The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 35

Sunday 20 February 2011

Contents

U.S.-centrism: a Blind Spot
Gene Wirchenko
UK Immigration Officer Puts Wife on the No-Fly List
Bruce Schneier
Risks of trusting GPS
Steve Lamont
Court applies "computer use" sentence enhancement due to simple cell phone use
Lauren Weinstein
New Hacking Tools Pose Bigger Threats to Wi-Fi Users
Kate Murphy via) Monty Solomon
Risk of using old techniques on new technologies
Jim Reisert
Free File Fillable Forms vs. Foreign Country
jidanni
Kill Switch, Anyone?
Gene Wirchenko
DHS/ICE vs. ICANN
Lauren Weinstein
FBI wants surveillance backdoors in ... pretty much everything
Lauren Weinstein
The Dirty Little Secrets of Search
David Segal via Monty Solomon
How does Nabble store passwords?
jidanni
SpyTunes
Andrew Mcafee via Monty Solomon
Precioussss! Mental price comparisons
Gene Wirchenko
Alarm Fatigue
Cliff Sojourner
Re: Tree octopus exposes Internet illiteracy
Kelly Bert Manning
Good, techish, update on Stuxnet
Symantec via Danny Burstein
REVIEW: "Extrusion Detection", Richard Bejtlich
Rob Slade
Computers, Freedom and Privacy 2011, WashDC, 14-16 Jun 2011
Lillie Coney
Info on RISKS (comp.risks)

U.S.-centrism: a Blind Spot

Gene Wirchenko <genew@ocis.net>
Thu, 17 Feb 2011 13:02:14 -0800

Why the revolution will not be tweeted; Twitter and Facebook didn't create
the Egyptian revolution. But Silicon Valley's belief they did shows the
smug, ethnocentric blindness that's damaging the technology industry,
*InfoWorld*, 17 Feb 2011
http://www.infoworld.com/d/the-industry-standard/why-the-revolution-will-not-be-tweeted-753

selected text:

Paul Revere galloped from Charlestown to Lexington on that famous night in
1775. He couldn't have done it without his horse, so did that mean the
American Revolution was really the "horse revolution"?  That's silly, of
course. But calling the Egyptian revolution the "Facebook (or Twitter)
revolution" is just as misguided, and it's a symptom of our ethnocentric
habit of viewing the world through the prism of the American experience or
-- in the case of Egypt—American technology.

There's no doubt that Twitter and Facebook were tools the mostly young
Egyptian rebels used to good effect. But that's all they were: tools. After
all, the revolution continued—and intensified—when those tools were
disabled by the Egyptian government's shutdown of the Internet. Yet we in
the media and the technology industry are absolutely convinced that it
couldn't have happened without social networking. As New Yorker magazine
author Malcolm Gladwell puts it: "Where activists were once defined by their
causes, they are now defined by their tools." Exactly.

The blind spot that puts the American tech industry at risk If that blind
spot extended no further than to foreign news events, it would be crippling
enough. But the emergence of the developing world as a key market, supplier,
and competitor makes that occluded vision all the more dangerous—and yet
another reason why it's so difficult for us to compete against countries
such as India, China, South Korea, and Singapore.

It's worth noting, for example, that Asia now accounts for 20 percent of
world software revenue; when that's added to Europe's 36 percent share, the
American market is a minority, according to a study by Pierre Audoin
Consultants. The middle class in those countries is growing rapidly, and
like the Horatio Alger story of old, many of those newly prosperous people
are pulling themselves up by their bootstraps.

Still, in the popular discourse, it doesn't seem matter how much logic can
be brought to bear: We're convinced that Twitter and Facebook are the
engines of everything because they are ours. We invented them, we own them,
we know how to use them. They must be important.

Such thinking isn't so different than that of the product manager who can't
find Singapore on a map and wonders why he can't sell anything in that
country or strike a deal with a supplier there. Looking at the world as if
it were a shadow of the United States is foolish and shortsighted, as well
as a recipe for failure.

It is all too easy to consider others as being lesser versions of oneself.
U.S. people are rather prone to this, but it can strike anywhere.


