The RISKS Digest
Volume 29 Issue 52

Tuesday, 10th May 2016

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Italian Mathematician escorted off flight for doing mathematics
David Millward
Whistleblowing is overshadowed when SQL injection gives way to unauthorized access
Dan Goodin
Exclusive: Big data breaches found at major email services
Eric Auchard
UAE Bank Suffers Massive Data Breach
Russian spies using steganography?
The Guardian via IanG
George Sadowsky
IBM is making a quantum computer available for anyone to play with
The Economist
"Mystery solved: KB 3150513 is another Windows 10 update-enabling patch"
Woody Leonhard
ADP clients breached, including 5th largest U.S. Bank
Re: The last non-Internet Generation
Chuck Petras
Re: RF-emission-based device identification
Lyndon Nerenberg
Re: Security Analysis of Emerging Smart Home Applications
Mark Kramer
Info on RISKS (comp.risks)

Italian Mathematician escorted off flight for doing mathematics (David Millward)

"Peter G. Neumann" <>
Mon, 9 May 2016 14:35:14 PDT
David Millward, *The Telegraph*, 9 May 2016

An Italian mathematics professor at the University of Pennsylvania was
escorted off an American Airlines flight after a fellow passenger feared
that his mysterious scribbling on a notepad was evidence that he was a
terrorist.  In fact Guido Menzio was working on a [differential] equation
connected with a presentation on price-setting.

But the sight of a slightly swarthy curly-haired individual scrawling odd
symbols on a notepad was enough to alarm the woman who was sitting next to
him on the flight from Philadelphia to Syracuse.  She thought the mysterious
writing was evidence that he had nefarious intent. The woman decided to
feign illness and passed a note to a member of the cabin crew.  The note
contained detail of her suspicions and the plane sat on the tarmac. ...

  [After Menzio convinced authorities of his legitimate mathematics,
  he was permitted to board the plane—after a two-hour delay.  His
  accuser was not on board.  One of my colleagues suggests that
  perhaps partial differential equations might need to be added to the
  no-fly list.  PGN-ed]

    [Story by Catherine Rampell in *The Washington Post*, 7 May 2016, on the
    flight from Philly to Syracuse, with lots more detail, noted by Henry
    Baker.  PGN]

Whistleblowing is overshadowed when SQL injection gives way to unauthorized access (Dan Goodin)

"Peter G. Neumann" <>
Tue, 10 May 2016 11:38:03 PDT
Dan Goodin, Ars Technica, 9 May 2016

A Florida man has been slapped with felony criminal hacking charges after
gaining unauthorized access to poorly secured computer systems belonging to
a Florida county elections supervisor.

David Michael Levin, 31, of Estero, Florida, was charged with three counts
of unauthorized access to a computer, network, or electronic device and
released on $15,000 bond, officials with the Florida Department of Law
Enforcement said.  According to a court document filed last week in
Florida's Lee County and a video it cited as evidence, Levin logged in to
the Lee County Elections Office website using the pilfered credentials of
Sharon Harrington, the county's supervisor of elections.  Levin, who
authorities said is the owner of a security firm called Vanguard
Cybersecurity, also allegedly gained access to the website of Florida's
Office of Elections.

Levin posted a YouTube video in late January that showed him entering the
supervisor's username and password to gain control of a content management
system used to control, which at the time was the official
website for the elections office. At no time did anyone from the county
authorize Levin to access the site, officials said.

Lee County supervisor of elections server security issues.

"Based on the evidence obtained regarding the SQL injections attack Levin
performed against the Lee County Office of Elections on December 19, 2015,
probable cause does exist to charge Levin with unauthorized access of any
computer, computer system, computer network, or electronic device, a
violation of Florida Statute 815.06(2)(a), a third degree felony,"
prosecutors wrote.

Unsettling concerns

As ill-advised as it was for Levin to log in to the website CMS, the video
raises some unsettling concerns about the security of the Lee County
elections website, which is used to display voting results, verify
registration status, and provide ballots for upcoming elections.  In the
video, Levin shows how he was able to use a SQL injection attack
<> to obtain the user names and
plain-text passwords belonging to Harrington and at least 10 other account
holders. He then shows how the password for Harrington's account allowed him
to enter the CMS and move through various application menus.

According to Dan Sinclair, a Lee County resident who is a candidate running
against Harrington for the elections supervisor post, Levin used a separate
SQL injection attack to obtain plain-text passwords for the state's Office
of Elections website but never used them to log in.  Sinclair told Ars that
Levin discovered the vulnerabilities on his own and then notified Sinclair
of the findings. Sinclair said Levin is declining to speak to reporters
pending the outcome of the case filed against him. Ars was unable to reach
Levin directly.

Officials at the Lee County Elections Office told Ars that, contrary to the
claims of Levin and Sinclair, the security of all of the election systems --
including voter registration, vote tabulations, and website—were never at
risk.  The server that was vulnerable to Levin's SQL injection attack, they
said, had been retired in October. At the time of Levin's attack, at least
two months later, it no longer stored sensitive data and had been replaced
by a new server that wasn't vulnerable to the attack, they said. Similarly,
the CMS Levin logged in to had also been retired and replaced with one that
ran WordPress. While the older CMS was allowed to continue running during a
transition period, its functionality was limited to storing only historical
data, the officials said. People logging in to it didn't have the ability to
post new pages to the site or to access voter data or tabulation systems,
they said.

Ultimately, the picture that emerges from the hack and the resulting arrest
provides cautionary tales for the entire cast of characters. An elected
official charged with ensuring the security of her department's computer
systems allowed servers operated by her office to remain vulnerable to hacks
that are so common that even unskilled script kiddies can carry them out
with aplomb. As anyone with even a passing familiarity with network security
knows, hackers are often able to pivot from low-level systems to more
sensitive ones. And even if the unauthorized access in this case couldn't be
escalated, the hacks can give rise to the appearance of insecurity, which is
never good for democracy, especially in a state like Florida, where
confidence in voting systems is already lacking.

But it's equally problematic for Levin to have posted a video showing him
using pilfered credentials to log in to a system he had no authorization to
access. Levin's commendable deed in blowing the whistle on lax security
practices in Lee County's Elections Office has been overshadowed by actions
of his own doing and very well may result in him having a criminal record
for the rest of his life.
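
The pattern the article describes (a lookup that splices an untrusted string into SQL and a table holding plain-text passwords) beside its hardened form, as an added example that is not code from the Ars Technica article or from the Lee County site, whose software is not shown. The table names, the two sample accounts, the in-memory SQLite database and the tautology string used to exercise the lookup are all constructed here.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts (not real credentials). The "users" table keeps
# plain-text passwords, as the article says the vulnerable server did; the
# "users_hashed" table is the corrected layout (salted PBKDF2 digests only).
SAMPLE_ACCOUNTS = [("supervisor", "correct horse"), ("clerk", "battery staple")]

# The classic tautology input; any quote-bearing string shows the same defect.
CLASSIC_TAUTOLOGY = "' OR '1'='1"

PBKDF2_ROUNDS = 100_000


def make_db():
    """Build an in-memory database with both the weak and hardened layouts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute(
        "CREATE TABLE users_hashed (username TEXT PRIMARY KEY, salt BLOB, digest BLOB)"
    )
    for user, pw in SAMPLE_ACCOUNTS:
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, pw))
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
        conn.execute("INSERT INTO users_hashed VALUES (?, ?, ?)", (user, salt, digest))
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Defective pattern: the untrusted value becomes part of the SQL text, so a
    quote character in it rewrites the WHERE clause and the whole table (with
    its plain-text passwords) can come back."""
    sql = f"SELECT username, password FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened pattern: the driver binds the value as data. Whatever the string
    contains, it is compared against the column and cannot alter the query."""
    return conn.execute(
        "SELECT username FROM users_hashed WHERE username = ?", (username,)
    ).fetchall()


def verify_password(conn, username, candidate):
    """Check a login against the hashed table; no reversible password is stored,
    so even a successful dump yields only salted digests."""
    row = conn.execute(
        "SELECT salt, digest FROM users_hashed WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, digest = row
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, digest)


def demo():
    """Return how many rows each lookup yields for the tautology input."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, CLASSIC_TAUTOLOGY)),
        "parameterized_rows": len(lookup_parameterized(conn, CLASSIC_TAUTOLOGY)),
        "login_ok": verify_password(conn, "supervisor", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the spliced query returning every account with its password, while the bound query returns nothing for the same input. The second change, storing salted PBKDF2 digests instead of plain text, is what limits the damage when some other flaw does expose the table.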

Exclusive: Big data breaches found at major email services (Eric Auchard)

Gene Wirchenko <>
Mon, 09 May 2016 10:51:40 -0700
Exclusive: Big data breaches found at major email services - expert
Eric Auchard, Technology, 5 May 2016

opening text:

Hundreds of millions of hacked user names and passwords for email accounts
and other websites are being traded in Russia's criminal underworld, a
security expert told Reuters.

The discovery of 272.3 million stolen accounts included a majority of users
of (MAILRq.L), Russia's most popular email service, and smaller
fractions of Google (GOOGL.O), Yahoo (YHOO.O) and Microsoft (MSFT.O) email
users, said Alex Holden, founder and chief information security officer of
Hold Security.

UAE Bank Suffers Massive Data Breach (SlashDot)

Werner U <>
Mon, 9 May 2016 20:48:48 +0200

Two weeks ago, Qatar's National Bank suffered a massive data breach at the
hands of Turkish hackers. That data included details about Qatar's royal
family and Al Jazeera reporters...

Now it appears that the same hacker group has dumped data from a UAE bank.
The data appears to be the same data stolen by a hacker last year, who tried
to blackmail the bank for $3 million.

An analysis of the data can be found here.

Russian spies using steganography? (IanG in Cryptography)

"Dave Farber" <>
Sun, 8 May 2016 16:59:39 -0400
> Date: May 8, 2016 at 8:24:44 AM EDT
> From: ianG <>
> To: Cryptography Mailing List <>
> Subject: [Cryptography] Russian spies using steganography?

Bezrukov and Vavilova communicated with the SVR using digital steganography:
they would post images online that contained messages hidden in the pixels,
encoded using an algorithm written for them by the SVR. A message the FBI
believes was sent in 2007 to Bezrukov by SVR headquarters was decoded as
follows: “Got your note and signal. No info in our files about E.F., BT,
DK, RR. Agree with your proposal to use 'Farmer' to start building network
of students in DC. Your relationship with 'Parrot' looks very promising as a
valid source of info from US power circles. To start working on him
professionally we need all available details on his background, current
position, habits, contacts, opportunities, etc.”

Re: Russian spies using steganography?

George Sadowsky <>
May 8, 2016 at 5:37:09 PM EDT
> It is certainly well understood how to do this.  I believe that currently
> a lot of digital images are steganographically watermarked to be able to
> detect IPR violations.  And using digital media is a lot faster than much
> earlier, when secret messengers purportedly had their heads shaved and the
> messages written on their scalp, and then had to wait until their hair
> grew back before they could leave to deliver their message.

IBM is making a quantum computer available for anyone to play with

Hendricks Dewayne <>
May 8, 2016 at 8:59:15 AM EDT
*The Economist* 7 May 2016

USING the rules of quantum mechanics to carry out computations far faster
than any conventional machine can manage is an idea that goes back
decades. It was proposed in the early 1980s, but was confined to the
blackboards of theoreticians until the late 1990s, when experimentalists
gave it life by building simple machines which proved that the equations on
those blackboards worked in practice. Now it has bloomed into a corporate
project. Google, Microsoft, Hewlett-Packard and IBM each have dedicated
quantum-computing research groups.

What quantum computing has not done, though, is make much impact on the
outside world. And in some part that is because those quantum computers
which do exist are still confined to laboratories. Only researchers have
been able to tinker with them. Until now. For, on May 4th, IBM announced
that it would connect one of its quantum computers to the Internet and make
it available for anyone to play with.

Quantum computing is exciting because it offers the promise of computers
that can crunch through some kinds of mathematics (though not all) far
faster than any classical computer that could ever be built could
manage. This power comes from two counterintuitive phenomena: superposition
and entanglement.

Superposition turns the fundamental unit of classical computing, the bit,
into the qubit. A bit represents the smallest possible dollop of
information: on or off; yes or no; 1 or 0. A qubit, though, is a mixture of
both, superimposed upon each other. A classical computer with, for example,
four bits can represent 16 different states. This machine can, however,
exist in only one of those states at any given time. Its quantum equivalent,
by contrast, can exist in a superposition of all 16 states at once.

But it is entanglement, which binds the fates of particles together, that
really makes quantum computers sing. Entanglement makes it possible to
manipulate groups of qubits all at once—so, as the number of qubits
grows, the number of states a machine can occupy rises, quite literally,
exponentially. A 300-qubit computer would have more possible states than
there are atoms in the universe.

The result could manipulate prodigious amounts of information with ease.  It
could thus crunch through many tricky problems, from cracking cryptographic
codes to simulating chemical reactions accurately at the molecular
level. That is something ordinary computers find intractable, but which
would prove useful for all manner of industrial processes.
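
A small classical simulation of the two ideas the article describes, added here as an example and not taken from The Economist or from IBM's own software. It represents an n-qubit register as a list of 2**n complex amplitudes, applies Hadamard and CNOT gates to build the uniform superposition over all 16 states of four qubits and an entangled pair, and shows why a classical computer pays for this with memory that doubles per qubit. The gate implementations and the convention that qubit 0 is the most significant index bit are this example's own choices.

```python
import math


def zero_state(n):
    """Register of n qubits in |00...0>: 2**n amplitudes, all zero except the
    first. The list length itself is the exponential cost the article notes."""
    state = [0j] * (2 ** n)
    state[0] = 1 + 0j
    return state


def _num_qubits(state):
    return len(state).bit_length() - 1


def apply_hadamard(state, target):
    """Put one qubit into an equal superposition of 0 and 1 (H gate).
    Qubit 0 is the most significant bit of the basis-state index (assumption)."""
    n = _num_qubits(state)
    mask = 1 << (n - 1 - target)
    new = state[:]
    for i in range(len(state)):
        if not i & mask:                       # pair index i (bit=0) with j (bit=1)
            j = i | mask
            a, b = state[i], state[j]
            new[i] = (a + b) / math.sqrt(2)
            new[j] = (a - b) / math.sqrt(2)
    return new


def apply_cnot(state, control, target):
    """Flip the target qubit wherever the control qubit is 1 (CNOT gate).
    Applied after a Hadamard this creates entanglement: the two qubits no
    longer have independent values."""
    n = _num_qubits(state)
    cmask = 1 << (n - 1 - control)
    tmask = 1 << (n - 1 - target)
    new = state[:]
    for i in range(len(state)):
        if i & cmask and not i & tmask:        # swap each pair exactly once
            j = i | tmask
            new[i], new[j] = state[j], state[i]
    return new


def probabilities(state):
    """Measurement probabilities: squared magnitude of each amplitude."""
    return [abs(a) ** 2 for a in state]


def uniform_superposition(n):
    """H on every qubit: all 2**n basis states equally weighted at once."""
    state = zero_state(n)
    for q in range(n):
        state = apply_hadamard(state, q)
    return state


def bell_pair():
    """Two entangled qubits: only |00> and |11> can be observed."""
    state = apply_hadamard(zero_state(2), 0)
    return apply_cnot(state, 0, 1)


if __name__ == "__main__":
    print(len(uniform_superposition(4)), "amplitudes for four qubits")
    print([round(p, 3) for p in probabilities(bell_pair())])
```

Four qubits need 16 amplitudes; every extra qubit doubles the list, which is the same doubling the article's 300-qubit remark rests on, and why classical simulation stops being possible long before that size.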

A 300-qubit machine is far in the future. IBM's current offering is a
five-qubit processor built on a chip from loops of superconducting metal
(see picture). It is suspended at the bottom of a large helium fridge at the
firm's research centre in Yorktown Heights, New York. This chills it to
within a whisker of absolute zero—the lowest temperature possible—so
that the chip's delicate innards remain undisturbed by any stray puffs of
heat. The chip is programmed by squirting carefully calibrated doses of
microwaves into the fridge, with each qubit responding to a different

"Mystery solved: KB 3150513 is another Windows 10 update-enabling patch" (Woody Leonhard)

Gene Wirchenko <>
Mon, 09 May 2016 10:05:39 -0700
Woody Leonhard, InfoWorld, 4 May 2016
Released by Microsoft without documentation, it's safe to hide this
patch if you don't want Windows 10 or its related updates

ADP clients breached, including 5th largest U.S. Bank

"Alister Wm Macintyre \(Wow\)" <>
Fri, 6 May 2016 14:48:59 -0500
ADP is not exclusively a payroll services company.  They also issue economic
statistics, thanks to their access to payroll data of an enormous number of
people in the USA.  For an example of that dimension:

I should mention that, before it ended, just over a year ago, my day job used
ADP for payroll services, and that the portal provided for me had, what I
considered to be, very serious flaws, which I complained about but got no
resolution.  I do not know if our portal was like the situation with US
Bank, or if it was an ADP managed portal.  Thus I think I understand some of
what these people are talking about, but lack definitive clarity.

There was also a portal for the 401k, and that portal was screwed up in the
same way as the payroll portal.

Both the ADP and 401 k connections were being run by personnel in the HR
dept whom I did not consider to be computer security savvy.  Past
communications from IT dept regarding breach-friendly activities were
ignored.  Employee PII was exposed for years, before the move to ADP.  One
boss ordered me to stop bothering HR, because for reasons of corporate
security, the IT dept is totally divorced from the HR dept.  I had several
bosses, different ones for different types of activities.  Typically at
least once a year, one of them was replaced.  With each one, I asked if I
could brief them on our capabilities and cyber security weaknesses.  One of
the weaknesses was the exposed PII.  I told over a dozen new bosses about
that, before it was actually fixed.

I do not trust any of these Internet services which expect us to key in PII
info in what appears to be unencrypted interfaces.  Call me a legacy man.

ADP says that it was not ADP which was breached, rather it was incompetent
clients who could not set up their registration with ADP in a secure manner.

Thus all the W-2s now in the hands of fraudsters were because of prior
intruder activities at the clients which made themselves vulnerable to such
attacks, by failing to follow best cyber practices.  None of those clients
named in this article so far, other than US Bank.

News of an alleged "weakness in ADP's customer portal," was first reported
by security blogger Brian Krebs, who said related attacks helped compromise
accounts at more than a dozen firms, including the nation's fifth-largest
bank, U.S. Bancorp, a.k.a.  U.S. Bank.

Reading between the lines, I think each employee of a client of ADP, has a
unique ADP account # composed of:

* ADP code for the particular client.
* PII info on the employee

Thus, if you know the ADP code for a client, and have the PII for one person
(yourself), you can deduce the account number for any other person for whom
you have PII info.  You might find that PII, if the client involved has a
lack of best cyber security practices in maintaining PII confidentiality.
The feds have strict rules for banks on protecting PII of bank customers.  I
wonder if fed regulations have overlooked that nuance for employee PII?

If you know or even just suspect that your ID has been stolen, the IRS
recommends you send it <> Form
14039, Identity Theft Affidavit. This puts the agency on alert for your
Social Security number and other information that could show up on a fake

If a criminal does file a fake return pretending to be you, file your real
tax return on paper, attaching a copy of the Form 14039 with your legitimate
filing. Also watch for any follow-up correspondence from the IRS about your
real or possible fake returns and respond immediately.

I knew ADP was probably the largest provider of payroll services in the USA.
Krebs says it is 640,000 US companies.

When I visited the Krebs article, it had 41 comments, reflecting a good
typical cross-section of people aware of various problems, and clueless.
Here are some comments I consider informative:

* Some years ago my employer selected ADP+SAP as a Payroll solution, without
going through the usual *Due Diligence* process (which I was then in charge
of).  When live, we discovered that more than one person could logon to the
same Employee account simultaneously : a colleague and I tested it together.
When we reported it (along with 20+ other *bugs*), the Payroll Manager
rejected the complaint(s) as *irrelevant*.

* We are a small law Firm in Southern Ca and we too have fallen to ADP's
weak security and inability to take responsibility for their shortcomings.
Someone logged into their portal as our administrator. This hacker setup
bogus direct deposit accounts for a number of our users, if our Finance
director would not have seen these bogus accounts we would have lost over half
of our payroll to these criminals. ADP refuses to share the logs showing the
IP address linked to this attack and said the changes were made from our
organization. We have checked our network and did a forensic examination of
our Finance directors computer, the attack did not come from our network and
we are 100% sure. We have made multiple requests for their log information
and the last response indicated the logs were property of ADP.

One of the replies to the above comment read:

* Did you check your Finance Director's emails? Likely they were victim to a
phishing attack and provided the credentials the hackers used—that could
be why ADP is saying the login was legitimate.

Here is a blog, about how a fake job recruiter collects PII of job hunters.

Do my e-pals see a pattern here?  I do.

e-banking; SWIFT; ADP; what next I wonder – 401 k.

The pattern is that financial services are offered electronically, with the
assumption that the customers will have the cyber know-how to conduct their
affairs in a secure manner, but that is a bad assumption.  Just as
individual employees of many companies lack the training and will power to
resist phishing, similarly the employees tasked with setting up electronic
financial arrangements lack the computer training to know whether secure
practices are doable for their company infrastructure, which includes
whatever ma bell service they are using for Internet connections.

We connect through many Internet and phone services, to many companies
providing essential quality of life services.

They ALL say “trust us, we have state-of-art security, we protect your
PII.”  But many of them get breached, and they sing the same song.

One thing we have needed for decades is a standard where there is proof of
the song's chorus delivered to people who do business with them.

In theory, a computer professional can examine the hardware and software
that is in some building & declare that it is setup with good security, but
the ordinary customer cannot get at that info from their phone company, ISP,
bank, public utilities, etc.  Similarly an employee cannot get that
assurance from their employers.

Gone are the days when a SWIFT or ADP will visit customer site for the
purpose of setting up the connection service where THEY guarantee that it
will work right, or they suffer the financial losses.  Gone are the days
when a small business can have a contract with a service provider which has
clarity, and judicial appeal if anything goes wrong.

I predict that some of the victim companies will be run by people in denial
that it is their fault, as ADP claims.  They will make statements to the
news media which will then help us see the sizes of companies, and if there
were other breaches to confirm ADP story, assuming these customers are not
in one of the US states which does not require breaches to be made public
via the combination of must tell Attorney General of the state, and that
state have FOIA.

I find it incredible that such alleged incompetence would be true for an
outfit the size of US Bank. US Bank says this did not impact their
customers.  It impacted about 2 percent of their employees.  How many is
that? According to U.S. Bank's first-quarter earnings release for 2016, the
company has about 67,000 employees, meaning that about 1,350 of those
employees were the victims of tax fraud, or attempted tax fraud.

US Bank blames “a weakness in ADP customer portal.”  They describe a
process where a person, armed with an employee's PII, could create an
account, in the name of an employee, to get at that employee's W-2 info.

ADP says no, the breached portal was one setup by the client, such as US
Bank, where it was the client which screwed up, not ADP.  Employees who
access the ADP portal need to know: the unique ADP link for their employer,
the code for their employer, and their own PII.  That is not how it worked
when my day job was one of the companies.

The problem, ADP speculates, seems to stem from ADP customers that both
deferred the signup process for some or all of their employees and at the
same time inadvertently published online the link and the company code.  As
a result, for users who never registered, criminals were able to register as
them with fairly basic personal info, and access W-2 data on those

U.S. Bank acknowledged that the bank published the link and company code to
an employee resource online, but said ADP had never told them that the data
itself was privileged.  I speculate that, like my day job, stuff gets setup
by personnel who themselves lack cyber security training, so they are
oblivious to nuances which the service provider's Plug & Play system has a
fiduciary responsibility to spell out sufficiently clearly to be understood
by people who lack cyber security literacy.

I have never worked in that interface between what ADP really tells the
client's HR dept, and how HR interprets the fine print, so I do not know on
which side of the conversation is the most blame.  We can see from the KREBS
article that the IRS has been using cyber security illiterates in a manner
similar to at US Bank.  I had occasion to buy a CD not so long ago.  Many
banks are still asking for mother's maiden name for their security check.
Anyone who is on Facebook, or other social media with extended families,
will realize what a joke that security is.

ADP says it has developed systems to monitor the Web for any other customers
that may inadvertently publish their signup link and code. When they find
such foolish clients, they turn off the service, to protect the employees
from crooks taking advantage of their employer incompetence.
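
The registration weakness described above, modelled beside a hardened flow, as an added example that is not ADP's code and does not reflect its actual design: the employee roster, the company code, the portal classes and the seven-day enrollment-code lifetime are all constructed here. The weak portal lets whoever knows the (possibly published) company code and an employee's basic PII claim any account that was never registered; the hardened portal additionally requires a per-employee, single-use, expiring enrollment code delivered out of band, and stores only its hash.

```python
import hashlib
import hmac
import secrets

# Constructed sample roster (not real people): employee id -> the "fairly
# basic personal info" the post says was enough to register.
ROSTER = {
    "E1001": {"dob": "1980-04-02", "ssn_last4": "1234"},
    "E1002": {"dob": "1975-11-30", "ssn_last4": "9876"},
}


def pii_matches(emp_id, dob, ssn_last4):
    rec = ROSTER.get(emp_id)
    return rec is not None and rec["dob"] == dob and rec["ssn_last4"] == ssn_last4


class WeakPortal:
    """Deferred-signup flow as described: one shared company code per employer
    plus PII claims any not-yet-registered account. If the code leaks (or is
    published with the link), PII alone decides who gets the W-2 data."""

    def __init__(self, company_code):
        self.company_code = company_code
        self.registered = set()

    def register(self, company_code, emp_id, dob, ssn_last4):
        if not hmac.compare_digest(company_code.encode(), self.company_code.encode()):
            return False
        if emp_id in self.registered or not pii_matches(emp_id, dob, ssn_last4):
            return False
        self.registered.add(emp_id)
        return True


class HardenedPortal:
    """Hardened flow (this example's own design): every deferred account gets
    its own random enrollment code, delivered to the employee out of band,
    valid once and for a limited time. Publishing a link or company code no
    longer opens anyone's account, and only a hash of the code is stored."""

    TTL_SECONDS = 7 * 24 * 3600

    def __init__(self):
        self.pending = {}        # emp_id -> (sha256(code), expires_at)
        self.registered = set()

    def issue_enrollment_code(self, emp_id, now):
        code = secrets.token_urlsafe(16)
        self.pending[emp_id] = (hashlib.sha256(code.encode()).digest(),
                                now + self.TTL_SECONDS)
        return code              # hand to the employee out of band; never publish

    def register(self, emp_id, code, dob, ssn_last4, now):
        entry = self.pending.get(emp_id)
        if entry is None or emp_id in self.registered:
            return False
        code_hash, expires_at = entry
        if now > expires_at:     # stale codes are discarded, not honoured
            del self.pending[emp_id]
            return False
        if not hmac.compare_digest(hashlib.sha256(code.encode()).digest(), code_hash):
            return False
        if not pii_matches(emp_id, dob, ssn_last4):
            return False
        del self.pending[emp_id] # single use
        self.registered.add(emp_id)
        return True


if __name__ == "__main__":
    weak = WeakPortal("ACME-4711")
    print("weak, code + PII only:", weak.register("ACME-4711", "E1001", "1980-04-02", "1234"))
    hard = HardenedPortal()
    print("hardened, PII only:", hard.register("E1001", "", "1980-04-02", "1234", 1000))
    code = hard.issue_enrollment_code("E1001", 1000)
    print("hardened, with issued code:", hard.register("E1001", code, "1980-04-02", "1234", 2000))
```

The design point is that the secret deciding who may enroll must be unique to the employee and must not be something the employer is likely to post on an intranet page; a shared company code fails both tests, which is why ADP's later web monitoring for published codes only treats the symptom.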

Re: The last non-Internet Generation (Russell, RISKS-29.51)

Wols Lists <>
Sat, 7 May 2016 00:12:01 +0100
On the BBC News yesterday, we had an article about how BT is spending
millions of pounds upgrading to "superfast broadband". But the same article
pointed out that about 2.5M households (that's maybe 1 in 10) don't have ANY
broadband, and there are no plans to improve that situation. "To those that
have, more will be given. But to those that have not, even the little they
do have will be taken away from them".  Several people from these
broadband-free areas were interviewed, and the general gist was that the
modern Internet was unusable over a 33.6K modem. And BT scrapped ISDN some
ten years ago, so even that option of 64K/128K no longer exists. (That's why
we moved over to broadband.)

Re: The last non-Internet Generation (RISKS-29.50)

Fri, 6 May 2016 14:43:16 -0700
I concur with Mr Russell's comments.

I wrote an article on Expanding the Role of Rural Electric Cooperatives to
Provide Broadband to their Members:
My electrical coop was established in the 1930s to electrify rural parts of
Idaho. To quote from their history,

  "Bringing electrical power to the 10,000 homes and businesses ... was like
  most movements - hard fought and slow in coming. Putting in over 2,800
  miles of line over some of the nation's most rugged terrain, on behalf of
  sometimes only 3 customers per mile of expensive line, was hard and took a
  commitment only a neighbor-owned cooperative was willing to provide."

Unfortunately the movement has stopped and taken deep roots. I approached
the general manager of the coop with my idea and the response was
underwhelming. He commented that it would take money and easements to do

Sigh... I suppose if it was easy everyone would be doing it.

Chuck Petras, Schweitzer Engineering Laboratories, Inc., Pullman, WA  99163

Re: RF-emission-based device identification (Phys.Org, RISKS-29.51)

Lyndon Nerenberg <>
Sat, 7 May 2016 16:23:17 -0700
From the quoted article:

> "Our researchers were able not only to discover this phenomenon, but to
> develop a means of using it to identify devices right out of the box."

Disney has discovered nothing.  Forensic fingerprinting of RF transmitters
has been in play for decades.  I recall this being used in the 80s to
identify rogue transmitters in the Amateur Radio service, but the concept
and technology predates that (and was lifted from commercial and government
applications).  A quick DuckDuckGo search on "rf transmitter fingerprinting"
turns up plenty of prior art.

Re: Security Analysis of Emerging Smart Home Applications

Mark Kramer <>
Mon, 9 May 2016 14:24:39 -0400
"...  we found that SmartApps can be overprivileged."

All "apps" can be, and usually are, overprivileged. For example, I wanted to
download the Android United Airlines app. One of the privileges it demanded
was access to my camera. Why does an app that tells me about flight status
need access to a camera?

I've found many many such apps. It's either laziness on the part of the
programmer, lack of fine grain permissions (an app needs one tiny bit of
information but can't get it without full access to a large number of
things), or malware.

This has never been considered a major problem for programs, since regular
OSes take either an all or nothing (root or user) view of privileges. Those
with finer grain (SElinux, e.g.) seem to have less of an issue, but perhaps
that's because the user is never told what privileges the program is getting
as explicitly as for apps?
