The RISKS Digest
Volume 29 Issue 04

Saturday, 17th October 2015

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Flight MH17 downed by Russian-built missile
ACARS pen-tester reports vulnerabilities according to EASA
U.S. Navy teaching celestial navigation in case computers infected
Mark Thorson
Lessons from Ten Years of IT Failure
Robert Charette
How the NSA can break trillions of encrypted Web and VPN connections
Ars Technica quoting Alex Halderman and Nadia Heninger
Reducing risks in national elections?
Tesla Adds High-Speed Autonomous Driving to Its Bag of Tricks
Software fault causes UK drivers to be banned from driving
The Guardian
Robber uses Uber as getaway car
Mark Thorson
UltraDNS Server Problem Pulls Down Websites, Including Netflix, for 90 Minutes
Compulsive Texting Takes Toll on Teenagers
The Deception Behind Illegal Bets
Art Forgers Beware: DNA Could Thwart Fakes
Apple Is Said to Deactivate Its News App in China
Majority of ISPs not ready for metadata laws that come into force
Australian ABC
If you're not Flash Player "free" by now, you REALLY oughta be...
AppleInsider via Geoff Goodfellow
Credit Rules
US gov via AlMac
Video Explainer: How Criminals Can Easily Hack Your Chip & PIN Card
FBI's statement on microchip-enabled credit cards
Armando Stettner
FBI takes down alert on chip credit cards after bankers complain
John Levine
Social Media Abuse Stories to Shrivel Your Soul
Re: Undercover New Hampshire police nab cellphone ban violators
Bob Frankston
Apple removes Been Choice and other ad blockers from its app store
Monty Solomon
Info on RISKS (comp.risks)

Flight MH17 downed by Russian-built missile

"Peter G. Neumann" <>
Tue, 13 Oct 2015 17:11:51 PDT
Seemingly conclusive Dutch report via *The Guardian*

ACARS pen-tester reports vulnerabilities according to EASA

"Peter G. Neumann" <>
Tue, 13 Oct 2015 16:24:49 PDT
The following article argues that a penetration tester was able to access
aircraft control systems through ACARS.

U.S. Navy teaching celestial navigation in case computers infected

Mark Thorson <>
Wed, 14 Oct 2015 15:59:31 -0700
Computer-based systems are not trusted, so the stars
are your backup.  Better keep a lodestone in your pocket.

Lessons from Ten Years of IT Failure

"Robert Charette" <>
Sat, 17 Oct 2015 12:39:43 -0400
Back in September 2005, IEEE Spectrum magazine published my article "Why
Software Fails," that examined the underlying causes of notable IT project
failures. Then, in June 2007, I started writing the Risk Factor blog for the
magazine, with the goal of tracking information technology development and
operational failures/ooftas both large and small.  Since the beginning of
the year, my Spectrum colleague Josh Romero and I have been working quite
hard organizing, verifying and analyzing the data collected from over 1,750
Risk Factor blog posts (as well as other public information) and figuring
out a convenient way to display the most significant/interesting failures
that have happened since my 2005 article.  The project (somewhat ironically)
turned out to be a bit more complex and time consuming than planned, but we
are now finally done.

The landing page for our effort is now available here: More
links will be posted over the next few weeks. I hope you enjoy them.

How the NSA can break trillions of encrypted Web and VPN connections

Lauren Weinstein <>
Thu, 15 Oct 2015 10:02:48 -0700

  "Since a handful of primes are so widely reused, the payoff, in terms of
  connections they could decrypt, would be enormous," researchers Alex
  Halderman and Nadia Heninger wrote in a blog post published Wednesday.
  "Breaking a single, common 1024-bit prime would allow NSA to passively
  decrypt connections to two-thirds of VPNs and a quarter of all SSH servers
  globally.  Breaking a second 1024-bit prime would allow passive
  eavesdropping on connections to nearly 20% of the top million HTTPS
  websites.  In other words, a one-time investment in massive computation
  would make it possible to eavesdrop on trillions of encrypted

Not just NSA. Also all the other major powers East and West as well,
especially working in tandem.

Reducing risks in national elections? (NYTimes)

"Peter G. Neumann" <>
Mon, 12 Oct 2015 19:05:10 PDT

The federal government should play a big role in making national elections
run more smoothly.   [Amen!  PGN]

Tesla Adds High-Speed Autonomous Driving to Its Bag of Tricks (NYTimes)

Monty Solomon <>
Sat, 17 Oct 2015 09:44:11 -0400
After a $2,500 software download, Model S drivers can let the car take over
on the Interstate, the first car sold to consumers with such capabilities.

