The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 65

Tuesday 29 November 2011

Contents

Investigation into ICT enabled projects
Andrew Pam
Cybersecurity Requires Patches, Not a Vast Bill
Susan Crawford via Lauren Weinstein
Internet Amorality, and Cutting Thailand Off From the Internet
Lauren Weinstein
Another mass takedown of domains by U.S. authorities + discussion
Lauren Weinstein
Hackers target IPv6: Why you must address IPv6 security concerns now
Susan Perschke via Gene Wirchenko
"Face Unlock feature in Galaxy Nexus poses security risk"
Matt Hamblen via Gene Wirchenko
Google protects its current HTTPS traffic against future attacks
Lucian Constantin via Gene Wirchenko
Columbia U. researchers claim widespread security problems with laser printers
Lauren Weinstein
"Doomed by default passwords"
Roger A. Grimes via Gene Wirchenko
"When mobile apps go bad"
Galen Gruman via Gene Wirchenko
Facebook Settles With F.T.C. Over Deception Charges
Lauren Weinstein
Re: purported water plant attack
SMiller
Re: If You Can't Trust Caller ID ...
Paul Wallich
Re: Missing the point of the Internet
Amos Shapir
Complexity
Bob Frankston
Re: LaTeX as an example of ... best practices
Bob Frankston
Re: "Facebook bans at work linked to increased security breaches"
Carlos G Mendioroz
Info on RISKS (comp.risks)

Investigation into ICT enabled projects

Andrew Pam <andrew@sericyb.com.au>
Mon, 28 Nov 2011 18:12:52 +1100

Very interesting report from the Victorian state government (in Australia)
about troubles with public-sector IT projects:

<http://www.ombudsman.vic.gov.au/resources/documents/Investigation_into_ICT_enabled_projects_Nov_2011.pdf>

Extracts from the Executive summary:

11. National and international research has concluded that ICT-enabled
projects are poorly managed and failures are common. Research also indicates
that the private sector and overseas institutions have their share of ICT
project disasters with reports of cost overruns of 200 per cent, schedule
overruns of 70 per cent and some 80-90 per cent failing to meet performance
objectives.

12. Despite the research and Ombudsman and Auditor-General reports, there
are few signs that any lessons have been learnt in the public sector.


Cybersecurity Requires Patches, Not a Vast Bill (Susan Crawford)

Lauren Weinstein <lauren@vortex.com>
Mon, 28 Nov 2011 18:43:14 -0800

http://j.mp/so4rJu  (Bloomberg) [from NNSquad]

  "When cybersecurity problems arise, the best response is to adopt a patch
  as soon as it's available. You don't want to wait for an entirely new
  operating system to be created, and you really don't want to use such a
  system until it has been debugged.  That second approach, though, is what
  the Obama administration lately has been recommending. Driven by the
  National Security Agency and the Department of Homeland Security, the
  administration has been pushing the Senate to ram through an enormous
  omnibus bill on cybersecurity that hasn't yet won agreement from
  legislative working groups."  ...  Luckily, the administration's approach
  may collapse under its own weight. In October, a House Republican
  cybersecurity plan that focused on targeted voluntary efforts—rather
  than the construction of a novel superstructure for the dictation of
  security standards—grabbed the attention of legislators.  This month,
  Senate Majority Leader Harry Reid wrote to Senate Minority Leader Mitch
  McConnell saying that the House plan was consistent with his own
  cybersecurity vision, while noting that bipartisan working groups in the
  Senate hadn't been able to agree on a comprehensive legislative
  draft. Four Republican Senators (Kay Bailey Hutchison, Saxby Chambliss,
  Charles Grassley, and Lisa Murkowski) wrote to President Barack Obama
  supporting the targeted House approach.


