The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 74

Friday 24 February 2012

Contents

Re: Google Mobile Phone Tracker
Tim Diebert
PGN
Re: It's A Brick: Tesla Motor's Devastating Design Problem
Martyn Thomas
"13 security myths you'll hear—but should you believe?"
Ellen Messmer via Gene Wirchenko
Not-so-faster-than-light superluminal neutrinos!
smolloy via David Bolduc
NewSci: GPS jamming: a clear and present reality
Paul Saffo
UK - 4G TV interference: Up to a million homes 'need filters'
Lauren Weinstein
Behind the Google Goggles, Virtual Reality
Nick Bilton via Matthew Kruk
Facebook contractor reportedly reveals "secret""censorship" list
Stephen C. Webster via Lauren Weinstein
Nortel breached for years; management knew but didn't react
Jeremy Epstein
Re: Armored SUV could not protect U.S. agents in Mexico
Chris Barnabo
Richard S. Russell
R. G. Newbury
Subject: Re: Small coding mistake led to big Internet voting system failure
Mark Brader
Fifth Amendment Protects Suspects from Having to Decrypt Hard Drives
LW
Long distance mail, but why?
Richard O'Keefe
REVIEW: The Tangled Web: A Guide to Securing Modern Web Applications
Ben Rothke
Info on RISKS (comp.risks)

Re: Google Mobile Phone Tracker (Kruk, RISKS-26.73)

Tim Diebert <diebert@parc.com>
Fri, 24 Feb 2012 08:17:53 PST

I'd like to point out that there is a *real risk* with this posting.

If you actually go to "-http://googlephone.page.tl/-" you get the
opportunity to click on 2 links, one in the middle of the page or one at the
bottom of it.

Both of these URLs, labeled
"http://googlephone.com/Apps/Google_Mobile_Phone_Tracker_v6.5.8" actually
points to
"http://dl.dropbox.com/u/61356096/Google%20Mobile%20Phone%20Tracker%20v6.5.8.exe".
If this link is actually downloaded and run, you get a virus installed.

I use a Mac that has "McAfee Security" installed, and it identified the
downloaded file as a virus.  I would assume that the anti-virus software for
Windows will also catch this one.

The link at the end of this item in the digest,
"-http://googlephone.com/Apps/Google_Mobile_Phone_Tracker_v6.5.8-" gets
a "server not found" error.  While there is a registration by Google for
googlephone.com, there is no DNS entry for it.

I thoroughly understand that publishing the "Risks Digest" is a time
consuming task, and following every link published to validate it is just
too time consuming.  This is something that the person supplying this item
should have done!

Tim Diebert, Sr. Research Engineer, Palo Alto Research Center
3333 Coyote Hill Road, Palo Alto, CA 94304-1313 1.650.812.4433


Re: Google Mobile Phone Tracker (Kruk, RISKS-26.73)

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 24 Feb 2012 10:00:33 PST

My sincerest apologies for including this item at all without further
inspection or with a serious warning about the risks of remotely plausible
messages.  I should know better than try to put out an issue at 4am while
half of my brain was still thinking I should be asleep.  But I am glad to
see that so many of you reacted sensibly and complained to me.  A few more
responses are included here.  Others were received early on from Joe Hall,
Dan Ritter, Larry Werring, Lauren Weinstein—and Richard Martin, whose
note included this:

  The link on the website it references downloads a *very* dodgy—and very
  obviously not Google-produced or approved - .exe file that Chrome
  immediately identifies as malicious and which Sophos identifies as a
  variant of the Sality worm. If it infects a PC it will proceed to download
  further malware onto the victim machine, so not a sensible thing to have
  around.

  On the other hand, the tracking behaviour described in the badly-spelled
  writeup has been provided for quite a while now on all Google Android
  phones capable of running Google Latitude.

