The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 63

Tuesday 22 November 2011


Online elections
  Rob Slade
Americans Elect
  Jim Cook
Android leads the way in mobile malware growth
  Peter Houppermans
Firm Sought to Install Spyware Via Faked iTunes Updates
  Werner U
"Why Law Enforcement Can't Stop Hackers"
  Meridith Levinson via Gene Wirchenko
The Web as Backyard Fence Gone Wild
  Galen Gruman via Gene Wirchenko
Re: Update: U.S. water plants reportedly hit by cyber attacks
  Howard Webb
Re: 9 Million Israelis' PII hacked
  Barry Jaspan
Slovenia attacks panoramic photography
  Lauren Weinstein
Re: How Google, by voluntarily implementing facial blurring...
  Amos Shapir
Protecting data for the long term with forward secrecy
  Lauren Weinstein
Re: "Coming conundrum: Malware signed ...
  David Shambroom
Congress Declares War on the Global Internet - Internet Replies "Bring It On!"
  Robert Heuman
Re: ANA plane goes nearly belly up ... wrong knob turned
  John Stanley
  Larry Sheldon
Re: The Coming Fascist Internet
  Amos Shapir
The Surveillance Catalog
  Gabe Goldberg
How to persuade lawmakers to change their passwords
  Chiaki Ishikawa
I think I got a spammed
Info on RISKS (comp.risks)

Online elections

Rob Slade <>
Fri, 18 Nov 2011 17:17:19 -0800

Electronic and online voting systems have been a topic of interest on this
forum.  I thought I'd add some observations from recent experience.

I belong to an organization that is holding board elections.  We used to
have elections at the AGM, with those who couldn't attend submitting mail
ballots.  Our "voter turnout" has always been low.  In the past few years,
there has been an option for online voting.

There have been problems in the last few years, but this year it seems the
problems are greater.  I was one of those having difficulty voting.  I tried
nine times, with four browsers, on two machines, before I succeeded.

Wednesday (Firefox) the voting button (at that time just labeled "Button")
had no function.  Thursday I got "Sorry, an error has occurred while
processing your request."  No option to do anything.  When I tried to go
back to the page, the button said "Submitting" and was inactive. When I
tried to reload or revisit the page, the button again said "Submit," but was
no longer active.

Firefox gave me an error submitting the vote.  Safari gave me an error
submitting the vote.  IE initially wouldn't show me the information about
the election on the member home page: when I specified the voting URL it
wouldn't even let me log in.  (Firefox and Safari both demanded that I log
in twice, once for the main site, and once for the election.)

I did, finally (after eight attempts on the first machine), manage to vote
by going to a different machine (a Mac, using Safari).  I'm fairly sure I
voted, because now the system says I can't vote twice.  Whether or not my
vote was counted is a matter of faith.  But there is obviously a fairly
severe problem.

(In terms of faith in the system, I should note that this year's system lacks
a feature of the old system that was very reassuring.  The voting takes
place over a period of approximately two weeks.  Under the old system, you
could vote, and then go back at any time up to the end of the voting period
and review your vote.  Granted, this reassurance still relied upon the
supposition that the system and/or people behind it did count the votes, and
that they did not read your voting in the meantime.  However, if it did not
actually fulfill much of a functional requirement for confidence in the
voting system, it did, at least, provide something of an assurance
requirement that your vote had actually been entered [somewhere].)

I'm not sure what the problem is.  It isn't with the browser or system,
because others have voted with Win7 (64) and Firefox 8.  (It may possibly be
with the settings: I'm fairly aggressive about privacy and security.  For
obvious reasons.  However, this is unlikely, since I'm mainly aggressive
with Firefox, and don't use the others much.)

It can't be to do with cookies, because all three browsers failed on my main
machine, and they don't share cookies.  It may be possible that some slip in
the procedure did something with my IP address, hence the ability to vote on
a different machine.  (No, wait, that shouldn't matter, because I'm behind a
NAT ...)

(I very strongly suspect, for a variety of reasons, that this new voting
system is built on top of Sharepoint.  From past experiences I am definitely
not a Sharepoint fan.)

I should mention one other point.  There is a provision for write-in
candidates in the system.  Today someone noted the fact that there are five
slots for write-in candidates, but you are only supposed to vote for four
people.  I figured it was a great piece of social engineering if you truly
wanted to rig the vote in favour of the "official" candidates: those who are
likely to vote for anyone other than the official candidates would be those
most likely to spoil their ballots by putting in too many votes.  Then I
began to wonder.  Given the problems with the rest of the system, did anyone
think of that possibility?  Is there anything in the programming that
actually checks to see how many people you voted for?  And, even if there
is, is there anything that checks to make sure you don't vote for the same
write-in candidate four times?  (Or five, if the check isn't there.)

I'm beginning to wonder if we should have scrutineers.  And if the scrutineers
should have to have full access to the Web logs ...  And the voting site
programming ...

I think that the people at our HQ are doing their best to make the election
work, and to ensure that everyone gets to vote. (Given our abysmal voting
turnout even *with* the online voting, which, if I remember correctly, is
running around three percent.)  I'm sure they are working at it.  In fact I
know they are working hard to fix the problems.

I do think this fiasco makes an important point.  It's really, really hard
to do online voting properly.  Just go to the archives and see the
discussions on electronic and online voting.  So far, nobody has been able
to come up with a really solid system.

It's an interesting exercise in risk management.  We are a semi-private
organization, and it's unlikely anyone is going to try and rig the
elections.  At the moment, our biggest problem seems to be that some people
can't vote.  But if we drop the online voting system, a lot more people will
be unable to vote.
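
The two checks the post asks about (more than four choices, and the same write-in entered several times), sketched as server-side ballot validation. This is an added example, not code from the voting system described; the function names, the candidate names in any sample data, and the policy of rejecting rather than silently de-duplicating a ballot are assumptions.

```python
import unicodedata

MAX_CHOICES = 4       # from the post: vote for at most four people
WRITE_IN_SLOTS = 5    # from the post: the form offers five write-in slots


class BallotError(ValueError):
    """Raised when a ballot must be rejected rather than silently counted."""


def normalize(name):
    """Canonical form so 'Pat  Lee', 'pat lee' and 'PAT LEE' compare equal."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())


def validate_ballot(official, checked, write_ins, max_choices=MAX_CHOICES):
    """Return the sorted distinct normalized choices, or raise BallotError.

    official  -- names printed on the ballot
    checked   -- official names the voter ticked
    write_ins -- raw text of the write-in slots ('' for an unused slot)
    """
    # Never trust the form to limit the number of fields submitted.
    if len(write_ins) > WRITE_IN_SLOTS:
        raise BallotError("more write-in fields than the form has")

    official_norm = {normalize(n) for n in official}
    choices = []
    for name in checked:
        key = normalize(name)
        if key not in official_norm:
            raise BallotError(f"unknown candidate ticked: {name!r}")
        choices.append(key)
    choices.extend(normalize(w) for w in write_ins if w.strip())

    # One person, one vote per ballot: catches a repeated write-in and a
    # write-in that names an official candidate who was also ticked.
    seen = set()
    for key in choices:
        if key in seen:
            raise BallotError(f"candidate chosen more than once: {key!r}")
        seen.add(key)

    # Overvote check across ticked boxes and write-ins together.
    if len(choices) > max_choices:
        raise BallotError(f"{len(choices)} choices, limit {max_choices}")
    return sorted(seen)
```

The duplicate check runs before the count check so that a ballot naming one write-in five times is reported as a duplicate, not merely as an overvote.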

Americans Elect (Jim Cook)

"Peter G. Neumann" <>
Sun, 20 Nov 2011 19:08:06 PST

Americans Elect Holds its First Vote—and it's Broken!
Jim Cook, 19 Nov 2011

  [Jim Cook visited AE's Shape the Debates feature, allowing up-or-down
  votes on selected issues.]

Android leads the way in mobile malware growth

Peter Houppermans <>
Tue, 22 Nov 2011 09:58:15 +0100

  “What happens when anyone can develop and publish an application to the
  Android Market? A 472% increase in Android malware samples since July
  2011. These days, it seems all you need is a developer account, that is
  relatively easy to anonymize, pay $25 and you can post your

Interesting is the growth of malicious Android apps that can acquire
root level.  That has changed from "a few" to "just about all".

Too Open Source?

Firm Sought to Install Spyware Via Faked iTunes Updates

Werner U <>
Tue, 22 Nov 2011 22:52:37 +0100

Troublesome Trojans, *Der SPIEGEL*

A surveillance firm claims it can distribute its spyware via faked iTunes
updates. Apple appears to have moved to eliminate the security gap, but the
debate over trojans used by governments, both democratic and
otherwise, continues to boil.

"Why Law Enforcement Can't Stop Hackers" (Meridith Levinson)

Gene Wirchenko <>
Mon, 21 Nov 2011 15:07:51 -0800

The threat that criminal hackers pose to corporate and government
information systems has spiked in the past five years, according to the FBI,
and shows no signs of abating. The worst part: Law enforcement is virtually
powerless in cracking down on cybercrime. investigates the
challenges law enforcement officials face in investigating and prosecuting
hackers.  [Source: Meridith Levinson, 15 Nov 2011]

The Web as Backyard Fence Gone Wild (Galen Gruman)

Gene Wirchenko <>
Tue, 22 Nov 2011 09:51:27 -0800

Ah, Web rumours.  Here is a good example of the effects that can result:

Off with their heads! Mobile Edge's 2011 Turkey Awards
In a year of amazing innovation and adoption of mobile tech, there
were also some amazing duds and boneheaded moves
[Source: Galen Gruman, *InfoWorld*, 22 Nov 2011]

[This example starts on page 2.]

The technology press. I've gone apoplectic several times this past year
watching the parade of obviously false iPhone 5 and iPad 3 stories appear on
practically every tech news site, as well as many general news outlets. It's
as if the journalism community decided to hell with truth and became Weekly
World News wannabes in their quest for that Holy Grail of page views. I need
page views too, but I don't believe I have to fake stories or, worse, copy
others' fake stories to get them.

This abdication of professional practice—which may have started with
untrained bloggers but quickly became adopted by mainstream journalists --
ironically led to a big letdown in the same media when the iPhone 4S was
announced. The reality of the upgraded product couldn't match the fiction
they built up over the course of a year.  Perhaps trained to believe none of
us any more, buyers snapped up the iPhone 4S in droves, causing supplies to
run out quickly. Ironically, it was the stock market—that
once-rationalizing economic force that has become an emotion-driven
roller-coaster ride—that reacted in the most damaging way, pummeling
Apple's stocks when Apple said its iPhone sales had declined more than usual
before a new release because the incessant rumors caused a higher proportion
of buyers to wait.

Even sadder, I still see iPhone 5 and iPad 3 stories in the technology
press, not just in fanboy blogs, even after this year's embarrassing saga
became clear. I hope readers have stopped paying attention to these turkey
stories and their turkey publications.  These turkeys will keep gobbling
nonsense as long as they think you're listening.

Re: Update: U.S. water plants reportedly hit by cyber attacks

Howard Webb <>
Fri, 18 Nov 2011 17:00:39 -0800

The story was also covered by Ellen Nakashima of the Washington Post:

The money lines in this story are:

According to the report, hackers apparently broke into a software company's
database and retrieved user names and passwords of various control systems
that run water plant computer equipment. Using that data, they were able to
hack into the plant in [Springfield] Illinois, Weiss said.

It's not the first time that two-step technique—hack a security firm to
gain the keys to enter other companies or entities—has been used.  I
wonder if the hacked software company gets to buy the water plant a new
water pump, or do they get off the hook because someone gave Internet access
to critical infrastructure and blabbed user/password info to a 3rd party.

Re: 9 Million Israelis' PII hacked (RISKS-26.61)

Barry Jaspan <>
Mon, 21 Nov 2011 00:31:50 -0500

According to the Israeli Central Bureau of Statistics, the total living
population of Israel as of May 2011 is 7.7M. The 9 million records stolen
includes data on both living and dead residents, but roughly speaking, it
seems like it covers "all of them."

Slovenia attacks panoramic photography

Lauren Weinstein <>
Fri, 18 Nov 2011 15:42:10 -0800

Apparently inspired by Street View face blurring,
Slovenia attacks panoramic photography

  "So how did an arbitrary technical distinction come to decide whether an
  uncensored photograph is legal or illegal in Slovenia? The following is a
  cautionary tale of what happens when non-technical regulators meet a
  new-to-them technological innovation they are ill-equipped to judge. It is
  also a case study of how Google, by voluntarily implementing facial
  blurring in its relatively new but hugely popular Street View automated
  360-degree panoramas, created norms in the minds of regulators that they
  are now eager to set in stone legally. By focusing on the technical
  details distinguishing Street View from more conventional photography
  formats, these regulators have managed to condemn an entire emerging field
  of photography to burdensome and invasive censorship requirements that are
  impossible to scale without Google-sized automation resources."  (Dliberation)

Re: How Google, by voluntarily implementing facial blurring...

Amos Shapir <>
Sun, 20 Nov 2011 16:47:56 +0200

If I understand the Slovenian rules correctly (it seems that nobody does),
in most cases publishing individual street photographs is ok, but combining
the same photographs in a panorama is not?  What if one site contained the
images while another the application to combine them on-line in real time?

What if the image on top of the referred article at D-liberation would have
been shot in Slovenia instead of Yemen (let's even assume that the images
were exported out of Slovenia before the law took effect), would Slovenians
be committing a crime by clicking on it?  The mind boggles.

Protecting data for the long term with forward secrecy

Lauren Weinstein <>
Tue, 22 Nov 2011 10:43:37 -0800  (Google Online Security Blog)

  "Forward secrecy requires that the private keys for a connection are not
  kept in persistent storage. An adversary that breaks a single key will no
  longer be able to decrypt months' worth of connections; in fact, not even
  the server operator will be able to retroactively decrypt HTTPS sessions.
  Forward secret HTTPS is now live for Gmail and many other Google HTTPS
  services(*), like SSL Search, Docs and Google+. We have also released the
  work that we did on the open source OpenSSL library that made this

*Excellent* work.  Congrats to the team(s) responsible.

Re: "Coming conundrum: Malware signed ... (Lemos, RISKS-26.62)

David Shambroom <>
Mon, 21 Nov 2011 01:12:56 -0500

This item from refers to code signing with certificates.  Of course, the
public keys in certificates are used to verify signatures, not to generate
them.  This particular confusion is a major source of headaches for me,
personally, in dealing with my colleagues and customers at InterSystems.

Re: Congress Declares War on the Global Internet - Internet Replies "Bring It On!"

RsH <>
Sat, 19 Nov 2011 10:59:24 -0500

My suggested solution, and I am in Canada, which has its IP addresses assigned
by ARIN and its .com, .net and .org domain names assigned out of the U.S.
according to SOPA, is to move ARIN to CRIN [Canadian Registry of Internet
Numbers] and the Domain Name servers to Canada as well.

Once outside the U.S. the SOPA rules cannot be applied the same way, since the
jurisdiction of the U.S. Congress does NOT apply to Canada, or so we in Canada
like to think.

ARIN covers the U.S., Canada and 20 Caribbean nations. .COM, .NET and .ORG are
used around the world, so in both cases, moving out of the U.S. is going to be
part of the battle.

As it stands, unless I misread SOPA, the Canadian and Canadian provincial and
territorial government web sites are considered domestic U.S. sites! We CANNOT
permit the U.S. government to shut down the Canadian government's web access
because someone in the U.S. doesn't like a film on file at the Library of
Parliament, or whatever other excuse may be used.

Re: ANA plane goes nearly belly up ... wrong knob turned

John Stanley <>
Fri, 18 Nov 2011 18:59:44 -0800 (PST)

In part, Tony B Atkinson <> wrote:

  The pilot has to reach behind him to access the control, it's effectively
  out of his line of sight. Distinguishing the control is probably done by
  feel most of the time. ...

  Ahh, the benefit of hindsight.

The irony of the statement is punishable. I think increasing the amount of
visual processing a pilot has to do would be punitive.

Re: ANA plane goes nearly belly up ... wrong knob turned

Larry Sheldon <>
Fri, 18 Nov 2011 21:54:27 -0600

Since the days when the risk was a quick trip to Havana, I have believed the
obvious (but so far unnoticed) answer is that air-carrier aircraft should be
configured so the cockpit door can not be opened unless there is weight on
the nose gear, or so that cockpit access is via a separate door to the

Yes, that means a separate toilet in the cockpit, and it means some
provision for meals (I'd say packages that require no cabin access at all).

I might even go so far as to say there can be no communication
cabin-to-flight deck at all except "Emergency" which results in landing

(Flight deck-to-cabin announcements would be allowed.)

Re: The Coming Fascist Internet (Weinstein, RISKS-26.61)

Amos Shapir <>
Sun, 20 Nov 2011 16:59:22 +0200

Comparing the Internet to other rather new technologies shows that prognosis
is not good.  Take driving as a case in point: about 20 years after the
invention of the automobile, anyone could drive anything anywhere; now no
one can drive anywhere unless both vehicle and driver are licensed and
registered by some government.

The Internet is even easier to control than roads, as all infrastructure is
supplied by a few big companies, which usually comply with the government.
China seems to be the future.

The Surveillance Catalog

Gabe Goldberg <>
Sun, 20 Nov 2011 10:23:32 -0500

The Surveillance Catalog, Where governments get their tools

Documents obtained by The Wall Street Journal open a rare window into a new
global market for the off-the-shelf surveillance technology that has arisen
in the decade since the terrorist attacks of 11 Sep 2001.  The techniques
described in the trove of 200-plus marketing documents include hacking tools
that enable governments to break into people's computers and cellphones, and
"massive intercept" gear that can gather all Internet communications in a

The documents—the highlights of which are cataloged and searchable here
-- were obtained from attendees of a secretive surveillance conference held
near Washington, D.C., last month.

Gabriel Goldberg, Computers and Publishing, Inc. 3401 Silver Maple Place,
Falls Church, VA 22042 (703) 204-0433

How to persuade lawmakers to change their passwords

"Chiaki Ishikawa" <>
Sat, 19 Nov 2011 12:06:03 +0900

Since this summer, there have been a series of reports of concerted attacks
based on phishing or malware attachments in e-mails against large companies,
government agencies and similar organizations in Japan.

Obviously, there were some DoS attacks on some well-known government web sites
for the last few years.

Also, companies that make military equipment were targets.  And these
companies also make big public works such as nuclear power plants.

This past summer, Mitsubishi Heavy Industries, IHI Corp, and Kawasaki Heavy
Industries were reported as victims of such attacks. Initially, the extent
of the attack and how successful it was were not clear.

  Signs of concerted cyberattack on Japanese defense firms
  (This page and others mentioned here have
  a series of links to other recent updates.)

However, after a flurry of such reports were made public in September and
October, it became evident that at least these large companies building
military gear were the targets of concerted attacks.

U.S. government concerned at hacking of Japan arms firms

The US has good reason to get worried. Under license, MHI builds F-15s,
Patriot missiles, nuclear reactor parts.  Also, IHI builds engine parts for
military aircraft, Kawasaki Heavy Industries builds helicopters, etc.
Friendly military gear created by companies whose computers are compromised
is not something you can easily trust, eh?

It seemed that at least some non-top-secret proprietary data had been
sent to external web sites.  Basically, some PCs were infected after the
initial attack (it seems that some of them were 0-day attacks from what I
read) and from there servers were attacked and then compromised.  Once that
happened, many PCs on the same LAN were infected.

Cyber-attackers could have stolen defense contractor's passwords.
"45 servers and 38 personal computers at 11 of MHI's facilities were
infected with viruses."

Now I gave the benefit of the doubt to the security officers or admins
because some early reports suggested that at least some attacks were
0-day attacks or some were so advanced that even anti-virus software
companies could not keep up with them.
Although I want a high standard for someone handling sensitive
material, still I gave the benefit of the doubt.
(After all the extent became evident however, I wonder why IDS could
not detect some suspicious activity, though. Stringent after-the-fact
analysis is in order here.)

But along with such revelations of attacks on these companies came
the report of attacks on the offices of members of the Japanese parliament
(called the Diet for some reason. There are an Upper House and a Lower House).

Upper House Computers also hacked.

According to the report and earlier ones, someone sent e-mails with a
trojan to lawmakers' offices. First the computers of Lower House members
were infected.
I suspect people who need to open e-mails from unknown
third parties such as members of parliament (an e-mail from a possible
voter in his/her district?) are very vulnerable to this kind of attack.

To make a long story short, it is now believed that a server used
for serving the needs of offices of members was compromised eventually
and it is possible that the ID/passwords were stolen.

What struck me as a blow is the following news.

Only 45% of lawmakers changed passwords after cyber-attack

On Oct 25th, the possibility of passwords being stolen became real.
So lawmakers' offices were asked to change passwords immediately
on Oct 27th.

So far, so good.

BUT, on Nov 2, the house secretariat visited each lawmaker's office
one by one and asked if the password had been changed.
It was found that ONLY 45% of the lawmakers had done so!?
(Others either didn't or the answer was not available immediately.)

Nov 14, it was made clear that ALL the passwords of Lower House members
have been stolen (with the secretaries' of the members), 480 passwords
in total!

Mind boggling, isn't it?

Open Government, you bet.

Given a pre-announced or pre-agreed procedure [or even without such a
predefined procedure in place], I wonder if it had been a proper
measure to disable the existing account or at least change the
passwords of all accounts from the server side on Oct 27th.

If your user is a law-maker, and not an undergraduate or graduate
student, it may be difficult to do so :-(

Chiaki Ishikawa

PS: Concerted attacks of this nature (and the use of 0-day attacks)
seem to suggest the involvement of a national-level organization.

I think I got a spammed

Sun, 20 Nov 2011 07:40:51 +0800

|Date: Sat, 19 Nov 2011 15:27:47 +0100
|X-Spam-Status: Yes, score=49.9 required=1.9 tests=ADVANCE_FEE_2_NEW_FORM,
|X-Spam-Languages: en
|X-Size: 10456
|X-File: Mail/almost-certainly-spam/new/1321732877.10157_0.ps11007
I guess they try a multifaceted approach these days.

  [Wow! A score of 49.9 is REALLY impressive!  PGN]
    [jidanni- ah no wonder... they are now competing for a world's record.
    And I thought it was just a SPAM 1.0 spam!]
