Risks Digest 27.96
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 6 Jun 2014 11:22:00 PDT
RISKS-LIST: Risks-Forum Digest Friday 6 June 2014 Volume 27 : Issue 96
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at
Contents: [Backlogged again. More coming soon-ish. PGN]
CyberBerkut Attempt to Alter Ukrainian Election (Brian Yates)
Hack the Vote: The Perils of the Online Ballot Box (Bruce McConnell
and Pamela Smith)
New bugs found in software that caused Heartbleed cyberthreat (Jim Finkle)
Massive Baltimore speed camera system errors (Ken Shotting)
Is Progress in Technology Always Beneficial? (Stephen Unger)
Critical new bug in GnuTLS crypto library leaves Linux, apps open to
drive-by attacks (Ars Technica via NNSquad)
Unsafe cookies leave WordPress accounts open to hijacking, 2-factor bypass
(Ars Technica via NNSquad)
Researchers find a global botnet of infected PoS systems (Lucian Constantin
via Monty Solomon)
New federal database will track Americans' credit ratings, other financial
information (Henry Baker)
How the NSA Could Bug Your Powered-Off iPhone, and How to Stop Them
Snowden would not get a fair trial; Kerry is wrong (Daniel Ellsberg via
NSA Collecting Millions of Faces From Web Images - NYTimes.com (David Farber)
Re: How the NSA tampers with US-made Internet routers (Mike O'Dell)
Abridged info on RISKS (comp.risks)
Date: Tue, 27 May 2014 18:23:28 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: CyberBerkut Attempt to Alter Ukrainian Election (Brian Yates)
Brian Yates, *The Guardian*, 25 May 2014.
A computer hacking group called CyberBerkut attempted to alter the
Ukrainian presidential election. They did so by having an administrator at
the Central Election Commission (CEC) plant a virus from an internal
computer that granted the hackers access.
Victor Yagun of the Security Service of the Ukraine held a press conference
announcing the cyber attack. The main target of CyberBerkut was the
election analytic system that aggregates voter data. Altering the
information would have created a different winner in the recent Ukrainian
election for president. Destroying the data would have created the illusion
of election fraud. Yagun also reported that an employee of the CEC who provided
the hacking group with internal access was detained.
Volodymyr Zverev, head of the State Service for Special Communication and
Information Security, said the virus released by CyberBerkut destroyed all
the internal data of the CEC servers on May 22. The virus was released
inside CEC by someone able to log into the network and open email containing
the virus. The compromised data collected by CyberBerkut included personal
emails of CEC members and technical documents on the operation of CEC's
election analytic system. All of the lost data was restored from a backup
server by 4 pm on May 22.
Evidence pointing to an inside source stemmed from tracking where the virus
first infiltrated the CEC network. The login information for a CEC computer
showed a person used the correct username and password on the first attempt.
Zverev blamed Kaspersky antivirus software for its failure to recognize the
virus. Kaspersky Lab is a Russian software firm. A spokesperson from the
company said Kaspersky Lab was ready to investigate the recent cyber attack
and write programming to help prevent such an incident from happening again.
Mykhailo Okhendovsky, the CEC director, said in a press conference the
network is operational and will continue running. The CEC's election
analytics system functioned normally after it was restored from the backup
server. Okhendovsky said if there are any failures, the CEC will not hide
the problem. His organization will speak openly about them.
The computer hacking group called CyberBerkut took credit in the attempt to
alter the Ukrainian presidential election. The group claimed it had
infiltrated CEC's digital infrastructure and disabled the election analytics
system. The group also claimed it had uploaded personal emails of CEC
officials. They also collected the technical specifications from the
analytic system that aggregates voting data. On the hacking group's website,
they stated they could now access the CEC communications system anytime they
Maxim Savanevskiy, of Watcher.com.ua, said CyberBerkut's hacking of CEC
inflicted no major damage. The main problem seemed to have been an internal
source granting the hackers access from within. Once the passwords to vital
programs are changed, access to outside sources would be eliminated.
Victoria Siumar, the deputy National Security and Defense Council Secretary
said the problem with hackers goes back to the previous pro-Russian
Yanukovych administration. Members from that government may have programmed
the CEC computers with built-in vulnerabilities to assist hackers in
gaining backdoor access into the network.
It would not be the first time former President Yanukovych faced such
allegations. In 2004, his allies rigged the presidential election in his
favor. Their plan included a similar hacking system that exploited access
to a data transit server.
With cyber attacks on individuals, businesses, and government institutions
on the rise, the Security Service of the Ukraine and members of the CEC
were lucky to be able to find the perpetrators. Losing or altering vital
election data during an election would have meant a disaster and cries of
fraud. The attempt by CyberBerkut to alter the Ukrainian presidential
election could have created a different result that would have added
further turmoil in the region.
Date: Thu, 29 May 2014 18:36:30 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Hack the Vote: The Perils of the Online Ballot Box
(Bruce McConnell and Pamela Smith)
More than 30 states and territories already allow some form of Internet
voting. They might want to reconsider.
Bruce McConnell and Pamela Smith
While most voters will cast their ballots at polling stations in November,
online voting has been quietly and rapidly expanding in the United States
over the last decade. Over 30 states and territories allow some form of
Internet voting (such as by email or through a direct portal) for some
classes of voters, including members of the military or absentees.
Utah just passed a law allowing disabled voters to vote online; and Alaska
allows anyone to cast their ballots online. And there were recent news
reports that Democratic and Republican national committees are contemplating
holding primaries and caucuses online. We estimate that over three million
voters now are eligible to vote online in the U.S.
But online voting is fraught with danger. Hackers could manipulate enough
votes to change the results of local and national elections. And a skilled
hacker can do so without leaving any evidence.
Estonia is the world leader in using online voting for its national
elections. Its government has done a great deal to improve the security of
the system, which is now used by up to 25% of voters. The country's
`I-voting system' is touted by proponents of online voting in the U.S. to
claim that secure Internet voting is possible.
It isn't. Early in May an international team of independent security experts
accredited by the Estonian government reported severe security
vulnerabilities in that country's `I-voting system'. Elections, the
researchers found, ``It could be stolen, disrupted, or cast into
The team recommended that Estonia's online voting system "be immediately
discontinued." One researcher, J. Alex Halderman of the University of
Michigan, has said that "Estonia's Internet voting system blindly trusts the
election servers and the voters' computers. Either of these would be an
attractive target for state-level attackers, such as Russia." Another
researcher, Harri Hursti from Finland, concluded, "With today's security
technology, no country in the world is able to provide a secure Internet
While the U.S. has not adopted online voting to the extent that Estonia has,
recent allegations by the U.S. Department of Justice that Chinese hackers
have been infiltrating several major American corporations since 2006 reveal
again how difficult it is to safeguard any system connected to the Internet,
and how easy it is for a skilled attacker to remain undetected for months
and years. The underlying architectures of the Internet, the personal
computer and mobile devices present numerous avenues of attack, making it
impossible to safeguard a voting system with the security tools that are
currently available. Methods of attack continue to become more
sophisticated, well-resourced and damaging.
Well-meaning state legislators and local election officials in the U.S. are
being pressed by vendors of online voting systems to adopt Internet
voting--despite warnings from federal officials. The Department of Defense
cancelled an Internet voting project for soldiers in 2004 because it felt it
could not ensure the legitimacy of the votes, and the project has not been
reconstituted. In a 2011 report, the National Institute of Standards and
Technology, the federal agency tasked with researching Internet voting,
concluded that secure Internet voting is not currently feasible.
First, NIST's report noted, "it is extremely difficult to protect against
software attacks" on personal computers outside the control of election
officials "that could violate ballot secrecy or integrity or steal a voter's
authentication credentials." Second, "remote electronic voter authentication
is a difficult problem." Third is the problem of "ensuring remote electronic
voting systems are auditable," with "no current or proposed technologies
offering a viable solution."
The move to online voting is motivated by good intentions: to improve access
to the ballot box for voters who may have difficulty exercising the
franchise, and to reduce costs. And the Internet offers enormous potential
to improve the voting process through responsible uses such as online voter
registration with appropriate safeguards, providing information on and the
location of polling places, sample ballots, blank absentee ballots and more.
But offering voters a voting method that is not secure and cannot ensure
their vote will be counted as they were cast does them, and this country, no
favors. Given the stakes, online voting should be shelved until it can be
made secure.
Mr. McConnell is senior vice president at the EastWest Institute in New York,
and the former deputy under secretary for cybersecurity at the U.S. Department
of Homeland Security. Ms. Smith is president of Verified Voting Foundation.
Date: Fri, 6 Jun 2014 10:45:48 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: New bugs found in software that caused Heartbleed cyberthreat
Jim Finkle, Reuters, 5 Jun 2014
Seven more new security fixes for SSL just released!
Incidentally, Scytl (whose website says they have secure election management
and online voting solutions) has claimed their systems were not vulnerable
to Heartbleed -- because they were not using the Heartbleed versions of
OpenSSL. Nevertheless, they are vulnerable to the new bugs!
As always, RISKS readers must tend to believe that Internet voting is an
INHERENTLY BAD IDEA.
Date: Thu, 29 May 2014 16:02:29 -0500 (CDT)
From: kashotting () verizon net
Subject: Massive Baltimore speed camera system errors
The good news is we now know that, though fining 70,000 innocent drivers is
outrageous, fining 14,000 is acceptable!
Date: Mon, 26 May 2014 22:20:20 -0400 (EDT)
From: Stephen Unger <unger () cs columbia edu>
Subject: Is Progress in Technology Always Beneficial?
Isn't it obvious that it is always good to acquire more scientific knowledge
and engineering know-how, and to apply it to produce new products, or to
improve the way we produce existing products? Maybe not! I'll bet that you
can think of items that you wish did not exist. Apart from this list, how
about artifacts or processes that you can imagine, but that you would be
relieved to learn could *not* be produced or implemented? How about new
technology that seems nice, and is being eagerly purchased and used by many,
but where there are disturbing indications that there may be serious
problems that won't surface for decades?
My thoughts on this subject are accessible at:
Stephen H. Unger, Professor Emeritus, Computer Science and Electrical
Engineering, Columbia University
Date: Tue, 3 Jun 2014 09:45:18 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Critical new bug in GnuTLS crypto library leaves Linux,
apps open to drive-by attacks
Ars Technica via NNSquad
``A recently discovered bug in the GnuTLS cryptographic code library puts
users of Linux and hundreds of other open source packages at risk of
surreptitious malware attacks until they incorporate a fix developers
quietly pushed out late last week. Maliciously configured servers can
exploit the bug by sending malformed data to devices as they establish
encrypted HTTPS connections. Devices that rely on an unpatched version of
GnuTLS can then be remotely hijacked by malicious code of the attacker's
choosing, security researchers who examined the fix warned.''
Date: Mon, 26 May 2014 10:33:36 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Unsafe cookies leave WordPress accounts open to hijacking, 2-factor bypass
Ars Technica via NNSquad
"Memo to anyone who logs in to a WordPress-hosted blog from a public Wi-Fi
connection or other unsecured network: It's trivial for the script kiddie
a few tables down to hijack your site even if it's protected by two-factor
authentication. Yan Zhu, a staff technologist at the Electronic Frontier
Foundation, came to that determination after noticing that WordPress
servers send a key browser cookie in plain text, rather than encrypting
it, as long mandated by widely accepted security practices."
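The failure mode in the item above, as a defensive check (an added example, not code from the article, from Yan Zhu or from WordPress): a cookie set without the Secure attribute is attached by the browser to plain http:// requests, so it crosses an open Wi-Fi network unencrypted. The response headers and cookie names below are constructed, and the name-based heuristic for spotting login cookies is an assumption.

```python
"""Audit HTTP response headers for cookies a browser would send over
unencrypted HTTP (no Secure attribute) or expose to page scripts (no
HttpOnly). Added example; not code from the article or from WordPress.
The response below is constructed and the cookie names are made up."""

# Constructed sample response headers, one header field per line.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=UTF-8",
    # Login cookie with HttpOnly but no Secure: the browser attaches it to
    # any http:// request for the site, so it travels in the clear.
    "Set-Cookie: example_logged_in=alice%7C1400000000%7Cc0ffee; Path=/; HttpOnly",
    # Correctly protected session cookie.
    "Set-Cookie: example_sess=abc123; Path=/; Secure; HttpOnly",
    # Preference cookie: missing both flags, but it carries no authority.
    "Set-Cookie: locale=en; Path=/",
    # Auth token that page scripts can read.
    "Set-Cookie: auth_token=xyz789; Path=/; Secure",
]

# Assumed name fragments that usually mark a cookie as carrying login state.
SESSION_HINTS = ("logged_in", "sess", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Return (name, value, attrs) for one Set-Cookie field value.

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def sent_in_clear(attrs):
    """True if a browser would include this cookie on a plain http:// request."""
    return "secure" not in attrs


def is_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit(header_lines):
    """Return [(cookie_name, missing_attributes, looks_like_session)] for
    every Set-Cookie header that lacks Secure or HttpOnly."""
    findings = []
    for line in header_lines:
        field_name, _, field_value = line.partition(":")
        if field_name.strip().lower() != "set-cookie":
            continue
        name, _value, attrs = parse_set_cookie(field_value.strip())
        missing = []
        if sent_in_clear(attrs):
            missing.append("Secure")
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if missing:
            findings.append((name, tuple(missing), is_session_cookie(name)))
    return findings


def report(header_lines):
    """Human-readable findings, login-state cookies first."""
    lines = []
    for name, missing, session in sorted(audit(header_lines), key=lambda f: not f[2]):
        # A login cookie crossing the wire unencrypted is the hijack case.
        severity = "HIGH" if session and "Secure" in missing else "low"
        lines.append(f"[{severity}] {name}: missing {', '.join(missing)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_HEADERS)))
```

The same audit can be pointed at real headers captured with any HTTP client; a login cookie reported as missing Secure is the condition the article describes.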
Date: May 25, 2014 at 17:57:57 EDT
From: Monty Solomon <monty () roscom com>
Subject: Researchers find a global botnet of infected PoS systems
Researchers find a global botnet of infected PoS systems
The botnet contained almost 1,500 compromised point-of-sale and other
retail systems from 36 countries, researchers from IntelCrawler said
Lucian Constantin, *Computerworld*, 23 May 2014
Security researchers uncovered a global cybercriminal operation that
infected with malware almost 1,500 point-of-sale (PoS) terminals, accounting
systems and other retail back-office platforms from businesses in 36
The infected systems were joined together in a botnet that researchers from
cybercrime intelligence firm IntelCrawler dubbed Nemanja. The researchers
believe the attackers behind the operation might be from Serbia.
The size of the botnet and the worldwide distribution of infected systems
brings into perspective the security problems faced by retailers from around
the world, problems that were also highlighted by the recent PoS breaches at
several large U.S. retailers. ...
Date: Fri, 30 May 2014 12:34:09 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: New federal database will track Americans' credit ratings,
other financial information
FYI -- When (not "if") this database gets hacked, it's game over, and we
know that the NSA is at least one of the hackers.
Also, what is to keep politicians from accessing this database for targeting
Richard Pollock, *Washington Examiner*, 30 May 2014
As many as 227 million Americans may be compelled to disclose intimate
details of their families and financial lives -- including their Social
Security numbers -- in a new national database being assembled by two
The Federal Housing Finance Agency and the Consumer Financial Protection
Bureau posted an April 16 Federal Register notice of an expansion of their
joint National Mortgage Database Program to include personally identifiable
information that reveals actual users, a reversal of previously stated
FHFA will manage the database and share it with CFPB. A CFPB internal
planning document for 2013-17 describes the bureau as monitoring 95 percent
of all mortgage transactions.
FHFA officials claim the database is essential to conducting a monthly
mortgage survey required by the Housing and Economic Recovery Act of 2008
and to help it prepare an annual report for Congress.
Critics, however, question the need for such a ``vast database'' for
simple reporting purposes.
In a May 15 letter to FHFA Director Mel Watt and CFPB Director Richard
Cordray, Rep. Jeb Hensarling, R-Texas, and Sen. Mike Crapo, R-Idaho,
charged, "this expansion represents an unwarranted intrusion into the
private lives of ordinary Americans." ...
Critics also warn the new database will be vulnerable to cyber attacks that
could put private information about millions of consumers at risk. They also
question the agency's authority to collect such information.
[Long item truncated for RISKS. PGN]
Date: June 3, 2014 at 1:03:11 PM EDT
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: How the NSA Could Bug Your Powered-Off iPhone, and How to Stop Them
[Via Dave Farber, who notes ``That's why it is nice to have a removable
battery and/or a package made from heavy duty aluminum foil.'']
Andy Greenberg, *WiReD*, 3 Jun 2014
Just because you turned off your phone doesn't mean the NSA isn't using it
to spy on you.
Edward Snowden's latest revelation about the NSA's snooping inspired an
extra dose of shock and disbelief when he said the agency's hackers can use
a mobile phone as a bug even after it's been turned off. The whistleblower
made that eye-opening claim when Brian Williams of NBC Nightly News, holding
his iPhone aloft during last Wednesday's interview, asked, ``What can the
NSA do with this device if they want to get into my life? Can anyone turn it
on remotely if it's off? Can they turn on apps?''
``They can absolutely turn them on with the power turned off to the
device,'' Snowden replied.
Snowden didn't offer any details on this seemingly magical feat. But a group
of particularly cunning iPhone hackers say it's possible. They also say you
can totally and completely turn off your iPhone so no one -- not even the
NSA -- can use it to spy on you.
Your Phone Is Playing Dead
Like any magic trick, the most plausible method of eavesdropping through a
switched-off phone starts with an illusion. Security researchers posit that
if an attacker has a chance to install malware before you shut down your
phone, that software could make the phone look like it's shutting down --
complete with a fake ``slide to power off'' screen. Instead of powering
down, it enters a low-power mode that leaves its baseband chip -- which
controls communication with the carrier -- on.
This ``playing dead'' state would allow the phone to receive commands,
including one to activate its microphone, says Eric McDonald, a hardware
engineer in Los Angeles. McDonald is also a member of the Evad3rs, a team of
iPhone hackers who created jailbreaks for the two previous iPhone operating
systems. If the NSA used an exploit like those McDonald's worked on to
infect a phone with malware that fakes a shutdown, ``the screen would look
black and nothing would happen if you pressed buttons,'' he says. ``But it's
conceivable that the baseband is still on, or turns on periodically. And it
would be very difficult to know whether the phone has been compromised.''
Date: May 31, 2014 at 4:14:37 PM EDT
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: Daniel Ellsberg: Snowden would not get a fair trial; Kerry is wrong
[Note: This item comes from friend Janos Gereben. DLH (via Dave Farber)]
Daniel Ellsberg, *The Guardian*, 30 May 2014
Edward Snowden is the greatest patriot whistleblower of our time, and he
knows what I learned more than four decades ago: until the Espionage Act
gets reformed, he can never come home safe and receive justice
John Kerry was in my mind Wednesday morning, and not because he had called
me a patriot on NBC News. I was reading the lead story in the New York Times
-- US Troops to Leave Afghanistan by End of 2016 -- with a photo of
American soldiers looking for caves. I recalled not the Secretary of State
but a 27-year-old Kerry, asking, as he testified to the Senate about the US
troops who were still in Vietnam and were to remain for another two years:
How do you ask a man to be the last man to die for a mistake?
I wondered how a 70-year-old Kerry would relate to that question as he
looked at that picture and that headline. And then there he was on MSNBC an
hour later, thinking about me, too, during a round of interviews about
Afghanistan that inevitably turned to Edward Snowden ahead of my fellow
whistleblower's own primetime interview that night:
There are many a patriot -- you can go back to the Pentagon Papers with Dan
Ellsberg and others who stood and went to the court system of America and
made their case. Edward Snowden is a coward, he is a traitor, and he has
betrayed his country. And if he wants to come home tomorrow to face the
music, he can do so.
On the Today show and CBS, Kerry complimented me again -- and said Snowden
``should man up and come back to the United States'' to face charges. But
John Kerry is wrong, because that's not the measure of patriotism when it
comes to whistleblowing, for me or Snowden, who is facing the same criminal
charges I did for exposing the Pentagon Papers.
As Snowden told Brian Williams on NBC later that night and Snowden's lawyer
told me the next morning, he would have no chance whatsoever to come home
and make his case -- in public or in court.
Snowden would come back home to a jail cell -- and not just an ordinary
cell-block but isolation in solitary confinement, not just for months like
Chelsea Manning but for the rest of his sentence, and probably the rest of
his life. His legal adviser, Ben Wizner, told me that he estimates Snowden's
chance of being allowed out on bail as zero. (I was out on bond, speaking
against the Vietnam war, the whole 23 months I was under indictment).
More importantly, the current state of whistleblowing prosecutions under the
Espionage Act makes a truly fair trial wholly unavailable to an American who
has exposed classified wrongdoing. Legal scholars have strongly argued that
the US supreme court -- which has never yet addressed the constitutionality
of applying the Espionage Act to leaks to the American public -- should find
the use of it overbroad and unconstitutional in the absence of a public
interest defense. The Espionage Act, as applied to whistleblowers, violates
the First Amendment, is what they're saying.
As I know from my own case, even Snowden's own testimony on the stand would
be gagged by government objections and the (arguably unconstitutional)
nature of his charges. That was my own experience in court, as the first
American to be prosecuted under the Espionage Act -- or any other statute --
for giving information to the American people.
I had looked forward to offering a fuller account in my trial than I had
given previously to any journalist -- any Glenn Greenwald or Brian Williams
of my time -- as to the considerations that led me to copy and distribute
thousands of pages of top-secret documents. I had saved many details until I
could present them on the stand, under oath, just as a young John Kerry had
delivered his strongest lines in sworn testimony.
Date: Sun, 1 Jun 2014 05:30:02 -0400
From: "David Farber via ip" <ip () listbox com>
Subject: NSA Collecting Millions of Faces From Web Images - NYTimes.com
The National Security Agency is harvesting huge numbers of images of people
from communications that it intercepts through its global surveillance
operations for use in sophisticated facial recognition programs, according
to top-secret documents.
The spy agency's reliance on facial recognition technology has grown
significantly over the last four years as the agency has turned to new
software to exploit the flood of images included in emails, text messages,
social media, videoconferences and other communications, the
N.S.A. documents reveal. Agency officials believe that technological
advances could revolutionize the way that the N.S.A. finds intelligence
targets around the world, the documents show. The agency's ambitions for
this highly sensitive ability and the scale of its effort have not
previously been disclosed.
The agency intercepts ``millions of images per day'' -- including about
55,000 ``facial recognition quality images'' -- which translate into
``tremendous untapped potential,'' according to 2011 documents obtained from
the former agency contractor Edward J. Snowden. While once focused on
written and oral communications, the N.S.A. now considers facial images,
fingerprints and other identifiers just as important to its mission of
tracking suspected terrorists and other intelligence targets, the documents
Date: May 27, 2014 at 6:27:49 PM EDT
From: Mike O'Dell <mo () ccr org>
Subject: Re: How the NSA tampers with U.S.-made Internet routers
The things that have been revealed about how the U.S. has behaved in the
last 15 years are precisely the things which, during the Cold War, were
cited as things the U.S. would never do, and hence distinguished the
U.S. from The Bad Guys.
If we don't want to be The Bad Guys, stop pretending we can behave like them
and get away with it.
The entire purpose of the Constitution was to ensure that the government
isn't making up rules as it sees fit for its convenience.
The fact that nobody has gone to jail for the gross violations committed
over the last 15 years is a Constitutional Atrocity. The fact the Supreme
Court has decided to have the Constitution reprinted on 4"x4" squares in 400
sheet rolls doesn't make it right; it only makes it legal.
Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-request () csl sri com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
End of RISKS-FORUM Digest 27.96