I put a warning note in the archive copy of RISKS-26.73 rather than deleting
the item altogether, which we normally do not do.  The educational
importance of this item and its risks is decidedly important.  Again, my
apologies for letting this one slip through.

Thanks to all of you who responded, and my best wishes to *all* RISKS
readers.  The attackers are becoming ever more sophisticated and devious,
and require continual escalations in our collective eternal vigilance.  PGN


Re: It's A Brick: Tesla Motor's Devastating Design Problem (R-26.73)

Martyn Thomas <martyn@thomas-associates.co.uk>
Fri, 24 Feb 2012 16:49:36 +0000

The cited article also says: “After the first 500 Roadsters, Tesla added a
remote monitoring system to the vehicles, connecting through AT&T's
GSM-based cellular network. Tesla uses this system to monitor various
vehicle metrics including the battery charge levels, as long as the vehicle
has the GSM connection activated and is within range of AT&T's
network. According to the Tesla service manager, Tesla has used this
information on multiple occasions to proactively telephone customers to warn
them when their Roadster's battery was dangerously low.

In at least one case, Tesla went even further. The Tesla service manager
admitted that, unable to contact an owner by phone, Tesla remotely activated
a dying vehicle's GPS to determine its location and then dispatched Tesla
staff to go there. It is not clear if Tesla had obtained this owner's
consent to allow this tracking, or if the owner is even aware that his
vehicle had been tracked.  Further, the service manager acknowledged that
this use of tracking was not something they generally tell customers
about.''

But this article suggests that there may be other reasons for the story.


"13 security myths you'll hear—but should you believe?"

Gene Wirchenko <genew@ocis.net>
Fri, 24 Feb 2012 09:15:18 -0800
  (Ellen Messmer)

Ellen Messmer, *Network World*, 14 Feb 2012
http://www.networkworld.com/news/2012/021412-security-myths-256109.html

opening paragraph:

They're "security myths," oft-repeated and generally accepted notions about
IT security that arguably are simply not true—in order words, it's just a
myth. We asked security experts, consultants, vendors and enterprise
security managers to share their favorite "security myths" with us. Here are
13 of them:


Not-so-faster-than-light superluminal neutrinos!

"David Bolduc" <bolduc@austin.rr.com>
Feb 22, 2012 5:43 PM

 [via both Dave Farber and johnmacsgroup.  PGN]

http://science.slashdot.org/story/12/02/22/2116251/faulty-cable-to-blame-for-superluminal-neutrino-results

Faulty Cable To Blame For Superluminal Neutrino Results
samzenpus@slashdot.org, from the not-so-fast dept., 22 Feb 2012

smolloy writes*

"It would appear that the hotly debated faster-than-light neutrino
observation is the result of a fault in the connection between a GPS unit
and a CERN computer.  This connection was used to correct for time delays in
the neutrino flight, and after fixing the correction the researchers have
found that the time discrepancy appears to have vanished."*

<http://science.slashdot.org/story/11/09/22/1841217/cern-experiment-indicates-faster-than-light-neutrinos?sdsrc=rel>
<http://news.sciencemag.org/scienceinsider/2012/02/breaking-news-error-undoes-faster.html?ref=hp#.T0U_N0pYVRc.twitter>


NewSci: GPS jamming: a clear and present reality

"Paul Saffo" <paul@saffo.com>
Feb 23, 2012 9:21 AM

[From New Scientist's One Percent blog, via Paul on Dave Farber's IP]
GPS Jamming: a clear and present reality, 22 Feb 2012

A secret network of 20 roadside listening stations across the UK has
confirmed that criminals are attempting to jam GPS signals on a regular
basis, a conference <https://connect.innovateuk.org/web/6517437/agenda> at
the National Physical Laboratory, in London, will hear later today. Set up
by the government's Technology Strategy Board (TSB) and run by Chronos
Technology of the Forest of Dean, UK, the Sentinel
network<http://www.chronos.co.uk/index.php/en/sentinel.html>has sensed an
average of ten jamming incidents per month since September 2011.

