The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 42

Monday 7 August 2017


Siemens, DHS warn of "low skill" exploits against CT and PET Scanners
Ars Technica
U.S. Senate is going to help improve security of the IoT
Don Gilman
U.S. Army reportedly asks units to stop using DJI drones, citing cybersecurity concerns
The Verge
200-Terabyte Proof Demonstrates the Potential of Brute-Force Math
Michael Byrne
Amazon Echo vulnerability allows hackers to eavesdrop with always-on microphone
Apple Insider via geoff goodfellow
'Anonymous' browsing data can be easily exposed, researchers reveal
The Guardian
21 Technologies Transforming Software Development
Peter Wayner
"The Death of Ruby? Developers Should Learn These Languages Instead"
Alison DeNisco
China holds drill to shut down 'harmful' websites
Reuters via Suzanne Johnson
HBO Security Contractor: Hackers Stole 'Thousands of Internal Documents'
Stolen nude photos and hacked defibrillators: is this the future of ransomware?
The Guardian
Uber drivers gang up to cause surge pricing, research says
The Telegraph
Wells Fargo faces lawsuits, angry lawmakers over car lending
"How can we stop algorithms telling lies?"
Cathy O'Neil via PGN
Grandpa Had a Pension. This Generation Has Cryptocurrency.
Cybersecurity Researcher Hailed as Hero Is Accused of Creating Malware
Have Smartphones Destroyed a Generation?
The Atlantic
More than 1 in 5 travelers knowingly or unknowingly carried prohibited items onto aircraft, survey finds
"Beware the Browser Extensions Privacy Trap!"
Lauren Weinstein
Site tracks Russian Propaganda on Social Media
Hacker who stopped WannaCry charged for writing banking malware
To Protect Voting, Use Open-Source Software
Woolsey and Fox
Fishy circumstances cause power outage in Seattle
Dyer Oxley
Re: Leaping Kangaroos
Paul Edwards
Re: somebody else's computer, in another country
Kelly Bert Manning
Re: NEC Updates like software updates
William Brodie-Tyrrell
Re: Iranians Use 'Cute Photographer' Profile To Hack Targets in Middle East
Amos Shapir
Info on RISKS (comp.risks)

Siemens, DHS warn of "low skill" exploits against CT and PET Scanners (Ars Technica)

Lauren Weinstein <>
Sun, 6 Aug 2017 08:05:06 -0700
via NNSquad

  Siemens identified the vulnerabilities in a customer alert on 26 Jul 2017,
  warning that the vulnerabilities were highly critical—giving them a
  rating of 9.8 out of a possible 10 using the Common Vulnerability Scoring
  System. The systems affected include Siemens CT, PET, and SPECT scanners
  and medical imaging workflow systems based on Windows 7.  One of the
  vulnerabilities is in the built-in Windows Web server running on the
  systems. "An unauthenticated remote attacker could execute arbitrary code
  by sending specially crafted HTTP requests to the Microsoft Web server
  (port 80/tcp and port 443/tcp) of affected devices," Siemens warned in its
  alert.  The bug in the Web server software allows code injection onto the

U.S. Senate is going to help improve security of the IoT

Don Gilman <>
Wed, 2 Aug 2017 08:56:50 -0500

SAN FRANCISCO (Reuters)—A bipartisan group of U.S. senators on Tuesday
plans to introduce legislation seeking to address vulnerabilities in
computing devices embedded in everyday objects—known in the tech industry
as the Internet of Things—which experts have long warned poses a threat
to global cyber security.

U.S. Army reportedly asks units to stop using DJI drones, citing cybersecurity concerns (The Verge)

Lauren Weinstein <>
Fri, 4 Aug 2017 14:47:28 -0700

  The editor of SUAS News has obtained what appears to be an internal memo
  from the U.S. Army asking all units to discontinue the use of DJI drones
  due to an increased awareness of cybervulnerabilities with DJI products.
  The memo notes that the Army had issued over 300 separate releases
  authorizing the use of DJI products for Army missions, meaning a lot of
  hardware may have been in active use prior to the memo, which is dated
  2 Aug 2017.

