The RISKS Digest
Volume 29 Issue 16

Monday, 14th December 2015

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Tablet computer zoom error lets plane fly 13 hours with 46cm hole
*The Register*
Boston Red Line train leaves station without operator
*The Boston Globe*
VW Says Emissions Cheating Was Not a One-Time Error
*NYTimes*
The Moral Failure of Computer Scientists
Phillip Rogaway
*The Atlantic*
Twitter says it was target of state-sponsored hack
*The Boston Globe*
"Europe Could Kick Majority of Teens Off Social Media, and That Would Be Tragic"
HuffPost
Maine General Health Breach
Gov Info Sec
Medical privacy: small scale violations
Propublica via Suzanne Johnson
Cloud Lock inspects security by industry
Help Net via Al Mac
Malvertising: these advertisers *really* want your business
*WiReD*
AT&T Fools Entire Media With Giant Gigabit Fiber Bluff
DSLreports via Lauren Weinstein
New York State Health Insurance site implemented with elementary security flaws, blames the whistleblower
Gothamist
Massive DDoS attack on core Internet servers was 'zombie army' botnet from popular smartphone app
*IBTimes* via Bob Frankston
Microsoft pulls botched patch KB 3114409 that triggered problems with Outlook 2010
Woody Leonhard
"Microsoft Edge has inherited many of Internet Explorer's security holes"
Woody Leonhard
Discrimination by Airbnb Hosts Is Widespread, Report Says
*NYTimes*
Your iPhone Is Ruining Your Posture—and Your Mood
*NYTimes*
America's secret cyberarsenal
*NYTimes* via Henry Baker
Re: "I gave my students iPads—then wished I could take them back"
Gene Wirchenko
Re: Voter Privacy in the Age of Big Data
Mark E. Smith
Re: Working on Cheaper Sensors, Deeper Learnings
Amos Shapir
Re: Your child is a CYBER-CRIMINAL!
Amos Shapir
Simon Wright
Henry Baker
Info on RISKS (comp.risks)

Tablet computer zoom error saw plane fly 13 hours with 46-cm hole

Gabe Goldberg <gabe@gabegold.com>
Sun, 13 Dec 2015 09:47:42 -0500
A Qatar Airways Boeing 777 traveling from Miami to Doha struck airport
lights during takeoff and suffered a 46-cm tear in the fuselage, thanks in
part to a pilot zooming in too far on a tablet computer.

Flight QR778 left Miami on September 15th but as it took off, hit airport
landing lights. On arrival the plane was found to have suffered "a 46 cm
tear in the fuselage behind the rear cargo door which breached the pressure
vessel... numerous dents and scratches in the external airframe with 18
square meters of damaged skin." Inspection also found "90 external
individual areas of damage requiring assessment and rectification [and] some
damage to a metal guard on the left landing gear."

A Qatar Civil Aviation Authority (QCAA) report on the incident suggests the
crew were not familiar with the airport, so when the First Officer decided
to take off from a point 411m down the runway the choice was queried but
"The commander made a hand gesture and said something which he thought was
seeking reassurance from the crew that everything was OK."

http://www.theregister.co.uk/2015/12/11/tablet_computer_zoom_snafu_saw_plane_fly_13_hours_with_46cm_hole/

Gabriel Goldberg, Computers and Publishing, Inc.       gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433


Boston Red Line train leaves station without operator (Mark Arsenault and Eric Moskowitz via PGN)

Monty Solomon <monty@roscom.com>
Mon, 14 Dec 2015 11:51:58 -0500
An MBTA train from Braintree ran through the next four stops after the
driver got out to attend to a signal problem.  It was stopped just after the
North Quincy station, when power to the third rail was cut off.   [PGN]
https://www.bostonglobe.com/metro/2015/12/10/red-line-train-leaves-station-without-operator/L5NzTcDEX8dMQCQLvC7UBN/story.html