"Our jamming sensors use very small GPS receivers like those in cellphones.
They are installed at locations where our partner companies have experienced
unexplained outages to their professional GPS equipment," says Chronos
managing director Charles Curry. "The jammers sweep a signal through the GPS
band around 1.5 gigahertz and we log the impact that has on the local GPS
signal." One victim of these GPS outages was Britain's national mapping
agency, Ordnance Survey.

Details on the 60 incidents recorded to date are scant as Sentinel is still
evaluating the causes, but at least one jamming device has been
seized. Curry says most jammers seem to be being used by truckers to stop
'spy-in-the-cab' tachographs working, preventing their journeys being
tracked by their bosses, or by thieves stealing commercial vehicles. "The
one police have confiscated is of the type that fits in a vehicle and is
powered via a lighter socket," he says.

Oddly, more than one person appears to be responsible for the jamming at
some locations: Chronos is trying to differentiate between different jammers
to give "a better idea of how many individuals at a particular location are
jamming GPS". Vigilantes could be one source: a major problem with GPS is
the way some small villages and towns suffer visits from dangerously
outsized trucks - which often get stuck in tiny streets - attempting to
follow satnav-advised shortcuts. So it is possible locals are placing
jammers to prevent drivers' antisocial behaviour.

The GPS signal is weak and easily jammed - its radiation is only as intense
as a car headlight shining from 20,000 kilometres away. Hundreds of online
vendors illegally sell jamming equipment online yet at the same time the GPS
signal has fast become critical national
infrastructure<http://www.newscientist.com/article/dn20202-gps-chaos-how-a-30-box-can-jam-your-life.html>.
In addition to location services via satnavs, the atomic clocks aboard the
satellites are used to provide crucial timing signals for systems as diverse
as cellphone towers and banking systems - and without GPS they fall over.

That's why it's no surprise that a US company called LightSquared, which
wanted to run a 4G cellphone service very near to the GPS frequencies, has
been barred from doing
so<http://transition.fcc.gov/Daily_Releases/Daily_Business/2012/db0215/DOC-312479A1.pdf>
by the Federal Communications Commission. It could not demonstrate that its
technology could steer clear of GPS signals that stray from its alloted
bandwidth.

The conference will also hear about how the GPS signal can be spoofed so
that satnavs are lured in the wrong direction. You can see videos of how
spoofing works over at the University of
Texas<http://radionavlab.ae.utexas.edu/videos>.  Spoofers could become the
latter-day equivalent of wreckers who used to make false lights to draw
ships onto the rocks. The General Lighthouse Authorities, for instance,
suspect that ships are now so dependent on GPS that in the world's busiest
sealane - the English Channel - they confidently expect "an incident" due to
GPS failure, jamming or spoofing in the next decade.

"The question for the authorities is what we are going to do once the owners
of jammers are identified and how can we prevent others using them," says
Curry.

http://www.newscientist.com/blogs/onepercent/2012/02/gps-jamming-a-clear-and-presen.html


UK - 4G TV interference: Up to a million homes 'need filters'

Lauren Weinstein <lauren@vortex.com>
Wed, 22 Feb 2012 21:43:24 -0800

http://j.mp/wbMCgL (BBC) [via NNSquad]

  "Almost a million UK homes will need to have filters installed to prevent
  TV interference from 4G mobile signals - at a cost of 108m."


Behind the Google Goggles, Virtual Reality (Nick Bilton)

"Matthew Kruk" <mkrukg@gmail.com>
Thu, 23 Feb 2012 19:02:58 -0700

[Nick Bilton, Behind the Google Goggles, Virtual Reality, *The New York
Times*, 22 Feb 2012; PGN-ed]
http://www.nytimes.com/2012/02/23/technology/google-glasses-will-be-powered-by-android.html?_r=2&nl=todaysheadlines&emc=tha25

It wasn't so long ago that legions of people began walking the streets,
talking to themselves.  On closer inspection, many of them turned out to be
wearing tiny earpieces that connected wirelessly to their smartphones.

