The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 07

Sunday 8 January 2017


Russia meddled in 2016 election through hacking and spreading of propaganda
Ellen Nakashima, Karoun Demirjian and Philip Rucker
Evidence for Russian Hacks
Putin Ordered `Influence Campaign' Aimed at U.S. Election
David E. Sanger
WikiLeaks opposes leaking of CIA report
The Hill
WikiLeaks threatens to publish Twitter users' personal info
USA Today
Gee whiz, elections are part of our critical infrastructures!
Donald Trump's Twitter Account Is A Security Disaster Waiting To Happen
Intel Chiefs Say Trump's Twitter Account Was Hacked by Four-Year-Old
Andy Borowitz in *The New Yorker*
The Lauded Russian Hacker Whose Company Landed on the U.S. Blacklist
Andrew E. Kramer
India's Call-Center Talents Put to a Criminal Use: Swindling Americans
Ellen Barry
Fake Academe, Looking Much Like the Real Thing
Kevin Carey
KillDisk Ransomware Now Targets Linux, Prevents Boot-Up, Has Faulty Encryption
Bleeping Computer
TV anchor says live on-air 'Alexa, order me a dollhouse'—guess what happens next
Shaun Nichols via geoff goodfellow
Fridges and washing machines could be vital witnesses in murder plots
The Telegraph
Feds Accuse D-Link Of Failing To Properly Secure Routers & Webcams
The Health Data Conundrum
Kathryn Haun and Eric J. Topol
2017: Search and Social Media
Lauren Weinstein
Psychiatric patient accesses confidential social service data
HIPAA via Mark Trumpler
"Information Warfare" via Jim Forster
Singapore to ban Internet-connected government computers
Straits Times via Mark Thorson
Smart meters: Frauds, Explosions & Fires, Oh No!
The Guardian via Henry Baker
The Binge Breaker
The Atlantic
Cloudflare explains the leap second bug
Toshiba expands recall of laptop battery packs due to burn/fire risk
Bob Brown
"The Real Name Fallacy"
Lauren Weinstein
Re: Name-collision risks—again!
Burt Kaliski
Re: 'Special' Powers Corrupt Especially!!
Chris Drewe
Info on RISKS (comp.risks)

Russia meddled in 2016 election through hacking and spreading of propaganda (The Washington Post on testimony by James R. Clapper, Jr.)

Lauren Weinstein <>
Thu, 5 Jan 2017 08:35:58 -0800
Ellen Nakashima, Karoun Demirjian and Philip Rucker, *The Washington Post*,
5 Jan 2017, via NNSquad

  The country's top intelligence official said Thursday that Russia's
  meddling in the 2016 election consisted of hacking, as well as the
  spreading of traditional propaganda and "fake news."  "That's classical
  tradecraft that the Russians have long used," said Director of National
  Intelligence James R. Clapper Jr, testifying before the Senate Armed
  Services Committee on foreign cyber threats, and especially Russian
  hacking and interference in the election ...  A classified report on
  Russian intelligence interference in the election has been prepared for
  President Obama, who is due to receive it Thursday.  Clapper said that
  intelligence officials "plan to brief the congress and release an
  unclassified version of this report to the public early next week."

  [The original unclassified FBI-DHS Summary Technical Report on Russian
  Hacking is here:

Evidence for Russian Hacks

"Peter G. Neumann" <>
Fri, 6 Jan 2017 13:46:59 PST
Here's the unclassified backup report.

Background to "Assessing Russian Activities and Intentions in Recent US
Elections": The Analytic Process and Cyber-Incident Attribution

Putin Ordered `Influence Campaign' Aimed at U.S. Election (David E. Sanger)

"Peter G. Neumann" <>
Fri, 6 Jan 2017 14:41:26 PST
David E. Sanger, *The New York Times*, 6 Jan 2017

Intelligence Report on Russian Hacking

WikiLeaks opposes leaking of CIA report

Lauren Weinstein <>
Fri, 6 Jan 2017 09:13:34 -0800
via NNSquad

  An NBC report last night touted "An exclusive, inside look" at the report
  connecting the Russian government to breaches of Democratic National
  Convention and other servers during election season sourced to two
  intelligence community sources.  The NBC broadcast included claims that
  Russia attacked the White House and that Russia had dual motives in the
  attack of disrupting the campaign and revenge on the Obama administration
  for delegitimizing Russian President Vladimir Putin throughout his

WikiLeaks threatens to publish Twitter users' personal info (USA Today)

Lauren Weinstein <>
Fri, 6 Jan 2017 16:14:21 -0800
*USA Today* via NNSquad

  WikiLeaks is taking heat for saying it wants to publish the private
  information of hundreds of thousands of verified Twitter users.  A Twitter
  account associated with the group said an online database would include
  such sensitive details as family relationships and finances.

