The RISKS Digest
Volume 30 Issue 59

Saturday, 17th March 2018

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Hacking critical infrastructures
Nicole Perlroth et al. via PGN
Lessons for RISKS from the Florida bridge collapse
The Controversial CLOUD Act: Privacy Plus or Minus?
Lauren Weinstein
Cybercriminals spotted hiding cryptocurrency mining malware in forked projects on GitHub
Danny Palmer
Linus Torvalds slams CTS Labs over AMD vulnerability report
Steven J. Vaughan-Nichols
FCC Accuses Stealthy Startup of Launching Rogue Satellites
Gabe Goldberg
FCC Accuses Stealthy Startup of Launching Rogue Satellites
danny burstein
How social media spread a historical lie
How Trump Consultants Exploited the Facebook Data of Millions
Microsoft still doesn't get it
Phil Smith III
Meet the Scarlett Johansson PostgreSQL malware attack
Steven J. Vaughan-Nichols
New system to help commuters avoid crowds at MRT stations
Richard M. Stein
Australia warns South-east Asia of high-tech terror threat
Straits Times
Vancouver BC Transit system says tap your card, not your wallet
Kelly Bert Manning
Re: Usual infile-outfile clobber accident
B. Elijah Griffin
Re: British Teen Accessed U.S. Middle East Intelligence Ops
Nick Sizemore
Re: AI-Aided Cameras Mean No More Car Mirrors, No More Blind Spots
Michael Bacon
Info on RISKS (comp.risks)

Hacking critical infrastructures (Nicole Perlroth et al.)

"Peter G. Neumann" <>
Fri, 16 Mar 2018 11:54:49 PDT
  [Nicole Perlroth had a bi-fecta on this general topic today, with two
  different articles.  The first article below apparently broke late, after
  the second one.  Given that critical-infrastructure systems are evidently
  riddled with security flaws and potential reliability problems, this
  should not be a surprise to RISKS readers.  PGN]

U.S. Says Hacks Left Russia Able to Shut Utilities
Nicole Perlroth and David E. Sanger
*The New York Times*, 16 Mar 2018, front page [PGNed]

Russia is now accused of having engineered a series of cyberattacks that
targeted American and European nuclear power plants as well as water and
electrical systems “that could have sabotaged or shut power plants off at
will.''  This activity began at least in late 2015, and has now escalated to
hacking critical control systems.  Eric Chien (Symantec) is quoted: “We now
have evidence that they are sitting on the machines, connected to industrial
control infrastructure that allow them to effectively turn the power of or
effect sabotage.''

How Hackers Lit a Fuse
Nicole Perlroth and Clifford Krauss
*The New York Times*, 16 Mar 2018, front page of Business Day  [PGNed]

Captions: Attacks on Saudi petrochemical companies look to wreak digital
havoc that's deadly, too. ... Sadara Chemical Company is a joint venture
between Saudi Aramco and Dow Chemical.  Its computer systems were hit by one
in a string of cyberattacks last year.

  “The only thing that prevented an explosion was a mistake in the
  attackers' computer code,'' the investigators said.

After considering some of the details, the article suggests that Iran might
be the most likely culprit.  PGN

Lessons for RISKS from the Florida bridge collapse

"Peter G. Neumann" <>
Sat, 17 Mar 2018 11:00:34 PDT
This item is particularly for newer readers of RISKS who might never have
heard some of this before, and another reminder for our long-time readers.

Although this bridge collapse might seem unrelated to computer-related
risks, the lessons of Roger Boisjoly (who urged that the Challenger not be
launched in subfreezing temperatures because the O-rings would not hold, and
who was then fired by Morton Thiokol—RISKS-5.78), Matt Jafee (who wrote
the code for the Aegis system that shot down the Iranian Air Airbus from the
Vincennes, and had reported that the operator would have no operational
indication of the rate of climb or descent of an incoming object --
RISKS-8.74), and others noted in the RISKS archives who had warned about
critical problems.

One positive case where remedial action was actually taken involved the
brand-new Millennium footbridge over the Thames, which was closed after
opening-day throngs caused critical resonant-frequency instabilities at
walking speeds (RISKS-20.93 and 95).

