The RISKS Digest
Volume 29 Issue 82

Saturday, 8th October 2016

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



J&J warns of vulnerability in insulin pump (Jeremy Epstein)
Samsung device ignites during SW flight (Wave 3)
U.S. government officially accuses Russia of hacking campaign to interfere with elections (Ellen Nakashima)
Undetectable election hacking?
Gene Spafford: Many hurdles preventing emergence of online voting
Bruce Schneier: Economics of security and the IoT
Alex Stamos: Yahoo's scanning program
"Yahoo's email snooping: It's all legal" (Caroline Craig)
Yahoo scanned customer e-mails for U.S. Intelligence (Michael Marking)
Apple, Google, Microsoft: We Have No Government Email Scanning Program Like Yahoo's
National Cyber Security Awareness Month (NCSAM)—supported by the Mozilla Project (Werner U)
"IoT botnet highlights the dangers of default passwords" (Michael Kan)
Re: Source code for IoT botnet Mirai Released Krebs 1 Oct (Chiaki Ishikawa)
Windows 10 update traps some systems in a boot loop, Microsoft promises fix (Extreme Tech)
NSA Contractor Arrested in Possible New Theft of Secrets
How hard is it to hack the average DVR? Sadly, not hard at all (Ars Technica)
Info on RISKS (comp.risks)

J&J warns of vulnerability in insulin pump

Jeremy Epstein <>
Thu, 6 Oct 2016 10:02:11 -0400
"Johnson & Johnson on Tuesday issued a warning about a possible
cybersecurity issue with its Animas OneTouch Ping Insulin Infusion Pump.
[...]  Computer security firm Rapid 7 discovered that it might be possible
to take control of the pump via its an unencrypted radio frequency
communication system that allows it to send commands and information via a
wireless remote control. The company alerted Johnson & Johnson, which issued
the warning.  [...] There have been no instances of the pumps being hacked,
Johnson & Johnson said."

  [See also: Johnson & Johnson Discloses That Its Insulin Pump Is Hackable]

Samsung device ignites during SW flight

"Peter G. Neumann" <>
Fri, 7 Oct 2016 6:57:16 PDT
LOUISVILLE, KY TV-station Wave 3, 5 Oct 2016
and The Verge <>, in

LOUISVILLE, KY (WAVE) - Louisville Metro Arson investigators confirmed
Wednesday that the smoke that caused a Southwest Airlines flight to be
evacuated came from an overheated Samsung device.  Southwest flight 994, a
Boeing 737, was scheduled to depart SDF for Baltimore at 9:30 a.m., but the
smoke was discovered at about 9:20 a.m., SDF spokeswoman Natalie Chaudoin

Passenger Misty Whitaker told WAVE 3 News what the scene was like inside the
plane.  "I was sitting at the front of the plane and I noticed a flight
attendant coming quickly down the aisle saying, 'There's smoke on the
plane,'" she said. "(They said), 'Leave all of your bags on the plane and
come forward in an orderly fashion.' They said it was a Samsung Galaxy. The
last they told us while we were waiting was that the fire had burned through
the carpet.  I know it was toward the back of the plane but I don't know if
it was in an overhead bin or under a seat or what. ...  Control tower audio
just released indicated that one pilot said "there's smoke in the cockpit."
Whitaker said passengers with connections from Baltimore were being
re-routed, but that flight 994 itself had been canceled shortly after 11

The U.S. Consumer Products Safety Commission issued a warning last month to
Samsung Galaxy Note 7 users to stop using the phones due to the risk of
explosions and fires. The consumer warning came after at least 35 reports of
the lithium-ion batteries in the devices overheating and bursting, resulting
in fires.  Samsung announced a recall affecting all of the 2.5 million
Galaxy Note 7 phones worldwide.

All 75 people aboard the plane were evacuated without incident. No injuries
were reported.