Internet Amorality, and Cutting Thailand Off From the Internet

Lauren Weinstein <lauren@vortex.com>
Sun, 27 Nov 2011 11:43:10 -0800

Internet Amorality, and Cutting Thailand Off From the Internet
http://j.mp/trJTJn  (This message on Google+)  [From NNSquad]

 - - -

In a recent posting ( http://j.mp/vuU7RO [Google+] ), I chastised Thailand
for demanding the censorship/removal of 10K Facebook links deemed
"offensive" to their royal family, Thailand's decree that merely pressing
the "like" or "share" button on particular articles is being criminalized,
and I noted their new case of a 61-year-old man sentenced to 20 years in
prison for text messages deemed "insulting" to their royals.

And I added:

  "How about this for a way to prod these Neanderthals into the 21st
  century? Cut them off the Net totally until these practices cease."

Observant readers realized that I was writing somewhat tongue-in-cheek, but
to be honest not totally so.

And in fact, I've now received a couple of notes from people horrified by my
saying such a thing.  How can I support "censorship" of such regimes, no
matter how backwards, repressive, and abusive of their own populations?
After all, I'm known to be an anti-censorship advocate.

This brings up an important question.  Are we, as technologists, required to
provide the fruits of our labors to the entire world equally, even when
those facilities are used for evil purposes?  Is it "censorship" to draw
some lines in the sand in this regard?

The amoral view is obvious enough, both historically and contemporaneously.
IBM's support of 1930s Germany (via its subsidiary Deutsche Hollerith
Maschinen GmbH) has been long condemned.

Various major U.S.-based firms today are currently embroiled in
controversies regarding their provision of Internet and other communications
technologies to countries where it has been used to battle dissidents, and
the U.S. (disingenuously to a significant extent, given SOPA , PIPA, and
other legislation here) has condemned such suppression.

Export controls have long been a tool of national policy—sometimes in
logical manners, sometimes in utterly ridiculous, crazy ways.

In any case, I found it disturbing that a least a couple of readers felt
comfortable with a stance (amoral at best, more reasonably termed unethical)
that no matter how oppressive a regime might be, the global Internet
community should be obligated to continue providing equal services to such
players as if freedom and slavery were simply equivalent "domestic policies"
of no concern to the outside world.

I cannot accept such an assertion.  And I would add that an analysis of
these concerns should extend to repressive U.S. actions as well, of course.

These issues come into play not only when a country's demands affect the
entire world (e.g., demanding that YouTube videos be removed so nobody can
see them anywhere, due to their being deemed to be offensive to the rulers
of a single country), but also when "compartmented" domestic repression is
involved.

If we do not apply basic standards of freedom and civil rights to the
Internet and its technologies, if we treat evil as a form of normalcy not
subject to sanctions, our wonderful Net will be increasingly morphed into a
weapon aimed not only at our global neighbors, but at ourselves as well.

Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
Network Neutrality Squad: http://www.nnsquad.org
People For Internet Responsibility: http://www.pfir.org
PRIVACY Forum: http://www.vortex.com  +1 (818) 225-2800 / Skype: vortex.com


Another mass takedown of domains by U.S. authorities + discussion

Lauren Weinstein <lauren@vortex.com>
Sat, 26 Nov 2011 11:48:51 -0800

Another mass takedown of domains by U.S. authorities + discussion

http://j.mp/tE2Xtu  (TorrentFreak) [from NNSquad]

  "TorrentFreak has identified more than 130 domains taken over by the
  government during the last 24 hours, which makes this the largest seizure
  round to date. The authorities have yet to comment via official channels,
  but we assume that they will use the same justification for the domain
  seizures as they did last year."

 - - -

The authors of the above referenced article ask why there's the big push for
SOPA/PIPA when authorities seem able to seize domains on demand even today.
I would assert a key factor is wanting to censor sites that provide
information that could circumvent those seizures, and that's not limited to
search engines like Google.

Historical IP address data for the seized sites is widely available, meaning
that with a bit of effort, virtually anyone can still connect to those sites
(either manually or through automated means).