UK Immigration Officer Puts Wife on the No-Fly List

Bruce Schneier <schneier@SCHNEIER.COM>
Tue, 15 Feb 2011 00:03:31 -0600

  [From CRYPTO-GRAM, 15 Feb 2011.  PGN]

A UK immigration officer decided to get rid of his wife by putting her on
the no-fly list, ensuring that she could not return to the UK from abroad.
This worked for three years, until he put in for a promotion and—during
the routine background check—someone investigated why his wife was on the
no-fly list.

Okay, so he's an idiot.  And a bastard.  But the real piece of news here is
how easy it is for a UK immigration officer to put someone on the no-fly
list with *absolutely no evidence* that that person belongs there.  And how
little auditing is done on that list.  Once someone is on, they're on for
good.

That's simply no way to run a free country.

http://www.cnbc.com/id/41372870
http://www.loweringthebar.net/2011/02/immigration-officer-puts-wife-on-the-no-fly-list.html
or http://tinyurl.com/4qghpxg
http://www.dailymail.co.uk/news/article-1351937/Immigration-officer-fired-putting-wife-list-terrorists-stop-flying-home.html
or http://tinyurl.com/67ofkgo


Risks of trusting GPS

Steve Lamont <spl@ncmir.ucsd.edu>
Fri, 18 Feb 2011 12:21:07 -0800

My commuter train was 90 minutes late on Wednesday evening (2/16/11).

Here's why:

GPS Blamed For Car On Tracks Hit By Train, 17 Feb 2011
  http://www.10news.com/news/26899033/detail.html

A 63-year-old Oklahoma woman in San Diego to visit her son narrowly escaped
injury when her rental car became stuck on train tracks thanks to bad
directions she received from the vehicle's GPS feature.  The rented 2009
Hyundai Accent was struck in the rear by a Coaster train at 3298 Kettner
Blvd. around 7:20 p.m. 15 Feb 2011, according to San Diego County sheriff's
Sgt. Darrell Strohl.  It was wet and dark outside, and the GPS directed the
woman to turn left onto the railway, which she believed was a street, he
said, adding that the car became stuck on some gravel.


Court applies "computer use" sentence enhancement due to simple

<Lauren Weinstein>
Mon, 14 Feb 2011 09:50:23 -0800
  cell phone use

http://j.mp/gJDb6G  (City Business)

  But the man objected when federal prosecutors moved to make his sentence
  longer for use of a computer. Prosecutors argued his cellphone qualifies
  as a computer under the definition in federal law.  U.S. District Judge
  Richard Dorr agreed, sentencing Kramer to 14 years in prison, a term that
  the judge said was more than two years longer than he otherwise would have
  imposed.  Kramer appealed, arguing he only used his phone to make calls
  and send text messages, so it shouldn't be considered a computer. But a
  three-judge panel of the St.Louis-based 8th Circuit upheld the sentence,
  finding the federal definition of computer is broad enough to encompass
  cellphones.


New Hacking Tools Pose Bigger Threats to Wi-Fi Users (Kate Murphy)

Monty Solomon <monty@roscom.com>
Sat, 19 Feb 2011 01:26:05 -0500

Kate Murphy, *The New York Times*, 16 Feb 201
http://www.nytimes.com/2011/02/17/technology/personaltech/17basics.html

You may think the only people capable of snooping on your Internet activity
are government intelligence agents or possibly a talented teenage hacker
holed up in his parents' basement. But some simple software lets just about
anyone sitting next to you at your local coffee shop watch you browse the
Web and even assume your identity online.

"Like it or not, we are now living in a cyberpunk novel," said Darren
Kitchen, a systems administrator for an aerospace company in Richmond,
Calif., and the host of Hak5, a video podcast about computer hacking and
security. "When people find out how trivial and easy it is to see and even
modify what you do online, they are shocked."

Until recently, only determined and knowledgeable hackers with fancy tools
and lots of time on their hands could spy while you used your laptop or
smartphone at Wi-Fi hot spots. But a free program called Firesheep, released
in October, has made it simple to see what other users of an unsecured Wi-Fi
network are doing and then log on as them at the sites they visited.

