The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 42

Sunday 18 August 2013

Contents

Lamp-post lamp-oon
Gary Hinson
Online search for pressure cooker leads to police visit
Peter Houppermans
Four people can cut off a whole city from the railways: Getting sick
Lothar Kimmeringer
ReKords of the Keystone Kops
Richard A. O'Keefe
You can't make up the solution
Jeremy Epstein
Boston Public Schools lose flash drive with data on 21,000 students
Jonathan Kamens
Don't charge to see the last few lines of an obituary
jidanni
Researchers reveal how to hack an iPhone in 60 seconds
Violet Blue via Monty Solomon
Android one-click Google authentication method puts users, businesses at risk
Lucian Constantin via Monty Solomon
Wolf in sheep's clothing at Black Hat: Getting pwn'd by innocent looking devices
Darlene Storm via Monty Solomon
The devil is in the subscription-licensing details"
Robert L. Mitchell via Gene Wirchenko
"More Android malware distributed through mobile ad networks"
Lucian Constantin
"Outsourced software project with 6,000 pages of specs ends badly"
Patrick Thibodeau via Gene Wirchenko
"What's worse than a system failure? What you say about it"
Matt Prigge via Gene Wirchenko
"Dangerous Linux Trojan could be sign of things to come"
Jon Gold via Gene Wirchenko
"Anonymous is not anonymous"
Roger A. Grimes via Gene Wirchenko
"AARP website hacked"
Woody Leonhard via Gene Wirchenko
Video: Watch what happens when a Prius gets hacked"
Pete Babb via Gene Wirchenko
Re: Xerox scanners/photocopiers randomly alter numbers
T Byfield
Re: The Public/Private Surveillance Partnership
Kelly Bert Manning
Re: DC, Maryland: Speed Camera Firms Move To Hide Evidence
Danny Burstein
Re: Download manager takes Web site down
Chris Adams
Re: How a Misplaced Reef on a Digital Chart Destroyed a Minesweeper
Jeffrey Alexander
Info on RISKS (comp.risks)

Lamp-post lamp-oon

"Gary Hinson" <Gary@isect.com>
Thu, 1 Aug 2013 09:41:12 +1200
"An electricity company is apologising after it sent a letter to a lamp-post
and threatened to cut its power off.  Meridian Energy apparently believed
someone was living in the pole."

<http://www.stuff.co.nz/oddstuff/8988229/Meridian-finally-sees-the-light>

Asked who might be occupying the light, Clive Saleman (the neighbour who
received the letter) said "Well he'd have to be very tall and skinny.  I
suspect he sleeps all day because the light's on all night.  So maybe he's a
night owl.  I have a suspicion he could be a being of pure energy actually,
and not actually human, but I'm just not sure.  But, whatever, he's not
paying his power bill."

Risk: being lampooned for a data integrity failure.

Dr Gary Hinson, IsecT CEO  isect.com  http://www.iso27001security.com/
NoticeBored.com  SecurityMetametrics.com  ISO27001security.com


Online search for pressure cooker leads to police visit

Peter Houppermans <ph@privacyclub.ch>
Thu, 01 Aug 2013 19:52:22 +0200
Honestly, this raises such a massive amount of questions, I don't quite
know where to begin..

  A New York woman says her family's interest in the purchase of pressure
  cookers and backpacks led to a home visit by six police investigators
  demanding information about her job, her husband's ancestry and the
  preparation of quinoa.

  Michele Catalano, who lives in Long Island, New York, said her web
  searches for pressure cookers, her husband's hunt for backpacks, and her
  `news junkie' son's craving for information on the Boston bombings had
  combined somewhere in the Internet ether to create a `perfect storm of
  terrorism profiling'.

Anyone any recipes?

Peter Houppermans  /Others take your privacy - we give it back to you/


Four people can cut off a whole city from the railways: Getting sick

Lothar Kimmeringer <lothar@kimmeringer.de>
Not terrorists but a group of four people that work at the railway control
center being responsible for the railway network in and around Mainz were
the reason why trains weren't able to get to Mainz anymore.

