The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 89

Saturday 9 June 2012


Medical device software update, server distributes malware
Kevin Fu
Haverhill teen to serve year in jail for fatal texting crash ...
Ballou and Ellement via Monty Solomon
Teen texting behind wheel common: 42% in Mass. say they do it
Kay Lazar via Monty Solomon
Flame required world-class cryptographers
Dan Goodin
Texting While Driving: Despite penalties, it's not sinking in
Billy Baker via Monty Solomon
VIDEO: "Heads Up" Distraction Safety Campaign Targets Pedestrians
Michelle Rosa via Gene Wirchenko
Lawful access 'one of the greatest threats to privacy'
Nestor E. Arellano via Gene Wirchenko
Ontario service kiosks shut down
Nestor E. Arellano via Gene Wirchenko
SSNs on P2P? The Feds found businesses that leaked private info
Megan Geuss via Monty Solomon
MD5 password scrambler 'no longer safe'
John Kemp
LinkedIn and eHarmony reportedly did not "salt" password hashes
Lauren Weinstein
LinkedIn app under scrutiny for transferring iOS calendar entries
Monty Solomon
ATM-style provincial government services suspended due to breach
Mark Brader
Researchers find ways to bypass Google's Android malware scanner
Lucian Constantin via Gene Wirchenko
Police: mobile software hack defeating anti-theft measure
Cyrus Farivar via Monty Solomon
Observations on changing passwords
Geoff Kuenning
Stupid security mistakes: Things you missed while doing the hard stuff
Josh Fruhlinger via Gene Wirchenko
Re: 60% of Wikipedia entries about companies contain errors
Geo Swan
'Siri, Kill That Guy': Drones Might Get Voice Controls
David Axe via ACM TechNews
Another Siri risk
Martyn Thomas
Re: Telemarketing Calls Keep Mounting Up
Isaac Morland
Info on RISKS (comp.risks)

Medical device software update, server distributes malware

Kevin Fu <>
Sat, 9 Jun 2012 12:21:08 -0400

The web server distributing the software updates for a ventilator (a medical
device) itself needs some help with software updates.  According to Google,
the web server was infected with 48 viruses and 2 scripting exploits.  20
pages resulted in malicious software being downloaded and installed without
user consent.

The risks should be obvious.  This is an update for a medical device, and
yet one must download it in a manner as if software sepsis is no big deal.
Health care professionals might as well stop washing their hands while
they're at it.

Click Here to Download Your AVEA Ventilator Software Update. Trust Me.

Haverhill teen to serve year in jail for fatal texting crash ...

Monty Solomon <>
Thu, 7 Jun 2012 13:10:57 -0400
  (Ballou and Ellement)

Brian R. Ballou and John R. Ellement, *The Boston Globe*, 6 Jun 2012
... judge calls for people to keep eyes on road

Saying he was sending a message of deterrence to Massachusetts drivers,
District Court Judge Stephen Abany today imposed maximum sentences on
Haverhill teen Aaron Deveau for causing a fatal crash by texting while
driving.  The judge sentenced Deveau, who was 17 at the time of the crash,
to concurrent sentences of 2 years on a charge of motor vehicle homicide and
2 years for a charge of negligent operation of a motor vehicle causing
serious injury while texting.

Noting Deveau's youth and lack of criminal record, Abany ordered the teen to
serve one year in the Essex County House of Corrections, suspending the rest
of the sentences. Deveau, who has been free on bail since his arrest in
2011, was taken into custody by court officers.

Abany said from the bench that a criminal sentence is based on four
principles - punishment, public safety, rehabilitation, and deterrence. Of
those four issues, deterrence was his primary concern. ...

Teen texting behind wheel common: 42% in Mass. say they do it

Monty Solomon <>
Sat, 9 Jun 2012 00:24:35 -0400
  (Kay Lazar)

Kay Lazar, *The Boston Globe*, 8 Jun 2012

Forty-two percent of Massachusetts high school students who drive admit they
text while behind the wheel, according to a state survey to be released
Friday.  The report, from the state's Department of Public Health, also
finds that texting while driving is most common among high school seniors,
with 61 percent of drivers admitting to the behavior, more than three times
the percentage for sophomore drivers. ...

Flame required world-class cryptographers (Dan Goodin)

"Peter G. Neumann" <>
Fri, 8 Jun 2012 4:42:06 PDT

Dan Goodin, *ars technica*, 7 Jun 2012

The Flame espionage malware that infected computers in Iran achieved
mathematical breakthroughs that could only have been accomplished by
world-class cryptographers, two of the world's foremost cryptography experts
said.  "We have confirmed that Flame uses a yet unknown MD5 chosen-prefix
collision attack," Marc Stevens and B.M.M. de Weger wrote in an e-mail
posted to a cryptography discussion group earlier this week. "The collision
attack itself is very interesting from a scientific viewpoint, and there are
already some practical implications."

"Collision" attacks, in which two different sources of plaintext generate
identical cryptographic hashes, have long been theorized. But it wasn't
until late 2008 that a team of researchers made one truly practical. By
using a bank of 200 PlayStation 3 consoles to find collisions in the MD5
algorithm---and exploiting weaknesses in the way secure sockets layer
certificates were issued---they constructed a rogue certificate authority
that was trusted by all major browsers and operating systems. Stevens, from
the Centrum Wiskunde & Informatica in Amsterdam, and de Weger, of the
Technische Universiteit Eindhoven were two of the driving forces behind the
research that made it possible.

Flame is the first known example of an MD5 collision attack being used
maliciously in a real-world environment. It wielded the esoteric technique
to digitally sign malicious code with a fraudulent certificate that appeared
to originate with Microsoft. By deploying fake servers on networks that
hosted machines already infected by Flame---and using the certificates to
sign Flame modules---the malware was able to hijack the Windows Update
mechanism Microsoft uses to distribute patches to hundreds of millions of
customers. [...]

Texting While Driving: Despite penalties, it's not sinking in

Monty Solomon <>
Thu, 7 Jun 2012 16:57:23 -0400
  (Billy Baker)

Billy Baker, *The Boston Globe*, 7 Jun 2012 [PGN-ed]

After a judge imposed the maximum sentence Wednesday on a local teenager who
became the first person in the state convicted of causing a fatal crash
while texting, it is still not clear the message is sinking in. ...

Aaron Deveau - who was 17 in February 2011, when he drifted over the center
lane on River Street and slammed head-on into a car driven by Donald Bowley
Jr., 56 - was convicted of motor vehicle homicide and negligent operation of
a motor vehicle causing serious injury while texting.  He was sentenced to a
year in prison.  Bowley died 18 days after the crash. His girlfriend, Luz
Roman, was injured. ...  During the trial, prosecutors used phone records to
argue that Deveau was texting just before the accident, an assertion he
denied on the witness stand.

VIDEO: "Heads Up" Distraction Safety Campaign Targets Pedestrians (Michelle Rosa)

Gene Wirchenko <>
Thu, 07 Jun 2012 10:06:16 -0700
VIDEO: "Heads Up" Distraction Safety Campaign Targets Pedestrians
Posted By: Michelle Rosa  29 May 2012

opening text:

Look Up! Toronto police are asking you to take a minute and stop texting and
pay more attention when walking around the city.

Lawful access 'one of the greatest threats to privacy' (Nestor E. Arellano)

Gene Wirchenko <>
Tue, 05 Jun 2012 10:11:48 -0700
  (Nestor E. Arellano)

Nestor E. Arellano, *IT Business*, 4 Jun 2012
Lawful access 'one of the greatest threats to privacy,' says watchdog
Ontario's privacy commissioner focused her annual report on the
federal government's desire to keep a closer eye on its citizens'
online activities.

Initiatives to provide law enforcement agents greater powers to access and
track personal individual information may have suffered a setback early
this year, but Ontario's information and privacy commissioner said today
that vigilance is needed to protect individual rights.

Bill C-30 "represents one of the most invasive threats to our privacy and
freedom that I have encountered in 25 years of my career," said Dr. Ann
Cavoukian, Ontario's Information and Privacy commissioner. ...

Ontario service kiosks shut down (Nestor E. Arellano)

Gene Wirchenko <>
Fri, 08 Jun 2012 09:47:27 -0700

Nestor E. Arellano, *IT Business*, 7 Jun 2012
Authorities say "security violations" prompted them to order the
deactivation of self-serve terminals that provide birth certificates,
driver's licences and other documents.

SSNs on P2P? The Feds found businesses that leaked private info

Monty Solomon <>
Fri, 8 Jun 2012 10:15:10 -0400
  (Megan Geuss)

Megan Geuss, *ars technica*, 7 Jun 2012

The FTC charged a debt collector and a car dealership with illegal
indiscretion.  Back in 2010, the FTC conducted a probe revealing that a lot
of sensitive customer data could be found on P2P networks, uploaded by
companies that had pledged to safeguard that data. That led the FTC to
investigate more specific impropriety, and today the Federal Trade
Commission charged a debt collection agency in Provo, Utah, and a car
dealership in Statesboro, Georgia, with illegally exposing the personal
information of thousands of customers.

The FTC's 2010 probe originally led to an uncovering of "health-related
information, financial records, and driver's license and social security
numbers" on peer-to-peer networks that had been shared by a legitimate
organization's computer network. As is the nature of P2P, that leaked data
was available to any users of the P2P network, and exposed many unwitting
citizens to fraud and harm.

Two years later, the FTC is doling out charges against two companies that
were caught with computers that had connected to P2P networks and leaked
sensitive data belonging to the companies' customers. In the settlement
offer extended by the FTC, both companies would be required to disclose
their privacy practices more clearly, and would undergo a security audit by
the FTC every other year for the next 20 years to ensure compliance.

The first company, EPN, Inc. (otherwise known as Checknet) is a debt
collection agency in Provo, Utah, whose clients are healthcare providers,
commercial credit organizations, and retailers. The FTC alleges that the
company allowed its chief operating officer "to install P2P file-sharing
software on the EPN computer system, causing sensitive information including
Social Security numbers, health insurance numbers and medical diagnosis
codes of 3,800 hospital patients to be made available to any computer
connected to the P2P network." ...

MD5 password scrambler 'no longer safe'

John Kemp <>
Thu, Jun 7, 2012 at 1:26 PM

  [From Dave Farber's IP distribution.  PGN]

This blog post doesn't tell us anything useful. The issue with the LinkedIn
hack is that the password database was obtained and shared publicly.
Although it is indeed possible with brute force to find a colliding
cleartext for a given MD5 hash, you have to first have the hash value.

In most such attacks, the attacker doesn't know the hashed value of the
cleartext, or the cleartext. Thus, they are simply running a "dictionary
attack" - generating passwords, hashing them and trying to match them. They
do that until a hash that they generate matches, and the account is
unlocked. Try doing that for a single password, online, and most sites will
lock you out after about 3 tries. That alone makes most dictionary attacks

When people have said that "MD5 is broken" they mean that MD5 is subject to
"collision attacks" in which two different cleartext values can hash to the
same value. So MD5 is broken for certain applications where you need unique
hash values per unique string (note that SHA-1 is also vulnerable to these
attacks), but it is still useful in some situations, and indeed, probably
still mostly just fine for storing passwords, provided that certain other
security measures are taken:

(i) Online password retries must be limited
(ii) Passwords should be stored "salted" - i.e., where the cleartext is
concatenated with a random value. In such a case, the attacker will have to
run an individual dictionary attack for each user's password.
(iii) Password databases should be stored securely

ii only causes the attacker to spend more time in cracking passwords; iii
and i are the really important measures for keeping passwords safe.  The
problem with the LinkedIn hack is that they let an attacker get access to
their password database in the first place—that is a serious security

LinkedIn and eHarmony reportedly did not "salt" password hashes

Lauren Weinstein <>
Thu, 7 Jun 2012 12:50:40 -0700

LinkedIn and eHarmony reportedly did not "salt" their password hashes

  "LinkedIn and eHarmony encrypted, or "hashed," the passwords of registered
  users, but neither salted the hashes with random data that would have made
  them much more difficult to decrypt.  Without salting, it's very easy to
  crack".  (Security News Daily via NNSquad)

For LinkedIn and eHarmony to have reportedly not been "salting" their
password cryptographic systems amounts to gross negligence.  UNIX/Linux
systems have been routinely using salted functions for decades.  This isn't
rocket science.  There is *no* excuse.

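The two preceding items (Kemp's three measures and Weinstein's point about
unsalted hashes) describe the same mechanism in prose.  The following is an
added example, not code from either contributor or from LinkedIn: it builds a
constructed user table, stores it once unsalted and once with a per-user
random salt, and runs the same dictionary attack against both, counting hash
computations.  It also shows Kemp's point (i), an online lockout, as a
small gate class.  MD5 is used only because that is what the articles are
about; the names DICTIONARY, USERS, LoginGate and the sample passwords are
constructed for this illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the articles): a tiny guess list and
# three accounts. alice and carol deliberately share a password.
DICTIONARY = ["123456", "password", "linkedin", "letmein", "qwerty", "sunshine"]
USERS = {"alice": "letmein", "bob": "sunshine", "carol": "letmein"}


def unsalted_md5(password: str) -> str:
    """What LinkedIn reportedly stored: md5(password), no per-user salt."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_md5(password: str, salt: bytes) -> str:
    """Salting as Kemp describes it: hash the random salt concatenated with
    the cleartext. MD5 is used only to match the articles' subject."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    return {u: unsalted_md5(p) for u, p in users.items()}


def store_salted(users: dict, salt_len: int = 16) -> dict:
    """Each user gets a fresh random salt, stored beside the hash."""
    db = {}
    for u, p in users.items():
        salt = os.urandom(salt_len)
        db[u] = (salt, salted_md5(p, salt))
    return db


def crack_unsalted(db: dict, dictionary: list) -> tuple:
    """One pass over the dictionary yields a hash->guess table that is
    then applied to every user for free; identical passwords also show up
    as identical hashes before any cracking is done."""
    table = {unsalted_md5(g): g for g in dictionary}
    found = {u: table[h] for u, h in db.items() if h in table}
    return found, len(dictionary)


def crack_salted(db: dict, dictionary: list) -> tuple:
    """No shared table is possible: the dictionary must be re-hashed under
    each user's salt, so the cost scales with the number of users."""
    found, cost = {}, 0
    for u, (salt, h) in db.items():
        for g in dictionary:
            cost += 1
            if salted_md5(g, salt) == h:
                found[u] = g
                break
    return found, cost


class LoginGate:
    """Kemp's point (i): online guessing is bounded by a lockout, which is
    why a leaked database (offline guessing) is the real disaster."""

    def __init__(self, db: dict, max_attempts: int = 3):
        self.db, self.max_attempts, self.attempts = db, max_attempts, {}

    def login(self, user: str, password: str) -> str:
        if self.attempts.get(user, 0) >= self.max_attempts:
            return "locked"
        self.attempts[user] = self.attempts.get(user, 0) + 1
        salt, stored = self.db[user]
        # Constant-time compare avoids leaking how many bytes matched.
        ok = hmac.compare_digest(salted_md5(password, salt), stored)
        return "ok" if ok else "denied"


if __name__ == "__main__":
    udb, sdb = store_unsalted(USERS), store_salted(USERS)
    print("unsalted: alice and carol hashes equal?", udb["alice"] == udb["carol"])
    print("salted:   alice and carol hashes equal?", sdb["alice"][1] == sdb["carol"][1])
    print("unsalted crack (found, hashes computed):", crack_unsalted(udb, DICTIONARY))
    print("salted crack   (found, hashes computed):", crack_salted(sdb, DICTIONARY))
```

Run as a script it recovers all three passwords in both cases, which is
Kemp's point that a salt only raises the attacker's cost (here from 6 hash
computations to 14 for three users, and linearly with the user count beyond
that); the salted table also no longer reveals that alice and carol chose the
same password.  A production store would additionally use a deliberately
slow, iterated function rather than a single MD5 call, which is outside what
these two posts discuss.
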
LinkedIn app under scrutiny for transferring iOS calendar entries

Monty Solomon <>
Fri, 8 Jun 2012 10:48:28 -0400

LinkedOut - A LinkedIn Privacy Issue!/2012/06/linkedout-linkedin-privacy-issue.html

LinkedIn's Leaky Mobile App Has Access to Your Meeting Notes

More about our mobile calendar feature

ATM-style provincial government services suspended due to breach

Mark Brader
Thu, 7 Jun 2012 14:19:49 -0400 (EDT)

In Ontario, Canada, various routine provincial government services are
provided by a government agency called ServiceOntario—for example, that's
where I went when I lost my wallet last year and needed a new driver's
license and provincial health insurance card.  For some simple services that
don't require any human interaction, ServiceOntario provides self-serve
ATM-style kiosks in places like shopping malls.  Any fees, of course, are
paid using credit or debit cards.

Today the government announced that it "suspected that attempts were made to
gain access to key credit/debit card data that would allow for the
replication of debit/credit cards" and that, "out of an abundance of
caution", all 72 of these kiosks were being temporarily shut down.

Police here have recently issued warnings about other attempts to steal such
bank card data.


Mark Brader, Toronto, | "Fast, cheap, good: choose any two."

Researchers find ways to bypass Google's Android malware scanner (Lucian Constantin)

Gene Wirchenko <>
Thu, 07 Jun 2012 11:04:31 -0700
  (Lucian Constantin)
June 05, 2012
Researchers find ways to bypass Google's Android malware scanner
Mobile security researchers devised methods that could allow Android
malware to detect when it's being analyzed by Google's Bouncer system
By Lucian Constantin | IDG News Service

key paragraph:

Antivirus programs have long used built-in emulators to safely observe how
suspicious files behave when executed and most antivirus experts analyze
malware samples in virtual machines. As a result, a lot of malware programs
are now designed to suppress their malicious behavior if they detect the use
of emulated environments.

Police: mobile software hack defeating anti-theft measure

Monty Solomon <>
Fri, 8 Jun 2012 10:12:19 -0400

Cyrus Farivar, *ars technica*, 8 Jun 2012

A Ukrainian group has a worldwide network of resellers to reset IMEI
numbers.  For over a year now, a French law has provided a means for law
enforcement to block stolen phones and prevent them from being used.  French
mobile phone users are encouraged to record their IMEI number online with
authorities as a precautionary measure. Once a phone is reported stolen to
the police, operators are required to transmit the unique IMEI number on
each phone to a European bank in Dublin, Ireland. Then, this bank is
supposed to block usage of that phone, rendering it unusable.

The French newspaper Le Monde (Google Translate) reports that mobile theft
in France has dropped 20 percent between April 2011 and April 2012,
suggesting that this measure has been somewhat effective.

However, the Paris police department has now announced that it has
discovered the use of software called Z3X, which has apparently been found
in 50 mobile phone shops in eastern Paris. Z3X is a Ukrainian-made tool that
offers what appears to be a specific way to reset IMEI numbers on various
specific phones, including models of Samsung, LG, NEC and other phones. The
group has listed resellers scattered across the United States, Europe,
Russia, Ukraine and Libya.  ...

Observations on changing passwords

Geoff Kuenning <>
Fri, 08 Jun 2012 01:05:28 -0700

OK, I'll admit to being foolish.  I had a low-security password that I used
on many Web sites where the cost (to me) of a compromised account was pretty
low.  One of those, unfortunately, was LinkedIn.  What I hadn't reckoned
with was the pain of changing passwords on nearly 100 sites, a task I just
finished (it took me two long evenings).

In the process, though, I made some amusing discoveries relevant to RISKS:

* On many sites, it's hard to figure out how to change your password.  Even
  when it's obvious, it usually takes many clicks.  That discourages
  password updates, which seems like a bad idea.

* Some sites require you to create an account to do anything, but they don't
  provide you with a way to log into that account later (at least, not
  without initiating a new transaction).  This is common at sites used to
  make reservations in the U.S. National Parks system.  I couldn't change
  those passwords.  (Quick! Go make a reservation in my name!)

* Some sites seem to have been defunct for many years (I found one
  Palm-related site whose latest "news" was from 2006) but are still running
  and allowing password changes.  Why is somebody paying for their
  electricity and domain name?

* Only a few sites choose to delete really old accounts.

* A few sites have password-construction rules that actually decrease
  security.  The worst required precisely 7 or 8 characters chosen from the
  36 alphanumerics.  Another required you to have "at least one" lowercase
  character (want to bet the CEO types in all caps?).

* Two large companies that are well known for their horrible customer
  service had rules prohibiting obscenities in passwords.  I couldn't resist
  testing their limits, so my password at both sites now contains a thinly
  disguised insult.  I probably should have set the password to the famous
  "Scunthorpe" but didn't think of it.  [See RISKS-18.07,08.  PGN]

* One site (I think it was NewEgg) asked for the new password only once but
  wanted me to enter my e-mail address twice, bringing to mind this cartoon:

* A number of sites wouldn't work with Firefox/NoScript, even when I enabled
  JavaScript for them.  In most cases, bringing up a different browser cured
  the problem, but for one I had to try a third.  Is it really _that_ hard
  to write a robust Web site?

* But the winner of the incompetent-design sweepstakes has to be Dollar
  Rent-a-Car, who asked me for the last four digits of my driver's license
  number and my birth date for verification (but not my old password).
  Then, when I clicked "Change Password", it took me to a customer-support
  e-mail form!  Apparently I was expected to type a message asking a human
  to change my password for me.  I declined; it seems monumentally stupid
  for them to let one of their employees have access to thousands of
  customer passwords.  Instead, I used the form to ask them to let me know
  when they deploy a secure system.

Geoff Kuenning

[I have always wished for my computer to be as easy to use as my telephone;
my wish has come true because I can no longer figure out how to use my
telephone. —Bjarne Stroustrup]

Stupid security mistakes: Things you missed while doing the hard stuff

Gene Wirchenko <>
Fri, 08 Jun 2012 09:31:23 -0700
  (Josh Fruhlinger)

Josh Fruhlinger, *InfoWorld*, 8 Jun 2012
While you were upgrading your servers with the latest intrusion
detection, did someone just walk in and steal them?

Re: 60% of Wikipedia entries about companies contain errors

Geo Swan <>
Wed, 6 Jun 2012 13:24:45 -0400

Back in April, Lauren Weinstein told us about a report in Science News with
the headline "Most Wikipedia Entries About Companies Contain Factual Errors,
Study Finds"

Note, the Science News report is a summary of a study published in the
"Public Relations Journal".

In the fall of 2011 the UK newspaper The Independent caught executives at a
UK public relations firm named Bell Pottinger claiming great success at
sanitizing Wikipedia articles about their clients.  How did they do this?
They employed individuals who masqueraded as genuine Wikipedia volunteers to
remove the embarrassing material through subtle and gradual editing.

The example of their success the executives offered was their sanitization
of the Wikipedia article about their client, a Somalia-based funds
remittance company named Dahabshiil. The article (correctly) reported that
an employee of Dahabshiil, based in Pakistan, ended up in Guantanamo.

I started that article and I stand by its accuracy and fairness.

More recently Jane Wilson, a spokesman for the public relations industry
wrote an appeal to her colleagues, in the Huffington Post, encouraging them
to eschew what she called "dark arts" techniques and openly and
transparently engage with wikipedia volunteers to address accuracy and
fairness concerns, through the mechanisms the wikipedia has set in place for
doing so.

I am afraid the Science News article appears to me to be another instance of
what Wilson called "dark arts"—smearing the wikipedia to distract the
public from the black eye The Independent's report delivered.  The stock of
Bell Pottinger's parent is reported to have dropped about 25 percent due to
the bad press.

References:
  The Independent: "Caught on camera: top lobbyists boasting how they
    influence the PM"
  Suba News: "Dahabshiil—you couldn't find it within the first 10 pages."
  The Wikipedia article on Dahabshiil
  Huffington Post: "PR: If You Want to Understand Wikipedia, Become a
    Wikipedian"

'Siri, Kill That Guy': Drones Might Get Voice Controls (David Axe)

ACM TechNews <technews@HQ.ACM.ORG>
Fri, 8 Jun 2012 11:06:41 -0400

[Source: David Axe, *WiReD* News, 5 Jun 2012]

Future U.S. Air Force drone operators could talk to a drone and receive a
verbal response, similar to the Siri-style two-way voice exchange.
Moreover, next-generation controls could include smarter,
easier-to-interpret computer displays and tactile feedback, similar to
vibrating controls such as the Xbox controller, that shake the drone
operator's virtual cockpit if the robot detects incoming enemy fire.  The
current interface consists of computer screens, keyboards, and joysticks for
steering robots, while input is limited to keystrokes and mouse and joystick
movements transmitted via satellite.  The Air Force Research Laboratory's
(AFRL's) Mike Patzek says man-machine interfaces could replace this
desktop-type environment in the next decade or so.  The progress of the Air
Force's research and its funding will determine how the interfaces evolve,
but there is no dispute that flying robots will have a key role in U.S. air
power in the years to come.  "The fundamental issue is that the [robotic]
systems are going to be more capable and have more automation," says AFRL's
Mark Draper.  "The trick is, how do you keep the human who is located in a
different location understanding what that system is doing, monitoring and
intervening when he or she needs to?"

Another Siri risk

Martyn Thomas <>
Tue, 05 Jun 2012 10:43:39 +0100

A few weeks ago, I was at the theatre with my iPhone switched to "airplane
mode". Shifting in my seat, I must have put pressure on the phone, because
Siri suddenly complained loudly that I didn't have an Internet connection.

Re: Telemarketing Calls Keep Mounting Up

Isaac Morland <>
Tue, 5 Jun 2012 10:10:51 -0400 (EDT)

  (... Along With Consumer Irritation)

Re: the answering machine message that starts with the Service Interruption Tone:

For some years some members of my family have had a device which plays just
the first note of that tone when they pick up the phone (I think it also
works when their answering machine picks up).  So when calling them, one

<ring> ... <ring> ... <beep> Hello?

The beep is very short.  Apparently they get essentially no telemarketing
calls, so maybe just that one beep is enough by itself.

Isaac Morland CSCF Web Guru DC 2554C, x36650 WWW Software Specialist
