The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 32

Saturday 29 January 2011

Contents

"The Internet is For Everyone"
PGN editorial
Internet Society statement on Egypt's Internet shutdown
Greg Wood
Video: Dr. Strangelove Explains the Internet Kill Switch
Lauren Weinstein
Swedish ISP to circumvent EU data retention laws ...
Lauren Weinstein
25 Years Of Digital Vandalism
William Gibson
Another Cloud Risk: Divorcing your vendor
Gene Wirchenko
Facebook in the News
Gene Wirchenko
The Inside Story of How Facebook Responded to Tunisian Hacks
Alexis Madrigal via Monty Solomon
Lauren Weinstein
Yet Another Risk: Not reading the package very carefully
Paul Robinson
Video: Software Security and Malicious Code
Gary McGraw
WECSR 2011, March 4, 2011 - Call for participation
Sven Dietrich
Info on RISKS (comp.risks)

"The Internet is For Everyone"

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 29 Jan 2011 3:39:13 PST

This wonderful aphorism from Vint Cerf truly represents the epitome of what
most RISKS readers would undoubtedly like the Internet to be.  However,
recent events increasingly indicate that the reality may be quite different.
True Network Neutrality is still something of a pipe dream.  But much worse is
happening.  Egypt has basically shut down ISPs and Internet connections for
most users without very special privileges.  Many nations are censoring what
can be read (China, Iran, even Australia) to varying degrees.  Even the ACM
Risks Forum may be inaccessible to many would-be readers who would benefit
from the collective wisdom that you all have contributed here since 1985.
There are still efforts to provide some anonymity and accessibility for
those who are otherwise oppressed by draconian controls and threats of
retribution for uttering truth to power, but even these are likely to have
serious risks of jamming (don't forget Estonia), unwarranted surveillance,
and so on.  And don't forget the pending U.S. legislation, Protecting
Cyberspace as a National Asset.  This would require the Department of
Homeland Security to establish a list of critical systems that the President
could "kill" if he deemed it necessary.  This issue of RISKS again brings
some of those issues to the fore.

To a technologist, everything may seem to have a techy solution or approach
that might help.  However, the humanitarian issues tend to get lost.  They
are absolutely fundamental to our approaches to society—whether it is
something like accessibility, or network neutrality, or integrity in
elections, or abuses of social networking, or providing robust and resilient
national and regional infrastructures (especially in times of financial
woes).  Of course, personal privacy is endangered throughout.  Above all, the
transnational nature of our social and technological problems must be
taken into account.


Internet Society statement on Egypt's Internet shutdown

Greg Wood <wood@isoc.org>
January 28, 2011 4:44:05 PM EST

  [In Dave Farber's IP distribution.  PGN]

28 January 2011

We are following the current events in Egypt with concern as it appears that
all incoming and outgoing Internet traffic has been disrupted. The Internet
Society believes that the Internet is a global medium that fundamentally
supports opportunity, empowerment, knowledge, growth, and freedom and that
these values should never be taken away from individuals.

The Internet Society considers this recent action by the Egyptian government
to block Internet traffic to be an inappropriate response to a political
crisis. It is a very serious decision for a government to block all Internet
access in its country, and a serious intrusion into its citizens' basic
rights to communicate. If the blockage continues, it will have a very
detrimental impact on Egypt's economy and society. Ultimately, the Egyptian
people and nation are the ones that will suffer, while the rest of the world
will be worse off with the loss of Egyptian voices on the net.

However we are most concerned about the safety and security of the Egyptian
people. Alongside the rest of the world, we share the hope for a positive
and lasting solution to the problems that have risen to the surface there.

In the longer term, we are sure that the world will learn a lesson from this
very unfortunate example, and come to understand that cutting off a nation's
access to the Internet only serves to fuel dissent and does not address the
underlying causes of dissatisfaction.

Also available at: http://isoc.org/wp/newsletter/?p=3091

The Internet Society: "The Internet is for Everyone"
Greg Wood, Internet Society, InternetSociety.org http://www.internetsociety.org
office: +1-703-439-2145  mobile: +1-703-625-3917


Video: Dr. Strangelove Explains the Internet Kill Switch

Lauren Weinstein <lauren@vortex.com>
Sat, 29 Jan 2011 14:01:19 -0800

  [I was thinking about running the entire Plan D message from Lauren,
  but his later note here gives you the appropriate link to it.  PGN]

http://lauren.vortex.com/archive/000805.html

Greetings.  Yesterday, in "'Plan D' - How To Disrupt the U.S.A.'s Internet"
( http://bit.ly/eV7Ivn [Lauren's Blog] ), I employed a concept from Stanley
Kubrick's film classic "Dr. Strangelove" to draw an analogy between the
specter of global warfare, and the enormous risks associated with
government-directed Internet shutdowns as have already occurred in Egypt,
and such as has been advanced by some officials as a desirable
government-controlled "Internet Kill Switch" concept here in the United
States.

The parallels are striking on several levels.  But even I was surprised when
I looked back at the original "Dr. Strangelove" footage, and realized that
perhaps the characters were actually in a "Cyberwar Room"—and already
were discussing various countries' abilities to use "kill switches" to shut
down the Internet.

See what you think ...

Dr. Strangelove Explains the Internet Kill Switch:

http://bit.ly/gYevUQ   [YouTube] (~1.3 minutes)

Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
Blog: http://lauren.vortex.com  +1 (818) 225-2800 / Skype: vortex.com
Co-Founder: People For Internet Responsibility: http://www.pfir.org
Founder:
 - Network Neutrality Squad: http://www.nnsquad.org
 - Global Coalition for Transparent Internet Performance: http://www.gctip.org
 - PRIVACY Forum: http://www.vortex.com
Twitter: https://twitter.com/laurenweinstein
Google Buzz: http://bit.ly/lauren-buzz
Quora: http://www.quora.com/Lauren-Weinstein


Swedish ISP to circumvent EU data retention laws ...

Lauren Weinstein <lauren@vortex.com>
Wed, 26 Jan 2011 21:59:14 -0800

Swedish ISP to circumvent EU data retention laws to allow anonymous surfing
http://bit.ly/euWVPZ  (P3 - Swedish->English via Google Translate)

 "In our case, we plan to let our traffic go through a VPN service," says
  Jon Karlung, who is Bahnhof's president.  It is about allowing customers to
  surf anonymously.  Bahnhof chose a technical solution that means they do
  not know what their customers do online, what they send, or whom they are
  talking to.  The information they save is thus irrelevant to the police."

Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
Blog: http://lauren.vortex.com  +1 (818) 225-2800 / Skype: vortex.com


25 Years Of Digital Vandalism (William Gibson)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 27 Jan 2011 12:07:58 PST

William Gibson, *The New York Times* OpEd, 27 Jan 2011
  [Browse for the full article online. PGN-ed]

In January 1986, Basit and Amjad Alvi, sibling programmers living near the
main train station in Lahore, Pakistan, wrote a piece of code to safeguard
the latest version of their heart-monitoring software from piracy. They
called it Brain, and it was basically a wheel-clamp for PCs. Computers that
ran their program, plus this new bit of code, would stop working after a
year, though they cheerfully provided three telephone numbers, against the
day. If you were a legitimate user, and could prove it, they'd unlock you.

But in the way of all emergent technologies, something entirely unintended
happened. The Alvis' wheel-clamp was soon copied by a certain stripe of
computer hobbyist, who began to distribute it, concealed within various
digital documents that people might be expected to want to open.  Because
almost all these booby-trapped files went out on floppy disks, the virus
spread at a pre-Internet snail's pace.

Still, it did wreak a certain amount of low-grade havoc, freezing computers
across the world. The hobbyists did it because they could, or to proudly
demonstrate that they could, or to see what would happen, or simply because
they thought it was neat.  ...

Should the lights go out in our online bus shelters one day, or some
critical control system go spectacularly awry, it may in a sense, however
distantly, be because Israel found a way to shut down Iran's centrifuges.
But in another way it will be the result of a bright idea two brothers once
had, in the vicinity of Lahore Railway Station, to innocently clamp a
digital pirate's wheel.

William Gibson is the author, most recently, of the novel "Zero History."


Another Cloud Risk: Divorcing your vendor

Gene Wirchenko <genew@ocis.net>
Mon, 24 Jan 2011 11:19:40 -0800

Follow these 7 tips to protect your IT assets (and essential company data)
from a service provider breakup gone bad
InfoWorld Home / Adventures in IT / How to divorce your tech vendor
January 24, 2011
http://www.infoworld.com/d/adventures-in-it/how-divorce-your-tech-vendor-089

Opening text (some deletions):

Sure, hooking up with a new IT service provider is all cigars and handshakes
at first. Promises are made and stars glimmer in your eyes as you sign the
contract. The future looks bright.

Then things start to go south.

Before you make a clean break and start fresh with someone new, consider
this cautionary tale of a small biotech firm in the Rocky Mountains that
decided to dump its IT consultant. When the consultant got wind he was about
to be canned, he installed a script that automatically blind-copied him on
all emails to and from the company's top executives. He quickly discovered
that the firm's lead scientist was having an affair. On the day the
consultant was to be fired, he zipped up 500 racy emails and, using another
executive's account, forwarded them to the scientist's wife.

"It was worse than a soap opera and very tragic for the client," says Patty
Laushman, CEO of the Uptime Group, an IT shop asked to perform computer
forensics to prove that the firm's IT vendor was behind the scheme. "Had we
known how unhappy they were with their current vendor, we would have coached
them on how to safely make the switch."

Of course, not all jilted vendors turn into Glenn Close in "Fatal
Attraction." Most vendors who feel wronged just sue you. But with easy
access to your confidential information and core business systems, the risks
from a bad breakup with IT service providers are especially high.
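The story above turns on a script that silently blind-copied executives' mail
to the departing consultant.  As an added example (not code from InfoWorld,
the Uptime Group, or the vendor), the following check is what one would run
on an outgoing mail host before and after a vendor hand-over.  The article
does not say how the script worked; the example assumes the usual mechanism
on a Postfix host, the always_bcc, sender_bcc_maps and recipient_bcc_maps
parameters, and reads a constructed main.cf excerpt and one constructed map
file, with example.com as the assumed company domain.

```python
# Added example (not InfoWorld's, the Uptime Group's, or the vendor's code).
# The article does not say how the consultant's script blind-copied mail; this
# assumes the common mechanism on a Postfix host: the always_bcc,
# sender_bcc_maps and recipient_bcc_maps parameters.  main.cf and the map file
# below are constructed for the example; example.com is the assumed company
# domain.
import re

COMPANY_DOMAINS = {"example.com"}  # assumption: copies staying here are expected
BCC_MAP_PARAMS = ("sender_bcc_maps", "recipient_bcc_maps")

SAMPLE_MAIN_CF = """\
# constructed main.cf excerpt
myhostname = mail.example.com
mydomain = example.com
always_bcc = archive@example.com
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
"""

SAMPLE_MAP_FILES = {
    # constructed source text of /etc/postfix/recipient_bcc
    "/etc/postfix/recipient_bcc": """\
# archive the CEO's mail internally (expected)
ceo@example.com     archive@example.com
# copy the CFO's mail to an address outside the company (finding)
cfo@example.com     consultant@example.net
""",
}


def parse_main_cf(text):
    """Return {parameter: value} from main.cf text (no $variable expansion)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def parse_map(text):
    """Parse 'key  value' lines of a Postfix hash: map source file."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries.append((parts[0], parts[1].strip()))
    return entries


def map_paths(value):
    """'hash:/a, pcre:/b' -> ['/a', '/b']; drops the lookup-table type prefix."""
    paths = []
    for item in re.split(r"[,\s]+", value):
        if item:
            paths.append(item.split(":", 1)[1] if ":" in item else item)
    return paths


def is_external(address, company_domains=COMPANY_DOMAINS):
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in company_domains


def external_bcc_targets(main_cf_text, map_files, company_domains=COMPANY_DOMAINS):
    """List (parameter, matched_key, target) for every BCC whose target lies
    outside the company domains.  map_files maps a map path to its source text."""
    params = parse_main_cf(main_cf_text)
    findings = []
    target = params.get("always_bcc", "")
    if target and is_external(target, company_domains):
        findings.append(("always_bcc", "*", target))
    for param in BCC_MAP_PARAMS:
        for path in map_paths(params.get(param, "")):
            for key, target in parse_map(map_files.get(path, "")):
                if is_external(target, company_domains):
                    findings.append((param, key, target))
    return findings


if __name__ == "__main__":
    for param, key, target in external_bcc_targets(SAMPLE_MAIN_CF, SAMPLE_MAP_FILES):
        print(f"{param}: mail for {key} is blind-copied outside the company to {target}")
```

On a real host the map sources would be read from the paths named in main.cf
(and `postconf -n` gives the effective values, including any set in master.cf
overrides); the point of the check is that a BCC to an outside domain is
never something the business forgets it configured.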


Facebook in the News

Gene Wirchenko <genew@ocis.net>
Thu, 27 Jan 2011 14:50:15 -0800

  [Should I apologise to the RISKS readership because I did not post about
  Mr. Zuckerberg's Facebook page being defaced?  In my defence, there are
  just so many Facebook risks, and I was busy.]

Two more articles:

No one's Facebook profile is safe
When both the Facebook founder and the president of France are
targeted by hackers, it's time to revisit your security settings
January 26, 2011

http://www.infoworld.com/d/adventures-in-it/no-ones-facebook-profile-safe-552
InfoWorld Home / Adventures in IT / The Gripe Line

selected text:

Demonstrating the system's adaptability—quickly, judging by the response
to the Zuckerberg hack—Facebook announced two new security measures this
morning. The first is an HTTPS login that allows you to visit Facebook on a
secure connection. "We are rolling this out slowly over the next few weeks,"
says the site in a public announcement, "but you will be able to turn this
feature on in your Account Settings soon."

The second is called "social authentication." It takes the idea of the
CAPTCHA (the security measure that asks you to eyeball mangled letters,
translate them to English, and type them into a box before you can log on)
a step further. Before you can log on, the system taps your social network
and quizzes you on who you know.

If, for example, the site sees you logged in from Denver in the morning and
London in the afternoon, it might ask you to authenticate your identity by
displaying a picture of one of your own friends and asking you to choose his
name from a list. (You might want to take a look at your privacy settings to
be sure the hacker community can't browse for the answer.) This could prove
embarrassing for those of us who are very bad with names and faces or who
have a zillion friends on Facebook.

Or as pointed out elsewhere, if someone knows your friends, you may be in
for trouble.

InfoWorld Home / InfoWorld Tech Watch
January 26, 2011
Facebook rolls out always-on encryption in wake of CEO's fan page being hacked
Facebook users can opt to connect via SSL over HTTP, but some
third-party features still won't be secure
http://www.infoworld.com/t/data-security/facebook-rolls-out-always-encryption-in-wake-ceos-fan-page-being-hacked-589

selected text:

The important caveat here is that HTTPS implementation will not render
Facebook sessions entirely secure: As noted in the Facebook blog, "Some
Facebook features, including many third-party applications, are not
currently supported in HTTPS. We'll be working hard to resolve these
remaining issues."

In other words, Facebook accounts might still be in jeopardy when used to
access apps for important activities like managing virtual farms, zoos,
towns, mafias, fish tanks, and the like.

  Does anyone else see setups for the next round of trouble?
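  [The caveat quoted above is the familiar mixed-content problem: an HTTPS
  page that still pulls scripts or frames over plain HTTP gives an on-path
  attacker the same foothold as before.  The following scanner is an added
  example, not Facebook's or InfoWorld's code; it walks a constructed HTML
  page standing in for one served over HTTPS and reports every subresource
  that would still load over HTTP, separating loads that can execute
  (scripts, frames, stylesheets) from passive ones.  Page URL and host names
  are placeholders.  PGN-ed]

```python
# Added example, not Facebook's or InfoWorld's code.  It checks an HTTPS page
# for subresources still loaded over plain HTTP (the "third-party applications
# not supported in HTTPS" caveat).  PAGE_URL and SAMPLE_HTML are constructed;
# example.com / example.net are placeholders.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# plaintext loads that can run script or frame content inside the page
ACTIVE = {"script": "src", "iframe": "src", "frame": "src", "object": "data", "embed": "src"}
# plaintext loads that can be tampered with but do not execute
PASSIVE = {"img": "src", "audio": "src", "video": "src"}

PAGE_URL = "https://www.example.com/home"
SAMPLE_HTML = """\
<html><head>
  <script src="/js/app.js"></script>                      <!-- same origin, https -->
  <script src="//static.example.com/lib.js"></script>     <!-- scheme-relative: https -->
  <link rel="stylesheet" href="http://static.example.com/site.css">
</head><body>
  <iframe src="http://apps.example.net/farm?user=42"></iframe>
  <img src="http://cdn.example.net/badge.png">
  <a href="http://www.example.com/help">help</a>           <!-- navigation, not a load -->
</body></html>
"""


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, resolved_url), in document order

    def handle_starttag(self, tag, attrs):
        d = {k: (v or "") for k, v in attrs}
        if tag == "link":
            if "stylesheet" not in d.get("rel", "").lower():
                return
            url, severity = d.get("href"), "active"
        elif tag in ACTIVE:
            url, severity = d.get(ACTIVE[tag]), "active"
        elif tag in PASSIVE:
            url, severity = d.get(PASSIVE[tag]), "passive"
        else:
            return
        if not url:
            return
        # relative and scheme-relative URLs inherit https from the page itself
        resolved = urljoin(self.page_url, url)
        if urlsplit(resolved).scheme == "http":
            self.findings.append((severity, tag, resolved))


def scan_mixed_content(page_url, html):
    """Return the plaintext subresource loads of an https page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only defined for an https page")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def has_active_mixed_content(findings):
    return any(severity == "active" for severity, _, _ in findings)


if __name__ == "__main__":
    for severity, tag, url in scan_mixed_content(PAGE_URL, SAMPLE_HTML):
        print(f"{severity:7} <{tag}> loads {url} over plain HTTP")
```

The scanner only sees what is in the markup; resources fetched by script at
run time need a browser or proxy log to catch.  But the HTTPS-login rollout
the article describes is worth exactly as much as the absence of "active"
findings on the pages that follow it.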


The Inside Story of How Facebook Responded to Tunisian Hacks

Monty Solomon <monty@roscom.com>
Tue, 25 Jan 2011 00:20:53 -0500
  (Alexis Madrigal)

Alexis Madrigal, The Inside Story of How Facebook Responded to Tunisian
Hacks, *The Atlantic*, 24 Jan 2011

It was on Christmas Day that Facebook's Chief Security Officer Joe Sullivan
first noticed strange things going on in Tunisia. Reports started to trickle
in that political-protest pages were being hacked.  "We were getting
anecdotal reports saying, 'It looks like someone logged into my account and
deleted it,'" Sullivan said.

For Tunisians, it was another run-in with Ammar, the nickname they've given
to the authorities that censor the country's Internet. They'd come to expect
it.

In the days after the holiday, Sullivan's security team started to take a
closer look at the data, but it wasn't entirely clear what was happening. In
the US, they could look to see if different IP addresses, which identify
particular nodes on the network, were accessing the same account. But in
Tunisia, the addresses are commonly reassigned. The evidence that accounts
were being hacked remained anecdotal. Facebook's security team couldn't
prove something was wrong in the data.  It wasn't until after the new year
that the shocking truth emerged:

Ammar was in the process of stealing an entire country's worth of passwords.
...

http://www.theatlantic.com/technology/print/2011/01/the-inside-story-of-how-facebook-responded-to-tunisian-hacks/70044/


The Inside Story of How Facebook Responded to Tunisian Hacks

Lauren Weinstein <lauren@vortex.com>
Mon, 24 Jan 2011 21:37:36 -0800

  [More from Network Neutrality, which is full of goodies these days. PGN]

   "The country's Internet service providers were running a malicious
    piece of code that was recording users' login information when they
    went to sites like Facebook."  http://bit.ly/i5YBm6  (The Atlantic)


Yet Another Risk: Not reading the package very carefully

Paul Robinson <paul@paul-robinson.us>
Wed, 26 Jan 2011 14:16:04 -0800 (PST)

Previously, I told my wale of toe about knocking over a hard drive with
thousands of MP3s, when I should have known better and been more careful.
With my serious insistence on safety I am deeply ashamed.

Well, now needing to lock - and bolt - the door after the horse escaped I
have to do something I hate, to "spend money in anger", to expend funds to
fix a problem: buy a new hard drive in order to prevent a recurrence of my
last problem of insufficient backup of data from lack of a place to store
it.

I went over to Micro Center as they are a great place to buy computer stuff
and prices are very competitive, often better than many Internet retailers.

I'm used to 40-pin drives so I figure I'll either buy an internal one or
external USB.  Internals are about $50 cheaper in the two terabyte size, USB
is about $120 and internal is around $89.  So I pick up an internal,
especially since Seagate offers a 5-year warranty.  If I don't drop it again
and it goes bad, I get a replacement.  No it doesn't cover replacement of
data; I'm stupid but not that stupid, I will have backups.

So I want to buy a Blu-Ray burner, they're around $120, but the store
personnel can't find them even though they're supposed to have two in stock,
until the guy brings out one, whose box I read "very" carefully.  It's a
DVD writer and BD disk reader, it does not write BD-R disks.  One of the
clerks does find one, but it's like $350, waaay over my threshold of pain.

Well, if I use my old computer as a file server, make a backup on my new
one, I can get by until next month and buy a BD-writer.

So I get the drive home and discover I didn't even look at the box, it said
right on it, it's a SATA drive.  I discover I'm used to the 40-pin PATA
drive type, and they are different connectors.  But I decide to take a look;
I open up my replacement computer and discover by sheer dumb luck its hard
drive - and even the DVD burner - are SATA drives.  I notice also they've
eliminated jumpers on the drive, SATA drives are cable select.  All I have
to do is pull the DVD drive out, plug the new drive in, and I can clone it
over.

I tried some downloadable software from the Internet but it fails on a minor
block error on the original drive in this machine.  The new drive came with
a CD containing a drive cloning software program, only I've removed the DVD
drive, I'd have to shut down, replace the DVD, restart, set up the software,
then shut down, remove the DVD and replace the other hard drive.

Fortunately, last year I had bought a USB DVD burner, so I was prepared.  I
used that, duplicated the old disk and it knew the new partition was 1.7 TB
instead of the current 72 GB.  (There's a 4.9GB recovery partition and I
figure there's spacing issues because propeller heads like myself think of
1TB as 1024^4 but hard drive makers call 1 TB 1000^4.) Only problem was I
didn't watch and it copied by percentages, so the recovery partition will be
122GB, not 4.9.  I do not want to lose over 110 GB so I have to wait until
it finishes, reboots, then run it over again, this time manually resetting
the size of the recovery partition.  That ends up being 6GB (I can live with
losing one gigabyte!) and the procedure is flawless, it even recovers from
two small errors on the original disc.

I move the clone disk in place of the original, reinstall the DVD player,
and the computer starts up, you can't tell the difference except the
computer now reports it has 1.9 TB free instead of about 50GB.  I am using
that computer with the new hard drive to write this message.

But the other thing I want to do is have disc backups.  Since my files now
exceed 40GB - not counting what I lost from my music collection - I decide
DVD backup at 4GB a pop is getting tedious, I should move to Blu-Ray, at
25GB a pop.  Price is only about twice that of DVD, about $2 a disk.  But I
saw an excellent deal on Buy.Com, two BD-R spindles of 15 for $28 and free
shipping, or about 2 for the price of 1.

I mention my story to some friends and one notes Tiger Direct is selling
Blu-Ray burners for $69.  I check it out, and discover what I suspected.  If
you read the specifications carefully, you find it again is a DVD writer and
Blu-Ray reader.  I saw one for $79, again had to read its specs; BD reader,
not burner.

But I find one that definitely says it writes BD-R disks, and it's $109
(Internal).  So I might buy that one, or I might spend a little more and get
a USB model so I can take it with me if I take my backup disks elsewhere.

But again, the risk here is you must read the package to make sure you do
get the right product.  You also need to make sure you know when what you're
using has changed so, again, you get the product you actually need, not what
you think you do.  More than 2,500 years ago the Romans had a phrase that
told us that if you're buying stuff make sure you read the package and know
what you're buying:

Caveat Emptor.


Video: Software Security and Malicious Code

Gary McGraw <gem@cigital.com>
Wed, 19 Jan 2011 14:24:20 -0500

Sadly, the world is pretty seriously confused about malicious code (aka
malware) and its relationship to software security.  I tried to address the
basics in a video recently released by Invincea.  We posted a copy on the
Justice League blog:

http://www.cigital.com/justiceleague/2011/01/19/malicious-code-and-software-security/


WECSR 2011, March 4, 2011 - Call for participation

Sven Dietrich <wecsr2011@easychair.org>
Wed, 26 Jan 2011 17:24:28 +0000

2nd Workshop on Ethics in Computer Security Research (WECSR 2011)
Bay Gardens Beach Resort, St. Lucia
http://www.cs.stevens.edu/~spock/wecsr2011/
March 4, 2011

CALL FOR PARTICIPATION

The workshop is an international platform for discussing ethical issues in
computer security research, where researchers, practitioners, policy makers,
and others can contribute. Presentations, panels, and invited speakers will
be featured in this year's instance.

The workshop is held in conjunction with Financial Cryptography and Data
Security 2011.

Topics:

Ethics, Role of IRBs, Electronic voting security, Botnets, Human subject
research, Take-down research, Data sharing, Shaping the future

IMPORTANT DATES

Reduced registration rate cut-off: February 11, 2011

Please send any questions to spock + wecsr2011 @ cs . stevens . edu

Further details can be found at http://www.cs.stevens.edu/~spock/wecsr2011/

INVITED SPEAKERS

Alex Halderman (University of Michigan)
Ethical Issues in E-Voting Security Analysis

Christopher Soghoian (Indiana University)
Enforced community standards for privacy-violating research

PROGRAM

Papers:

Security Research with Human Subjects: Informed Consent, Risk, and Benefits.
Maritza Johnson, Steven Bellovin and Angelos Keromytis (Columbia University)

Ethical Dilemmas in Take-down Research.
Tyler Moore (Harvard University) and Richard Clayton (University of Cambridge)

Ethical Considerations of Sharing Data for Cybersecurity Research.
Darren Shou (Symantec)

Panels:

Human Subjects, Agents, or Bots: Current Issues in Ethics and Computer Security Research.
Panel moderator: Elizabeth Buchanan
Panelists: John Aycock (University of Calgary), Scott Dexter (Brooklyn College, CUNY) and Dave Dittrich (University of Washington)

Moving forward, building an ethics community
Moderator: Erin Kenneally (UC San Diego/CAIDA/Elchemy)
Panelists: TBD

Rump session:

There will be a rump session for presenting recent research and controversial ideas and topics.

SOCIAL PROGRAM

There will be excursions the day before and after the workshop, as well as a reception the night before the workshop.

ORGANIZERS

All FC'11 (http://fc11.ifca.ai) workshops are organized by:

General Chair: Steven Murdoch, University of Cambridge
Local Arrangements Chair: Fabian Monrose, University of North Carolina
  Chapel Hill

PROGRAM COMMITTEE:

Program Chair: Sven Dietrich, Stevens Institute of Technology

Michael Bailey, University of Michigan
Elizabeth Buchanan, University of Wisconsin-Milwaukee
Aaron Burstein, University of California Berkeley
Nicolas Christin, Carnegie Mellon University
Michael Collins, RedJack
Marc Dacier, Symantec Research
Roger Dingledine, The Tor Project
David Dittrich, University of Washington
Kenneth Fleischmann, University of Maryland
Rachel Greenstadt, Drexel University
Erin Kenneally, UC San Diego/CAIDA/Elchemy
Engin Kirda, EURECOM
Howard Lipson, CERT
John McHugh, University of North Carolina, Chapel Hill
Peter Neumann, SRI International
Vern Paxson, University of California, Berkeley / ICSI
Len Sassaman, KU Leuven
Angelos Stavrou, George Mason University
Michael Steinmann, Stevens Institute of Technology
Paul Syverson, Naval Research Laboratory

The Workshop on Ethics in Computer Security Research is organized by
The International Financial Cryptography Association (IFCA).