It's vacation time and four of the remaining people had to call in sick
today leaving DB Die Bahn with not enough people who are capable of
operating the system.  This situation will last for a couple of days at
least and might take up until the end of August.

Next week school season will start again, so the biggest chaos is still to
come if not enough qualified people are back on duty.

Risk here: Having a mission critical system with a single
point of failure: People that can become sick at the same
time, which can happen quite easily if all of them are working
in the same room.


ReKords of the Keystone Kops

"Richard A. O'Keefe" <ok@cs.otago.ac.nz>
Fri, 9 Aug 2013 19:51:48 +1200
I mentioned recently that New Zealand is trying to modernise its justice
system.  Part of that is introducing a system of Audio-Visual links between
prisons and courts in order to improve safety and reduce costs by having
prisoners stay in prison and make their appearance in court electronically.
The new system is already being rolled out.

Of course, in order to know how much the new system is saving, you need
to know how much the old system was costing.

They don't.

From the *Otago Daily Times* front page, 29 Jul 2013, the Police and
prison system

 * do not know how much they spent transporting prisoners between
   the new jail and courts since the new jail opened in 2007;
 * do not know how much it cost last year;
 * do not know what the annual budget for transport is/was.

The newspaper was told that

 "the [prison] department cannot readily extract ... the costs or budgets
  relating to the transportation of prisoners ... from our electronic
  records ... of wider offender transportation costs.  ... we would be
  required to manually review a large number of files"

They don't know what it costs now, but they are quite certain there will be
50% to 70% savings (however much that is...)

The computer-related part of this is that in an age of manual records,
regional information would be kept locally, and only summaries
aggregated nationally.  Now, the details can be kept nationally,
making regional summaries extremely difficult to extract.

Of course, it's always possible that their data base _does_ support
ad hoc queries, and they are just lying (:-).


You can't make up the solution

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Fri, 9 Aug 2013 21:59:44 -0400
In an earlier, simpler day, notes between a publisher and reviewers and the
public took a while, and there was plenty of time for proofreading.

Not so today, with the increasing speed of publishing, which the publishers
of Organometallics discovered the hard way.  A note suggesting that data
could be fabricated to fill in a gap appeared in an online version of an
article.

The RISK is simply that there are more mistakes possible as we speed up the
publication process - both the mistakes from pressure to publish quickly,
and the mistakes of not checking what you're releasing before you do the
release.  (NSA learned this lesson some years ago in Word documents, and
more recently with redaction of PDF documents - although this case is at a
higher level of the "stack", its' a variation of the problem that with all
electronic documents, it's sometimes hard to see what's being released.)

http://sciencecareers.sciencemag.org/career_magazine/previous_issues/articles/2013_08_08/caredit.a1300167


Boston Public Schools lose flash drive with data on 21,000 students

Jonathan Kamens <jik@kamens.us>
Tue, 13 Aug 2013 11:15:32 -0400
A flash drive containing Boston Public Schools ID badge PDFs was lost en
route to the printing vendor. The PDFs contain student name, age, grade,
school, ID number, library card number, CharlieCard number, and (in some)
photo. The drive was apparently not encrypted. BPS thinks the drive was
lost, not stolen, but can't be sure. BPS is redesigning the cards and
changing the ID numbers that can be changed to minimize the likelihood of
harm from the breach.

The drive was lost on Aug 9, and BPS families were notified just three
days later, on Aug 12. The notification was clear and detailed.  As far
as I can tell, BPS's handling of the breach has been perfect.

Having said that, the big remaining question is why the flash drive wasn't
encrypted. I've emailed Superintendent John McDonough and asked him that
question, as well as encouraging him to ensure that flash drives en route to
vendors are encrypted as a matter of policy in the future.