Software fault causes UK drivers to be banned from driving

Tom Gardner <>
Sat, 17 Oct 2015 16:53:48 +0100
Over 600 drivers have been banned from driving even though the UK Driver
Vehicle Licencing Agency (DVLA) has admitted that equipment used to test
their eyesight between 2010 and 2015 was faulty. Around 80% of those who
agreed to be reassessed have since had their driving licences restored.

The tests in question are mandatory for some medical conditions, and involve
tracking random flashing lights on a screen while focusing on a target
straight ahead. A software fault in the equipment caused the lights to shine
less brightly than they should.

The DVLA denies responsibility because "this software issue originated at
the point of manufacture and not as a result of any action or inaction by
the DVLA".  An exclusive contract with a chain of opticians, Specsavers,
enables them to claim that "It is because we started doing all the official
tests that we had access to enough data to realise there were anomalies".

Using a strange definition of "rectified", Specsavers stated "The software
issue has been rectified and Specsavers has taken the decision to replace
the machine entirely".

  [Also noted by Clive Page at Leicester UK:
    Some of those affected want compensation, but it is hard to sue a
    government agency like the DVLA, and it refuses to say which brand of
    machine was at fault.

Robber uses Uber as getaway car (Mark Thorson)

Mark Thorson <>
Wed, 14 Oct 2015 16:01:16 -0700
He was caught.  Driver and another passenger were let go.

UltraDNS Server Problem Pulls Down Websites, Including Netflix, for 90 Minutes (NYTimes)

Monty Solomon <>
Fri, 16 Oct 2015 08:15:23 -0400
UltraDNS Server Problem Pulls Down Websites, Including Netflix, for 90 Minutes
The problem stemmed from a malfunction in a server on the East Coast that is
part of the system of UltraDNS, a content delivery company.

Compulsive Texting Takes Toll on Teenagers (NYTimes)

Monty Solomon <>
Thu, 15 Oct 2015 19:13:03 -0400
Youngsters who check their phones constantly and snap if you interrupt them
may have a texting problem, a new study found.

The Deception Behind Illegal Bets (NYTimes)

Monty Solomon <>
Thu, 15 Oct 2015 19:12:55 -0400
Cash Drops and Keystrokes: The Dark Reality of Sports Betting and Daily Fantasy Games

Art Forgers Beware: DNA Could Thwart Fakes (NYTimes)

Monty Solomon <>
Fri, 16 Oct 2015 00:06:55 -0400
A new method of authenticating artwork uses manufactured DNA to give each
piece a unique identifier.

Apple Is Said to Deactivate Its News App in China

Monty Solomon <>
Tue, 13 Oct 2015 08:38:14 -0400

The app displays an error message instead of news articles, possibly in an
effort to avoid running afoul of Chinese censorship policies.

Majority of ISPs not ready for metadata laws that come into force

Lauren Weinstein <>
Mon, 12 Oct 2015 21:52:32 -0700
Australia's ABC via NNSquad

  Craig runs a small ISP in regional Australia and his business will not be
  ready to collect metadata.  He said he had begun the lengthy process to
  explain to the Government how the data will be retained, but it was taking
  too much time and was putting the business at risk.  "We've now reached
  400 pages of this document [the DRIP]. It's a very complicated process and
  it's eating into our profitability," he said.  "The amount of time we're
  spending on it is so high that it has become an unviable thing to continue
  on.  "We have to look after our clients, customers and keep working."  He
  said he would be reducing the amount of services he offered clients
  because data retention regulations had made offering them non-profitable.
  "There are already parts of our business that we are going to have to just
  switch off the lights because of the data retention side of things," he
  said.  Mr Stanton said it was possible smaller ISPs would close down
  rather than struggle on.

If you're not Flash Player "free" by now, you REALLY oughta be...

the keyboard of geoff goodfellow <>
Thu, 15 Oct 2015 10:17:15 -1000

Credit Rules (US gov)

"Alister Wm Macintyre (Wow)" <>
Tue, 13 Oct 2015 12:04:01 -0500
With the US credit debit card industry switching to chip technology, the US
gov has updated a web site with THE RULES for people doing business with
merchants, and merchants doing business with the gov.  There are more rules
here than I was previously aware of, and some of these rules are a-changing.