Without issuing any warnings of the possible threat, Web site administrators
have since been scrambling to provide added protections.


Risk of using old techniques on new technologies

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Thu, 17 Feb 2011 14:11:31 -0700

"At the Non-volatile Systems Laboratory we have designed a procedure to
bypass the flash translation layer (FTL) on SSDs and directly access the raw
NAND flash chips to audit the success of any given sanitization
technique. Our results show that naively applying techniques designed for
sanitizing hard drives on SSDs, such as overwriting and using built-in
secure erase commands is unreliable and sometimes results in all the data
remaining intact. Furthermore, our results also show that sanitizing single
files on an SSD is much more difficult than on a traditional hard drive."
http://nvsl.ucsd.edu/sanitize/

  Jim Reisert AD1C, <jjreisert@alum.mit.edu>, http://www.ad1c.us


Free File Fillable Forms vs. Foreign Country

<jidanni@jidanni.org>
Sun, 13 Feb 2011 09:03:37 +0800

http://www.irs.gov/efile/article/0,,id=218049,00.html :
"Can I electronically file using Free File Fillable Forms if my address
is in a foreign country? No, if the address on Form 1040, Form 1040A or
Form 1040EZ is in a foreign country you will not be able to
electronically file your return."

So junior/aka/bozo/aka/me fills in his mom's address.

And gets hit with a hefty Illinois tax bill.


Kill Switch, Anyone?

Gene Wirchenko <genew@ocis.net>
Thu, 17 Feb 2011 13:44:28 -0800

Ted Samson, Feds wrongly links 84,000 seized sites to child porn;
Homeland Security overshoots as it takes down popular mooo.com domain
alongside child porn sites, *InfoWorld*, 17 Feb 2011
http://www.infoworld.com/t/regulation/feds-wrongly-links-84000-seized-sites-child-porn-966

Imagine, if you will, that you're a respectable, law-abiding owner of a
small-business. You show up to your shop one fine morning only to find the
doors barred and a big sign in front window reading, "The Federal government
has seized this business as it's affiliated with creating, distributing,
and/or storing child pornography."

As part of the successful seizure of 10 Web domains suspected of storing,
displaying, or peddling child pornography, The Department of Justice and
Homeland Security's ICE (Immigration and Customs Enforcement) office also
seized a domain called mooo.com, the most popular shared domain at
afraid.org, which belongs to a DNS provider called FreeDNS.

According to FreeDNS, mooo.com isn't a domain used for anything related to
child porn; rather, it's home to some 84,000 Web sites primarily belonging
to individuals and small businesses. Yet in pulling the plug on mooo.com,
the Feds effectively shut down all 84,000 of those sites. But visitors to
those sites wouldn't simply get an error along the lines of "This site is
currently down," or even "This site has been temporarily seized by Homeland
Security."

Nope, instead, a visitor would be taken to a banner with the logos of the
Homeland Security and the Department of Justice, beneath which text reading:
"This domain name has been seized by ICE—Homeland Security Investigations
pursuant to a seizure warrant ... under the authority of Title 17 USC
2254. Advertisement, distribution, transportation, receipt, and possession
of child pornography constitute federal crimes...."

One of the big questions here is, how did this happen? Under Federal law,
the ICE simply needs to convince a district court judge to sign a seizure
warrant, then to order the domain registries to redirect the seized domains
to warning message. What's not clear, though, is how or why mooo.com ended
up seized. Clerical error? Typo? Who knows?


DHS/ICE vs. ICANN

Lauren Weinstein <lauren@vortex.com>
Thu, 17 Feb 2011 15:17:33 -0800

Greetings.  In the vein of making lemonade when you have lemons, it occurs
to me that the upcoming damage from ICANN's TLD expansion madness may have
an unexpected solution—the folks at DHS/ICE.