What's next? Perhaps throngs of people in thick-framed sunglasses lurching
down the streets, cocking and twisting their heads like extras in a zombie
movie.  That's because later this year, Google is expected to start selling
eyeglasses that will project information, entertainment and, this being a
Google product, advertisements onto the lenses. The glasses are not being
designed to be worn constantly - although Google engineers expect some users
will wear them a lot - but will be more like smartphones, used when needed,
with the lenses serving as a kind of see-through computer monitor.

  [Dig up the entire article.  PGN]


Facebook contractor reportedly reveals "secret""censorship" list

Lauren Weinstein <lauren@vortex.com>
Thu, 23 Feb 2012 13:23:25 -0800
  (Stephen C. Webster)

http://j.mp/w1AqEb  (Raw Story)
http://j.mp/Aaeis5  (Facebook "Abuse Standards Violations" doc [JPG])

  "A secret list curated by social network giant Facebook was published
  online recently after an employee for one of the company's third-world
  contractors, upset at his poor working conditions and meager wage, decided
  to fight back.  The document reveals exactly what Facebook's censorship
  brigade looks for on the social network, which boasts over 850 million
  users spanning the globe."  [via NNSquad.org]


Nortel breached for years; management knew but didn't react

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Wed, 15 Feb 2012 09:27:16 -0500

*The Wall Street Journal*, *The Washington Post*, and pretty much all other
major papers are reporting that Nortel's security had been breached for
years (2004-present), and information was being leaked out to Chinese sites.

There are a few key things in this story:

* The problem was deep.  "The hackers also hid spying software so deeply
  within some employees' computers that it took investigators years to
  realize the pervasiveness of the problem."
* Management seems to have deliberately turned a blind eye to the
  problem. "Nortel made no effort to determine if its products were also
  compromised by hackers" according to several employees the WSJ
  interviewed.
* As they were selling its assets, Nortel executives did not disclose the
  known breach. "Ciena was not made aware, whether during diligence or any
  other part of the bankruptcy-sale process, of any possible prior
  infiltration of the Nortel network by third parties."
* Executives seem to be unaware of the risks. "Mr. Zafirovski [former Nortel
  CEO] said he didn't believe the infiltrations could be passed on to
  acquiring companies.  [...] a significant number of people continued to
  use Nortel laptops and desktop computers after moving to Avaya and Genband
  and connected them to those companies' networks."

The blame should be shared - assuming that Nortel didn't volunteer the
information, it seems that it should be on the M&A checklist for a buyer to
ask about risks relating to computer infiltrations.  And checking machines
brought over should be part of the checklist for the integrated IT
department.  But perhaps the M&A folks are too busy with the spreadsheets to
understand the underlying risks.

But the part that I find the scariest is the lack of understanding that not
only was the problem spreading within their organization, but it may have
also spread within their customers' organizations through infected products.
We've certainly seen that happen before...

The recent SEC guidance that network security breaches are material events
should help push this harder in the future.  Perhaps this will be a wakeup
call to companies doing acquisitions?

The RISKS? Lots, but most notably that buying another organization also buys
their risks, which may be unseen.... just the way manufacturing companies
discovered in the 1970s and 1980s that they had purchased liability for
pollution in addition to buying corporate assets.

http://online.wsj.com/article_email/SB10001424052970203363504577187502201577054-lMyQjAxMTAyMDEwNDExNDQyWj.html?mod=wsj_share_email_bot#printMode

http://www.washingtonpost.com/business/technology/report-chinese-hackers-breach-nortel-networks/2012/02/14/gIQApXsRDR_story.html?hpid=z11


Re: Armored SUV could not protect U.S. agents in Mexico (RISKS-26.73)

Chris Barnabo <chris@spagnet.com>
Fri, 24 Feb 2012 10:57:45 -0500

I own a Suburban (not armored, unfortunately) and the behavior of the door
locks is user-selectable.  They can be set so only the driver's door unlocks
when shifted to park, all doors unlock when shifted to park, all doors
unlock when the key is removed from the ignition, or no automatic door
unlock occurs (in which case you have to use the button).  If power is out,
you can manually unlock the door as well.  The factory default is to have
the driver's door unlock when you shift to park.