The story is actually much more complicated.  Controllers had to manually
get trains that were ahead of the runaway to express out of the
Braintree section onto the Red Line section, so that power could be shut off
on the entire Braintree section.  This is a fascinating hands-on dynamic
systemic solution to an apparently unplanned event.  My guess is that it
might even suggest some systemic changes!  [PGN]

Eric Moskowitz, LATER: A call, then a scramble to stop runaway train
https://www.bostonglobe.com/metro/2015/12/11/call-then-scramble-stop-runaway-train/3HvcszljJaLlANPPX5b6wN/story.html


VW Says Emissions Cheating Was Not a One-Time Error (Jack Ewing)

Monty Solomon <monty@roscom.com>
Sat, 12 Dec 2015 21:24:12 -0500
Jack Ewing, *The New York Times*, 11 Dec 2015
http://www.nytimes.com/2015/12/11/business/international/vw-emissions-scandal.html

In its most detailed explanation of what led to the scandal, the German
automaker cited a chain of errors that were allowed to happen.

  ["There was a tolerance for breaking the rules."—Hans-Dieter Pötsch,
  chair of VW's Supervisory Board.]


The Moral Failure of Computer Scientists (Phillip Rogaway)

Robert Schaefer <rps@haystack.mit.edu>
Thu, 10 Dec 2015 10:48:24 -0500
Phillip Rogaway, The Moral Character of Cryptographic
http://web.cs.ucdavis.edu/~rogaway/papers/moral.html

This essay attempts to ground cryptography within larger political and
ethical contexts, which I have no doubt will be of interest to the
general population of RISKS readers.

A side note: Google appears to be (in some instances) not providing users
direct links to articles; Google instead provides links to Google with
search terms.  Have others noticed this? And if so, can anyone speculate as
to why?


The Moral Failure of Computer Scientists (*The Atlantic*)

Lauren Weinstein <lauren@vortex.com>
Sat, 12 Dec 2015 11:16:14 -0800
  "He likened the danger posed by modern governments' growing surveillance
  capabilities to the threat of nuclear warfare in the 1950s, and called
  upon scientists to step up and speak out today, as they did then.  I spoke
  to Rogaway about why cryptographers fail to see their work in moral terms,
  and the emerging link between encryption and terrorism in the national
  conversation.  A transcript of our conversation appears below, lightly
  edited for concision and clarity."
http://www.theatlantic.com/technology/archive/2015/12/the-moral-failure-of-computer-science/420012/


Twitter says it was target of state-sponsored hack

Monty Solomon <monty@roscom.com>
Mon, 14 Dec 2015 11:45:59 -0500
http://www.bostonglobe.com/business/2015/12/14/twitter-says-was-target-state-sponsored-hack/aqmmGtUBsOwYDbSePVyChJ/story.html


"Europe Could Kick Majority of Teens Off Social Media, and That Would Be Tragic" (HuffPost)

Lauren Weinstein <lauren@vortex.com>
Thu, 10 Dec 2015 12:29:28 -0800
http://www.huffingtonpost.com/larry-magid/europe-could-kick-majorit_b_8774742.html

  European policymakers are considering a draft of the European Data
  Protection Regulation that would prohibit teens under 16 from
  participating in social media without parental consent. Up until this
  point, the draft Regulation set the age at 13, which is consistent with
  laws and practices around the world.


Maine General Health Breach (Gov Info Sec)

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Thu, 10 Dec 2015 19:19:14 -0600
8 Dec 2015: Maine General https://www.mainegeneral.org/Pages/Home.aspx  went
  public about this breach.
13 Nov 2015: the health care provider was notified by the FBI of evidence of
  a breach.
They investigated & confirmed it, but do not have full details yet.

For some patients, info taken includes real identity, address, phone, date
of birth, emergency contact phone.  They do not yet know how many, out of
their approx 180,000 patients, but the info dates back to at least June
2009.

Also some employees were breached, with similar info.