Southwest issued a statement at 11:21 a.m. Wednesday 5 Oct 2016 in response
to the incident:

  Before Southwest Airlines Flight 994 departed from Louisville for
  Baltimore, a customer's electronic device, believed to be a Samsung, began
  emitting smoke.  All customers and crew deplaned safely via the main cabin
  door.  Customers will be accommodated on other Southwest flights to their
  final destinations.  Safety is always our top priority at Southwest and we
  encourage our customers to comply with the FAA Pack Safe guidelines.

    [See also: Replaced Galaxy Note 7 explodes on a Southwest flight]

U.S. government officially accuses Russia of hacking campaign to interfere with elections (Ellen Nakashima)

"Peter G. Neumann" <>
Fri, 7 Oct 2016 20:50:33 PDT
Ellen Nakashima, *The Washington Post*, 7 Oct 2016

The Obama administration on Friday officially accused Russia of attempting
to interfere in the 2016 elections, including by hacking the computers of
the Democratic National Committee and other political organizations.  The
denunciation, made by the Office of the Director of National Intelligence
and the Department of Homeland Security, came as pressure was growing from
within the administration and some lawmakers to publicly name Moscow and
hold it accountable for actions apparently aimed at sowing discord around
the election.

"The U.S. Intelligence Community is confident that the Russian Government
directed the recent compromises of e-mails from U.S. persons and
institutions, including from U.S. political organizations," said a joint
statement from the two agencies.  "These thefts and disclosures are
intended to interfere with the U.S. election process."

The public finger-pointing was welcomed by senior Democratic and Republican
lawmakers, who also said they now expect the administration to move to
punish the Kremlin as part of an effort to deter further acts by its

  [See also
  U.S. Says Russia Directed Hacks to Influence Elections,

Undetectable election hacking?

"Peter G. Neumann" <>
Wed, 5 Oct 2016 9:47:21 PDT

Gene Spafford: Many hurdles preventing emergence of online voting

"Peter G. Neumann" <>
Fri, 7 Oct 2016 6:53:53 PDT

The search for solutions to increase voter numbers on Election Day continues
as states have underwhelming turnouts in both presidential and
non-presidential election years.

But Eugene Spafford, computer science professor at Purdue, says online
voting is not one of those solutions.

The most important aspects of an election are privacy and accuracy for
citizens and, from the standpoint of candidates, the vote total

However, current online technology available to the average citizen dictates
that you can't have it all, says Spafford, the executive director of
Purdue's Center for Education and Research in Information Assurance and
Security.

"Voting by Internet sounds attractive, but either we have to give up the
anonymity of the ballot, which is not a good practice, or we have to give up
the ability to confirm that the count is correct," he said in a release.

The question of online voting comes up because many day-to-day activities
are handled online. But comparing voting via the Internet to activities such
as banking online falls short because, with banking, an account is used to
keep track of transactions.

"A record kept of the account—that's not anonymous," Spafford said.
"That removes the privacy of the voting booth from voters."

For the areas of accuracy and accountability, the potential for election
problems goes back to two well-known headaches: computer viruses and bugs.  A
virus or hidden code designed to disrupt vote counts cast online wouldn't be
difficult to write, Spafford said, adding such software is expensive and
difficult to prevent.

"Elections matter," he said. "If one virus or error is detected, it could
invalidate the vote, and that's not something we want to do. It would cast
enough doubt that the election would be thrown into disarray."

Voters need to trust that what they see on their computer screen ballot is
what is actually tabulated in the election. A computer virus or hidden,
malicious code could be written to change an online ballot after it is cast.

Spafford said the level of security in personal computers is safe for a lot
of things, but that security still fails regularly—too often to trust
with an election. Beyond local computer security is the issue of users
falling prey to phishing or fake election websites.

The reality is online voting could occur but with a hefty price tag. It is
possible that a highly classified, strongly controlled computer system
similar to those used by intelligence agencies could be used for online

"But it would possibly cut away some of the privacy for voters and it would
require people to spend a few hundred thousand dollars on their home
computers," he said. "It is much more cost-efficient to spend those
resources on verifiable voting systems at monitored election centers, and to
encourage voters to use them."