Here's the simple plan.  All we have to do is convince ICE to confiscate
domains faster than ICANN can issue TLDs for new ones.  Given how ICE
managed to shut down 84K innocent domains in one fell swoop and tarnish them
with c-porn allegations for site visitors, this should be easy as pie for
those guys, especially since due process isn't required!

After all, much of the world is going to block dot-ex-ex-ex from day one
anyway.  And probably dot-gay.  And who knows what else ...

All it should take is a few allegations of illicit Disney videos hosted on
(or even just linked from) a TLD, and ICE will be out at the registry
ordering them to flip the domain "off" switch.

In fact, to make this even easier, perhaps the government should have direct
access to DNS databases so that they can terminate domains without all the
muss and fuss of dealing with the registries and registrars at all!

Or is that already in pending legislation?  Gotta go check that again.

It's all so much simpler when you just toss Internet Freedoms out the
window.  Phew.  Problem solved.

http://j.mp/euQaAB  (Google Buzz)

Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
Network Neutrality Squad: http://www.nnsquad.org Tel: +1 (818) 225-2800
Blog: http://lauren.vortex.com Twitter: https://twitter.com/laurenweinstein


FBI wants surveillance backdoors in ... pretty much everything

Lauren Weinstein <lauren@vortex.com>
Thu, 17 Feb 2011 10:56:21 -0800

http://j.mp/hdBHRE  (CNET)

  [From Network Neutrality Squad]


The Dirty Little Secrets of Search (David Segal)

Monty Solomon <monty@roscom.com>
Sun, 13 Feb 2011 15:14:59 -0500

David Segal, The Dirty Little Secrets of Search, 12 Feb 2011
http://www.nytimes.com/2011/02/13/business/13search.html

PRETEND for a moment that you are Google's search engine.  Someone types the
word "dresses" and hits enter. What will be the very first result?  There
are, of course, a lot of possibilities. Macy's comes to mind.  Maybe a
specialty chain, like J. Crew or the Gap. Perhaps a Wikipedia entry on the
history of hemlines.

O.K., how about the word "bedding"? Bed Bath & Beyond seems a candidate. Or
Wal-Mart, or perhaps the bedding section of Amazon.com.  "Area rugs"? Crate
& Barrel is a possibility. Home Depot, too, and Sears, Pier 1 or any of
those Web sites with "area rug" in the name, like arearugs.com.

You could imagine a dozen contenders for each of these searches. But in the
last several months, one name turned up, with uncanny regularity, in the
No. 1 spot for each and every term:

J. C. Penney.

The company bested millions of sites - and not just in searches for dresses,
bedding and area rugs. For months, it was consistently at or near the top in
searches for "skinny jeans," "home decor," "comforter sets," "furniture" and
dozens of other words and phrases, from the blandly generic ("tablecloths")
to the strangely specific ("grommet top curtains").

This striking performance lasted for months, most crucially through the
holiday season, when there is a huge spike in online shopping. J.  C. Penney
even beat out the sites of manufacturers in searches for the products of
those manufacturers. Type in "Samsonite carry on luggage," for instance, and
Penney for months was first on the list, ahead of Samsonite.com.

With more than 1,100 stores and $17.8 billion in total revenue in 2010,
Penney is certainly a major player in American retailing. But Google's
stated goal is to sift through every corner of the Internet and find the
most important, relevant Web sites.

Does the collective wisdom of the Web really say that Penney has the most
essential site when it comes to dresses? And bedding? And area rugs? And
dozens of other words and phrases?  ...


How does Nabble store passwords?

<jidanni@jidanni.org>
Sat, 19 Feb 2011 06:25:08 +0800

Nabble is a public forum where all users' messages are public records.
With Nabble, your user account is for public posting and identification,
and contains no valuable private information. Because of this public
nature, we do not see a need to encrypt password. Your password is
stored in our secure database but is not encrypted. If you forget your
password, you can retrieve it through our website and the password will
be emailed to you in clear text.
  http://old.nabble.com/help/Answer.jtp?id=25


SpyTunes (Andrew Mcafee)

Monty Solomon <monty@roscom.com>
Sat, 19 Feb 2011 01:16:08 -0500

Andrew Mcafee, 18 Feb 2011

A little while back I was putting together an iTunes playlist to give to my
Mom as a gift, and found myself frustrated by the application's user
interface. It kept telling me that Mom already had one song after another,
and refusing to let me complete the gifting process until I removed the
duplicate song from the playlist.

