The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 66

Tuesday 6 December 2011

Contents

Civilian Use of Drone Aircraft May Soon Fly In the US
W. J. Hennigan
Underpublicized risks of mobile devices
Valdis Kletnieks
Comedy of Errors Led to False "Water Pump Hack" Report
Kim Zetter via Lauren Weinstein
GCHQ code-cracking challenge "cracked"—by a Google search!
Robert Meineke
Ongoing large-scale distributed SSH brute-force attack
Jonathan Kamens
Skype flaw reveals users' location, file-downloading habits
Joan Goodchild via Monty Solomon
"Security researchers say HP printers vulnerable to hackers"
Gene Wirchenko
HP printers can be remotely controlled and set on fire, researchers claim
Jon Brodkin via Monty Solomon
The risks of information sharing?
Steven Bellovin
Exam Cheating on Long Island Hardly a Secret
Anderson/Applebome
Apple iTunes ... Trojan horse that gives governments access to your computer and files
Gordon Peterson
Sneaky Mobile Ads Invade Android Phones
Tom Spring via Monty Solomon
"Carrier IQ: The Sony rootkit all over again"
Robert X. Cringely
"CarrierIQ" on various mobile handsets
Android Security Test
Re: Carrier IQ May Have Violated Wiretap Law In Millions Of Cases
Declan McCullagh
"Carrier IQ and Facebook pose the least of your privacy threats"
Galen Gruman
AT&T, Sprint, T-Mobile admit to using Carrier IQ; Apple says it doesn't anymore
Lauren Weinstein
Re: Cybersecurity Requires Patches, Not a Vast Bill
Martyn Thomas
Re: Complexity
Bob Frankston
Info on RISKS (comp.risks)

Civilian Use of Drone Aircraft May Soon Fly In the US (W. J. Hennigan)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 1 Dec 2011 6:06:38 PST

"Drone aircraft, best known for their role in hunting and destroying
terrorist hideouts in Afghanistan and Pakistan, may be coming soon to the
skies near you. Police agencies want drones for air support to find runaway
criminals. Utility companies expect they can help monitor oil, gas and water
pipelines. Farmers believe drones could aid in spraying crops with
pesticides. 'It's going to happen,' said Dan Elwell, vice president of civil
aviation at the Aerospace Industries Association.  'Now it's about figuring
out how to safely assimilate the technology into national airspace.'  That's
the job of the Federal Aviation Administration, which plans to propose new
rules for using small drones in January, a first step toward integrating
robotic aircraft into the nation's skyways."  [Source: W.J. Hennigan,
*Seattle Times*, 29 Nov 2011]
  http://seattletimes.nwsource.com/html/nationworld/2016882681_drones29.html

  [Misappropriating Vint Cerf's famous statement on the Internet,
    “Drones are for everyone?''  PGN]


Underpublicized risks of mobile devices

<Valdis.Kletnieks@vt.edu>
Wed, 30 Nov 2011 13:51:05 -0500

Heard on Blacksburg Transit on the way to work yesterday:

  "Damn you, Angry Birds. I just missed my stop."


Comedy of Errors Led to False "Water Pump Hack" Report (RISKS-26.65)

Lauren Weinstein <lauren@vortex.com>
Wed, 30 Nov 2011 23:39:58 -0800

  "Even though Mimlitz's username was connected to the Russian IP address in
  the SCADA log, no one from the fusion center bothered to call him to ask
  if he had logged in to the system from Russia. Instead, the center
  released a report on Nov. 10 titled "Public Water District Cyber
  Intrusion" that connected the broken water pump to the Russian log-in five
  months earlier, inexplicably stating that the intruder from Russia had
  turned the SCADA system on and off, causing the pump to burn out.  "And at
  that point all hell broke loose," Craven said."  [Source: Kim Zetter,
  *WiReD*] http://j.mp/rvWnEC

"Oh Boy!  We get to announce a Foreign CYBER-ATTACK!  Maybe Terrorists
conducting a dry run on a small water system!—That's what the "experts"
will say on TV!  Don't bother with the reality checks, that could spoil all
the fun!"


