The RISKS Digest
Volume 29 Issue 41

Tuesday, 29th March 2016

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



MedStar Washington Health turning away patients because computers shut down
Japanese space agency loses track of $265 million satellite
Dangerous drone incidents up to 100 per month
FBI Unlocks San Bernardino Attacker's iPhone Without Apple's Help, Ending Court Case
Various sources
Law enforcement investigators seek out private DNA databases
Beating Ransomware with backup restore
Alister Wm Macintyre
Driverless delivery robots could be hitting D.C. sidewalks soon
Gabe Goldberg
American Tech Giants Face Fight in Europe Over Encrypted Data
Cyber Edge CTDR
Data Breach Today
Why Doesn't AT&T Require Email Verification Before Sending Sensitive Account Information?
Consumerist via Gabe Goldberg
US gov annual cyber security report
Al Mac
Netflix Is No Net-Neutrality Hypocrite for Slowing Down Video
Microsoft keeps Google search terms
Erling Kristiansen
We're More Honest With Our Phones Than With Our Doctors
Amazon Echo's next frontier is banking—yes, banking
Business Insider
Hacker Says He Printed Anti-Semitic and Racist Fliers at Colleges Across U.S.
Cybersecurity vendor statistics
Stiennon's Security Scorecard
Re: NAND mirroring
Harlan Rosenthal
Re: France demands right to be *global* Google censor
Chris Drewe
Re: "How one yanked JavaScript package wreaked havoc"
Michael Kohne
Re: Andy Grove's Warning to Silicon Valley
Teresa Tritch
Info on RISKS (comp.risks)

MedStar Washington Health turning away patients because computers shut down

Jeremy Epstein <>
Tue, 29 Mar 2016 13:10:38 -0400
On Monday, *The WashPost* reported that MedStar had "shut down its email and
vast records database" after a virus got into their systems.  Reports were
that medical staff were going back to paper & pencil medical charts.

On Tuesday, they reported that MedStar is still without their computer
systems, and is turning away patients.

The risks are obvious - reliance on vulnerable systems without adequate
backup/recovery processes.

Whether this was a deliberate or accidental case is unclear to me.  But the
fact that it's Washington DC area hospitals being affected seems to
emphasize the risk - although I'm biased, being a Washingtonian (well,
actually a suburbanite).

Japanese space agency loses track of $265 million satellite

Monty Solomon <>
Tue, 29 Mar 2016 08:40:21 -0400

Dangerous drone incidents up to 100 per month (FAA)

"Alister Wm Macintyre (Wow)" <>
Sun, 27 Mar 2016 16:43:10 -0500
US regulation strategy is wait until they catch someone violating a
regulation, then punish violators severely, expecting news coverage to put a
chilling impact to discourage others.  That approach does not work in many
cases, especially when there are new regulations coming out all the time,
not well covered by the news media.  At what age do children start watching
the news?  There is no minimum age to operate a drone; they are getting
cheaper, and dangerous incidents are growing.

We are now up to 100 reports / month to the FAA, about drones flying
illegally close to manned flight.

Before long we can expect to read about 100+ people killed in an airline
crash caused by illegal and irresponsible drone usage.

The FAA just released a report of dangerous drone incidents from Aug-22,
2015 thru Jan 31, 2016, in the USA.
Reported UAS Sightings (August 2015-January 2016) (MS Excel)
Reported UAS Sightings (November 2014-August 2015) (MS Excel)

I believe the authorities should attempt to get outfits, which are selling
drones, to include a heads up to purchasers that:

* There are federal registration requirements for various drone sizes, uses,
  and locations.

* Flying drones in violation of federal regulations can result in fines of
  $10,000 per day of violation, and prison time for some offenses.

* There are also laws governing drone use, in most every state in the USA.

* Here's where to go, to learn what the rules are, so you can stay out of

Under current US laws, regulations, and court precedents, drones are
considered to be aircraft, and it is illegal to interfere with an aircraft
in flight, by any means, with penalty being many years in prison.  I hope
that Congress can change that law, to lower penalties for interfering with a
drone whose activity is violating people's privacy, or engaged in other
illegal or dangerous activity.

