RISKS Forum mailing list archives
Risks Digest 28.48
From: RISKS List Owner <risko () csl sri com>
Date: Thu, 29 Jan 2015 12:04:24 PST
RISKS-LIST: Risks-Forum Digest  Thursday 29 January 2015  Volume 28 : Issue 48

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.48.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Lack of encryption makes official NFL mobile app spearphisher's dream
  (Ars via Lauren Weinstein)
plofkraak, or blowing up ATMs for fun and profit (Ed Ravin)
Verizon's Mobile Supercookies Seen as Threat to Privacy
  (Natasha Singer and Brian X Chen via Dave Farber)
France wants to make Google and Facebook accountable for hate speech
  (The Verge via Lauren Weinstein)
IETF promotes ARPANET RFC 20 /ASCII format/ to Internet Standard!
  (Lauren Weinstein)
Being clever vs. being smart (Geoff Kuenning)
U.S. Spies on Millions of Cars (Devlin Barrett via Dewayne Hendricks,
  Lauren Weinstein, David S. H. Rosenthal, Rich Kulawiec)
Re: Who owns your computer? (Anthony Thorn)
Kaspersky: Regin malware likely from 5Eyes (Henry Baker)
Re: Schneider ... hardcoded credentials (Dimitri Maziuk, Wols)
Re: People upset that the E-911 folk want to use GLONASS (Richard I. Cook)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 27 Jan 2015 08:45:48 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Lack of encryption makes official NFL mobile app spearphisher's dream

Ars via NNSquad
http://arstechnica.com/security/2015/01/lack-of-encryption-makes-official-nfl-mobile-app-a-spear-phishers-dream/

  "The National Football League's official app for both iOS and Android puts
  users at risk by leaking their usernames, passwords, and e-mail addresses
  in plaintext to anyone who may be monitoring the traffic, according to a
  report published just five days before Superbowl LXIX, traditionally one
  of the world's most popular sporting events."

    [I hope it cannot be blamed for leaking footballs?  PGN]

------------------------------

Date: Tue, 27 Jan 2015 22:43:14 -0500
From: Ed Ravin <eravin () panix com>
Subject: plofkraak, or blowing up ATMs for fun and profit

Europe's relatively good credit card security (i.e., Chip & Pin) is
suspected as the cause of the increase in "plofkraak" attacks on ATM
machines where the interior of the ATM is filled with explosive gas in
order to breach its cash drawer:

  http://www.bloomberg.com/graphics/2015-atm-bombers/

So far this hasn't happened yet in the USA, but it stands to reason that if
all the harder ways of stealing money from ATMs get fixed, the technique
will spread there as well, just like carjacking became more popular as cars
got harder to hot-wire or otherwise break into.

  [Can we do something with "The Love Song of J. Alfred Plofkraak"?  ER]
  [Maybe it's a spoonerism on ProfKlaak?  PGN]

------------------------------

Date: Mon, 26 Jan 2015 10:14:10 -0500
From: "David Farber via ip" <ip () listbox com>
Subject: Verizon's Mobile Supercookies Seen as Threat to Privacy
  (Natasha Singer and Brian X Chen)

Natasha Singer and Brian X Chen, *The New York Times*, 26 Jan 2015
http://www.nytimes.com/2015/01/26/technology/verizons-mobile-supercookies-seen-as-threat-to-privacy.html?ref=technology&_r=0

For the last several months, cybersecurity experts have been warning Verizon
Wireless that it was putting the privacy of its customers at risk.  The
computer codes the company uses to tag and follow its mobile subscribers
around the web, they said, could make those consumers vulnerable to covert
tracking and profiling.

It looks as if there was reason to worry.

This month Jonathan Mayer, a lawyer and computer science graduate student at
Stanford University, reported on his blog that Turn, an advertising software
company, was using Verizon's unique customer codes to regenerate its own
tracking tags after consumers had chosen to delete what is called a cookie
-- a little bit of code that can stick with your web browser after you have
visited a site.  In effect, Turn found a way to keep tracking visitors even
after they tried to delete their digital footprints.

The episode shined a spotlight on a privacy issue that is particularly
pronounced at Verizon.  The company's customer codes, called unique ID
headers, have troubled some data security and privacy experts who say
Verizon has introduced a persistent, hidden tracking mechanism into apps and
browsers that third parties could easily exploit.  While Internet users can
choose to delete their regular cookies, Verizon Wireless users cannot delete
the company's so-called supercookies.

  [... Long article truncated for RISKS.  PGN]
  [Also noted by Matthew Kruk.  PGN]

------------------------------

Date: Tue, 27 Jan 2015 23:17:04 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: France wants to make Google and Facebook accountable for hate speech

The Verge via NNSquad
http://www.theverge.com/2015/1/27/7921463/google-facebook-accountable-for-hate-speech-france

  The French government announced today a plan to hold web companies
  accountable for any extremist messages they may host, Bloomberg reports.
  French president Francois Hollande wants to introduce a law that would
  make companies like Google and Facebook "accomplices" in crimes of hate
  speech if users post content the government deems extremist.

 - - -

Apparently, Europe wants to censor the world.

------------------------------

Date: Tue, 27 Jan 2015 22:06:27 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: IETF promotes ARPANET RFC 20 /ASCII format/ to Internet Standard!

Meanwhile, in other news, the IETF has promoted ARPANET Request For Comments
20 ("ASCII format for network interchange" - Author Vint Cerf of UCLA -
October 16, 1969 - http://datatracker.ietf.org/doc/rfc20/ ) to full Internet
Standards status:

  http://datatracker.ietf.org/doc/status-change-rfc20-ascii-format-to-standard/
  (2015-01-12)

Now, no more complaints about slow standards tracks!

------------------------------

Date: Tue, 27 Jan 2015 20:43:22 -0800
From: Geoff Kuenning <geoff () cs hmc edu>
Subject: Being clever vs. being smart

A colleague of mine likes to distinguish being "clever" (e.g., trying to
outguess the stock market) from being "smart" (e.g., buying a low-overhead
index fund).

A couple of years ago our college built a new classroom building.  It was
outfitted with state-of-the-art A/V technology.  Naturally, it had what were
called "glitches" (e.g., a blackboard blocked by a screen that wouldn't go
up because the projector's bulb had burned out) but most of those were
eventually squashed.

One of the shiny new features is cross-classroom broadcast.  The idea is
that if the main lecture hall fills up, the overflow crowd can be seated in
another room and watch the show on video.  The broadcast system is very
flexible in terms of who can be a source or a sink.  Of course it all goes
through a centralized control system so that the A/V people can configure it
without leaving their desks.

Last night I rehearsed a presentation with a team of students; everything
went smoothly.  Today in the same hall, the audio refused to work properly.
The students' voices cut in and out as if somebody were randomly flipping
the power switch; nothing we or the A/V people in the sound booth could do
seemed to fix the problem.  Eventually we gave up and just asked the
students to speak loudly.

It turns out that the fancy cross-broadcast software was the culprit.  A
presentation in another room was being fed into the central control system,
and somehow that audio interfered with ours (perhaps a priority system was
choosing one or the other based on which was louder at the moment?).

Clever, but not smart.  The cross-broadcast feature is almost never used.
Nor is there a real requirement for centralized control (which takes power
out of the hands of the people in the sound booth, who can hear what is
going on).  But the people who designed the system went for shininess over
robustness.

Geoff Kuenning   geoff () cs hmc edu   http://www.cs.hmc.edu/~geoff/

One could not be a successful scientist without realizing that, in contrast
to the popular conception supported by newspapers and mothers of scientists,
a goodly number of scientists are not only narrow-minded and dull, but also
just stupid.  -- James Watson

------------------------------

Date: Tuesday, January 27, 2015
From: *Hendricks Dewayne* <dewayne () warpspeed com>
Subject: U.S. Spies on Millions of Cars (Devlin Barrett)

Devlin Barrett, *Wall Street Journal*, 26 Jan 2015 (via Dave Farber)
DEA Uses License-Plate Readers to Build Database for Federal, Local Authorities
http://www.wsj.com/articles/u-s-spies-on-millions-of-cars-1422314779

WASHINGTON -- The Justice Department has been building a national database
to track in real time the movement of vehicles around the U.S., a secret
domestic intelligence-gathering program that scans and stores hundreds of
millions of records about motorists, according to current and former
officials and government documents.

The primary goal of the license-plate tracking program, run by the Drug
Enforcement Administration, is to seize cars, cash and other assets to
combat drug trafficking, according to one government document.  But the
database's use has expanded to hunt for vehicles associated with numerous
other potential crimes, from kidnappings to killings to rape suspects, say
people familiar with the matter.

Officials have publicly said that they track vehicles near the border with
Mexico to help fight drug cartels.  What hasn't been previously disclosed is
that the DEA has spent years working to expand the database ``throughout the
United States,'' according to one email reviewed by The Wall Street Journal.

Many state and local law-enforcement agencies are accessing the database for
a variety of investigations, according to people familiar with the program,
putting a wealth of information in the hands of local officials who can
track vehicles in real time on major roadways.

The database raises new questions about privacy and the scope of government
surveillance.  The existence of the program and its expansion were described
in interviews with current and former government officials, and in documents
obtained by the American Civil Liberties Union through a Freedom of
Information Act request and reviewed by The Wall Street Journal.  It is
unclear if any court oversees or approves the intelligence-gathering.

A spokesman for Justice Department, which includes the DEA, said the program
complies with federal law.  ``It is not new that the DEA uses the
license-plate reader program to arrest criminals and stop the flow of drugs
in areas of high trafficking intensity,'' the spokesman said.

Sen. Patrick Leahy, senior Democrat on the Senate Judiciary Committee, said
the government's use of license-plate readers ``raises significant privacy
concerns.  The fact that this intrusive technology is potentially being used
to expand the reach of the government's asset-forfeiture efforts is of even
greater concern.''  The senator called for ``additional accountability'' and
said Americans shouldn't have to fear ``their locations and movements are
constantly being tracked and stored in a massive government database.''

  [...]

------------------------------

Date: Mon, 26 Jan 2015 18:04:04 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Re: U.S. Spies on Millions of Cars

FOIA Documents Reveal Massive DEA Program to Record American's Whereabouts
With License Plate Readers

ACLU via NNSquad
https://www.aclu.org/blog/technology-and-liberty-criminal-law-reform/foia-documents-reveal-massive-dea-program-record-ame

  "The Drug Enforcement Administration has initiated a massive national
  license plate reader program with major civil liberties concerns but
  disclosed very few details, according to new DEA documents obtained by
  the ACLU through the Freedom of Information Act.  The DEA is currently
  operating a National License Plate Recognition initiative that connects
  DEA license plate readers with those of other law enforcement agencies
  around the country."

------------------------------

Date: January 27, 2015 at 13:22:25 EST
From: "David S. H. Rosenthal" <dshr () abitare org>
Subject: Re: U.S. Spies on Millions of Cars (via DLH and Dave Farber)

And here's why they're doing it - as Deep Throat said "follow the money":

  <https://www.emptywheel.net/2015/01/27/double-duty-dragnets/>

------------------------------

Date: Jan 27, 2015 3:24 PM
From: "Rich Kulawiec" <rsk () gsp org>
Subject: Re: U.S. Spies on Millions of Cars (via Dave Farber)

There are many objectionable things about this program, but one that's
(perhaps) less than obvious is that the databases being constructed by it
are *enormously* tempting targets for third parties.  To stalkers,
kidnappers, spies, pedophiles, rapists, blackmailers, extortionists and
other people, this is a motherlode just waiting to be mined.  (And the best
part?  They don't have to spend the money to compile it.  It's already been
paid for by US citizens.)

I'm sure we'll be told that it's being gathered, stored, and searched
securely.  And that it will never be misused.  And that it will never be
breached or leaked.  And that it's completely immune from this:

  New report: DHS is a mess of cybersecurity incompetence
  http://www.zdnet.com/article/new-report-the-dhs-is-a-mess-of-cybersecurity-incompetence/

------------------------------

Date: Tue, 27 Jan 2015 10:19:15 +0100
From: Anthony Thorn <anthony.thorn () atss ch>
Subject: Re: Who owns your computer? (RISKS-28.47)

Henry Baker is right that our computers (and routers etc.) are owned by the
manufacturers and their suppliers (and anyone who hacks them), but the
proposed test "can I reflash its operating system with contents of my
choosing" does not go far enough.

Code in the BIOS can be used to insert backdoors in a subsequently reloaded
operating system, and logically the BIOS updating mechanism and credentials
must also be trusted.

We never believed in 100% security, did we?
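
As an added illustration of the point in the preceding post (example code
added here, not from the post or from any vendor): a toy measured-boot
verifier in Python.  It assumes a TPM-style PCR extend and uses constructed
stand-in images, and it shows that a check limited to the reflashed OS
image passes while the firmware-inclusive chain fails once the BIOS differs.

```python
# Added example (not from the RISKS post): a toy measured-boot verifier that
# illustrates the argument that a clean OS reflash is only meaningful if the
# firmware that loads it is also measured and trusted.  The extend arithmetic
# mirrors a TPM PCR; every image and "golden" value below is constructed for
# the demonstration and is not real firmware.
import hashlib


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend_chain(components):
    """TPM-style extend: pcr = H(pcr || H(component)), starting from 32 zero bytes.

    The result depends on every stage in order, so a change in an earlier stage
    (e.g. the BIOS) changes the final value even if later stages are pristine.
    """
    pcr = bytes(32)
    for image in components:
        pcr = _sha256(pcr + _sha256(image))
    return pcr


# Constructed stand-ins for the images a verifier would hold golden values for.
GOLDEN_BIOS = b"vendor-bios-v1.2 (constructed sample)"
GOLDEN_LOADER = b"bootloader-v3 (constructed sample)"
GOLDEN_OS = b"os-image-2015.01 (constructed sample)"
GOLDEN_CHAIN = extend_chain([GOLDEN_BIOS, GOLDEN_LOADER, GOLDEN_OS])


def os_only_check(os_image: bytes) -> bool:
    """The weaker test from the thread: 'can I reflash the OS with contents of
    my choosing?' answered by hashing only the OS image.  Says nothing about
    the BIOS that loads it."""
    return _sha256(os_image) == _sha256(GOLDEN_OS)


def full_chain_check(bios: bytes, loader: bytes, os_image: bytes) -> bool:
    """The stronger test: the whole measured chain, firmware included, must
    match the golden chain."""
    return extend_chain([bios, loader, os_image]) == GOLDEN_CHAIN


def evaluate(bios: bytes, loader: bytes, os_image: bytes) -> dict:
    """Run both checks on one machine state so the gap between them is visible."""
    return {
        "os_only_passes": os_only_check(os_image),
        "full_chain_passes": full_chain_check(bios, loader, os_image),
    }


if __name__ == "__main__":
    # Scenario 1: everything pristine; both checks pass.
    print("clean machine:", evaluate(GOLDEN_BIOS, GOLDEN_LOADER, GOLDEN_OS))
    # Scenario 2: BIOS modified (constructed), then the OS reflashed from a
    # clean image.  The OS-only check still passes; the chain check does not.
    tampered_bios = GOLDEN_BIOS + b" +implanted-module (constructed)"
    print("tampered BIOS, reflashed OS:",
          evaluate(tampered_bios, GOLDEN_LOADER, GOLDEN_OS))
```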

------------------------------

Date: Tue, 27 Jan 2015 07:01:34 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: Kaspersky: Regin malware likely from 5Eyes

FYI -- Security researchers are shocked, shocked...

Michael Mimoso, ThreatPost, 27 Jan 2015
Researchers Link Regin to Malware Disclosed in Recent Snowden Documents
https://threatpost.com/researchers-link-regin-to-malware-disclosed-in-recent-snowden-documents/110667

Researchers at Kaspersky Lab have discovered shared code and functionality
between the Regin malware platform and a similar platform described in a
newly disclosed set of Edward Snowden documents 10 days ago by Germany's Der
Spiegel.

The link, found in a keylogger called QWERTY allegedly used by the so-called
Five Eyes, leads them to conclude that the developers of each platform are
either the same, or work closely together.

``Considering the extreme complexity of the Regin platform and little chance
that it can be duplicated by somebody without having access to its source
codes, we conclude the QWERTY malware developers and the Regin developers
are the same or working together,'' wrote Kaspersky Lab researchers Costin
Raiu and Igor Soumenkov today in a published report.

The Der Spiegel article describes how the U.S. National Security Agency, the
U.K.'s GCHQ and the rest of the Five Eyes are allegedly developing offensive
Internet-based capabilities to attack computer networks managing the
critical infrastructure of its adversaries.  The new Snowden documents,
disclosed by Laura Poitras and a collection of eight security and privacy
technologists and experts, also include an overview of a malware platform
called WARRIORPRIDE.  Within WARRIORPRIDE is QWERTY, a module that logs
keystrokes from compromised Windows machines; Der Spiegel said the malware
is likely several years old and has likely already been replaced.

The magazine released QWERTY to the public upon publication of its article.
It describes QWERTY's structure as `simple' and said there is a core driver
called QWERTYKM that interacts with the Windows keyboard manager, and a
QWERTYLP library which logs and stores keystrokes for analysis.  Der Spiegel
said after its examination of binary files, various components and libraries
it's likely there's a connection between WARRIORPRIDE and the Australian
Signals Directorate, an Aussie government intelligence agency.

Kaspersky researchers Raiu and Soumenkov said after analysis that the QWERTY
malware is identical in functionality to a particular Regin plugin.

Raiu and Soumenkov said researchers took apart the QWERTY module and found
three binaries and configuration files.  One binary called 20123.sys is a
kernel mode component of the QWERTY keylogger that was built from source
code also found in a Regin module, a plug-in called 50251.  In a report
published today, side-by-side comparisons of the respective source code
shows they are close to identical, sharing large chunks of code.

The researchers said that one piece of code in particular references
plug-ins from the Regin platform and is used in QWERTY and its Regin
counterpart.  It addresses a Regin plug-in, called 50225, that is
responsible for kernel-mode hooking, the Kaspersky researchers said.

``This is solid proof that the QWERTY plugin can only operate as part of the
Regin platform, leveraging the kernel hooking functions from plugin 50225,''
Raiu and Soumenkov wrote.  ``As an additional proof that both modules use
the same software platform, we can take a look at functions exported by
ordinal 1 of both modules.  They contain the startup code that can be found
in any other plugin of Regin, and include the actual plugin number that is
registered within the platform to allow further addressing of the module.
This only makes sense if the modules are used with the Regin platform
orchestrator.''

The Regin malware platform was disclosed in late November by Kaspersky Lab
and it was quickly labeled one of the most advanced espionage malware
platforms ever studied, surpassing even Stuxnet and Flame in complexity.
The platform is used to steal secrets from government agencies, research
institutions, banks and can even be tweaked to attack GSM telecom network
operators.

Last week, Kaspersky researchers published another Regin report, this one
describing two standalone modules used for lateral movement and to establish
a backdoor in order to move data off compromised machines.  The modules,
named Hopscotch and Legspin, have also likely been retired given they were
developed perhaps more than a decade ago.

------------------------------

Date: Mon, 26 Jan 2015 17:57:33 -0600
From: Dimitri Maziuk <dmaziuk () bmrb wisc edu>
Subject: Re: Schneider ... hardcoded credentials (Gezelter, RISKS-28.47)

Yeah, well.  You can have a SAFE brick or the UNSAFE built-in hardcoded
credentials.  You choose.

Consider getting locks that ensure nobody will be able to get into the
house, ever, after you lose the key.

Sadly, "encased in concrete and dropped to the bottom of the sea" still
applies.

Dimitri Maziuk, BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu

------------------------------

Date: Tue, 27 Jan 2015 15:57:48 +0000
From: Wols Lists <antlists () youngman org uk>
Subject: Re: Schneider ... contains hardcoded credentials (Baker)

I am [re]minded of the Dick Feynman story (part of his safe-cracker legend)
where he was called in, shortly after the war, to try and get into some
general's top secret safe, said general having left the service.

Recalling that many safes shipped with an initial combination of 0000 or
01234, he tried them, and opened the safe at the first attempt.
Considerably enhancing his reputation as a safe cracker in the process.

------------------------------

Date: Tue, 27 Jan 2015 09:15:37 +0100
From: "Richard I. Cook, MD" <ricookmd () gmail com>
Subject: Re: People upset that the E-911 folk want to use GLONASS (RISKS 28.47)

http://www.nena.org/news/news.asp?id=212385

NENA Responds to Unfounded GLONASS Concerns
Thursday, January 22, 2015
Posted by: Chris Nussman

Statement of NENA: The 9-1-1 Association

The recently-announced Roadmap for Wireless E9-1-1 Location Accuracy
improvements is not a `carrier plan'.  It is a consensus plan negotiated by
the national associations representing the 9-1-1 and field responder radio
communities, NENA and APCO, and agreed to by the four national wireless
carriers.  The plan does contemplate carrier use of Assisted Global
Navigation Satellite Systems (A-GNSS) -- including both the U.S. NavStar/GPS
system and the Russian GLONASS system -- as one aspect of a multi-pronged
approach to improving wireless E9-1-1 location accuracy.

The consensus plan discusses the GLONASS system as a new component of
handset A-GNSS capabilities because it is the only globally-available GNSS,
other than NavStar/GPS that is currently operating.  The consensus plan does
not restrict carriers' ability to add or substitute other GNSSs, such as the
European Galileo and Chinese BeiDou constellations, as those systems come
online over the next 5-7 years.  However, neither of these systems is
currently available.

Because handset A-GNSS chips can operate with any combination of satellites
from any supported constellation, adding GLONASS support to existing GPS
capabilities will not provide the Russian Federation with any leverage over
U.S. 911 capabilities: Even if the GLONASS system were shut-down completely,
handsets in locations with clear views of the sky could still calculate
location estimates based solely on measurements of U.S. GPS satellite
signals.  Even if Russia attempted to somehow degrade the performance of its
satellite network, both carrier networks and consumer handsets would be
capable of detecting erroneous signals and rejecting them from a position
fix.

The consensus Roadmap makes available the full panoply of rapidly-advancing
commercial location technologies for E9-1-1 use for the first time.  In the
event of a GLONASS failure or shut-down, other high-accuracy handset and
network-based technologies -- including the ability to return the exact
address (including apartment, suite, or floor number) of the caller's
location -- will still be available.

It's true that an NDAA amendment places limits on the proposed construction
of Russian monitoring facilities on U.S. soil.  That amendment, however,
will not impact the availability of GLONASS ranging.  Transportation and
other critical life-safety sectors are rapidly adopting multi-constellation
GNSS technology -- including GLONASS -- because of its ability to improve
fix yield and quality.

Using GLONASS, GPS, or any other A-GNSS system would not give any government
power over consumers' 911 calls: These systems are `receive-only', and no
signals from consumer handsets are ever transmitted to a GNSS satellite.

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try browsing
 on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.48
************************