So far, there is no evidence that credit or financial info, social security
#s, or driver's license #s were taken.  Maine General is offering impacted
persons access to one year of free credit monitoring and identity
restoration services.
https://www.mainegeneral.org/news/statement-regarding-mainegenerals-recent-cyber-attack
http://www.govinfosecurity.com/fbi-detects-another-healthcare-cyberattack-a-8736


Medical privacy: small scale violations (via Dave Farber)

Suzanne Johnson <fuhn@pobox.com>
December 10, 2015 at 2:01:00 PM EST
... Under the federal law known as HIPAA, it's illegal for health care
providers to share patients' treatment information without their permission.
The Office for Civil Rights, the arm of the Department of Health and Human
Services responsible for enforcing the law, receives more than 30,000
reports about privacy violations each year.

The bulk of the government's enforcement—and the public's attention—
has focused on a small number of splashy cases in which hackers or thieves
have accessed the health data of large groups of people. But the damage done
in these mass breaches has been mostly hypothetical, with much information
exposed, but little exploited.

https://www.propublica.org/article/small-scale-violations-of-medical-privacy-often-cause-the-most-harm


Cloud Lock inspects security by industry (Help Net)

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Fri, 11 Dec 2015 02:18:17 -0600
Cloud Lock https://www.cloudlock.com/ analyzed 10 million users, 1 billion
files, 91,000 applications to survey risk across multiple industries.

You have to register with them, to download their report.
http://go.cloudlock.com/ebook-q3-2015-cybersecurity-report.html

They found that, on average, only 5% of companies bother with password and
other credential protection.

K-12 is worst, at 1%.

Retail "best" at 8%.

For the breakdown of the other industries, see the Help Net link.

http://www.net-security.org/secworld.php?id214

In the financial services industry, 99% of the files that can be found by
anyone who finds a link, or who locates them via a search engine, can be
attributed to exposure by 1% of their users.  The overall average across
industries, in the article, is 74%.  Health Care is most secure in that
dept.

Manufacturing shows the least concern for protecting PII, like social
security #s, IDs, dates of birth, etc.

Al Mac comments: Someone had to be in last place.

I would have liked Critical Infrastructure to be a category, since I am now
reading "Lights Out" by Ted Koppel.

We have known for decades that security for our electric grid—cyber
security and physical security—is pretty dismal.

Mainstream news media is now giving more attention to this topic thanks to
Ted Koppel's reputation as a first class messenger.

The electric grid can be taken down for all of USA, and take years for
repair.  An enormous volume of our civilization is dependent upon it --
water, transportation, communication, restocking groceries, hospitals.
Millions will die.  It is not *if* ISIS can do it, but when they will do it.


Malvertising: these advertisers *really* want your business (*WiReD*)

Henry Baker <hbaker1@pipeline.com>
Fri, 11 Dec 2015 07:15:20 -0800
FYI—This is why you should *turn Javascript off* by default & remove all
*add-ons* & *plug-ins*, including Java, Flash, video players, etc.  With
Javascript turned off, you don't even need an ad-blocker.

Leaving Javascript turned on in your browser is the equivalent of leaving
all of your power tools outside your house, so that a burglar doesn't even
need to bring his/her own when attacking your house.  It's actually even
worse than that; you've left a remote-controlled *robot* outside your home
that the burglar can take over and use to attack your home while he/she is
sitting in the comfort of his/her home.

http://www.wired.com/2015/12/hacker-lexicon-malvertising-the-hack-that-infects-computers-without-a-click/

Joseph Cox, *WiReD*, 9 Dec 2015
Hacker Lexicon: Malvertising, the Hack That Infects Computers Without a Click

Malvertising is when hackers buy ad space on a legitimate website, and, as
the name suggests, upload malicious advertisements designed to hack site
visitors' computers.

The news page looked perfectly innocent.  Apart from the reams of celebrity
gossip stories and throw-away magazine layout, nothing about the website
for UK news site *The Daily Mail* seemed particularly malicious.  But, if
you visited the site in October, you might have fallen victim to a
sophisticated hacking campaign without even realizing it.