FBI Unlocks San Bernardino Attacker's iPhone Without Apple's Help, Ending Court Case

Lauren Weinstein <>
Mon, 28 Mar 2016 15:13:53 -0700

  The U.S. government said Monday afternoon it has unlocked the iPhone owned
  by one of the terrorists involved in the San Bernardino massacre, ending
  the legal battle pitting Apple against the government over whether the
  tech giant should be required to help the FBI unlock the device.

 - - -

Nobody is saying outright, but reading between the lines it sounds like
nothing of major significance was found on there.

  [See also Danny Yadron, US ends case against Apple after pulling data from
  San Bernadino iPhone, *The Guardian*, 28 Mar 2016

  Joel Rubin and James Queally, *L.A. Times*, 28 Mar 2016

  Also, see Bruce Schneier's *WashP* Op-ed today.  Bruce makes a nice
  distinction between Apple's handling of the iMessage flaw (which was
  detected by Matt Green's team and reported privately to Apple for
  remediation—see RISKS-29.37) and the San Bernadino phone situation
  (where the FBI is apparently trying to keep the successful technique
  secret so that it can be reused as needed).

Law enforcement investigators seek out private DNA databases

Lauren Weinstein <>
Sat, 26 Mar 2016 08:57:12 -0700

  Investigators are broadening their DNA searches beyond government
  databases and demanding genetic information from companies that do
  ancestry research for their customers.  Two major companies that research
  family lineage for fees around $200 say that over the last two years, they
  have received law enforcement demands for individuals' genetic information
  stored in their DNA databases.

 - - -

Also see: (3 seconds).

Beating Ransomware with backup restore

"Alister Wm Macintyre (Wow)" <>
Sun, 27 Mar 2016 12:30:55 -0500
Amid stories of many institutions faced with ransomware demands, and having
to pay to stay in business, here is a story of a place which could stay in
business without paying, because they had competent backup.  Before
restoring to backup, they had to wipe their hard drives.  I don't know how
they know no data was taken in the attack.

Driverless delivery robots could be hitting D.C. sidewalks soon

Gabe Goldberg <>
Mon, 28 Mar 2016 11:34:41 -0400
Ground drones have fewer security implications than flying ones, which have
been touted as a potential delivery breakthrough. There are some concerns an
airborne delivery could potentially "go over the White House fence," she
said. But "this would stop at the fence. It seems so much more benign and
easy to control."

As for run-of-the-mill thieves and vandals, Martinson said he's not
worried. A hitchhiking robot was destroyed in Philadelphia last year,
bumming out the Canadian researchers who built it. But Starship's machines
have 9 cameras, stream live video back to their base, and can easily call
for police, or other, backup, Martinson said.

"We can send other robots in the area. They would come to help the robot in
distress," Martinson said.

What could go wrong? There's nothing about them being weaponized so who's
afraid of a posse of 4 MPH robots? How many will go missing how soon?
They're autonomous but can be remotely guided—how will they authenticate
intended recipient? Are they hackable? Can they open doors, climb stoops,
summon elevators, ring doorbells, tip doormen? Plenty fun to be had.

Gabriel Goldberg, Computers and Publishing, Inc.
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433

American Tech Giants Face Fight in Europe Over Encrypted Data

Lauren Weinstein <>
Sun, 27 Mar 2016 12:56:50 -0700
NYTimes via NNSquad

  This week, French lawmakers are expected to debate proposals to toughen
  laws, giving intelligence services greater power to get access to personal
  data.  The battle has pitted Europe's fears about the potential for
  further attacks against concerns from Apple and other American technology
  giants like Google and Facebook that weakening encryption technologies may
  create so-called back doors to people's digital information that could be
  misused by European law enforcement officials, or even intelligence
  agencies of unfriendly countries.  The recent attacks have pushed many
  Europeans to favor greater powers for law enforcement over privacy. But
  opponents say such measures should not undermine the region's tough data
  protection rules that enshrine privacy on par with other rights like
  freedom of expression.  This balance between national security and privacy
  has put major countries in the region on opposite sides of the debate,
  with Germany and the Netherlands dismissing new encryption laws being
  considered by Britain and France.

Cyber Edge CTDR (Data Breach Today)

"Alister Wm Macintyre (Wow)" <>
Mon, 28 Mar 2016 01:53:14 -0500
Various outfits come out with annual reports on various aspects of cyber

We can download the 2016 Cyber Threat Defense Report (CTDR) from Cyber Edge
Research. (1.5 Meg PDF 36 page)

This includes: (some highlights I found)

* Results of a survey of what threats are being faced by 1,000 people
  working in IT cyber security, at companies with 500 or more employees
  in 19 industries across 10 nations.