Bruce Schneier: Economics of security and the IoT

"Peter G. Neumann" <>
Fri, 7 Oct 2016 6:53:16 PDT
Bruce Schneier, We Need to Save the Internet from the Internet of Things
Motherboard Vice, 6 Oct 2016

Brian Krebs is a popular reporter on the cybersecurity beat. He regularly
exposes cybercriminals and their tactics, and consequently is regularly a
target of their ire. Last month, he wrote about an online attack-for-hire
service that resulted in the arrest of the two proprietors. In the
aftermath, his site was taken down by a massive DDoS attack.

In many ways, this is nothing new. Distributed denial-of-service attacks are
a family of attacks that cause websites and other Internet-connected systems
to crash by overloading them with traffic. The "distributed" part means that
other insecure computers on the Internet—sometimes in the millions—are
recruited to a botnet to unwittingly participate in the attack. The tactics
are decades old; DDoS attacks are perpetrated by lone hackers trying to be
annoying, criminals trying to extort money, and governments testing their
tactics. There are defenses, and there are companies that offer DDoS
mitigation services for hire.

Basically, it's a size vs. size game. If the attackers can cobble together a
fire hose of data bigger than the defender's capability to cope with, they
win.  If the defenders can increase their capability in the face of attack,
they win.

What was new about the Krebs attack was both the massive scale and the
particular devices the attackers recruited. Instead of using traditional
computers for their botnet, they used CCTV cameras, digital video recorders,
home routers, and other embedded computers attached to the Internet as part
of the Internet of Things.

Much has been written about how the IoT is wildly insecure. In fact, the
software used to attack Krebs was simple and amateurish. What this attack
demonstrates is that the economics of the IoT mean that it will remain
insecure unless government steps in to fix the problem. This is a market
failure that can't get fixed on its own.

Our computers and smartphones are as secure as they are because there are
teams of security engineers working on the problem. Companies like
Microsoft, Apple, and Google spend a lot of time testing their code before
it's released, and quickly patch vulnerabilities when they're discovered.
Those companies can support such teams because those companies make a huge
amount of money, either directly or indirectly, from their software—and,
in part, compete on its security. This isn't true of embedded systems like
digital video recorders or home routers. Those systems are sold at a much
lower margin, and are often built by offshore third parties. The companies
involved simply don't have the expertise to make them secure.

Even worse, most of these devices don't have any way to be patched. Even
though the source code to the botnet that attacked Krebs has been made
public, we can't update the affected devices. Microsoft delivers security
patches to your computer once a month. Apple does it just as regularly, but
not on a fixed schedule. But the only way for you to update the firmware in
your home router is to throw it away and buy a new one.

The security of our computers and phones also comes from the fact that we
replace them regularly. We buy new laptops every few years. We get new
phones even more frequently. This isn't true for all of the embedded IoT
systems. They last for years, even decades. We might buy a new DVR every
five or ten years. We replace our refrigerator every 25 years. We replace
our thermostat approximately never. Already the banking industry is dealing
with the security problems of Windows 95 embedded in ATMs. This same problem
is going to occur all over the Internet of Things.

The market can't fix this because neither the buyer nor the seller cares.
Think of all the CCTV cameras and DVRs used in the attack against Brian
Krebs. The owners of those devices don't care. Their devices were cheap to
buy, they still work, and they don't even know Brian. The sellers of those
devices don't care: they're now selling newer and better models, and the
original buyers only cared about price and features. There is no market
solution because the insecurity is what economists call an externality: it's
an effect of the purchasing decision that affects other people. Think of it
kind of like invisible pollution.

What this all means is that the IoT will remain insecure unless government
steps in and fixes the problem. When we have market failures, government is
the only solution. The government could impose security regulations on IoT
manufacturers, forcing them to make their devices secure even though their
customers don't care. They could impose liabilities on manufacturers,
allowing people like Brian Krebs to sue them. Any of these would raise the
cost of insecurity and give companies incentives to spend money making their
devices secure.