Video Explainer: How Criminals Can Easily Hack Your Chip & PIN Card

"Peter G. Neumann" <>
Thu, 15 Oct 2015 11:50:09 PDT

  In this video explainer from Computerphile, Professor Ross Anderson from
  the Computer Laboratory at the University of Cambridge explains how
  criminals can compromise the Chip & PIN system. At first glance it seems
  much harder to overcome than the humble old magnetic strip but, as he
  explains, crooks are smart and have found plenty of ways to circumnavigate
  the difficulties.

FBI's statement on microchip-enabled credit cards

"Armando Stettner" <>
Oct 13, 2015 1:17 PM
  [via Dave Farber]

The FBI statement on microchips, before it disappears again.

October 13, 2015
Alert Number

Questions regarding this PSA should be directed to your local *FBI Field

Local Field Office Locations:


By October 2015, many U.S. banks will have replaced hundreds of millions of
traditional credit and debit cards, which rely on data stored on magnetic
strips, with new payment cards containing a microchip known as an EMV chip.
While EMV cards offer enhanced security, the FBI is warning law enforcement,
merchants, and the general public that no one technology eliminates fraud
and cybercriminals will continue to look for opportunities to steal payment


*What is an EMV credit card?*

The small gold chip found in
many credit cards is most often referred to as an EMV chip. Cards containing
this chip are known as EMV cards, as well as chip-and-signature,
chip-and-pin, or smart cards. The name EMV refers to the three originators
of chip-enabled cards: Europay, MasterCard, and Visa. EMV chips are now the
global standard for credit card security.

With traditional credit cards, the magnetic strip on the back of the card
contains static personal information about the cardholder. This information
is used to authenticate the card at the point of sale (PoS) terminal, before
the purchase is authorized. When a consumer uses an EMV card at a chip PoS
terminal, that transaction is protected using the technology in the
microchip. Additionally, consumers will be able to continue to use the
magnetic strip on the EMV card at retailers who have not yet implemented
chip PoS terminals. When the card is equipped with a personal identification
number (PIN), which is known only to the cardholder and the issuing
financial institution, issuers will be able to verify the user's
identity. Currently, not all EMV cards are issued to consumers with the PIN
capability and not all merchant PoS terminals can accept PIN entry. EMV
transactions at chip PoS terminals provide more security of consumers'
personal data than magnetic strip PoS transactions. In addition, EMV card
transactions transmit data between the merchant and the issuing bank with a
special code that is unique to each individual transaction. This provides
the cardholder greater security and makes the EMV card less vulnerable to
criminal activity while the data is transmitted from the chip enabled PoS to
the issuing bank.


Although EMV cards provide greater security than traditional magnetic strip
cards, an EMV chip does not stop lost and stolen cards from being used in
stores, or for online or telephone purchases when the chip is not
physically provided to the merchant, referred to as a card-not-present
transaction. Additionally, the data on the magnetic strip of an EMV card
can still be stolen if the merchant has not upgraded to an EMV terminal and
it becomes infected with data-capturing malware. Consumers are urged to use
the EMV feature of their new card wherever merchants accept it to limit the
exposure of their sensitive payment data.


Consumers should closely safeguard the security of their EMV cards and
PINs. This includes being vigilant in handling, signing, and activating a
card as soon as it arrives in the mail, reviewing statements for
irregularities, and promptly reporting lost or stolen credit cards to the
issuing bank. Consumers should also shield the keypad from bystanders when
entering a PIN, as PINs are vulnerable to cybercriminals who work to steal
these numbers to commit ATM and cash-back crimes.

The FBI encourages merchants to handle the EMV card and its data with the
same security precautions they use for standard credit cards. Merchants
handling sales over the telephone or via the Internet are encouraged to
adopt additional security measures to ensure the authenticity of cards used
for transactions. At a minimum, merchants should use secure servers and
payment links for all Internet transactions with credit and debit cards, and
information should be encrypted, if possible, to avert hackers from
compromising card information provided by consumers. Credit card information
taken over the telephone or through online means should be protected by the
retailer to include encrypting digital information and securely disposing
written credit card information.

If you believe you have been a victim of credit card fraud, reach out to
your local law enforcement or FBI field office, and file a complaint with
the Internet Crime Complaint Center (IC3) at

FBI takes down alert on chip credit cards after bankers complain

John Levine <>
Monday, October 12, 2015
[In case people are still interested in chip cards ...]

