The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 31 Issue 37

Monday 19 August 2019


Russian nuclear-powered cruise missile blows up, creating `mini-Chernobyl'
Ars Technica
Facial recognition software mistook 1 in 5 California lawmakers for criminals, says ACLU
Major breach found in biometrics system
The Guardian
Security Database leak reveals: Biometric data, plaintext passwords and much more...
VPN Mentor
"Researchers Use Blockchain to Drive Electric Vehicle Infrastructure"
"Why blockchain-based voting could threaten democracy"
Lucas Mearian
Steam vulnerability reportedly exposes Windows gamers to system hijacking
Charlie Osborne
Critical Windows 10 Warning: Millions Of Users At Risk
Forbes via Gabe Goldberg
Null is Not Nothing
Trend Micro fixes privilege escalation security flaw in Password Manager
Charlie Osborne
Ransomware Attack Hits 20 Local Governments In Texas
Computer Outage Delays International Travelers Arriving at Dulles
NBC4 Washington
London Exchange Is Delayed by Technical Problem
Cascading Effect of putting your data in a single cloud basket
Electric car charging stations may be portals for power grid cyber-attacks
Tech Xplore
How Flat Earthers Nearly Derailed a Space Photo Book
Hack in the box: Hacking into companies with "warshipping"
Ars Technica
Re: These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer
Chiaki Ishikawa
Re: Password policy recommendations: Here's what you need to know
R A Lichtensteiger
Gabe Goldberg
Re: Climate change: how the jet stream is changing your weather
R. G. Newbury
Info on RISKS (comp.risks)

Russian nuclear-powered cruise missile blows up, creating `mini-Chernobyl' (Ars Technica)

Dave Farber <>
Tue, 13 Aug 2019 11:29:00 +0900
Atomic research agency acknowledges "isotope power source" of "rocket
engine" exploded.

Ars Technica:

Facial recognition software mistook 1 in 5 California lawmakers for criminals, says ACLU (LATimes)

the keyboard of geoff goodfellow <>
August 14, 2019 at 9:45:24 AM GMT+9

Major breach found in biometrics system (The Guardian)

Amos Shapir <>
Wed, 14 Aug 2019 17:59:51 +0300
Israeli security researchers have found that a database belonging to
web-based Biostar 2 biometrics lock system, was unprotected and mostly
unencrypted.  It exposed fingerprints of over 1 million people, as well as
facial recognition information, unencrypted usernames and passwords, and
personal information of employees.

  [Also noted by John Utteridge.  PGN]

Security Database leak reveals: Biometric data, plaintext passwords and much more... (VPN Mentor)

Anthony Thorn <>
Wed, 14 Aug 2019 14:16:39 +0200
"A huge data breach in security platform BioStar 2":

If this leak—discovered by Vpnmentor researchers—has been exploited by
criminals the results would be disastrous.

According to the Vpnmentor blog, the database contains plaintext—*not*
hashed—passwords and biometric data for millions of users.

These users are employees of firms using the Biostar 2 access control
application (including administrators).

You can change a compromised password, but your fingerprint is not only
fixed, but shared across all applications which use fingerprint recognition.
What is your contingency plan?

"Researchers Use Blockchain to Drive Electric Vehicle Infrastructure" (U.Waterloo)

ACM TechNews <>
Mon, 19 Aug 2019 11:51:25 -0400
University of Waterloo News (14 Aug 2019) via ACM TechNews, 19 Aug 2019

Researchers in the Cheriton School of Computer Science and the Department of
Management Science of Canada's University of Waterloo have incorporated
blockchain into energy systems, which could expand charging infrastructure
for electric vehicles (EVs). An open blockchain platform will give EV
owners, property owners, and charging service operators access to charging
data, and alert them to tampering; EV owners will be able to see whether
they are being overcharged for charging their vehicles, and property owners
will be alerted to instances of underpayment. Said Waterloo's Christian
Gorenflo, "Mitigating trust issues in EV charging could result in people who
have charging stations and even those who just have an outdoor outlet being
much more willing to team up with an EV charging service provider, resulting
in much better coverage of charging stations."

"Why blockchain-based voting could threaten democracy" (Lucas Mearian)

Gene Wirchenko <>
Tue, 13 Aug 2019 11:34:28 -0700
Lucas Mearian, Computerworld
As the desire to increase voter turnout remains strong and the number of
online voting pilot projects rises in the U.S. and abroad, some security
experts warn any Internet-based election system is wide open to attack,
regardless of the underlying infrastructure.

selected text:

Even as there's been an uptick in pilot projects, security experts warn that
blockchain-based mobile voting technology is innately insecure and
potentially a danger to democracy through "wholesale fraud" or "manipulation

Thirty-two states permit various kinds of online voting—such as via
email—for some subset of voters. In the 2016 general election, more than 100,000
ballots were cast online, according to data collected by the U.S. Election
Assistance Commission. The actual number is likely much higher, according to
some experts.

"Tampering with mailed paper ballots is a one-at-a-time attack. Infecting
voters' computers with malware or infecting the computers in the elections
office that handle and count ballots are both effective methods for
large-scale corruption," Epstein said.

Steam vulnerability reportedly exposes Windows gamers to system hijacking (Charlie Osborne)

Gene Wirchenko <>
Tue, 13 Aug 2019 12:03:23 -0700
Charlie Osborne for Zero Day | 13 Aug 2019
The researcher was asked not to disclose the bug but did so anyway.

The Steam gaming platform reportedly contained a severe vulnerability which
could subject users to privilege escalation attacks but was not considered
in scope for Valve to fix.

"So, two weeks after my message, which was sent on July 20, a person
appears, who tells me that my report was marked as not applicable, they
closed the discussion and wouldn't offer any explanation to me," Kravets
said. "Moreover, they didn't want me to disclose the vulnerability. At the
same time, there was not even a single word from Valve."

Critical Windows 10 Warning: Millions Of Users At Risk (Forbes)

Gabe Goldberg <>
Tue, 13 Aug 2019 15:13:36 -0400
As the Black Hat security conference comes to an end in Las Vegas, so the
DEF CON hacker convention begins. It didn't take long for the first critical
warnings for Windows users to emerge as a result. This one is particularly
worrying as, according to the Eclypsium researchers who gave the
presentation, the issue applies "to all modern versions of Microsoft
Windows," which leaves millions of Windows 10 users at risk of system
compromise.  What did the researchers reveal?

In a nutshell, the researcher found a common design flaw within the hardware
device drivers from multiple vendors including Huawei, Intel, NVIDIA,
Realtek Semiconductor, SuperMicro and Toshiba. In total, the number of
hardware vendors affected runs to 20 and includes every major BIOS
vendor. The nature of the vulnerability has the potential for the widespread
compromise of Windows 10 machines.

  [Gabe later added this on 18 Aug 2019:]

Microsoft Confirms Update Warning For Windows 10, Windows 8.1 And Windows 7

The latest Patch Tuesday update from Microsoft included several critical
security fixes. Unfortunately, as Microsoft has now confirmed, it also
borked some things. If you haven't applied that August 13 update and are
running on Windows 10, Windows 8.1 or Windows 7, you may want to read this
before you do.  What's the problem with the latest Patch Tuesday Windows

Microsoft has confirmed a bunch of "known issues" with the August 13 Windows
update. Some, such as the "black screen during first logon after installing
updates" issue, have hit users after previous updates. That can be filed in
the annoying but ultimately not much to worry about folder: it only impacts
a "small number" of users and only the first time they logon after the

Anything that impacts millions of users is a far more serious thing. And so
it is that Microsoft has confirmed that this Patch Tuesday update does just

"After installing this update, applications that were made using Visual
Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts
or apps using Visual Basic Scripting Edition (VBScript) may stop responding
and you may receive an "invalid procedure call error," Microsoft has stated.

  [The risk? Automatic updates?  GG]

Null is Not Nothing (WiReD)

David Lesher <>
Wed, 14 Aug 2019 10:58:59 -0400
"Security researcher Joseph Tartaro thought NULL would make a fun license
plate.  He's never been more wrong."


An old risk comes back to life (RISKS-6.40) and many other cases.

Little Johnny Tables <> comes to mind, too.

  [David, Thanks.  You have a good memory back to 9 Mar 1988.  PGN]

  [Also noted by Gabe Goldberg, who remarked,
     "Nice to see the old standards are still playing..."]

Trend Micro fixes privilege escalation security flaw in Password Manager

Gene Wirchenko <>
Thu, 15 Aug 2019 10:14:06 -0700
Charlie Osborne for Zero Day | 15 Aug 2019
The vulnerability could be used for privilege escalation and code
execution attacks.

Ransomware Attack Hits 20 Local Governments In Texas (Kut)

the keyboard of geoff goodfellow <>
Sat, 17 Aug 2019 10:27:16 -1000
A coordinated ransomware attack has affected at least 20 local government
entities in Texas, the Texas Department of Information Resources said. It
would not release information about which local governments have been

The department said the Texas Division of Emergency Management is
coordinating support from other state agencies through the Texas State
Operations Center at DPS headquarters in Austin.

DIR said the Texas Military Department and the Texas A&M University
Systems' Cyber-response and Security Operations Center teams are deploying
resources to "the most critically impacted jurisdictions."...

Computer Outage Delays International Travelers Arriving at Dulles (NBC4 Washington)

Gabe Goldberg <>
Fri, 16 Aug 2019 17:28:16 -0400
Customs and Border Protection computers are down nationwide, and
international arrivals at Dulles International Airport are being delayed,
according to the Metropolitan Washington Airports Authority.

CBP officers are processing passengers manually

Some passengers say they have been waiting for two hours at passport

"CBP is experiencing a temporary outage with its processing systems at
various air ports of entry & is taking immediate action to address the
technology disruption," the agency tweeted. "CBP officers continue to
process international travelers using alternative procedures until systems
are back online."

  [Reportedly, at least 5,000 passengers stuck in line.  PGN]

  [Monty Solomon noted: Officials said service was restored after about two
  hours, but travelers then faced long waits to be processed.]

London Exchange Is Delayed by Technical Problem (NYTimes)

Monty Solomon <>
Fri, 16 Aug 2019 13:13:02 -0400

Opening of trading was pushed back one hour and 40 minutes as the stock exchange tried to determine the cause.

Cascading Effect of putting your data in a single cloud basket (Telus)

Kelly Bert Manning <>
Mon, 19 Aug 2019 15:45:16 -0400
Most business and home TELUS e-mail customers have been impacted to a large
degree by an e-mail outage that began Aug 15 and is still
affecting some customers across Alberta and BC, as well as customers trying
to connect from elsewhere.

The outage was aggravated by the lack of information. TELUS kept saying that
the Root Cause was unknown until Aug 19, when reports began to surface
attributing the outage to a failed Dell EMC Cloud server repair:

"This issue occurred during an overnight update to our servers in the early
hours of Thursday, August 15, in partnership with our vendor Dell EMC, when
a flawed repair procedure took the email system offline."

My experience was that pop connection attempts fared better than web mail or
imap. There is apparently some risk of at least temporary e-mail loss for
customers who kept their e-mail on TELUS servers, rather than downloading

Generally TELUS has a well earned reputation for Continuous Availability and
ability to roll back failed updates promptly.

Businesses that have come to rely on e-mail for orders and other functions
have been heavily impacted. My personal view, using e-mail for work since
the 1980s, is that it is not yet a reliable or secure form of business
communication. This reminded me of Dr. Nancy Leveson's analogy of Software
and the early days of high pressure steam. The economic incentive to push
ahead with unreliable, potentially unsafe, methods overwhelmed the voices of
caution. If you pushed ahead you made money faster, until the boiler blew up
on your workers.

Cloud seems to have been motivated by the idea of simplifying the addition
and management of servers and storage. Looks like there is some work to be
done to balance that saving against the risk of you and your customers being
impacted for days at a time if something in the cloud goes wrong.

Electric car charging stations may be portals for power grid cyber-attacks (Tech Xplore)

the keyboard of geoff goodfellow <>
Sat, 17 Aug 2019 10:33:59 -1000
Electric cars are an essential component of a lower-carbon future, but a new
report from researchers at the New York University Tandon School of
Engineering raises the specter that plug-in electric vehicles—and the
charging stations that supply them—could be prime vectors for
cyber-attacks on urban power grids.

"In simulations using publicly available information about charging station
usage in Manhattan and the structure of the island's power grid, our
research team found that a fleet of just roughly 1,000 simultaneously
charging electric vehicles would be adequate for mounting an attack whose
effects could rival the blackout that affected the city's West Side last
month," said Yury Dvorkin, assistant professor in NYU Tandon's Department of
Electrical and Computer Engineering.

NYU Tandon doctoral candidate Samrat Acharya led the research in
collaboration with Dvorkin and Professor Ramesh Karri, also from the
Department of Electrical and Computer Engineering.

"This simulation is a wake-up call to the public and policymakers, and an
encouragement to take steps to protect the data generated between electric
cars and charging stations—most of which could be co-opted by a hacker
with college-level skills," Dvorkin said...

How Flat Earthers Nearly Derailed a Space Photo Book (NYTimes)

Gabe Goldberg <>
Fri, 16 Aug 2019 16:55:30 -0400
What a photographer's struggle to raise money for his book of images tells
us about Facebook and conspiracy theorists.

About 24 hours after the ads were approved, he got a notification telling
him the ad had been removed. He resubmitted it. It was accepted, and then
removed again, 15 or 20 times, he said. The explanation given: He had run
misleading ads that resulted in high negative feedback. He understood that
it was Facebook's algorithm that rejected the ads, not a person. Getting
additional answers proved difficult, a common complaint with advertising on
Facebook. The best clues he could find came in the comments under the ads,
which he and his colleagues captured in screenshots before they were removed
and in responses to other posts about the project: There were phrases such
as "The original moon landing technology." Some comments were hard to gauge,
with users insisting that the earth was flat but that they'd buy the book


Hack in the box: Hacking into companies with "warshipping" (Ars Technica)

the keyboard of geoff goodfellow <>
Sat, 17 Aug 2019 10:46:06 -1000
  (More on Warshipping in RISKS-31.36)

*For under $100, compact hardware can turn a shipped package into a Trojan
horse for attacks.*    (Ars Technica)

Penetration testers have long gone to great lengths to demonstrate the
potential chinks in their clients' networks before less friendly attackers
exploit them. But in recent tests by IBM's X-Force Red, the penetration
testers never had to leave home to get in the door at targeted sites, and
the targets weren't aware they were exposed until they got the bad news in
report form. That's because the people at X-Force Red put a new spin on
sneaking in—something they've dubbed "warshipping."

  [Long item truncated for RISKS.  PGN]

Re: These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer (VICE)

"ISHIKAWA,chiaki" <>
Thu, 15 Aug 2019 10:08:17 +0900
So this cable allows an attacker to access the connected computer.  The
implant must have a Wi-Fi component as well, since it accesses the computer
via Wi-Fi using the cable as an antenna.

Silent or passive monitoring of the data that flows, and sending it out via a
low-power radio signal, seems to have been favored by spy agencies until
Snowden released such a trick in one of his documents on WikiLeaks.

I recall a USB cable for this purpose. Around the 1996-2000 time frame, I
noticed a USB cable with a mysterious embedded chip inside (inside the plug
portion).  I found it in a photo blog of a second-hand parts shop in
Akihabara.  Initially, I thought this could be similar to APC's UPS control
cable, which has some components inside (for a proprietary connection, I
guess.)  But it did not make sense, and the cable did act as an ordinary USB

Years later, when I read the WikiLeaks document, I realized that the cables
could have been used as a spying tool.

My scenario was like this:

A large company bought a ton of PCs from Lenovo/Dell/HP/Fujitsu/NEC/etc.
you name it.  The agent that delivered the PCs first assembled them in a
warehouse before shipping them to the customer site (big trading
agency/banks or even a Japanese government office?).  Then the warehouse was
"attacked" and all the USB cables inside the PC delivery boxes were replaced
with this spying cable.  However, back then, rack computers were expensive
and scarce. Many startup e-Commerce companies used ordinary PCs sans PCs and
keyboards to act as rack computers. Thus most, if not all, of the delivered
keyboard and USB cables were dumped on the second-hand market.  Thus they were
sold at an outlet in Akihabara and noticed by the store clerk, who
accidentally broke the plug and found the strange implant, then opened a few
others and found the implants there, too. And since he posted the strange
USB cable that works in the shop blog with the photo, I noticed it.

Nobody knows how that cable was used for spying, and where. Intriguing mind
wants to know.  The cable was so strange, and this is why I remembered it
until I read the WikiLeaks document.

Re: Password policy recommendations: Here's what you need to know (Goldberg, RISKS-31.36)

R A Lichtensteiger <>
Tue, 13 Aug 2019 16:31:34 -0400
I think the true RISK here is an article like this that propagates the myth
that the password complexity rules from NIST's 1980s era document are STILL
a good idea.

I find it especially egregious that the author of this article chose to
reference NIST SP 800-63B while espousing overly complex password rules.

Permit me to quote from the appendix to that document:

  Highly complex memorized secrets introduce a new potential vulnerability:
  they are less likely to be memorable, and it is more likely that they will
  be written down or stored electronically in an unsafe manner

Worse, because it was touted on a large computer company website, this
article might give weight to their inanity.

Re: Password policy recommendations: Here's what you need to know (Lichtensteiger, RISKS-31.37)

Gabe Goldberg <>
Thu, 15 Aug 2019 16:31:19 -0400
Second part of sentence you quote: "but new recommendations have led to
changes around password policies". After recapping password history, article
notes new defaults, changes, resources:

      The default levels are changing

But in May 2019, Microsoft announced changes in the Security Baselines for
Windows 10 and Windows Server build 1903. The minimum and maximum password
ages will no longer be set in the baselines and therefore will not be
enforced.

Microsoft cites research (see "An Administrator's Guide to Internet Password
Research <>" and "The
Security of Modern Password Expiration
<>") to claim that
password expiration policies are no longer considered to have great
value. Other measures, such as checking lists of banned passwords, are more
effective. As they note, Windows Group Policies don't provide for checking
such lists, so neither can the Security Baselines, which is a good example
of why you should not rely only on the baselines. Microsoft offers some of
the more advanced capabilities in Azure AD Password Protection.

      Password complexity: The ground rules

What is the default Windows password complexity policy?

  * The password may not contain the account name or variations on the
    account name.
  * It must contain characters from three of the following five groups
    (quoted from the Microsoft document):
      o Uppercase letters of European languages (A through Z, with
        diacritical marks, Greek and Cyrillic characters)
      o Lowercase letters of European languages (A through Z, sharp S,
        with diacritical marks, Greek and Cyrillic characters)
      o Base 10 digits (0 through 9)
      o Non-alphanumeric characters (special characters):
        (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/). Currency symbols such as
        the euro or British pound are not counted as special characters
        for this policy setting.
      o Any Unicode character that is categorized as an alphabetic
        character but is not uppercase or lowercase. This includes
        Unicode characters from Asian languages.

Everyone who has had to deal with these policies, which are enabled
in the Security Baselines, knows what a pain they can be. As the Microsoft
document says, enabling the policies "may cause some additional help desk
calls for locked-out accounts because users might not be used to having
passwords that contain characters other than those found in the
alphabet. However, this policy setting is liberal enough that all users
should be able to abide by the requirements with a minor learning curve."

The default password length requirement
is seven characters, but elsewhere Microsoft recommends eight characters, as
do the NIST requirements. In the Security Baselines, the minimum password
length is 14 characters.

The NIST policies specifically reject (though they do not ban) complexity
requirements. Microsoft has not removed the default imposition of these
requirements from Windows or the Security Baselines, but it may be a change
you want to make yourself.

If you want finer control of password filtering but want to stick with
Active Directory, you can replace Microsoft's standard Passfilt.dll with a
commercial one or write one yourself, as Yelp did, based on an open source
implementation.
Examples of commercial replacements are those from nFront Security
<>, ManageEngine
and Anixis <>. Using one of these
replacements, you can implement current best practices within your otherwise
standard Active Directory infrastructure.  SecLists keeps a collection of
many large common password lists.

      Beyond banned passwords

Banned password lists are useful, but another way may be better. Have I Been
Pwned <> is a site that keeps records of major
user ID and password breaches and allows you to check whether any of your
logins have been compromised.

The site was built and is maintained by Troy Hunt, a Microsoft regional
director <> and well-known security
expert. It has data on 369 breached sites and 7,860,402,548 breached
accounts. The site also has an API that allows you to check whether a
particular account has been breached or just if a particular password exists
in the breach database.

Hunt thinks that, once a list is as large as his, it is "exceptionally
unlikely to have anything outside that collection which is both terrible and
actively used."  The answer is to check against the separate Pwned
Passwords database <>, which contains
551 million passwords that have been in one or more of the breaches, using
its API. Hunt says he would set a minimum of six characters and then block
anything that shows up in Pwned Passwords. One more tip from Hunt: "I'd
block every variation of the company name; nobody on the Acme Corp. website
can use AcmeCorp, AcmeCorp1, AcmeC0rp, etc."

If you want to use the Pwned Passwords API, you can build on one of the many
projects already doing so
<>. Typically, they create an
environment-native interface to the API, such as with the many PHP
libraries, Python and Perl scripts, WordPress plugins, and Java clients, as
well as an IFTTT recipe.

In addition to many weak passwords, Pwned Passwords has a large number of
passwords that would satisfy any set of complexity rules, so it might seem
to be overkill. But compared with the range of possible passwords, 551
million isn't as big a number as it seems. Nearly all of my own passwords
are randomly generated by my password manager, but I tested several
passwords I made up on my own in recent years, and none appear in the Pwned
Passwords database. So maybe relying on Hunt's API and a minimum length and
blocking organization name variants is the easiest route to strong

I wrote a program to check the contents of one of the SecLists lists of
`common credentials' against the Pwned Passwords database. All but 3,663 of
262,000 passwords tested were in Pwned Passwords, and more than half of
those that weren't had fewer than eight characters. Perhaps this means that
Hunt is right that checking banned password lists is largely redundant,
though if you're going to check one or the other, it's easy enough to check

But all of this is about usernames and passwords, a technology that we
should all hope will someday be deprecated. At the same time you make sure
your passwords are strong, move forward with multifactor authentication and
biometrics that bypass the inherent problems with passwords.

      Password policy best practices: Lessons for leaders

  * Stay up to date with recommendations for creating and maintaining
    secure passwords.
  * Minimize opportunities for user password failures.
  * Make use of public databases of password failures and account breaches.
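As an added worked example (not code from the article, from Microsoft, or from Troy Hunt), the following Python puts the two approaches discussed above side by side: the legacy Windows "three of five groups" complexity check, and the Hunt-style policy of a minimum length plus blocking organization-name variants and anything found in Pwned Passwords. The Pwned Passwords lookup uses the service's range API, which sends only the first five hex characters of the password's SHA-1 and matches the remaining suffix locally, so neither the password nor its full hash leaves the client; the live fetcher is included but not called, and the example runs against a constructed stand-in corpus with made-up counts. The ASCII-centric character-group test, the substitution table used to normalize company-name variants, and all function and variable names are assumptions of this example.

```python
import hashlib
import re
import urllib.request
from typing import Callable, Dict, Iterable, List

# Legacy rule: the default Windows complexity policy ("three of five" groups,
# must not contain the account name). The five groups below are an
# ASCII-centric simplification of Microsoft's categories (assumption).
SPECIALS = "~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/"

def windows_complexity_ok(password: str, account_name: str) -> bool:
    if account_name and account_name.lower() in password.lower():
        return False
    groups = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIALS for c in password),
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    ]
    return sum(groups) >= 3

# Hunt-style rule 1: block "every variation of the company name". Undo common
# digit/symbol substitutions and strip non-letters, so AcmeCorp1, Acme-Corp
# and AcmeC0rp all reduce to "acmecorp". (Substitution table is an assumption.)
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def normalize(text: str) -> str:
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))

def contains_org_name(password: str, org_names: Iterable[str]) -> bool:
    p = normalize(password)
    return any(normalize(n) and normalize(n) in p for n in org_names)

# Hunt-style rule 2: Pwned Passwords via the k-anonymity range API. Only the
# 5-character SHA-1 prefix is sent; the server returns every known suffix
# under that prefix with a breach count, and the match is made locally.
def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def pwned_count(password: str, range_lookup: Callable[[str], str]) -> int:
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        hash_suffix, _, count = line.strip().partition(":")
        if hash_suffix.upper() == suffix:
            return int(count or 0)   # padded filler entries carry count 0
    return 0

def live_range_lookup(prefix: str) -> str:
    # The real endpoint; not called by default so the example runs offline.
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-policy-example", "Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed stand-in for the breach corpus (the counts are made up) that
# mimics the range API's response format, including one zero-count padding line.
CONSTRUCTED_CORPUS: Dict[str, int] = {"password": 123456, "P@ssw0rd": 4321, "AcmeC0rp": 7}

def offline_range_lookup(prefix: str) -> str:
    lines = [f"{sha1_upper(pw)[5:]}:{n}" for pw, n in CONSTRUCTED_CORPUS.items()
             if sha1_upper(pw)[:5] == prefix]
    lines.append("0" * 35 + ":0")
    return "\r\n".join(lines)

def evaluate(password: str, account_name: str, org_names: Iterable[str],
             range_lookup: Callable[[str], str], min_length: int = 8) -> dict:
    """Apply the modern rules; report the legacy complexity verdict alongside."""
    findings: List[str] = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if contains_org_name(password, org_names):
        findings.append("contains a variation of the organization name")
    n = pwned_count(password, range_lookup)
    if n:
        findings.append(f"appears {n} times in the breach corpus")
    return {"accepted": not findings, "findings": findings,
            "legacy_complexity_ok": windows_complexity_ok(password, account_name)}

if __name__ == "__main__":
    for pw in ["P@ssw0rd", "AcmeC0rp", "correct horse battery staple"]:
        print(pw, evaluate(pw, "jdoe", ["Acme Corp"], offline_range_lookup))
```

Run as-is, "P@ssw0rd" and "AcmeC0rp" satisfy the legacy three-of-five rule yet are rejected (breached, and in the second case also an organization-name variant), while the lowercase passphrase fails the legacy rule but is accepted under the Hunt-style policy. To check against the real service, pass `live_range_lookup` in place of `offline_range_lookup`.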

Re: Climate change: how the jet stream is changing your weather (RISKS-31.36)

"R. G. Newbury" <>
Tue, 13 Aug 2019 00:39:25 -0400
 > As temperatures rose across the massive ice sheet, which blankets an area
 > five times the size of Germany, around 60 per cent of the surface
 > started to melt, one of the largest ever recorded.

Except it didn't:

And the last sentence is basically a lie. Even if that one station had
recorded an above-zero temperature, it would not mean that 60% of the
surface was also melting.

Now from the Danish Meteorological Institute (DMI), via the news website The
Local, the cooler reality:

Danish climate body wrongly reported Greenland heat record

The Danish Meteorological Institute, which has a key role in monitoring
Greenland's climate, last week reported a shocking August temperature of
between 2.7C and 4.7C at the Summit weather station, which is located 3,202m
above sea level at the centre of the Greenland ice sheet, generating a
spate of global headlines.

But on Wednesday it posted a tweet saying that a closer look had shown that
monitoring equipment had been giving erroneous results.

"Was there record-level warmth on the inland ice on Friday?  No! A quality
check has confirmed our suspicion that the measurement was too high."

Shoot out the headlines first, ask questions later.