* These people think Mobile devices and social media applications are IT
  security's weakest links (2015), which is rather different from what was
  found via the latest Verizon DBIR.

* [Garbled] of them suffered one or more successful cyber attacks in the
  past 12 months.

* Pessimism, about their company's ability to resist the next
  attacks, is rising.

* Only 1/3 have the tools they need to protect their companies.

* Cyber Security defense expenditures are on the increase.

* An assessment of the respondents' perception of the effectiveness of
  their investments and strategies relative to the prevailing threat

* The types and sources of cyber threats that concern today's organizations
  the most.

* Tactics to help organizations reduce their attack surface.

* The network, endpoint, mobile, and application security technologies
  planned for acquisition in 2016,

* The percentage of companies doing various protection measures is graphed.
  For example, 80% of companies in health care regularly back up laptops of
  mobile users—that's the highest score.  One of the lowest is 10% in
  France do regular backups of mobile users' laptops, and then only 80% of

Data Breach Today supplies links to many such downloadable cyber security

That's where I found the link to download the above.

Why Doesn't AT&T Require Email Verification Before Sending Sensitive Account Information?

Gabe Goldberg <>
Fri, 25 Mar 2016 18:41:06 -0400
There's a reason why companies that handle sensitive billing information may
ask customers to verify their email addresses before sending any
communications. It's to prevent customers from seeing things they
shouldn't. So why doesn't AT&T have such a safeguard in place for its

The risks? Described in nice detail.

Gabriel Goldberg, Computers and Publishing, Inc.
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433

US gov annual cyber security report

"Alister Wm Macintyre (Wow)" <>
Mon, 28 Mar 2016 10:52:21 -0500
The White House says US gov agencies reported 77,183 cyber incidents in
fiscal 2015, up 10% from 2014.

Section 3553 of the Federal Information Security Modernization Act (FISMA)
of 2014 (P.L. 113-283), requires the Office of Management and Budget (OMB)
to submit an annual report to Congress on the effectiveness of information
security policies and practices during the preceding fiscal year and a
summary of the evaluations conducted by agency Inspectors General.

Here is that report:

(95 page PDF 3.5 Meg) The US gov fiscal year runs from Oct to Sept.

There's a lot of data here to digest, complicated by the phenomenon of high
acronym density common to many gov reports.

Several appendixes spell out agency names in full, then what is the
abbreviation or acronym used for them, sequenced by the text name.

Appendix 7 has other stuff alphabetized by acronym.

Figure 2 shows 363 known active critical vulnerabilities on Federal systems,
reduced to 3 by Dec 2015.

As impressive as that progress is, later charts in the report show the progress
various agencies have made in providing cyber security defense against
various threats.  As the GAO would say, "Progress has been made, but there is
room for improvement" (massive improvement for some agencies).

Table 2 provides definitions for 11 different categories of cyber incident,
then Table 3 has a bar chart with how many of each of them occurred, color
coded for the fiscal years 2013-grey 2014-green 2015-red.

The highest bar for 2015 is 25,765 "Other", or 34% of FY 2015 incidents, a 77%
increase over 2014: scans, probes and attempted access, incidents under
investigation, and incidents categorized as miscellaneous. Approximately 59%
of 'Other' incidents fall within the attempted access subcategory due to the
high volume of scans and probes.

Second highest bar is Non-Cyber, which includes incidents involving the
mishandling of sensitive information without a cyber security component,
such as the loss of hard copy PII records. This category represented 12,217,
or 16% of reported incidents.

The third most reported category was Policy Violations, which represent
10,408 reported incidents, or 14% of total incidents reported.

The report also breaks this down by gov agency, with very different graph

* Dept of Agriculture is dominated by malware and equipment challenges.
* Dept of Defense biggest problem is policy violations.
* Many have problems all over the place.

Some of the incidents were classified secret.  Here is where we may find
info on the unclassified ones.