GCHQ code-cracking challenge "cracked"—by a Google search!

Robert Meineke <rmeineke@gmail.com>
Mon, 5 Dec 2011 05:27:11 -0800

*The Register*:
http://www.theregister.co.uk/2011/12/03/gchq_code_crack_compo_snafu/

I was going to make a 'crack' about security through obscurity, but I'm not
sure that this even rises to that level!

  [Robert, You are a real firecracker!  PGN]


Ongoing large-scale distributed SSH brute-force attack

Jonathan Kamens <jik@kamens.us>
Sun, 04 Dec 2011 00:23:21 -0500

In the past, securing SSH on the public Internet has been pretty much as
easy as (a) keep your OS patched, (b) don't let root log in with a password,
and (c) run fail2ban to stop brute-force attacks.

Unfortunately, it looks like the bad guys have finally figured out how to
put their bots to work running distributed SSH brute-force attacks.  If so,
then fail2ban is no longer going to be good enough, and more sophisticated
(and inconvenient) measures are going to be needed.

Prior to 1 Dec, the five machines I maintain with SSH servers accessible to
the public have been probed by an average of 13 different IP addresses per
day.  On 1 Dec, they were probed by 109 different IP addresses, a 738%
increase over the prior average. On 2 and 3 Dec, they were probed by 79 and
72 different IP addresses. Not as high as the first day, but still quite a
jump!

I saw this increase across the board on five different machines on four
distinct networks run by four different network service providers. I've been
in correspondence with someone at the SANS Internet Storm Center who says
he's seen a similar spike on machines he maintains.

It seems clear to me that someone is engaging in a distributed brute-force
attack trying to break into servers as root via ssh.

Since this particular attack is targeted at the root user, you're safe for
the time being as long as you don't allow root to log in with a
password. But it's only a matter of time before they start attempting
distributed brute-force attacks of non-root accounts. When that happens,
blocking individual IP addresses with a series of failed login attempts is
no longer going to be sufficient.

If you maintain a server whose SSH port is open to the public, please let me
know the details if you're seeing a similar attack on your server (you can
post a comment on my blog
<http://blog.kamens.us/2011/12/04/ongoing-large-scale-distributed-ssh-brute-force-attack/>
or email me <mailto:jik@kamens.us>. In case it is useful, here
<http://stuff.mit.edu/%7Ejik/software/ssh-logs.pl.txt> is the script I have
been using to collect and display data from the machines I maintain.


Skype flaw reveals users' location, file-downloading habits

Monty Solomon <monty@roscom.com>
Fri, 2 Dec 2011 10:30:30 -0500

Joan Goodchild, CSO Online, 1 Dec 2011
A team of researchers has uncovered an issue that imperils Skype
users' privacy by putting their location and identity up for grabs

Researchers have found a flaw in Skype that can expose your location,
identity and the content you're downloading. Microsoft, which owns Skype,
says they are working on the problem.

The issue was uncovered earlier this year by a team of researchers from
Polytechnic Institute of New York University (NYU-Poly), MPI-SWS in Germany
and INRIA in France and included Keith Ross, Stevens Le Blond, Chao Zhang,
Arnaud Legout, and Walid Dabbous. The team presented the research in Berlin
recently at the Internet Measurement Conference 2011 in a paper titled "I
know where you are and what you are sharing."

The researchers found several properties of Skype that can track not only
users' locations over time, but also their peer-to-peer (P2P) file-sharing
activity, according to a summary of the findings on the NYU-Poly web
site. Earlier this year, a German researcher found a cross-site scripting
flaw in Skype that could allow someone to change an account password without
the user's consent. ...

http://www.csoonline.com/article/695631/skype-flaw-reveals-users-location-file-downloading-habits

 - - - -

Somini Sengupta, Skype Can Expose Your Location, Researchers Say,
*The New York Times* blogs, 29 Nov 2011
http://bits.blogs.nytimes.com/2011/11/29/skype-can-expose-your-location-researchers-say/

Remember when a prankster could make himself a general nuisance by calling
your home phone and quickly hanging up?