After I did this three or four times I gave up, complaining to my girlfriend
how clunky the process was. She replied "That's not the real problem. The
real problem is that iTunes is telling you what music someone else has."

http://andrewmcafee.org/2011/02/mcafee-apple-itunes-privacy-hole-violation/


Precioussss! Mental price comparisons

Gene Wirchenko <genew@ocis.net>
Tue, 15 Feb 2011 10:59:25 -0800

Inapt price comparisons are all too common.  Comparing the price of a with
the price of an equal weight of precious metal might seem to be one, but.

Keir Thomas, High prices threaten to kill tablet adoption;
With the Motorola Xoom rumored to cost $1199, a high-price niche
could turn people away from tablet computing.  *ITBusiness*, 15 Feb 2011
http://www.itbusiness.ca/it/client/en/cdn/News.asp?id=61312

This sounds like a grouchy (and obvious) question, but are tablet computers
too expensive? Are high prices going to push the nascent tablet computing
platform into a nose dive it can't recover from?

The Galaxy Tab weighs 368 grams. If you decided to invest in the equivalent
weight of pure silver, it'd cost half the price of a Tab ($356 for 368 grams
of silver vs. $600 for the Tab at $0.97 per gram of silver).

The top-range, Wi-Fi-only iPad is also more expensive as its own weight in
silver: $659.60 for 680 grams of silver vs. $699 for a 64GB Wi-Fi iPad.

Comparisons to precious metals are apt. I've yet to invest in a tablet and
there's a reason: I'm seriously concerned about theft.

Like jewelry, tablet computers are highly portable by design. A computer
journalist friend of mine wanted to write about the practicality of tablets
so he used one on subway trains, and in the park, and on buses. It was going
very well until one particular bus came to a stop, and somebody snatched the
tablet out of his hands before sprinting away.


Alarm Fatigue

Cliff Sojourner <cls@employees.org>
Fri, 18 Feb 2011 09:23:33 -0800

As a follow-up from my note 15 years ago in RISKS-17.50,
(http://catless.ncl.ac.uk/Risks/17.50.html#subj6.1)...
this article from *The Boston Globe* does a good job relating risks of
medical alarm systems.
http://www.boston.com/news/local/massachusetts/articles/2011/02/14/no_easy_solutions_for_alarm_fatigue/

"Alarm fatigue" is a good term, I think most people can grasp the concept.
The article also talks about "unintended consequences," a major component of
risk assessment.


Re: Tree octopus exposes Internet illiteracy

Kelly Bert Manning
Wed, 16 Feb 2011 02:49:44 -0500 (EST)

Seeing should not always be believing.

Do a web search on BBC Spaghetti Harvest.

West Coast Pioneering photographers found they could earn money making and
selling composite photos of fish superimposed on railway flatcars and
similar spectacles.

One result of the recent proliferation of using edited digital photos in
court and other arenas is that some people, at least, are beginning to
realize that "photographic evidence" may not be all that it claims to be.


Good, techish, update on Stuxnet (Symantec)

danny burstein <dannyb@panix.com>
Sat, 12 Feb 2011 23:09:02 -0500 (EST)

When we released our paper on Stuxnet by Nicolas Falliere, Liam O Murchu,
and Eric Chien in September, we mentioned we=E2=80=99d likely continue to
make revisions.  We have two major updates to the paper and some other minor
changes throughout.  A summary of these updates follows and more detailed
information can be found in the paper.  [Symantec]

http://www.symantec.com/connect/fr/blogs/updated-w32stuxnet-dossier-available


REVIEW: "Extrusion Detection", Richard Bejtlich

Rob Slade <rMslade@shaw.ca>
Mon, 14 Feb 2011 16:51:47 -0800

BKEXTDET.RVW   20101023

"Extrusion Detection", Richard Bejtlich, 2006, 0-321-34996-2,
U$49.99/C$69.99
%A   Richard Bejtlich www.taosecurity.com taosecurity.blogspot.com
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2006
%G   0-321-34996-2
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$69.99 416-447-5101 800-822-6339 bkexpress@aw.com
%O  http://www.amazon.com/exec/obidos/ASIN/0321349962/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0321349962/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321349962/robsladesin03-20
%O   Audience a+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P   385 p.
%T   "Extrusion Detection:Security Monitoring for Internal Intrusions"