There is also the fundamental problem of secondary causes, such as when one
fault is detected but considered noncritical and not remediated, until
another seemingly unrelated fault results in a devastating failure.  And
then long ago we reported on the Handley Page Victor fighter plane, which
had undergone three independent assurance tests (wind tunnel, simulation,
and mathematical analysis of the aerodynamics) that the wings would survive
supersonic flight.  All three tests were wrong, and the first test run
resulted in the loss of the plane and the pilot.

So, here are two messages reported by Lauren Weinstein on this subject,
where problems had been diagnosed but either not considered or considered
not relevant (respectively):

  Engineer of Florida Bridge Reported Cracks Days Before Collapse

  An engineer reported cracks on a newly installed pedestrian bridge two
  days before it collapsed on a busy roadway here, killing at least six
  people, state officials said on Friday.  The report, by the lead engineer
  with the company in charge of the bridge's design, was made in a voice
  mail message left for a Florida Department of Transportation
  employee. That employee was out of the office, however, and did not
  receive it until Friday, a day after the collapse.
  Crack on Florida Bridge Was Discussed in Meeting Hours Before Collapse

  Crack on Florida Bridge Was Discussed in Meeting Hours Before Collapse

  Hours before the collapse of a pedestrian bridge at Florida International
  University on Thursday, the engineering company for the bridge met with
  the construction manager and representatives from the university and the
  Florida Department of Transportation to discuss a crack on the structure,
  according to a statement from the university released early Saturday.  The
  engineering company, Figg Bridge Engineers, delivered a technical
  presentation on the crack, the statement said, and “concluded there were
  no safety concerns and the crack did not compromise the structural
  integrity of the bridge.''

The Controversial CLOUD Act: Privacy Plus or Minus?

Lauren Weinstein <>
Thu, 15 Mar 2018 10:18:59 -0700
Lauren's Blog

Over the last few days you may have seen a bunch of articles about the
CLOUD Act—recently introduced U.S. bipartisan legislation that would
overhaul key aspects of how foreign government requests for the data of
foreign persons held on the servers of U.S. companies would be handled.

I'm being frequently asked for my position on this, and frankly the analysis
has not been a simple one.

Opponents, including EFF, the ACLU, and a variety of other privacy and civil
right groups, are opposing the legislation, arguing that it eases access to
such data by foreign governments and represents a dangerous erosion of
privacy rights.

Proponents, including Apple, Facebook, Google, Microsoft, and Oath
(Yahoo/Verizon) argue that the CLOUD Act provides much needed clarity to the
technically and legally confused mess regarding transborder data requests,
and introduces new privacy and transparency protections of its own.

One thing is for sure—the current situation IS a mess and completely
unsustainable going forward, with ever escalating complicated legal
entanglements (e.g. the ongoing Microsoft Ireland case, with a pending
Supreme Court decision likely to go against Microsoft's attempts at
promoting transborder privacy) and ever more related headaches in the

Cutting to the chase, I view the CLOUD Act as flawed and imperfect, but
still on balance a useful effort at this time to move the ball forward in an
exceedingly volatile global environment.

This is particularly true given my concerns about foreign governments'
increasing demands for *data localization*—where their citizens' data
would be stored under conditions that would frequently be subject to far
fewer privacy protections than would be available under either current
U.S. law or the clarified provisions of the CLOUD Act. In the absence of the
CLOUD Act, such demands are certain to rapidly accelerate.

One of the more salient discussions of the CLOUD Act that I've seen
lately is: “Why the CLOUD Act is Good for Privacy and Human Rights''.


Regardless of how you feel about these issues, the article is well worth

Let's face it—nothing about the Net is simple.

Cybercriminals spotted hiding cryptocurrency mining malware in forked projects on GitHub (Danny Palmer)

Gene Wirchenko <>
Thu, 15 Mar 2018 08:50:52 -0700

Danny Palmer, ZDNet 15 Mar 2018

Those behind the campaign are tailoring the Monero cryptojacking malware to
use a limited amount of CPU power in order to evade infections being

opening text:

Cybercriminals have found another way to spread their malware: uploading
cryptocurrency mining code to GitHub, according to security researchers at
security company Avast.

Developers 'fork' projects on GitHub, which means making a copy of someone
else's project in order to build on it. In this case, the cybercriminals
fork random projects and then hide malicious executables in the directory
structure of these new projects, the researchers said.