In the background of *The Daily Mail*, third-party advertisements were
surreptitiously and automatically redirecting readers to powerful exploit
kits, designed to install malware on their computers.

This is the booming trade of malvertising: where cybercriminals rent out ads
on sketchy corners of the Internet and popular sites alike, in order to
infect the computers of as many people as possible.

  Plenty of Popular Sites Have Been Targeted [...]
  How Malvertising Works [...]
  How Can Malvertising Be Stopped? [...]


AT&T Fools Entire Media With Giant Gigabit Fiber Bluff

Lauren Weinstein <lauren@vortex.com>
Thu, 10 Dec 2015 12:18:20 -0800
NNSquad
http://www.dslreports.com/shownews/ATT-Fools-Entire-Media-With-Giant-Gigabit-Fiber-Bluff-135848

  In reality, AT&T has consistently been cutting back its fixed-line
  investment budget and CAPEX to focus on more profitable wireless (read:
  usage capped) broadband. There's no budget for the kind of "real" fiber
  build AT&T's press release implies. In fact, while AT&T pats itself on the
  back for this latest build, it has been consistently trying to figure out
  how it can gut regulations in order to hang up on millions of DSL users it
  doesn't want to upgrade.  And while AT&T this week promised its over-hyped
  fiber build will someday reach 14 million residential and commercial
  locations, they didn't give a timeline for this accomplishment. That means
  AT&T technically could be winding up this not-particularly ambitious
  attempt to cherry pick the nation's high-end development communities and
  university student condos—by 2030 or so.  We're potentially talking
  about only a few hundred thousand lines per year, many at universities.

Exactly. U-verse is fiber to the terminal, with the final leg almost
always provided over copper and using DSL-technologies. What AT&T is
doing is claiming a massive "fiber build-out" when in practice all
they're mostly doing is providing a relatively few direct fiber
connections to those terminals in special cases. But are they really
planning to spend a pile of money deploying fiber (on poles and buried)
to replace all that copper that serves most homes and businesses in
their service areas? If you think so, there's a bridge across the East
River in New York you might be interested in buying.


New York State Health Insurance site implemented with elementary security flaws, blames the whistleblower (Gothamist)

Lauren Weinstein <lauren@vortex.com>
Thu, 10 Dec 2015 18:14:52 -0800
Oopsy: NY State Health Insurance Website Let You Download Other Users'
Private Info (Gothamist via NNSquad)
http://gothamist.com/2015/12/10/thanks_obama.php

  For an unknown period of time, anyone who logged onto the New York State
  health plan website had the ability to download a range of sensitive,
  private information belonging to other users. The incredible glitch was
  discovered by Robert Parks, a cofounder of Oyster, after he received an
  email last Saturday notifying him that he had a message from the New York
  State of Health website.

... I'll add a "don't be a jerk" message to the author of that article,
because a security flaw in a NY State site is not the responsibility of
Obamacare/ACA, but of idiots in New York.


Massive DDoS attack on core Internet servers was 'zombie army' botnet from popular smartphone app

"Bob Frankston" <bob19-0501@bobf.frankston.com>
Sat, 12 Dec 2015 11:21:01 -0500
I haven't seen any mention of this before so would like to learn more.

There is a risk of the supposedly decentralized Internet relying on
hierarchical naming, addressing and certificates. But that's a deeper topic.
http://www.ibtimes.co.uk/john-mcafee-massive-ddos-attack-internet-was-smartphone-botnet-popular-app-1532993


Microsoft pulls botched patch KB 3114409 that triggered problems with Outlook 2010 (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Wed, 09 Dec 2015 15:00:32 -0800
For the second month in a row, a Patch Tuesday Outlook update raises havoc
Woody Leonhard, InfoWorld, 9 Dec 2015
http://www.infoworld.com/article/3013219/microsoft-windows/microsoft-pulls-botched-patch-kb-3114409-that-triggered-problems-with-outlook-2010.html

selected text:

Microsoft's Patch Tuesday update KB 3114409, intended to help admins keep
Outlook 2010 from starting in safe mode, has in fact done the opposite.
Many Outlook 2010 customers report that installing KB 3114409 forces Outlook
to start in safe mode.