Gee whiz, elections are part of our critical infrastructures!

"Peter G. Neumann" <>
Sat, 7 Jan 2017 13:41:07 PST

  [RISKS goes back to volume 1 number 1 on this topic!]

Donald Trump's Twitter Account Is A Security Disaster Waiting To Happen (Buzzfeed)

Lauren Weinstein <>
Thu, 5 Jan 2017 15:37:02 -0800
Buzzfeed via NNSquad

  The most powerful publication in the world today is Donald Trump's
  personal Twitter account. In the past six weeks, it has moved markets,
  conducted shadow foreign policy, and reshaped the focus of media around
  the world. Just today, it caused Toyota's stock to drop. It is also
  shockingly insecure.  That insecurity was acceptable when @realDonaldTrump
  concerned itself with Kristen Stewart cheating on Robert Pattinson and how
  thin people don't drink Diet Coke. And yet Trump's newfound influence --
  combined with the unpredictability of his tweets—makes the
  president-elect's account a particularly tempting target for hackers.
  That's especially true because there is a large fortune that could be made
  in a single 140-character message.  If someone were able to gain access to
  Trump's Twitter, they could tweet approvingly or disapprovingly about a
  company (as Trump has done) and play the stock market accordingly—or
  cause others to do so. A market-tracking app called Trigger has already
  set up an alert that responds whenever Trump tweets about publicly traded

Intel Chiefs Say Trump's Twitter Account Was Hacked by Four-Year-Old (Andy Borowitz in *The New Yorker*)

"Peter G. Neumann" <>
Fri, 6 Jan 2017 13:24:19 PST

  [This is not "Fake News", as it is clearly designated as "humor".  PGN]

The Lauded Russian Hacker Whose Company Landed on the U.S. Blacklist (Andrew E. Kramer)

Monty Solomon <>
Sat, 31 Dec 2016 13:20:17 -0500
Andrew E. Kramer, *The New York Times*, 31 Dec 2016

The United States' sanctions list includes the company of a minor celebrity
hacker who was once recognized by the American government for her work
helping companies fight cybercrime.

India's Call-Center Talents Put to a Criminal Use: Swindling Americans (Ellen Barry)

Gabe Goldberg <>
Tue, 3 Jan 2017 14:15:19 -0500
  [Third world, meet first world...]

Ellen Barry, *The New York Times*, 3 Jan 2017

Thane, India—Betsy Broder, who tracks international fraud at the Federal
Trade Commission, was in her office in Washington last summer when she got a
call from two Indian teenagers.

Calling from a high-rise building in a suburb of Mumbai, they told her, in
tones that were alternately earnest and melodramatic, that they wanted to
share the details of a sprawling criminal operation targeting Americans.
Ms. Broder, who was no stranger to whistle-blowers, pressed the young men
for details.

"He said his name was Adam," she said, referring to one of the pair.  I
said, "Your name is not Adam. What does your grandmother call you?"  He
said, "Babu."

Babu was Jayesh Dubey, a skinny 19-year-old with hair gelled into vertical
bristles, a little like a chimney brush. He told her that he was working in
a seven-story building and that everyone there was engaged in the same
activity: impersonating Internal Revenue Service officials and threatening
Americans, demanding immediate payment to cover back taxes.

Gabriel Goldberg, Computers and Publishing, Inc.
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433

Fake Academe, Looking Much Like the Real Thing (Kevin Carey)

"Peter G. Neumann" <>
Fri, 30 Dec 2016 11:59:15 PST
Kevin Carey, *The New York Times*, 29 Dec 2016

  OMICS is also in the less well-known business of what might be called
  conference fraud, which is what led to the call from John. Both schemes
  exploit a fundamental weakness of modern higher education: Academics need
  to publish in order to advance professionally, get better jobs or secure
  tenure.  Even within the halls of respectable academia, the difference
  between legitimate and fake publications and conferences is far blurrier
  than scholars would like to admit.

