The RISKS Digest
Volume 30 Issue 30

Monday, 5th June 2017

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Remote Air Traffic Control
BBC News via Steve Lamont
Robot Copilot Lands 737
Mary Grady via Gabe Goldberg
"Catastrophic" IT failure grounds British Airways
Wendy M. Grossman
Untold story of QF72: What happens when 'psycho' automation leaves pilots powerless?
SMH via Gabe Goldberg
Berkeley duo's plan to solve traffic jams: hyper-fast lanes for self-driving cars
The Guardian via Dave Crocker
Starbucks store registers down in widespread outage
Pacemaker device security audit finds 8,600 flaws, some potentially deadly
Gabe Goldberg
Red Light Cameras May Issue Some Tickets Using the Wrong Formula
Chipotle Credit-Card Hack
Don Gilman
MasterCard Serbia asked ladies to share FB photos of, among other things, their credit card
Svedic via Gabe Goldberg
This 11-Year-Old Just Schooled Cybersecurity Experts By `Weaponizing' a Teddy Bear
"Digital signature service DocuSign hacked and email addresses stolen"
John Ribeiro
Russian Hackers Are Using Google's Own Infrastructure to Hack Gmail Users
How Twitter Is Being Gamed to Feed Misinformation
The New York Times
Is China Outsmarting America in A.I.?
The New York Times
Internet of Things: Status and implications of an increasingly connected world
GAO-17-75 via Diego Latella
"Yahoobleed" flaw that festered for years leaked private Yahoo Mail data
Ars Technica
OneLogin admits recent breach is pretty dang serious
Software is forever..., Re: WannaCry
Wendy M. Grossman
What Happens When Your Car Gets Hacked?
The New York Times
Linguistic Analysis of WannaCry Ransomware Messages Suggests Chinese-Speaking Authors
Michael Marking
Ransomware: FBI says pay up!
Alister Wm Macintyre
Alister William Macintyre, 8 Feb 1944—17 May 17
Re: Bobby Tables ... SQL injection
Gene Wirchenko
Re: Malware and The Cloud
Peter Houppermans
Re: UK Telecomms Service Stopped by Bureaucracy
Re: The Lost Picture Show: Hollywood Archivists Can't Outpace Obsolescence
Gabe Goldberg
Info on RISKS (comp.risks)

Remote Air Traffic Control (BBC News)

Steve Lamont
Fri, 19 May 2017 16:50:45 -0700
London City first in UK to get remote air traffic control
BBC, 19 May 2017

London City is to become the first UK airport to replace its air traffic
control tower with a remotely operated digital system.
Instead of sitting in a tower overlooking the runway, controllers will be
120 miles away, watching live footage from high-definition cameras.

The new system, due to be completed in 2018, will be tested for a year
before becoming fully operational in 2019.  It has already been tested in
Australia, Sweden, Norway and Ireland.

The technology has been developed by Saab, the Swedish defence and security
company, and will be introduced as part of a UKP350m development programme
to upgrade London City Airport.

    [Perhaps next we will have blind controllers playing it by ear?]

Robot Copilot Lands 737 (Mary Grady)

Gabe Goldberg <>
Sun, 21 May 2017 10:58:42 -0400
Mary Grady

Aurora Flight Sciences has successfully tested a robotic copilot in a Boeing
737 simulator, demonstrating that it can safely land the airplane on its
own, the company said this week. The system is designed to function as a
second pilot in a two-crew aircraft, enabling reduced crew operations while
ensuring that aircraft performance and mission success are maintained or
improved. Aurora is working with the Defense Advanced Research Projects
Agency to develop the technology. DARPA has said their goal is to test “a
tailorable, drop-in, removable kit that would promote the addition of high
levels of automation into existing aircraft.” Aurora has previously tested
the system in a Diamond DA42, Cessna 208 Caravan, UH-1 Iroquois and DHC-2

“Having successfully demonstrated on a variety of aircraft, ALIAS (Aircrew
Labor In-Cockpit Automation System) has proven its versatile automated
flight capabilities,” said John Wissler, Aurora's vice president of research
and development. “As we move towards fully automated flight from takeoff to
landing, we can reliably say that we have developed an automation system
that enables significant reduction of crew workload.” Aurora's technology
includes the use of in-cockpit machine vision, robotic components to actuate
the flight controls, an advanced tablet-based user interface, speech
recognition and synthesis, and a knowledge-acquisition process that
facilitates transition of the automation system to another aircraft within a
30-day period. Aurora is also working on a version of the system without
robotic actuation that instead aims to support the pilot by tracking
aircraft physical, procedural and mission states, increasing safety by
actively updating pilot situational awareness.  Video:

The risk? Second Officer Robo Pilot not having been programmed for an
unusual and very bad situation. Say, a bird strike on both engines leaving
NYC's LaGuardia Airport or an incapacitated human pilot. Nice corporate
goal, "reduced crew operations while ensuring that aircraft performance and
mission success are maintained or improved"—and it does mention safety --
but I wonder about handling those occasional oddities where human experience
shines. Aren't some aircraft designated two-crew for good

"Catastrophic" IT failure grounds British Airways

"Wendy M. Grossman" <>
Sat, 27 May 2017 15:06:43 +0100

BA has canceled all flights from Britain's two largest airports, Heathrow
and Gatwick, until 6pm Saturday on one of the busiest flying days of the
year - as in the US, Monday is a holiday. Arriving planes, particularly at
LHR T5, were left sitting on the tarmac.

It appears that BA off-shores its IT systems, and not long ago cut a
number of IT jobs to Tata:


All flights now canceled for the rest of today. The scenes at LHR shown
on Twitter look awful.

More discussion of the IT system at PPrune (the pilots' rumors network):

As Edward Hasbrouck always advises: have a printed
copy of your ticket and boarding pass.

Untold story of QF72: What happens when 'psycho' automation leaves pilots powerless?

Gabe Goldberg <>
Sun, 28 May 2017 20:59:01 -0400
Returning from the toilet, second officer Ross Hales straps into the
right-hand-side seat beside Captain Kevin Sullivan in the Qantas jet's
cockpit. "No change," Sullivan tells him in his American accent. He is
referring to the Airbus A330-300's autopilot and altitude as it cruises at
37,000 feet above the Indian Ocean on a blue-sky day.

Within a minute, the plane's autopilot disconnects. It forces Sullivan to
take manual control of Qantas Flight 72, carrying 303 passengers and 12 crew
from Singapore to Perth. Five seconds later, stall and over-speed warnings
begin blaring. St-aaa-ll, st-aaa-ll, they screech.  The over-speed warnings
are louder, sounding like a fire bell. Ding, ding, ding, ding. Caution
messages light up the instrument panel.

"That's not right," Sullivan exclaims to Hales, who he met for the first
time earlier in the day on a bus taking crew from a Singapore hotel to
Changi Airport. His reasoning is simple: how can the plane stall and
over-speed at the same time? The aircraft is telling him it is flying at
both maximum and minimum speeds. Barely 30 seconds earlier, nothing was
untoward. He can see the horizon through the cockpit windows and cross-check
instruments to determine that the plane is flying as it should.

"You'd better get Peter back," Sullivan says, urgency in his voice.  Minutes
earlier, first officer Peter Lipsett, a former Navy Seahawk pilot, left for
his scheduled break. Hales picks up the plane's interphone to call the
customer service manager to track down the first officer.

Berkeley duo's plan to solve traffic jams: hyper-fast lanes for self-driving cars

Dave Crocker <>
June 3, 2017 at 5:01:24 PM EDT

  "Barrs and Chen said vehicles would travel at speeds up to 120mph, and
  that the centralized computer control—which would be in constant
  communication with each vehicle using emerging 5G technology—would
  allow for a more tightly-packed traffic pattern."

Hmmm.  Single, centralized computer with fulltime, real-time reliance on
perfect, metropolitan area wireless communication between that computer and
every vehicle under its control?

This proposal might need a bit of deeper thinking about the design of the
command and control architecture.

Something more distributed, and with more modest assumptions about lane
occupancy percentages will likely produce a far more robust (and safer)
service with surprisingly similar level of utility.

Dave Crocker, Brandenburg InternetWorking,

Starbucks store registers down in widespread outage

Gabe Goldberg <>
Sat, 20 May 2017 10:52:12 -0400
  [Epic First-World #fail!!!]

A Starbucks spokesperson said the problem came about as a result of a
"technology update" to store registers and that a limited number of the
country's 14,000 North American locations are affected.

The risk? Technology, technology updates, and cash registers lacking
old-school mechanical push buttons and large crank handles.

Pacemaker device security audit finds 8,600 flaws, some potentially deadly

Gabe Goldberg <>
Tue, 30 May 2017 23:36:15 -0400
Lack of encryption and authentication, simple bugs in the code and poor
design can put patient lives at risk.

A recent report from security firm WhiteScope describes more than 8,600
flaws in pacemaker systems and the third-party libraries that power various
components of the devices.

The broad list of flaws includes a lack of encryption and authentication,
simple bugs in the code and poor design that can put patient lives at
risk. These vulnerabilities were associated with outdated libraries used in
pacemaker programmer software.

No real clue given regarding what they counted in that broad list to reach

Red Light Cameras May Issue Some Tickets Using the Wrong Formula

Gabe Goldberg <>
Mon, 29 May 2017 01:42:52 -0400
America needs a hero, and though Mats Järlström hails from Sweden, he might
be it. He won't reverse climate change or close the wealth gap, but he may
help unmake another injustice: that of the ticket-slinging red light camera.

Chipotle Credit-Card Hack

Don Gilman <>
Mon, 29 May 2017 09:41:41 -0500
Chipotle Mexican Grill, Inc. (Chipotle) is providing further information
about the payment card security incident that Chipotle previously reported
on 25 Apr 2017. The information comes at the completion of an investigation
that involved leading cyber security firms, law enforcement, and the payment
card networks.

The investigation identified the operation of malware designed to access
payment card data from cards used on point-of-sale (POS) devices at certain
Chipotle restaurants between March 24, 2017 and April 18, 2017. The malware
searched for track data (which sometimes has cardholder name in addition to
card number, expiration date, and internal verification code) read from the
magnetic stripe of a payment card as it was being routed through the POS
device. There is no indication that other customer information was
affected. A list of affected Chipotle restaurant locations and specific time
frames is available here.  Not
all locations were involved, and the specific time frames vary by location.

It is always advisable to remain vigilant to the possibility of fraud by
reviewing your payment card statements for any unauthorized activity. You
should immediately report any unauthorized charges to your card issuer
because payment card rules generally provide that cardholders are not
responsible for unauthorized charges reported in a timely manner.  The phone
number to call is usually on the back of your payment card.  Please see the
section that follows this notice for additional steps you may take.

During the investigation we removed the malware, and we continue to work
with cyber security firms to evaluate ways to enhance our security
measures. In addition, we continue to support law enforcement's
investigation and are working with the payment card networks so that the
banks that issue payment cards can be made aware and initiate heightened

Don Gilman

MasterCard Serbia asked ladies to share FB photos of, among other things, their credit card

Gabe Goldberg <>
Sat, 20 May 2017 10:49:28 -0400

Credit card companies should know all about phishing, right? McCann should
know all about marketing, right? Combine the two in Serbia and you will get
a marketing campaign that just went viral, although for the wrong reasons.

Mastercard Serbia organised a prize contest that asks female customers to
share contents of their purse on Facebook. Their announcement post clearly
shows the credit card details of a fictive customer.

The risk? Quoting article:

In my modest opinion, the lesson of this story is to be careful how you
hire. I am biased because I run an employee assessment company, but smiling
people with lovely résumés can still be bozos. And when you have incompetent
people in the company, it doesn't matter what formal company procedures you
have in place.

This 11-Year-Old Just Schooled Cybersecurity Experts By `Weaponizing' a Teddy Bear

Gabe Goldberg <>
Tue, 30 May 2017 23:32:59 -0400
Cybersecurity experts were shocked Tuesday when a sixth grader showed them
just how easy it would be to hack their mobile devices and weaponize a
seemingly innocuous item—in this case, his smart teddy bear.

At a cyber safety conference in the Hague, Netherlands, 11-year-old prodigy
Reuben Paul used a small computer called a "raspberry pi" to hack into
audience members' Bluetooth devices and download phone numbers, Agence
France-Presse reports.

Paul then reportedly used one of the numbers to hack into the teddy bear,
which connects to the Internet via Bluetooth or WiFi, and used the toy to
record a message from the audience by using a computer language program
called Python.

"Digital signature service DocuSign hacked and email addresses stolen" (John Ribeiro)

Gene Wirchenko <>
Wed, 24 May 2017 10:46:45 -0700
John Ribeiro, InfoWorld, 16 May 2017
Digital signature service DocuSign hacked and email addresses stolen
DocuSign had last week warned of phishing emails that spoofed its brand

opening text:

Digital signature service DocuSign said Monday that an unnamed third-party
had got access to email addresses of its users after hacking into its

The hackers gained temporary access to a peripheral sub-system for
communicating service-related announcements to users through email, the
company said. It confirmed after what it described as a complete forensic
analysis that only email addresses were accessed, and not other details such
as names, physical addresses, passwords, social security numbers, credit
card data, or other information.

Russian Hackers Are Using Google's Own Infrastructure to Hack Gmail Users (Motherboard)

Lauren Weinstein <>
Thu, 1 Jun 2017 07:24:47 -0700
via NNSquad

  Russian government hackers seem to have figured out that sometimes the
  best way to hack into people's Gmail accounts is to abuse Google's own

Not really new, but always worthy of note.

How Twitter Is Being Gamed to Feed Misinformation (The New York Times)

Lauren Weinstein <>
Sat, 3 Jun 2017 08:20:29 -0700
via NNSquad

  Though the 140-character network favored by President Trump is far smaller
  than Facebook, it is used heavily by people in media and thus exerts
  perhaps an even greater sway on the news business.  That's an issue
  because Twitter is making the news dumber. The service is insidery and
  clubby. It exacerbates groupthink. It prizes pundit-ready quips over
  substantive debate, and it tends to elevate the silly over the serious --
  for several sleepless hours this week it was captivated by "covfefe,"
  which was essentially a brouhaha over a typo.  But the biggest problem
  with Twitter's place in the news is its role in the production and
  dissemination of propaganda and misinformation. It keeps pushing
  conspiracy theories—and because lots of people in the media, not to
  mention many news consumers, don't quite understand how it works, the
  precise mechanism is worth digging into.

Is China Outsmarting America in A.I.? (The New York Times)

Lauren Weinstein <>
Sun, 28 May 2017 21:21:32 -0700
via NNSquad

  The balance of power in technology is shifting. China, which for years
  watched enviously as the West invented the software and the chips powering
  today's digital age, has become a major player in artificial intelligence,
  what some think may be the most important technology of the future.
  Experts widely believe China is only a step behind the United States.
  China's ambitions mingle the most far-out sci-fi ideas with the needs of
  an authoritarian state: Philip K. Dick meets George Orwell. There are
  plans to use it to predict crimes, lend money, track people on the
  country's ubiquitous closed-circuit cameras, alleviate traffic jams,
  create self-guided missiles and censor the Internet.

Internet of Things: Status and implications of an increasingly connected world (GAO-17-75)

Diego Latella <>
Mon, 22 May 2017 14:59:08 +0200
You might be interested in the following GAO report:

Technology Assessment:
Internet of Things: Status and implications of an increasingly connected world

GAO-17-75: Published: May 15, 2017. Publicly Released: May 15, 2017.

Dott. Diego Latella - Senior Researcher CNR-ISTI, Via Moruzzi 1, 56124 Pisa,

"Yahoobleed" flaw that festered for years leaked private Yahoo Mail data

Lauren Weinstein <>
Mon, 22 May 2017 13:00:10 -0700
via NNSquad

  For years, Yahoo Mail has exposed a wealth of private user data because it
  failed to update widely used image-processing software that contained
  critical vulnerabilities. That's according to a security researcher who
  warned that other popular services are also likely to be leaking sensitive
  subscriber secrets.

OneLogin admits recent breach is pretty dang serious (TechCrunch)

Lauren Weinstein <>
Thu, 1 Jun 2017 18:04:46 -0700
via NNSquad

  OneLogin, a major access management service (think corporate-level
  password manager) alerted its users yesterday of "unauthorized access" to
  the data of its US-based users.  That kind of thing isn't always
  serious... but it turns out this one sure was. An update posted today
  reveals the hacker may have had very deep access indeed.

Software is forever... Re: WannaCry

"Wendy M. Grossman" <>
Fri, 19 May 2017 13:53:21 +0100
The WannaCry outbreak has inspired some particularly poor in-fighting,
but Steve Bellovin has an intelligent blog posting up asking who should
pay for updating outdated software:
He proposes four options:

> We can demand that vendors pay, even many years after the software has
> shipped. We can set up some sort of insurance system, whether run by the
> government or by the private sector. We can pay out of general revenues.
> If none of those work, we'll pay, as a society, for security failures.

...because, as I wrote in 2014, when Microsoft discontinued support for
XP, software is forever:

What Happens When Your Car Gets Hacked? (The New York Times)

Gabe Goldberg <>
Sun, 28 May 2017 20:08:07 -0400
As devastating as the latest widespread ransomware attacks have been, it’s a
problem with a solution. If your copy of Windows is relatively current and
you've kept it updated, your laptop is immune. It's only older unpatched
systems on your computer that are vulnerable.

Patching is how the computer industry maintains security in the face of
rampant internet insecurity. Microsoft, Apple and Google have teams of
engineers who quickly write, test and distribute these patches, updates to
the codes that fix vulnerabilities in software. Most people have set up
their computers and phones to automatically apply these patches, and the
whole thing works seamlessly. It isn't a perfect system, but it’s the best
we have.

But it is a system that's going to fail in the Internet of Things: everyday
devices like smart speakers, household appliances, toys, lighting systems,
even cars, that are connected to the web. Many of the embedded networked
systems in these devices that will pervade our lives don't have engineering
teams on hand to write patches and may well last far longer than the
companies that are supposed to keep the software safe from criminals. Some
of them don't even have the ability to be patched.

Most of our web-connected products don't have a team of engineers working to
make them more secure. That's a problem.

Linguistic Analysis of WannaCry Ransomware Messages Suggests Chinese-Speaking Authors

Michael Marking <>
Sun, 28 May 2017 00:17:02 +0000

  Flashpoint assesses with moderate confidence that the Chinese ransom note
  served as the original source for the English version, which then
  generated machine translated versions of the other notes. The Chinese
  version contains content not in any of the others, though no other notes
  contain content not in the Chinese. The relative familiarity found in the
  Chinese text compared to the others suggests the authors were fluent in
  the language—perhaps comfortable enough to use the language to write
  the initial note.

  Given these facts, it is possible that Chinese is the author(s)’ native
  tongue, though other languages cannot be ruled out. It is also possible
  that the malware author(s)’ intentionally used a machine translation of
  their native tongue to mask their identity.  It is worth noting that
  characteristics marking the Chinese note as authentic are subtle. It is
  thus possible, though unlikely, that they were intentionally included to

WannaCry had ransom notes in 28 different languages.

The analysis was of the ransom notes, not of the code itself.

Ransomware: FBI says pay up!

"Alister Wm Macintyre \(Wow\)" <>
Sun, 14 May 2017 19:11:21 -0500
Is this true, or fake news, or misquoting?

FBI Gives Hollywood Hacking Victims Surprising Advice: "Pay the Ransom"
Hollywood Reporter, 12 May 2017

This isn't a change in policy.  The FBI has been recommending payment of
ransom since at least October, 2015:

  FBI's Advice on Ransomware? Just Pay The Ransom.
  Security Ledger, 22 Oct 2015

Alister William Macintyre, 8 Feb 1944—17 May 17

"V." <>
Sun, 21 May 2017 16:52:32 -0800
Alister was a close friend, and I had the pleasure of meeting him and
visiting him in his home years ago.  He was unfailingly kind and pleasant,
always giving and hoping for the best for others.  He gave generously of his
time and knowledge and asked for little in return except kindness and an
open mind.  He will be missed by everyone who ever knew him.

  [Al Mac was also a prolific contributor to RISKS since June 2005, with
  his last posting (above) just three days before his passing.  PGN]

An obituary is available here:
That's not a very graceful URL, but it was obtained by going to and searching for Al.  There's a link to
a Guest Book at the site.

Re: Bobby Tables ... SQL injection (Manning, RISKS-30.29)

Gene Wirchenko <>
Sun, 14 May 2017 21:10:04 -0700
> In DB2 the running process would have to be authorised for the DROP Table
> action in that particular named Tablespace.  How common is that? Is Drop
> Table less Restricted in other Relation DB Management Systems? [...]

Yes, it should not happen.  RISKS exists, because such things do happen.

Personally, I would rather be in the situation of saying, "There was a
failed, injected drop table.  You win the bet.  Here is your $20." than
"There was an injected drop table.  I win the bet.  $20, please.  And where
is the backup?"
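An added example, not part of Gene's reply or of the thread it answers, illustrating the two halves of the argument above: first, what the Bobby Tables payload does when a query is built by string concatenation and the process is allowed to drop tables; second, why the DB2-style privilege check in the quoted question matters. The table, the row data and the payload are constructed for the example; sqlite3 has no GRANT/REVOKE, so a connection authorizer that refuses DROP TABLE stands in for the tablespace-level privilege, and the parameterised insert shows the fix that makes the privilege a second line of defence rather than the only one.

```python
import sqlite3

# Constructed attacker input: the classic Bobby Tables payload.
BOBBY = "Robert'); DROP TABLE students;--"


def setup():
    """Fresh in-memory database with one table and one row (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO students (name) VALUES ('Alice')")
    conn.commit()
    return conn


def table_exists(conn):
    """True if the students table is still in the schema."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='students'"
    ).fetchone()
    return row[0] == 1


def insert_vulnerable(conn, name):
    """String-built SQL executed as a script: every statement in the payload runs."""
    conn.executescript(f"INSERT INTO students (name) VALUES ('{name}');")


def insert_parameterised(conn, name):
    """Bound parameter: the payload is stored as data, never parsed as SQL."""
    conn.execute("INSERT INTO students (name) VALUES (?)", (name,))
    conn.commit()


def deny_drop(action, arg1, arg2, dbname, source):
    """Authorizer policy (assumed for this example): anything but DROP TABLE.
    Plays the role of a DB2-style privilege that the application user lacks."""
    if action == sqlite3.SQLITE_DROP_TABLE:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def demo_vulnerable():
    """Concatenation plus full privileges: the table is gone afterwards."""
    conn = setup()
    insert_vulnerable(conn, BOBBY)
    return table_exists(conn)


def demo_parameterised():
    """Bound parameter: the table survives and the payload is just a name."""
    conn = setup()
    insert_parameterised(conn, BOBBY)
    names = [r[0] for r in conn.execute("SELECT name FROM students ORDER BY id")]
    return table_exists(conn), names


def demo_least_privilege():
    """Same vulnerable code, but the connection may not DROP: the injected
    statement is refused by the authorizer and the table survives.
    Returns (drop_was_denied, table_still_exists)."""
    conn = setup()
    conn.set_authorizer(deny_drop)
    denied = False
    try:
        insert_vulnerable(conn, BOBBY)
    except sqlite3.DatabaseError:  # sqlite reports "not authorized"
        denied = True
    return denied, table_exists(conn)


if __name__ == "__main__":
    print("vulnerable, table survives:", demo_vulnerable())
    print("parameterised (survives, rows):", demo_parameterised())
    print("least privilege (denied, survives):", demo_least_privilege())
```

The third run is the "failed, injected drop table" of the reply: the injection is still there, and the first INSERT in the script has already executed by the time the DROP is refused, so the privilege check limits the damage but does not excuse the concatenation. Only the parameterised version removes the injection itself.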

Re: Malware and The Cloud (RISKS-30.29)

Peter Houppermans <>
Sun, 14 May 2017 11:56:27 +0200
Maybe I have presently too much blood in my caffeine, but I don't really see
the strength of the argument.

Lauren's proposed approach would work only if The Cloud (et al.) would be
able to distinguish between benign access by the user and malicious access
by ransomware with the same privilege levels to encrypt user files.  As far
as I'm aware, nobody has managed that yet.  As for keeping *software* up to
date, nobody executes directly from Cloud facilities, it is always cached
locally for reasons of speed (and offline use) which puts you pretty much in
an identical situation to patching as and when such becomes available.

Re: UK Telecomms Service Stopped by Bureaucracy (Drewe, RISKS-30.29)

Wols Lists <>
Sun, 14 May 2017 10:28:28 +0100
On 14/05/17 06:46, RISKS List Owner wrote:
> Vodafone wanted to transfer its 1,000 users to
> PageOne, but the UK Competition and Markets Authority objected and wanted a
> full investigation

The perils of not learning from experience ... This EXACT SAME scenario
played out in the shoe-polish market recently.  The owners of Cherry and
Kiwi wanted to merge. (Or rather, one of them wanted to get out of the
business and, to save jobs, wanted to sell as a going operation to the
other.) The competition people insisted on doing a full market
investigation, so the company that wanted out just shut the whole lot down.

Re: The Lost Picture Show: Hollywood Archivists Can't Outpace Obsolescence (IEEE Spectrum)

Gabe Goldberg <>
Sun, 14 May 2017 02:05:35 -0400
As if on cue:

IBM wheels out bleedin' big 15TB tape drive
Proprietary tape format bits shrink while capacity bulks up

IBM has brought out a TS1155 tape drive as an update on the existing TS1150,
offering 15TB raw capacity, half as much again. These are proprietary IBM
format tape drives. For comparison the open standard LTO-7 format offers 6TB
raw capacity (15TB compressed at 2.5:1), with the coming LTO-8 reaching 12TB
raw, well below IBM capacity levels. IBM has quoted 3:1 compression rates
for the TS1150, so the same rate applied to the TS1155 gives us a 45TB
compressed capacity, a useful increment over the TS1150's 30TB.

archive to these, just keep a few around forever to read the data.
