The RISKS Digest
Volume 29 Issue 85

Saturday, 15th October 2016

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Hacking elections? Merrilly we loll along!??
Hacking elections, the CIA, Russians, Chinese, and more
Sean Gallagher on Jack Goldsmith
Re: Undetectable election hacking?
Mark E. Smith
San Francisco Muni to replace malfunctioning buses after computer error led to crash
Steve Brack
5,761 Online Stores Currently Infected with Card-Data-Stealing Malware
Catalin Cimpanu
Old SSH-Bug resurrected for IoT botnets
Catalin Cimpanu
Android Banking Trojan Acecard - Submit a Selfie Holding ID Card
Catalin Cimpanu
Google: Building on Surveillance Reform
via Lauren Weinstein
GlobalSign screw-up cancels top websites' HTTPS certificates
The Register
Police Use Surveillance Tool to Scan Social Media
U.S. Athletes Reassured After New Russian Hack
More on Samsung
Re: Samsung discontinues Galaxy Note 7 after battery debacle
Erling Kristiansen
Info on RISKS (comp.risks)

Hacking elections? Merrilly we loll along!??

"Peter G. Neumann" <>
Sat, 15 Oct 2016 10:30:48 PDT
"I think it probably is the least likely [to] see something be rigged
because I can't even imagine how you could do that."

  [This person clearly needs to be reading RISKS!  PGN]

Hacking elections, the CIA, Russians, Chinese, and more (Sean Gallagher on Jack Goldsmith)

Werner U <>
Thu, 13 Oct 2016 17:21:52 +0200
  [Quoted misspelling of Ramsey Clark fixed.  PGN]

Electoral warfare, Sean Gallagher, ArsTechnica, 21 Sept 2016
Thanks, Internet! Messing with elections not just for the CIA anymore.

Former Justice official: U.S.'s own electoral meddling leaves little room
for complaint.

Even if the Russian government was behind the hack of the Democratic
National Committee (DNC) and various other political organizations and
figures according to Jack Goldsmith, a Harvard law professor and former US
assistant attorney general.

Goldsmith, who served at the Justice Department during the administration of
George W. Bush and resigned after a dispute over the legal justifications
for "enhanced interrogation" techniques, spoke on Tuesday about the DNC hack
during a Yale University panel.

"Assuming that the attribution is accurate," Goldsmith said, "the US has
very little basis for a principled objection." In regard to the theft of
data from the DNC and others, Goldsmith said that "it's hard to say that it
violates international law, and the US acknowledges that it engages in the
theft of foreign political data all the time."

Goldsmith pointed out that when Director of the Office of National
Intelligence James Clapper testified before Congress about a data breach at
the Office of Personnel Management, which collected sensitive information on
millions of individuals who had worked for or done business with the
government, "He said, 'I'm really impressed with what they did, and I would
have done the same thing if I could have.'"

As far as the publication of the stolen data in a way intended to interfere
with the US presidential election, Goldsmith noted that the US has a long
history of interference in other countries' politics. "Misinformation
campaigns are a core element of what the [Central Intelligence Agency] has
done" since it was created, he said.

Goldsmith cited a study published in August by Dov H. Levin of the Institute
for Politics and Strategy at Carnegie Mellon University. The data set for
the study details all 117 known times the US and the USSR (later Russia)
attempted to manipulate the outcome of elections in other countries. "This
was either supporting one side, or taking actions to denigrate or harm the
other side," explained Goldsmith. "And 69 percent of this was the US."  Bad

In 1989, as a young Navy officer, I got a front-row seat to one of the more
overt efforts by the US government to influence the results of a foreign
election. I was in Panama, and the outskirts of Panama City were plastered
with campaign signs for Guillermo Endara, the presidential candidate of the
Democratic Alliance of Civic Opposition (ADOC), the opposition party
challenging General Manuel Noriega's Democratic Revolutionary Party.

The CIA funded Endara's campaign, giving him $10 million—a huge sum for a
country of 2.4 million people. As an independent commission led by former
Attorney General Ramsey Clark found in a report, "It is the per-capita
equivalent of a foreign government spending over $1 billion to influence a
US national election (five times the amount spent by George Bush and Michael
Dukakis combined in the 1988 presidential election)."

I left the country just before the election, which Endara apparently won
based on exit polls—though that result wouldn't stand because of vote
fraud by Noriega's supporters. A "dignity battalion" attacked Endara and his
running mate with clubs.

I returned in December to do a security inspection at Rodman Naval Station,
only to find myself being ushered into a van to the nearby Air Force base in
the early morning hours of December 20 to evacuate as the US "corrected" the
election results with Operation Just Cause.

There are many other examples, some of them less direct—such as US
support for a 1973 coup in Chile that overthrew the elected government of
socialist President Salvador Allende.

Other US efforts to affect politics—even those within the Soviet Union—
were more subtle. Goldsmith cited an example in the early 1950s, when
"[Nikita] Khrushchev trashed Stalin in a party meeting. The CIA got a
recording of it and leaked it to newspapers in an attempt to harm

"No piece of [the DNC hack] is different functionally" from what both the US
and Russia have done in the past, Goldsmith said. What's different is that
it's happening *to* the United States—and that doesn't feel good.

Thanks to the Internet and the powerful asymmetric capabilities it provides,
events like these are likely to continue. Cyber-disinformation campaigns can
happen "with an ease and scale that dwarfs everything that happened before,"
Goldsmith noted. The threat of interference in politics through hacking and
data manipulation might render all past precedents set by intelligence
organizations moot.

"Theft and publication of truthful information is small beans—what about
theft and publication of *faked* information, which is hard to verify, or
tampering with the vote itself?" Goldsmith said. "That could have huge
consequences, the number of actors who could do this are many, and our
ability to defend against it is uncertain."

The Russian government has been preparing for this game for some
time. Individuals aligned with the Russian government have used social media
disinformation, denial of service attacks, and hacking campaigns to shape
the political landscape in former Soviet states and elsewhere in Europe
frequently over the last decade. China also has shown a willingness to use
information operations to influence US politics—apparently hacking the
networks of both Barack Obama and John McCain during the 2008 presidential
election campaign, using information obtained about McCain's interactions
with Taiwan to further its own political objectives.

Echoing comments made by Edward Snowden last year Goldsmith concluded, "The
US has the most powerful cybercapabilities in the world... but we are very
much also the most vulnerable, and we're going to be more and more on the
losing end of the stick.  I think this is just the beginning."

Guest editorial: The DNC hack and dump is what cyberwar looks like.

Cybergeddon: Why the Internet could be the next *failed state*

Re: Undetectable election hacking? (Smith, RISKS-29.84)

"3daygoaty ." <>
Thu, 13 Oct 2016 13:15:07 +1100
This is of course a divergent rant that takes us away from cyberrisks.

> To vote is to declare yourself incompetent to manage your own affairs, and
> to appoint whoever takes office as your guardian with a full power of
> attorney to spend your money and dictate your choices.

I hope I can apply some salve by the idea that voting is rather like
evolution.  The individual plays no role in evolution.  It's the
circumstances of thousands of individuals that leads to the emergence of
selective qualities being selected.  You don't vote for your own good, you
vote for the good of everyone else.

I suspect many people in the US would be outraged that voting might be made
compulsory as it is here in Australia.   Now while too many Australians try
to avoid voting by not registering to vote, the vast majority of us vote -
and the ballots are far more complex than just about everywhere else in the
world.  The election losers are mostly satisfied with the results and the
process is free of voter obstruction, special interest effects and multiple

There are second-order effects from voting as well.  Even if I live in a
safe left wing seat and right wing votes appear to be for naught, the
number of right wing votes conveys information and this affects how
audacious the left wing government of this seat behaves.

Re: Undetectable election hacking? (Replying to John Sebes, Mark Kramer, Michael Kohne)

"Mark E. Smith" <>
Wed, 12 Oct 2016 17:41:50 -0700
John Sebes wrote, "....if you don't try to vote, you have 0% chance of
being counted; while if you do vote you do have a chance of being counted."

Would you use an ATM if there was only a chance that you'd get your money or
that your deposit would be credited to your account? Is democracy less
important to you than your bank account?

Sebes: "If everyone who had the same type of doubts that Mark has (and/or
others that I and other election folks have) were to not vote, then we would
not have an effective democracy."

Rule by the rich is not called democracy, it is called plutocracy.  That is
the system we have and that is the system to which I do not wish to lend
legitimacy by voting.

To you a broken election might be a nightmare, but to me endless wars,
military expansionism at the expense of domestic needs, trillions of dollars
unaccounted for by the Pentagon, trillions more to bail out banks that
knowingly and deliberately wrecked our economy, homeless people sleeping on
the streets of every city in the country, unarmed citizens being killed by
the police every day, the widespread use of prison labor (something we used
to condemn when China did it), decreasing longevity rates, people lacking
access to clean drinking water, a quarter of U.S. citizens diagnosed as
mentally ill, and a total lack of accountability at the highest levels of
government, is a nightmare from which I'd very much like to awaken.

Mark Kramer wrote, "If your candidate concedes prior to the votes being
counted, that's the fault of your candidate and not the system."

A system that allows a single person to decide an election, is not a
democratic system. In some systems, if the winning candidate withdraws,
dies, or becomes unable to hold office, a new election would be held rather
than allowing someone who was not elected to take office. The problem indeed
is with the system.

Michael Kohne wrote, "Staying home just gives anyone monkeying around with
the system that much more leverage to work with."

Elections officials have the same leverage to work with whether people vote
or stay home. A central tabulator can be programmed to give a certain
proportion of the votes to a specific candidate without regard to how many
ballots were cast. Whether 90% vote, 50% vote, or only 10% vote, the
leverage for monkey-wrenching remains the same.

Kohne: "...But I can't respect just sitting there whining without even
trying to vote, let alone FIX it."

Yes, that's the old argument that doing something is better than doing
nothing, and that not voting is doing nothing. So the person whose
carburetor is flooded should keep stepping on the gas rather than just
sitting there and doing nothing. The person who realizes that they're about
to drive over a cliff, should keep driving rather than stopping and just
sitting there doing nothing.

Quoting my own August 2011 article, "You've Got to Stop Voting" :

"If you're doing something wrong, or something that is self-destructive or
hurting others, stopping might be a good idea. If delegating your power to
people you can't hold accountable has resulted in the devastation of your
economy, do you really want to keep doing it? If granting your authority to
people you can't hold accountable has resulted in wars based on lies that
have killed over a million innocent people, do you really want to keep doing
it? If granting your consent of the governed to people you can't hold
accountable has resulted in government operating on behalf of big
corporations and the wealthy instead of on behalf of the people, do you
really want to keep doing it?"

Kohne: "And no, 'protesting' by not voting isn't fixing anything. It's a
cop-out. It accomplishes NOTHING."

When Ireland tried to introduce electronic voting machines, voters refused
to use them and eventually the government had to scrap them.  Protesting by
not voting was proven to be an effective tactic.

Perhaps I'm wrong, but I was under the impression that most computer
professionals, on becoming aware that their system was infested with some
sort of malware that infested any other computers they communicated with,
would stop using the system until it was cleaned and safe to use. I've never
heard of anyone saying, "Well, just keep using it because we don't want
people to lose faith in our computer system." But judging from the responses
I've been getting, maybe I haven't been reading RISKS closely enough and it
is a common attitude that I somehow failed to notice.

San Francisco Muni to replace malfunctioning buses after computer error led to crash

Steve Brack <>
Fri, 14 Oct 2016 02:12:57 -0400
"A computer error—a circuit failure that affected the brakes—was found
to be the cause of a Muni bus crash into the back of a delivery truck, city
officials said, raising questions about the condition of a group of older
buses that are being replaced."

Apparently, the driver taking his foot off the accelerator, hitting the
brake pedal, or applying the emergency brake didn't disengage the traction
motors of the electric trolleybus, in part due to a communications failure.
This doesn't sound like a fail-safe design.

Muni instructed drivers to either press the "Poles Down" button (to cut off
current), press the emergency stop switch, or select "Off" on the master
controller in such a situation.  The brakes were working, but the powerful
traction motors continued pushing the bus forward anyway.

Muni to replace malfunctioning buses after computer error led to crash -
The San Francisco Examiner
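The design point in the item above is that a traction controller which keeps its last command until a newer message arrives is not fail-safe: lose the link while the driver is braking and the motors keep pushing. The model below is an added example (not Muni's or the bus vendor's software; the names PedalMsg, LatchingController, FailSafeController and the scenario are this example's own) that puts a latching controller beside one where traction must be re-earned every tick and a watchdog cuts the motors on silence.

```python
"""Fail-safe vs. latching traction control, a constructed model (not Muni's
or the bus vendor's software). Names such as PedalMsg, LatchingController and
FailSafeController are this example's own."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PedalMsg:
    """One message from the pedal/brake unit to the traction controller."""
    throttle_pct: int       # accelerator position, 0..100
    brake_applied: bool     # service brake or emergency brake pressed


class LatchingController:
    """The failure mode described above: the last traction command stays in
    force until a newer message replaces it, so if the link drops while the
    driver is braking, the brake message never arrives and the motors keep pushing."""

    def __init__(self) -> None:
        self.traction_pct = 0

    def tick(self, msg: Optional[PedalMsg], hardwired_cut: bool = False) -> int:
        if hardwired_cut:                       # "Poles Down" / emergency stop / master Off
            self.traction_pct = 0
        elif msg is not None:                   # no message: keep the old command (unsafe)
            self.traction_pct = 0 if msg.brake_applied else msg.throttle_pct
        return self.traction_pct


class FailSafeController:
    """Traction has to be re-earned on every tick by a fresh message with no
    brake applied. Silence beyond a short grace period (a watchdog), any brake,
    or the hardwired cut-off all drive the output to the safe state, 0."""

    def __init__(self, grace_ticks: int = 1) -> None:
        self.grace_ticks = grace_ticks          # tolerate this many consecutive lost messages
        self.missed = 0
        self.traction_pct = 0

    def tick(self, msg: Optional[PedalMsg], hardwired_cut: bool = False) -> int:
        if hardwired_cut:
            self.traction_pct = 0
            return 0
        if msg is None:                         # communications failure
            self.missed += 1
            if self.missed > self.grace_ticks:
                self.traction_pct = 0           # watchdog expired: default to safe
            return self.traction_pct
        self.missed = 0
        self.traction_pct = 0 if msg.brake_applied else msg.throttle_pct
        return self.traction_pct


def run(controller, scenario: List[Tuple[Optional[PedalMsg], bool]]) -> List[int]:
    """Feed a scenario (message-or-None, hardwired_cut) tick by tick; return traction per tick."""
    return [controller.tick(msg, cut) for msg, cut in scenario]


# Constructed scenario: cruising at 40% throttle, then the pedal link fails for
# three ticks (the driver is braking, but the message never arrives), then a
# brake message finally gets through.
LINK_FAILURE = [
    (PedalMsg(40, False), False),
    (PedalMsg(40, False), False),
    (None, False), (None, False), (None, False),
    (PedalMsg(0, True), False),
]

if __name__ == "__main__":
    print("latching :", run(LatchingController(), LINK_FAILURE))
    print("fail-safe:", run(FailSafeController(), LINK_FAILURE))
```

The grace period is the only tuning knob: one dropped message should not lurch the bus, but the second consecutive one must cut traction regardless of what the last valid command said. The hardwired cut-off is checked before anything else precisely because it does not depend on the link that failed.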

5,761 Online Stores Currently Infected with Card-Data-Stealing Malware (Catalin Cimpanu)

Werner U <>
Thu, 13 Oct 2016 19:04:43 +0200
Catalin Cimpanu, softpedia, 13 Oct 2016
Online skimming malware is about to become a big problem

In spite of the fact that WordPress continues to be the most hacked CMS
platform, compromising online shopping platforms such as Magento, OpenCart,
and others is by far more lucrative for online crooks.

According to Willem de Groot, security analyst for, the number of
online shops infected with malware has skyrocketed in the past year, as
crooks found that online skimming presents a greater target and more
anonymity than real-world ATM skimming.

The recent surge in online skimming has fueled a growth in carding sites who
now often sell payment card data stolen via compromised online store payment
pages and PoS malware, rather than data acquired from ATM skimmers.  Online
skimming has gone up 69% in 10 months.

De Groot, who is also one of the people behind, a Magento
site security scanner, has been keeping track of online stores infected with
malware, ever since November 2015, when he first saw an up-tick in such
cases.  <>

A general Internet scan of 255,000 online stores has revealed the presence
of various malware variants on 3,501 shops.

When he repeated the scan in March 2016, he found 4,476 infected stores, up
by 28 percent. Ten months later, in September 2016, de Groot found 5,925
infected sites, up by 69 percent from November 2015.

With the recent discovery of the *MageCart malware*, de Groot repeated his
scan again, and on October 10, when he found 5,911 infected stores. The good
news is that the MageCart report scared enough webmasters, and on October
12, the number had gone down to 5,761, with 334 admins cleaning up their
stores, while 170 new stores were infected.

Some high-profile sites are infected

You might be tempted to think that only old and niche websites suffer such
infections. It's not true. De Groot highlights some pretty high-profile
sites on his most recent infection lists.

He mentions the online store of Icelandic singer Bjork, the store of Audi
South Africa, and the website of the NRSC (National Republican Senatorial
Committee).  Some webmasters don't understand the problem, or just don't

Cleaning up these stores is not a simple job, since updating some online
platforms such as Magento requires some level of technical skills, and it's
not a one-click button job.

But de Groot doesn't have a problem with the technical side of updating
online stores, since all online platforms provide very good documentation
to get this done. His problem is with the human factor. Here are some of
the replies he received from store admins whom he notified:

  We don't care, our payments are handled by a 3rd-party payment provider.

  Thanks for your suggestion, but our shop is totally safe. There is
  just an annoying javascript error.

  Our shop is safe because we use https.

Online skimming malware is now more complex

And if the ignorance of online store owners wasn't enough, De Groot, who's
been keeping track of different malware families says he's seen a rise in
sophistication for the malware's code.

He mentions that in its first variations, the malware, usually a JavaScript
file secretly loaded on the online store, would wait until the user would
access a page with the "checkout" term in the URL. Nowadays, malware has
support for various types of checkout and payment extensions and uses very
complex code obfuscation.

Besides getting harder to detect, the number of online skimming malware has
gone through the roof as well. De Groot says that in almost a year, online
skimming malware has gone from one single threat to nine varieties and three
distinct malware families.

Google, Visa, and Mastercard should intervene

"Companies such as Visa or Mastercard could revoke the payment license of
sloppy merchants," de Groot proposes.  "But it would be way more efficient
if Google would add the compromised sites to its Chrome Safe Browsing
blacklist. Visitors would be greeted with a fat red warning screen and
induce the store owner to quickly resolve the situation."

De Groot says that he's been sending the Safe Browsing team reports about
his findings, but currently, only a handful of these sites are blacklisted.

Old SSH-Bug resurrected for IoT botnets (Catalin Cimpanu)

Werner U <>
Thu, 13 Oct 2016 19:15:44 +0200
Catalin Cimpanu, Softpedia, 12 Oct 2016

12-Year-Old SSH Bug Used to Relay Malicious Traffic via IoT Devices
IoT devices used as proxies for malicious traffic

Attackers are using IoT devices as proxies for malicious traffic by taking
advantage of a configuration option in SSH daemons, which allows them to
use a 12-year-old OpenSSH flaw to bounce traffic off IoT equipment.

The flaw is *CVE-2004-1653*, a security issue discovered in 2004 and patched
in early 2005, caused by a default configuration that was shipping at the
time in OpenSSH (sshd).

According to MITRE
<> and security
experts Jordan Sissel <>
and Joey Hess <>, older
versions of the OpenSSH client allowed TCP forwarding in default setups,
which then allowed remote authenticated users to perform a port bounce.

The flaw was not severe since attackers needed SSH access to the device, but
after an attacker brute-forced his way into systems using unsecured SSH
credentials, he could monetize those machines as part of for-hire proxy
services sold online.

Bug resurrected for IoT botnets

While OpenSSH hasn't featured that default configuration option for years,
OpenSSH has been embedded in billions of IoT devices spread all over the

As we know by now, most of these devices are the victims of *Telnet and SSH
brute-force attacks* on a regular basis and are being added to DDoS botnets
every day.

Because IoT devices lack the hardware capabilities to support complex
operations, the only good things an IoT botnet can be used for is to launch
other brute-force attacks, launch DDoS attacks, and relay malicious traffic.

IoT devices used as relays for other malicious traffic.

According to a threat advisory released by Akamai today, the company's
security team says it detected large amounts of malicious traffic
originating from IoT devices.

A further investigation of the issue has revealed that crooks have been
brute-forcing IoT devices, altering their SSH configurations by enabling the
"AllowTcpForwarding" option, and then using these devices as proxies for all
sorts of malicious traffic.

This allows attackers to mask the true origin of their attacks, may it be
DDoS attacks, regular Web traffic, other brute-force attacks, or any other
kind of Internet packet that can be relayed by the IoT device.

In order to prevent these attacks, which Akamai tracks under the SSHowDowN
Proxy codename, the company recommends a set of defensive measures; for
"How to Protect Yourself (Device Vendors and/or End Users)", see the article.
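The relay abuse above rests on two sshd settings: credentials weak enough to brute-force, and AllowTcpForwarding switched on (which, as the CVE text recalls, was OpenSSH's default when the directive is absent). The script below is an added example, not Akamai's or OpenSSH's tooling, that audits an sshd_config's global section for those settings and emits a hardened copy; the sample config is constructed, and the policy table reflects OpenSSH's documented defaults (AllowTcpForwarding and PasswordAuthentication default to yes when absent, PermitRootLogin to prohibit-password on 7.0 and later).

```python
"""Audit and harden an sshd_config against the settings abused in the
SSHowDowN-style relaying described above. Added example, not Akamai's or
OpenSSH's tooling; the sample config is constructed. Policy values reflect
OpenSSH's documented defaults (AllowTcpForwarding and PasswordAuthentication
default to yes when absent, which is why an absent directive is still a finding)."""
import re
from typing import Dict, List, Tuple

# directive -> (values treated as risky for an exposed device, recommended value)
POLICY = {
    "AllowTcpForwarding": ({"yes", "all", "local", "remote"}, "no"),
    "PermitRootLogin": ({"yes"}, "no"),
    "PasswordAuthentication": ({"yes"}, "no"),
    "GatewayPorts": ({"yes", "clientspecified"}, "no"),
    "PermitTunnel": ({"yes", "point-to-point", "ethernet"}, "no"),
}
# Effective value when the directive is not set at all (OpenSSH defaults;
# PermitRootLogin's default is prohibit-password on OpenSSH 7.0 and later).
DEFAULTS = {
    "AllowTcpForwarding": "yes",
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "GatewayPorts": "no",
    "PermitTunnel": "no",
}
CANON = {name.lower(): name for name in POLICY}   # sshd directives are case-insensitive


def _split(line: str) -> List[str]:
    """Strip comments and split 'Directive value' or 'Directive=value'."""
    line = line.split("#", 1)[0].strip()
    return re.split(r"[\s=]+", line, maxsplit=1) if line else []


def parse_global(config_text: str) -> Dict[str, str]:
    """Return {directive_lower: value} for the global section. As sshd does,
    the first occurrence wins; parsing stops at the first Match block, whose
    directives only apply to the users or addresses it names."""
    settings: Dict[str, str] = {}
    for raw in config_text.splitlines():
        parts = _split(raw)
        if not parts:
            continue
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip().lower()
    return settings


def audit(config_text: str) -> List[Tuple[str, str, str]]:
    """Return (directive, effective value, recommended value) for every risky setting."""
    settings = parse_global(config_text)
    findings = []
    for name, (risky, recommended) in POLICY.items():
        value = settings.get(name.lower(), DEFAULTS[name])
        if value in risky:
            findings.append((name, value, recommended))
    return findings


def harden(config_text: str) -> str:
    """Rewrite the global section so every policed directive carries its
    recommended value; directives that were absent are added explicitly,
    placed before the first Match block so they stay global."""
    out: List[str] = []
    fixed = set()
    match_at = None
    for raw in config_text.splitlines():
        parts = _split(raw)
        key = parts[0].lower() if parts else ""
        if key == "match" and match_at is None:
            match_at = len(out)
        if match_at is None and key in CANON and key not in fixed:
            name = CANON[key]
            out.append(f"{name} {POLICY[name][1]}")
            fixed.add(key)
            continue
        out.append(raw)
    missing = [f"{n} {POLICY[n][1]}" for n in POLICY if n.lower() not in fixed]
    if match_at is None:
        out.extend(missing)
    else:
        out[match_at:match_at] = missing
    return "\n".join(out) + "\n"


# Constructed sample: the kind of sshd_config found on a brute-forced device,
# with AllowTcpForwarding switched back on so the box can relay traffic.
IOT_CONFIG = """\
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
PermitRootLogin yes
PasswordAuthentication yes
AllowTcpForwarding yes   # re-enabled by the intruder
Subsystem sftp /usr/lib/openssh/sftp-server
Match User backup
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    for name, value, recommended in audit(IOT_CONFIG):
        print(f"{name}: {value} (recommend {recommended})")
    print(harden(IOT_CONFIG))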

Android Banking Trojan Acecard - Submit a Selfie Holding ID Card (Catalin Cimpanu)

Werner U <>
Sat, 15 Oct 2016 12:17:05 +0200
Catalin Cimpanu, Softpedia, Oct 14 2016

Social engineering tactics hit a new level
Untrained and gullible Android users are now the target of an Android
banking trojan that asks them to send a selfie holding their ID card.

The trojan's name is Acecard and is considered one of the *most dangerous
and intrusive Android banking trojans known today* according to a Kaspersky
analysis from last February.

To stay ahead of security researchers, all malware must constantly evolve,
either with changes to their underlying code or in their mode of operation.

New version of Acecard trojan found targeting Singapore and Hong Kong

A previous version of the Acecard trojan hid *inside a Black Jack game*
delivered via the official Google Play Store. In the most recent version of
this threat, security experts from McAfee
have found a new version of the Acecard trojan hidden inside all sorts of
apps that pose as Adobe Flash Player, pornographic apps, or video codecs.

All of these apps are distributed outside of the Play Store and constantly
pester users with permission requirement screens until they get what they
want, which is administrator rights.

Once this step is achieved, the trojan lies in hiding until the user opens
a specific app. McAfee experts found that when the user opens the Google
Play app, the trojan springs a new social engineering trap.

Acecard tricks the user into providing payment card and real ID details

First, it prompts the user for his payment card number. Then, in separate
popups, it asks the user for his card details, such as name and expiration
date, but also asks the user to enter his real ID details. At the time of
writing, versions of this trojan have been seen asking for ID details
specific to users living in Singapore and Hong Kong.

After this, the trojan uses new prompts to ask the user to take a picture
of the front and back side of his ID card. During a third step, the trojan
then asks the user to hold the ID in his hand, underneath his face, and
take a selfie.

ID photo can be used to confirm illegal transfers, take over accounts

"[This is] very useful for a cybercriminal to confirm a victim's identity
and access not only to banking accounts, but probably also even social
networks," says Carlos Castillo, McAfee researcher, of the reasons why
Acecard is using this new kink.

With photos of the victim's ID in hand, the attacker can verify illegal
banking transactions, or confirm to tech support that he's the real owner
of hijacked social media accounts.

Besides Google Play, this version of Acecard also collects access
credentials using fake logins for social media apps such as Facebook,
WhatsApp, WeChat, Line, and Viber, but also other apps such as Dropbox,
Google Music, Google Books, and Google Videos.

This trick obviously works only with less technical users who haven't
used smartphones for long. Any tech-savvy user would quickly understand
that there's no reason for Google to ask for an ID card, and take
measures to find the trojan and remove it from the phone.

Google: Building on Surveillance Reform

Lauren Weinstein <>
Fri, 14 Oct 2016 20:48:07 -0700
via NNSquad

  Today, we've updated our Transparency Report on government requests for
  user data.  Globally, we received 44,943 government requests for
  information regarding 76,713 accounts during the first half of 2016.  We
  provided user information in response to 64% of those requests, which
  remains unchanged from the previous reporting period (i.e. the second half
  of 2015).  We also received our first ever requests from the following
  countries: Algeria, Belarus, Cayman Islands, El Salvador, Fiji, and Saudi
  Arabia. In addition, pursuant to the USA Freedom Act, the FBI lifted a gag
  restriction on an NSL issued in the second half of 2015.  To reflect this,
  we have updated the range of NSLs received in that period—July to
  December 2015—from 0-499 to 1-499.  As we have noted in the past, when
  we receive a request for user information, we review it carefully and only
  provide information within the scope and authority of the request.  The
  privacy and security of the data that users store with Google is central
  to our approach.  Before producing data in response to a government
  request, we make sure it strictly follows the law, for example to compel
  us to disclose content in criminal cases we require the government use a
  search warrant, and that it complies with Google's strict policies (to
  prevent overreach that can compromise users' privacy).

GlobalSign screw-up cancels top websites' HTTPS certificates (The Register)

Monty Solomon <>
Fri, 14 Oct 2016 09:16:47 -0400
Many websites big and small have had their HTTPS certificates incorrectly
scrapped, meaning that for some people their browsers no longer trust
websites and refuse or are reluctant to access them.  It appears GlobalSign
inadvertently triggered the revocation of its intermediary certificates
while updating a special cross-certificate. This smashed the chain of trust
and ultimately nullified SSL/TLS certificates issued by GlobalSign to its
customers. It could take days to fix, leaving folks unable to easily read
their favorite webpages.  [PGN-ed]
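The item above turns on two facts about certificate chains: every site certificate is only as valid as the path from it to a root the client trusts, so revoking one intermediate nullifies every customer certificate beneath it, and a cross-certificate exists to give older clients a second path to a newer root. The model below is an added example, not GlobalSign's hierarchy or any browser's validator: the certificate names and serials are constructed, and keying revocation by serial alone (real CRLs key on issuer plus serial) is a simplification of this example's own.

```python
"""Why revoking one intermediate takes down every site beneath it, and why a
cross-certificate gives path building a second route. Added model (not
GlobalSign's hierarchy or any browser's validator): the certificate names,
serials and the simplification of keying revocation by serial alone are this
example's own."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_paths(leaf: Cert, pool: List[Cert], anchors: Set[Cert], max_len: int = 6) -> List[List[Cert]]:
    """Every issuer chain from leaf up to a trust anchor. One subject name can
    have several certificates (a root and a cross-certificate for the same
    CA), so the walk branches instead of following a single parent pointer."""
    paths: List[List[Cert]] = []

    def walk(cert: Cert, path: List[Cert]) -> None:
        if cert in anchors:
            paths.append(path)
            return
        if cert.self_signed or len(path) >= max_len:   # untrusted root, or too deep
            return
        for cand in pool:
            if cand.subject == cert.issuer and cand not in path:
                walk(cand, path + [cand])

    walk(leaf, [leaf])
    return paths


def validate(leaf: Cert, pool: List[Cert], anchors: Set[Cert], revoked: Set[str]) -> Tuple[bool, str]:
    """Accept if at least one path reaches an anchor with nothing on it revoked."""
    paths = build_paths(leaf, pool, anchors)
    if not paths:
        return False, "no path to a trust anchor"
    problems: List[str] = []
    for path in paths:
        bad = [c for c in path if c.serial in revoked]
        if not bad:
            return True, " -> ".join(c.subject for c in path)
        msg = f"{bad[0].subject} (serial {bad[0].serial}) revoked"
        if msg not in problems:
            problems.append(msg)
    return False, "; ".join(problems)


# Constructed hierarchy: a newer root R2 that older clients do not trust yet,
# so R2 is also cross-signed by the older root R1.
ROOT_R1 = Cert("Example Root R1", "Example Root R1", "r1")
ROOT_R2 = Cert("Example Root R2", "Example Root R2", "r2")
CROSS = Cert("Example Root R2", "Example Root R1", "x1")      # cross-certificate
INTER = Cert("Example Issuing CA", "Example Root R2", "i1")
LEAF_A = Cert("shop-a.example", "Example Issuing CA", "a1")
LEAF_B = Cert("shop-b.example", "Example Issuing CA", "b1")
POOL = [ROOT_R2, ROOT_R1, CROSS, INTER, LEAF_A, LEAF_B]

if __name__ == "__main__":
    new_client, old_client = {ROOT_R1, ROOT_R2}, {ROOT_R1}
    print("healthy                       :", validate(LEAF_A, POOL, new_client, set()))
    print("cross-cert revoked, old client:", validate(LEAF_A, POOL, old_client, {"x1"}))
    print("intermediate revoked, shop A  :", validate(LEAF_A, POOL, new_client, {"i1"}))
    print("intermediate revoked, shop B  :", validate(LEAF_B, POOL, new_client, {"i1"}))
```

Two things fall out of running it. Revoking the cross-certificate only breaks clients whose trust store lacks the newer root, which is why such an incident can look fine from a fresh browser and fail from an older device; revoking the intermediate breaks every leaf beneath it for every client, with no alternate path to rescue them. That asymmetry is also why revocation state for CA certificates is cached by clients and takes days rather than minutes to walk back.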

Police Use Surveillance Tool to Scan Social Media (The NYT)

Monty Solomon <>
Wed, 12 Oct 2016 21:43:13 -0400
According to the ACLU, Geofeedia (a company in Chicago) has used data from
Facebook, Twitter and several other networks to aid law enforcement
officials in monitoring protesters.  [PGN-ed]

U.S. Athletes Reassured After New Russian Hack (The NYT)

Monty Solomon <>
Sat, 15 Oct 2016 10:52:54 -0400
The head of the United States Anti-Doping Agency says the cyberattack
targeting its science director's email account is meant to smear clean

More on Samsung (The NYT)

"Peter G. Neumann" <>
Fri, 14 Oct 2016 22:08:32 PDT
Samsung Estimates $2.3 Billion Loss Over Galaxy Note 7 Troubles

Galaxy Note 7 Is Not Samsung's Only Problematic Product
They are also having safety problems with other goods, including washing
machines, microwaves, and refrigerators.

Re: Samsung discontinues Galaxy Note 7 after battery debacle

Erling Kristiansen <>
Thu, 13 Oct 2016 22:34:13 +0200
I am wondering whether this is a harbinger of a much broader problem:

When batteries, in particular those containing lithium (and maybe future
technologies we don't yet know), are discarded, on their own or still inside
the device they have been feeding, what happens next?

Hopefully, most batteries will be dismantled and/or recycled in a safe
manner. But it is inevitable that some will end up in places where they
don't really belong: Landfills, incinerators, shredders, or just left or
dropped somewhere.

As time passes, these may eventually corrode or get punctured somehow,
potentially leading to fires, maybe years or decades after the end of their
useful lives.

Note: We are talking not just about the rather small batteries of mobile
phones, but also larger ones for e.g., e-bikes, household and garden
machines, tools, electric cars.

Does anybody have a feel for how real this problem is? Will discarded
batteries remain time bombs forever, or are they likely to degrade
gracefully into something less hazardous after some time?