KillDisk Ransomware Now Targets Linux, Prevents Boot-Up, Has Faulty Encryption

Lauren Weinstein <>
Fri, 6 Jan 2017 23:35:02 -0800

  According to the ESET researchers, the way the KillDisk ransomware versions
  work on Windows and Linux is completely different, with the biggest issue
  being that on Linux, KillDisk doesn't save the encryption key anywhere on
  disk or online.  Normally, this would mean that victims would never be
  able to recover files since the encryption key would be lost immediately
  after the encryption process ends.  The good news is that ESET researchers
  say they've uncovered a flaw in the Linux variant that permits them to
  recover the encrypted files. The same weakness does not exist in the
  version that targets Windows PCs.

    [Various sources indicate that ransomware took a huge leap in 2016,
    perhaps quadrupling in frequency, with estimated profits on the order
    of a billion dollars.  For example, see

TV anchor says live on-air 'Alexa, order me a dollhouse'—guess what happens next (Shaun Nichols)

geoff goodfellow <>
Fri, 6 Jan 2017 19:47:45 -1000
[but of course... AWESOME!]

Shaun Nichols, *The Register*, 7 Jan 2017
TV anchor says live on-air 'Alexa, order me a dollhouse'—guess what
happens next?
Story on accidental order begets story on accidental order begets
accidental order

Jan 7 2017

A San Diego TV station sparked complaints this week—after an on-air
report about a girl who ordered a dollhouse via her parents' Amazon Echo
caused Echoes in viewers' homes to also attempt to order dollhouses.

Telly station CW-6 said the blunder happened during a Thursday morning news
package about a Texan six-year-old who racked up big charges while talking
to an Echo gadget in her home. According to her parents' Amazon account,
their daughter said: "Can you play dollhouse with me and get me a
dollhouse?" Next thing they knew, a $160 KidKraft Sparkle Mansion dollhouse
and four pounds of sugar cookies arrived on their doorstep.

During that story's segment, a CW-6 news presenter remarked: "I love the
little girl, saying 'Alexa ordered me a dollhouse'."

That, apparently, was enough to set off Alexa-powered Echo boxes around San
Diego on their own shopping sprees. The California station admitted plenty
of viewers complained that the TV broadcast caused their voice-controlled
personal assistants to try to place orders for dollhouses on Amazon.

We'll take this opportunity to point out that voice-command purchasing is
enabled by default on Alexa devices. [...]

  [Also noted by Gabe Goldberg. PGN]

  [We have had numerous items on the risks of spurious or malicious voice
  inputs (such as what might happen if someone in my office were to ask "I
  wonder what would happen if someone says `rm *'") over the past years
  (even before an item on risks of voice input to Word in RISKS-19.25 from
  20 years ago).  Here's an interesting website that seems to have had
  similar interests in collecting incidents and problems:
  Also, see for a decade-old item.

Fridges and washing machines could be vital witnesses in murder plots (The Telegraph)

Monty Solomon <>
Mon, 2 Jan 2017 22:23:14 -0500

Feds Accuse D-Link Of Failing To Properly Secure Routers & Webcams (Consumerist)

Gabe Goldberg <>
Fri, 6 Jan 2017 10:13:49 -0500
Federal regulators have accused D-Link, a manufacturer of popular networking
and smart-home products, of leaving its routers and webcam devices
vulnerable to hackers.

A lawsuit, filed this morning in a U.S. District Court in San Francisco by
the Federal Trade Commission, alleges that China-based D-Link and its
U.S. partner "failed to take reasonable steps to protect their routers and
IP cameras from widely known and reasonably foreseeable risks of
unauthorized access."

The FTC contends that D-Link chose to not secure these devices against flaws
that have been considered critical for nearly a decade. These
vulnerabilities, alleges the complaint, are easily preventable but can also
be easily taken advantage of if left unfixed.

