The RISKS Digest
Volume 29 Issue 91

Sunday, 13th November 2016

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Why Light Bulbs May Be the Next Hacker Target
John Markoff
DDoS on a Finnish water distribution system
Gadi Evron
Researchers just demonstrated how to hack the official vote count with a $30 card
geoff goodfellow
How to block the ultrasonic signals you didn't know were tracking you
Lily Hay Newman via Werner U
Fake shopping apps are invading the iPhone
James Covert
GCHQ wants Internet providers to rewrite systems to block hackers
The Telegraph via Chris Drewe
Tesco Banks halts online transactions after theft from 20,000 accounts
Kelly Fiveash
Offensive Words Filter Data Blocked By Offensive Words Filter
Chris Drewe
"Executive dilemma: Approve the cloud, get a pay cut"
David Linthicum
Browsers nix add-on after Web of Trust is caught selling users' browsing histories
The Register
Department of Chromeland Security to the rescue...
Andy Greenberg via Werner U
How to get Google to come out of their hole and say something
Dan Jacobson
How the Internet Is Loosening Our Grip on the Truth
The New York Times
Two ambulances speeding toward the same crossroads
Google via Dan Jacobson
This evil office printer hijacks your cellphone connection
Ars Technica
Smartphone WiFi Signals Can Leak Your Keystrokes, Passwords, PINs
Bleeping Computer
Oauth 2.0 hack exposed 1 billion mobile apps to account hijacking
Russian Hackers Launch Targeted Cyberattacks Hours After Trump's Win
Motherboard via Suzanne Johnson
$0.02 due to Daylight Savings Time
Dan Jacobson
Re: "Your WiFi-connected thermostat can take down the whole Internet...
Stanley Chow
Info on RISKS (comp.risks)

Why Light Bulbs May Be the Next Hacker Target (John Markoff)

"Alister Wm Macintyre (Wow)" <>
Sat, 5 Nov 2016 11:33:48 -0500
John Markoff, *The New York Times*, 3 Nov 2016

Researchers report in a paper <> that they have
uncovered a flaw in a wireless technology that is often included in smart
home devices like lights, switches, locks, thermostats and many of the
components of the much-ballyhooed "smart home" of the future.  The
researchers focused on the Philips Hue smart light bulb and found that the
wireless flaw could allow hackers to take control of the light bulbs,
according to researchers at the Weizmann Institute of Science near Tel Aviv
and Dalhousie University in Halifax, Canada.

  [I wonder how many other brand names are at similar risk.]

Imagine thousands or even hundreds of thousands of Internet-connected
devices in close proximity. Malware created by hackers could be spread like
a pathogen among the devices by compromising just one of them.  [There is
video, in the research paper, showing tests.  For example, a drone hovers
next to a high rise building, and you see it taking over control of all the
lights of the building. Before the test, they had switched one light bulb on
ground floor, with one they already could hack.]

The new risk comes from a little-known radio protocol called ZigBee.

The researcher said they had notified Philips of the potential vulnerability
and the company had asked the researchers not to go public with the research
paper until it had been corrected. Philips fixed the vulnerability in a
patch issued on 4 Oct and recommended that customers install it through a
smart phone application.  Still, it played down the significance of the

[I wonder how many customers learned about this, and implemented the patch.]

The full technical paper can be downloaded from this link:
IoT Goes Nuclear: Creating a ZigBee Chain Reaction [PDF, 6.7MB]

Risks identified by the research:
* Brick the lights so they cannot be fixed vs. whatever nuisance the
  malware has inflicted.
* City-wide wireless jamming.
* Attack electric grid via manipulating power consumption demands.
* Induce epileptic seizures in photosensitive people on a large scale.

[Risks thought about by Al Mac:

* Kill street lights, and stairwell lights, after dark, then set off
  fire alarms, sirens, so people can have a hard time exiting safely.
* Airport runway lights go out, when most needed for safe landing.
* You know those highway signs, using letters spelling out key words
  for warnings to drivers, where each letter is combination of lights on &
  off?  The phrases could be altered.
* Do emergency responders use the same radio frequencies that can be
  jammed by this hack?]

DDoS on a Finnish water distribution system

Gadi Evron <>
Tue, 8 Nov 2016 14:25:42 -0800
In some countries such as Finland, if the underground water pipes freeze,
parts of the country can remain without water until summer.

Researchers just demonstrated how to hack the official vote count with a $30 card

the keyboard of geoff goodfellow <>
Sun, 6 Nov 2016 15:29:30 -1000

How to block the ultrasonic signals you didn't know were tracking you (Lily Hay Newman)

Werner U <>
Thu, 10 Nov 2016 10:28:02 +0100
Lily Hay Newman, in Ars Technica, 3 Nov 2016
How to block the ultrasonic signals you didn't know were tracking you: Your
phone can talk to advertisers behind your back, beyond your audible spectrum


Dystopian corporate surveillance threats today come at us from all
directions. Companies offer *always-on* devices
that listen for our voice commands, and marketers follow us around the web
to create personalized user profiles so they can (maybe) show us ads we'll
actually click. Now marketers have been experimenting with combining those
web-based and audio approaches to track consumers in another disturbingly
science fictional way: with audio signals your phone can hear, but you
can't. And though you probably have no idea that dog whistle marketing is
going on, researchers are already offering ways to protect yourself.

The technology, called ultrasonic cross-device tracking, embeds
high-frequency tones that are inaudible to humans in advertisements, web
pages, and even physical locations like retail stores. These ultrasound
beacons emit their audio sequences with speakers, and almost any device
microphone—like those accessed by an app on a smartphone or tablet—can
detect the signal and start to put together a picture of what ads you've
seen, what sites you've perused, and even where you've been. Now that you're
sufficiently concerned, the good news is that at the Black Hat Europe
security conference on Thursday, a group based at University of California,
Santa Barbara will present an Android patch and a Chrome extension that give
consumers more control over the transmission and receipt of ultrasonic
pitches on their devices.

Beyond the abstract creep factor of ultrasonic tracking, the larger worry
about the technology is that it requires giving an app the ability to listen
to everything around you, says Vasilios Mavroudis, a privacy and security
researcher at University College London who worked on the research being
presented at Black Hat. “The bad thing is that if you're a company that
wants to provide ultrasound tracking there is no other way to do it
currently, you have to use the microphone.  So you will be what we call
*over-privileged*, because you don't need access to audible sounds but you
have to get them.''

This type of tracking, offered by companies like Tapad and 4Info, has hardly
exploded in adoption. But it's persisted as more third party companies
develop ultrasonic tools for a range of uses, like data transmission without
Wi-Fi or other connectivity. The more the technology evolves, the easier it
is to use in marketing. As a result, the researchers say that their goal is
to help protect users from inadvertently leaking their personal information.
“There are certain serious security shortcomings that need to be addressed
before the technology becomes more widely used. And there is a lack of
transparency. Users are basically clueless about what's going on.''

Currently, Android and iOS do require apps to request permission to use
a phone's microphone. But most users likely aren't aware that by granting
that permission, apps that use ultrasonic tracking could access their
microphone—and everything it's picking up, not just ultrasonic
frequencies—all the time, even while they're running in the background.

The researchers' patch adjusts Android's permission system so that apps have
to make it clear that they're asking for permission to receive inaudible
inputs. It also allows users to choose to block anything the microphone
picks up on the ultrasound spectrum. The patch isn't an official Google
release, but represents the researchers' recommendations for a step mobile
operating systems can take to offer more transparency.

To block the other end of those high-pitched audio communications, the
group's Chrome extension preemptively screens websites' audio components as
they load to keep the ones that emit ultrasounds from executing, thus
blocking pages from emitting them. There are a few old services that the
extension can't screen, like Flash, but overall the extension works much
like an ad-blocker for ultrasonic tracking. The researchers plan to post
their patch and their extension available for download after their Black Hat

Ultrasonic tracking has been evolving for the last couple of years, and it
is relatively easy to deploy since it relies on basic speakers and
microphones instead of specialized equipment. But from the start, the
technology has encountered pushback about its privacy and security
limitations. Currently there are no industry standards for legitimizing
beacons or allowing them to interoperate the way there are with a protocol
like Bluetooth. And ultrasonic tracking transmissions are difficult to
secure because they need to happen quickly for the technology to
work. Ideally the beacons would authenticate with the receiving apps each
time they interact to reduce the possibility that a hacker could create
phony beacons by manipulating the tones before sending them. But the beacons
need to complete their transmissions in the time it takes someone to briefly
check a website or pass a store, and it's difficult to fit an authentication
process into those few seconds. The researchers say they've already observed
one type of real-world attack in which hackers replay a beacon over and over
to skew analytics data or alter the reported behavior of a user. The team
also developed other types of theoretical attacks that take advantage of the
lack of encryption and authentication on beacons.  The Federal Trade
Commission evaluated ultrasonic tracking technology at the end of 2015, and
the privacy-focused non-profit Center for Democracy and Technology wrote to
the agency at the time
<> that
“the best solution is increased transparency and a robust and meaningful
opt-out system. If cross-device tracking companies cannot give users these
types of notice and control, they should not engage in cross-device
tracking.''  By March the FTC had drafted a warning letter to developers
about a certain brand of audio beacon that could potentially track all of a
users' television viewing without their knowledge. That company, called
Silverpush, has since ceased working on ultrasonic tracking in the United
States, though the firm said at the time that its decision to drop the tech
wasn't related to the FTC probe.

More recently, two lawsuits filed this fall—each about the Android app of
an NBA team—allege that the apps activated user microphones improperly to
listen for beacons, capturing lots of other audio in the process without
user knowledge. Two defendants in those lawsuits, YinzCam and Signal360,
both told WIRED that they aren't beacon developers themselves and don't
collect or store any audio in the spectrum that's audible to humans.

But the researchers presenting at Black Hat argue that controversy over just
how much audio ultrasonic tracking tools collect is all the more reason to
create industry standards, so that consumers don't need to rely on companies
to make privacy-minded choices independently. Mavroudis says, “I don't
believe that companies are malicious, but currently the way this whole thing
is implemented seems very shady to users.  Once there are standards in
place, the researchers propose that mobile operating systems like Android
and iOS could provide application program interfaces that restrict
microphone access so ultrasonic tracking apps can only receive relevant
data, instead of everything the microphone is picking up.  Then we get rid
of this overprivileged problem where apps need to have access to the
microphone, because they will just need to have access to this API.''

For anyone who's not waiting for companies to rein in what kinds of audio
they collect to track us, however, the UCSB and UCL researchers software
offers a temporary fix.  And that may be more appealing than the notion of
your phone talking to advertisers behind your back—or beyond your audible

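A screen of the kind the Chrome extension above performs, as an added example that is not the researchers' code: it measures how much of an audio frame's spectral power sits above 18 kHz and flags frames that carry an inaudible tone. The frame layout, the 18 kHz floor and the 5% threshold are this example's own assumptions; the two input frames are constructed inline.

```python
"""Screen an audio frame for ultrasonic content (added example, not the
researchers' code). A plain Goertzel per-bin power estimate is used so the
example runs without numpy."""
import math

SAMPLE_RATE = 44100          # common web/mobile audio rate (assumption)
ULTRASONIC_FLOOR_HZ = 18000  # above what most adults hear; beacons sit here
FLAG_RATIO = 0.05            # share of power above the floor that trips the screen


def make_frame(components, n=1024, sample_rate=SAMPLE_RATE):
    """Constructed PCM frame: sum of (frequency_hz, amplitude) sinusoids."""
    return [sum(a * math.sin(2 * math.pi * f * i / sample_rate) for f, a in components)
            for i in range(n)]


def goertzel_power(samples, k):
    """Power |X_k|^2 of DFT bin k via the Goertzel recurrence."""
    n = len(samples)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def ultrasonic_ratio(samples, sample_rate=SAMPLE_RATE):
    """Fraction of one-sided spectral power (bins 0..n/2) at or above
    ULTRASONIC_FLOOR_HZ."""
    n = len(samples)
    bin_hz = sample_rate / n
    floor_bin = math.ceil(ULTRASONIC_FLOOR_HZ / bin_hz)
    total = ultrasonic = 0.0
    for k in range(n // 2 + 1):
        p = goertzel_power(samples, k)
        total += p
        if k >= floor_bin:
            ultrasonic += p
    return ultrasonic / total if total > 0 else 0.0


def screen_frame(samples, sample_rate=SAMPLE_RATE):
    """Decision the screen would make for this frame."""
    ratio = ultrasonic_ratio(samples, sample_rate)
    return {"ultrasonic_ratio": ratio, "flagged": ratio >= FLAG_RATIO}


# Constructed inputs: ordinary audible content, and the same content with an
# inaudible 19 kHz carrier mixed in, as a tracking beacon would add.
def clean_frame():
    return make_frame([(440.0, 0.5)])


def beacon_frame():
    return make_frame([(440.0, 0.5), (19000.0, 0.3)])


if __name__ == "__main__":
    for name, frame in (("clean", clean_frame()), ("beacon", beacon_frame())):
        print(name, screen_frame(frame))
```
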
Fake shopping apps are invading the iPhone (James Covert)

Jim Reisert AD1C <>
Mon, 7 Nov 2016 12:29:10 -0700
James Covert, *New York Post*, October 30, 2016 | 10:37pm

For tech-focused scammers, knocking off sneakers and handbags is so last

Thieves in the digital age are slamming consumers right in the app.

A slew of knockoff shopping apps have quietly infiltrated Apple's App Store
in recent months, looking to lure unsuspecting iPhone owners with bogus
deals on everything from jewelry to designer duds.

The fake apps mimic the look of legit apps—and have proliferated since
this summer, experts said.

It didn't help that earlier this month, Apple introduced search ads in its
App Store. The fake apps are buying search terms, it would appear, to
increase their exposure to consumers.

GCHQ wants Internet providers to rewrite systems to block hackers

Chris Drewe <>
Mon, 07 Nov 2016 22:32:12 +0000

*The Telegraph*, Nov 5 2016

GCHQ is urging Internet providers to change long-standing protocols to stop
computers from being used to set off large-scale cyber attacks.  The plan
would involve changes to the Border Gateway Protocol (BGP) and Signalling
System 7 (SS7) standards that have been in place for decades, and are widely
used for routing traffic. GCHQ wants providers to stop the trivial
re-routing of UK traffic and help prevent text message scams.

The announcement followed the launch of the Government's five-year
cybersecurity strategy this week, which includes 1.9bn pounds for bolstering
computer security, including provisions to create a national firewall.

Tesco Banks halts online transactions after theft from 20,000 accounts (Kelly Fiveash)

Werner U <>
Tue, 8 Nov 2016 18:16:48 +0100
(Nov 7+8, Ars Technica)

Kelly Fiveash, Ars Technica, 7 Nov 2016

Tesco Banks promises to issue refunds, track down culprits.

Tesco Bank has been forced to suspend its online transactions after
fraudulent criminal activity was spotted on thousands of its customer
accounts over the weekend.  A total of 40,000 current accounts were hit by
suspicious transactions. Money was pinched from 20,000 of the affected
current accounts, Tesco Bank said on Monday morning.......<more>......

Updated, November 8: Tesco Bank customers remain locked out from making
current account transactions, two days after it was revealed that money had
been stolen from 20,000 accounts over the weekend.

On Tuesday morning, the chief exec of the Financial Conduct Authority told
parliamentarians sitting on the treasury committee that "I thought this
looked unprecedented in the UK."

Andrew Bailey added that it was "too early to give a comprehensive account
of what the root causes are."

It's now a race against time for Tesco Bank: it has until the end of Tuesday
to reimburse its customers—some of whom say that hundreds of pounds was
removed from their accounts.

The National Crime Agency is leading a criminal investigation into the
attack on Tesco Bank's systems along with GCHQ's National Cyber Security
Centre, which opened its doors last month.


Offensive Words Filter Data Blocked By Offensive Words Filter

Chris Drewe <>
Wed, 09 Nov 2016 22:20:14 +0000
RISKS occasionally features less-serious computing problems, so here's one:
I just went to a talk on the history of platform train describers on the
London Underground railway (subway) system—those displays showing "next
train to [wherever] in [x] mins".  Historically, these had simple signs on
each platform listing the regular destinations for trains from that
platform, with an indicator light against each one to show where the next
train was going (and "special" or "see front of train" for non-standard

Nowadays they have conventional LED dot-matrix panels controlled by
software, with the big advantage that station staff can type in custom
messages when needed.  The guy giving the talk commented on the Offensive
Words Filter in the software (don't know if this was found to be necessary
or just enabled as a precaution); he said that there was some discussion
within the management team as to which actual words should be blocked, but
he then found that his e-mail system also had an offensive words filter, so
compiling the list was somewhat difficult...

  [Recursively unsolvable by exchanging e-mail!!?  PGN]

"Executive dilemma: Approve the cloud, get a pay cut" (David Linthicum)

Gene Wirchenko <>
Tue, 08 Nov 2016 10:04:48 -0800
David Linthicum, InfoWorld, 8 Nov 2016
The common EBITDA metric that financial analysts follow—and which affects
executive pay—is biased against operational expenses such as cloud

opening text:

EBITDA is defined as a company's earnings before interest, taxes,
depreciation, and amortization. Although you likely have heard the term
before, few people outside the executive suite (other than accountants)
really know what it means. It's widely used as a measurement of a company's
current operating profitability.

But as a company moves to the cloud, your EBITDA numbers could look
worse. That's because EBITDA isn't adjusted for operating expenses like
cloud services—but is adjusted for the depreciation of capital expenses,
which decreases under the use of the cloud.

The cloud's effect on EBITDA will matter greatly to publicly traded
companies, where senior executives' bonuses and stock grants are determined
by EBITDA performance. In some cases, 50 to 75 percent of their total
compensation is affected.

By moving many workloads to the cloud, your company avoids hardware and
software purchases, saving money, but the EBITDA doesn't credit you for
those savings. Instead, it penalizes you because it comes from an era where
capital-expense depreciation was a common method to boost perceived

Browsers nix add-on after Web of Trust is caught selling users' browsing histories

Lauren Weinstein <>
Tue, 8 Nov 2016 11:43:48 -0800
  [via NNSquad]

  A browser extension which was found to be harvesting users' browsing
  histories and selling them to third parties has had its availability
  pulled from a number of web browsers' add-on repositories.  Last week, an
  investigative report by journalists at the Hamburg-based German television
  broadcaster, Norddeutscher Rundfunk (NDR), revealed that Web of Trust
  Services (WoT) had been harvesting netizens' web browsing histories
  through its browser add-on and then selling them to third parties.  While
  WoT claimed it anonymised the data that it sold, the journalists were able
  to identify more than 50 users from the sample data it acquired from an
  intermediary.  The journalists added that the browsing histories they
  obtained also identified information about ongoing police investigations,
  businesses' sensitive financial details and information which suggested
  the sexual orientation of a judge.  NDR quoted the data protection
  commissioner of Hamburg, Johannes Caspar, criticising WoT for not
  adequately establishing whether users consented to the tracking and
  selling of their browsing data.  Those consent issues have resulted in the
  browser add-on being pulled from the add-on repositories of both Mozilla
  Firefox and Google Chrome, although those who have already installed the
  extension in their browsers will need to manually uninstall it to stop
  their browsing being tracked.

Department of Chromeland Security to the rescue... (Andy Greenberg)

Werner U <>
Thu, 10 Nov 2016 19:59:27 +0100
Andy Greenberg, *WiReD*, 3 Nov 2016
Google's Chrome Hackers Are About to Upend Your Idea of Web Security

How to get Google to come out of their hole and say something (Re: Gene Wirchenko, RISKS-29.90)

Dan Jacobson <>
Thu, 10 Nov 2016 18:54:58 +0800
GW> I have had the issue of not being able to report a problem in other areas.
GW> Google Maps was one.  It was confusing NE (Northeast) and SE (Southeast)
GW> streets in Salmon Arm, British Columbia, Canada.  I could not find a way to
GW> report the problem.  Then, there are full voice mailboxes and the like.

Ah yes, reminds me of "why hasn't Taiwan's cities' imagery been updated
in nine years?" Had to get on national TV to get Google to finally come
out of their hole and say something...
And wouldn't you know it, now it is ten years...

How the Internet Is Loosening Our Grip on the Truth

Monty Solomon <>
Wed, 2 Nov 2016 09:49:22 -0400

A wider variety of news sources was supposed to be the bulwark of a rational
age. Instead, we are roiled by biases, gorging on what confirms our ideas
and shunning what does not.

Two ambulances speeding toward the same crossroads

Dan Jacobson <>
Thu, 10 Nov 2016 21:09:04 +0800
Will they collide?

This evil office printer hijacks your cellphone connection

Monty Solomon <>
Sat, 5 Nov 2016 03:53:46 -0400

Smartphone WiFi Signals Can Leak Your Keystrokes, Passwords, PINs (Bleeping Computer)

Lauren Weinstein <>
Sun, 13 Nov 2016 07:48:11 -0800

  The way users move fingers across a phone's touchscreen alters the WiFi
  signals transmitted by a mobile phone, causing interruptions that an
  attacker can intercept, analyze, and reverse engineer to accurately guess
  what the user has typed on his phone or in password input fields.  This
  type of attack, nicknamed WindTalker, is only possible when the attacker
  controls a rogue WiFi access point to collect WiFi signal disturbances.

Oauth 2.0 hack exposed 1 billion mobile apps to account hijacking (Threatpost)

Lauren Weinstein <>
Sat, 12 Nov 2016 22:05:09 -0800

  Third-party applications that allow single sign-on via Facebook and Google
  and support the OAuth 2.0 protocol, are exposed to account
  hijacking. Three Chinese University of Hong Kong researchers presented at
  Black Hat EU last week a paper called "Signing into One Billion Mobile
  LApp Accounts Effortlessly with OAuth 2.0." The paper describes an attack
  that takes advantage of poor OAuth 2.0 implementations and puts more than
  one billion apps in jeopardy.

Russian Hackers Launch Targeted Cyberattacks Hours After Trump's Win (Motherboard)

Suzanne Johnson <>
November 11, 2016 at 11:09:35 AM EST
  [via Dave Farber.  PGN]

$0.02 due to Daylight Savings Time

Dan Jacobson <>
Wed, 09 Nov 2016 00:41:50 +0800
> Please do not send the user these ($0.02).
> They are due to internal rounding errors.
> They happen about once a year.
> Please fix the errors.


I am sorry for the problems! I've gone ahead and zeroed out the 2 cent

The reason for the charge is because in November, when California ends
Daylight Savings Time, the system registers that there is technically one
extra hour in the billing cycle—one hour of your VPS costs 2 cents. So
it's technically not an error, just an anomaly due to Daylight Savings

Hopefully California will get rid of Daylight Savings Time so this extra
hour will not occur in the future. If it does happen again next year, you
can disregard the requests for payment—or, rather, the notices that
payment has been deferred.
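
The cycle arithmetic behind that reply, as an added example (not the provider's code): hourly metering between local midnights in California picks up the hour gained when DST ends and loses one when it starts, while cycles whose boundaries are defined in UTC do not. The 2 cent/hour rate is the figure from the reply; the US DST rule is hard-coded as an assumption so the example runs without timezone data.

```python
"""Reproduce the 2-cent DST billing anomaly (added example, not the
provider's code). Hypothetical hourly VPS billing at 2 cents/hour, the rate
quoted in the reply, with cycles running midnight to midnight California time."""
from datetime import datetime, timedelta

RATE_CENTS_PER_HOUR = 2  # stated in the reply


def _nth_sunday(year, month, n):
    """Date of the n-th Sunday of the month (n=1 is the first)."""
    first = datetime(year, month, 1)
    days_to_sunday = (6 - first.weekday()) % 7  # Monday=0 ... Sunday=6
    return first + timedelta(days=days_to_sunday + 7 * (n - 1))


def us_dst_window(year):
    """(start, end) of DST as naive local wall-clock times, US rule since 2007:
    starts second Sunday of March 02:00, ends first Sunday of November 02:00."""
    return _nth_sunday(year, 3, 2).replace(hour=2), _nth_sunday(year, 11, 1).replace(hour=2)


def pacific_local_to_utc(local):
    """Naive California wall-clock time -> naive UTC (PDT is UTC-7, PST is UTC-8).
    The repeated 01:00-02:00 hour on the fall-back day is taken as its first
    (PDT) occurrence; month boundaries never fall inside it."""
    start, end = us_dst_window(local.year)
    offset = 7 if start <= local < end else 8
    return local + timedelta(hours=offset)


def month_bounds(year, month):
    """Local midnight at the start of the month and of the next month."""
    first = datetime(year, month, 1)
    nxt = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    return first, nxt


def wall_clock_hours(year, month):
    """Hours the calendar shows: always 24 per day."""
    first, nxt = month_bounds(year, month)
    return (nxt - first) / timedelta(hours=1)


def elapsed_hours_local_cycle(year, month):
    """Hours that really elapse between local midnights: +1 in the month DST
    ends, -1 in the month it starts."""
    first, nxt = month_bounds(year, month)
    return (pacific_local_to_utc(nxt) - pacific_local_to_utc(first)) / timedelta(hours=1)


def dst_anomaly_cents(year, month):
    """Metered charge minus the calendar-hour charge. The case in the reply is
    +2: one extra metered hour at 2 cents."""
    extra = elapsed_hours_local_cycle(year, month) - wall_clock_hours(year, month)
    return int(round(extra * RATE_CENTS_PER_HOUR))


def elapsed_hours_utc_cycle(year, month):
    """Remedy: define cycle boundaries in UTC, which has no DST, so every month
    meters exactly 24 hours per day."""
    first, nxt = month_bounds(year, month)  # read these as UTC instants
    return (nxt - first) / timedelta(hours=1)


if __name__ == "__main__":
    for y, m in [(2016, 3), (2016, 10), (2016, 11)]:
        print(f"{y}-{m:02d}: local-cycle hours={elapsed_hours_local_cycle(y, m):.0f} "
              f"calendar hours={wall_clock_hours(y, m):.0f} "
              f"anomaly={dst_anomaly_cents(y, m):+d} cents "
              f"utc-cycle hours={elapsed_hours_utc_cycle(y, m):.0f}")
```
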

Re: "Your WiFi-connected thermostat can take down the whole Internet. We need new regulations." (Bruce Schneier, RISKS-29.90)

Stanley Chow <>
Wed, 9 Nov 2016 03:42:18 -0500
It seems to me that regulating the IoT is never going to be the complete
solution. Yes, there should be regulation, but the regulations will be slow
and the compliance (if any) will be slower. This means there will be plenty
of time for flaws to be exploited.

It is better for "the network" to defend itself against the easy/common
attacks like DDoS. I refer you to US patent 7331060 (I have no relationship
except I filed a similar idea before it was published.) It has priority date
of Sep 10, 2001 so it should expire in 2021 - around 5 years from now. It
appears to be only patented in the US.

Stanley Chow, Formerly of Nortel, Alcatel, Bell Labs
