I'd like to point out that there is a *real risk* with this posting. If you actually go to "-http://googlephone.page.tl/-" you get the opportunity to click on 2 links, one in the middle of the page or one at the bottom of it. Both of these URLs, labeled "http://googlephone.com/Apps/Google_Mobile_Phone_Tracker_v6.5.8", actually point to "http://dl.dropbox.com/u/61356096/Google%20Mobile%20Phone%20Tracker%20v6.5.8.exe". If this link is actually downloaded and run, you get a virus installed. I use a Mac that has "McAfee Security" installed, and it identified the downloaded file as a virus. I would assume that the anti-virus software for Windows will also catch this one.

The link at the end of this item in the digest, "-http://googlephone.com/Apps/Google_Mobile_Phone_Tracker_v6.5.8-" gets a "server not found" error. While there is a registration by Google for googlephone.com, there is no DNS entry for it.

I thoroughly understand that publishing the "Risks Digest" is a time-consuming task, and following every link published to validate it is just too time-consuming. This is something that the person supplying this item should have done!

Tim Diebert, Sr. Research Engineer, Palo Alto Research Center
3333 Coyote Hill Road, Palo Alto, CA 94304-1313 1.650.812.4433
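The mismatch described in the message above (link text that names one host while the underlying href points to another, here an executable download) can be checked mechanically. The following Python sketch is an added example, not part of the original posting; the function names are hypothetical and the sample HTML is constructed from the two URLs quoted in the message plus placeholder example.org links.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# File extensions treated as executable downloads (illustrative, not exhaustive).
RISKY_EXTENSIONS = (".exe", ".scr", ".msi", ".bat", ".cmd")


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL; tolerates labels written as 'www.x.y/...'."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def audit_links(html):
    """Return findings for anchors whose label and target disagree or that
    point at an executable download. Relative hrefs are not resolved here."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, label in collector.links:
        reasons = []
        label_is_url = label.lower().startswith(("http://", "https://", "www."))
        target_host = _host(href) if "://" in href else ""
        if label_is_url and target_host and _host(label) != target_host:
            reasons.append(f"label shows {_host(label)} but target is {target_host}")
        if unquote(urlsplit(href).path).lower().endswith(RISKY_EXTENSIONS):
            reasons.append("target is an executable download")
        if reasons:
            findings.append({"label": label, "href": href, "reasons": reasons})
    return findings


# Constructed sample page: the first anchor pairs the label and target quoted
# in the message; the other two are benign placeholders.
SAMPLE_PAGE = """
<p><a href="http://dl.dropbox.com/u/61356096/Google%20Mobile%20Phone%20Tracker%20v6.5.8.exe">http://googlephone.com/Apps/Google_Mobile_Phone_Tracker_v6.5.8</a></p>
<p><a href="http://www.example.org/about">http://www.example.org/about</a></p>
<p><a href="http://www.example.org/help">Help</a></p>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_PAGE):
        print(finding["label"], "->", finding["href"])
        for reason in finding["reasons"]:
            print("   ", reason)
```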
My sincerest apologies for including this item at all without further inspection or with a serious warning about the risks of remotely plausible messages. I should know better than to try to put out an issue at 4am while half of my brain was still thinking I should be asleep. But I am glad to see that so many of you reacted sensibly and complained to me. A few more responses are included here. Others were received early on from Joe Hall, Dan Ritter, Larry Werring, Lauren Weinstein—and Richard Martin, whose note included this:

The link on the website it references downloads a *very* dodgy—and very obviously not Google-produced or approved - .exe file that Chrome immediately identifies as malicious and which Sophos identifies as a variant of the Sality worm. If it infects a PC it will proceed to download further malware onto the victim machine, so not a sensible thing to have around. On the other hand, the tracking behaviour described in the badly-spelled writeup has been provided for quite a while now on all Google Android phones capable of running Google Latitude.

I put a warning note in the archive copy of RISKS-26.73 rather than deleting the item altogether, which we normally do not do. The educational importance of this item and its risks is decidedly important.

Again, my apologies for letting this one slip through. Thanks to all of you who responded, and my best wishes to *all* RISKS readers. The attackers are becoming ever more sophisticated and devious, and require continual escalations in our collective eternal vigilance. PGN
The cited article also says:

“After the first 500 Roadsters, Tesla added a remote monitoring system to the vehicles, connecting through AT&T's GSM-based cellular network. Tesla uses this system to monitor various vehicle metrics including the battery charge levels, as long as the vehicle has the GSM connection activated and is within range of AT&T's network. According to the Tesla service manager, Tesla has used this information on multiple occasions to proactively telephone customers to warn them when their Roadster's battery was dangerously low. In at least one case, Tesla went even further. The Tesla service manager admitted that, unable to contact an owner by phone, Tesla remotely activated a dying vehicle's GPS to determine its location and then dispatched Tesla staff to go there. It is not clear if Tesla had obtained this owner's consent to allow this tracking, or if the owner is even aware that his vehicle had been tracked. Further, the service manager acknowledged that this use of tracking was not something they generally tell customers about.”

But this article suggests that there may be other reasons for the story.
Ellen Messmer, *Network World*, 14 Feb 2012
http://www.networkworld.com/news/2012/021412-security-myths-256109.html

opening paragraph: They're "security myths," oft-repeated and generally accepted notions about IT security that arguably are simply not true—in other words, it's just a myth. We asked security experts, consultants, vendors and enterprise security managers to share their favorite "security myths" with us. Here are 13 of them:
[via both Dave Farber and johnmacsgroup. PGN]

http://science.slashdot.org/story/12/02/22/2116251/faulty-cable-to-blame-for-superluminal-neutrino-results

Faulty Cable To Blame For Superluminal Neutrino Results
from the not-so-fast dept., 22 Feb 2012

smolloy writes "It would appear that the hotly debated faster-than-light neutrino observation is the result of a fault in the connection between a GPS unit and a CERN computer. This connection was used to correct for time delays in the neutrino flight, and after fixing the correction the researchers have found that the time discrepancy appears to have vanished."

<http://science.slashdot.org/story/11/09/22/1841217/cern-experiment-indicates-faster-than-light-neutrinos?sdsrc=rel>
<http://news.sciencemag.org/scienceinsider/2012/02/breaking-news-error-undoes-faster.html?ref=hp#.T0U_N0pYVRc.twitter>
[From New Scientist's One Percent blog, via Paul on Dave Farber's IP]

GPS Jamming: a clear and present reality, 22 Feb 2012

A secret network of 20 roadside listening stations across the UK has confirmed that criminals are attempting to jam GPS signals on a regular basis, a conference <https://connect.innovateuk.org/web/6517437/agenda> at the National Physical Laboratory, in London, will hear later today. Set up by the government's Technology Strategy Board (TSB) and run by Chronos Technology of the Forest of Dean, UK, the Sentinel network <http://www.chronos.co.uk/index.php/en/sentinel.html> has sensed an average of ten jamming incidents per month since September 2011.

"Our jamming sensors use very small GPS receivers like those in cellphones. They are installed at locations where our partner companies have experienced unexplained outages to their professional GPS equipment," says Chronos managing director Charles Curry. "The jammers sweep a signal through the GPS band around 1.5 gigahertz and we log the impact that has on the local GPS signal." One victim of these GPS outages was Britain's national mapping agency, Ordnance Survey.

Details on the 60 incidents recorded to date are scant as Sentinel is still evaluating the causes, but at least one jamming device has been seized. Curry says most jammers seem to be being used by truckers to stop 'spy-in-the-cab' tachographs working, preventing their journeys being tracked by their bosses, or by thieves stealing commercial vehicles. "The one police have confiscated is of the type that fits in a vehicle and is powered via a lighter socket," he says.

Oddly, more than one person appears to be responsible for the jamming at some locations: Chronos is trying to differentiate between different jammers to give "a better idea of how many individuals at a particular location are jamming GPS".

Vigilantes could be one source: a major problem with GPS is the way some small villages and towns suffer visits from dangerously outsized trucks - which often get stuck in tiny streets - attempting to follow satnav-advised shortcuts. So it is possible locals are placing jammers to prevent drivers' antisocial behaviour.

The GPS signal is weak and easily jammed - its radiation is only as intense as a car headlight shining from 20,000 kilometres away. Hundreds of online vendors illegally sell jamming equipment online yet at the same time the GPS signal has fast become critical national infrastructure <http://www.newscientist.com/article/dn20202-gps-chaos-how-a-30-box-can-jam-your-life.html>. In addition to location services via satnavs, the atomic clocks aboard the satellites are used to provide crucial timing signals for systems as diverse as cellphone towers and banking systems - and without GPS they fall over.

That's why it's no surprise that a US company called LightSquared, which wanted to run a 4G cellphone service very near to the GPS frequencies, has been barred from doing so <http://transition.fcc.gov/Daily_Releases/Daily_Business/2012/db0215/DOC-312479A1.pdf> by the Federal Communications Commission. It could not demonstrate that its technology could steer clear of GPS signals that stray from its allotted bandwidth.

The conference will also hear about how the GPS signal can be spoofed so that satnavs are lured in the wrong direction. You can see videos of how spoofing works over at the University of Texas <http://radionavlab.ae.utexas.edu/videos>. Spoofers could become the latter-day equivalent of wreckers who used to make false lights to draw ships onto the rocks.

The General Lighthouse Authorities, for instance, suspect that ships are now so dependent on GPS that in the world's busiest sealane - the English Channel - they confidently expect "an incident" due to GPS failure, jamming or spoofing in the next decade.

"The question for the authorities is what we are going to do once the owners of jammers are identified and how can we prevent others using them," says Curry.

http://www.newscientist.com/blogs/onepercent/2012/02/gps-jamming-a-clear-and-presen.html
http://j.mp/wbMCgL (BBC) [via NNSquad] "Almost a million UK homes will need to have filters installed to prevent TV interference from 4G mobile signals - at a cost of 108m."
[Nick Bilton, Behind the Google Goggles, Virtual Reality, *The New York Times*, 22 Feb 2012; PGN-ed] http://www.nytimes.com/2012/02/23/technology/google-glasses-will-be-powered-by-android.html?_r=2&nl=todaysheadlines&emc=tha25 It wasn't so long ago that legions of people began walking the streets, talking to themselves. On closer inspection, many of them turned out to be wearing tiny earpieces that connected wirelessly to their smartphones. What's next? Perhaps throngs of people in thick-framed sunglasses lurching down the streets, cocking and twisting their heads like extras in a zombie movie. That's because later this year, Google is expected to start selling eyeglasses that will project information, entertainment and, this being a Google product, advertisements onto the lenses. The glasses are not being designed to be worn constantly - although Google engineers expect some users will wear them a lot - but will be more like smartphones, used when needed, with the lenses serving as a kind of see-through computer monitor. [Dig up the entire article. PGN]
(Stephen C. Webster) http://j.mp/w1AqEb (Raw Story) http://j.mp/Aaeis5 (Facebook "Abuse Standards Violations" doc [JPG]) "A secret list curated by social network giant Facebook was published online recently after an employee for one of the company's third-world contractors, upset at his poor working conditions and meager wage, decided to fight back. The document reveals exactly what Facebook's censorship brigade looks for on the social network, which boasts over 850 million users spanning the globe." [via NNSquad.org]
*The Wall Street Journal*, *The Washington Post*, and pretty much all other major papers are reporting that Nortel's security had been breached for years (2004-present), and information was being leaked out to Chinese sites. There are a few key things in this story:

* The problem was deep. "The hackers also hid spying software so deeply within some employees' computers that it took investigators years to realize the pervasiveness of the problem."

* Management seems to have deliberately turned a blind eye to the problem. "Nortel made no effort to determine if its products were also compromised by hackers" according to several employees the WSJ interviewed.

* As they were selling its assets, Nortel executives did not disclose the known breach. "Ciena was not made aware, whether during diligence or any other part of the bankruptcy-sale process, of any possible prior infiltration of the Nortel network by third parties."

* Executives seem to be unaware of the risks. "Mr. Zafirovski [former Nortel CEO] said he didn't believe the infiltrations could be passed on to acquiring companies. [...] a significant number of people continued to use Nortel laptops and desktop computers after moving to Avaya and Genband and connected them to those companies' networks."

The blame should be shared - assuming that Nortel didn't volunteer the information, it seems that it should be on the M&A checklist for a buyer to ask about risks relating to computer infiltrations. And checking machines brought over should be part of the checklist for the integrated IT department. But perhaps the M&A folks are too busy with the spreadsheets to understand the underlying risks.

But the part that I find the scariest is the lack of understanding that not only was the problem spreading within their organization, but it may have also spread within their customers' organizations through infected products. We've certainly seen that happen before...

The recent SEC guidance that network security breaches are material events should help push this harder in the future. Perhaps this will be a wakeup call to companies doing acquisitions? The RISKS? Lots, but most notably that buying another organization also buys their risks, which may be unseen.... just the way manufacturing companies discovered in the 1970s and 1980s that they had purchased liability for pollution in addition to buying corporate assets. http://online.wsj.com/article_email/SB10001424052970203363504577187502201577054-lMyQjAxMTAyMDEwNDExNDQyWj.html?mod=wsj_share_email_bot#printMode http://www.washingtonpost.com/business/technology/report-chinese-hackers-breach-nortel-networks/2012/02/14/gIQApXsRDR_story.html?hpid=z11
I own a Suburban (not armored, unfortunately) and the behavior of the door locks is user-selectable. They can be set so only the driver's door unlocks when shifted to park, all doors unlock when shifted to park, all doors unlock when the key is removed from the ignition, or no automatic door unlock occurs (in which case you have to use the button). If power is out, you can manually unlock the door as well. The factory default is to have the driver's door unlock when you shift to park. The RISK here applies to more than armored cars and U.S. special agents - with ANY product, the user should evaluate the available settings and determine what is appropriate for their environment. Factory-defaults are not necessarily secure - we've seen this time and again with wireless routers that ship with security disabled, firewalls initially configured to allow all traffic, etc. In this particular case I'd expect the company that armored the vehicle (i.e. had responsibility for securing it) should have set the door lock parameters, and perhaps they did - there's nothing to prevent any driver from changing the setting. Hopefully in the future they'll inspect these settings and include some user training on them (e.g. DON'T TOUCH!)
What I learned during Severe Weather Awareness Week: (1) On the road, you're in danger from tornadoes. Get out of your car and lie down in a ditch. (2) In low-lying areas, you can drown in a flash flood. Get out of that ditch and head for the hills. (3) The highest object around gets hit by lightning. Get off of that hill and into your car. (4) On the road, you're in danger from tornadoes... Richard S. Russell, 2642 Kendall Av. #2, Madison WI 53705-3736 608+233-5640 RichardSRussell@tds.net http://richardsrussell.livejournal.com/
> That terrifying sound—a quiet click --

And it can get *even* worse than that!

This morning, as it happened, as I backed out of the garage, I knocked the right hand rear view mirror out of alignment. My only excuse is that the dog was trying to lick me ear off. Since I could not quite reach the mirror from the driver's seat through the window, I put the car in park with the engine running, and got out. When I closed the door, *the doors locked!* With the engine running! Luckily I *had* left the right window open.

I have NO idea what the settings allow. I do know that there are some settings, but I have not found a way to defeat the 'you must be in park to open the doors' rule. But locking the doors when the engine is running is not my idea of a 'positive outcome'.

R. Geoffrey Newbury, Barrister and Solicitor, Suite 106, 150 Lakeshore Road West, Mississauga, Ontario, L5H 3R2 o905-271-9600 f905-271-1638
Ah, would you believe https://jhalderm.com/pub/papers/dcvoting-fc12.pdf [Corrected URL now noted in RISKS ARCHIVE copies.]
Court: Fifth Amendment Protects Suspects from Having to Decrypt Hard Drives (+ my comments; from Network Neutrality Squad)

http://j.mp/zt5iyr (This message on Google+)
http://j.mp/yjQAPV (WSJ)

"In a ruling that could have broad ramifications for law enforcement, a federal appeals court has ruled that a man under investigation for child pornography isn't required to unlock his computer hard drives for the federal government, because that act would amount to the man offering testimony against himself."

- - -

The Journal of course discusses this case in their usual "even-handed" manner—note the graphic of the hooded man glaring at the reader, holding a keyboard with gloved hands. And loaded language such as, "The ruling could handcuff federal investigators ..." demonstrates the usual News Corp. "balance" in action.

Be that as it may, it is true that this is not the end of the line for such disputes. There are other cases in progress that will directly contradict the reasoning of this decision, and the entire mess ending up in front of the Supreme Court seems like a pretty good bet.

But will it really matter in the long run? I'm doubtful. The availability of powerful encryption systems that can be applied to disk drives, even in the presence of hardware-based surveillance mechanisms, will continue to expand. Weak key generation and poor key management systems will gradually become the exception rather than rule in many cases, and the power of technologies such as distributed encryption and key systems—which could make it impossible to decrypt data without the cooperation of parties in multiple jurisdictions, may become common.

Over time, whether one chooses to like it or not, governments may be forced to accept the reality that increasing amounts of data will remain beyond their abilities to successfully demand, regardless of sanctions and pressures applied to defendants or other interested parties.

Lauren Weinstein http://www.vortex.com/lauren Blog: http://lauren.vortex.com Network Neutrality Squad: http://www.nnsquad.org 1(818) 225-2800
A lecturer in Dunedin sends e-mail to his class. It is sent to Microsoft (Redmond is 7,600 miles away) who pass it on to Singapore (another 8,100 miles), which is 5,200 miles away from Dunedin. When a student wants to read this mail, she does so through a web browser. Log in here, it forwards you to Microsoft, which forwards you to Singapore, and then it's easy, just send requests to Singapore and get your mail back. This is all very impressive, and for students studying off campus it might make sense, but it's a very strange way to communicate with students on the same campus, living in the same city. Surely we have better things to do with the electricity? The idea of mail for students within a single country that doesn't even have any states being subject to three different sets of laws bothers me. Tell me why I am crazy to worry.
Michal Zalewski
The Tangled Web: A Guide to Securing Modern Web Applications
Publisher: No Starch Press; 1st edition (26 Nov 2011)
ISBN-13: 978-1593273880

In the classic poem *Inferno*, Dante passes through the gates of Hell, which has the inscription *abandon all hope, ye who enter here* above the entrance. After reading The Tangled Web: A Guide to Securing Modern Web Applications, one gets the feeling that writing secure web code is akin to Dante's experience.

In this incredibly good and highly technical book, author Michal Zalewski writes that modern web applications are built on a tangled mesh of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. In the book, Zalewski dissects those subtle security consequences to show what their dangers are, and how developers can take it to heart and write secure code for browsers.

The Tangled Web: A Guide to Securing Modern Web Applications is written in the same style as Zalewski's last book - Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks, which is another highly technical and dense book on the topic.

This book tackles the issues surrounding insecure web browsers. Since the browser is the portal of choice for so many users, its inherent security flaws leave the user at a significant risk. The book details what developers can do to mitigate those risks.

Full review posted at http://365.rsaconference.com/blogs/securityreading/2012/01/25/the-tangled-web-a-guide-to-securing-modern-web-applications