In addition to leaving devices open to hacking, the lawsuit claims that
D-Link elected to not secure users' mobile app login credentials, but
"instead have stored those credentials in clear, readable text on a user's
mobile device."

Gabriel Goldberg, Computers and Publishing, Inc.
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433

The Health Data Conundrum (Haun and Topol)

Monty Solomon <>
Mon, 2 Jan 2017 22:23:55 -0500
Kathryn Haun and Eric J. Topol, *The New York Times*, 2 Jan 2017

We can't access our records. But hackers can get to them easily.

2017: Search and Social Media

Lauren Weinstein <>
Sun, 1 Jan 2017 10:13:08 -0800
via NNSquad

2017 will be the year that major search engines and social media firms take
serious responsibility for appropriately dealing with fake news and false
propaganda leveraging their systems for monetization and political
purposes. Otherwise, 2017 will go down in history as the year that these
firms effectively began committing suicide by leaving themselves vulnerable
to draconian government censorship efforts.

Their choice, and ours.

Psychiatric patient accesses confidential social service data

Mark Trumpler <>
Fri, 30 Dec 2016 15:58:31 -0500
An individual gained access to confidential information (name/address/SSN)
on as many as 15,000 recipients of state social services, using a computer
in the library of the state psychiatric hospital, while he was a patient
there.  This information (which did not include information from the
hospital's own files) was later posted online.  News reports do not indicate
the mechanisms of access, but security was tightened on the "public" library
computers after the patient was observed accessing non-confidential hospital

New Hampshire IT officials describe the computer skills used to access the
data as "average", and note that it was due to a subtly misconfigured

HIPAA Journal story:

NH1 story:

"Information Warfare" (

Jim Forster <>
January 4, 2017 at 11:46:18 AM EST
  [via Dave Farber]

Here's a fascinating article about "Information Warfare"—in this case as
practiced and analyzed in Serbia, but I think the principles apply more
widely.  [...]

Politics of Hidden Internet Interventionism

As framed by the media theorist Manuel Castells, we should not overlook the
oldest and most direct form of media politics: propaganda and control. This
is: (a) the fabrication and diffusion of messages that distort facts and
induce misinformation for the purpose of advancing government interests; and
(b) the censorship of any message deemed to undermine these interests, if
necessary by criminalizing unhindered communication and prosecuting the
messenger.  [...]

Singapore to ban Internet-connected government computers

Mark Thorson <>
Tue, 3 Jan 2017 14:01:41 -0800
Security measure to be implemented starting in May.

Smart meters: Frauds, Explosions & Fires, Oh No!

Henry Baker <>
Sat, 31 Dec 2016 08:58:46 -0800
Why must everything be "smart"—aka "spying"—aka "hackable"?

What really galls me is the fact that the Public Utilities Commissions
(PUC's) can force us all to pay for this crap, so these dimwits at the
electric utilities can put another notch in their LinkedIn resume belts
(i.e., something else that I have failed at: "cybersecurity").

I'd much rather have the money spent on *rooftop solar* and *distributed
battery systems*, which would vastly improve resilience over the existing
centralized single-point-of-failure grid system.

Smart electricity meters can be dangerously insecure, warns expert

Hackers can cause fraud, explosions and house fires, and utility companies
should do more to protect consumers, conference told

Alex Hern in Hamburg, 29 Dec 2016 (modified 30 Dec 2016)

Smart electricity meters, of which there are more than 100m installed around
the world, are frequently "dangerously insecure", a security expert has

The lack of security in the smart utilities raises the prospect of a single
line of malicious code cutting power to a home or even causing a
catastrophic overload leading to exploding meters or house fires, according
to Netanel Rubin, co-founder of the security firm Vaultra.

"Reclaim your home," Rubin told a conference of hackers and security
experts, "or someone else will."

If a hacker took control of a smart meter they would be able to know
"exactly when and how much electricity you're using", Rubin told the 33rd
Chaos Communications Congress in Hamburg.  An attacker could also see
whether a home had any expensive electronics.

"He can do billing fraud, setting your bill to whatever he likes ...  The
scary thing is if you think about the power they have over your electricity.
He will have power over all of your smart devices connected to the
electricity.  This will have more severe consequences: imagine you woke up
to find you'd been robbed by a burglar who didn't have to break in.