The RISK here applies to more than armored cars and U.S. special agents -
with ANY product, the user should evaluate the available settings and
determine what is appropriate for their environment.  Factory-defaults are
not necessarily secure - we've seen this time and again with wireless
routers that ship with security disabled, firewalls initially configured to
allow all traffic, etc.

In this particular case I'd expect the company that armored the vehicle
(i.e. had responsibility for securing it) should have set the door lock
parameters, and perhaps they did - there's nothing to prevent any driver
from changing the setting.  Hopefully in the future they'll inspect these
settings and include some user training on them (e.g. DON'T TOUCH!)


Re: Armored SUV could not protect U.S. agents in Mexico (R-26.73)

"Richard S. Russell" <richardsrussell@tds.net>
Fri, 24 Feb 2012 09:59:14 -0600

What I learned during Severe Weather Awareness Week:
 (1) On the road, you're in danger from tornadoes. Get out of your
     car and lie down in a ditch.
 (2) In low-lying areas, you can drown in a flash flood. Get out of
     that ditch and head for the hills.
 (3) The highest object around gets hit by lightning. Get off of that
     hill and into your car.
 (4) On the road, you're in danger from tornadoes...

Richard S. Russell, 2642 Kendall Av. #2, Madison  WI  53705-3736
608+233-5640 RichardSRussell@tds.net http://richardsrussell.livejournal.com/


Re: Armored SUV could not protect U.S. agents in Mexico (R-26.73)

"R. G. Newbury" <newbury@mandamus.org>
Fri, 24 Feb 2012 10:37:55 -0500

> That terrifying sound—a quiet click --

And it can get *even* worse than that! This morning, as it happened, as I
backed out of the garage, I knocked the right hand rear view mirror out of
alignment. My only excuse is that the dog was trying to lick me ear
off. Since I could not quite reach the mirror from the driver's seat through
the window, I put the car in park with the engine running, and got out. When
I closed the door, *the doors locked!* With the engine running! Luckily I
*had* left the right window open.

I have NO idea what the settings allow. I do know that there are some
settings, but I have not found a way to defeat the 'you must be in park to
open the doors' rule. But locking the doors when the engine is running is
not my idea of a 'positive outcome'.

R. Geoffrey Newbury, Barrister and Solicitor, Suite 106, 150 Lakeshore Road
West, Mississauga, Ontario, L5H 3R2 o905-271-9600 f905-271-1638


Re: Small coding mistake led to big Internet voting system failure (RISKS-26.73)

Mark Brader
Fri, 24 Feb 2012 10:46:11 -0500 (EST)

Ah, would you believe

   https://jhalderm.com/pub/papers/dcvoting-fc12.pdf

  [Corrected URL now noted in RISKS ARCHIVE copies.]


Fifth Amendment Protects Suspects from Having to Decrypt Hard Drives

<Lauren Weinstein>
Thursday, February 23, 2012

Court: Fifth Amendment Protects Suspects from Having to Decrypt Hard Drives
(+ my comments; from Network Neutrality Squad)
http://j.mp/zt5iyr  (This message on Google+)
http://j.mp/yjQAPV  (WSJ)

  "In a ruling that could have broad ramifications for law enforcement, a
  federal appeals court has ruled that a man under investigation for child
  pornography isn't required to unlock his computer hard drives for the
  federal government, because that act would amount to the man offering
  testimony against himself."