  [See also

200-Terabyte Proof Demonstrates the Potential of Brute-Force Math (Michael Byrne)

ACM TechNews <>
Fri, 4 Aug 2017 11:51:42 -0400 (EDT)
Michael Byrne, *Motherboard*, 30 Jul 2017
via ACM TechNews, Friday, August 4, 2017

Researchers Marijn Heule and Oliver Kullmann envision brute-force problem
solving playing a key role in security- and safety-critical systems by
generating proofs in propositional logic, also known as Satisfiability (SAT)
solving.  "Today, SAT solving on high-performance computing systems enables
us to conquer problems of high complexity, driven by practice," the
researchers write in a paper published in the August issue of Communications
of the ACM. "This combination of enormous computational power with 'magical
brute force' can now solve very hard combinatorial problems, as well as
proving safety of systems such as railways."  As part of their work, Heule
and Kullmann have demonstrated an automated SAT solver that has produced a
200-terabyte proof.  "Now the task is to live up to big complexities, and to
embrace the new possibilities," Heule and Kullmann note.  "Proofs must
become objects for investigations, and understanding will be raised to the
next level, how to find and handle them."

Amazon Echo vulnerability allows hackers to eavesdrop with always-on microphone (Apple Insider)

geoff goodfellow <>
Thu, 3 Aug 2017 18:17:19 -1000
A security researcher has shown off the potential danger of Internet
connected speakers being used to listen in on private conversations by
publishing details of how to hack earlier models of the Amazon Echo via a
hardware-based vulnerability that cannot be fixed with a software patch.

The 2015 and 2016 models of the Amazon Echo can be exploited by using 18
debug connection pads, accessible by removing the rubber base from the
device, according to MWR InfoSecurity researcher Mark Barnes. An external SD
card breakout board was attached to the debug pads, allowing Barnes to boot
from an SD card and rewrite the onboard firmware, making it remotely

'Anonymous' browsing data can be easily exposed, researchers reveal (The Guardian)

Monty Solomon <>
Wed, 2 Aug 2017 01:44:24 -0400
A journalist and a data scientist secured data from three million users
easily by creating a fake marketing company, and were able to de-anonymise
many users

21 Technologies Transforming Software Development (Peter Wayner)

ACM TechNews <>
Mon, 7 Aug 2017 11:58:06 -0400 (EDT)
Peter Wayner, InfoWorld, 3 Aug 2017 via ACM TechNews, 7 Aug 2017

Software development is being transformed by technologies such as continuous
integration and smarter languages, while databases are improving and
fulfilling a variety of niches.  Frameworks are relieving programmers of the
burden of writing everything from scratch, and routine libraries also are
proving helpful.  Meanwhile, the development of mechanisms and rules for
enforcing uniform styles is making code easier to understand, and virtual
machines are increasingly favored over physical hardware as instruments for
running the code.  Application programming interfaces have made it largely
unnecessary to pack data tightly, and new user interfaces such as smart TVs
and smartphones are creating many novel programming opportunities and
challenges.  In addition, infrastructure as a service and platform as a
service are streamlining server and website building, while social media
portals are increasingly necessary.  Furthermore, performance monitoring is
becoming a key necessity as code defects and bottlenecks are no longer
restricted to a single machine.