The equivalent of a prank call on Skype, the popular
voice-over-Internet-Protocol service, can be much more than a nuisance. If
you are logged in to Skype, a prankster - or thief or spy - can effectively
track where you are and in some circumstances, what you do and even what you
download, according to an experiment led by Keith Ross, a computer science
professor at the Polytechnic Institute of New York University in Brooklyn.
Mr. Ross, along with his collaborators at the French computer research
institute, Inria, followed 10,000 randomly selected Skype users over 16
days. ...


"Security researchers say HP printers vulnerable to hackers"

Gene Wirchenko <genew@ocis.net>
Tue, 29 Nov 2011 13:35:44 -0800

Woody Leonhard | InfoWorld, 29 Nov 2011
Flaw in HP's printer firmware update procedures could expose your
company's printers to hackers. Here are the steps you should take to
protect them
http://www.infoworld.com/t/hacking/security-researchers-say-hp-printers-vulnerable-hackers-180253

selected text:

MSNBC released an "exclusive" report quoting two Columbia University
researchers as saying that millions of HP printers are open to potentially
devastating online hacks. While the security holes appear to be very real,
there's a great deal of question about whether the attacks could ever be
implemented in a real-world situation—and there are steps you can take at
your corporate firewall right now to mitigate the threat.

The fundamental problem stems from the way HP printers validate firmware
updates prior to applying them. Or more accurately, the way HP printers
don't bother to validate firmware updates prior to applying them.

The demo referenced in the MSNBC report involved an HP printer's fuser. The
altered firmware turned the fuser on and left it on, browning the paper and
throwing off smoke, before the printer's thermal interrupt kicked in.


HP printers can be remotely controlled and set on fire,

Monty Solomon <monty@roscom.com>
Tue, 29 Nov 2011 23:41:05 -0500
 researchers claim (Jon Brodkin)

Jon Brodkin, Ars Technica

Security researchers at Columbia University have accused HP of selling
printers with a flaw that could let hackers gain remote control over the
devices. Once compromised, the access can be used to steal personal
information, attack networks, and even set printers on fire by feeding them
a continuous stream of instructions designed to heat them up.

The researchers, funded by government and industry grants, reported the flaw
to federal officials and HP this month, and gave a demonstration to MSNBC,
which has an extensive article on the subject today. HP told MSNBC that it
is reviewing the details, but denied that the problem is as extensive as
claimed by Columbia PhD student Ang Cui and Professor Salvatore Stolfo.  ...

http://arstechnica.com/business/news/2011/11/hp-printers-can-be-remotely-controlled-and-set-on-fire-researchers-claim.ars


The risks of information sharing?

Steven Bellovin <smb@cs.columbia.edu>
Mon, 5 Dec 2011 10:25:01 -0500

My daughter sent me the following note:

  There's some discussion on the cycling list I'm on about whether bike
  thieves are looking at Strava, a site that lets people compare routes
  they've ridden, to target nice bikes.  Apparently, people's profiles show
  the bikes they've ridden on which rides, and given the ride data, you can
  make a pretty good guess about where their bikes are stored...

There's no hard evidence that this is the thieves' MO, but a lot of people
are speculating and wondering.

Steve Bellovin, https://www.cs.columbia.edu/~smb


Exam Cheating on Long Island Hardly a Secret (Anderson/Applebome)

Monty Solomon <monty@roscom.com>
Fri, 2 Dec 2011 03:33:26 -0500

Jenny Anderson and Peter Applebome, *The New York Times*, 2 Dec 2011
http://www.nytimes.com/2011/12/02/education/on-long-island-sat-cheating-was-hardly-a-secret.html

The suspected test takers came from prominent, respected families, some of
them in financial distress - among the five facing felony charges were the
sons of a well-known lawyer, the president of the local library board and a
wealthy philanthropic family.  The youths who are accused of paying them as
much as $3,600 to take SAT and ACT tests were largely undistinguished
students willing to cut corners to strengthen their modest sums.

