The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 88

Monday 4 June 2012

Contents

Malicious E-Mail Attachment on Olympics Making Internet Rounds
Nicole Perlroth via Monty Solomon
Cyber search engine Shodan exposes industrial control systems to new risks
Robert O'Harrow Jr. via Lauren Weinstein
Microsoft Emergency Bulletin: Unauthorized Certificate in "Flame"
Johannes Ullrich via Lauren Weinstein
Online Courses Can Offer Easy A's via High-Tech Cheating
Jeffrey R. Young via Dave Farber
Facebook takes baby steps toward kids' social network
Robert X. Cringely via Gene Wirchenko
Fighting Sign Pollution in Florida With Robocalls
Robbie Brown via Monty Solomon
Re: Future Internet Architecture: Content-Centric Networking ...
Scott Brim
Re: iCloud user tracks down iPhone thief using photo stream
Geoff Kuenning
Re: "Siri *ab*use
Dag-Erling Smørgrav
Re: Telemarketing Calls Keep Mounting Up, Along With Consumer Irritation
Geoff Kuenning
John Stanley
Re: Yet another Leap Year issue
John Stanley
Re: "Court warns on jurors' Web use"
George Ross
Info on RISKS (comp.risks)

Malicious E-Mail Attachment on Olympics Making Internet Rounds

Monty Solomon <monty@roscom.com>
Sat, 2 Jun 2012 21:24:30 -0400
  (Nicole Perlroth)

Nicole Perlroth, *The New York Times*, 30 May 2012

Olympics enthusiasts: You may want to think twice before opening that PDF
e-mail attachment of the 2012 Olympics schedule.  On Tuesday, researchers at
F-Secure, a Helsinki, Finland-based security firm, discovered a malicious
PDF file has been making the rounds on the Internet. The file, which
purports to be a schedule of the 2012 London Olympics, is actually a decoy
file which creates a backdoor between the user's computer to a Web site
registered to "student travel" in Baotou, China. ...

http://bits.blogs.nytimes.com/2012/05/30/olympics-themed-threat-makes-rounds-on-the-internet/


Cyber search engine Shodan exposes industrial control systems

Lauren Weinstein <lauren@vortex.com>
Sun, 3 Jun 2012 21:03:17 -0700
  to new risks (Robert O'Harrow Jr.)

  "Matherly and other Shodan users quickly realized they were revealing an
  astonishing fact: Uncounted numbers of industrial control computers, the
  systems that automate such things as water plants and power grids, were
  linked in, and in some cases they were wide open to exploitation by even
  moderately talented hackers."  [Robert O'Harrow Jr., *The Washington
  Post*, via NNSquad] http://j.mp/KZTZvg

Let's get this straight.  Search Engines don't expose industrial control
systems to risks.  The poorly secured control systems do that *to
themselves*.  Don't blame the messenger!


Microsoft Emergency Bulletin: Unauthorized Certificate in "Flame"

Lauren Weinstein <lauren@vortex.com>
Sun, 3 Jun 2012 19:11:52 -0700
  (Johannes Ullrich)

  "Microsoft just released an emergency bulletin, and an associated patch,
  notifying users of Windows that a "unauthorized digital certificates
  derived from a Microsoft Certificate Authority" was used to sign
  components of the "Flame" malware."  http://j.mp/KZG1to [Johannes Ullrich,
  SANS via NNSquad]


Online Courses Can Offer Easy A's via High-Tech Cheating

Dave Farber <farber@gmail.com>
Sun, 3 Jun 2012 15:46:45 -0400
  (Jeffrey R. Young)

Technology - The Chronicle of Higher Education, 3 Jun 2012
http://chronicle.com/article/Online-Courses-Can-Offer-Easy/132093/

Easy A's may be even easier to score these days, with the growing popularity
of online courses. Tech-savvy students are finding ways to cheat that let
them ace online courses with minimal effort, in ways that are difficult to
detect.

Take Bob Smith, a student at a public university in the United States. This
past semester, he spent just 25 to 30 minutes each week on an online science
course, the time it took him to take the weekly test. He never read the
online materials for the course and never cracked open a textbook. He
learned almost nothing. He got an A.

His secret was to cheat, and he's proud of the method he came up with --
though he asked that his real name and college not be used, because he
doesn't want to get caught. It involved four friends and a shared Google
Doc, an online word-processing file that all five of them could read and add
to at the same time during the test.

More on his method in a minute. You've probably already heard of plenty of
clever ways students cheat, and this might simply add one more to the list.
But the issue of online cheating may rise in prominence, as more and more
institutions embrace online courses, and as reformers try new systems of
educational badges, certifying skills and abilities learned online. The
promise of such systems is that education can be delivered cheaply and
conveniently online. Yet as access improves, so will the number of people
gaming the system, unless courses are designed carefully. ...