"The Death of Ruby? Developers Should Learn These Languages Instead" (Alison DeNisco)

ACM TechNews <>
Mon, 7 Aug 2017 11:58:06 -0400 (EDT)
Alison DeNisco, Tech Republic, 7 Aug 2017 via ACM TechNews, 7 Aug 2017

The Ruby programming language's popularity has plummeted steeply in the past
few years, owing to scalability limits, slower application runtimes, and an
inability to let computer scientists gain the same types of insight into
their data as they can with other languages, according to experts.  "[Ruby]
might be a good language if somebody wants to start out doing programming,
but true computer scientists don't look at it as introducing the true
paradigms of computer programming," says Tufts University's Karen Panetta.
Many companies have discarded Ruby for languages that offer easier expansion
and lower long-term costs, including the MEAN stack, or Python and Java.
Coding Dojo's Speros Misirlakis stresses the importance for developers to be
agile and conversant in different languages.  "Every developer realizes you
can't specialize in one language and expect that to be true for 20 or 30
years," Misirlakis notes.  "People should be open to learning multiple
technologies, languages, and frameworks."

China holds drill to shut down 'harmful' websites

Suzanne Johnson <>
August 4, 2017 at 10:31:21 AM EDT
  (via Dave Farber)

President Xi Jinping has overseen a tightening of China's cyberspace
controls, including tough new data surveillance and censorship rules. This
push is now ramping up ahead of an expected consolidation of power at the
Communist Party Congress this autumn.

The drill asked Internet data centers to practice shutting down target web
pages speedily and report relevant details to the police, including the
affected websites' contact details, IP address and server location.

HBO Security Contractor: Hackers Stole 'Thousands of Internal Documents' (Variety)

Lauren Weinstein <>
Wed, 2 Aug 2017 11:48:24 -0700
via NNSquad

  The HBO hack may have been worse than the initial leaks of a few un-aired
  TV show episodes suggested. A security company hired by HBO to scrub
  search results for the hacked files from search engines has told Google
  that the hackers stole "thousands of Home Box Office (HBO) internal
  company documents."  The disclosure came as part of a DMCA take-down
  notice sent to Google Tuesday to force the search engine to take down
  links to the leaked files. The take-down notice also detailed that the
  hackers did away with "masses of copyrighted items including documents,
  images, videos and sound."  The company in question, IP Echelon, is
  frequently being used by HBO to remove links to infringing material from
  Google. An HBO spokesperson declined to comment on the take-down notice
  and the nature of any files stolen by the hackers when contacted by
  Variety Wednesday "due to an ongoing investigation."

Stolen nude photos and hacked defibrillators: is this the future of ransomware? (The Guardian)

Monty Solomon <>
Thu, 3 Aug 2017 09:54:23 -0400
Hackers behind attacks such as WannaCry might not have become hugely rich,
but that doesn't mean they are going to give up any time soon

Uber drivers gang up to cause surge pricing, research says (The Telegraph)

Lauren Weinstein <>
Wed, 2 Aug 2017 13:58:29 -0700

  Researchers at the University of Warwick found Uber drivers in London and
  New York have been tricking the app into thinking there is a shortage of
  cars in order to raise surge prices.  According to the study, drivers
  manipulate Uber's algorithm by logging out of the app at the same time,
  making it think that there is a shortage of cars.

    [Maybe they are just going through pUBERty?  PGN]

Wells Fargo faces lawsuits, angry lawmakers over car lending

Monty Solomon <>
Fri, 4 Aug 2017 09:07:54 -0400

"How can we stop algorithms telling lies?" (Cathy O'Neil)

Peter G. Neumann <>
Fri, 4 Aug 2017 14:29:28 -0700
Thanks to Ben Schneiderman for serendipitously reminding me that I have been
meaning to mention Cathy O'Neil's book, Weapons of Math Destruction (which
to my British colleagues would of course be Weapons of Maths Destruction --
seemingly closer phonetically).  (Browsing that title turns up many hits.)

Cathy has an item in *The Guardian* on problematic algorithms, which
seems very relevant for RISKS:

Grandpa Had a Pension. This Generation Has Cryptocurrency.

Monty Solomon <>
Thu, 3 Aug 2017 22:01:28 -0400
After years as a niche market for technologically sophisticated anarchists
and libertarians, digital coins may be on the verge of going mainstream.