Users don't need to download the malicious executables directly from
GitHub. Instead, the malware is spread via a phishing ad campaign.  When a
user visits a site that displays the phishing ads and clicks on one, the
executable downloads, the researchers said.

If the user clicks on one of these adverts, they're told their Flash Player
is out of date and provided with a fake update which, if downloaded, will
infect them with the malware. This update is provided via a redirect to
GitHub, where the code is hosted, hidden in forked projects.

Linus Torvalds slams CTS Labs over AMD vulnerability report (Steven J. Vaughan-Nichols)

Gene Wirchenko <>
Thu, 15 Mar 2018 08:58:01 -0700
Steven J. Vaughan-Nichols for Linux and Open Source, 15 Mar 2018
Linux's creator said he thinks CTS Labs' AMD chip security report “looks
more like stock manipulation than a security advisory'' and questions an

Who knows if Mr. Torvalds is right in his speculation?  It is yet another
risk though.

FCC Accuses Stealthy Startup of Launching Rogue Satellites (IEEE Spectrum)

Gabe Goldberg <>
Thu, 15 Mar 2018 12:31:34 -0400
The U.S. communications agency says tiny Internet of Things satellites from
Swarm Technologies could endanger other spacecraft

FCC Accuses Stealthy Startup of Launching Rogue Satellites

danny burstein <>
Thu, 15 Mar 2018 13:20:58 -0400
I, for one, welcome our new Skynet overlords (Re: [IEEE Spectrum)

The U.S. communications agency says tiny Internet of Things satellites from
Swarm Technologies could endanger other spacecraft

rest, which is basically a complaint by the FCC that a California based
company piggybacked a bunch of satellites on an Indian rocket launcher and
didn't tell anyone, and isn't talking about them...

The RISKS are as obvious as having a house fall on you.  Don't wear any ruby

How social media spread a historical lie (WashPo)

Lauren Weinstein <>
Thu, 15 Mar 2018 21:15:38 -0700
via NNSquad

  The truth about the complicated racial legacies of both parties—and the
  Klan's influence on them in 1924—has been perniciously contorted by
  activists deploying digital tricks, abetted (often unwittingly) by
  good-faith actors such as academics, journalists and volunteer Wikipedia
  editors.  What's left is a fake historical *fact* that has been *verified*
  by powerful digital properties such as Google, Facebook, Wikipedia and
  various online publishers without being true. Which reflects one actual
  truth: Now, not only can partisans and malicious actors manufacture fake
  news, but they can falsify history as well.

How Trump Consultants Exploited the Facebook Data of Millions (NYTimes)

Lauren Weinstein <>
Sat, 17 Mar 2018 10:15:51 -0700
NYTimes via NNSquad

  So the firm harvested private information from the Facebook profiles of
  more than 50 million users without their permission, according to former
  Cambridge employees, associates and documents, making it one of the
  largest data leaks in the social network's history. The breach allowed the
  company to exploit the private social media activity of a huge swath of
  the American electorate, developing techniques that underpinned its work
  on President Trump's campaign in 2016.  An examination by The New York
  Times and The Observer of London reveals how Cambridge Analytica's drive
  to bring to market a potentially powerful new weapon put the firm—and
  wealthy conservative investors seeking to reshape politics—under
  scrutiny from investigators and lawmakers on both sides of the Atlantic.

It's really quite fascinating. Over time Google has gotten better and
better, and Facebook has gotten worse and worse. This all comes from the

Microsoft still doesn't get it

Phil Smith III <>
Thu, 15 Mar 2018 13:48:51 -0400
A Microsoft diagnostic tool download displays a nice dialog titled
“Application Install - Security Warning'' and advises us that it's from:

It does say `Publisher: Microsoft Corporation', and I got there from a
Microsoft page, so I'm sure it's legit. But it's a decade or so late to be
asking people to trust random-looking domains, nu?

  [Later response from Phil:]

Cool. I've seen similar from American Express, who used a DST domain for a
mailing. I happen to know who DST are, but the average bear won't. And when
I contacted AmEx about it, their customer service just assured me that the
email was legit, without understanding the issue.

This gets to a meta-issue that's been really bothering me, and represents a
significant risk: companies no longer have the coherence to allow problems
like this to be fixed. Even if you get to a CS rep who understands and cares
about the issue, (s)he has no way to report it up any kind of chain to
anyone who might be able to fix it. This is as true in technology companies
as in any others, and represents a significant threat to competitiveness and
security. But nobody cares.

