RISKS Digest 30.49

Tuesday 7 November 2017

Airports Worldwide Are Hit by Delays After Software Outage

NYTimes <>

Date: Fri, 29 Sep 2017 04:35:39 -0400

A “network issue'' affected programs used by several major carriers, delaying flights and causing other problems for travelers.

NYPD claims to have incompetent sysadmins

Ed Ravin <>

Date: Fri, 20 Oct 2017 00:32:29 -0400

The NYC Police Department has in the past gone to great lengths to avoid disclosing information to the public. Their latest defense seems to be that they don't know how to manage their systems or databases—they told a judge that they "lack the technical capacity" to answer the public records request, and that they don't know how to make a backup copy of their data. The creation of this particular database system for civil asset forfeiture records reportedly cost the city $25.5 million back in 2009.

AirBnB monopolizing and forcing incorrect currency conversions

Toby Douglass <>

Date: Sun, 22 Oct 2017 01:51:23 +0100

AirBnB detect the currency of payment cards and force charges to be in that currency; users are no longer permitted to choose between AirBnB with their conversion rate, and their bank, with its conversion rate.

The detection mechanism is not perfect, and is incorrectly asserting Revolut (a FinTech) Mastercards, which are multi-currency, are denominated in GBP.

(It's probably not unreasonable to suspect other multi-currency cards are incorrectly detected. Presumably there are also other causes of failure, which are wholly unknown to me.)

This means that AirBnB are, in the cases where currency detection goes wrong, forcing an unnecessary currency conversion, which adds about 5% to the cost of a booking.

For a booking of about 1000 euro this 5% is about a 50% addition to the service charge levied by AirBnB.

It seems clear then why AirBnB have taken this step to remove from its users choice in this matter.

The possibility of the computing risk in this case—incorrect card currency detection—must have been considered, and so the problem faced by a user in that situation was perceived and understood, but the cost of this risk to users (and so, indirectly, also to AirBnB) is obviously much less than the benefit to AirBnB, and so this risk has been accepted.

To Survive the Streets, Robocars Must Learn to Think Like Humans

WiReD <>

Date: Sat, 21 Oct 2017 23:41:31 -0400

“We call it the freezing robot problem,” says Anca Dragan, who studies autonomy in UC Berkeley's electrical engineering and computer sciences department. “Anything the car could do is too risky, because there is some worst-case human action that would lead to a collision.”

Expect a thaw. Researchers like Dragan are tackling the challenges of interpreting—and predicting—human behavior to make self-driving cars safer and more efficient, but also more assertive. After all, if every machine screeches to a stop for every unpredictable human, we'll soon have millions of terrified robots choking the streets.

Humans ... think? Author must not have been on the road lately.

Palestinian Man Arrested After Facebook Auto-Translates 'Good Morning' as 'Attack Them'

Gizmodo <>

Date: Mon, 23 Oct 2017 15:40:57 -0700

A Palestinian construction worker was arrested by Israeli police after Facebook incorrectly translated the text of one of his posts. Haaretz reports that the man uploaded a picture from his job at a construction site with the text "good morning" in Arabic. When officers used Facebook's automatic translation service to read the post, the text was mistranslated as "attack them" in Hebrew and "hurt them" in English. According to Haaretz, Arabic speakers said the "English transliteration used by Facebook is not an actual word in Arabic but could look like the verb 'to hurt'—even though any Arabic speaker could clearly see the transliteration did not match the translation." No Arabic-speaking officers reportedly saw the post prior to the man's arrest. He was released after several hours of questioning.

Fixing cities' data privacy potholes

Insights <>

Date: Thu, 26 Oct 2017 14:06:59 -0400

Fun with big data

How in the world was it OK to just hand that over to anybody who asked for it, Matis wondered? "If anyone can get this information, that's getting into Big Brother," Matis mused. "If I was trying to look at what my spouse is doing, [I could]. To me, that is something that is kind of scary. Why do they allow people to release this without a law enforcement reason? Searching it or accessing the information should require a warrant."

Apple's Machine Learning Engine Could Surface Your iPhone's Secrets

WiReD <>

Date: Thu, 26 Oct 2017 20:50:41 -0400

Of the many new features in Apple's iOS 11—which hit your iPhone a few weeks ago—a tool called Core ML stands out. It gives developers an easy way to implement pre-trained machine learning algorithms, so apps can instantly tailor their offerings to a specific person's preferences. With this advance comes a lot of personal data crunching, though, and some security researchers worry that Core ML could cough up more information than you might expect—to apps that you'd rather not have it.

Core ML boosts tasks like image and facial recognition, natural language processing, and object detection, and supports a lot of buzzy machine learning tools like neural networks and decision trees. And as with all iOS apps, those using Core ML ask user permission to access data streams like your microphone or calendar. But researchers note that Core ML could introduce some new edge cases, where an app that offers a legitimate service could also quietly use Core ML to draw conclusions about a user for ulterior purposes.

A Bug in a Popular Maritime Platform Left Ships Exposed

WiReD <>

Date: Mon, 30 Oct 2017 00:33:07 -0400

Ah, the high seas. Nothing around you but salt air, water for miles, and web connectivity from satellites. Peace and quiet. But researchers at the security consulting firm IOActive say that software bugs in the platforms ships use to access the Internet could expose data at sea. And these vulnerabilities hint at larger threats to international maritime infrastructure.

A report published Thursday outlines two flaws in the AmosConnect 8 web platform, which ships use to monitor IT and navigation systems while also facilitating messaging, email, and web browsing for crewmembers. Compromising AmosConnect products, developed by the Inmarsat company Stratos Global, would expose extensive operational and personal data, and could even undermine other critical systems on a ship meant to be isolated.

It's low-hanging fruit, says Mario Ballano, principal security consultant at IOActive who conducted the research. “The software that they're using is often 10 to 15 years old, it was meant to be implemented in an isolated way. So other software in these environments probably suffer from similar vulnerabilities, because the maritime sector originally didn't have connection over the Internet. But now things are changing.”

Corrected monitor resolution, pinup model no longer slim

Dan Jacobson <>

Date: Fri, 27 Oct 2017 22:13:12 +0800

Today I corrected the resolution on my down-the-hill neighbor's monitor to 1024x768. Finally, characters were no longer blurred and the browser was no longer hanging off the edge. However he now had to face the reality that the pinup model on his home screen that he stares at all day was very much no longer as slim as she formerly seemed.

[That's the "Zaftig" Transformation. It can do wonders for skinny pinups. PGN]

Risks of being interrupted while using Siri to comment online

NYTimes via David Tarabar <>

Date: Sat, 28 Oct 2017 06:33:12 -0400

Christine McMorrow was in the middle of using her iPhone's voice-to-text feature to comment on a *New York Times* story this week.

As she paused from ranting on the newspaper's website to take the call on the house phone, little did she know that her iPhone never stopped recording her voice. The contents of her private conversation were accidentally transcribed directly into the story's comment box, and then inadvertently posted to the Times' website.


Denver Art Museum warns donors, members, employees after sensitive data breach

John Wenzel <>

Date: Mon, 30 Oct 2017 17:15:34 -0600

John Wenzel, *The Denver Post*, 30 Oct 2017

A phishing scam in June led to the compromised email inboxes, officials said

The Denver Art Museum warned 800 people this month of a data breach that included sensitive personal and financial information about its donors, customers, and current and former employees, according to a letter obtained by *The Denver Post*.

The letter, dated 9 Oct, informed recipients of the "data security incident" over the summer, as well as the museum's discovery of the breach on 13 Sep, which triggered a forensic investigation by an unnamed third-party firm.

The unauthorized access began on or about 5 Jun, and ended on or about 27 Jun, the letter said. The breach occurred through an email phishing scam and affected two of the museum's email inboxes, said Andrea Fulton, chief marketing officer for the Denver Art Museum.

"We have no evidence that anybody's data has been compromised," Fulton said. "None of our big databases were impacted. It's simply content that was in a couple of email inboxes."

Even lower chances of winning the lottery

Jeremy Epstein <>

Date: Tue, 31 Oct 2017 12:21:30 -0400

An upgrade to software used to run the Virginia lottery meant that a few hundred tickets were sold that could not win the main jackpot. The selection criteria changed during the upgrade (and the price per ticket went from $1 to $2), and for a short period of time tickets were sold that met the old rules but not the new ones, and hence could not win. They could still win the other prizes, just not the jackpot.

Although the normal odds of winning the lottery are near-zero, reducing them to actual zero is a (microscopically small) RISK.

[microscopic? Not if anyone who actually had the winning combination tried to sue the state—and won!]

Researchers Devise 2FA System That Relies on Taking Photos of Ordinary Objects

Bleeping Computer <>

Date: Tue, 31 Oct 2017 16:48:46 -0400

Scientists from Florida International University and Bloomberg have created a custom two-factor authentication (2FA) system that relies on users taking a photo of a personal object.

The act of taking the photo comes to replace the cumbersome process of using crypto-based hardware security keys (e.g., YubiKey devices) or entering verification codes received via SMS or voice call.

The new system is named Pixie, and researchers argue it is more secure than the aforementioned solutions.

What could go wrong? "What do you mean you threw away that crumpled beer can? IT WAS MY PASSWORD".

Then there's this:

This is because the system doesn't restrict users and they can choose anything they want as their login trinket, from their watch to parts of their body, and from clothing objects to furniture. Users should be careful not to choose perishable objects like food, because once it's gone, users will most likely get locked out of their account.

Too bad Anthony Weiner's in jail, he could test it.

Technology seeks to preserve fading skill: Braille literacy

WashPo <>

Date: Tue, 31 Oct 2017 22:38:36 -0700

via NNSquad

For nearly a century, the National Braille Press has churned out millions of pages of Braille books and magazines a year, providing a window on the world for generations of blind people. But as it turns 90 this year, the Boston-based printing press and other advocates of the tactile writing system are wrestling with how to address record low Braille literacy. Roughly 13 percent of U.S. blind students were considered Braille readers in a 2016 survey by the American Printing House for the Blind, another major Braille publisher, located in Louisville, Kentucky. That number has steadily dropped from around 30 percent in 1974, the first year the organization started asking the question.

Fundamental problems with the Infineon crypto library

Ars via PGN <>

Date: Wed, 1 Nov 2017 11:48:37 PDT

Attacks on RSA keys generated by the Infineon crypto library.
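As an added example (not part of the digest or the Ars article it points to), here is the key fingerprint that the researchers who found the Infineon flaw published for spotting affected RSA keys. It assumes the published structure of those keys: each prime has the form k*M + (65537^a mod M) with M a primorial of small primes, so the modulus N reduced modulo each of the first 39 primes always lands in the cyclic subgroup generated by 65537. A random modulus satisfies that for all 39 primes with negligible probability, so the test is a cheap detector; it flags keys, it does not factor them. The sample moduli are constructed locally in the same form (toy key generator, not a real certificate or the vendor's code), and the Miller-Rabin routine is ours.

```python
"""ROCA-style fingerprint for RSA moduli from the flawed Infineon RSALib
(added example; key structure as published by the researchers, sample
moduli constructed here, not taken from any real certificate)."""
import math
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
                59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113,
                127, 131, 137, 139, 149, 151, 157, 163, 167]  # first 39 primes
GENERATOR = 65537
M = math.prod(SMALL_PRIMES)  # primorial used by the toy generator below


def subgroup(generator, prime):
    """All residues generator**k mod prime (the cyclic subgroup)."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * generator) % prime
    return frozenset(seen)


ALLOWED = {r: subgroup(GENERATOR, r) for r in SMALL_PRIMES}


def failing_primes(n):
    """Small primes r where n mod r is outside <65537>; empty => flagged."""
    return [r for r in SMALL_PRIMES if n % r not in ALLOWED[r]]


def has_roca_fingerprint(n):
    """True when every small-prime residue of n lies in the subgroup."""
    return not failing_primes(n)


# --- toy key generation, only to produce test moduli of both kinds --------

def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin with random bases drawn from rng."""
    if n < 2:
        return False
    for r in SMALL_PRIMES:
        if n % r == 0:
            return n == r
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def vulnerable_prime(bits, rng):
    """Prime of the affected form k*M + 65537**a mod M (constructed)."""
    k_bits = bits - M.bit_length()
    while True:
        a = rng.getrandbits(64)
        k = rng.getrandbits(k_bits) | (1 << (k_bits - 1))
        p = k * M + pow(GENERATOR, a, M)
        if is_probable_prime(p, rng):
            return p


def ordinary_prime(bits, rng):
    """Prime from uniformly random odd candidates (the usual way)."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p, rng):
            return p


def make_vulnerable_modulus(seed, bits=512):
    rng = random.Random(seed)
    return vulnerable_prime(bits, rng) * vulnerable_prime(bits, rng)


def make_ordinary_modulus(seed, bits=512):
    rng = random.Random(seed)
    return ordinary_prime(bits, rng) * ordinary_prime(bits, rng)


if __name__ == "__main__":
    for label, n in (("affected-form", make_vulnerable_modulus(2017)),
                     ("ordinary", make_ordinary_modulus(2017))):
        verdict = "flagged" if has_roca_fingerprint(n) else "clean"
        print(label, verdict, "first failing prime:", failing_primes(n)[:1])
```

A positive result only says the key was very probably produced by the affected library; the remedy is to revoke it and generate a replacement with fixed software, not to keep using it on the grounds that factoring is expensive.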

Taser Company Ignored SEC Emails Because They Were In a Spam Folder

Bloomberg via Gabe Goldberg <>

Date: Sat, 21 Oct 2017 23:50:40 -0400

Check your spam box. It could be the SEC.

That's the lesson learned this week by Axon Enterprise Inc., the company best known for its Taser stun guns. Late Thursday, Axon announced that “due to miscommunication issues,” the company has just become aware of SEC requests regarding its previous financial reports and is now scrambling to respond. The stock fell as much as 7 percent, its biggest drop in more than two months.

What happened? Axon's internal email filters are to blame. The SEC sent its initial comment on Aug. 10 and follow-up requests only to Axon's new CFO Jawad Ahsan, and they were quarantined in a spam filter. Dougherty & Co. analyst Jeremy Hamblin in a note to clients, called the incident "embarrassing, but nothing to be concerned about.''

That's not the lesson, it's the symptom.

Taser Company Ignored SEC Emails Because They Were In a Spam Folder

Lauren Weinstein <>

Date: Sat, 21 Oct 2017 07:28:19 -0700

The fundamental problem with spam folders, of course, is that they tend to be ignored by recipients, or only haphazardly inspected—sometimes at very long intervals. False positive emails end up in spam unread, with no indication to the sender that they likely were not seen—and may never be seen.

My policy on my servers has long been to do a hard reject on suspected spam, that should result in an immediate error returned to the sender. That error points at a URL that explains my policy, and provides another URL that can be used to push a brief "hey, you're blocking me and I'm not spam!" message through to me in those rare instances to request unblocking/whitelisting. Some sites that do this sort of real time response don't offer any way to communicate when there's a false positive—they just say stuff like "spam, go away!" That's hopelessly ignorant and antisocial since false positives DO happen.

One oddity is that sometimes a false positive person will send me their note and say something like "how dare you accuse me of suspected spam" (that's what my error message says, "suspected" spam). I always reply asking if they would have preferred their email disappear into a black hole spam folder without their ever knowing it hadn't been seen? That always ends the argument.


USS John S McCain

Dick Mills <>

Date: Thu, 2 Nov 2017 14:15:50 -0400

The USS Fitzgerald case seems to be mostly human error, but the USS John S McCain case includes significant elements of poor ergonomics in the computers.

Extracts from the report:

At 0519, the Commanding Officer noticed the Helmsman (the watchstander steering the ship) having difficulty maintaining course while also adjusting the throttles for speed control. In response, he ordered the watch team to divide the duties of steering and throttles, maintaining course control with the Helmsman while shifting speed control to another watchstander known as the Lee Helm station ... The CO had only ordered speed control shifted. Because he did not know that steering had been transferred to the Lee Helm, the Helmsman perceived a loss of steering. ... Additionally, when the Helmsman reported loss of steering, the Commanding Officer slowed the ship to 10 knots and eventually to 5 knots, but the Lee Helmsman reduced only the speed of the port shaft as the throttles were not coupled together (ganged). The starboard shaft continued at 20 knots for another 68 seconds before the Lee Helmsman reduced its speed. The combination of the wrong rudder direction, and the two shafts working opposite to one another in this fashion caused an un-commanded turn to the left (port) into the heavily congested traffic area in close proximity to three ships, including the ALNIC.

So, to gain operational flexibility it seems that the KISS principle (Keep It Simple Stupid) has been egregiously ignored. There were 8 stations to which control could be transferred via pull-down menus and pop-ups. On top of that there are multiple operating modes that change the capabilities of those stations. A minimum of 24 crew would have to be trained on all the details.

[Remember the Einstein version of the KISS principle: Everything should be made as simple as possible, *but no simpler*. PGN]

Few RISKS readers have commanded a ship at sea, but almost all have flown on an airliner. Imagine if 8 other stations on the plane or on the ground were able to take control away from the pilot such that the pilot doesn't even know if he is in control or not.

I am a technologist but also a blue water sailor. I am so KISS that I rejected a steering wheel in favor of an old fashioned tiller because complex steering can fail at sea.

I also have a grandson in the US Navy. Now, I'm very worried about his safety. There used to be "the Navy way" of doing things. That meant that any seaman with minimal training could perform critical tasks. Apparently, that no longer applies.

Stuxnet-style code signing is more widespread than anyone thought

Ars Technica <>

Date: Sat, 4 Nov 2017 22:00:17 -0400

Forgeries undermine the trust millions of people place in digital certificates.

Medical device security

Mark Thorson <>

Date: Thu, 2 Nov 2017 13:03:07 -0700

Based on my experiences as a patient, I'd say hospitals are among the least competent institutions to handle new technology. It's a target-rich environment and it will probably take a major intrusion resulting in deaths before the industry gets serious about security.

Inside story: How Russians hacked the Democrats emails

WashPo <>

Date: Sat, 4 Nov 2017 22:06:57 -0400

Estonia freezes resident ID cards due to security flaw

Engadget <>

Date: November 4, 2017 at 10:58:16 PM EDT

via NNSquad

Estonia's residents use their mandatory national IDs to access pretty much anything, from online banking to online voting. So, it was a huge blow to the program when experts found a security flaw in the IDs' chip that makes it easy for bad players to impersonate and steal the identities of all 760,000 affected individuals. That might not sound like a huge number, but that's half the small country's population. Now, the country has blocked most of its residents from accessing all its online services for a weekend, so it can go in and fix the vulnerability. All ID cards issued from the beginning of the program in October 2014 to October 25th, 2017 will be frozen until their owners apply for updated certificates with the fix. They can do that online, but the online service kept crashing over the past week, leading people to flock to police stations and other government offices to get their IDs updated. For now, only medical professionals and the most frequent users will be able to apply for updated certificates online, but Estonia will open up the system to the public again on Monday.

The 2020 census is in big trouble. Here's how we got here

ThinkProgress <>

Date: Fri, 3 Nov 2017 16:45:58 -0400

Years of funding shortfalls and stalled IT projects have placed the census in a precarious position.

Skimping on an every-ten-years must-do project—what could go wrong?

Of course, leadership gaps and botched estimates never help.

Hackers prey on home buyers, with hundreds of millions of dollars at stake

WashPo <>

Date: Sat, 4 Nov 2017 21:51:53 -0400

New to me. Though, somewhat related, I keep hearing radio commercials for some sort of "Lifelock for home titles" (my term, not theirs) preventing bogus registration/transfers and mortgages. That seems about as credible as Lifelock (that is, not).

Though I wonder about this:

Days or sometimes weeks before the settlement, the scammer poses as the title or escrow agent whose email accounts they've hijacked and instructs the home buyer to wire the funds needed to close—often hundreds of thousands of dollars, sometimes far more—to the criminals' own bank accounts, not the title or escrow company's legitimate accounts. The criminals then withdraw the money and vanish.

...since funds are often wired by mortgage lenders, I'd hope (!) they pay attention to where funds go.

Re: North Korea hacking Sony

Michael Bacon <>

Date: Fri, 20 Oct 2017 08:47:23 +0100

To quote from the linked article:

Once North Korea counterfeited crude $100 bills to try to generate hard cash. Now intelligence officials estimate that North Korea reaps hundreds of millions of dollars a year from ransomware, digital bank heists, online video game cracking, and more recently, hacks of South Korean Bitcoin exchanges.

One former British intelligence chief estimates the take from its cyberheists may bring the North as much as $1 billion a year, or a third of the value of the nation's exports.

The North Korean cyberthreat crept up on us, said Robert Hannigan, the former director of Britain's Government Communications Headquarters, which handles electronic surveillance and cybersecurity. “Because they are such a mix of the weird and absurd and medieval and highly sophisticated, people didn't take it seriously, how can such an isolated, backward country have this capability? Well, how can such an isolated backward country have this nuclear ability?”

Surely this is asking something of the wrong question, and sadly, typically so of governments?

The main issue is not how N Korean got so good at hacking, it's how the West got so bad at security!

Re: Wikipedia deletions: make my day

Denis Bloodnok <>

Date: Fri, 20 Oct 2017 17:22:53 +0100

Dan Jacobson writes:

> I mentioned to my Mom about the endless deletion attempts on Wikipedia,

Dan seems to have inexplicably forgotten to mention that he originally created this article, which might have unfortunately led the RISKS reader to suppose this was a disinterested observation on the deletion process from an unbiased observer.

> They even tried to delete

He also seems to have failed to mention that the mysterious "they" here was one person who politely withdrew the deletion proposal after a few comments. Is there no end to their iniquity?

I've said in the past that Wikipedia's a bit of a sausage factory under the surface, but I'm not sure these are the most trenchant criticisms of the process RISKS has ever featured.

Re: UK Banks, etc. to check account-holders' residence eligibility

Peter Houppermans <>

Date: Fri, 20 Oct 2017 09:57:46 +0200

There is another side effect: it actively legitimises banks to acquire more personal data (to then presumably lose to hackers who got bored reading through what they had already stolen from Equifax).

Apropos Equifax: I wonder how certain the company is of the integrity of its own data now. We're only focusing on the loss and possible abuse, but I imagine there's more you can do when you have that kind of months-long open door access.

Re: UK Banks, etc. to check account-holders' residence eligibility

Tom Gardner <>

Date: Fri, 20 Oct 2017 09:33:45 +0100

My mother has already suffered from a similar problem. When her husband died she was 89 and had been driving cars without accident for 50 years. We tried to get insurance for her to continue to drive her car, but no company would insure her. Why not? Because the "all driver" comprehensive insurance had been in her husband's name, so the companies had no record of her, and they would not insure a "new" 89 year old driver.

So I tried to get insurance for her car in my name and to add her as a named driver, but you can't insure a car you don't own. The only solution was for me to take ownership of her car and insure it in my name, which presents different risks.

Seven years later she doesn't drive any more, but we've kept her driving licence up to date since it is the only form of photo ID she possesses. (My driving licence doesn't have a photo, which occasionally flummoxes youngsters in banks.)

Google exec: Our society is in real jeopardy

Gerhard Eschelbeck <>

Date: Thu, 19 Oct 2017 16:40:20 -0700

via NNSquad

Gerhard Eschelbeck is the vice president of privacy and security at Google. He published the "Laws of Vulnerabilities," is one of the inventors of the Common Vulnerability Scoring System (CVSS), and holds numerous patents in the field of managed network security.

Susan Landau: Listening In: Cybersecurity in an Insecure Age

PGN <>

Date: Sun, 5 Nov 2017 10:56:18 PST

240 pages, Yale University Press, 28 Nov 2017

*A cybersecurity expert and former Google privacy analyst's urgent call to protect devices and networks against malicious hackers*

New technologies have provided both incredible convenience and new threats. The same kinds of digital networks that allow you to hail a ride using your smartphone let power grid operators control a country's electricity—and these personal, corporate, and government systems are all vulnerable. In Ukraine, unknown hackers shut off electricity to nearly 230,000 people for six hours. North Korean hackers destroyed networks at Sony Pictures in retaliation for a film that mocked Kim Jong-un. And Russian cyberattackers leaked Democratic National Committee emails in an attempt to sway a U.S. presidential election.

And yet despite such documented risks, government agencies, whose investigations and surveillance are stymied by encryption, push for a weakening of protections. In this accessible and riveting read, Susan Landau makes a compelling case for the need to secure our data, explaining how we must maintain cybersecurity in an insecure age.

"Susan Landau is eminently qualified to guide readers to deeper understanding of risks and threats that accompany an increasingly connected world. Our online appetites are growing and our presence attracts hacking and surveillance among other uses we may not have authorized or even anticipated. Must read." Vint Cerf, Internet pioneer

"Susan Landau manages to harness the sprint of our online era and provides a lasting framework for how to manage, protect, and even master our digital footprint." Juliette Kayyem, former Assistant Secretary, United States Department of Homeland Security

"Encryption is essential to our online security, but it also makes the job of law enforcement harder. In Listening In, Landau gives us an authoritative and unflinching look at this challenge and confronts the urgent question of security in the digital age." Matt Olsen, Former Director, National Counterterrorism Center

"Susan Landau has performed a remarkable feat of public service with *Listening In*: she simplifies the complex contemporary debate around privacy and security trade-offs in a way that welcomes anyone with an interest in these topics to engage with them—and she demonstrates why everyone should." Jonathan Zittrain, author of *The Future of the Internet—and How to Stop It*

[See Susan's website: ]