
hacked on Monday and has already informed the world about the problem.
Scottrade, an investment brokerage company, is different, and not in a good

The company announced Friday that it suffered a security breach over a
period of several months from late 2013 to early 2014, affecting
approximately 4.6 million customers. But in a statement, Scottrade said it
had no idea that the breach had occurred until law enforcement officials
told them about it.

Remember: This is a company that is charged with storing real money and
managing investments. Let that sink in for a second.

Sherry Turkle's Reclaiming Conversation

Monty Solomon <>
Sun, 4 Oct 2015 12:28:39 -0400

Jonathan Franzen reviews a new book based on interviews with people who say they feel controlled by new technologies.

Business Technology Starts to Get Personal

Monty Solomon <>
Mon, 5 Oct 2015 01:16:44 -0400

Despite their very different companies, the chief executives of General
Electric and Apple have something in common: They believe businesses will
increasingly rely upon `personalized' technology to run their operations.

Re: Open Office on Ubuntu

Henry Crun <>
Sun, 04 Oct 2015 04:58:59 +0300
The bug report is dated 2008, so the bug is weird, slipped past checks,
but is slightly outdated.  Mike R.

Re: How to make the Internet worse for everyone except the slimeballs

David Canzi <>
Sun, 4 Oct 2015 17:27:44 -0400
Don't blame the ad-blockers or their users.

Attention is the resource from which marketers make their living.  It's a
limited resource.

When the volume of advertising is low, a marketer, by putting one more ad on
a web page, gets an increase in profits.  As the volume of advertising
increases, the profit the marketer gains from one more ad decreases, and the
ad decreases the amount of attention paid to other marketers' ads, reducing
their profits.  At some point the profit a marketer gains by placing one
more ad is less than the total loss that the ad causes to other marketers.
This scenario may sound familiar...

The marketers who will survive are the ones who are willing to use the most
obnoxious tactics to take our attention.  Anybody with any decency will fail
or quit.  Web advertising will be dominated by slimeballs whether or not the
end users use ad-blockers.

Putting Mobile Ad Blockers to the Test

Monty Solomon <>
Mon, 5 Oct 2015 01:16:40 -0400

Two tests were carried out with ad blockers: one to measure how much loading
times were improved, and the second to study battery life.

Re: Adblock sells out—refuses to identify the buyer

Alan Ralph <>
Sat, 3 Oct 2015 20:19:50 +0100
Just to be clear, this is Adblock [1], not AdBlock Plus [2], that is the
subject of the article [3] that Lauren linked to.

Having said that, it's worth noting the following from said article :

What's interesting is six months ago Adblock changed its name suddenly [4]
to BetaFish Adblocker, claiming it was an `experiment'.

BetaFish is the name of Gundlach's holding company that owned Adblock and
around the same time had applied for a US trademark [5] on the word

Support staff claimed five months ago that the company was not being
purchased by someone or preparing for participation acceptable ad program,
but the move may have pre-empted today's deal.

The name was later changed back to simply Adblock, without further explanation.

Does that mean that AdBlock's new owners want to go after Eyeo [6], the
company that makes AdBlock Plus? I guess we'll find out soon enough!


Alan Ralph - Wearer Of Many Hats!