The combination yielded one of the most conspicuous cheating scandals in
memory, a telling reflection on the college admissions rat race - and,
perhaps, contemporary ethics more broadly. According to prosecutors,
principals, parents and teenagers here on Long Island's Gold Coast, it was
common knowledge at some of the nation's most prestigious high schools that
if you had the money, you could find someone with a sharper vocabulary and a
surer grasp of geometry to fill in the blanks for you. ...


Apple iTunes ... Trojan horse that gives governments access to your computer and files

Gordon Peterson <gep2@terabites.com>
  [From Dave Farber's IP]

It is being announced that the iTunes software you probably have on your
computer has a purposely built-in back door that allows governments to
surreptitiously log into your computer and prowl around through your
personal data and files.  And of course, virtually everyone allows iTunes to
go through firewalls and other security protections that would otherwise
prevent malicious intrusion.

(This web page is in French, if you're using Google Chrome and don't
understand French, I suggest you use the Google Chrome translation feature.)
http://www.nikopik.com/2011/12/itunes-un-cheval-de-troie-a-la-solde-des-gouvernements.html

Gordon Peterson II  http://personal.terabites.com


Sneaky Mobile Ads Invade Android Phones

Monty Solomon <monty@roscom.com>
Mon, 5 Dec 2011 13:34:09 -0500

Download the wrong app to your Android phone, and you may end up with ads on
your home screen or notification bar. We'll tell you who's behind the
annoyance and how to get the ads off your phone.

Tom Spring, 4 Dec 2011

Are you wondering how that mysterious icon ended up on your Android phone's
start screen? Annoyed at the ads clogging your notification bar? You aren't
alone. Thousands of Android apps now include software that shoves marketing
icons onto your phone's start screen or pushes advertising into your
notification bar--and many of the apps give you no warning about the ad
invasion.

Many of these ads come from mobile marketing firms such as AirPush, Appenda,
LeadBolt, Moolah Media, and StartApp. The companies work with app developers
hungry for some way to make money from their smartphone software. By
bundling their adware into popular Android programs, these marketing
companies say they are now pushing ads to millions of new smartphones each
week.

Smartphone users generally hate the swarm of marketing on their
touchscreens, but the approach is growing fast. One of the companies,
AirPush, says 800,000 people a day download an Android app with its adware
inside--up from 250,000 just three months ago.

It may be next to impossible to completely avoid this kind of advertising on
your phone. I looked at dozens of apps that contain ad software and found
that few of them disclose that they contain adware. But there are ways to
get the ads off your phone, as we'll see below. ...

http://www.pcworld.com/article/245305/sneaky_mobile_ads_invade_android_phones.html


"Carrier IQ: The Sony rootkit all over again"

Gene Wirchenko <genew@ocis.net>
Wed, 30 Nov 2011 13:42:01 -0800

Robert X. Cringely, *InfoWorld*, 30 Nov 2011
Can someone legally record almost everything you do on your phone
without telling you? Yes. Meet Carrier IQ, whose software is
installed on nearly 142 million handsets
http://www.infoworld.com/t/cringely/carrier-iq-spying-your-cellphone-180425


"CarrierIQ" on various mobile handsets

Lauren Weinstein <lauren@vortex.com>
Thu, 17 Nov 2011 12:45:04 -0800

  "Carrier IQ (CIQ) sells rootkit software included on many US handsets sold
  on Sprint, Verizon and more.  Devices supported include android phones,
  Blackberries, Nokias, Tablet devices and more ...  Carrier IQ is able to
  query any metric from a device.  A metric can be a dropped call because of
  lack of service.  The scope of the word metric is very broad though,
  including device type, such as manufacturer and model, available memory
  and battery life, the type of applications resident on the device, the
  geographical location of the device, the end user's pressing of keys on
  the device, usage history of the device, including those that characterize
  a user's interaction with a device."  http://j.mp/vCyUA1 (Android Security
  Test) [NNSquad]