"But even if you don't have smart devices, you are still at risk.  An
attacker who controls the meter also controls the meter's software, allowing
him to cause it to literally explode."

Rubin said many of the warnings were not hypothetical.  In 2009 Puerto Rican
smart meters were hacked en masse, leading to widespread billing fraud, and
in 2015 a house fire in Ontario was traced back to a faulty smart meter,
although hacking was not implicated in that.

The problems at the heart of the insecurity stem from outdated protocols,
half-hearted implementations and weak design principles.  While the physical
security of smart meters is strong—"trust me, I tried" to hack in that
way, Rubin said—the wireless protocols many of them use are problematic.

To communicate with the utility company, most smart meters use GSM, the 2G
mobile standard.  That has a fairly well-known weakness whereby an attacker
with a fake mobile tower can cause devices to "hand over" to the fake
version from the real tower, simply by providing a strong signal.  In GSM,
devices have to authenticate with towers, but not the other way round,
allowing the fake mast to send its own commands to the meter.

Worse still, said Rubin, all the meters from one utility used the same
hardcoded credentials.  "If an attacker gains access to one meter, it gains
access to them all.  It is the one key to rule them all."

Inside the home, too, the communications are rendered insecure by outdated
standards and bad implementation.  Almost all smart meters use the Zigbee
standard to speak to other smart devices in the home.

Zigbee, which dates from 2003, is a popular home automation standard, used
for controlling everything from lightbulbs to air conditioners.  But it is
so convoluted, due to the vast array of devices supported, that it is almost
better to think of it as 15 different standards, each of which vendors can
choose to implement as they see fit.

"This unique situation is so difficult to implement, vendors actually choose
what they want to implement.  And when they choose what to support, they
more often than not skip security," Rubin said.

Other weak security decisions made by vendors include:

* Encryption keys derived from short (often just six-character) device names.

* Pairing standards with no authentication required, allowing an attacker to
  simply ask the smart meter to join the network and receive keys in return.

* Hardcoded credentials, allowing administrator access with passwords as
  simple and guessable as the vendor's name.

* Code simplified to work on low-power devices skipping important checks,
  allowing nothing more than a long communication to crash the device.

"These security problems are not going to just go away," Rubin said.  "On
the contrary, we are going to see a sharp increase in hacking attempts.  Yet
most utilities are not even monitoring their network, let alone the smart
meters.  Utilities have to understand that with great power comes great

Smart meters come with benefits, allowing utilities to more efficiently
allocate energy production, and enabling micro-generation that can boost the
uptake of renewable energy.  For those reasons and more, the European Union
has a goal of replacing 80% of meters with smart meters by 2020.

A spokesperson for the UK government's department of Business, Energy and
Industrial Strategy said: "Robust security controls are in place across the
end to end smart metering system and all devices must be independently
assessed by an expert security organisation, irrespective of their country
of origin."

The Binge Breaker (The Atlantic)

Monty Solomon <>
Mon, 2 Jan 2017 12:21:27 -0500
Tristan Harris believes Silicon Valley is addicting us to our phones.
He's determined to make it stop.

Cloudflare explains the leap second bug

Debora Weber-Wulff <>
Mon, 2 Jan 2017 23:33:59 +0100
If you don't have this yet, you need it:

  [The Cloudflare item was also noted by Chuck Weinstock.  Goodness
  Gracious!  Leap-seconds continue to prompt RISKS items.  See Alan
  Wexelblat's note in RISKS-6.7 in Jan 1988, a bunch of items in volume 17,
  Rob Seaman on abolishing leap-seconds (RISKS-17.71), and many subsequent
  items.  PGN]

Toshiba expands recall of laptop battery packs due to burn/fire risk (Bob Brown)

Gene Wirchenko <>
Thu, 05 Jan 2017 09:54:45 -0800
Laptops are da bomb!  Again.

Bob Brown, Network World, 5 Jan 2017
U.S. Consumer Product Safety Commission issued an alert warning of laptop
battery packs that can overheat, melt

opening text:

The U.S. Consumer Product Safety Commission has issued an alert that Toshiba
on Wednesday has greatly expanded its recall of laptop computer battery
packs due to burn and fire hazards.