Every new technology brings with it new cyber security challenges.  The US
gov recognizes that this is the case with smart phones, so during FY 2015,
NIST published Special Publication (SP) 800-163, "Vetting the Security of
Mobile Applications," along with open source test code and guidance for
constructing a mobile application-testing program. These guidelines describe
vulnerabilities and poor programming practices for both Android and iOS
devices, which entities can mitigate through other described security
technologies.  NIST also addressed the issue of Strong Authentication with
mobile devices through the release of SP 800-157, "Guidelines for Derived
Personal Identity Verification Credentials."

Netflix Is No Net-Neutrality Hypocrite for Slowing Down Video

Monty Solomon <>
Sat, 26 Mar 2016 21:09:56 -0400

Microsoft keeps Google search terms

Erling Kristiansen <>
Sat, 26 Mar 2016 08:24:37 +0100
In a TED Talk about the interaction of different medicines, I found this:

We said, well, what do you do?
You're taking a medication, one new medication or two, and you get a funny
What do you do?
You go to Google and type in the two drugs you're taking, or the one drug
  you're taking, and you type in "side effects."
What are you experiencing?
So we said OK, let's ask Google if they will share their search logs with
  us, so that we can look at the search logs and see if patients are doing
  these kinds of searches.
Google, I am sorry to say, denied our request.
So I was bummed.
I was at a dinner with a colleague who works at Microsoft Research
  and I said, "We wanted to do this study,
Google said no, it's kind of a bummer."
He said, "Well, we have the Bing searches."
Yeah. That's great.
Now I felt like I was talking to Nick
  [Nick is the patient discussed in the talk] again.
He works for one of the largest companies in the world,
  and I'm already trying to make him feel better.
But he said, "No, Russ—you might not understand.
We not only have Bing searches, but if you use Internet Explorer
  to do searches at Google, Yahoo, Bing, any ...
Then, for 18 months, we keep that data for research purposes only."
I said, "Now you're talking!"
This was Eric Horvitz, my friend at Microsoft.

    [The remainder of the talk addresses what they did with this data, so it
    is clear that they actually got the Google data from Microsoft]

We're More Honest With Our Phones Than With Our Doctors

Monty Solomon <>
Sun, 27 Mar 2016 22:30:54 -0400
How health-tracking apps reveal new truths about our bodies.

Amazon Echo's next frontier is banking—yes, banking

Monty Solomon <>
Mon, 28 Mar 2016 09:10:01 -0400
Amazon Echo's next frontier is banking

Hacker Says He Printed Anti-Semitic and Racist Fliers at Colleges Across U.S.

Monty Solomon <>
Tue, 29 Mar 2016 09:27:40 -0400

A computer hacker who goes by the name of Weev said he sent the fliers last
week to all publicly accessible printers in North America, but it is not
clear whether he could face charges.

Cybersecurity vendor statistics

"Alister Wm Macintyre (Wow)" <>
Tue, 29 Mar 2016 15:02:58 -0500
IT Security Vendor Industry Statistics are possibly off-topic.
Stiennon's Security Scorecard

* 1,325 of them worldwide and growing
* 854 (60%) in USA
* 144 in Israel
* 82 UK
* 48 Canada
* 33 Germany

Of those in USA
* 325 California
* 91 DC area
* 69 Massachusetts
* 52 Texas
* 42 NY

There is no consolidation.  There is an outpouring of start-ups.  If this
were a mature industry, there would be 4 big vendors, period.

The industry is growing by about 24% per year, estimated to be 6 times as
large in 7 years.

Market size reports <> available for $500-1,500.  But a lot of the totals
are at the other links here.

How long until market saturation = when every outfit and individual, who
ought to be protected, is protected, or there has been successful effort to
chop down the very successful cyber criminal industry?

Re: NAND mirroring (RISKS-29.40)

Harlan Rosenthal <>
Fri, 25 Mar 2016 21:31:38 -0500 (CDT)
Newer SoC processors have protection that will not allow copying through the
JTAG port, or through code executing in RAM.  The description in the
article is unlikely to work—you can't simply copy the internals that

Perhaps the main storage is an external chip, with a simple SPI port; in
that case, if Apple has encrypted it, even using standard SSL, it can be
cracked in a few centuries ...

From ST Micro:

Flash code protection

The STM32 microcontroller family is provided with the following code
protection features:

1. Global Read-out Protection (RDP)
2. Write protection
3. Proprietary Code Read Out Protection (PCROP)

These features are meant to protect the intellectual property of the
embedded firmware code, which represents an increasing interest for complex
embedded systems.