Cybersecurity Researcher Hailed as Hero Is Accused of Creating Malware

Monty Solomon <>
Thu, 3 Aug 2017 19:51:38 -0400
A British security researcher, credited with stopping the spread of malicious software in May, was arrested in connection with a separate attack.

Have Smartphones Destroyed a Generation? (The Atlantic)

Monty Solomon <>
Thu, 3 Aug 2017 22:19:37 -0400
More comfortable online than out partying, post-Millennials are safer,
physically, than adolescents have ever been. But they're on the brink of a
mental-health crisis.

More than 1 in 5 travelers knowingly or unknowingly carried prohibited items onto aircraft, survey finds

Monty Solomon <>
Thu, 3 Aug 2017 21:46:41 -0400
A jet-chartering service says its survey found that at least 6 percent
boarded a commercial aircraft knowingly or unknowingly carrying a bladed
object prohibited by the TSA.

Lauren's Blog: "Beware the Browser Extensions Privacy Trap!"

Lauren Weinstein <>
Wed, 2 Aug 2017 10:12:58 -0700
via NNSquad

There's a story going around currently about a group of researchers who
claim to have de-anonymized a variety of browser users' search data. The
fact that proper anonymization of data is a nontrivial task is quite well
known. Sloppy "anonymization" can be effectively as bad as no anonymization
at all.

But the interested observer might wonder ... where did these researchers get
their search data in the first place?

It turns out that the main source of this data are the individuals or firms
behind third-party browser extensions and apps, which provide or sell the
user data that they collect to data brokers and to other entities.

And so we open up a very big can of worms.

The major browsers (e.g., Google's Chrome) provide various means for users
to install extensions and applications to extend browser functionalities.
While the browser firms work extensively to build top-notch security and
privacy controls into the browsers themselves, the unfortunate fact is that
these can be undermined by such add-ons, some of which are downright
crooked, many more of which are sloppily written and poorly maintained.

Ironically, some of these add-on extensions and apps claim to be providing
more security, while actually undermining the intrinsic security of the
browsers themselves. Others (and this is an extremely common scenario) claim
to be providing additional search or shopping functionalities, while
actually only existing to silently collect and sell user browsing activity
data of all sorts.

The manner in which these apps and extensions end up being installed can be
insidious, and relates to the fundamental complexity of the underlying
security models, which are not understood by the vast majority of users,
especially non-techie users. For the record, similar confusion exists
regarding smartphone app security models, e.g. for Android.

The bottom line is that most users, faced with a prompt to install an
extension or app that claims to provide useful functions, will simply grant
the requested permissions, no matter how privacy and/or security invasive
those permissions actually are.

And why should we expect these users to do anything differently?  Expecting
them to really understand what these permissions mean is ludicrous. We're
the software engineers and computer scientists—most users aren't either
of these. They have busy lives—they expect our stuff to just work, and
not to screw them over.

I recently helped an older Chrome user whom I know clean out their Chrome
browser on Windows 10. As is routine for me, I used Chrome Remote Desktop
for this purpose (please see: "Google Asked Me How I'd Fix Chrome Remote
Desktop—Here's How!")

He must have had 25 or 30 "crap" extensions installed that I needed to
individually remove (some of which appeared to have been "slave" extensions
installed by other "master" extensions). He claimed not to have knowingly
installed any of them. Almost certainly, these were all prompted
installations at sites he visited once or twice, with which he could have
easily interacted without installing any of these add-ons at all.

But these sites push users very hard to install these privacy-invasive, data
sucking extensions, and as noted above most users will grant requested
permissions, implicitly assuming that they're protected by the browser

Underlying browser security models can complicate the situation. For
example, one of the most common—and most easily abused—categories of
permissions requested by extensions and apps is one that grants read and
write access to all data at all websites you visit—or even that *plus*
all data on your computer!

Now, here's the kicker. While these sorts of permissions are the golden
ticket for abuse by crooked and sloppy extensions or apps, there are many
legitimate, well-written add-ons that also require such permissions to

But how is the average user to make a reasonable determination in this
context, faced with a site urging them to install an add-on that is being
portrayed as necessary? Most users don't have a site reputation database at
hand for reference—they just want to get on with what they're trying to
do online.