Although the flash drive had no confidential information on it, as the
parent of a BPS parent whose data was lost, I am still concerned, because
the information on the drive can be used in social engineering attacks, not
to mention that names, ages, schools, grades, and photos is just the kind of
information a pedophile would need to pick out attractive targets.

Details:

http://www.boston.com/yourtown/news/allston_brighton/2013/08/boston_public_schools_vendor_loses_flash_drive_with_data_on.html


Don't charge to see the last few lines of an obituary

<jidanni@jidanni.org>
Fri, 16 Aug 2013 12:06:19 +0800
[Sent to American Chemical Society:]

Your Society should really consider the public relations value of not
charging users to see the last few lines of an obituary.

I'm sure your members would have never dreamed when they were alive that
half of it would be in Google and could be shared publicly. But when
80 years later someone wanted to see those last few lines, out comes the
collection plate.

And if I link to http://pubs.acs.org/doi/abs/10.1021/cen-v010n006.p073b
from my http://jidanni.org/me/ancestors.html all I would be doing is
creating more dismayed relatives.

So thanks for sending it to me so I now finally see what it says, but I
still cannot legally share it in its full form.


Researchers reveal how to hack an iPhone in 60 seconds (Violet Blue)

Monty Solomon <monty@roscom.com>
Mon, 5 Aug 2013 01:42:46 -0400
Violet Blue for Zero Day, 31 Jul 2013

Summary: Three Georgia Tech hackers have disclosed how to hack iPhones and
iPads with malware in under sixty seconds using a "malicious charger."
UPDATED.

Three Georgia Tech hackers have revealed how to hack iPhones and iPads with
malware imitating ordinary apps in under sixty seconds using a "malicious
charger."

Today at a Black Hat USA 2013 press conference, the researchers revealed for
the first time exactly how the USB charger they built can compromise iOS
devices in less than a minute.

Billy Lau, Yeongjin Jang and Chengyu Song showed how they made an ordinary
looking charger into a malicious vector for transmitting malware using an
open source BeagleBoard, available for $125 (similar to a Raspberry Pi).

For the demonstration, the researchers used an iPhone. They plugged in the
phone, and when the passcode was entered, the sign-code attack began.

For the demo, the Facebook app was used as an example.

Within seconds of plugging in the charger, the Facebook app was invisibly
removed from the device and seamlessly replaced with a Facebook app
imitation with a malicious payload.

The app's icon was in the exact same spot as it was before the attack -
there is no way of knowing the application is not malware. ...

http://www.zdnet.com/researchers-reveal-how-to-hack-an-iphone-in-60-seconds-7000018822/


Android one-click Google authentication method puts users, businesses at risk (Lucian Constantin)

Monty Solomon <monty@roscom.com>
Mon, 5 Aug 2013 01:39:04 -0400
Lucian Constantin, PCWorld, 4 Aug 2013

A feature that allows Android users to authenticate themselves on Google
websites without having to enter their account password can be abused by
rogue apps to give attackers access to Google accounts, a security
researcher showed Saturday at the Defcon security conference in Las Vegas.

The feature is called "weblogin" and works by generating a unique token that
can be used to directly authenticate users on Google websites using the
accounts they have already configured on their devices.

Weblogin provides a better user experience but can potentially compromise
the privacy and security of personal Google accounts, as well as Google Apps
accounts used by businesses, Craig Young, a researcher at security firm
Tripwire, said during his talk.

Young created a proof-of-concept rogue app that can steal weblogin tokens
and send them back to an attacker who can then use them in a Web browser to
impersonate a victim on Google Apps, Gmail, Drive, Calendar, Voice and other
Google services.