IP Archives: https://www.listbox.com/member/archive/247/=3Dnow
RSS Feed: https://www.listbox.com/member/archive/rss/247/126123-51093ba0


"Facebook takes baby steps toward kids' social network"

Gene Wirchenko <genew@ocis.net>
Mon, 04 Jun 2012 14:18:52 -0700
  (Robert X. Cringely)

Robert X. Cringely, *InfoWorld*, 4 Jun 2012
Facebook's real goal: selling games to tweens and teens, but the move
could make Facebook safer and better overall, if done right
http://www.infoworld.com/t/cringely/facebook-takes-baby-steps-toward-kids-social-network-194782

"Cringely" covers some of the obvious risks.


Fighting Sign Pollution in Florida With Robocalls (Robbie Brown)

Monty Solomon <monty@roscom.com>
Sat, 2 Jun 2012 22:56:14 -0400

Robbie Brown, *The New York Times*, 2 Jun 2012

In Florida, they are as much a part of the landscape as palm trees and
oceanfront hotels: plastic signs cluttering roadsides with messages like "We
Buy Houses!" "Junk Cars!" and "Avoid Foreclosure!"  But now, worried about
the impact on tourism and the state's natural beauty, some coastal
communities have begun aggressive campaigns against the signs - by
robocalling the advertisers' phone numbers.

"It's the only crime I know of where a person deliberately leaves their
phone number behind," said Mayor Peter Bober of Hollywood, which uses
computer software to call the phone numbers, up to 20 times per day, until
offenders pay a $75 fine. "They want us to call.  So let's call. And keep
calling."

Think of it as fighting one nuisance with another. The advertisements, known
as snipe signs, are illegal in many Florida communities on public property
like highway medians or telephone poles. But they are also cheap to print
and hard to eradicate.  After years of removing the signs by hand, officials
in Hollywood, Oakland Park and St. Johns County recently turned to
robocalling.  Other cities say they are considering the option. ...

http://www.nytimes.com/2012/06/03/us/in-florida-fighting-sign-pollution-with-robocalls.html


Re: Future Internet Architecture: Content-Centric Networking ...

"Scott Brim" <scott.brim@gmail.com>
Jun 2, 2012 7:21 PM
   (MacFie, RISKS-26.87)

  [From Dave Farber's IP distribution.  PGN]

> Don't bittorrent magnet links do this already?

There are several levels and times at which you can do this sort of thing.
For example:

- DNS: the name is mapped to an IP address - early binding to a location.

- Magnet links, if I understand correctly: like DNS, but with just in time
  binding to where they direct you.

- Directors of various sorts: the IP address is essentially virtualized,
  referring to one of several possible servers.  Early binding to the server
  group, late binding to the actual server.

- Layers 4 and above deal only with a "service id". An IP option is inserted
  in the packets, to be read by special middleboxes that guide the packet in
  the right direction (how they determine the right direction, and cache
  such information, is orthogonal) - medium to late binding.

- Layers 4 and above deal only with a service id.  A shim below Layer 4 maps
  the service id to an IP address of the next smart middlebox.  Late
  binding.

- IP addresses are eliminated entirely, and packets are routed only on
  "interest" names.  There is never a binding to an IP address.

It seems to me that people's preferences for different layers and binding
times depend on the time frame of deployment they are interested in.


Re: iCloud user tracks down iPhone thief using photo stream (26.86)

Geoff Kuenning <geoff@cs.hmc.edu>
Sun, 03 Jun 2012 21:40:27 -0700

  [Geoff and Andrew Douglass thought this private reply to Geoff from
  Andrew might be RISKS-worthy, so I am including it here.  PGN]

Here's what Andrew said:

I erred by including too many hypotheticals, distracting from the central
issues of (1) can you spy and (2) if so, with what scope? Does it matter
whether the target is the thief? What if the thief is innocent (maybe you
mistakenly accuse them of having bought the thing with a bad check).

I think you could very well get in civil and criminal trouble for violating
their privacy under existing law, but I've seen no mention of
this. Certainly it would be a 4th amendment issue if law enforcement did
it. Even if you have a privilege to poke around (self-help or whatever)
obviously it should be a minimal intrusion. Caveat snoop.

You're right about good-faith purchasers—they take no title. That doesn't
open them to privacy rape. I was just trying to get readers away from the
vapid criminals-have-no-rights perspective.


