The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 36

Friday 7 July 2017

Contents

U.S. lottery rigged, then payout used for offshore tax scam
Jose Maria Mateos
"In touching tribute to Samsung Note 7, fidget spinners burst in flames"
Shaun Nichols
Security of US nukes now an official secret
Robert Burns
IoT goes nuclear: creating a ZigBee chain reaction
Ronen
Volvo admits its self-driving cars are confused by kangaroos
The Guardian
Data glitch sets tech company stock prices at $123.47
The Verge
Cyberattackers Find Fertile Proving Grounds
Sheera Frenkel
Researchers Found They Could Hack Entire Wind Farms
WiReD
Skylake, Kaby Lake chips have a crash bug with hyperthreading enabled
Ars Technica
CopyCat malware infected 14 million outdated Android devices
CNET
Ukraine Cyberattack Was Meant to Paralyze, not Profit, Evidence Shows
The New York Times
NHS doctors use Snapchat to send patients' scans
The Telegraph via Chris Drewe
Happy 4th of July! Show Us Your Papers: Comm. on Election Integrity
The New York Times
Staying humble is key to staying safe, says Israel's cyber chief; electoral system is secure!
Times of Israel
CCC Russia-Proofing Germany's Elections
Bloomberg via PGN
Re: Government meddling, election hacks and sundry items
EyeOnCanada
Trump's attempt to obtain and make public California voter records
Lauren Weinstein
Science division of White House office no longer staffed: report
Brandon Carter
Republicans want to open U.S. roads for testing self-driving cars
Recode
"This Burger King Ad Forces Your Google Home Device To Tell You About Whoppers"
Mary Beth Quirk
AT&T is reinstating their plan to spy on you unless you pay extra
PrivateInternetAccess
Vindicated: I am not the memory hog
Dan Jacobson
Re: Western tech firms bow to Russian demands to share cyber secrets
Martin Ward
Re: Y2K problem causes earthquake aftershock 92 years later
Lothar Kimmeringer
Info on RISKS (comp.risks)

U.S. lottery rigged, then payout used for offshore tax scam

Jose Maria Mateos <chema@rinzewind.org>
Wed, 5 Jul 2017 22:24:05 -0400
Software used to rig outcome in Wisconsin, Colorado, Kansas and Oklahoma

Investigators say Tipton installed software that let the computers work as
they should on all but three days of the year—May 27, Nov. 22 and Dec. 29
-- when they would produce predictable numbers if the drawings occurred on
Wednesdays or Saturdays after 8 p.m.
http://www.cbc.ca/news/world/u-s-lottery-rigged-then-payout-used-for-offshore-tax-scam-1.4192281
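The pattern the article describes is a date-gated backdoor: the generator is honest on every drawing except those on three calendar days, and only when a Wednesday or Saturday drawing falls after 8 p.m. The following is an added example, not code from the case or from any lottery vendor. It models that trigger window with the dates and times the article gives, pairs it with a constructed "honest" and a constructed "backdoored" draw (the 6-of-59 game format and the seed-from-date mechanism are assumptions of the model, not facts from the story), and shows the audit that exposes it: replay every drawing slot several times with fresh entropy and flag any slot whose output repeats, since a genuinely random draw never does.

```python
"""Model of a date-gated RNG backdoor and a replay check that exposes it.

Constructed example for illustration; not the software from the case.
The trigger condition is taken from the article: May 27, Nov 22 and
Dec 29, on Wednesdays or Saturdays, drawings after 8 p.m.  Everything
else (the 6-of-59 game, seeding from the date) is an assumption.
"""
import random
from datetime import date, datetime, timedelta

TRIGGER_DAYS = {(5, 27), (11, 22), (12, 29)}   # (month, day) from the article
WEDNESDAY, SATURDAY = 2, 5                     # datetime.weekday() values
NUMBERS_PER_DRAW, HIGHEST_BALL = 6, 59         # assumed game format


def is_trigger(ts: datetime) -> bool:
    """True if a drawing at `ts` falls inside the described trigger window."""
    return ((ts.month, ts.day) in TRIGGER_DAYS
            and ts.weekday() in (WEDNESDAY, SATURDAY)
            and ts.hour >= 20)


def trigger_dates(year: int) -> list:
    """Calendar days in `year` on which the trigger condition can be met."""
    return [d for d in (date(year, m, dd) for m, dd in sorted(TRIGGER_DAYS))
            if d.weekday() in (WEDNESDAY, SATURDAY)]


def honest_draw(ts: datetime) -> tuple:
    """Draw from OS entropy; the output does not depend on the clock at all."""
    rng = random.SystemRandom()
    return tuple(sorted(rng.sample(range(1, HIGHEST_BALL + 1), NUMBERS_PER_DRAW)))


def backdoored_draw(ts: datetime) -> tuple:
    """Behaves like honest_draw except inside the trigger window, where the
    'random' numbers are a pure function of the date (assumed mechanism)."""
    if not is_trigger(ts):
        return honest_draw(ts)
    rng = random.Random(ts.strftime("%Y-%m-%d"))   # seeded from the date only
    return tuple(sorted(rng.sample(range(1, HIGHEST_BALL + 1), NUMBERS_PER_DRAW)))


def drawing_slots(year: int, hour: int = 20, minute: int = 30) -> list:
    """Every Wednesday/Saturday evening drawing slot in `year`."""
    d = date(year, 1, 1)
    slots = []
    while d.year == year:
        if d.weekday() in (WEDNESDAY, SATURDAY):
            slots.append(datetime(d.year, d.month, d.day, hour, minute))
        d += timedelta(days=1)
    return slots


def audit_reproducibility(draw, slots: list, repeats: int = 3) -> list:
    """Replay each slot `repeats` times with fresh entropy.  A slot whose
    draws all coincide is not random: for a 6-of-59 game two independent
    draws agree with probability about 2e-8."""
    suspicious = []
    for ts in slots:
        results = {draw(ts) for _ in range(repeats)}
        if len(results) == 1:
            suspicious.append(ts)
    return suspicious


if __name__ == "__main__":
    slots = drawing_slots(2017)
    print("trigger days in 2017:", trigger_dates(2017))
    print("honest RNG flagged  :", audit_reproducibility(honest_draw, slots))
    print("backdoored flagged  :", audit_reproducibility(backdoored_draw, slots))
```

The audit only works because it drives the generator with the clock as an input rather than trusting the wall clock; an acceptance test that runs on whatever day the tester happens to be working would pass on 362 days of the year.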



"In touching tribute to Samsung Note 7, fidget spinners burst in flames" (Shaun Nichols)

Gene Wirchenko <genew@telus.net>
Wed, 05 Jul 2017 20:09:15 -0700
Shaun Nichols, *The Register*, 29 Jun 2017
Hang on, there's a tech angle in here somewhere... IoT, right?
https://www.theregister.co.uk/2017/06/29/fidget_spinners_catch_fire/

opening text:

Fad-crazed parents have something new to worry about, as reports suggest
that fidget spinners can pose a fire risk.

A family in the US says one of the smash-hit toys caught fire as it was
charging its Bluetooth speaker in their home, and it only narrowly avoided
becoming a much larger blaze.


Security of US nukes now an official secret (Robert Burns)

Gabe Goldberg <gabe@gabegold.com>
Mon, 3 Jul 2017 14:50:30 -0400
Robert Burns, AP Exclusive via WRAL, 3 Jul 2017

WASHINGTON—The Pentagon has thrown a cloak of secrecy over assessments of
the safety and security of its nuclear weapons operations, a part of the
military with a history of periodic inspection failures and lapses in
morale.

Overall results of routine inspections at nuclear weapons bases, such as a
"pass-fail" grade, had previously been publicly available. They are now
off-limits. The change goes beyond the standard practice of withholding
detailed information on the inspections.

The stated reason for the change is to prevent adversaries from learning too
much about U.S. nuclear weapons vulnerabilities. Navy Capt. Greg Hicks,
spokesman for the Joint Chiefs of Staff, said the added layer of secrecy was
deemed necessary.

"We are comfortable with the secrecy," Hicks said Monday, adding that it
helps ensure that "as long as nuclear weapons exist, the U.S. will maintain
a safe, secure, and effective nuclear stockpile."

Critics question the lockdown of information.

"The whole thing smells bad," said Steven Aftergood, a government secrecy
expert with the Federation of American Scientists. "They're acting like they
have something to hide, and it's not national security secrets."

"I think the new policy fails to distinguish between protecting valid
secrets and shielding incompetence," he added. "Clearly, nuclear weapons
technology secrets should be protected. But negligence or misconduct in
handling nuclear weapons should not be insulated from public
accountability."

http://www.wral.com/ap-exclusive-security-of-us-nukes-now-an-official-secret/16799565/


IoT goes nuclear: creating a ZigBee chain reaction (Ronen)

Gabe Goldberg <gabe@gabegold.com>
Sun, 2 Jul 2017 01:16:06 -0400
Ronen et al., /IEEE Security and Privacy 2017/
<https://eprint.iacr.org/2016/1047.pdf>

You probably don't need another reminder about the woeful state of security
in IoT, but today's paper choice may well give you further pause for thought
about the implications. The opening paragraph sounds like something out of
science fiction—except that it's a demonstrated reality today:

  Within the next few years, billions of IoT devices will densely populate
  our cities. In this paper, we describe a new type of threat in which
  adjacent IoT devices will infect each other with a worm that will rapidly
  spread over large areas, provided that the density of compatible IoT
  devices exceeds a certain critical mass.

https://blog.acolyer.org/2017/06/22/iot-goes-nuclear-creating-a-zigbee-chain-reaction/
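The "critical mass" in the paper's abstract is a percolation threshold: when each device can only infect neighbours within radio range, the infection stays in small islands at low density and abruptly reaches almost every device once the expected number of in-range neighbours passes a threshold (roughly 4.5 for a two-dimensional random geometric graph). The simulation below is an added example to make that visible; it is not the authors' code and assumes a fixed symmetric range, uniform placement in a unit square and a worm that always succeeds against a reachable neighbour.

```python
"""Percolation model of an IoT worm that hops between nearby devices.

Constructed example illustrating the 'critical mass' argument of the
paper; not the authors' code.  Devices are dropped uniformly in a unit
square and two devices can infect each other if they are within radio
`radius` of one another (assumed: fixed, symmetric range; infection of a
reachable neighbour always succeeds).  Density is set by device count.
"""
import math
import random
from collections import deque


def place_devices(n: int, seed: int) -> list:
    rng = random.Random(seed)
    return [(rng.random(), rng.random()) for _ in range(n)]


def build_grid(devices: list, radius: float) -> dict:
    """Bucket device indices into radius-sized cells so that every device
    within `radius` of a point lies in the point's cell or an adjacent one."""
    grid = {}
    for idx, (x, y) in enumerate(devices):
        grid.setdefault((int(x / radius), int(y / radius)), []).append(idx)
    return grid


def in_range(idx: int, devices: list, grid: dict, radius: float):
    """Yield indices of devices within `radius` of device `idx`."""
    x, y = devices[idx]
    cx, cy = int(x / radius), int(y / radius)
    r2 = radius * radius
    for dx in (-1, 0, 1):
        for dy in (-1, 0, 1):
            for j in grid.get((cx + dx, cy + dy), ()):
                if j != idx and (x - devices[j][0]) ** 2 + (y - devices[j][1]) ** 2 <= r2:
                    yield j


def spread(devices: list, radius: float, patient_zero: int) -> float:
    """Breadth-first infection from patient_zero; returns the fraction infected."""
    grid = build_grid(devices, radius)
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        cur = queue.popleft()
        for j in in_range(cur, devices, grid, radius):
            if j not in infected:
                infected.add(j)
                queue.append(j)
    return len(infected) / len(devices)


def infected_fraction(n_devices: int, radius: float, seed: int = 1, trials: int = 5) -> float:
    """Average infected fraction over several random layouts, starting from
    the device nearest the centre of the area."""
    total = 0.0
    for t in range(trials):
        devices = place_devices(n_devices, seed + t)
        start = min(range(n_devices),
                    key=lambda i: (devices[i][0] - 0.5) ** 2 + (devices[i][1] - 0.5) ** 2)
        total += spread(devices, radius, start)
    return total / trials


def mean_degree(n_devices: int, radius: float) -> float:
    """Expected in-range neighbours per device, ignoring edge effects: n * pi * r^2."""
    return n_devices * math.pi * radius ** 2


if __name__ == "__main__":
    n = 2000
    for radius in (0.02, 0.03, 0.04, 0.05):
        print("radius %.2f  mean degree %5.1f  infected %.2f"
              % (radius, mean_degree(n, radius), infected_fraction(n, radius)))
```

Running the sweep shows the jump: at a mean degree of about 2.5 the worm reaches a few percent of devices, at about 16 it reaches nearly all of them. The defensive reading is that range and density, not only the firmware bug, decide whether an incident stays local or becomes city-wide.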


Volvo admits its self-driving cars are confused by kangaroos (The Guardian)

Susan Landau <susan.landau@privacyink.org>
Sat, 1 Jul 2017 07:01:55 -0400
Volvo's self-driving car's animal detection system can identify and avoid
deer, elk and caribou, but is yet to work against the marsupial movements
of kangaroos— because hopping confounds its systems.

https://www.theguardian.com/technology/self-driving-cars
https://www.theguardian.com/technology/2017/jul/01/volvo-admits-its-self-driving-cars-are-confused-by-kangaroos

  [You would certainly roo the night when your self-driving car plows into a
  whopper of a hopper.  PGN]


Data glitch sets tech company stock prices at $123.47 (The Verge)

Gabe Goldberg <gabe@gabegold.com>
Tue, 4 Jul 2017 01:17:05 -0400
Amazon went down 87 percent, and Zynga was up 3,292 percent

A stock market data error this evening set an undetermined number of
companies listed on the Nasdaq exchange to a share price of $123.47, sending
some tech companies' stock prices crashing and others' soaring.  In a
statement obtained by the Financial Times, Nasdaq said the culprit was
“improper use of test data'' that was picked up by third party financial
data providers. The exchange said it was “working with third party vendors
to resolve this matter.''

https://www.theverge.com/2017/7/3/15917950/nasdaq-nyse-stock-market-data-error
The risk? Computers.


Cyberattackers Find Fertile Proving Grounds (Sheera Frenkel)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 3 Jul 2017 9:29:34 PDT
Sheera Frenkel, *The New York Times*, Business Day, 3 Jul 2017

Subcaption: Hackers target developing countries to hone their skills with
malware that learns as it intrudes.

  Allan Liska [senior threat intelligence analyst] said, "We see a pattern
  among the attackers.  They test something, make improvements, and then six
  weeks later test again before launching it at their true targets."

  Chris Rock [Australian security researcher] said, "Doing tests in a
  country that presumably has fewer defenses is a double-edged sword.  On
  one hand, attackers can hone their skills.  On the other hand, they risk
  being discovered.  Once a cybersecurity firm has the signature of an
  attack, it can build defenses against it, and spread those defenses among
  its clients."

    [The person responsible for titling this article apparently needed to
    save a line space on page B1.  My Subject: above is actually the
    caption on the *continuation* page, which is more explicit and less
    ambiguous than the front-page caption in a VERY LARGE font across the
    entire page:

                 Cyberattack Proving Grounds

      Cyberattack Proving [coffee] grounds [are undrinkable?]
        [proving = gerundive]

      Cyberattack proving Grounds [itself in risks?]
        [proving = noun, grounds = verb]


Researchers Found They Could Hack Entire Wind Farms

Gabe Goldberg <gabe@gabegold.com>
Sat, 1 Jul 2017 14:31:06 -0400
On a sunny day last summer, in the middle of a vast cornfield somewhere in
the large, windy middle of America, two researchers from the University of
Tulsa stepped into an oven-hot, elevator-sized chamber within the base of a
300-foot-tall wind turbine. They'd picked the simple pin-and-tumbler lock on
the turbine's metal door in less than a minute and opened the unsecured
server closet inside.

Jason Staggs, a tall 28-year-old Oklahoman, quickly unplugged a network
cable and inserted it into a Raspberry Pi minicomputer, the size of a deck
of cards, that had been fitted with a Wi-Fi antenna. He switched on the Pi
and attached another Ethernet cable from the minicomputer into an open port
on a programmable automation controller, a microwave-sized computer that
controlled the turbine. The two men then closed the door behind them and
walked back to the white van they'd driven down a gravel path that ran
through the field.

Staggs sat in the front seat and opened a MacBook Pro while the researchers
looked up at the towering machine. Like the dozens of other turbines in the
field, its white blades—each longer than a wing of a Boeing 747—turned
hypnotically. Staggs typed into his laptop's command line and soon saw a
list of IP addresses representing every networked turbine in the field. A
few minutes later he typed another command, and the hackers watched as the
single turbine above them emitted a muted screech like the brakes of an
aging 18-wheel truck, slowed, and came to a stop.

https://www.wired.com/story/wind-turbine-hack/


Skylake, Kaby Lake chips have a crash bug with hyperthreading enabled (Ars Technica)

Monty Solomon <monty@roscom.com>
Wed, 28 Jun 2017 09:34:14 -0400
https://arstechnica.com/information-technology/2017/06/skylake-kaby-lake-chips-have-a-crash-bug-with-hyperthreading-enabled/


CopyCat malware infected 14 million outdated Android devices (CNET)

Monty Solomon <monty@roscom.com>
Thu, 6 Jul 2017 10:30:34 -0400
https://www.cnet.com/news/android-hack-copycat-malware-device-outdated-14-million/


Ukraine Cyberattack Was Meant to Paralyze, not Profit, Evidence Shows (The New York Times)

Monty Solomon <monty@roscom.com>
Wed, 28 Jun 2017 23:36:33 -0400
https://www.nytimes.com/2017/06/28/world/europe/ukraine-ransomware-cyberbomb-accountants-russia.html


NHS doctors use Snapchat to send patients' scans (The Telegraph)

Chris Drewe <e767pmk@yahoo.co.uk>
Wed, 05 Jul 2017 17:50:26 +0100
Interesting article in today's newspaper: context is a report on the UK
National Health Service's links with DeepMind Health (owned by Alphabet,
parent company of Google), but the report also has more-general comments on
the NHS's IT, or lack of it (but no mention of Windows XP).

http://www.telegraph.co.uk/news/2017/07/04/nhs-doctors-use-snapchatto-send-patients-scans-report-says/

Summary:

 > The panel commissioned a series of independent experts to examine
 > elements of DeepMind's work - including employing data security
 > analysts. They identified 11 "relatively minor" technical
 > vulnerabilities but overall the panel commended DeepMind Health for its
 > "high level of data security".
 >
 > They were not so favourable about the NHS, writing: "The digital
 > revolution has largely bypassed the NHS, which, in 2017, still retains
 > the dubious title of being the world's largest purchaser of fax machines.
 > "Many records are insecure paper-based systems which are unwieldy and
 > difficult to use.
 > "Seeing the difference that technology makes in their own lives,
 > clinicians are already manufacturing their own technical fixes. They may
 > use SnapChat to send scans from one clinician to another or camera apps
 > to record particular details of patient information in a convenient format.
 > "It is difficult to criticise these individuals, given that this makes
 > their job possible. However, this is clearly an insecure, risky, and
 > non-auditable way of operating, and cannot continue."
 >
 > The authors also add that the average NHS trust has 160 different
 > computer systems in operation.


Happy 4th of July! Show Us Your Papers: Comm. on Election Integrity (The New York Times)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 3 Jul 2017 20:54:22 PDT
*The New York Times*, Editorial, 4 July 2017

  [The Commission on "Election Integrity" is demanding everything that
  would undermine election integrity?  PGN-ed]

The reviews of President Trump's new commission on election integrity
are rolling in, and they're not good!
https://mobile.nytimes.com/2017/07/03/opinion/voter-fraud-data-kris-kobach.html

Disingenuous.
<http://news.delaware.gov/2017/07/03/delaware-will-not-provide-voter-information-white-house-commission/>
Repugnant.
<http://www.baltimoresun.com/news/maryland/politics/bs-md-frosh-trump-voter-fraud-20170703-story.html>
At best a waste of taxpayer money.
<https://www.facebook.com/kysecretaryofstate/photos/a.10150156414242247.338791.44487052246/10155195098437247/?type=3&theater>
A tool to commit large-scale voter suppression.
<https://governor.virginia.gov/newsroom/newsarticle?articleId=20595>

State officials across the country responded to the commission's slapdash
request last week for detailed voter data in the manner previously reserved
for emailed pleas from a Nigerian prince.

Delete, said secretaries of state in Kentucky, Minnesota, Tennessee,
California—more than 20 states refused to comply, red and blue and every
hue in between.  "They can go jump in the Gulf of Mexico," Mississippi's
secretary of state, Delbert Hosemann, a Republican, responded.

What triggered the bipartisan backlash? A letter from the commission --
whose ostensible goal is to restore Americans' confidence in their elections
-- asked states to turn over by July 14 all publicly available information
about their voters, including names, addresses, dates of birth, political
party and voting history, criminal record, military status and the last four
digits of their Social Security number.

<https://www.brennancenter.org/sites/default/files/analysis/06.28.17_Kobach_Letter_to_States.pdf>
<https://www.nytimes.com/interactive/2015/09/08/opinion/100000003889944.embedded.html>


Staying humble is key to staying safe, says Israel's cyber chief: electoral system is secure! (Times of Israel)

Gabe Goldberg <gabe@gabegold.com>
Mon, 3 Jul 2017 14:56:26 -0400
Last week's hospital cyber-attack was no big deal and the electoral system
is secure, according to Cyber Bureau head Eviatar Matania, who's both
worried and confident.

http://www.timesofisrael.com/staying-humble-is-key-to-staying-safe-says-israels-cyber-chief/


CCC Russia-Proofing Germany's Elections

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 2 Jul 2017 14:12:11 PDT
Germany's Chaos Computer Club, a multigenerational army of activists, has
made the country's democracy a lot tougher to undermine.
https://www.bloomberg.com/news/features/2017-06-27/the-chaos-computer-club-is-fighting-to-save-democracy


Re: Government meddling, election hacks and sundry items (EyeOnCanada)

Kelly Bert Manning <Kelly.Manning@ncf.ca>
Thu, 29 Jun 2017 19:17:14 -0400 (EDT)
The Canadian TV Documentary Series Cyberwar has an international perspective
and often airs video recorded in Russia (beyond those places in Alaska) and
in other countries beyond the borders of Canada and the USA.

http://www.eyeoncanada.ca/television/details/cyberwar

One recent episode dealing with 2016 USA election meddling, pointed out that
the USA and probably other governments have been heavily involved in Russian
Election meddling since at least as far back as the 1996 election of
"western" favourite Boris Yeltsin. Pot, Kettle, Black as they say.

Points made by one of the USA folks interviewed was to identify the risk as
primarily a Russian Problem, not as a Digital Device or Network problem and
to distinguish between Retaliation and Response, since Response to a Russian
Problem can take a number of forms other than a cyber warfare or election
hack attempt against Russia or other meddlers.

It is a bad situation, but it is hard to claim the moral high ground when
your adversaries use computers and networks with effect, to do the same
thing you have both been doing for decades. If talking to someone seems like
looking in a mirror, and you don't like what you see, then perhaps it is
time to make some changes.

Russian Disinformation tactics go back a long time, as do similar campaigns
by other governments.


Trump's attempt to obtain and make public California voter records would be illegal

Lauren Weinstein <lauren@vortex.com>
Fri, 30 Jun 2017 19:29:45 -0700
https://plus.google.com/+LaurenWeinstein/posts/Li1MA8ytR5b

Trump's "Voter Fraud" Commission's attempt (wisely refused by the state) to
obtain California voter records and then to make the data public would be in
direct violation of Title 2, Division 7, Article 1 section 19005 of the
California Administrative Code:

  No person who obtains registration information from a source agency shall
  make any such information available under any terms, in any format, or for
  any purpose, to any person without receiving prior written authorization
  from the source agency. The source agency shall issue such authorization
  only after the person to receive such information has executed the written
  agreement set forth in Section 19008.


Science division of White House office no longer staffed: report (Brandon Carter)

Richard Forno <rforno@infowarrior.org>
June 30, 2017 at 7:47:54 PM EDT
Brandon Carter, *The Hill*, 30 Jun 2017

The science division of the White House Office of Science and Technology
Policy reportedly had no staff members as of Friday.  Sources told CBS News
that the last employees in the division, three holdovers from former
President Obama's administration, all left the White House this week.

Under Obama, the science division was staffed with nine employees who
crafted policy on STEM education, crisis response and other key issues,
according to the report.

Eleanor Celeste, the former assistant director for biomedical and forensics
sciences in the division, appeared to tweet about leaving the office this
week.

http://thehill.com/homenews/administration/340328-science-division-of-white-house-office-no-longer-staffed-report


Republicans want to open U.S. roads for testing self-driving cars (Recode)

Gabe Goldberg <gabe@gabegold.com>
Sat, 1 Jul 2017 14:31:52 -0400
One concern for Republicans: Lacking federal standards, 22 states have
imposed some sort of regulations, according to a tally by the National
Conference of State Legislatures, often in an attempt to address safety
concerns with a technology they believe is in its infancy.

To Walden and his GOP colleagues, the flurry of state-level activity marks a
break with a longstanding division of labor, one that sees the federal
government determining national safety and driver standards while leaving
only the logistics, like approving licenses, to the locals.

<OK, perhaps, but this too?>

Another Republican proposal would allow the government to designate as many
as 100,000 self-driving cars to be exempt from existing federal motor safety
rules, even though those guidelines — which govern everything from steering
wheels to airbags — were written many years before that technology existed.

https://www.recode.net/2017/6/27/15880088/republicans-gop-congress-autonomous-self-driving-cars-legislation


"This Burger King Ad Forces Your Google Home Device To Tell You About Whoppers"

Gene Wirchenko <genew@telus.net>
Thu, 29 Jun 2017 20:27:01 -0700
Mary Beth Quirk, *Consumerist*, 12 Apr 2017
https://consumerist.com/2017/04/12/this-burger-king-ad-forces-your-google-home-device-to-tell-you-about-whoppers/

opening text:

You might think you're the master of your own home, controlling all the
Internet-connected devices within it and bending them to your will with the
touch of a button or an uttered command. But Burger King is trying to sneak
into your home through the TV with a new ad that tries to trigger the
voice-activated Google Home.


AT&T is reinstating their plan to spy on you unless you pay extra

Lauren Weinstein <lauren@vortex.com>
Thu, 29 Jun 2017 07:22:09 -0700
via NNSquad
https://www.privateinternetaccess.com/blog/2017/06/att-gigapower-plans-charge-extra-per-month-want-privacy-no-ads/

  AT&T plans to reinstate their GigaPower pay-for-privacy scheme, as
  revealed by AT&T VP Robert Quinn in a recent interview with C-SPAN. In
  2014, AT&T started offering GigaPower 300 Mbps fiber internet in cities
  around the United States. Users signing up had the option of paying $29
  more per month to guarantee that AT&T doesn't snoop on your internet
  traffic and serve you advertisements and offers from their MITM position
  on your Internet. Yes, they actually put a price on privacy and it's
  coming back. GigaOM discovered that $29 a month ($348 per year) isn't even
  the real price of buying your privacy back from AT&T - the total bill
  could run up to $800 per year.

"Nice Internet connection you have there. Be a shame if something
happened to it!"


Vindicated: I am not the memory hog

Dan Jacobson <jidanni@jidanni.org>
Fri, 30 Jun 2017 22:31:42 +0800
Got this mail again:

 Hi Dan!

 Your DreamHost VPS has just exceeded the memory allocation that you've
 established. If left unchecked that behavior could begin to negatively
 impact the VPS services of every other customer on your server.

Ha, but this time I was prepared with an answer:

 Dear Dreamhost, thank you for these occasional reminders these months.
 This time I finally devised a system to find out the culprit. I "set a
 trap", waiting to catch it the next time it happened. And I succeeded!

 $ crontab -l
 # This gives me a whole week (expr 60 \* 60 \* 24 \* 7 : 604800)
 # after reboot to figure out which process was the memory hog:
 # ($1 is the current minute; stripping its first digit gives ten
 # rotating files TOP.0 .. TOP.9, so the last ten minutes survive a reboot.)
 * * * * * if test $(sed 's/\..*//' /proc/uptime) -gt 604800; then set -e -- $(date +\%M); COLUMNS=500 top -b -n 1 -c > TOP.${1#[0-9]}; fi
 # Yes, need to run once a minute, as Dreamhost takes no snapshots of
 # the system before rebooting it.

 Well you will never guess what the culprit is!:
   PID USER	  PR  NI  VIRT	RES  SHR S %CPU %MEM	TIME+  COMMAND
 12295 root	  39  19  319m 276m 4016 R   80 73.7   0:22.92
 /usr/bin/python /usr/sbin/update-apt-xapian-index --quiet

 Face the facts. It is Dreamhost's own process. It has nothing to do
 with me! Kindly do not send users such messages when the fault lies
 100% with Dreamhost. Thank you.

Vindicated!:

 Thanks for contacting us and providing your detailed findings. I spoke
 to a System Admin and he mentioned that what you saw does appear to be a
 valid issue. This issue also appears to be related to
 https://bugs.launchpad.net/ubuntu/+source/apt-xapian-index/+bug/363695


Re: Western tech firms bow to Russian demands to share cyber secrets

Martin Ward <martin@gkc.org.uk>
Thu, 29 Jun 2017 11:03:07 +0100
On 25/06/17 00:13, RISKS List Owner wrote:
> * Under pressure, Western tech firms bow to Russian demands to share
>   cybersecrets
> http://www.reuters.com/article/us-usa-russia-tech-insight-idUSKBN19E0XB

Quote: "But those inspections also provide the Russians an opportunity to
find vulnerabilities in the products' source code"

Here's a crazy idea: why don't the tech firms do their *own* code reviews
and find the vulnerabilities themselves, before the Russians get to see the
source code?

An even better approach would be to use formal methods to develop
provably-correct code in the first place: this would be guaranteed
to have no vulnerabilities for the Russians to find.


Re: Y2K problem causes earthquake aftershock 92 years later (RISKS-30.35)

Lothar Kimmeringer <lothar@kimmeringer.de>
Fri, 30 Jun 2017 22:04:54 +0200
Amos Shapir wrote:

> More likely it's just a data entry error, e.g. 6/29/25 interpreted as 2025.

I assume that to be the real reason. For instance if you're using Java and
its standard way of parsing a date using a template like mm/dd/yy, there are
specific rules how that's actually interpreted:

https://docs.oracle.com/javase/6/docs/api/java/text/SimpleDateFormat.html#year

| For parsing with the abbreviated year pattern ("y" or "yy"), SimpleDateFormat
|  must interpret the abbreviated year relative to some century. It does this
|  by adjusting dates to be within 80 years before and 20 years after the time
|  the SimpleDateFormat instance is created. For example, using a pattern of
|  "MM/dd/yy" and a SimpleDateFormat instance created on Jan 1, 1997, the
|  string "01/11/12" would be interpreted as Jan 11, 2012 while the string
|  "05/04/64" would be interpreted as May 4, 1964.

06/29/25 falls into the 20-years-after-current-date rule.

I'm not sure if there was a Java program involved, but I assume that
other languages provide similar date-parsing mechanisms and use similar
rules when parsing two-digit years.

The whole thing happened because of multiple failures:

  - The program parsing the date didn't check whether the resulting date
    is in the past and, if not, fail with an error and demand a full
    year specification, or assume it to be a year of the last century
    and subtract 100 years from it.
  - The alert-processing side obviously didn't do any checks either,
    since it reacted to an earthquake that is still 8 years in the future.
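Both century rules and both of the fixes listed above can be shown side by side. The following is an added example, not code from any alert system or from Java itself: it models the documented SimpleDateFormat window (80 years back, 20 years forward, here at year granularity rather than Java's exact day-level comparison), the fixed 69/68 pivot that C and Python strptime use for "%y", and a hardened parser that either refuses a two-digit year resolving to the future or rolls it back a century. The reference "now" is passed in explicitly so the 06/29/25 case can be reproduced against 2017; the 30-day acceptance window on the consumer side is an assumption.

```python
"""Two-digit-year pivots and the sanity checks the post proposes.

Constructed example; not code from any alert system.  `now` is passed in
explicitly so behaviour can be tested against a fixed reference date.
"""
from datetime import datetime, timedelta


def java_style_pivot(yy: int, now: datetime) -> int:
    """Documented SimpleDateFormat rule for 'yy': choose the century that
    puts the year within 80 years before / 20 years after `now`.
    Modelled at year granularity (Java compares full dates)."""
    window_start = now.year - 80
    year = (window_start // 100) * 100 + yy
    if year < window_start:
        year += 100
    return year


def posix_pivot(yy: int, now: datetime = None) -> int:
    """Fixed pivot used by strptime('%y') in C and Python: 69-99 -> 19xx, 00-68 -> 20xx."""
    return 1900 + yy if yy >= 69 else 2000 + yy


def parse_mmddyy(text: str, now: datetime, pivot=java_style_pivot) -> datetime:
    """Parse 'MM/DD/YY' with the chosen century rule and no sanity check."""
    mm, dd, yy = (int(p) for p in text.split("/"))
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected: %r" % text)
    return datetime(pivot(yy, now), mm, dd)


def parse_event_date(text: str, now: datetime, strict: bool = True) -> datetime:
    """Hardened parser for event timestamps, which can never lie in the future.
    strict=True : refuse and demand a four-digit year.
    strict=False: assume the previous century and subtract 100 years."""
    parts = text.split("/")
    if len(parts[2]) == 4:                       # full year given: no pivot needed
        return datetime(int(parts[2]), int(parts[0]), int(parts[1]))
    when = parse_mmddyy(text, now)
    if when > now:
        if strict:
            raise ValueError("%s resolves to %s, which is in the future; "
                             "use a four-digit year" % (text, when.date()))
        when = when.replace(year=when.year - 100)
    return when


def accept_alert(event: datetime, now: datetime,
                 max_age: timedelta = timedelta(days=30)) -> bool:
    """Consumer-side check: an earthquake alert must describe the recent past
    (assumed 30-day window)."""
    return now - max_age <= event <= now


if __name__ == "__main__":
    now = datetime(2017, 6, 29, 12, 0)
    print(parse_mmddyy("06/29/25", now))                      # 2025-06-29 (Java rule)
    print(parse_mmddyy("06/29/25", now, pivot=posix_pivot))   # 2025-06-29 (POSIX rule)
    print(parse_mmddyy("05/04/64", now))                      # 1964-05-04
    print(parse_event_date("06/29/25", now, strict=False))    # 1925-06-29
    print(accept_alert(parse_mmddyy("06/29/25", now), now))   # False
```

Note that both pivot rules agree on "25" in 2017, so swapping the library would not have helped; only the domain check (an event date cannot be in the future) catches the error, and it has to be applied on the producing side, the consuming side, or preferably both.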
