The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 40

Wednesday 31 July 2013

Contents

Surviving the blame game
Michelle Singletary via PGN
Smart Houses that are not so smart
Barry Gold
The risks of measuring progress by more of the same
Bob Frankston
Stanford University passwords compromised—again
PGN
Download manager takes Web site down
Geoff Kuenning
"Microsoft and FBI take down malware, housed on 1.9 million computers"
Lucian Constantin via Gene Wirchenko
"Cloud adoption suffers in the wake of NSA snooping"
David Linthicum via Gene Wirchenko
A Blow for the Press, and for Democracy
Margaret Sullivan via Monty Solomon
4 Russians, 1 Ukrainian charged in massive hacking
Samantha Henry via Monty Solomon
Re: Is Your Cable Box Spying On You?
F. Barry Mulligan
Re: License-plate readers let police collect millions of driver records
Geoff Kuenning
Re: And now, from the country that brought you INCIS and Novopay...
Nick Brown
Info on RISKS (comp.risks)

Surviving the blame game (Michelle Singletary)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 31 Jul 2013 10:07:45 PDT
Michelle Singletary, *The Washington Post*, 30 Jul 2013
The health of our economy relies on people finding and keeping jobs.  If
there are electronic-record systems that are preventing qualified people
from getting hired or staying employed, they [the systems, not the people
notes PGN] need to be fixed.  That's why it's important to take note of a
report from the National Employment Law Project, which estimates that 1.8
million workers every year are subjected to FBI background checks that
contain incorrect or incomplete information.  [...]
http://www.washingtonpost.com/business/surviving-the-data-blame-game/2013/07/30/3ad80f48-f890-11e2-8e84-c56731a202fb_story.html?tid=pp_stream


Smart Houses that are not so smart

Barry Gold <BarryDGold@ca.rr.com>
Tue, 30 Jul 2013 22:52:38 -0700
A pair of security researchers found that so-called smart houses have
serious security vulnerabilities.

A discontinued home automation system from Insteon is connected to the
Internet with a web server—and did not even provide a robots.txt file to
tell search engines to stay away.

The result is that all the house controls are visible if you know the right
keywords to search for.  The researcher was able (after contacting the
homeowner and getting permission) to turn the lights on and off, control TV
sets, garage doors, cameras, etc.  All the things that the owner can control
remotely with a smartphone app.  The system is shipped from the manufacturer
with a default setting of no username or password.

Other manufacturers have similar problems. The Satis Smart Toilet can be
controlled by anybody with an Android, the right app, and close enough to
communicate with the toilet.

More details at
http://onforb.es/159JEcM
http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/?google_editors_picks=true


The risks of measuring progress by more of the same

"Bob Frankston" <Bob19-0501@bobf.frankston.com>
Mon, 29 Jul 2013 16:53:13 -0400
I'm often frustrated in trying to explain that the Internet isn't just the
web or a series of tubes. The problem is that those views work well for
those who look at the surface and want more of what they see. It's hard to
explain that the web and benefits come from the days of an Internet without
borders in which we were free to experiment. Today we're back to the time
when you had a network suitable for phone calls or other enumerated
applications.

This is not a new issue but I recently posted http://rmf.vc/CILight which
might help people understand the issue by using a very simple example - the
ability to maintain a relationship between two end points. If we can't do
that then how can we innovate ahead of what is offered by the incumbent
providers? For that matter, why do we use words like "provide" and "access"
when we talk about the Internet, which came from our innovation at the edge
despite the service providers?

Maybe this is about the risks of language and using words like communicate,
information, and broadband, which allow us to talk without really communicating.

http://frankston.com


Stanford University passwords compromised—again

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 30 Jul 2013 15:04:55 PDT
Various sources have reported that Stanford University has alerted its
network users that their accounts may have been compromised (for the second
time in about a month), and recommended that passwords should be changed as
a precautionary measure while the Stanford IT folks are trying to assess the
scope of the breach.  Five days later, I've heard nothing further.  Perhaps
a RISKS reader at Stanford can contribute an update.


Download manager takes Web site down

Geoff Kuenning <geoff@cs.hmc.edu>
Mon, 29 Jul 2013 23:35:34 -0700
I run a small Web site (http://iotta.snia.org) that distributes large
scientific files to researchers.  For unjustifiable reasons, it has an
absurdly slow link (10 Mbits) to the outside world.  Yes, I'd like to fix
that.

Recently we observed an enormous spike in download attempts--all of which
failed.  After investigating and contacting the responsible parties
(fortunately, we ask our users to provide an e-mail address and most tell
the truth) we learned that they were using "Internet Download Manager", a
Windows application that purports to speed up and simplify downloads.  In
this case, IDM was opening dozens of simultaneous connections, each of which
attempted to acquire a different file.  The resulting logjam caused ALL of
the downloads to time out, at which point the package would try again.
Telling the users to disable IDM and be patient cured the problem.  (In the
longer term, we'll be activating per-IP connection limits, which are an
imperfect but helpful solution.)

RISK: The TCP/IP specification is extensive and explicit, but doesn't
address simultaneous connections from the same client.  As far as I can
figure out, the HTTP specification doesn't offer a way for servers to
suggest a maximum (let alone a way to enforce one).  And overeager
developers are welcome to ignore conventions and common courtesy in an
attempt to gain personal benefit.

Geoff Kuenning   geoff@cs.hmc.edu   http://www.cs.hmc.edu/~geoff/
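As an added illustration (not Geoff Kuenning's code or anything from the iotta.snia.org site), the model below reproduces the logjam the post describes and the per-IP connection limit it proposes as a mitigation; the file size, client timeout, connection cap and client address are assumed values.

```python
from dataclasses import dataclass, field
from typing import Optional

LINK_BPS = 10_000_000       # the 10 Mbit/s uplink mentioned in the post
TIMEOUT_S = 120.0           # assumed client-side timeout per connection
FILE_BYTES = 25_000_000     # assumed size of one "large scientific file"
CLIENT_IP = "203.0.113.7"   # constructed client address (TEST-NET-3)


@dataclass
class PerIpConnectionLimiter:
    """Admit or refuse a new connection based on how many the same client
    address already holds open (the per-IP limit the post mentions)."""
    max_per_ip: int
    open_conns: dict = field(default_factory=dict)

    def try_open(self, ip: str) -> bool:
        n = self.open_conns.get(ip, 0)
        if n >= self.max_per_ip:
            return False        # server would answer 503 plus Retry-After
        self.open_conns[ip] = n + 1
        return True

    def close(self, ip: str) -> None:
        self.open_conns[ip] -= 1


def simulate_downloads(requested: int, max_per_ip: Optional[int]) -> dict:
    """Model one client opening `requested` downloads at once, each for a
    different file. Admitted connections share the uplink equally; a
    transfer whose time at that share exceeds TIMEOUT_S fails, which is
    the all-downloads-time-out logjam the post describes. With
    max_per_ip=None there is no cap (the original situation)."""
    limiter = PerIpConnectionLimiter(max_per_ip or requested)
    admitted = sum(1 for _ in range(requested) if limiter.try_open(CLIENT_IP))
    refused = requested - admitted
    per_conn_bps = LINK_BPS / admitted if admitted else 0.0
    transfer_s = FILE_BYTES * 8 / per_conn_bps if admitted else 0.0
    completed = admitted if transfer_s <= TIMEOUT_S else 0
    return {"admitted": admitted, "refused": refused,
            "seconds_per_file": round(transfer_s, 1),
            "completed": completed, "timed_out": admitted - completed}


if __name__ == "__main__":
    print("uncapped:", simulate_downloads(40, None))   # everything times out
    print("capped 4:", simulate_downloads(40, 4))      # 4 finish, 36 refused
```

The refused connections are told to retry later rather than silently starving the admitted ones, which is why the post calls the limit imperfect but helpful.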


"Microsoft and FBI take down malware, housed on 1.9 million computers" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Tue, 30 Jul 2013 14:47:50 -0700
Lucian Constantin, *ITBusiness*, 26 Jul 2013
http://www.itbusiness.ca/article/microsoft-almost-90-percent-of-citadel-botnets-in-the-world-disrupted-in-june

selected text:

But one security researcher says he believes Microsoft had already been
controlling about 1,000 of the 4,000 Citadel-related domain names, since its
researchers were using them to track the botnets. He also adds Microsoft
modified settings on people's computers without getting their permission, as
it sent configuration files to infected computers connecting to the sinkhole
servers.

   [Said researcher posted https://www.abuse.ch/?pS62 about this.]


"Cloud adoption suffers in the wake of NSA snooping" (David Linthicum)

Gene Wirchenko <genew@telus.net>
Tue, 30 Jul 2013 14:55:47 -0700
David Linthicum, InfoWorld, 30 Jul 2013
Due to PRISM, non-U.S. firms are avoiding Stateside cloud providers,
but government access to cloud data can't be stopped
http://www.infoworld.com/d/cloud-computing/cloud-adoption-suffers-in-the-wake-of-nsa-snooping-223606

opening text:

According to a survey by the Cloud Security Alliance, 10 percent of the
CSA's non-U.S. members have canceled a contract with a U.S.-based cloud
provider due to fears of U.S. government abuse of their citizens' data, a
fear stoked by revelations of extensive spying on electronic communications
by the U.S. National Security Agency through its PRISM program. Moreover, 56
percent said they were now less likely to use an American company.


A Blow for the Press, and for Democracy (Margaret Sullivan)

Monty Solomon <monty@roscom.com>
Tue, 30 Jul 2013 23:51:52 -0400
Margaret Sullivan, *The New York Times*, 28 Jul 2013

Sometimes James Risen feels like Jean Valjean, the beleaguered protagonist
of "Les Miserables," hounded for years by the authorities.  "They just keep
coming at me," Mr. Risen, a Times reporter in Washington, told me by phone
last week. It has been 10 years since he learned of a secret C.I.A. program
to interfere with Iran's quest for nuclear weapons, and six since he got an
ominous FedEx package containing a government subpoena. Since then, it has
been one legal hurdle after another, trying to stay out of court.

Just over a week ago, another blow came: A federal appeals court panel
ruled, 2 to 1, against his effort to avoid testifying in the government's
case against Jeffrey Sterling, a former C.I.A. official charged with leaking
secret information about the matter.

Mr. Risen's lawyers, backed by a flotilla of press organizations and
journalists, argue that his testimony isn't necessary and that First
Amendment protections, combined with legal precedent, should keep him out of
court.

Unwilling to testify, Mr. Risen may end up in jail. Meanwhile, the
distractions and the continued scrutiny of government investigators - sure
to make sources skittish - have hurt his ability to do his job.  That's a
shame given the importance of his work: it was Mr. Risen and his Times
colleague Eric Lichtblau who disclosed the Bush administration's
eavesdropping on American citizens without warrants, and the recent
revelations of National Security Agency surveillance have built on that
foundation.

The chilling ruling by the United States Court of Appeals for the Fourth
Circuit said that even though a journalist has promised confidentiality to a
source, "there is no First Amendment testimonial privilege, absolute or
qualified, that protects a reporter from being compelled to testify by the
prosecution or the defense in criminal proceedings about criminal conduct
that the reporter personally witnessed or participated in." National
security necessitates that those who illegally leak classified information
be brought to justice, the court said. It added that it saw no clear legal
justification for treating a reporter differently than any other citizen,
and that "other than Sterling himself, Risen is the only witness who can
identify Sterling as a source (or not) of the illegal leak." ...

http://www.nytimes.com/2013/07/28/public-editor/a-blow-for-the-press-and-for-democracy.html


4 Russians, 1 Ukrainian charged in massive hacking (Samantha Henry)

Monty Solomon <monty@roscom.com>
Fri, 26 Jul 2013 01:00:13 -0400
  [More on the item in RISKS-27.39]

Samantha Henry, Associated Press, 25 Jul 2013

NEWARK, N.J. (AP) - Four Russian nationals and a Ukrainian have been charged
with running a sophisticated hacking organization that penetrated computer
networks of more than a dozen major American and international corporations
over seven years, stealing and selling at least 160 million credit and debit
card numbers, resulting in losses of hundreds of millions of dollars.

Indictments were announced Thursday in Newark, where U.S. Attorney Paul
Fishman called the case the largest hacking and data breach scheme ever
prosecuted in the United States.

Princeton-based Heartland Payment Systems Inc., which processes credit and
debit cards for small to mid-sized businesses, was identified as taking the
biggest hit in a scheme starting in 2007 - the theft of more than 130
million card numbers at a loss of about $200 million.

Atlanta-based Global Payment Systems, another major payment processing
company, had nearly 1 million card numbers stolen, with losses of nearly $93
million, prosecutors said.

The indictment did not put a loss figure on the thefts at some other major
corporations, including Commidea Ltd., a European provider of electronic
payment processing for retailers. The government said hackers in 2008
covertly removed about 30 million card numbers from its computer network.

About 800,000 card numbers were stolen in an attack on the Visa network, but
the indictment did not cite any loss figure. ...

http://www.boston.com/business/news/2013/07/25/russians-ukrainian-charged-massive-hacking/zj9q9jvyKAKT6FTgD7YdLI/singlepage.html


Re: Is Your Cable Box Spying On You? (RISKS-27.39)

"F. Barry Mulligan" <mulligan@acm.org>
Tue, 30 Jul 2013 10:10:37 -0400
For the first time in many years, I suddenly feel ahead of the technology.

I have two cable boxes, one to feed the actual television and a secondary
box to feed the (antiquated) VCR. Since they are located close to each
other, I fabricated a sliding cover to obscure the sensor on the secondary
box.

Should these intrusive cable boxes become real products, I foresee a niche
market for similar covers that would obscure the spy sensors while still
allowing desired remote functions.


Re: License-plate readers let police collect millions of driver records (Alexander, RISKS-27.39)

Geoff Kuenning <geoff@cs.hmc.edu>
Mon, 29 Jul 2013 23:49:54 -0700
> If a car is scanned that shows a potential offence, an alert sounds and
> displays the reason why the car is suspected to be illegal.

Wow.  So failure to pay a tax is now grounds for immediate arrest.  Gotta
catch those tax evaders right away!  It'd be unforgivably dangerous to let
them drive another ten miles and catch them the old-fashioned way.  (Note
that by definition, the government knows who they are, so most of them
aren't going to be dodging the tax man for very long.)

If you're "disqualified for some other offence" then anybody who happens to
borrow your car is at risk of false arrest, at best wasting both their time
and that of the police.  That's not what I'd call good design.

And in the future, what a great tool this will be for apprehending the
dastardly mastermind who dared to post a video of a burning poppy.

Or, if you're not afraid of government overreaching, there's always the fact
that The Sun might bribe somebody to search the records to prove that a
particular politician was cheating on his wife.

I'll take my privacy, thanks.  I can stand to live in a world with a few
tax evaders and even the occasional faulty brakes.

Geoff Kuenning   geoff@cs.hmc.edu   http://www.cs.hmc.edu/~geoff/


Re: And now, from the country that brought you INCIS and Novopay... (O'Keefe, RISKS-27.39)

<nick.brown@free.fr>
Tue, 30 Jul 2013 00:06:02 +0200 (CEST)
>>The changes duly took place this year, in anticipation of the benefits of
>>the new system...  I wonder if any of the decision-makers had heard of
>>"counting your chickens before they're hatched"?

This situation reminded me that this is the 20th anniversary of the
publication of my favourite book about computing of all time, namely
"Digital Woes: Why We Should Not Depend on Software" by Lauren Ruth
Wiener. Inspired partly by stories from RISKS as well as by the author's
personal experiences as a writer of software documentation and observer of
the development process, this book is still as relevant today as it was in
1993, despite containing not one reference to the World-Wide Web, or indeed,
as far as I can recall, any other part of the Internet. Everyone who is even
remotely connected to any software development process should read this
book.

Wiener gave examples of projects similar to this one, where exaggerated
savings on personnel and other overheads from the new computer system were
used to pay for the system, thus creating a double bind for executives when
the system failed to materialise, leaving them with no staff and no money to
re-hire them. It seems that we have learned very little in the intervening
20 years.