Ok, I feel better now :)

Meet the Scarlett Johansson PostgreSQL malware attack (Steven J. Vaughan-Nichols)

Gene Wirchenko <>
Fri, 16 Mar 2018 10:01:19 -0700
Steven J. Vaughan-Nichols for Linux and Open Source, 15 Mar 2018
An image of the popular actress is being used as a malware attack
vector on the open-source DBMS PostgreSQL.

selected text:

If it is successful, the first thing you'll know about it is when your
monthly cloud bill is far higher than expected. According to Impervia, most
antivirus programs fail to detect this attack.

New system to help commuters avoid crowds at MRT stations (Straits Times)

Richard M Stein <>
Sat, 17 Mar 2018 11:10:24 +0800

  “An advanced crowd-sensing system - to be put in place at SMRT stations
  later this year - uses data from various sources such as closedcircuit
  television cameras and Wi-Fi signals from mobile devices to monitor how
  crowded platforms are, and how long commuters might have to wait for a

  “The information will be linked to the SMRTConnect app to allow commuters
  to better plan their journeys. Currently, station managers estimate how
  busy stations are from their own observations and inform commuters about
  crowds using signs and announcements.

  “The new system is part of a digitalisation programme SMRT has been
  developing in its efforts to prevent disruptions and to respond quickly if
  they occur.''

Unknown what kind of cookies or location tracking will be deployed for this
stack of bits. The article also identifies fault frequency benchmarks and
future reliability objectives to assess the *success or failure* of this
integrated tracking toolset.

  “The Circle Line clocked 523,000km between faults, up from 228,000km in
  2016. The North-South and East-West lines - the two oldest MRT lines -
  clocked 336,000km and 278,000km, up from 156,000km and 145,000km,

  “The adoption of these technologies will enable our people to work
  smarter, more productively and effectively," said SMRT chief executive
  officer Desmond Kuek.

  “He was optimistic that SMRT would be able to hit the reliability target
  of 1,000,000km between delays of more than five minutes ahead of the 2020
  deadline that Transport Minister Khaw Boon Wan set last year.''

When a train fault arises in Singapore, and protracted delay materializes,
alternate transport is quickly arranged—a line of buses stretching from
*Hell to breakfast* appears at MRT stations to mule folks from point A to B.
SMRT is generally recognized for effective customer support under fault
conditions—they've had a lot of practice to refine these workarounds.

Crowd density sensing and surveillance is routine in Singapore, where this
panoptic insight helps optimize allocation from transit faults.  Unknown
whether or not the underlying surveillance foundation attempts facial
recognition matching. Mobile device mac address and SIM registration linked
to authenticated ids (passports, etc.) is a requirement for purchase
approval. Device possession and real-time pixel recognition linkage, however
imperfect, is a likely by product. —Richard M. Stein

Australia warns South-east Asia of high-tech terror threat (Straits Times)

Richard M Stein <>
Sat, 17 Mar 2018 19:50:07 +0800

  Australia on Saturday (March 17) warned the use of encrypted messaging
  apps to plan terrorist attacks was the greatest threat faced by
  intelligence agencies in modern times and urged a 'united and cohesive'

  Home Affairs Minister Peter Dutton told an Asian-Australia special summit
  in Sydney that the use of the 'dark web' by extremists and other criminals
  was a spiraling problem.  “The use of encrypted messaging apps by
  terrorists and criminals is potentially the most significant degradation
  of intelligence capability in modern times,'' he said.

Does technological integration or terrorism represent the greatest risk
today?  Dutton's cautionary harbinger argues that it is technology, not
terror.  Technological integration intensifies risk profiles and failure
vulnerabilities. The convenience that technology offers amplifies the
fragility of resilience that institutions, government services, and
industries must possess to mitigate catastrophes arising from terrorist
incidents. Technological over-dependence compounds hazards that undermine
essential resilience.

Deadly acts against the innocent are despicable. With terrorism, many
governments routinely apply extra-judicial processes—drone strikes,
special forces ops, or cyberwar engagement—to deliver justice ("settling
the score") and eliminate recurrence potential, save for the rare capture,
public trial, and conviction. 

