The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 03

Saturday 29 September 2012

Contents

Fake sign causes real outage
John Carr
Healthwatch: RCN subscribers in greater NYC area
Danny Burstein
GAO recommendations on medical device security
Kevin Fu
The disappearing web: Information decay is eating away our history
Gigaom via NNSquad
Double Payments Bedevil Veterans' Pension System
James Dao via Monty Solomon
Joint Typhoon Warning Center blocked for non-US users
jidanni
New Jersey bans smiling in license photos
Mark Thorson
"Major banks hit with biggest cyberattacks in history"
David Goldman via Gene Wirchenko
Cyber Attacks on Banks Expose U.S. Infrastructure Vulnerability
Debra L Tekavec
Using a rental computer? There's a spy-app with that ...
Danny Burstein
Rented Computers Captured Customers Having Sex, F.T.C. Says
Matthew Kruk
The Anti-Cloud?
Mark Thorson
Remote wipe attack not limited to Samsung phones!
Bob Frankston
Hackers Breached Adobe Server in Order to Sign Their Malware
Kim Zetter via Monty Solomon
"Adobe confirms Windows 8 users vulnerable to active Flash exploits"
Gregg Keizer via Gene Wirchenko
Two men admit to $10 million hacking spree on Subway sandwich shops
Dan Goodin via Monty Solomon
Millions of Virgin Mobile accounts at risk of password attacks
Dan Goodin via Monty Solomon
Oracle Database suffers from "stealth password cracking vulnerability"
Lauren Weinstein
Hidden web code means hackers 'can wipe Samsung Galaxy S3'
Bob Frankston
Security experts not understanding security risks
Ars technica via Jeremy Epstein
"Do Not Call List doesn't apply for home business lines: CRTC"
Brian Jackson via Gene Wirchenko
Your Ballot is Now Available
Wendy M. Grossman
No Fundamental Right to a Secret Ballot
Jonathan S. Shapiro
"One poor security choice results in $250,000 Bitcoin heist"
Gene Wirchenko
SPAM with Calendar invites risks...
George Michaelson
Authentication monoculture
Dag-Erling Smørgrav
Data breach at IEEE.org: 100k plaintext passwords
Jeffrey Walton
Risks of linking information from Facebook leads to bigamy charges
Thomas Dzubin
Facebook wants you to snitch on your friends not using their real names
Paul Bernal via Lauren Weinstein
"Facebook reveals its evil plans"
Robert X. Cringely via Gene Wirchenko
A new nasty virus and an excellent tool to counter it and others
Paul Robinson
20% of new PCs in China come with malware pre-installed
Wolfgang Gruener via Jim Reisert
Hidden web code means hackers 'can wipe Samsung Galaxy S3'
Lauren Weinstein
Leaked Apple IDs ...
Gene Wirchenko
Re: When GPS Confuses, You May Be to Blame
Henry Baker
Info on RISKS (comp.risks)

Fake sign causes real outage

John Carr <jfc@mit.edu>
Tue, 18 Sep 2012 08:46:55 -0400
"High voltage" signs next to Verizon cable conduits were a bluff to
keep homeless people away.  They did not work.  Instead they kept
firefighters from extinguishing a mattress fire.  Regional phone and
Internet service went out as the cables melted.

<http://www.eagletribune.com/latestnews/x550073983/Something-that-valuable-has-to-be-secured>


Healthwatch: RCN subscribers in greater NYC area

danny burstein <dannyb@panix.com>
Thu, 6 Sep 2012 18:34:07 -0400 (EDT)
RCN was still out an hour ago (last time I was able to check). They're now
talking about a midnight restoration. That would be over thirty hours.

So this is tens of thousands of customers losing their access. Oh, and that
includes plenty of servers, too.  Maybe hundreds of thousands...

A "fiber cut" has crippled RCN's service in the greater NYC area since Weds.
evening. This kills their phone, tv, and Internet users...

One of their reps posted [a]:

They are still working on the Fiber cut at this time, so services are still
affected. We have crews in the field working diligently to restore services.

Jason Nealis, V.P. Engineering and Operations


GAO recommendations on medical device security

Kevin Fu <kevinfu@cs.umass.edu>
Thu, 27 Sep 2012 16:23:01 -0400
Today GAO issued a set of recommendations to improve the information
security of certain medical devices.

http://www.gao.gov/assets/650/647767.pdf

Three lawmakers who requested the GAO review issued the following responses:

http://markey.house.gov/sites/markey.house.gov/files/GAO_MedicalImplants.pdf
http://markey.house.gov/press-release/markey-edwards-eshoo-hacking-threats-implantable-medical-devices-call-improved-fda

Kevin Fu, Associate Professor, UMass Amherst Computer Science
http://spqr.cs.umass.edu/ N.B.: My lab moves to Michigan on January 1.


The disappearing web: Information decay is eating away our history

Lauren Weinstein <lauren@vortex.com>
Sun, 23 Sep 2012 09:54:05 -0700
  "In fact, the researchers said that within a year of these events, an
  average of 11 percent of the material that was linked to had disappeared
  completely (and another 20 percent had been archived), and after
  two-and-a-half years, close to 30 percent had been lost altogether and 41
  percent had been archived. Based on this rate of information decay, the
  authors predicted that more than 10 percent of the information about a
  major news event will likely be gone within a year, and the remainder will
  continue to vanish at the rate of .02 percent per day." http://j.mp/SgjSvu
  (Gigaom via NNSquad)


Double Payments Bedevil Veterans' Pension System (James Dao)

Monty Solomon <monty@roscom.com>
Thu, 27 Sep 2012 08:31:00 -0400
James Dao, 22 Sep 2012

PHILADELPHIA - In July 2010, a Department of Veterans Affairs employee named
Kristen Ruell was updating a benefit claim when she noticed something
odd. What should have been an increase of about $2,000 in a monthly payment
to the widow of a veteran showed up on her computer screen as $21,000.

Puzzled, she set the claim aside and began digging into computer files for
an answer. What she found surprised and worried her: the department's
database contained duplicate records for the widow, and the system was
trying to pay her twice. It was also recommending a retroactive payment
dating back months - though the widow had already been paid for that period.

After seeing the same problem in other claims, Ms. Ruell, who works on a
quality review team at a veterans pension management center in Philadelphia,
says she raised red flags with her bosses. If she, one of scores of payment
authorizers nationwide, was just noticing the duplicate payments, was it not
likely that the department had inadvertently overpaid many other people for
years?

Two years later, that concern has not been resolved, Ms. Ruell and several
other pension management workers say. ...

http://www.nytimes.com/2012/09/23/us/duplicate-payments-bedevil-va-pension-system-workers-say.html


Joint Typhoon Warning Center blocked for non-US users

<jidanni@jidanni.org>
Mon, 10 Sep 2012 16:48:13 +0800
The Joint Typhoon Warning Center (JTWC) is the U.S. Department of Defense
agency responsible for issuing tropical cyclone warnings for the Pacific and
Indian Oceans.  It is blocked for non US users, for National Security
Reasons.

  What will they think of next.  [...]


New Jersey bans smiling

Mark Thorson <eee@sonic.net>
Mon, 24 Sep 2012 08:55:28 -0700
Since January, New Jersey banned smiling for driver's license
photographs because it can't be handled by new facial recognition
software.

http://articles.philly.com/2012-09-21/news/33978387_1_smile-motor-vehicle-commission-facial-expressions

What good is facial recognition software that can be defeated
by a smile?  If I see someone with a forced smile at an airport,
does that mean they're likely to be a terrorist?


"Major banks hit with biggest cyberattacks in history"

Gene Wirchenko <genew@ocis.net>
Fri, 28 Sep 2012 11:00:51 -0700
David Goldman, @CNNMoneyTech, 28 Sep 2012, The Cybercrime Economy
http://money.cnn.com/2012/09/27/technology/bank-cyberattacks/index.html


Cyber Attacks on Banks Expose U.S. Infrastructure Vulnerability

"Debra L Tekavec" <dtekavec@andrew.cmu.edu>
Sep 28, 2012 6:32 PM
  [From Dave Farber's IP]

Even if you think you know this stuff cold, Bloomberg, 27 Sep 2012,
http://www.bgov.com/news_item/mqZezAeKXUSylBI8GncG_Q

Cyber attacks on the biggest U.S. banks, including JPMorgan Chase & Co. and
Wells Fargo & Co., have breached some of the nation's most advanced computer
defenses and exposed the vulnerability of its infrastructure, said
cybersecurity specialists tracking the assaults.  The attack, which a
U.S. official yesterday said was waged by a still-unidentified group outside
the country, flooded bank websites with traffic, rendering them unavailable
to consumers and disrupting transactions for hours at a time.

Such a sustained network attack ranks among the worst-case scenarios
envisioned by the National Security Agency, according to the U.S. official,
who asked not to be identified because he isn't authorized to speak
publicly. The extent of the damage may not be known for weeks or months,
said the official, who has access to classified information. ...

"The nature of this attack is sophisticated enough or large enough that
even the largest of the financial institutions would find it difficult to
defend against," Rodney Joffe, senior vice president at Sterling,
Virginia-based security firm Neustar Inc., said in a phone interview.

While the group is using a method known as distributed denial-of-service, or
DDoS, to overwhelm financial-industry websites with traffic from hijacked
computers, the attacks have taken control of commercial servers that have
much more power, according to the specialists.

"The notable thing is the volume and the scale of the traffic that's been
directed at these sites, and that's very rare," Dmitri Alperovitch,
co-founder and chief technology officer of Palo Alto, California-based
security firm CrowdStrike Inc., said in a phone interview.


Using a rental computer? There's a spy-app with that ...

danny burstein <dannyb@panix.com>
Wed, 26 Sep 2012 22:36:40 -0400 (EDT)
[FTC press release]

FTC Halts Computer Spying

Secretly Installed Software on Rented Computers Collected Information, Took
Pictures of Consumers in Their Homes, Tracked Consumers' Locations

Seven rent-to-own companies and a software design firm have agreed to settle
Federal Trade Commission charges that they spied on consumers using
computers that consumers rented from them, capturing screenshots of
confidential and personal information, logging their computer keystrokes,
and in some cases taking webcam pictures of people in their homes, all
without notice to, or consent from, the consumers. ...  user names and
passwords for e-mail accounts, social media websites, and financial
institutions; Social Security numbers; medical records; private e-mails to
doctors; bank and credit card statements; and webcam pictures of children,
partially undressed individuals, and intimate activities at home, according
to the FTC.

rest: http://www.ftc.gov/opa/2012/09/designware.shtm


Rented Computers Captured Customers Having Sex, F.T.C. Says (Nick Bilton)

"Matthew Kruk" <mkrukg@gmail.com>
Thu, 27 Sep 2012 21:06:26 -0600
http://bits.blogs.nytimes.com/2012/09/26/rented-computers-captured-customers-having-sex-f-t-c-says/?nl=todaysheadlines&emc=tha26_20120927

Nick Bilton, *The New York Times*, Sep 26 2012
Rented Computers Captured Customers Having Sex, F.T.C. Says

If you rented a computer, you probably should not have been blogging without
your shirt on.  On Tuesday, seven computer rental companies agreed to a
settlement with the federal government after it was discovered that they
were unlawfully capturing photos of customers by using illicit software that
controlled a computer's webcam. ...  The webcam software, called PC Rental
Agent, had been installed on approximately 420,000 computers worldwide,
according to the F.T.C., and as of August 2011 it was being used by
approximately 1,617 rent-to-own stores in the United States, Canada and
Australia.

  [Article Copyright 2012 *The New York Times*, Excerpted for RISKS. PGN]


The Anti-Cloud?

Mark Thorson <eee@sonic.net>
Sat, 15 Sep 2012 10:38:59 -0700
Symform is offering cloud storage services on the front end,
but instead of operating their own cloud on the back end,
they store data in unused space on other customers' drives.

http://siliconangle.com/blog/2012/09/14/symform-brings-bartering-to-the-cloud/

It seems to me this is a step beyond traditional cloud computing
(if something as new as cloud computing can be said to have
anything "traditional").  Not only is my data trusted to another
party, they in turn are trusting it to unknown (to me) third parties.

I can see the argument that encryption and redundancy might make this as
secure and reliable as any other cloud services, and perhaps even more so
because there's no datacenter to flood or catch fire.  But it still seems
weird to me, like going to the hospital and finding out my surgery will be
performed remotely by a doctor in Bangladesh.


Remote wipe attack not limited to Samsung phones!

"Bob Frankston" <Bob19-0501@bobf.frankston.com>
Wed, 26 Sep 2012 15:14:14 -0400
http://www.theverge.com/2012/9/26/3412432/samsung-touchwiz-remote-wipe-vulnerability-android-dialer

The article points to a web page which uses tel:*%2306%23 to display the IMEI
number! Just click on the tel: URL in this message on affected phones.

Put that through your firewall and see how futile primitive security is.
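Added example, not code from Bob Frankston's post, The Verge or Samsung: a content-filter check of the kind a proxy or mail gateway could run, which percent-decodes every tel: URI on a page and flags the ones whose "number" is MMI/USSD control-code syntax (the post's tel:*%2306%23 decodes to *#06#) and notes whether the URI sits in a tag that is followed without a click. The sample HTML and the classification rule are my assumptions.

```python
"""Flag tel: URIs that carry MMI/USSD control codes rather than phone numbers.

Added illustration; the sample page below is constructed and the rule is an
assumption about what a defensive filter might apply, not vendor logic."""
import re
from urllib.parse import unquote

# Any tel: URI reference; the target stops at whitespace, quotes or brackets.
TEL_RE = re.compile(r'''(?i)\btel:([^\s"'<>]+)''')

# MMI/USSD syntax: starts with '*' or '#' and ends with '#', with only
# digits, '*' and '#' in between.  A dialable number never starts that way,
# so DTMF pauses or extensions inside ordinary numbers are not flagged.
MMI_RE = re.compile(r'^[*#][*#0-9]*#$')

# Tags whose tel: target the browser may follow with no user click.
AUTO_TAGS = {"iframe", "frame", "meta"}


def is_mmi_code(number: str) -> bool:
    """True when the percent-decoded target is control-code syntax.

    Decoding first matters: %23 and %2A hide '#' and '*' from naive filters.
    """
    return bool(MMI_RE.match(unquote(number).strip()))


def enclosing_tag(html: str, pos: int) -> str:
    """Lower-cased name of the tag the tel: URI at `pos` sits in ('' if none)."""
    start = html.rfind("<", 0, pos)
    if start < 0:
        return ""
    m = re.match(r"<\s*([a-zA-Z][a-zA-Z0-9]*)", html[start:])
    return m.group(1).lower() if m else ""


def classify_tel_links(html: str):
    """(raw target, decoded target, is_mmi, enclosing tag) per tel: URI."""
    results = []
    for m in TEL_RE.finditer(html):
        raw = m.group(1)
        results.append((raw, unquote(raw), is_mmi_code(raw),
                        enclosing_tag(html, m.start())))
    return results


def auto_triggered(results):
    """The subset of flagged URIs that would fire without a click."""
    return [r for r in results if r[2] and r[3] in AUTO_TAGS]


# Constructed sample page: one ordinary number, one clickable MMI link, one
# MMI link that a browser might follow on load.
SAMPLE_HTML = """<p>Support: <a href="tel:+1-555-0100">call us</a></p>
<a href="tel:*%2306%23">show IMEI</a>
<iframe src="tel:%2A%2306%23"></iframe>"""

if __name__ == "__main__":
    for raw, decoded, flagged, tag in classify_tel_links(SAMPLE_HTML):
        print(f"{tag:>6}  {raw:<14} -> {decoded:<8} flagged={flagged}")
```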


Hackers Breached Adobe Server in Order to Sign Their Malware (Kim Zetter)

Monty Solomon <monty@roscom.com>
Thu, 27 Sep 2012 22:11:02 -0400
Kim Zetter, *WiReD*, 27 Sep 2012

The ongoing security saga involving digital certificates got a new and
disturbing wrinkle on Thursday when software giant Adobe announced that
attackers breached its code-signing system and used it to sign their malware
with a valid digital certificate from Adobe.

Adobe said the attackers signed at least two malicious utility programs with
the valid Adobe certificate. The company traced the problem to a compromised
build server that had the ability to get code approved from the company's
code-signing system.

Adobe said it was revoking the certificate and planned to issue new
certificates for legitimate Adobe products that were also signed with the
same certificate, wrote Brad Arkin, senior director of product security and
privacy for Adobe, in a blog post. ...

http://www.wired.com/threatlevel/2012/09/adobe-digital-cert-hacked/

Inappropriate Use of Adobe Code Signing Certificate
http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html


"Adobe confirms Windows 8 users vulnerable to active Flash exploits" (Gregg Keizer)

Gene Wirchenko <genew@ocis.net>
Tue, 11 Sep 2012 14:23:17 -0700
Gregg Keizer, *Computerworld*, 10 Sep 2012
Baked-in Flash Player in Windows 8's IE10 won't be updated until late
October, says Microsoft
http://www.infoworld.com/d/security/adobe-confirms-windows-8-users-vulnerable-active-flash-exploits-201941


Two men admit to $10 million hacking spree on Subway sandwich shops

Monty Solomon <monty@roscom.com>
Wed, 19 Sep 2012 00:04:14 -0400
Dan Goodin, Ars Technica, 17 Sep 2012

The Romanians admitted their role in a ring that compromised some 146,000
cards.  Two Romanian men have admitted to participating in an international
conspiracy that hacked into credit-card payment terminals at more than 150
Subway restaurant franchises and stole data for more than 146,000
accounts. The heist, which spanned the years 2009 to 2011, racked up more
than $10 million in losses, federal prosecutors said.

http://arstechnica.com/security/2012/09/romanians-cop-to-10-million-hacking-spree/


Millions of Virgin Mobile accounts at risk of password attacks

Monty Solomon <monty@roscom.com>
Wed, 19 Sep 2012 00:04:14 -0400
A customer who cracked his password shows just how easy account takeovers are.
Dan Goodin, Ars Technica, 18 Sep 2012
http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/


Oracle Database suffers from "stealth password cracking vulnerability"

Lauren Weinstein <lauren@vortex.com>
Thu, 20 Sep 2012 15:48:42 -0700
  "A weakness in an Oracle login system - used in the company's databases
  which grant access to sensitive information - makes it trivial for attackers
  to crack user passwords and gain entry without authorization, a researcher
  has warned."  http://j.mp/PMr1Q3  (ars technica via NNSquad)

  [See also Oracle database flaw deemed serious, could expose data, noted by
  Gene Wirchenko.  PGN]
  http://www.infoworld.com/d/security/oracle-database-flaw-deemed-serious-could-expose-data-203001


Hidden web code means hackers 'can wipe Samsung Galaxy S3' - Telegraph

"Bob Frankston" <Bob19-0501@bobf.frankston.com>
Tue, 25 Sep 2012 11:09:00 -0400
http://www.telegraph.co.uk/technology/samsung/9565395/Hidden-web-code-means-hackers-can-wipe-Samsung-Galaxy-S3.html

Malicious hackers can hide a code in a web page that will trigger a full
factory reset of Samsung's best-selling Galaxy S3 smartphone, deleting
contacts, photographs, music, apps and other valuable data, security
researchers have discovered.


Security experts not understanding security risks

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Tue, 25 Sep 2012 09:05:10 -0400
http://arstechnica.com/security/2012/09/secret-microsoft-policy-limited-hotmail-passwords-to-16-characters/

Ars Technica reports that Costin Raiu from Kaspersky Lab noticed that
Hotmail no longer accepts passwords longer than 16 characters, and
quotes him as saying "To pull off this trick [of allowing login with
only the first 16 characters of the password] with older passwords,
Microsoft has two choices. [Either] store full plaintext passwords in
their [database]; compare the first 16 [characters] only [or]
Calculate the hash only on the first 16; ignore the rest."  He then
goes on to comment that he isn't sure which option is worse.

The article then goes on to note that Hotmail's limit is shorter than
other services, and quotes a Microsoft spokesperson as saying that the
rule has always been there, and silently enforced - only now it gives
a message if you try to type more than 16 characters.  Microsoft also
noted that length isn't the key thing, it's uniqueness.  Further, the
Microsoft spokesperson notes that "we've found the vast majority of
attacks are through phishing, malware infected machines, and the reuse
of passwords on third-party sites—none of which are helped by very
long passwords."

Of all people, a technical expert like Raiu should understand this
last point - if he's relying on Hotmail to protect his information by
virtue of a long password, he's putting his faith in the wrong place.
Even if he's protected against the client-side threats suggested by
Microsoft, there are still attacks against the Hotmail servers, not to
mention insider attacks.

Many years ago, Sami Saydjari used the analogy of security as a picket
fence, where security techniques can raise & lower pickets (or create
additional fences to be scaled).  16 character passwords are already a
reasonably high picket, when compared to the other pickets in our
security infrastructure.  As security experts, we have a moral
obligation to raise the low pickets, and not spend our time
complaining about the high pickets, especially in ways that are likely
to unreasonably stoke public fears about the wrong problems.
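Added example, not code from Jeremy Epstein's post, Raiu or Microsoft: the two designs Raiu contrasts written as small password verifiers (one hashes the full password, one silently hashes only the first 16 characters), plus a black-box probe you can run against an account you own to tell them apart. The user, password, and hashing parameters are constructed; the 16-character cap is the figure from the post.

```python
"""Detecting silent password truncation in a login system (added example)."""
import hashlib
import hmac
import os

SILENT_LIMIT = 16  # the undocumented cap discussed in the post


def derive_key(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; iteration count kept low for the demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


class FullLengthStore:
    """Hashes the whole password: what a login system should do."""

    def __init__(self):
        self._records = {}  # user -> (salt, derived key)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, derive_key(password, salt))

    def verify(self, user: str, password: str) -> bool:
        salt, stored = self._records[user]
        return hmac.compare_digest(stored, derive_key(password, salt))


class TruncatingStore(FullLengthStore):
    """Raiu's second option: only the first SILENT_LIMIT characters are
    hashed, so anything typed beyond the cap is ignored at both ends."""

    def register(self, user: str, password: str) -> None:
        super().register(user, password[:SILENT_LIMIT])

    def verify(self, user: str, password: str) -> bool:
        return super().verify(user, password[:SILENT_LIMIT])


def ignores_trailing_chars(store, user: str, password: str) -> bool:
    """Probe against your own account: if the real password with junk
    appended still verifies, the verifier is discarding the tail.  The
    registered password must be at least as long as the cap you suspect."""
    return store.verify(user, password + "#junk")


def effective_length(store, user: str, password: str) -> int:
    """Shortest prefix of the real password that still verifies: equal to
    len(password) for a sound verifier, the hidden cap otherwise."""
    for k in range(1, len(password) + 1):
        if store.verify(user, password[:k]):
            return k
    return len(password)  # only reached if the full password itself fails


if __name__ == "__main__":
    pw = "correct horse battery staple!"  # 29 characters, constructed
    for cls in (FullLengthStore, TruncatingStore):
        store = cls()
        store.register("alice", pw)
        print(cls.__name__,
              "ignores tail:", ignores_trailing_chars(store, "alice", pw),
              "effective length:", effective_length(store, "alice", pw))
```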


"Do Not Call List doesn't apply for home business lines: CRTC" (Brian Jackson)

Gene Wirchenko <genew@ocis.net>
Mon, 10 Sep 2012 10:01:24 -0700
Brian Jackson, *IT Business*, 7 Sep 2012
http://www.itbusiness.ca/it/client/en/Home/News.asp?id=68759
In a decision made today, the CRTC says that a home phone line associated
with a business can receive telemarketing calls even if it's on the DNCL and
the calls are for consumer services.


Fwd: Your Ballot is Now Available

"Wendy M. Grossman" <wendyg@pelicancrossing.net>
Sat, 22 Sep 2012 12:48:41 +0100
The most dangerous spam...

I got two different variants of this (appended below) about half an hour
apart last night, both mentioning NY state (which is the state I vote
from), and had to think for a minute before saying, no, spam. I don't
*think* it's a genuine effort to game the election by deterring voters
like the more traditional tactics of phone-calling and leaflets
(advertising, for example, that Democrats vote on Monday and Republicans
on Tuesday or vice-versa, or some other misinformation that leads a
whole class of voters to disqualify themselves). I think it's just
ordinary, but very clever and very dangerous, spam.

I sent a copy of the earlier message to Rebecca Mercuri as a curiosity,
and she took the trouble to dig through the pages at the link given; she
notes they ask for a *ton* of information - driver's license number,
SSN, etc. - but also that the quality of the spam breaks down with
errors such as mentioning Alabama on the NY State pages.

I am in fact an overseas voter from NY state. The giveaways are:

- overseas voters do not deal with the NY State Board of Elections but
with the Board of Elections in the last county they lived in.

- I have always been sent paper registration forms, primary ballots, and
election ballots. I've had no information that the BoE I deal with is
changing that.

- There is nothing on my county's BoE Web site to indicate that they are
shifting to electronic ballots for overseas voters.

- I don't recall ever having given my BoE my e-mail address. If I ever
do, it seems clear that it should be one that is unique, used for no
other purpose, and not published.

Nonetheless, this is a very cleverly timed spam that could easily lead
some people to panic. I'd like it publicized as widely as possible.

wg

- ------- Original Message --------
Subject: Electronic Ballot Access for Military/Overseas Voters
Date: Sat, 22 Sep 2012 02:23:27 +0100
From: NYsupport@secureballotusa.com
To: <my correct e-mail address>

Dear Voter,

An electronic ballot has been made available to you for the GE 11/6/12
(Federal) by your local County Board of Elections. Please access
www.secureballotusa.com/NY to download your ballot.

Due to recent upgrades, all voters will need to go through the "First
Time Access" process on the site in order to gain access to the
electronic ballot delivery system.

- - - - -

Important information for members of the Uniformed Services or Merchant
Marine on active duty, their spouses and/or dependents:

Please be aware that this is the first of two ballots you will be given
access to. This ballot will list only Federal contests (President/Vice
President, U.S. Senate and Congressional offices). The second ballot, to
be made available the first week in October, will list State contests
for Supreme Court Justice, State Senate, State Assembly and any local
contests (county/town/village). More detailed information on this has
been included inside the downloadable file containing your ballot.

- ------- Original Message --------
Subject: Your Ballot is Now Available
Date: 22 Sep 2012 00:07:11 -0400
From: NYS Board of Elections <Move@elections.ny.gov>
Reply-To: MOVE@elections.ny.gov
To: <my correct e-mail address>

Dear Voter,

An electronic ballot has been made available to you for the November 6,
2012 General Election. Please access https://www.secureballotusa.com/NY
to download your ballot.

Due to recent upgrades, all voters will need to go through the "First
Time Access" process on the site in order to gain access to the
electronic ballot delivery system.

If you have any questions or experience any problems, please e-mail
NYsupport@secureballotusa.com <mailto:NYsupport@secureballotusa.com> or
visit the NYS Board of Elections’ website at http://www.elections.ny.gov
for additional information.

Important information for members of the Uniformed Services or
Merchant Marine on active duty, their spouses and/or dependents:

Please be aware that this is the first of two ballots you will be given
access to. This ballot will list only Federal contests (President/Vice
President, U.S. Senate and Congressional offices). The second ballot, to
be made available the first week in October, will list State contests
for Supreme Court Justice, State Senate, State Assembly and any local
contests (county/town/village). More detailed information on this has
been included inside the downloadable file containing your ballot.


No Fundamental Right to a Secret Ballot

"Jonathan S. Shapiro" <shap@eros-os.org>
Sep 23, 2012 6:38 PM
   [Via Dave Farber's IP]

Excerpt from Examiner.com article
<http://www.examiner.com/article/federal-district-judge-rules-there-is-no-fundamental-right-to-a-secret-ballot>

On Friday, Federal Judge Christine Arguello dismissed a case by Citizen
Center, a voter protection and election transparency organization regarding
the privacy of ballots in Boulder, Chaffee and Eagle Counties...  The
ruling, which members of the organization have called *shocking*, argues
that there is no constitutional right to a secret ballot.

Online article here:
http://www.examiner.com/article/federal-district-judge-rules-there-is-no-fundamental-right-to-a-secret-ballot

It will be interesting to see what happens with this. The ruling is
surprising and deeply problematic, but I'm not aware of anything in the
constitution that guarantees voter privacy. I'm inclined to think that
Justice Arguello might be on firm constitutional ground here. As I read
Article 1, Section 4, the question of voter anonymity for Legislative Branch
elections appears to be a state-decided issue. For the Executive Branch
election process, the states have *complete* discretion in setting the rules
for choice of Electors, and I see nothing in Article 2, Section 1, or
Amendment 18 that precludes a state from requiring full transparency of
voting at the Elector level.

Oh what a fascinating digital age we live in.


"One poor security choice results in $250,000 Bitcoin heist"

Gene Wirchenko <genew@ocis.net>
Thu, 06 Sep 2012 14:27:32 -0700
Ted Samson, *InfoWorld*, 06 Sep 2012
http://www.infoworld.com/t/cyber-crime/one-poor-security-choice-results-in-250000-bitcoin-heist-201814

One poor security choice results in $250,000 Bitcoin heist
Bitfloor operator admits to leaving unencrypted wallet keys laying around,
leading to theft of 24,000 Bitcoins


SPAM with Calendar invites risks...

George Michaelson <ggm@apnic.net>
Thu, 20 Sep 2012 09:42:56 +1000
I'm being told that a (new?) class of SPAM with embedded Calendar invites is
triggering 'do you want to attend' interactions with Mail.app on OSX.

These popups have no exit which doesn't cause a reply to the embedded IP in
the invite.

i.e., the SPAM can force you into an interaction.

If true.. worrisome.


Authentication monoculture

Dag-Erling Smørgrav <des@des.no>
Tue, 18 Sep 2012 20:27:03 +0200
Most Norwegian financial institutions participate in a decentralized
authentication network called BankID.  Briefly summarized, you choose
one institution as your primary identity provider, and when you log in
on that or any other participating institution's web site, your identity
provider handles authentication and certifies to the relying party that
you are who you say you are.  It's a bit like OpenID, but not quite;
more like eduroam, for those familiar with it.

The interactive part of the authentication process is handled by a Java
applet.  One risk is immediately obvious: compromise Java and you've
compromised the entire system.  During the recent Java debacle, there was at
least one report of a user being asked for his credit card number instead of
(or in addition to?) his BankID credentials.

There is another, more insidious risk.  While BankID is opt-in for the
customer, once activated, it is enabled for *all* participating institutions
- and there is no way to opt out of opting in, so to speak.  What does this
mean?  It's quite simple: someone steals your passport and all your credit
cards.  You immediately report the theft, notify your bank and credit card
issuer, etc. and you're safe, right?  Not so - whoever has your passport and
looks a bit like you can, if they act quickly, open an account in your name
at a different bank, select that bank as their BankID provider, and
immediately gain access to all your accounts in all participating
institutions.

This particular hole has received some press coverage, so I suppose it will
be plugged quickly - but it probably won't be long until someone finds
another.

DES Dag-Erling Smørgrav - des@des.no


[funsec] Data breach at IEEE.org: 100k plaintext passwords

Jeffrey Walton <noloader@gmail.com>
Tue, 25 Sep 2012 12:45:06 -0400
  [Forwarded message from Jeffrey Walton <noloader@gmail.com>, via
  Rich Kulawiec in Dave Farber's IP, truncated for RISKS.  PGN]

I expected better from IEEE.
http://ieeelog.com

IEEE suffered a data breach which I discovered on Sep 18. For a few days I
was uncertain what to do with the information and the data.  Yesterday I let
them know, and they fixed (at least partially) the problem. The usernames
and passwords kept in plaintext were publicly available on their FTP server
for at least one month prior to my discovery. Among the almost 100,000
compromised users are Apple, Google, IBM, Oracle and Samsung employees, as
well as researchers from NASA, Stanford and many other places. I did not and
will not make the raw data available to anyone else. ...

Due to several undoubtedly grave mistakes, the ieee.org account username and
plaintext password of around 100,000 IEEE members were publicly available on
the IEEE FTP server for at least one month.  Furthermore, all the actions
these users performed on the ieee.org website were also
available. Separately, spectrum.ieee.org visitor activity is also publicly
available.

The simplest and most important mistake on the part of the IEEE web
administrators was that they failed to restrict access to their webserver
logs for both ieee.org and spectrum.ieee.org allowing these to be viewed by
anyone going to the address ftp://ftp.ieee.org/uploads/akamai/ (closed on
September 24 around 13:00 UTC, after I reported it). On these logs, as is
the norm, every web request was recorded (more than 376 million HTTP
requests in total). Web server logs should never be publicly available,
since they usually contain information that can be used to identify users
(sometimes even after the log was anonymized as in the "AOL incident"
[3]). However, this case is much worse, since 411,308 of the log entries
contain both usernames and passwords. Out of these, there seem to be 99,979
unique usernames.

If leaving an FTP directory containing 100GB of logs publicly open could be
a simple mistake in setting access permissions, keeping both usernames and
passwords in plaintext is much more troublesome. Keeping a salted
cryptographic hash of the password is considered best practice, since it
would mitigate exactly such an access permission mistake. Also, keeping
passwords in logs is inherently insecure, especially plaintext passwords,
since any employee with access to logs (for the purpose of analysis,
monitoring or intrusion detection) could pose a threat to the privacy of
users.
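Added example, not code from Jeffrey Walton's message or from IEEE: a scan of web-server access logs for credentials that were logged inside request URLs, a count of exposed entries and unique usernames in the spirit of the figures quoted above, and an in-place redaction of the values. The log lines are constructed in Apache combined format with fictional users, and the parameter names treated as credentials are an assumption about what an application might pass in a query string.

```python
"""Find and redact credentials that ended up in web-server access logs."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log: five requests, three of which carry a password in
# the URL (one user appears twice, so entries and unique users differ).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2012:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Sep/2012:10:01:30 +0000] "GET /login?username=alice&password=Hunter2! HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Sep/2012:10:02:05 +0000] "POST /search?q=ieee+spectrum HTTP/1.1" 200 2210 "-" "curl/7.21"
198.51.100.4 - - [18/Sep/2012:10:02:44 +0000] "GET /auth.cgi?user=bob&passwd=s3cret&next=%2Fhome HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Sep/2012:10:03:10 +0000] "GET /login?username=alice&password=Hunter2! HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Assumed parameter names; extend to whatever your application actually uses.
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "pass"}
USERNAME_KEYS = {"username", "user", "login", "email"}

# Request line inside a combined-format entry: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A credential value in a query string, up to the next '&', space or quote.
REDACT_RE = re.compile(r'(?i)([?&](?:password|passwd|pwd|pass)=)[^&\s"]*')


def query_params(line: str):
    """Decoded (key, value) pairs of the request target; [] if no request."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    return parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True)


def find_logged_credentials(log_text: str):
    """(line_no, username or None, credential key) for each exposing entry."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        params = query_params(line)
        pw_keys = [k for k, _ in params if k.lower() in CREDENTIAL_KEYS]
        if pw_keys:
            user = next((v for k, v in params if k.lower() in USERNAME_KEYS), None)
            hits.append((n, user, pw_keys[0]))
    return hits


def summarize(log_text: str) -> dict:
    """Counts of the kind the IEEE report quotes: entries and unique users."""
    hits = find_logged_credentials(log_text)
    users = {u for _, u, _ in hits if u is not None}
    return {"entries_with_credentials": len(hits), "unique_usernames": len(users)}


def redact_line(line: str) -> str:
    """Blank credential values in place; other fields keep their encoding.

    Redaction is triage for logs already written; the real fix is to stop
    the application accepting credentials in the URL at all.
    """
    return REDACT_RE.sub(r"\g<1>[REDACTED]", line)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for n, user, key in find_logged_credentials(SAMPLE_LOG):
        print(f"line {n}: user={user!r} via {key}=")
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```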


Risks of linking information from Facebook leads to bigamy charges

Thomas Dzubin <dzubint@vcn.bc.ca>
Fri, 14 Sep 2012 11:20:03 -0700 (PDT)
Facebook likes to suggest friends of friends to people with the "People You
May Know" feature.  Unfortunately, this can lead to some unintended
consequences.

http://www.theglobeandmail.com/technology/digital-culture/social-web/facebook-pics-of-secret-wife-lead-to-bigamy-charges/article4545321/

Thomas Dzubin, Saskatoon, Vancouver, or Calgary CANADA


Facebook wants you to snitch on your friends not using their real names

Lauren Weinstein <pfir@pfir.org>
Fri, 21 Sep 2012 17:10:45 -0700
http://j.mp/PvI0I7  (Paul Bernal's Blog)

  "A story about Facebook went around twitter last night that provoked quite
  a reaction in privacy advocates like me: Facebook, it seems, is
  experimenting with getting people to 'snitch' on any of their friends who
  don't use their real names." - Paul Bernal

Facebook appears to claim that such snitching "won't affect your friends'
accounts" (now? later?) ... perhaps suggesting it's "only" for data analysis
purposes.  Maybe so, but it's still seriously creepy, Zuck.


"Facebook reveals its evil plans" (Cringely)

Gene Wirchenko <genew@ocis.net>
Mon, 24 Sep 2012 17:29:13 -0700
http://www.infoworld.com/t/cringely/facebook-reveals-its-evil-plans-203126
InfoWorld Home / Notes from the Field
September 24, 2012
Facebook reveals its evil plans
Facebook has announced it will start logging users' searches and
track their real world purchases. And so it begins
By Robert X. Cringely | InfoWorld


A new nasty virus and an excellent tool to counter it and others

Paul Robinson <paul@paul-robinson.us>
Fri, 7 Sep 2012 00:14:11 -0700 (PDT)
I stumbled upon a really nasty virus on one of my computers running Windows
XP, this one bringing up notices that the hard drive is having read errors.
Which is strange, it's a 2 terabyte drive I bought maybe 18 months ago and
has a 5 year warranty (I bought it for about $90; I just lucked out because
hard drive prices doubled shortly after that.)

Anyway, I don't even recognize the program - supposedly an anti-virus
program - that's telling me about these errors.  And, of course, what's
running is a so-called "demo" version which tells you about errors but you
have to pay for the full version to get it to fix them.  Well, for curiosity
I tried the link for the "full version" and apparently either it's not there
any more or it can't be reached.  Anyway, I realized that this was another
one of those fake anti-virus programs that actually are a virus or trojan
horse, infecting your system or in some way making it look like you're
infected with something worse, and demanding payment to "fix" the
nonexistent problem.  In simple terms, electronic extortion.

But I think it hoisted itself on its own petard; it deleted or blocked the
networking software that my computer uses to connect to the Internet, so if
they're trying to collect money from people thinking it's a legitimate
anti-virus, it locked itself out of the Internet! (My desktop is connected
by USB wireless adapter so that I don't have to run wires all over the
place, so lose the driver for it and I lose the Internet.)

This extortion program is really nasty, because it's figured out how to hide
everything; the C drive literally appears as nothing is present and all
directories (which supposedly aren't there) are also empty.  Even the
desktop is almost blank except for a couple items.  While it might not be
that hard to hide files to Windows or Windows explorer, it's even figured
out how to make files disappear to the command interpreter CMD.EXE. Your C
drive becomes empty - a big red flag, because if the C drive is empty,
Windows wouldn't even start - and the program is a bit too smart for its own
good, in an attempt to hide everything, if you're in the directory assigned
to the desktop, and you go up one directory, the subdirectory you just left
isn't there any more.

Dragging something out of the recycling bin to the desktop causes *nothing*
to happen, which is a neat trick.  And it clears out the start menu except
for itself.  If you've never seen an absolutely blank start menu - even My
Computer is missing - you're in for a big surprise.

Another hint that it's basically pulling a stunt to hide directory listings
is that the usual programs that run in the background are showing their
icons in the bottom right corner of Systray, so it's rather interesting to
see that supposedly there are hard drive errors popping up, but the usual
stuff that runs in the background at startup is still there, even if you
can't see the startup folder in the Start Menu and those very same files are
not present in a directory listing.

And what's more interesting is that it is able to continue to replicate this
behavior even in Safe Mode.  The desktop is basically coming up blank except
for this program's shortcut and the recycle bin.  And the Start Menu is
still blank.

Well, I have found a very useful, free tool to fix really badly infected or
contaminated or corrupted systems, especially when the people who put the
so-called anti-virus or whatever software have killed the TCP/IP stack so
badly that you can't even connect to the Internet through an Ethernet cable
(I had two laptops my Sister asked me to take a look at because the Internet
stopped working.)

This program is called Combofix; it is recommended to only download it from
the people who release it at www.bleepingcomputer.com, and it is regularly
updated so if you have an old version it will warn you.  So I downloaded the
latest release on another computer, copied it to a jump drive, and proceeded
to use it.

Problem is, with the start menu blank it really makes it difficult to do
anything; even the RUN command is missing.  But, there is one save which I
didn't know about until I right-clicked on the recycling bin: Command
Prompt.  And sure enough, I get to a command prompt for the desktop, and a
DIR command says it's empty.  But I found one way around the emptiness of
the system from this program.  It doesn't block anything but the C drive; if
you plug a jump drive into it, you can see that drive and its contents.

I copy combofix over from the jump drive and it shows up, so I run it.  It
unpacks itself and goes to work; I respond to a couple of prompts as it
finds a few things that are missing, and I otherwise just let it go as it
has about 45 passes to fix things on the system.  I come back to it a while
later, and there's a file being shown from Notepad with a huge list of
things it's fixed and stuff it's removed.

Close that and I can see that all the icons that were there are now back on
the desktop.  Somehow the networking software for the wireless adapter got
lost, but I had the CD and reinstalled it. I am able to use that computer to
post this message.

So I recommend anyone who has to worry about the risk of a computer losing
its Internet connection or having been hit by a virus infection, get a copy
of Combofix and run it.  It's free, it's very good, and in some really bad
cases will do an excellent job of fixing things.


20% of new PCs in China come with malware pre-installed

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Mon, 24 Sep 2012 14:41:32 -0600
Wolfgang Gruener, 24 Sep 2012 (source: Microsoft)

"In China, there is not much you have to do to contract a virus on your
PC. Plus, you have a one in five chance that you will get that first virus
on your brand new PC right out of the box."

"Microsoft revealed this finding in a new whitepaper and attributes the high
rate of infections of PCs to a shaky supply chain structure that does not
prevent the presence of counterfeit products. To lower the cost of a new PC,
potentially compromised products are sometimes knowingly accepted. It does
not take much to see that this scenario is a goldmine for malware makers and
allows the malware business to flourish."

http://www.tomshardware.com/news/microsoft-pc-windows-security-china,17758.html

There's a link to a more detailed Microsoft blog post here:

Microsoft Disrupts the Emerging Nitol Botnet Being Spread through an
Unsecure Supply Chain
https://blogs.technet.com/b/microsoft_blog/archive/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain.aspx

"The discovery and successive action against the Nitol botnet stemmed from a
Microsoft study looking into unsecure supply chains. The study confirmed
that cybercriminals preload malware infected counterfeit software onto
computers that are offered for sale to innocent people.  In fact, twenty
percent of the PCs researchers bought from an unsecure supply chain were
infected with malware. Making matters worse, the malware was capable of
spreading like an infectious disease through devices like USB flash drives,
potentially causing the victim's family, friends and co-workers to become
infected with malware when simply sharing computer files."

It really *does* sound like a disease!

Jim Reisert AD1C, <jjreisert@alum.mit.edu>, http://www.ad1c.us


Hidden web code means hackers 'can wipe Samsung Galaxy S3'

Lauren Weinstein <lauren@vortex.com>
Tue, Sep 25, 2012 at 1:06 PM
Hidden web code means hackers 'can wipe Samsung Galaxy S3'

http://j.mp/QvVlCa  (Telegraph UK)

  "Malicious hackers can hide a code in a web page that will trigger a full
  factory reset of Samsung's best-selling Galaxy S3 smartphone, deleting
  contacts, photographs, music, apps and other valuable data, security
  researchers have discovered."

 - - -

As bad as this exploit is, you can of course restore much of this data
automatically from Google servers even after a factory reset.

Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
nnsquad mailing list http://lists.nnsquad.org/mailman/listinfo/nnsquad
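A practitioner's check for the class of page described above is a scanner that flags web content able to hand a dial string to the phone without a click. The script below is an added example, not code from the Telegraph article, from Samsung or from the researchers; it assumes, following the researchers' public disclosure rather than anything in the article quoted above, that the trigger is a tel: URI carrying a USSD/MMI code (a string such as *#...#) that the dialer executes on load. The HTML is constructed, and the dial strings in it are placeholders, not real vendor codes.

```python
"""Flag HTML that could auto-dial a USSD/MMI code on a phone.

Added example, not from the article, Samsung or the researchers.  Assumed
mechanism (from the public disclosure, not the quoted article): a tel: URI
whose number is an MMI/USSD string, delivered through an element the browser
acts on without user interaction.  Sample HTML is constructed; the dial
strings are placeholders, not real vendor codes."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# MMI/USSD dial string: starts with '*' or '#', digits/'*'/'#' in between, ends in '#'.
USSD = re.compile(r'^[*#][0-9*#]*#$')


def is_ussd_tel(uri):
    """True if uri is a tel: URI (percent-encoded or not) whose number is a USSD/MMI code."""
    uri = unquote(uri.strip())
    if not uri.lower().startswith("tel:"):
        return False
    return bool(USSD.match(uri[4:].strip()))


class TelScanner(HTMLParser):
    """Collect tel: URIs and classify whether they fire without a click ('auto') or on click."""
    AUTO = (("iframe", "src"), ("frame", "src"), ("embed", "src"), ("object", "data"))

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            # content="0;url=tel:..." navigates to the target with no user action
            m = re.search(r'url\s*=\s*(\S+)', attrs.get("content") or "", re.I)
            if m and is_ussd_tel(m.group(1)):
                self.findings.append(("auto", "meta-refresh", m.group(1)))
        for t, a in self.AUTO:
            if tag == t and attrs.get(a) and is_ussd_tel(attrs[a]):
                self.findings.append(("auto", f"{t}[{a}]", attrs[a]))
        if tag == "a" and is_ussd_tel(attrs.get("href") or ""):
            self.findings.append(("click", "a[href]", attrs["href"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here; a string literal assigned to location counts as automatic.
        if self._in_script:
            for uri in re.findall(r'''["'](tel:[^"']+)["']''', data):
                if is_ussd_tel(uri):
                    self.findings.append(("auto", "script", uri))


def scan(html):
    """Return [(severity, where, uri), ...] in document order."""
    p = TelScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed page: three automatic triggers, one ordinary phone link, one clickable code.
SAMPLE_PAGE = """<html><body>
<h1>Free ringtones</h1>
<iframe src="tel:*%232468%23" width="0" height="0"></iframe>
<meta http-equiv="refresh" content="0;url=tel:%2A%232468%23">
<script>window.location = "tel:*#2468#";</script>
<a href="tel:+15555550100">Call us</a>
<a href="tel:*#2468#">Show info</a>
</body></html>"""

if __name__ == "__main__":
    for severity, where, uri in scan(SAMPLE_PAGE):
        print(f"{severity:5s} {where:14s} {uri}")
```

The "auto" findings are the ones that matter: a visible tel: link still needs a tap, whereas a zero-size iframe, a meta refresh or a script assignment runs as soon as the page renders. Percent-encoding is undone before matching so that an encoded `%23` does not hide the trailing `#`.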


"Leaked Apple IDs ..."

Gene Wirchenko <genew@ocis.net>
Thu, 06 Sep 2012 14:18:46 -0700
http://www.infoworld.com/t/data-security/leaked-apple-ids-expose-holes-in-corporate-information-security-201608
InfoWorld Home / InfoWorld Tech Watch
September 04, 2012
Leaked Apple IDs expose holes in corporate information security
Most organizations suffering data breaches don't enforce security
policies, study finds
By Ted Samson | InfoWorld

http://www.infoworld.com/d/security/fbi-denies-it-was-source-of-leaked-apple-device-id-data-201644
InfoWorld Home / Security / News
September 05, 2012
FBI denies it was source of leaked Apple device ID data
Hacking group AntiSec claimed earlier it had accessed 12 million
UDIDs from an FBI agent's computer
By Jaikumar Vijayan | Computerworld

  [Subsequently, "Blue Toad admits it was source of leaked Apple UDIDs".  PGN]
http://www.infoworld.com/t/data-security/blue-toad-admits-it-was-source-of-12-million-leaked-apple-udids-202037


Re: When GPS Confuses, You May Be to Blame (Stross, Kruk)

Henry Baker <hbaker1@pipeline.com>
Thu, 06 Sep 2012 20:47:40 -0700
When I explained how the Google self-driving car could drive itself, my wife
said such a capability would help in taking drunk drivers off the road.

But it then occurred to both of us that a drunk "driver" is just as
likely to tell a Googlized car to take him/her to the wrong place --
perhaps even 3,000 miles from his/her intended destination.

"I'm sorry, Dave—I don't have enough gas to take you to Home" (in
Pennsylvania, 60 miles NE of Pittsburgh).

http://www.itsallgood.itgo.com/photo4.html

(As you can see from this web site, my example could have been a _lot_
worse!  ;-)