The app was designed to masquerade as a stock viewing app for Google Finance
and was published on Google Play, with a description that clearly indicated
it was malicious and shouldn't be installed by users. ...

http://www.pcworld.com/article/2045903/android-oneclick-google-authentication-method-puts-users-businesses-at-risk.html


Wolf in sheep's clothing at Black Hat: Getting pwn'd by innocent looking devices (Darlene Storm)

Monty Solomon <monty@roscom.com>
Mon, 5 Aug 2013 01:49:33 -0400
Darlene Storm, 1 Aug 2013

A trio of researchers presented "Mactans: Injecting Malware into iOS Devices
via Malicious Chargers" at Black Hat, demonstrating how an "iOS device can
be compromised within one minute" after plugging into a maliciously crafted
charger. Until Apple patches the vulnerability that allows the exploit, all
iPhone or iPad users are vulnerable as the device does not need to be
jailbroken for the attack to work. It takes advantage of an iOS flaw that
allows pairing without any notification to the user.

Their proof-of-concept charger, dubbed Mactans, was built using a $45
BeagleBoard. As soon as an iOS device is plugged in, the fake charger
instantly captures the Unique Device Identifier (UDID). Then it connects to
Apple's developer support website and submits that UDID for a "provisioning
profile." The charger installs code and the attacker now has full control of
the device. GTISC associate director Paul Royal said, "Getting the UDID is
trivial, and getting a provisioning profile is easy and automated."

In one demonstration of what an attacker could do remotely, the researchers
plugged an iPhone 5 into the charger, hid the iPhone Facebook app and
installed a malicious copy over it that launched before the legitimate
"hidden" copy. The Mactans' malicious payload could be about anything, from
allowing "a remote attacker to make an unauthorized phone call from the iOS
device" to taking "a screenshot whenever the user enters a password or other
sensitive information."  Basically it turns an iOS device into a spy tool.
...

http://blogs.computerworld.com/cybercrime-and-hacking/22579/wolf-sheeps-clothing-black-hat-getting-pwnd-innocent-looking-devices


"The devil is in the subscription-licensing details" (Robert L. Mitchell)

Gene Wirchenko <genew@telus.net>
Thu, 15 Aug 2013 13:00:32 -0700
Robert L. Mitchell | Computerworld, 13 Aug 2013
The transition to cloud-based services is ratcheting up traditional
enterprise software costs and adding layers of complexity


"More Android malware distributed through mobile ad networks" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Fri, 16 Aug 2013 10:24:02 -0700
http://www.infoworld.com/d/mobile-technology/more-android-malware-distributed-through-mobile-ad-networks-224815
Lucian Constantin | IDG News Service, InfoWorld, 13 Aug 2013
Security researchers from Palo Alto Networks found Android apps
downloading malware from rogue mobile ad networks


"Outsourced software project with 6,000 pages of specs ends badly" (Patrick Thibodeau)

Gene Wirchenko <genew@telus.net>
Thu, 15 Aug 2013 12:47:58 -0700
http://www.infoworld.com/t/outsourcing/outsourced-software-project-6000-pages-of-specs-ends-badly-224777
Patrick Thibodeau | Computerworld, 13 Aug 2013
Orange County files lawsuit to recover damages from offshore firm
Tata in tax system rewrite


"What's worse than a system failure? What you say about it" (Matt Prigge)

Gene Wirchenko <genew@telus.net>
Thu, 15 Aug 2013 12:43:18 -0700
http://www.infoworld.com/d/data-explosion/whats-worse-system-failure-what-you-say-about-it-224751
Matt Prigge, Infoworld, 13 Aug 2013
Communicating well in emergencies is often just as important as
working to end the emergency


"Dangerous Linux Trojan could be sign of things to come" (Jon Gold)

Gene Wirchenko <genew@telus.net>
Thu, 15 Aug 2013 12:29:36 -0700
http://www.infoworld.com/d/security/dangerous-linux-trojan-could-be-sign-of-things-come-224649
Jon Gold | Network World, 12 Aug 2013
'Hand of Thief' Trojan specifically targets Linux but operates a lot
like similar malware that targets Windows machines


"Anonymous is not anonymous" (Roger A. Grimes)