And you should reflect on how a patch this destructive ever made it through
internal testing.


"Microsoft Edge has inherited many of Internet Explorer's security holes" (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Wed, 09 Dec 2015 15:03:58 -0800
Woody Leonhard, InfoWorld, 9 Dec 2015
A look at recent patch lists for IE and Edge hints that many of IE's
warts will continue to haunt us
http://www.infoworld.com/article/3012987/microsoft-windows/microsoft-edge-has-inherited-many-of-internet-explorers-security-holes.html

selected text:

We're all anxiously awaiting the day that Windows 10's new Edge browser
becomes usable. That hasn't happened yet, but it will some day next year.

But looking at yesterday's Patch Tuesday announcement and the one for
November has me wondering how much of this improved security is new bananas
-- and how much is built on a rotten old foundation.

The reason for my skepticism: Common Vulnerabilities and Exposures
(CVEs). Each CVE entry is supposed to identify a unique security hole. The
overlap between Internet Explorer CVEs and Edge CVEs shows that many
security problems in IE have been inherited by Edge.


Discrimination by Airbnb Hosts Is Widespread, Report Says

Monty Solomon <monty@roscom.com>
Sun, 13 Dec 2015 11:59:07 -0500
A hotel cannot examine names of potential guests and reject them based on
race, the authors say, but that is common with short-term home rentals.
http://www.nytimes.com/2015/12/12/business/discrimination-by-airbnb-hosts-is-widespread-report-says.html


Your iPhone Is Ruining Your Posture—and Your Mood (NYTimes)

Monty Solomon <monty@roscom.com>
Sun, 13 Dec 2015 11:48:41 -0500
Stop slouching over that tiny screen. It's bad for your self-esteem.
http://www.nytimes.com/2015/12/13/opinion/sunday/your-iphone-is-ruining-your-posture-and-your-mood.html


America's secret cyberarsenal

Henry Baker <hbaker1@pipeline.com>
Mon, 14 Dec 2015 10:06:52 -0800
FYI—We've got the kids playing with matches in the barn again—H. Baker
"Mommy, please tell me again, how did World War I begin?"
http://www.nytimes.com/2015/11/27/opinion/world-war-iii.html

"Anything that has a computer anywhere on earth can be stopped or taken
over"  "Stuxnet was a game changer.  The Internet became a much more
dangerous place after that, because almost literally everybody started to
say the gloves are off now."

"If we are under attack, you can't just try to catch every arrow.  You have
to take care of the person shooting the arrows at you."  [Assuming that you
know or can find out who's shooting at you.]

"Part of the problem is that there are so many senior people in the
government, especially coming out of the political world, that just don't
understand enough about the technology.  They really are remarkably
uninformed."


Re: "I gave my students iPads—then wished I could take them back" (RISKS-29.15)

Gene Wirchenko <genew@telus.net>
Wed, 09 Dec 2015 20:50:18 -0800
With regard to "Students who use computers very frequently at school do a
lot worse in most learning outcomes, even after accounting for social
background and student demographics":

See also my post in 28.57's "Re: As We Age, Smartphones Don't Make Us Stupid
... (LW, RISKS 28.56)" where I detailed my similar experience in a
university course.


Re: Voter Privacy in the Age of Big Data

"Mark E. Smith" <mymark@gmail.com>
Wed, 9 Dec 2015 22:57:28 -0800
I stopped voting in 2006 and assumed, because of repeated warnings printed
on sample ballots, that my name would be purged from the voting rolls if I
failed to vote in three consecutive elections.