Chip+pin isn't for you, it's for the bank.

If you're evaluating the risk of something, you need a security model.  From
everything I've heard, the main risk that chip+whatever defends against is
card skimming, copying enough information from the card to make a usable
clone card.  All chip cards defeat this, even the contactless ones you just
tap, by replacing the card info on the magstripe with a transaction-specific
packet of information computed by the chip.

Chip+pin is resistant against fraud where the physical card has been stolen,
but that turns out to be quite rare, perhaps 5% of all card fraud, so it's
not a big deal.  European banks love chip+pin because, as others have noted,
they have persuaded the regulators that a transaction that their system
claims was PIN validated (which turns out not to be the same as actually
having entered the PIN) is presumed to be real and it's up to the customer
to prove that it wasn't him, which he usually can't do.

In the US, the fraud rules haven't changed, if you challenge a transaction
it's still up to the bank to prove it was you, so there's no incentive to go
to the significant cost of upgrading the banks' cruddy old systems to handle

Social Media Abuse Stories to Shrivel Your Soul

Lauren Weinstein <>
Tue, 13 Oct 2015 10:26:49 -0700

Recently in "Research Request: Seeking Facebook or Other 'Real Name'
Identity Policy Abuse Stories"
I requested that readers send me examples of social media abuses that have
targeted themselves or persons they know, with an emphasis on "identity"
issues such as those triggered by Facebook's "real name" policies.

These are continuing to pour in—and please keep sending them—but I
wanted to provide a quick interim report.

Executive summary: Awful. Sickening. I knew some of these would be bad,
but many are far worse than I had anticipated anyone being willing to
send me. It seems very likely—though obviously I couldn't swear to
this under oath—that these abuses have resulted in both suicides and

And if we as an industry don't get a handle on these issues, we
ultimately risk draconian government crackdowns that will simply enable
more government censorship and create even more problems.

Here are some of the more obvious observations I can derive from the
messages I'm being sent (not in any particular order for now):

There is no longer any realistic dividing line between the online and
offline worlds. Abuse taking place online can quickly spill offline,
affecting targeted persons' physical lives directly and devastatingly.

Most forms of social media abuse are interconnected. That is, we cannot
realistically demarcate between "identity policy" abuses (e.g.,
Facebook's "real name" requirements), and other forms of social media
abuse (such as comment trolling, Gamergate, and far more).

Women are disproportionately targeted by social media abuse (as a male I
find this fact to be personally offensive), but yes, many men are also
attacked as well.

A lack of realistically useful and advanced moderation and abuse
report/flagging tools, and/or insufficient surfacing of these tools to
users, combined with "lackadaisical" (that's the most polite term I can
use) attention to these reports in many cases, exacerbates existing

Social media systems with strict "real name" requirements are especially
problematic and can be extremely dangerous. This particularly relates to
the 800-pound gorilla of Facebook in this context (Google+ wisely
dropped its real name requirements quite a ways back).

Facebook's identity "real name" policies have been effectively
"weaponized" by abusers. Many FB users who are already targeted and
marginalized in their offline lives (domestic violence victims, LGBT,
racial and religious minorities, and so many more) still need to use FB
to stay in contact, but (in an attempt to protect themselves) are using
"real appearing" pseudonyms instead of their real names. If one of their
protagonists discovers their FB identity, it is not uncommon for the
abuser to report the victim to FB (for example, as a twisted form of
"revenge") in an attempt to expose them online and offline, and to
destroy their ability to be safely online.

Social media firm reactions to flagging and abuse complaints --
particularly in the case of Facebook—can be erratic and seemingly
arbitrary. Complaints that in one instance might target an innocent
person might cause an account suspension, but one targeting a guilty
person may be ignored. Innocent parties may be required by FB to jump
through a series of humiliating and embarrassing hoops to try to regain
access, including persons whose protective pseudonyms have been exposed
and persons whose actual, real names have been falsely flagged as fakes.
In some cases, Facebook actually suggests to affected users that they go
to court and change their name legally to match FB's rules!

Governments in general (which tend to see censorship as a solution
rather than the problem it actually is) and law enforcement in
particular, usually make these matters worse, not better. The police
tend to be clueless at best, and often explicitly "stop wasting our
time" antagonistic. Victims of bullying and online threats to their
offline lives who go to the police are usually informed that there's
nothing to be done to help them, or victims are told to just "stop using
the Internet" as a proposed (inane) solution.