So clearly, the focus of U.S. SOPA/PIPA efforts is an attempt to censor any
and all sites that can provide that historical data or other workarounds,
which is an ever expanding circle of sites that carry all manner of search
results and Internet retrospective data.

This has very much an Orwellian feel to it, as the U.S. government wants to
delete all references to these sites regardless, it seems, of likely
collateral damage.

And this is why SOPA and PIPA will not be effective at cutting off access to
sites around the world targeted by U.S. authorities, but do carry the
potential of creating a vast censorship regime and accompanying "Darknet"
workarounds, pushing more and more legitimate Internet activity protectively
underground.


Hackers target IPv6: Why you must address IPv6 security concerns now

Gene Wirchenko <genew@ocis.net>
Mon, 28 Nov 2011 11:34:49 -0800
  (Susan Perschke}

[Source: Susan Perschke, *IT Business*, 28 Nov 2011
http://www.itbusiness.ca/IT/client/en/CDN/News.asp?id=65117

selected text:

The biggest looming security threat lies in the fact that enterprise
networks already have tons of IPv6 enabled devices, including every device
running Windows Vista or Windows 7, Mac OS/X, all Linux devices and BSD.

Vyncke says the threat is real. "We have observed worldwide that bots are
increasing their use of IPv6 as a covert channel to communicate with their
botmaster." Among its many disguises, IPv6-enabled malware can take the form
of a malicious payload encapsulated in one or more IPv4 messages. Without
IPv6-specific security measures such as deep packet inspection, this type of
payload may pass through the IPv4 perimeter and DMZ defenses undetected.

Security threats aside, there is a growing business case for IPv6 that is
getting harder to sweep under the rug. Banks and online brokerages already
face the challenge of losing communication with international customers
whose networks no longer support IPv4.


"Face Unlock feature in Galaxy Nexus poses security risk"

Gene Wirchenko <genew@ocis.net>
Tue, 29 Nov 2011 12:05:31 -0800
  (Matt Hamblen)

Matt Hamblen, *Computerworld*, 22 NMov 2011
Analysts suggest a PIN or password is a more secure alternative than
Google's facial recognition software for unlocking smartphones

http://www.infoworld.com/d/security/face-unlock-feature-in-galaxy-nexus-poses-security-risk-179813

opening text:

Face Unlock, the facial recognition software offered in Android 4.0 on the
Galaxy Nexus, is being promoted by Google as an alternative to using a PIN
to unlock a phone.

But early reviewers have noticed that Face Unlock sometimes can be spoofed
by a photograph of the owner of the phone, posing a security risk.


Google protects its current HTTPS traffic against future attacks

Gene Wirchenko <genew@ocis.net>
Tue, 29 Nov 2011 11:55:06 -0800
  (Lucian Constantin)

Lucian Constantin, *InfoWorld*, 23 Nov 2011
HTTPS-enabled Google services now implement a special encryption
technique to mitigate future key recovery attacks
https://www.infoworld.com/d/security/google-protects-its-current-https-traffic-against-future-attacks-179934

selected text:

Google has modified the encryption method used by its HTTPS-enabled services
including Gmail, Docs, and Google+, in order to prevent current traffic from
being decrypted in the future when technological advances make this
possible.

This approach exposes the connections to so-called retrospective decryption
attacks. "In 10 years time, when computers are much faster, an adversary
could break the server private key and retrospectively decrypt today's email
traffic," explained Adam Langley, a member of Google's security team, in a
blog post.


Columbia U. researchers claim widespread security problems with

Lauren Weinstein <lauren@vortex.com>
Tue, 29 Nov 2011 09:27:46 -0800
  laser printers

http://j.mp/vYfGoJ  (MSNBC)  [From NNSquad]

  "Could a hacker from half-way around the planet control your printer and
  give it instructions so frantic that it could eventually catch fire? Or
  use a hijacked printer as a copy machine for criminals, making it easy to
  commit identity theft or even take control of entire networks that would
  otherwise be secure?"

I sense that there may be a bit of grandstanding in the referenced article.