Of course, this would only be a domestic solution to an international
problem. The Internet is global, and attackers can just as easily build a
botnet out of IoT devices from Asia as from the United States. Long term, we
need to build an[other] internet that is resilient against attacks like
this. But that's a long time coming. In the meantime, you can expect more
attacks that leverage insecure IoT devices.

  [This is verbatim from Bruce, except for the up-casing of the Internet
  in all cases (!) except the one in the last paragraph, which is obviously
  not The Internet as we know it.  PGN]

Alex Stamos: Yahoo's scanning program

"Peter G. Neumann" <>
Sat, 8 Oct 2016 10:55:42 PDT

Contrary to a denial by Yahoo and a report by *The New York Times*, the
company's scanning program, revealed earlier this week by Reuters, provided
the government with a custom-built back door into the company's mail service
-- and it was so sloppily installed that it posed a privacy hazard for
hundreds of millions of users, according to a former Yahoo employee with
knowledge of the company's security practices.

Alex Stamos, Yahoo's former information security chief who Reuters reported
left the company after finding out about its cooperation with the U.S.
government's scanning mandate, is said to have taken particular issue with
how poorly the scanning tool was installed. "He was especially offended that
he was not looped in on the decision," said the ex-Yahoo source. "The
program that was installed for interception was very carelessly implemented,
in a way that if someone like an outside hacker got control of it, they
could have basically read everyone's Yahoo mail," something the source
attributed to "the fact that it was installed without any security review."

To people whose entire job it is to prevent something like this from
happening, the discovery was a shock, and they immediately did what was done
for any other uncovered vulnerability, filing a complaint so the problem
could be tracked and corrected. "Standard protocol on the security team,"
the ex-Yahoo source explained, "is to open a security issue and assign it to
the team responsible for that component, in this case Mail, saying you have
to fix this within 24-48 hours," due to its severity. "At that point [Yahoo
Mail] would have had to explain to [them] why they didn't have to fix this,
which was because they had installed it." But the source says that after the
security team raised an alarm over the email scanning, still thinking it was
the work of an outside hacker and not their coworkers, the complaint
suddenly went missing from Yahoo's internal tracker: "I looked for the issue
and I couldn't find it," said the Yahoo alum. "I assume it was deleted."

Eventually, several months after the tool was first installed, some members
of Yahoo's security team were filled in about the truth of scanning project,
though they were unable to alter it by that point - a decision that left
many frustrated or worse. "It was detected early enough that we could have
made things better," the ex-Yahoo source said. "I was very upset."

"Yahoo's email snooping: It's all legal" (Caroline Craig)

Gene Wirchenko <>
Fri, 07 Oct 2016 10:22:10 -0700
Caroline Craig, InfoWorld, 7 Oct 2016
Yahoo is only the latest tech company to be caught up in a system of
secret surveillance and government gag orders
InfoWorld Tech Watch

opening text:

The revelation this week that Yahoo scanned the incoming emails of hundreds
of millions of Yahoo users set off a storm of condemnation.  The real
outrage is that this kind of government surveillance, frequently abetted by
the collaboration of telecom and tech companies, is pervasive and has little
or no oversight.

As told by Reuters and the New York Times, Yahoo received a secret order
last year from a judge of the Foreign Intelligence Surveillance Court (FISC)
that compelled the company to customize an existing scanning system (used to
find and report child pornography and malware) to search emails for a
computer "signature" tied to the communications of a state-sponsored
terrorist organization. Emails containing the signature were turned over to
the NSA or FBI—and Yahoo was barred from disclosing the matter.

In other words, Yahoo was destined to be the fall guy, left to twist in the
wind by a system of secret courts and government gag orders.  Its terse
statement—"Yahoo is a law-abiding company, and complies with the laws of
the United States"—did nothing to defend it against the torrent of calls
for users to ditch Yahoo services. But legally, the company could disclose
nothing more about what data it did or did not turn over—and why.