The ability to transmit and receive intercept-free communications is often
the only safeguard to enable private, confidential conversations between
parties. The tools will not disappear given their quotidian appeal. The
 same tools sponsor terrorists to engage their illicit and nefarious
actions, a paradox with no apparent solution. The inability to intercept a
terrorist's communications and thwart their implementation is problematic
for intelligence gathering. 

Technology magnifies public risk while terrorism remains constant.
Technology that unintentionally runs amuck can render a result as deadly as
any act of terrorism. Unfortunately, the administration of justice to
redress outrageous wound is more difficult to achieve for terrorism.

Vancouver BC Transit system says tap your card, not your wallet

Kelly Bert Manning <>
Sat, 17 Mar 2018 12:45:44 -0400
TV is full of ads touting the supposed benefits of using a mobile device or
card to pay for something. In some cases it is even presented as a
competition to see who can pay first.

Clash is a known problem with changes to the electronic payment system used
by Vancouver BC TransLink. Now bank cards or wallet apps can be used, in
addition to TransLink Compass Cards.

Previous implementations from the same vendor elsewhere have led to problems
such as multiple billing for the same ride.

TransLink promises not to multi-bill, but different payment modes have
different billing rates.

Another problem is that some rides are costed based on distance traveled.
If you don't tap out as expected the charge is higher. If an unintended tap
in starts the meter running on an unintended card or device you may not be
aware of the need to tap out with that specific card or device at your
destination to avoid being billed the maximum charge.

The system is supposed to be more convenient for tourists, but those are the
transit riders who would be least aware of the Clash risk.

Old advice to tourists was to buy a sheet of paper transit tickets at the
Vancouver Airport Drugstore. The original contactless payment system began
applying a $5 surcharge for departing from the Airport.

You also can't tap a Compass card twice in a row for a second rider, even if
the balance on the card would cover a second fare, you need a second
card. Compass Day Pass Cards expire at midnight. Sheets of paper tickets did
not expire.

Exit Rate charges are a long standing complication for transit riders.

Re: Usual infile-outfile clobber accident (Jacobson, R 30.58)

"B. Elijah Griffin" <>
Thu, 15 Mar 2018 23:33:14 -0400
Reminds me of another one, that happens when using non-vi extensions in
two different vi clones:

In vim, the "-o" opens each of the several files on the command line in
a separate editing "window". But while elvis has the same sort of (text
based) windows, in that program the "-o" option has a different purpose:

       elvis - a clone of the ex/vi text editor

       elvis [-V...] [-a] [-r] [-e] [-i] [-s|-] [-b] [-R] [-S|-SS] [-f
       session] [-o logfile] [-G gui] [-c command|+command] [-t tag] [-w
       scroll] [-B blksize] [file]...

Elvis is the default vi clone in Slackware, while vim is the default in
most other Linux distributions.

Re: British Teen Accessed U.S. Middle East Intelligence Ops by Pretending to be CIA Director (R 30.54)

Nick Sizemore <>
Fri, 16 Mar 2018 02:17:07 -0700
Article seems to ignore the real story, i.e.: What's a CIA Director, and a
former one at that, doing with "...sensitive U.S. plans about intelligence
operations in different Middle East countries..." in his email and/or cloud
accounts.  [Your "Article" grammatically needs an "article": "The"]

Article does have a correction, saying "A previous version of this story
said the plans in question were `top secret.'  It's not clear what level of
classification they were."

If they were in fact classified, or even 'sensitive but unclassified', they
certainly shouldn't have been in his personal account.  If they were in an
official account to which access was extended to allow consultation, that
should not have been accessible through the open Internet, but rather on a
separate, possibly TCP/IP, network running on government controlled

Whichever was the case, there appears to be a much more serious problem, one
with both legal and security implications.

Re: AI-Aided Cameras Mean No More Car Mirrors, No More Blind Spots (R 30.59)

Michael Bacon - Grimbaldus <>
Fri, 16 Mar 2018 07:23:42 +0000
Gabe Goldberg write that the World Health Organisation has said that 1.25
million people die in road traffic accidents each year, then goes on to
relate Mitsubishi Electric's development of mirrorless car technology, with
AI replacing the interior and wing mirrors.

One has to wonder how many of those 1.25 million deaths were caused by
reversing vehicles, and how many would be prevented by such technology
... the risks he listed notwithstanding.

Please report problems with the web pages to the maintainer