Re: "Siri *ab*use (Solomon and Wirchenko, RISKS-26.86)

Dag-Erling Smørgrav <des@des.no>
Mon, 04 Jun 2012 12:00:48 +0200

Peter Houppermans <peter@houppermans.com> writes:
> Siri has been on my "list of things to avoid" pretty much from before
> I obtained the new iPhone.  [...]  An iPhone doesn't have the local
> power to process voice commands, so it sends them to a US hosted service.

The same goes for Android's voice search feature, which is annoyingly
easy to trigger by accident.  Luckily, it is also easy to disable:
Settings -> Apps -> All -> Google Search -> Disable


Re: Telemarketing Calls Keep Mounting Up, Along With Consumer

Geoff Kuenning <geoff@cs.hmc.edu>
Sun, 03 Jun 2012 20:55:22 -0700
  Irritation (Alina Tugend)

For many years now, my outgoing answering-machine message has begun with the
Service Interruption Tone: the three rising beeps that you get when you dial
a seriously bogus number.  For obvious reasons, most telemarketing
autodialers are programmed to delete a number from their database when they
encounter that tone.

The result is that we get fewer than one telemarketing call per week; the
primary offenders are local construction companies who appear to be dialing
by hand.  (The rate goes up during election season, but even then it's not
too bad.)

The only downside is that a *very* few legitimate callers will hang up at
the tone rather than waiting long enough to hear our familiar voice say
"Hello, you've reached the Kuennings."  But it hasn't really been a problem.

Google for "sit.wav" (with or without quotes) to download the tone so you
can add it to your own answering machine.

Geoff Kuenning   geoff@cs.hmc.edu   http://www.cs.hmc.edu/~geoff/


Re: Telemarketing Calls Keep Mounting Up, Along With Consumer

John Stanley <stanley+risks@peak.org>
Mon, 4 Jun 2012 12:11:30 -0700 (PDT)
   Irritation (Solomon, RISKS-26.87)

> Readers told me that the Do Not Call Registry seemed to work just fine at
> blocking calls when it began in 2003 and for several years after that.

It is a misconception that the DNC list blocks anything. The DNC list is
nothing more than that: a list. Marketers are required to search the list at
least every 31 days and drop from their own calling lists any number they
find on the federal list, after considering any of the multitude of
barn-door-wide exceptions.

The system worked well for awhile because the phone service providers and
telespammers had not yet deployed the systems that allow a phone spammer to
display any information they want to via caller ID. Now that a crook hawking
his "cheaper credit card rates" can pretend to be calling from "Illinois" or
"Florida" (two of the recent caller ID 'ids' I've seen from these people)
and display a completely fictitious number, there is very little that a
consumer can use to make a complaint to the FTC.


Re: Yet another Leap Year issue (Duncan, RISKS-26.87)

John Stanley <stanley+risks@peak.org>
Mon, 4 Jun 2012 11:57:26 -0700 (PDT)

This is not a leap-year issue; it is putting off a mission-critical
operation until the very last minute.  That is a human failure, not a
computer failure.

There was a 180-day window for filing; the decision was made to wait until
day 180, which turned out to be day 181. There are any number of reasons why
paperwork can be delayed by a day, so anyone who waits until the very last
day is inviting failure. Blaming it on a day planner, either computerized or
manual, is ridiculous.

Failure to plan is planning to fail, I think the saying goes.


Re "Court warns on jurors' Web use" (Valencia, RISKS-26.87)

George Ross <gdmr@inf.ed.ac.uk>
Mon, 04 Jun 2012 13:29:20 +0100

That's not new.  For example

   http://www.bbc.co.uk/news/uk-england-beds-bucks-herts-16676871
   ("Juror Theodora Dallas jailed for contempt of court")

   http://www.bbc.co.uk/news/uk-england-beds-bucks-herts-16742365
   ("Juror who researched defendant refused leave to appeal"—same case)

   http://www.bbc.co.uk/news/uk-15939922
   ("Juror faces contempt proceedings over 'case research'"—same case)

   http://www.bbc.co.uk/news/uk-16101533
   ("Lord Chief Justice warns juries over Internet research")

   http://www.bbc.co.uk/news/uk-13792080
   ("Facebook juror sentenced to eight months for contempt")

   http://www.bbc.co.uk/news/uk-england-south-yorkshire-12632587
   ("Sun and Daily Mail in contempt over online gun photos")

   http://news.bbc.co.uk/1/hi/england/kent/4270957.stm
   ("Retrial after jury web page found")

   http://news.bbc.co.uk/1/hi/scotland/1628431.stm
   ("Judge details Beggs 'Internet ruling'")

the last of these being from 2001.

George D M Ross MSc PhD CEng MBCS CITP, University of Edinburgh,
Informatics, 10 Crichton Street, Edinburgh, Scotland, EH8 9AB  0131 650 5147

Please report problems with the web pages to the maintainer

Top