Re: Carrier IQ May Have Violated Wiretap Law In Millions Of Cases

Declan McCullagh <declan@well.com>
Thu, 01 Dec 2011 5:45 PM

  [From Dave Farber's IP]

On the other hand, Carrier IQ may *not* have violated wiretap law in
millions of cases.

Dan Rosenberg said that he has reverse-engineered Carrier IQ and found "no
evidence that they are collecting anything more than what they've publicly
claimed: anonymized metrics data." He found "no code in CarrierIQ that
actually records keystrokes for data collection purposes." See:
  http://pastebin.com/aiYNmYVz

John Graham-Cumming also is unconvinced:
"If you watch the 'security researcher's' video you'll find that nowhere
does he make the claim that content that the application sees is leaving
the device... At no point does he enter a debugger and look inside the
CarrierIQ application, and at no point does he run a network sniffer and
look at what data is being transmitted to CarrierIQ."
  http://blog.jgc.org/2011/11/getting-little-tired-of-security.html

Sprint said today that "we do not and cannot look at the contents of
messages, photos, videos, etc., using this tool," which is a pretty broad
denial:
  http://news.cnet.com/8301-31921_3-57335110-281

I hope that IPers remember the panic earlier this year when Samsung was
falsely accused of installing key loggers on laptops. Network World, which
ran the article, ended up deleting it and saying, in a lovely passive voice,
that "an apology has been issued":
  http://news.cnet.com/8301-31921_3-20049259-281.html

If Carrier IQ is transmitting keystrokes or the contents of communications,
I'll be the first to call them on it. But, as far as I know after watching
the video, nobody has demonstrated that's what the software actually does.


"Carrier IQ and Facebook pose the least of your privacy threats"

Gene Wirchenko <genew@ocis.net>
Fri, 02 Dec 2011 11:15:23 -0800

Galen Gruman, *InfoWorld*, 2 Dec 2011
Users are regularly signing up for Big Brother-like tech that could
result in the loss of insurance coverage or worse
http://www.infoworld.com/t/internet-privacy/carrier-iq-and-facebook-pose-the-least-your-privacy-threats-180619

selected text:

But the worst risk is what people aren't talking about: Big Brother-type
technology used to monitor specific individuals and shape their behavior
through penalties and rewards. If the government were doing this, we'd have
people in the streets, but in the hands of private companies, these
seductive methods convince people to naively agree to being controlled.

Take, for example, Progressive Insurance's program of offering tracking
devices to monitor how you drive. If you drive safely, as determined by
Progressive, you get an discount. If you're determined to be unsafe, you pay
the "normal" rate.

Given insurance companies' business model—pay out as little as possible,
take in as much as possible—the long-term result is obvious: "Unsafe"
drivers will pay more, or they won't be eligible for insurance.

It's not just Progressive. There's been a lot of excitement in the health
care industry over monitoring devices that can make sure people are taking
their medication, eating right, and even exercising. If you do what you're
supposed to, you may get a discount, such as on medical insurance, a measure
now being considered for employer-sponsored plans. If you don't, you may get
nagged, pay more, or be denied coverage. The Orwellian name for such control
approaches is "wellness incentives."

Here is what one poster had to say about the medical monitoring.  That last
paragraph is particularly nasty:

unbound55:
A very good article pointing out activities that are already occurring that
will impact people's lives far more than they think.