Yahoo scanned customer e-mails for U.S. Intelligence

Michael Marking <>
Wed, 5 Oct 2016 20:51:47 +0000

  Yahoo Inc last year secretly built a custom software program to search all
  of its customers' incoming emails for specific information provided by
  U.S. intelligence officials, according to people familiar with the matter.

  The company complied with a classified U.S. government demand, scanning
  hundreds of millions of Yahoo Mail accounts at the behest of the National
  Security Agency or FBI, said three former employees and a fourth person
  apprised of the events.  [...]

It seems that PGP had it right: encryption was controlled by the
customer. Why can't we have a new standard, designed to work with the major
browsers and e-mail vendors—maybe built on PGP—that would take the
encryption responsibility out of the hands of the e-mail providers, but
allow them to claim, "Complies with independent encryption standard XYZ",
and maybe XYZ vendors or some open source projects could provide the plug-in
so that Google, Yahoo, and the rest couldn't read the mails? Maybe the
e-mail providers might be happy to tell the NSA or FBI or whoever, "we can't
read the mail, there's nothing we can do to help..."  (There's still the
metadata, but it's a start.)

I'm not a UI or JavaScript programmer, but if I had to guess, I'd say that
the place to start would be an encrypting editor of some sort that the
e-mail providers could just plug in to their own e-mail web scripts. It
wouldn't be necessarily straightforward (how do we know that the e-mail
provider didn't modify the editor script? for example), but if we separate
the encryption from the e-mail itself, there might be a fighting chance at

Yes, I know this has probably been suggested before, but it's not going away
until it's fixed.

Apple, Google, Microsoft: We Have No Government Email Scanning Program Like Yahoo's

Werner U <>
Wed, 5 Oct 2016 08:39:57 +0200 via *The Register*
(Posted by BeauHD on Tuesday October 04,)

Apple, Google and Microsoft have each said they don't scan all incoming
messages for the U.S. government -- which is exactly what Yahoo does.
According to Reuters, Yahoo secretly built a custom software program last
year to search all of its customers' incoming emails for specific
information provided by U.S. intelligence officials. The company complied
with a classified U.S. government directive, scanning hundreds of millions
of Yahoo Mail accounts at the behest of the National Security Agency or
FBI. Vocativ reports:

  * In a statement, a Microsoft spokesperson told Vocativ that "We have never
    engaged in the secret scanning of email traffic like what has been
    reported today about Yahoo." While Apple declined to give a statement on
    the record, a representative for the company did, in response to
    Vocativ's question, refer to CEO Tim Cook's official letter on consumer
    privacy, which reads in part: "I want to be absolutely clear that we have
    never worked with any government agency from any country to create a
    backdoor in any of our products or services. We have also never allowed
    access to our servers. And we never will." The fact that both the
    companies declined further statement means it's not yet known if the NSA
    or FBI approached them to request they build a program like Yahoo's.

  * Meanwhile, a spokesperson from Alphabet's Google issued a statement to
    CNBC: "We've never received such a request, but if we did, our response
    would be simple: 'no way.'" [The spokesperson later clarified that the
    company has not received a "directive" or "order" to that effect, either,
    according to The Intercept.]

But the question is whether or not you believe them. With Yahoo's case, only
a handful of employees knew about the program. The same could be true with
Apple, Google, Microsoft or any other large tech company. Edward Snowden
tweeted not too long after Reuters' report surfaced: "Heads up: Any major
email service not clearly, categorically denying this tomorrow—without
careful phrasing -- is as guilty as Yahoo."