According to the preface, this book explains the use of extrusion detection
(related to egress scanning), to detect intruders who are using client-side
attacks to enter or work within your network.  The audience is intended to
be architects, engineers, analysts, operators and managers with an
intermediate to advanced knowledge of network security.  Background for
readers should include knowledge of scripting, network attack tools and
controls, basic system administration, TCP/IP, as well as management and
policy.  (It should also be understood that those who will get the most out
of the text should know not only the concepts of TCP/IP, but advanced level
details of packet and log structures.)  Bejtlich notes that he is not
explicitly addressing malware or phishing, and provides references for those
areas.  (It appears that the work is not directed at information which might
detect insider attacks.)

Part one is about detecting and controlling intrusions.  Chapter one reviews
network security monitoring, with a basic introduction to security (brief
but clear), and then gives an overview of monitoring and listing of some
tools.  Defensible network architecture, in chapter two, provides lucid
explanations of the basics, but the later sections delve deeply into
packets, scripts and configurations.  Managers will understand the
fundamental points being made, but pages of the material will be
impenetrable unless you have serious hands-on experience with traffic
analysis.  Extrusion detection itself is illustrated with intelligible
concepts and examples (and a useful survey of the literature) in chapter
three.  Chapter four examines both hardware and software instruments for
viewing enterprise network traffic.  Useful but limited instances of layer
three network access controls are reviewed in chapter five.

Part two addresses network security operations.  Chapter six delves into
traffic threat assessment, and, oddly, at this point explains the details of
logs, packets, and sessions clearly and in more detail.  A decent outline of
the advance planning and basic concepts necessary for network incident
response is detailed in chapter seven (although the material is generic and
has limited relation to the rest of the content of the book).  Network
forensics gets an excellent overview in chapter eight: not just technical
points, but stressing the importance of documentation and transparent
procedures.

Part three turns to internal intrusions.  Chapter nine is a case study of a
traffic threat assessment.  It is, somewhat of necessity, dependent upon
detailed examination of logs, but the material demands an advanced
background in packet analysis.  The (somewhat outdated) use of IRC channels
in botnet command and control is reviewed in chapter ten.

Bejtlich's prose is clear, informative, and even has touches of humour.  The
content is well-organized.  (There is a tendency to use idiosyncratic
acronyms, sometimes before they've been expanded or defined.)  This work is
demanding, particularly for those still at the intermediate level, but does
examine an area of security which does not get sufficient attention.

copyright, Robert M. Slade   2010     BKEXTDET.RVW   20101023
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/


Computers, Freedom and Privacy 2011, WashDC, 14-16 Jun 2011

Lillie Coney <coney@epic.org>
Fri, 18 Feb 2011 17:54:59 -0500

The 2011 Computers Freedom and Privacy annual conference will convene at the
Georgetown Law Center located in Washington DC on 14-16 Jun 2011.  This
year's CFP will explore the intersection of policy, technology, and action.
The meeting will involve technology and policy experts and activists in
forums designed to engage the public and policymakers in discussions about
the information society and the future of technology, innovation, and
freedom. For more on the meeting visit:
  http://cfp.org/2011

A research poster session is planned for 16 Jun 2011.  To submit for the
research poster session visit:
  https://www.easychair.org/account/signin.cgi?conf=cfp21research

To submit proposals for panels, workshops, plenaries, speakers or BoFs visit:
  http://www.cfp.org/2011/wiki/index.php/Submission_guidelines

You are encouraged to share information regarding the meeting with your
online and offline network.

Please report problems with the web pages to the maintainer

Top