We could go on with this list, but I'm sure you get the idea.

I'm forced to add that not all of the reaction to my research request on
these topics has been positive. I've received some responses that
attempt to minimize the entire controversy. They've told me I'm wasting
my time. They've suggested that in a relative sense "so few" people are
actually victimized by these problems (compared with the billions using
these systems) that it would be ridiculous for the companies involved to
make significant changes just to cater to a small group of actual
victims and a much larger group of supposed malcontents.

I can't emphasize how forcefully I categorically reject that entire line
of reasoning.

The inherent suggestions that because "relatively" few persons might be
affected (and that still means vast numbers of warm bodies at these
scales) could somehow excuse the abysmal status quo—are entirely and
completely unacceptable, untenable, and unethical.

It's true that we can't put precise numbers on the victims. After all,
most of these vulnerable persons are already trying to protect
themselves from exposure, being forced into essentially a "shadow"
universe of social media identities. And we'd expect that most would
also be understandably unwilling to discuss their situations with a
stranger such as myself.

But many have been so willing, and I thank them for their trust. And I
believe we can safely extrapolate to the reality that there are one hell
of a lot of people being victimized by these issues.

And in fact, the numbers shouldn't really matter at all. How many deaths
or lives otherwise ruined attributable at least significantly to social
media abuses are tolerable? I would assert that the answer in an ethical
sense at least is zero.

Does this mean we can quickly solve all these problems? Is there a magic

Of course not. But that doesn't mean we shouldn't try. And remember,
once politicians get their claws into these controversies, you can bet
that the kinds of "solutions" they push will aim to further their
agendas more than anything else.

These are problems we must ourselves work toward eliminating.

Obviously, education outreach must be a major part of this effort,
especially to law enforcement and other government agencies.

But we also need to have a much better handle on these situations as an
industry, because the problems are ultimately not isolated to single

There need to be individuals and teams within the involved firms who not
only are working internally on these issues, but who also participate
broadly in related public communications efforts. These companies need
to work together toward understanding the impacts of their ecosystems in
these contexts—a formal or informal industry consortium to
specifically further such interactions would seem a useful concept for

Most of all, it's crucial that we as individuals—not just those of us
who have built and used the Internet for many years, but also users who
have so far only barely gotten their feet wet on the Web—recognize
that it is intolerable for the Net to be turned into a tool for the
destruction of lives, and that it's up to us to pave the path toward
changes that will truly help the Net to flourish for the good of our
societies, rather than allowing the Net (and ourselves) to be shackled
by politically shortsighted restrictions.

Take care, all.

Re: Undercover New Hampshire police nab cellphone ban violators (Solomon, RISKS-29.03)

"Bob Frankston" <>
14 Oct 2015 19:46:42 -0400
The other way to read this is that it's illegal to use any digital device
that may potentially run a telephony app even if the car is stopped. Laws that
presume physical objects have one purpose are problematic in a world
(re)defined by software.

In a sense it's like the days when cities wanted to ban bolt cutters because
they could, potentially, be used to steal bicycles. Or banning video
recorders because one use could be to violate copyright.

Apple removes Been Choice and other ad blockers from its app store

Monty Solomon <>
Wed, 14 Oct 2015 20:48:26 -0400
Apple has dumped the ad blocker that blocked in-app ads from the App Store

Apple has removed an ad blocking app from its App Store that blocks ads in
other apps, as well as a number of other non-ad blocking apps that employ
similar "deep packet inspection" techniques, citing privacy concerns.

Apple's iOS 9 operating system saw the company approve ad blocking apps for
the first time. Most just block ads on the Safari web browser, but some
developers took the idea further by creating apps that installed root
certificates in order to block app-based ads. Apple's problem is that by
doing so, these kinds of apps (ad blockers, and some others) had sight of
everything a user was doing online, from browsing to making purchases.

The Safari team, however, had created a secure way to block content, which
doesn't allow for the ad blockers to track user behavior. Popular ad
blocking apps that block ads on Safari, including Crystal and Purify, are
not affected by Apple's latest move. It only affects apps that installed
root certificates on users' phones, which included some ad blockers and
other apps.

On the face of it, it had seemed bizarre that Apple had approved such ad
blockers in the first place, even aside from the clear privacy concerns.