National Cyber Security Awareness Month (NCSAM)—supported by the Mozilla Project

Werner U <>
Sat, 8 Oct 2016 17:23:40 +0200

  [As Tom Lehrer might have said, in a totally different context, "Be
  grateful that it doesn't last all year!"  But in this case, it needs to be
  not just an awareness day or month—it needs to be perpetual.  PGN]

"IoT botnet highlights the dangers of default passwords" (Michael Kan)

Gene Wirchenko <>
Fri, 07 Oct 2016 09:57:42 -0700
Michael Kan, InfoWorld, 4 Oct 2016
The Mirai botnet used IoT devices to launch a massive DDoS attack

selected text:

A botnet responsible for a massive DDoS (distributed denial-of-service)
attack was created thanks to weak default usernames and passwords found in
Internet-connected cameras and DVRs.

The Mirai botnet grabbed headlines last month for taking down the website of
cybersecurity reporter Brian Krebs with a huge DDoS attack. Unlike most
botnets, which rely on infected PCs, this one used IoT devices to target its

Re: Source code for IoT botnet Mirai Released Krebs 1 Oct (WernerU)

Chiaki Ishikawa <>
Wed, 5 Oct 2016 15:09:53 +0900
Who is behind the source of botnet Mirai?
> Source code for IoT botnet Mirai Released Krebs 1 Oct

Being Japanese, I could not help but notice that
*Mirai* is a Japanese word for the "future", and
*Anna-senpai* is a way to address one's senior whose name is Anna
in Japanese, most likely in a school setting or similar closely knit group.

I searched the Japanese web, and sure enough there seems to be a light novel
with this Anna-senpai figure, and an Anime based on it. (Light novel is a
genre of stories that can be read easily on the small screen of a mobile
phone. "Crime and Punishment" is definitely NOT a light novel.) I found
the English wiki for this anime/novel. CAUTION: the following page may not
be fit for an ordinary office and/or family-oriented environment. For this
reason, I intentionally mistyped a component in the URL. You can figure it
out.

In the URL the graphics shown as the login logo of the person in the
hackerforum screen must be this "Anna-Senpai" figure in the Anime. Oh well,
a lame attempt to profile the person who published the source code without
bothering to trace IP addresses and stuff.

When I grew up watching the original Astro Boy and other cartoons, I never
thought that Japanese anime would have such an influence all over the
world. It would be interesting, to say the least, to see the eventual
damages caused by the large number of these almost orphaned devices with
weak security. If the user/password pairs listed in the source code are an
indicator, there is no security at all.  (There is a link to github in the
comment section of the krebsonsecurity web site. You don't have to log in
to the Hackerforum website to see the source code.)

That adage, "History does not repeat itself. Those who cannot remember the
past are condemned to repeat it," comes to my mind. Sigh...

Windows 10 update traps some systems in a boot loop, Microsoft promises fix

Lauren Weinstein <>
Thu, 6 Oct 2016 12:24:04 -0700

  Microsoft insists that this problem only affected people in the Windows
  Insider Program, though it has not explained why others not in that
  program would have been impacted by the latest patch. A fix has been
  pushed out for the issues but the company has provided no details into
  what went wrong or what the patch fixes. The supposed link to a knowledge
  base (KB) article that's supposed to describe the problem is actually dead
  as of this writing.

And herein is the fundamental problem. Unlike the hardware scope of a
Chromebook, or even an Android phone, a PC's hardware mix can be so varied
and complex in terms of driver environments that automatic updates (which
are not necessarily a priori always a bad thing!) can become decidedly
problematic in the Windows ecosystem.

NSA Contractor Arrested in Possible New Theft of Secrets (NYTimes)

Monty Solomon <>
Thu, 6 Oct 2016 00:52:06 -0400
The FBI is investigating whether Harold T. Martin III, a National Security
Agency contractor, stole and disclosed highly classified computer code,
officials said.


The FBI seized papers and digital devices from Harold T. Martin III's home
in Maryland, but found no indication that he had passed classified
information to anyone else.

How hard is it to hack the average DVR? Sadly, not hard at all

Monty Solomon <>
Thu, 6 Oct 2016 02:35:36 -0400