"Doomed by default passwords" (Roger A. Grimes)

Gene Wirchenko <genew@ocis.net>
Tue, 29 Nov 2011 10:18:29 -0800

Roger A. Grimes, *InfoWorld*, 29 nov 2011, Recent hacks reveal that admins
and vendors have fallen behind on protecting legacy systems
http://www.infoworld.com/d/security/doomed-default-passwords-180214

opening text:

  Many years ago, I was hired to penetration-test a customer's IBM AS/400
  system, and the system administrator admonished me for even
  trying. "AS/400s aren't like cheap and insecure little PC systems," he
  argued. "They're built from the ground up to be secure."

  As he completed his last sentence, I logged into his system and took
  complete control of it. He had not changed the default account
  password. It had been left as is for almost 20 years. His system was
  contactable over the Internet, so I had to wonder, as his mouth dropped
  open, if I'd been the first to try the obvious.

The author also mentions doing a password check against default passwords
and lists three such sites that he uses.


"When mobile apps go bad" (Galen Gruman)

Gene Wirchenko <genew@ocis.net>
Tue, 29 Nov 2011 10:09:04 -0800

Galen Gruman, *InfoWorld*, 29 Nov 2011
When mobile apps go bad
Mobile apps get frequent updates—whether you want them or not --
and sometimes the result is an inferior product
http://www.infoworld.com/d/mobile-technology/when-mobile-apps-go-bad-178063

This article deals with mobile apps, but the situation occurs with other
apps, too.  Years ago, I downloaded Netscape 6, installed it, saw that it
was really bad, and bailed.

The risk is losing an app that really works well for you.  Even if you can
keep your old version, you may be out of luck for support.


Facebook Settles With F.T.C. Over Deception Charges

Lauren Weinstein <lauren@vortex.com>
Tue, 29 Nov 2011 10:45:48 -0800

http://j.mp/uAzFMh  (FTC)  [From NNSquad]

  The social networking service Facebook has agreed to settle Federal Trade
  Commission charges that it deceived consumers by telling them they could
  keep their information on Facebook private, and then repeatedly allowing
  it to be shared and made public. The proposed settlement requires Facebook
  to take several steps to make sure it lives up to its promises in the
  future, including giving consumers clear and prominent notice and
  obtaining consumers' express consent before their information is shared
  beyond the privacy settings they have established.


Re: purported water plant attack (RISKS-26.64)

<SMiller@unimin.com>
Mon, 28 Nov 2011 12:08:18 -0500

The FBI/DHS analysis has been challenged by many, Joe Weiss among them.
While I am not in a position to confirm or deny many of the items in
dispute, I can confirm Weiss' allegation that many PLC/SCADA systems do not
keep the kind of log that is amenable to intrusion analysis. It also seems
odd that the Illinois fusion center would release such a report only to be
directly contradicted by DHS Central - aren't those centers designed,
sponsored and implemented by that very outfit? Seems equally likely that the
"nothing to see here, move along" response is the result of reluctance to
confirm the breach of a common, critical system that it is presently
infeasible to adequately protect. If this is indeed an attempt at obscurity,
I think we already know the story-line.


Re: If You Can't Trust Caller ID ... (RISKS-26.64)

Paul Wallich <pw@panix.com>
Sat, 26 Nov 2011 22:56:23 -0500

> Telemarketers increasingly are disguising their real identities and
> phone numbers...  Caller ID [properly, Calling Number ID] is becoming
> Fake ID.  New FCC rules have been instituted to combat this practice,
> but are apparently very limited in their effectiveness...  [Source: Matt
> Richtel,*The New York Times*  front page, 23 Nov 2011; PGN-ed]

It is perhaps telling in a political-systems sense (if not a
computer-systems one, since the technical hurdles are stacked the other way)
that congress is considering making it a federal crime to falsify even a
part of the personal information demanded by online services, while
deliberately fraudulent provision of identifying information via phone
system carries only civil penalties, and even then only at the discretion of
an overworked regulatory agency. Perhaps the relative pocket depth of the
respective perps has something to do with it.