More specifically, these are Panasonic lithium-ion battery packs that have
been found susceptible to overheating in 41 models of the Toshiba Satellite
laptop, which runs Windows. The firm has received five reports of the
battery pack overheating and melting, including one additional report since
the first recall announcement; no injuries have been reported.

"The Real Name Fallacy"

Lauren Weinstein <>
Sat, 7 Jan 2017 09:52:52 -0800

  People often say that online behavior would improve if every comment
  system forced people to use their real names. It sounds like it should be
  true - surely nobody would say mean things if they faced consequences for
  their actions?  Yet the balance of experimental evidence over the past
  thirty years suggests that this is not the case. Not only would removing
  anonymity fail to consistently improve online community behavior - forcing
  real names in online communities could also increase discrimination and
  worsen harassment.  We need to change our entire approach to the
  question. Our concerns about anonymity are overly-simplistic; system
  design can't solve social problems without actual social change.

Re: Name-collision risks—again!

Burt Kaliski <>
Thu, 5 Jan 2017 14:14:26 +0000
Here's a quick update on an item I shared in RISKS-27.72 in Jan 2014 [1].

The risk was about *name collisions* in the Domain Name System (DNS). Name
collisions can occur when a domain name assumed to be reserved for internal
use within a home or corporate network—a name like "printer.corp" --
becomes available for registration and external use within the global
Internet.  When such a collision occurs, an internal system, rather than
sending traffic to an internal resource as intended, may unknowingly send it
instead to a new external resource with the same name. If a malicious user
controls that external resource, the malicious user may be able to acquire
sensitive data and even inject false responses - all without ever breaching
internal network defenses.

The risk of name collisions increased dramatically with the launch of
ICANN's New Generic Top-Level Domains (gTLD) Program, which has just
recently added its 1,000th new top-level domain (TLD) to the global DNS
[2]. As Verisign Labs showed in research reports [3] starting in 2013, many
of the potential new TLDs overlapped with established internal-use
names. This research motivated additional analysis within the New gTLD
Program, as well as further research within the Internet community on both
the prevalence of the problem and potential solutions (including the
workshop I mentioned in my previous post - see IETF RFC 8023 [4] for a

On the positive side, there's now much more awareness of the risk within the
research community. ICANN now requires that a top-level domain pass through
a new risk mitigation process called "controlled interruption" before it can
be added to the global DNS.

But on the negative side, name collisions are indeed occurring. Researchers
at University of Michigan and Verisign Labs showed in an IEEE Security and
Privacy paper [5] that an increasing number of externally registered names
overlap with internal names employed in the Web Proxy Auto-Discovery (WPAD)
protocol. As reported in this forum last May [6], an adversary could
potentially exploit such a collision to launch a Man in the Middle (MiTM)
attack. US-CERT issued an alert [7] with advice on how users and network
administrators can reduce the risk.

It will be interesting to see how all this plays out, especially in terms of


Re: 'Special' Powers Corrupt Especially!! (RISKS-30.05)

Chris Drewe <>
Sat, 07 Jan 2017 22:05:44 +0000
It's not just local authorities, it's also tax collectors, according
to *The Telegraph* today:

  Taxman unleashes its 'snooper computer': what information does it have on

  HM Revenue & Customs has spent years and 100m or more on a
  super-computer designed to identify those who may have paid too little

  The Connect system crunches data from Airbnb, the rental platform, for
  instance, or eBay. It can also access Land Registry records to see houses
  purchased and ensure the correct tax has been paid. From there, further
  sources enable it to determine if properties are being rented out and
  whether that income has been declared.

  It can also determine if someone is likely to be able to afford such
  properties, or whether they are suspected of having used previously
  undeclared income or savings.

  HMRC gains anonymised information on all Visa and Mastercard transactions,
  enabling it to identify areas of likely underpayments which it can then
  target further, seeking details of individuals' transactions where

  HMRC will also be one of the government bodies to gain access to
  information under new laws known commonly as the *snoopers' charter*.  The
  legislation means telecom providers store customers' web browsing and
  email records for at least a year; it can then be accessed by the

Rather obvious RISKS of getting in trouble for routine mistakes and
mess-ups, plus drawing the wrong inferences from multiple data sources.
Looks like us Brits should be prepared to just hand ourselves in...
