The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 31 Issue 11

Tuesday 12 March 2019


737 MAX 8 to get software upgrade
2 Billion Unencrypted Records Leaked In Marketing Data Breach—What Happened And What To Do Next
Triton is the world's most murderous malware, and it's spreading
Navy, Industry Partners Are 'Under Cybersiege' by Chinese Hackers, Review Asserts
Mystery Database of 1.8 Million Women in China
America's Undersea Battle With China for Control of the Global Internet Grid
Physician Phishing
New Zealand Farmers Have New Tool for Herding Sheep: Drones That Bark Like Dogs
Peter Holley
Hackers breach admissions files at three private colleges
Internet of Things Cybersecurity Improvement Act of 2019
Revolut, Telcos and phone numbers as unique IDs
Toby Douglass
How Kids Are Using Google Docs to Bully Each Other
Man told he's going to die by doctor on video-link robot
Drowning detection system to be set up at 28 public pools
Straits Times
First print something bad, then cover it up with something good
Dan Jacobson
U.S. DST change proposals and WWVB radio clocks
Rich Wales
Hackers can get into Macs with sneaky tricks, Crowdstrike experts say
A woman was trying to take a selfie with a jaguar when it attacked her, authorities say
Bumble Bee Foods Is Tracking Tuna on a Blockchain
More on the SwissPost hacking challenge
Anticipating a deluge of belling, revisited?
Mark Norem
Re: Robocalls Routed via Virtue Signaling Network?
Kelly Bert Manning
Re: but we never activated the cameras
Gabe Goldberg
Info on RISKS (comp.risks)

737 MAX 8 to get software upgrade (CBC)

Rob Slade <>
Tue, 12 Mar 2019 12:27:37 -0700
Boeing is issuing a software upgrade for the troubled 737 MAX 8 aircraft in
the coming weeks.  (The announcement is fairly far down this article.)

Presumably this will address some issues with the MCAS flight software.

Hopefully the upgrade won't be online, with aircraft rebooting in mid-flight.

(I'm waiting for 737 MAX 8 ver. 3.0 ...)

  [Monty Solomon noted
    Boeing to Make Key Change in 737 MAX Cockpit Software.]

2 Billion Unencrypted Records Leaked In Marketing Data Breach—What Happened And What To Do Next (Forbes)

geoff goodfellow <>
Sun, 10 Mar 2019 09:24:09 -0700
Excerpt: I woke up this morning to discover, yet again, that I was one of a
stupidly large number of people whose personal data had been leaked in the
latest mega breach. Troy Hunt's 'have i been pwned?'  service informed me
that 763,117,241 people have had their records leaked by Verifications IO:
including verified emails, phone numbers, addresses, dates of birth,
Facebook, LinkedIn and Instagram account details, credit scoring and even
mortgage data such as amount owing and interest rates being charged. Which
wasn't the best news to receive first thing on a Sunday morning. But then
things got even worse, a lot worse. SC Media UK reports that Andrew Martin,
CEO & founder of cybersecurity company DynaRisk, has revealed the true
number of leaked records is much higher. How much higher?  How does a total
of 2,069,145,043 unencrypted records grab you?


*So, what actually happened?*

According to Bleeping Computer
an unprotected MongoDB database was discovered by security researcher Bob
Diachenko. Having cross-referenced the data, sitting there in plain text,
with the have i been pwned site, Diachenko was able to conclude this was
fresh to the market new information and not just a dump of previously
breached data as has been seen with the recent Collection 1 leak.
After doing some more investigative work, Diachenko was able to track the
database back to the Verifications IO enterprise email validation service.
This company validates bulk email lists for companies wanting to remove
inactive addresses from newsletter mailouts. Diachenko reported, working
alongside researcher Vinny Troia, that a total of 808,539,939 records had
been leaked. The 'mailEmailDatabase' contained three sections: Emailrecords,
emailWithPhone and businessLeads containing that data.  However, DynaRisk
CEO, Andrew Martin, also analyzed the data and came to the conclusion that
on the one server exposed to the web there were actually four databases not
just the one. He told The Register
"Our analysis was conducted over all four databases and extracted over two
billion email addresses. The additional three databases were hosted on the
same server, which is no longer accessible."

*What data was leaked?*

The security researcher who made the discovery, Bob Diachenko
says that "although not all records contained the detailed profile
information about the email owner, a large amount of records were very
detailed." That detail included commonplace breach data such as email
addresses and phone numbers, but went far beyond the basics as well.
Information such as dates of birth, mortgages amounts and interest rates
and social media accounts related to the emails in question. But it doesn't
stop there, you can also throw in basic credit scoring data, company names
and revenue figures as well.

*Should you be worried?*

Yes, of course you should. This was, after all, a massive leak of the kind
of personal information that would be a goldmine for the phishers and
spammers of this world. However, that concern can be diluted by a number of
factors. Not least there's the small matter that nobody has found any
compelling evidence that the data has actually been used for any criminal
purpose as of yet. Although the databases were accessible for some time, as
soon as the problem was disclosed to Verifications IO the service was taken
offline and remains so. Which means that bad guys alerted by this news
won't be able to exploit it. What's just as important as what was in the
breach is what wasn't. So, there were no social security numbers, no credit
card numbers, no passwords. And, importantly, this was a leak not a hack:
white hat researchers found the data was accessible rather than black hats
looking to exploit it.

*Can you mitigate your risk?...*  [...]

  [Also noted by Jim Reisert and Rob Slade.  PGN]

Triton is the world's most murderous malware, and it's spreading (TechReview)

Bill Meacham <>
Fri, 8 Mar 2019 02:29:59 +0000 (UTC)

The rogue code can disable safety systems designed to prevent catastrophic
industrial accidents. It was discovered in the Middle East, but the hackers
behind it are now targeting companies in North America and other parts of
the world, too.  ...

Over the past decade or so, companies have been adding Internet connectivity
and sensors to all kinds of industrial equipment. The data captured is being
used for everything from predictive maintenance — which means using
machine-learning models to better anticipate when equipment needs
servicing — to fine-tuning production processes. There's also
been a big push to control processes remotely through things like
smartphones and tablets.

All this can make businesses much more efficient and productive, which
explains why they are expected to spend around $42 billion this year on
industrial Internet gear such as smart sensors and automated control
systems, according to the ARC Group, which tracks the market. But the risks
are also clear: the more connected equipment there is, the more targets
hackers have to aim at.  ...

Navy, Industry Partners Are 'Under Cybersiege' by Chinese Hackers, Review Asserts (WSJ)

Monty Solomon <>
Tue, 12 Mar 2019 18:26:26 -0400

Mystery Database of 1.8 Million Women in China (Gizmodo)

Rob Slade <>
Tue, 12 Mar 2019 12:09:54 -0700
A database of all kinds of personal information about 1.8 million women in
China has been found online.  Who did it?  Unknown.  What's it for? Unknown.
Oh, and one of the, very personal, info fields is "BreedReady."

America's Undersea Battle With China for Control of the Global Internet Grid (WSJ)

Monty Solomon <>
Tue, 12 Mar 2019 18:26:53 -0400

Physician Phishing (JAMA)

Paul Burke <>
Fri, 8 Mar 2019 13:44:13 -0500
The Journal of the American Medical Association (JAMA) has an article this
morning describing 3 million simulated phishing emails sent to staff at 6
US healthcare systems. 14% resulted in a click. One finding was that the
odds of clicking dropped to about 5% after 10 fake phishing campaigns. They
did not test how many people would enter login credentials, but clearly
some would, having trusted the link in the first place.

"If the simulated email is clicked, it is used as a real-time opportunity
to provide short phishing education to the employee." This missed the
chance to teach about much bigger cyber weaknesses in healthcare.
Displaying rotating messages about the multitude of cyber risks would help
administrators and staff think about and reduce risks more widely.

These efforts do not protect an organization from phishing. At a 5% click
rate, emails to 24 recipients give a 70% chance that someone will click.
There is no reliable way to tell phishing emails from legitimate emails.
When people think an email looks suspicious, and send it for checking, 90%
are "legitimate," which means most people cannot tell them apart. Sending them
for checking simply prevents access to the 90% which are legitimate, since
checkers rarely send them back. Advice never to click an email link is
impractical too, since the world lives by such links.

Even JAMA and Checkbook send email links to their articles, these links ask
for a login, and it can be hard to find the articles except by clicking.
One of the JAMA authors used to work for a contractor which sent 135
million simulated phishing emails. They got similar click rates in every
industry, so systems need to protect themselves with compartmentalization,
data transfer only to other hardware-identified health systems, etc.

The education offered upon a click is a good time to raise cyber security
awareness, but it can't stop people clicking on emails. Emails to IT
administrators can be filtered to remove all links, or this could apply
after the first time (third time?) they click on a simulated phish.
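
The arithmetic behind the "24 recipients give a 70% chance" claim above is the
complement of nobody clicking, 1 - (1 - p)^n, under an assumption of
independent recipients. The following is an added illustration (not part of
the JAMA study or of the contributor's post) that computes that probability and
its inverse, the number of recipients at which a campaign of a given click rate
reaches a target probability of at least one click; the click rates are the
5% and 14% figures quoted in the post.

```python
"""Added example: probability that a phishing mailing gets at least one click.

Assumes recipients click independently of one another (a simplification; in a
real organisation clicks are correlated by role, timing and message content).
"""
from math import ceil, log


def p_any_click(click_rate: float, recipients: int) -> float:
    """Probability that at least one of `recipients` independent people clicks."""
    if not 0.0 <= click_rate <= 1.0:
        raise ValueError("click_rate must be between 0 and 1")
    if recipients < 0:
        raise ValueError("recipients must be non-negative")
    # P(at least one click) = 1 - P(nobody clicks) = 1 - (1 - p)^n
    return 1.0 - (1.0 - click_rate) ** recipients


def recipients_for(click_rate: float, target_prob: float):
    """Smallest mailing size at which P(at least one click) >= target_prob.

    Returns None when the target can never be reached (click_rate == 0).
    """
    if not 0.0 <= click_rate <= 1.0 or not 0.0 <= target_prob < 1.0:
        raise ValueError("rates and probabilities must be in [0, 1)")
    if click_rate == 0.0:
        return None
    if click_rate == 1.0:
        return 1
    # Solve 1 - (1 - p)^n >= t  =>  n >= log(1 - t) / log(1 - p)
    n = ceil(log(1.0 - target_prob) / log(1.0 - click_rate))
    # Guard against floating-point rounding pushing the ceiling one too low.
    while p_any_click(click_rate, n) < target_prob:
        n += 1
    return n


if __name__ == "__main__":
    # Click rates from the post: 14% on the first campaign, ~5% after ten campaigns.
    for rate in (0.14, 0.05):
        print(f"click rate {rate:.0%}: "
              f"P(any click | 24 recipients) = {p_any_click(rate, 24):.3f}, "
              f"recipients for 70% = {recipients_for(rate, 0.70)}")
```

The point the post makes falls out directly: cutting the per-person click rate
from 14% to 5% only raises the mailing size needed for a likely success from
eight recipients to twenty-four, which is why awareness training alone cannot
be the control an organisation relies on.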

New Zealand Farmers Have New Tool for Herding Sheep: Drones That Bark Like Dogs (Peter Holley)

ACM TechNews <>
Fri, 8 Mar 2019 12:13:47 -0500
Peter Holley, *The Washington Post*, 7 Mar 2019, via ACM TechNews 8 Mar 2019

New Zealand farmers are using drones to herd livestock, with some capable of
emitting barks like dogs. One drone, the DJI Mavic Enterprise, can record
sounds and play them over a loudspeaker, allowing the machine to mimic its
canine counterparts. Shepherd Corey Lambeth said cows are less resistant to
drones than to actual dogs, which means the machines move livestock faster,
with less stress. The drones also let farmers monitor their land remotely,
tracking water and feed levels, and checking on livestock health without
upsetting the animals. Said farmer Jason Rentoul, "Being a hilly farm where
a lot of stuff is done on foot, the drones really saved a lot of
man-hours. The drone does the higher bits that you can't see [from the
ground], and you would [otherwise] have to walk half an hour to go and have
a look and then go, 'Oh, there was no sheep there.'"

  [Risks?  How about hacking into the drone, and reprogramming it to sound
  like a pack of wolves, to herd the sheep into waiting trucks?  PGN]

Hackers breach admissions files at three private colleges (WashPost)

Monty Solomon <>
Sat, 9 Mar 2019 11:59:10 -0500
The incidents occurred the same week a report revealed that Chinese hackers
targeted more than two dozen universities in the U.S. and other countries in
an effort to steal research about maritime technology being developed for
military use.

  [More than three in today's news.  Tuesday 12 Mar 2019.  PGN]

Internet of Things Cybersecurity Improvement Act of 2019 (

Richard Stein <>
Tue, 12 Mar 2019 11:31:13 -0700
via the Washington Post at

On paper, the senate bill establishes federal IoT baseline standards for
certain "covered devices." These devices consist of: "(a) capable of
connecting to and is in regular connection with the Internet; has computer
processing capabilities that can collect, send, or receive data; and is not
a general-purpose computing device, including personal computing systems,
smart mobile communications devices, programmable logic controls, and
mainframe computing systems."

Generally, wireless medical devices (pacemakers, etc.), environmental
controllers (Nest), Zigbee, etc. Should help reduce botnet co-opting via
common vulnerabilities and exposures (CVEs).

Risk: Organizational maturity that may prevent implementation compliance and
operational vigilance after policy enacted into law.

Revolut, Telcos and phone numbers as unique IDs

Toby Douglass <>
Sat, 9 Mar 2019 19:26:28 +0200
I hold a Revolut Business account.  A counter-party of mine holds a Revolut
Personal account.  Users in the Revolut Personal system are uniquely
identified by their phone number.

Some months ago I added this counter-party in my Revolut Business account
and about two weeks ago made a (small - no need to shed tears) transfer to

The transfer did not arrive.  We then began a game of customer support
ping-pong.  Revolut Business assured me the transfer had succeeded, and
referred me to Revolut Personal support.  Revolut Personal assured my
counter-party the transfer was unknown to them, and referred them to Revolut
Business support.  In the end, my counter-party and I realised for ourselves
what had happened: my counter-party had since I created their counter-party
entry changed their phone number—my information for them still used their
old number.

(The Revolut Business web-site does not display the phone number of a
counter-party *anywhere*.  In fact, you can retrieve the phone number of a
counter-party only by contacting customer support.)

Revolut Business support assert that if a transfer is made to a non-existent
phone number, the transfer will fail.

This is not correct (but this is expected - first line customer support for
any larger company always and invariably is to truth what whiskey is to

The transfer was made, but went silently into limbo.

When we had noticed this had happened, and then later had worked out what
had happened, and informed Revolut Personal customer support, providing the
old number, they retrieved the funds and moved them to the counter-party's
account.  (I'm not sure how they validated their claim to the old number.)

This begs the question as to what happens if the phone number has in the
meantime been reused by the telco and another person has opened a Revolut
account with that number and, for good measure, while we're asking
questions, possibly spent those funds.  (I would expect the customer to be
held completely and fully responsible, for using the wrong phone number.)

In the existing banking system, the unique ID for an account is controlled
by the bank itself.  They do not re-use IDs, or only knowingly re-use IDs.

In the Revolut system, the unique ID for the account is controlled by the
telco, who are oblivious to the existence of Revolut and with a complete
lack of consideration for FinTech startups, re-use IDs.

(Please bear strongly in mind it is impossible for me to verify or even
discuss any of this information with Revolut, so it could be there is a
flaw, or many, in my understanding.  What I have written is what is true to
the best of my knowledge.)

In general, phone numbers as unique IDs are now not uncommon.  This issue of
a third party controlling ID would seem then on the face of it to extend
potentially to all such systems, and when there are a range of systems
facing the same challenge, there exists a range of success in the response
to that challenge.

(Actually, using a phone number as an ID is I think extremely unwise always,
since it enables your identity to be linked up to third party information.
Privacy is best served with a web-based burner email address service, such
as mailinator, accessed via Tor.  However, burner mobile phones can be found
on Amazon for 10 USD.  Remember the phone has a unique ID, and the SIM also,
so you need to change both the phone and the SIM; never re-use a burner
phone with multiple SIMs.  Also remember when you do use it, don't use it at
home - you will be geolocated by the telco, and that will also give you
away.  Go somewhere you've never been before, and never go there again.
Actually of course, none of this I mean seriously, rather, I write it to
show how much specialist knowledge, and effort, is required to be

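The failure mode in the post above (a payee keyed on a telco-controlled phone
number, a transfer to a stale number parked silently, and the further question
of what happens once the telco reassigns that number) can be modelled in a few
dozen lines. The following is an added toy ledger, not Revolut's code and not
based on any knowledge of its internals; the phone numbers, account IDs and
amounts are constructed, and the "limbo" behaviour and the reassignment outcome
are the post's hypotheses, modelled here rather than observed facts. It
contrasts lookup by phone number with lookup by a provider-issued ID that is
never reused, and shows why a transfer to an unknown key should fail loudly
rather than park funds.

```python
"""Added example: keying payments on a telco-owned identifier vs. a provider-owned one.

Constructed model of the scenario in the post; not the code of any real
payment provider.
"""
from __future__ import annotations
import itertools
from dataclasses import dataclass


@dataclass
class Account:
    account_id: str   # issued by the payment provider; never reused
    phone: str        # issued by a telco; can change or be reassigned to a stranger
    balance: int = 0


class Ledger:
    def __init__(self) -> None:
        self.by_id: dict[str, Account] = {}
        self.by_phone: dict[str, Account] = {}
        self.limbo: dict[str, int] = {}     # funds sent to a number nobody holds
        self._seq = itertools.count(1)

    def open_account(self, phone: str) -> Account:
        if phone in self.by_phone:
            raise ValueError(f"{phone} is already bound to an account")
        acct = Account(f"acct-{next(self._seq):04d}", phone)
        self.by_id[acct.account_id] = acct
        self.by_phone[phone] = acct
        return acct

    def change_phone(self, account_id: str, new_phone: str) -> None:
        acct = self.by_id[account_id]
        del self.by_phone[acct.phone]       # the old number is now unbound
        acct.phone = new_phone
        self.by_phone[new_phone] = acct

    def transfer_by_phone(self, phone: str, amount: int) -> str:
        """Phone-keyed transfer with the silent-limbo behaviour the post describes."""
        acct = self.by_phone.get(phone)
        if acct is None:
            self.limbo[phone] = self.limbo.get(phone, 0) + amount
            return "limbo"                  # caller is not told the payee is unknown
        acct.balance += amount
        return acct.account_id

    def transfer_by_id(self, account_id: str, amount: int) -> str:
        """ID-keyed transfer: an unknown ID raises instead of parking the money."""
        acct = self.by_id[account_id]       # KeyError if the ID does not exist
        acct.balance += amount
        return acct.account_id


def run_scenario() -> dict:
    """Replay the post's sequence of events and report where each transfer lands."""
    ledger = Ledger()
    payee = ledger.open_account("+41790000001")        # constructed number
    saved_phone = payee.phone                           # payer's stored counter-party entry
    saved_id = payee.account_id

    ledger.change_phone(payee.account_id, "+41790000002")
    first = ledger.transfer_by_phone(saved_phone, 50)   # stale number: parked in limbo

    stranger = ledger.open_account(saved_phone)         # telco reassigns the old number
    second = ledger.transfer_by_phone(saved_phone, 50)  # same stale entry: stranger is paid

    third = ledger.transfer_by_id(saved_id, 50)         # stable ID: payee is paid regardless

    return {
        "first": first,
        "second_goes_to_stranger": second == stranger.account_id,
        "third_goes_to_payee": third == payee.account_id,
        "payee_balance": payee.balance,
        "stranger_balance": stranger.balance,
        "parked": ledger.limbo.get(saved_phone, 0),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The design lesson is the one the post draws: an identifier whose lifecycle a
third party controls cannot be the primary key for money, and when a payment
system does accept such a key it should at least refuse (and tell the payer)
when the key resolves to nobody, rather than hold the funds silently.
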
How Kids Are Using Google Docs to Bully Each Other (Offspring)

Gabe Goldberg <>
Sat, 9 Mar 2019 20:38:12 -0500
As a parent, you might walk past your child's room and see her happily
typing away on a Google Docs page.  "Lovely!", you think.  "She's
probably working on her science report or finishing up her essay on the rise
of RBG."

Or, she could be in a secret chat room.

In today's edition of Let's Try to Stay One Step Ahead of Our Kids on the
Internet (spoiler: we can't!), we're offering this heads-up: Some are using
Google Docs, the seemingly wholesome web-based word processor, to skirt
their parents' tech rules. It's impressive, really. All they need to do is
open up a document, invite their friends to become collaborators, and boom
-- they have a private space to chat, draw, share links, upload photos and
post memes. Google Docs is hardly a program parents think to block (in fact,
on tech message boards, I've seen several parents asking how to ban
everything except for the software) and many kids already have accounts for
school. After the chat session, they can simply delete the document and
empty their Trash folder without leaving any record.

Man told he's going to die by doctor on video-link robot (

Richard Stein <>
Sat, 9 Mar 2019 10:56:00 -0800

"A doctor in California told a patient he was going to die using a robot
with a video-link screen.

"Ernest Quintana, 78, was at Kaiser Permanente Medical Center in Fremont
when a doctor - appearing on the robot's screen - informed him that he would
die within a few days.

"A family friend wrote on social media that it was 'not the way to show
value and compassion to a patient'.

"The hospital says it 'regrets falling short' of the family's expectations.

"Mr Quintana died the next day."

"Michelle Gaskill-Hames, senior vice-president of Kaiser Permanente Greater
Southern Alameda County, told the Associated Press that its policy was to
have a nurse or doctor in the room when remote consultations took place."

Risk: Telemedicine's convenience eliminates compassion from healthcare
delivery, especially for acute patient illness.

  [Also noted by Mark Thorson.  PGN]

Drowning detection system to be set up at 28 public pools (Straits Times)

Richard Stein <>
Sat, 9 Mar 2019 11:14:15 -0800

Silicon supplements lifeguard vigilance.

Risk: Image recognition to detect drowning swimmer and alert public
safety/lifeguard response.

First print something bad, then cover it up with something good

Dan Jacobson <>
Sun, 10 Mar 2019 09:14:25 +0800
Let's say we first print something bad, then we cover it up with something

And say we really shouldn't print something bad in the first place, but it
doesn't matter, because at today's speeds, users will surely never notice.

Got me thinking about this.

U.S. DST change proposals and WWVB radio clocks

Rich Wales <>
Sat, 9 Mar 2019 22:46:28 -0800
Some U.S. states are mulling proposals to adopt Daylight Saving Time year
round—I'm aware of California and Florida, for example.  At least one
Canadian province (British Columbia) is considering doing the same.

It occurs to me that if states in the Eastern time zone (UTC-5; UTC-4 in
summer) adopt year-round DST, this will break WWVB-based "atomic clocks" in
those states during the winter (November through early March).

WWVB-based clocks currently on the market in the US offer four time zones
(Pacific, Mountain, Central, and Eastern), plus an option either to move
between standard and daylight time per the US-wide rules or to stay
permanently on standard time.  If California goes to year-round DST, "atomic
clock" owners in CA could set their clocks to use Mountain time with no DST.
These option settings do not provide any way to specify Eastern daylight
time during winter, however, so if an east-coast state (like Florida) moves
to year-round DST, "atomic" clocks in use there will be an hour off for four
months out of the year.

Two possible solutions would be either to add a third DST setting (i.e., DST
always on), or else to add a fifth time zone (Atlantic) and tell consumers
in the affected states to select Atlantic time with no DST.  Affected
consumers would, of course, need to buy new clocks, since it's impossible to
upgrade the firmware in existing clocks.

Hackers can get into Macs with sneaky tricks, Crowdstrike experts say (CNET)

geoff goodfellow <>
Sat, 9 Mar 2019 10:06:22 -0700
*The cybersecurity company says it's seen hackers get deep access into the
Macs of regular users.*


It's long been legend that Macs are harder to hack than other computers.
Not only are they said to be more secure, but fewer people use them, so
hackers have less incentive to break in.

Cybersecurity company Crowdstrike is happy to bust that myth. At the RSA
Conference on Thursday, CEO George Kurtz and CTO Dmitri Alperovitch
detailed hacking techniques they've seen used to do a host of bad things on
Apple-built computers.

Attackers can trick Mac users into downloading malicious software and then
get deep access into the computer, the Crowdstrike executives said. They
also have tools to loot the system's keychain for more passwords and build
backdoors into the machines, allowing hackers to have repeated access.

"They have interesting tradecraft on Macs," Alperovitch said of the hackers.
The Crowdstrike presentation comes in the wake of a flaw found in Apple's
Facetime app
 that could have let hackers listen in on unwitting iPhone
users, as well as a
vulnerability in the keychain
which stores the passwords of apps connected to a Mac. Taken together,
these flaws mean Mac users should take steps to keep their computers secure
instead of relying on Apple's reputation for security to keep them safe...


A woman was trying to take a selfie with a jaguar when it attacked her, authorities say (WashPost)

Jim Reisert AD1C <>
Sun, 10 Mar 2019 15:58:43 -0600
Lindsey Bever, *The Washington Post*, 10 Mar 2019

  A woman was attacked by a jaguar as she was apparently trying to get a
  photo outside the big cat's enclosure at Wildlife World Zoo in Arizona,
  authorities said.

  Shawn Gilleland, a spokesman for the Rural Metro Fire Department, told The
  Washington Post on Sunday that fire crews said the woman, who is in her
  30s, climbed over a barrier at the zoo Saturday to get closer to the
  jaguar's enclosure so that she could get a selfie with the animal. The
  jaguar reached out and grabbed her arm with its paw, leaving lacerations,
  Gilleland said.

Bumble Bee Foods Is Tracking Tuna on a Blockchain (Fortune)

Gabe Goldberg <>
Tue, 12 Mar 2019 00:20:01 -0400
Supporters of enterprise blockchains say they tend to work best in
situations where people want to share tamper-resistant data among many
parties. Critics of the technology argue that it offers little in the way of
improvement over traditional database software; still other critics say the
technology doesn't truly qualify as a blockchain unless it is public and
open and has a cryptocurrency, like Bitcoin, tied to it.

As usual, no explanation of what "tracking tuna on a blockchain" MEANS... as
in, how is an individual fish—or shipment—irrevocably tied to a
transaction or data?

  [O ForTuna!  (Carl Orff, Carmina Burana)  PGN]

More on the SwissPost hacking challenge (RISKS-30.81-82)

"Peter G. Neumann" <>
Tue, 12 Mar 2019 11:12:27 PDT
The Swiss challenge to hack their voting system has moved along.  Three
independent research groups have announced a vulnerability that permits the
undetectable insertion of bogus votes (and alteration of existing ones?).

Anticipating a deluge of belling, revisited?

Not the best way To stay unknown <>
Fri, 8 Mar 2019 17:02:29 -0600
One of the URLs listed in the Editorial comment had health-data links that
shared an ironic similarity of some Facebook postings.

By comparison, a Slashdot article noted:

I have followed RISKS for decades, finding it providing education and
information not widely available. I did not expect to be reminded of a
newspaper city editor's skepticism in "if your mother says she loves you,
check it out."

(I recognize that this email is likely to be trashed.  [No.  Sorry, I could
not do that.  PGN]  Thus the reference to who will bell the cat.  I do find
your work on RISKS large-hearted and helping inestimably in pushing back the
FUD.)  Mark Norem

Re: Robocalls Routed via Virtue Signaling Network? (NYTimes)

Kelly Bert Manning <>
Mon, 11 Mar 2019 15:18:00 -0400
Here in Canada a number of classes of operations are exempt from having to
comply with the National CRTC Do Not Call List, in particular politicians
and their Opinion Polling Allies, among other exceptions.

However each of these entities is required to clearly identify themselves,
and to stop talking if you interrupt. At that point you can order them to
add your number to their own internal Do Not Call List, giving you a
confirmation code. After that they cannot call you again. This seems to be
cloaked in Security by Obscurity, few people seem aware of these secondary
DNC lists.

"Am I an exempt telemarketer?

  * registered charities raising funds
  * newspapers looking for subscriptions
  * political parties and their candidates
  * companies who only make telemarketing calls and send faxes to businesses

* Being an exempt telemarketer does not eliminate your responsibility
to maintain your own internal do not call list.

* You must also maintain your own internal do not call list ...

* You can't call or send faxes to the consumers on your own internal
do not call lists."

Re: but we never activated the cameras (RISKS-31.10)

Gabe Goldberg <>
Fri, 8 Mar 2019 16:25:07 -0500
Is Your Seatmate Googling You? (NYTimes)
We underestimate the risks to privacy in our everyday, offline lives.