Re: Missing the point of the Internet (Frankston, RISKS-26.64)

Amos Shapir <amos083@hotmail.com>
Sun, 27 Nov 2011 18:09:48 +0200

In Risks 26.64 Bob Frankston says:
> As I explain in http://rmf.vc/ThinkingOutsideThePipe networks are not
> fundamental. This means that the Internet is not easier to control once
> there is a funding model that doesn't require controlling the path.

While Frankston's ideas may keep the Internet free, in the sense that we
would not have to pay for it (not for each bit individually anyway), IMHO
they would not help to keep it free of central control.  Public ownership of
the infrastructure would necessarily mean public control; which in turns
means that the rules would be made by politicians rather than businessmen --
is that any better?

Like in the auto industry, the complexity of the devices involved results in
most of the devices being made by a few large companies; the requirement
that all devices work together on the same infrastructure mandates rules and
regulations, which have to be coordinated by a central entity (or a few of
those, at most).  This leaves a relatively small number of control points,
which might not be difficult to be taken over by a ruling body.

Surely we can avoid driving licenses by walking or riding bicycles, but we
would not get very far...


Complexity (Re: LaTeX ..., RISKS-26.64)

"Bob Frankston" <bob2-39@bobf.frankston.com>
Sat, 26 Nov 2011 23:16:34 -0500

"Complex systems are intrinsically complex."

This is a topic in its own right as I argue that complexity is about point
of view and framing. My standard example is Ptolemy vs. Copernicus in the
difference that a shift frame makes. Complexity is also relative to purpose
or context.

One risk is in accepting complexity as intrinsic rather than trying to find
the simplicity. What makes this tricky is that we often need to change the
question we are asking. The Internet provides us with many examples as when
we assume that quality is a property of the network and thus we build a
rigid transport rather than defining quality outside the network. But this
requires accepting that there isn't a single measure of quality.

I go into some of this in essays such as http://rmf.vc/PurposeVsDiscovery
and http://rmf.vc/WrongStuff.

  [PGN notes: I was rather lazy in writing the line that Bob quotes.  I
  should have written something more like this:
    "Systems that must satisfy inherently complex requirements (e.g., for
    trustworthiness in its multidimensional manifestations) are likely to be
    inherently difficult to build and maintain—even if they are extremely
    carefully designed, implemented, and operated."  In the research
    community, some of us believe in modular encapsulation, predictable
    composability, least privilege, formal analyses, and so on.  But all
    that is still generally not enough.  PGN]


Re: LaTeX as an example of ... best practices (Thorson, RISKS-26.64)

"Bob Frankston" <bob2-39@bobf.frankston.com>
Sat, 26 Nov 2011 23:23:29 -0500

I do need to react to the dig at Microsoft. Sure there is a lot of code that
has hung around for 20 to 30 years and it captive to promises made long ago.
But I also see Microsoft at the forefront of research in programming
practices as with F# feeding into C#.

These prejudices have real consequences as people limit their choice of
tools and languages including the use of C.


Re: "Facebook bans at work linked to increased security breaches"

Carlos G Mendioroz <tron@huapi.ba.ar>
Sun, 27 Nov 2011 08:01:19 -0300

It's been long known in research that you can "discover" a cause-effect
relations and even have "proof" by analysing correlations.

If you analyse some variables and get strong correlation between A, B (and
C?), it's easy to say that A causes B when in fact it could be that C causes
A and B. (Even easier when C is unknown!)

In this case, it could be that companies that have sensitive material (C)
have stronger security measures (A) but even so get higher breaches (B).

Risk? Use correlations (undirected) to find cause-effect (directed)
relations.

Carlos G Mendioroz  <tron@huapi.ba.ar>  LW7 EQI  Argentina

Please report problems with the web pages to the maintainer

Top