Gene Wirchenko <genew@telus.net>
Thu, 15 Aug 2013 12:25:39 -0700
http://www.infoworld.com/d/security/anonymous-not-anonymous-224783
Roger A. Grimes | InfoWorld, 13 Aug 2013
At this point, most of us would welcome shelter from the gaze of
government cyber spies. Here are six reasons why that may be unattainable


"AARP website hacked" (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Wed, 14 Aug 2013 12:49:01 -0700
Woody Leonhard | InfoWorld
Now would be a good time to change your passwords


"Video: Watch what happens when a Prius gets hacked" (Pete Babb)

Gene Wirchenko <genew@telus.net>
Wed, 14 Aug 2013 12:46:22 -0700
http://www.infoworld.com/t/hacking/video-watch-what-happens-when-prius-gets-hacked-224270
Pete Babb | InfoWorld, 07 Aug 2013
Security engineers take over the various computerized systems of a
Toyota hybrid and wirelessly control it


Re: Xerox scanners/photocopiers randomly alter numbers (RISKS-27.41)

t byfield <tbyfield@panix.com>
Sun, 18 Aug 2013 09:54:01 -0400
Glynn Clements <glynn@gclements.plus.com> wrote:

> Any scanner has limits to its accuracy, and any form of lossy compression
> has some loss. But unlike e.g. JPEG, where the artifacts are often clearly
> visible, there is no indication of the degree of uncertainty involved.

Therein lies the real innovation: arbitrary textual variations that can't be
detected by the human eye. This kind of technique can and, I expect, will be
used to serialize documents by introducing subtle variations into each
instance of them—to trace leaks, for example.

>—From a legal perspective, the mere fact that such scanners exist brings
> into question the authenticity of any document unless its entire history
> is known.

One way to establish that provenance is to ensure that each instance
of a document is unique—by serializing it!


Re: The Public/Private Surveillance Partnership (RISKS-27.41)

Kelly Bert Manning
Sun, 18 Aug 2013 12:55:09 -0400 (EDT)
I carry a cell phone only when my employer pays for it, and pays me to carry
it. The battery in the work phone lasts longer with GPS and blue tooth
turned off.

The GPS is supposed to activate automatically if I press 911.  GPS is a real
time compute intensive application. In other words a battery drainer for
mobile devices.

Walking around, or commuting by transit I often feel that I an in the middle
of some science fiction story, surrounded by people largely oblivious to
what is going on around them, eyes focused on a display screen and their
hearing blocked by ear buds or by a phone held to their head. Pedestrians
often seem oblivious to traffic or sidewalk hazards while they focus on a
display or a conversation.

RAND Emeritus Willis H. Ware, an ACM and IEEE Fellow, who chaired the
committee which wrote the "Records, Computers, and the Rights of Citizens"
HEW report, might have an interesting perspective on radio location,
identification and tracking.

I have read that during the 2nd World War Dr. Ware did classified work on
advanced Radio Location and Identify Friend or Foe transponders.

I am old enough to remember politicians making a big deal of the fact that
that citizens don't have to carry Internal Passports with them at all times,
even within the same city, unlike folks in Moscow. Seemed like a killer
argument to me at the time. Now you can't get on an intercity bus without
identifying yourself.

If you drive a private car, it may have built in GP. Your license plate may
be scanned as you leave town, drive along the highway, or enter a new town.
We saw that used by police in Boston earlier this year, in combination with
phone location tracking.

How times have changed.

www.worldcat.org/title/records-computers-and-the-rights-of-citizens/oclc/251870191/editions?referer=di&editionsView=true


Re: DC, Maryland: Speed Camera Firms Move To Hide Evidence (R-27.41)

Danny Burstein <dannyb@panix.com>
Sun, 18 Aug 2013 10:31:15 -0400 (EDT)
> "The District has also recently been installing next-generation speed
> cameras that use infrared light instead of a visible flash when
> photographing vehicles. This means drivers will have no way of knowing
> whether they will receive a ticket until weeks after the alleged
> violation."