I will note here that I know of various corporate environments where
security policies absolutely prohibit the installation of apps or extensions
with such broad permissions, with few if any exceptions (e.g. unless they're
of internal origin and have passed rigorous internal security and privacy

I don't have a brilliant "magic wand" solution to this set of problems.

Personally, I install as few browser extensions and apps as possible unless
I am absolutely confident in the reputation of their origins, and I
absolutely minimize the installation of any add-ons that require broad
permissions either to websites or the local machines. Sometimes there are
situations where an app or extension looks very useful and enticing—but
I still need to say "no go" to them the vast majority of the time.

One last thing. I urge you to check right now to see what extensions and/or
apps you have installed, and remove the ones that you don't need (or worse,
don't even recognize). For most versions of Chrome, you can do this by
entering on your browser address bar:


On the extension list, a little trash can at the right is where you click to
remove an extension. On the app list page (page select is at the bottom of
that page), right click to access the menu that includes a "Remove from
Chrome" entry. On Chrome OS, you may not be able to access the app page(s)
using the link above. If the link doesn't work in this case, click on the
white circle in the bottom of screen toolbar to bring up the app page.

Is this all too complicated? Yep, it sure is.

Site tracks Russian Propaganda on Social Media (Dashboard)

Lauren Weinstein <>
Wed, 2 Aug 2017 11:06:42 -0700
via NNSquad

Hacker who stopped WannaCry charged for writing banking malware (WiReD)

Lauren Weinstein <>
Thu, 3 Aug 2017 13:16:37 -0700
via NNSquad

  Just three short months ago, security researcher Marcus Hutchins entered
  the pantheon of hacker heroes for stopping the WannaCry ransomware that
  ripped through the Internet and paralyzed hundreds of thousands of
  computers.  Now, he's been arrested and charged with involvement in
  another mass hacking scheme--this time on the wrong side.  Yesterday,
  authorities detained 22-year-old Hutchins after the Defcon hacker
  conference in Las Vegas as he attempted to fly home to the UK, where he
  works as a researcher for the security firm Kryptos Logic. Upon his
  arrest, the Department of Justice unsealed an indictment against Hutchins,
  charging that he created the Kronos banking trojan, a widespread piece of
  malware used to steal banking credentials for fraud. He's accused of
  intentionally creating that banking malware for criminal use, as well as
  being part of a conspiracy to sell it for $3,000 between 2014 and 2015 on
  cybercrime market sites like the now-defunct AlphaBay dark web market. The
  news of Hutchins' arrest shocked Defcon attendees and the wider
  cybersecurity community, in which Hutchins is a widely admired figure for
  his technical knowledge and his key actions to neuter the WannaCry
  epidemic in May.

To Protect Voting, Use Open-Source Software (Woolsey and Fox)

"Peter G. Neumann" <>
Thu, 3 Aug 2017 10:45:32 PDT
R. James Woolsey and Brian J. Fox

Fishy circumstances cause power outage in Seattle (Dyer Oxley)

Mark Thorson <>
Fri, 4 Aug 2017 19:14:13 -0700
  [Another animal-related power outage in the Pacific Northwest, to add to
  the fish tank item in RISKS-30.40.  PGN]

A bird dropped a fish on power lines in South Seattle, causing a 2.5-hour
outage in the area.  Connie MacDougal, a City Light spokesperson said, "It
is rare, I've been here 16 years and I've heard of raccoon-caused outages,
and many bird outages.  But never a fish."

  [A short fish could not have caused the short, so therein lies a long
  tail.  PGN]

Re: Leaping Kangaroos (Horsfall, RISKS-30.39)

Paul Edwards <>
Sat, 5 Aug 2017 15:06:12 +1000
Having spent a lot of time traveling through regional and rural parts of
Australia (and having been a driver in two instances of a kangaroo and my
car wanting to occupy the same point in space at the same time) I do wonder
about how local knowledge can be incorporated into self-driving cars.