Re: France demands right to be *global* Google censor (RISKS-29.40)

Chris Drewe <>
Mon, 28 Mar 2016 22:19:59 +0100
> Google handed EUR100,000 fine by French data regulator
> France wants to censor search results GLOBALLY—not just to users in
> France but for everyone on the planet. And if France gets their way EVERY
> COUNTRY ON THE PLANET will demand the right to remove search results they
> don't like. Imagine what Putin, Chinese leaders, and other tyrants will do
> with such power. I've been predicting this slippery slope all along. IT MUST

Good luck.  In the UK there's been a scandal over last winter in which the
police have been investigating allegations of historic child sexual abuse
(the 'Nick' case) by various senior politicians and other establishment
figures; the authorities have been accused of being too casual about acting
on similar allegations in the past, so this time enquiries have been done in
an aggressive, high-profile way (e.g. house searches with plenty of
publicity), along with the usual feeding frenzy on social networking web
sites of course.  The investigation has reportedly been closed without
finding anything worthwhile, but it's left a lot of collateral damage in
terms of wrecked reputations, lingering suspicions, loss of trust, and so

One of the politicians questioned but not arrested or charged quite
reasonably wants better protection for those in the same position as him,
but wrote in a newspaper last week: "... Google and other Internet providers
should... be regarded as publishers and brought within the same laws of
defamation.  Free speech is not free if it allows people to defame others
with impunity.  These companies should be 'publishing' within a fair legal

Loads of problems here which have been discussed in RISKS before, e.g. what
about information on other countries' sites (it's called the World Wide Web
for a reason), and why do so many people assume that Google somehow runs the
Internet?  However, if enough irritated politicians get together, it's easy
to see how they could pass laws attempting to regulate what goes on line, or
at least have somebody legally liable who could be sued, and probably
include right-to-be-forgotten measures as well.

Re: "How one yanked JavaScript package wreaked havoc" (Yegulalp, RISKS-29.40)

Michael Kohne <>
Sat, 26 Mar 2016 07:56:56 -0400
> ... it broke dependencies for many other projects ...

I'm sorry, but I have to disagree a little bit—this has NOTHING to do
with any presumed 'fragility' of open source, but rather has to do with the
paucity of thought on the part of the developers in question.

They depended on a package, and instead of ensuring that they had their
dependencies under control, they simply referenced its URL.

The problem here is developers who have no idea how to do development
properly being allowed (by their peers) to handle packages that become

(For the record, I write software for medical monitoring systems. We run on
top of Linux, and pull copies of the relevant distribution repos so that we
can go back to the source packages if things go wrong).

Re: Andy Grove's Warning to Silicon Valley (Teresa Tritch) [Forwarded by Dewayne Hendricks. PGN]

Steven Schear <>
March 28, 2016 at 1:15:39 PM EDT
Beginning in the early 2000s, I witnessed first-hand what happens when Silicon
Valley tech companies, focused almost exclusively on the near-term
bottom line, bring in massive numbers of guest workers as a prelude to
offshoring later development and manufacture.

Cypress Semi was a leader in convincing Congress that there weren't enough
domestic engineers to meet their needs. In fact, there were, but many had
families and weren't willing to work, day-in-and-day-out, the often very
long hours some SV companies desired, and even for those that were amenable,
companies weren't willing to offer adequate compensation. Companies also
weren't willing to adequately encourage education and grooming of domestic
engineers. Instead, they got the H-1B visa program greatly expanded at the
same time senior domestic engineers were furloughed, many never to work again
in tech.

These foreign engineers, mostly new graduates working (in overtime-exempt
positions) through job shops, were (as required by law) paid the same as
the domestic engineers they had replaced, but they were forced to work more hours
(often nearly double). For years I would watch these workers on their way
back to their flats in the East Bay late into the evening on BART. In this
way tech companies were able to stay within the letter of the law (equal pay
to domestic workers) while exacting many more labor hours than they
otherwise could. Many of these foreign engineers would later return (not all
by choice) to their countries where SV companies had set up subsidiaries or
made arrangements with local industry to continue follow-on design,
development or manufacture.

> Andy Grove's Warning to Silicon Valley
> Teresa Tritch, Editorial Observer, *The New York Times*, 25 Mar 2016
> <>