About 30 years ago (where does the time go?) I read a snippet in New
Scientist that their Spy Folk accidentally released some of their super
duper sekrit tech tricks. Per the article, the Brits had patented a "near
infrared" [a] flash unit assembly for their spooks that hooked into a
surveillance camera, letting them take nighttime photograph license plates
of the folk they were watching without warning them.

So... unless the folk on this side of the pond are paying royalties, they
might get hit with Patent Trolls!

- I was heavily into photography back then and had my very own Wratton 87C
(infrared) filters for my lights, was using Kodak's B&W and colour IR
recording film, had the books, etc.

[a] "near infrared" is the part of the spectrum just beyond standard and
visible red light. It looks... black to the human eye since we can't see
that far up the scale.

"Far infrared" (or usually, just "infrared" by itself) refers to heat. I'm
highly doubtful consumer level speed cameras are using temperature readings
for license plate number catching, and doubt it would even work.


Re: Download manager takes Web site down (Kuenning, RISKS-27.40)

Chris Adams <chris@improbable.org>
Sat, 3 Aug 2013 13:41:31 -0400
> RISK: The TCP/IP specification is extensive and explicit, but doesn't
> address simultaneous connections from the same client.  ...

I'm not sure this can really be blamed on TCP/IP: in the specific example
above, the HTTP specification both recommends a connection limit (2,
although common convention has adjusted up to 6 over the last few years) and
does offer the convention of quickly returning HTTP 503 errors when the
server is over capacity.

The problem, however, is that this is neither effective nor desirable in
practice because by now it's quite rare for the hard limit to actually be
the number of simultaneous connections rather than the total bandwidth
available—it's quite easy to end up with, say, a hundred slow connections
using as much bandwidth as one connection from someone with a gigabit link
and modern web servers can easily handle many tens of thousands of
simultaneous connections. Total capacity is also affected by traffic using
protocols other than HTTP, or even TCP, so effective flow control has to
happen at a lower level: there's an existing standard called ECN
(http://en.wikipedia.org/wiki/Explicit_Congestion_Notification), which
provides a mechanism for a router to inform clients that the upstream path
is congested. This problem is also more crudely but effectively solved on
the client by adjusting the connection count and speed based on measured
performance and error rates.

Unfortunately, as the example illustrates there's no way to handle this
situation nicely when faced with clients which are buggy and do not follow
either standards or accepted best practices. As described above, IDM
obviously does not follow standard HTTP conventions, honor ECN, or even
throttle or retry failed attempts (a ridiculous lapse for a download
manager). There's simply no way to handle that kind of badly broken client
without deploying some sort of fair-queuing system on either your servers
or, better, the upstream router to avoid clogging the pipe with
likely-doomed packets. A good queuing system, possibly combined with a
robust fronting cache like Varnish, would also tend to keep the connections
from timing even when they become quite slow by ensuring that each
connection doesn't go too long without receiving at least a few bytes.

Chris

P.S. As an aside, http://iotta.snia.org/ does not appear to support HTTP
byte ranges, which more intelligent clients can use to resume partial
transfers. While this obviously can't help with broken clients I have found
this quite effective for retrieving files over unstable links as something
wget or curl can repeatedly retry as needed until they've retrieved every
chunk of the file.


Re: How a Misplaced Reef on a Digital Chart Destroyed a Minesweeper (Saffo, RISKS-27.13)

Jeffrey Alexander <jeffrey.alexander@sri.com>
Fri, 9 Aug 2013 06:11:57 +0000
[Jeff missed Paul Saffo's earlier posting in RISKS-27.13, Jan 2013,
having sent in an incremental item.  He then responded to my response.]

Perhaps of greater interest is the link to the site with the official report
on the incident, completed in May 2013:

  http://www.cpf.navy.mil/foia/reading-room/

Jeffrey Alexander, Assoc.Dir. Research & Analytics, Center for Science,
Technology & Economic Development, SRI Arlington VA http://csted.sri.com

Please report problems with the web pages to the maintainer

Top