For example, near where my parents-in-law live in central New South Wales,
there are several roads (generally abutting dams) where you do not drive
close to dawn or dusk to avoid the roos as they congregate to drink. (We
drove out to one such place late one afternoon with a picnic dinner and
watched over 30 kangaroos crossing the road in a 15-20 minute period during

Likewise there are many country roads where the verge creates puddles after
rain which are also favoured spots for roos to get water (so you avoid these
areas but only after rain). And there are other times when you are driving
along and see one or more kangaroos hopping parallel to you and you switch
off your headlights to ensure they do not veer toward you. Doubtless there
are more examples for kangaroos, generally localized knowledge.

I can imagine (but don’t know) that Laplanders may have similar local
knowledge and rules of thumb for avoiding reindeer, or Canadians with moose
(or PGN with squirrels).

The interesting questions then become: how hard would it be to incorporate
this into the AI, and what would the cost/benefit ratio look like?

Re: somebody else's computer, in another country (Slade, RISKS-30.40)

Kelly Bert Manning <>
Thu, 3 Aug 2017 18:08:23 -0400 (EDT)
Rob Slade echoed a phrase I often use when cloud enthusiasts blithely skip
over privacy and security issues, but I phrase it as "a computer belonging
to someone else, probably in a different legal jurisdiction".

A few years ago I was at a party where a friend invited everybody that she
knew was turning 60. One of the people I met described how his iPhone had
been lifted from his shorts pocket on a crowded transit train in Europe,
leading him to panic when he realised that he had lost access to information
about all his customers, needed to run his business

Eventually someone suggested that he buy a new iPhone and restore access
from Apple's cloud. That seemed to work for him. Problem solved?

I just sat there, wondering if he had any idea about the legal ramifications
under BC Provincial PIPEDA, Canadian Federal PIPA and other regulations.

Take a device your business depends on along on a world tour, hooked to the
contact and other Personally Identifiable Data of your customers. Then
restore access from a server probably hosted in another country, subject to
no notice access under the PATRIOT Act or similar legislation. Where to
start, so I didn't.

Most of us in Canada and the USA are familiar with out of country telephone
scammers calling from India, for example, with claims that we are valued
customers who have won ..., or that the IRS or CRA is about to arrest us.

Canadian and USA Do Not Call List violation penalties have little deterrent
effect on foreign scofflaws. How much effect do our Privacy Protection laws
and regulations have on foreign criminals?

There are very effective methods that could greatly reduce the number of
these calls that ring through to our phones, but telecom providers seem slow
to adopt them. I expect that there will be a similar organisational inertia
reluctance to secure IoT and clouds.

Smartphone users may be able to install an app, but those of us with Plain
Old Telephone Service do not have that option to block the scammers.

Re: NEC Updates like software updates (Newbury, RISKS-30.41)

William Brodie-Tyrrell <>
Wed, 2 Aug 2017 15:24:47 +0930
> What goes un-noticed is that the legislature effectively grants to an
> un-named, un-accountable body the power to unilaterally *amend the law*.

Even better, they get to charge you money for the privilege of reading those
laws to which you are subject.  I'm not sure of the situation in the EU/US,
but access to any/all (I think) Australian Standards documents requires
significant payments to SAI Global.

Re: Iranians Use 'Cute Photographer' Profile To Hack Targets in Middle East (RISKS-30.41)

Amos Shapir <>
Wed, 2 Aug 2017 17:55:02 +0300
> used a polished social media profile of a young, English woman using the
> name "Mia Ash" ...

There is a meta-data giveaway here: The source could be identified by
noting that "Mia Ash" means "my dear" in Persian.

I wonder if the NSA scans the social network looking for such out-of-context

  [If they do, I Foresee that Farsi might become Farce-y.  PGN]