 - - -

The Journal of course discusses this case in their usual "even-handed"
manner—note the graphic of the hooded man glaring at the reader, holder a
keyboard with gloved hands.  And loaded language such as, "The ruling could
handcuff federal investigators ..." demonstrates the usual News
Corp. "balance" in action.

Be that as it may, it is true that this is not the end of the line for such
disputes.  There are other cases in progress that will directly contradict
the reasoning of this decision, and the entire mess ending up in front of
the Supreme Court seems like a pretty good bet.

But will it really matter in the long run?  I'm doubtful.  The availability
of powerful encryption systems that can be applied to disk drives, even in
the presence of hardware-based surveillance mechanisms, will continue to
expand.  Weak key generation and poor key management systems will gradually
become the exception rather than rule in many cases, and the power of
technologies such as distributed encryption and key systems—which could
make it impossible to decrypt data without the cooperation of parties in
multiple jurisdictions, may become common.

Over time, whether one chooses to like it or not, governments may be forced
to accept the reality that increasing amounts of data will remain beyond
their abilities to successfully demand, regardless of sanctions and
pressures applied to defendants or other interested parties.

Lauren Weinstein http://www.vortex.com/lauren Blog: http://lauren.vortex.com
Network Neutrality Squad: http://www.nnsquad.org 1(818) 225-2800


Long distance mail, but why?

"Richard O'Keefe" <ok@cs.otago.ac.nz>
Fri, 24 Feb 2012 19:54:17 +1300

A lecturer in Dunedin sends e-mail to his class.  It is sent to Microsoft
(Redmond is 7,600 miles away) who pass it on to Singapore (another 8,100
miles), which is 5,200 miles away from Dunedin.  When a student wants to
read this mail, she does so through a web browser.  Log in here, it forwards
you to Microsoft, which forwards you to Singapore, and then it's easy, just
send requests to Singapore and get your mail back.

This is all very impressive, and for students studying off campus it might
make sense, but it's a very strange way to communicate with students on the
same campus, living in the same city.  Surely we have better things to do
with the electricity?

The idea of mail for students within a single country that doesn't even have
any states being subject to three different sets of laws bothers me.

Tell me why I am crazy to worry.


REVIEW: The Tangled Web: A Guide to Securing Modern Web Applications

Ben Rothke <brothke@gmail.com>
Fri, 24 Feb 2012 09:37:39 -0500

Michal Zalewski
The Tangled Web: A Guide to Securing Modern Web Applications
Publisher: No Starch Press; 1st edition (26 Nov 2011)
ISBN-13: 978-1593273880

In the classic poem *Inferno*, Dante passes through the gates of Hell, which
has the inscription *abandon all hope, ye who enter here* above the
entrance.  After reading The Tangled Web: A Guide to Securing Modern Web
Applications, one gets the feeling the writing secure web code is akin to
Dante's experience.

In this incredibly good and highly technical book, author Michal Zalewski
writes that modern web applications are built on a tangled mesh of
technologies that have been developed over time and then haphazardly pieced
together.  Every piece of the web application stack, from HTTP requests to
browser-side scripts, comes with important yet subtle security consequences.
In the book, Zalewski dissects those subtle security consequences to show
what their dangers are, and how developers can take it to heart and write
secure code for browsers.

The Tangled Web: A Guide to Securing Modern Web Applications is written in
the same style as Zalewski's last book - Silence on the Wire: A Field Guide
to Passive Reconnaissance and Indirect Attacks, which is another highly
technical and dense book on the topic.  This book tackles the issues
surrounding insecure web browsers.  Since the browser is the portal of
choice for so many users; its inherent secure flaws leaves the user at a
significant risk.  The book details what developers can do to mitigate those
risks.

Full review posted at
http://365.rsaconference.com/blogs/securityreading/2012/01/25/the-tangled-web-a-guide-to-securing-modern-web-applications

Please report problems with the web pages to the maintainer

Top