Three consecutive elections went by and I was still getting election junk
mail, so I phoned the office of the Registrar of Voters, explained that I
hadn't voted in the past three elections, did not intend to vote in future
elections, and requested that my name be removed from the voting rolls. They
assured me they'd take care of it.

Two more elections pass, and despite a few more phone calls, I was still
getting election junk mail. So I took the long bus trip out to the
Registrar's office and they had me fill out a form requesting that my name
be removed from the rolls. Problem solved? Not at all. It took me three more
years of repeated requests before they finally removed my name from the
rolls and the junk mail stopped coming.

I had several reasons for wanting my name off the rolls, including the
reduction of junk mail, a vague suspicion that when elections officials were
caught manufacturing "phantom votes," it would have been relatively easy for
them to have used the names of people who were registered but hadn't voted,
and that I thought it inappropriate for me, as a non-voter and an election
boycott advocate, to remain a registered voter.

Learning about the political dossiers kept on every US voter feels like a
sort of vindication to me—that for privacy issues alone my struggle to
get unregistered was well worth the time and effort it cost.


Re: Working on Cheaper Sensors, Deeper Learnings

Amos Shapir <amos083@gmail.com>
Mon, 14 Dec 2015 18:18:56 +0200
It seems that the designers of autonomous vehicles are finally encountering
what every new driver should realize early on: Operating a vehicle, even in
an urban environment, is the easy part; but driving is really about
teamwork.


Re: Your child is a CYBER-CRIMINAL! (RISKS-29.15)

Amos Shapir <amos083@gmail.com>
Mon, 14 Dec 2015 18:37:08 +0200
When my daughter was about 8, she used to play a lot in an MRPG which enabled
players to earn "game money" by meeting challenges, and to use it to buy
stuff for their avatar.  Game money could also be received at the game's
bank by redeeming coupons which were handed out in some stores when buying
certain children's products - clothes, toys etc.—for real money.

My daughter usually spent all her earnings on shopping sprees, so she never
had more than 1000 game coins.  One day I noticed she suddenly had 32,000
coins; when asked how she got them, she said "from the Bank!".  It seems
that she just got into Google and typed "where can I get coupon codes for
<Game name>"; it brought her into a site of young hackers—actually, they
did not do much hacking, some kids just filmed themselves playing the game
(they did not even know about screen capture) and posted the clips on
YouTube; my daughter simply stopped the video and copied the codes!
Amazingly, the games accepted these.

I'm still waiting for a knock on my door by FBI agents who'd come to
inquire who at this address had broken into the Pentagon...


Re: Your child is a CYBER-CRIMINAL! (RISKS-29.15)

Simon Wright <simon@pushface.org>
Thu, 10 Dec 2015 19:21:08 +0000
  "Many children will have an active interest in coding, spend a lot of time
  online and have independent learning materials. These are all signs of a
  healthy and positive interest in computing.

  "The UK needs as many people interested in coding as possible. Coding and
  programming are extremely valuable skills and if your child has an
  interest you should actively encourage them to do so - but in a lawful
  way."

I suggest people visit the actual web site; it doesn't say any such thing
[as suggested by Lauren].


Re: Your child is a CYBER-CRIMINAL! (RISKS-29.15)

Henry Baker <hbaker1@pipeline.com>
Thu, 10 Dec 2015 07:12:06 -0800
FYI—And what % of parents can realistically follow this advice:

  "If a young person is showing some of these signs try and have a
  conversation with them about their online activities.  This will allow you
  to assess their computer knowledge proficiency so you can understand what
  they are doing, explain the consequences of cyber crime and help them make
  the right choices."

Perhaps Eric Schmidt's plan to destroy the First Amendment using AI can also
detect/prevent your child's (or your own) cyber "pre-crime":

http://www.nytimes.com/2015/12/07/opinion/eric-schmidt-on-how-to-build-a-better-web.html
http://oomlout.co.uk/blogs/news/79367233-national-crime-agency-lists-daft-cyber-crime-warning-signs