My company has been on the leading edge of the health care tracking that is
mentioned in this article.  Already offering incentives for providing
additional health information, they are now offering incentives for
providing detailed health information such as height, weight, cholesterol,
etc.  The plan has already been announced that in another year that
information will be provided to some kind of CSR that will make sure that
your numbers either improve, or that you are actively working on improving
your numbers...or you lose access to the premium insurance.  It is only a
half-step further to lose access to all insurance altogether by
participating in the program.

Unfortunately, most people do not understand the very real problem being
started here.  They likely will not understand it until they get bit by it.
All they see is the discounts being offered.  As someone who spent 9 years
trying to get doctors to understand that I actually was exercising very well
and ate correctly culminating in the discovery of Conn's Syndrome (the
actual root cause of my very high hypertension), I shudder to think how I
would have to deal with that with some under-educated CSR who would simply
report that I clearly was lying about something.


AT&T, Sprint, T-Mobile admit to using Carrier IQ; Apple says it

Lauren Weinstein <lauren@vortex.com>
Fri, 2 Dec 2011 10:16:02 -0800
  doesn't anymore (NNSquad)

> AT&T, Sprint, T-Mobile admit to using Carrier IQ; Apple says it
> doesn't anymore + my comments

> http://j.mp/rPycF6  (This message on Google+)

 - - -

> http://j.mp/vVRV3J  (Fierce Mobile)

> "The controversy over Carrier IQ illegally tracking cell phone users'
> activities continues. AT&T Mobility (NYSE:T), Sprint Nextel (NYSE:S) and
> T-Mobile USA have come forward, admitting to using Carrier IQ software,
> albeit allegedly only to improve their network performance.  On the other
> end of the spectrum, Apple said it stopped using Carrier IQ's platform in
> the latest version of its operating system, iOS 5."

As I noted originally, it seems unwise to "pile on" in this situation, given
that the facts are not entirely clear.  In particular, it apparently has not
yet been demonstrated that CIQ is actually *transmitting* specific user data
that would be trigger wiretap laws, irrespective of ephemeral data
collection on the device to gather service and use statistics that are being
sent.

My gut feeling is that in this case there may be parties opportunistically
attacking ahead of the facts, and that it is quite possible that the
failures in this situation are mainly ones of transparency, disclosure, and
user control, rather than the much more serious issues of "wiretapping" per
se.

We shall see.


Re: Cybersecurity Requires Patches, Not a Vast Bill (RISKS-26.65)

Martyn Thomas <martyn@thomas-associates.co.uk>
Thu, 01 Dec 2011 21:24:38 +0000

What other industry would get away with selling a product that isn't fit for
purpose, and then blaming the customers for failing to be quick enough to
carry out repairs?

The vendors should be liable for the consequences of their incompetence and
lack of professionalism. Let's stop blaming the customers.


Re: Complexity (RISKS-26.64)

"Bob Frankston" <bob2-39@bobf.frankston.com>
Wed, 30 Nov 2011 16:44:35 -0500

I'll admit that I took the comment on complexity out of context but the
larger context actually reinforces my point. The more constraints you put on
a system the less likely you'll satisfy them so there is inherent complexity
in the sense that the odds of finding an effective solution are
significantly reduced.

This is why we need to understand a fundamentally different dynamic based on
discovery or opportunity. You have a solution and then find out what
problems it solves. Once you look around you'll find that is the norm not
the exception. We use USB for power because creating a standard with new
requirements would've been too difficult. We may lament Facebook's security
model but use it because we find value and deal with the trust problems,
even if we don't do it very well. We can't really articulate what we mean by
"trust" anyway and certainly not as a spec.

Perhaps the most Internet-relevant example is defining "quality" outside the
network rather than in the network. Thus instead of having to have a perfect
network we get the kind of quality we want by choosing our own polices such
as better never than late or vice versa. This is why the Internet is so many
orders of magnitude less expensive than the traditional phone networks.

In fact I argue that tolerance is the key to Moore's law as I wrote in
http://rmf.vc/BeyondLimits.

Please report problems with the web pages to the maintainer