The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 44

Wednesday 28 August 2013


*NY Times* Site is Disrupted in Attack by Hackers
Haughney/Perlroth via Dewayne Hendricks
NSA intimidation expanding surveillance state
Bruce Schneier via Dewayne Hendricks
In ACLU lawsuit, scientist demolishes NSA's `It's just metadata'
Joe Mullin via Dewayne Hendricks
In ACLU lawsuit, scientist demolishes NSA's `It's just metadata'
Emin Gun Sirer
Cry wolf: Early warning for an earthquake
More risks of CableWiFi
Bob Frankston
REVIEW: Hacking Exposed Mobile: Security Secrets & Solutions
Ben Rothke
Info on RISKS (comp.risks)

*NY Times* Site is Disrupted in Attack by Hackers (Haughney/Perlroth)

Dewayne Hendricks <>
August 28, 2013 2:21:50 AM EDT
Hristine Haughney and Nicole Perlroth, *The New York Times*. 27 Aug 2013,
  (via Dave Farber)

*The New York Times* Web site was unavailable to readers on Tuesday afternoon
after an online attack on the company's domain name registrar. The attack
also forced employees of The Times to take care in sending e-mails.

The hacking was just the latest of a major media organization, with *The
Financial Times* and *The Washington Post* also having their operations
disrupted within the last few months. It was also the second time this month
that the Web site of The New York Times was unavailable for several hours.

Marc Frons, chief information officer for The New York Times Company, issued
a statement at 4:20 p.m. on Tuesday warning employees that the disruption --
which appeared to be affecting the Web site well into the evening—was
“the result of a malicious external attack.'' He advised employees to
“be careful when sending e-mail communications until this situation is

In an interview, Mr. Frons said the attack was carried out by a group known
as “the Syrian Electronic Army, or someone trying very hard to be them.''
The group attacked the company's domain name registrar, Melbourne IT. The
Web site first went down after 3 p.m.; once service was restored, the
hackers quickly disrupted the site again. Shortly after 6 p.m., Mr. Frons
said that “we believe that we are on the road to fixing the problem.''

The Syrian Electronic Army is a group of hackers who support President
Bashar al-Assad of Syria. Matt Johansen, head of the Threat Research Center
at White Hat Security, posted on Twitter that he was directed to a Syrian
Web domain when he tried to view The Times's Web site.

Until now, The Times has been spared from being hacked by the S.E.A., but on
15 Aug, the group attacked The Washington Post's Web site through a
third-party service provided by a company called Outbrain. At the time, the
S.E.A. also tried to hack CNN.

Just a day earlier, The Times's Web site was down for several hours. The
Times cited technical problems and said there was no indication the site had
been hacked.

The S.E.A. first emerged in May 2011, during the first Syrian uprisings,
when it started attacking a wide array of media outlets and nonprofits and
spamming popular Facebook pages like President Obama's and Oprah Winfrey's
with pro-Assad comments. Their goal, they said, was to offer a
pro-government counter-narrative to media coverage of Syria.

The group, which also disrupted *The Financial Times* in May, has
consistently denied ties to the government and has said it does not target
Syrian dissidents, but security researchers and Syrian rebels say they are
not convinced. They say the group is the outward-facing campaign of a much
quieter surveillance campaign focused on Syrian dissidents and are quick to
point out that Mr. Assad once referred to the S.E.A. as “a real army in a
virtual reality.''  ...

Dewayne-Net RSS Feed: <>

NSA intimidation expanding surveillance state (Bruce Schneier)

Dewayne Hendricks <>
Tuesday, August 27, 2013
Bruce Schneier, Aug 27 2013
NSA intimidation expanding surveillance state
We need protection from intelligence-gathering run amok
  (via Dave Farber)

If there's any confirmation that the U.S. government has commandeered the
Internet for worldwide surveillance, it is what happened with Lavabit
earlier this month.

Lavabit is—well, was—an e-mail service that offered more privacy than
the typical large-Internet-corporation services that most of us use. It was
a small company, owned and operated by Ladar Levison, and it was popular
among the tech-savvy. NSA whistleblower Edward Snowden among its
half-million users.

Last month, Levison reportedly received an order—probably a National
Security Letter—to allow the NSA to eavesdrop on everyone's e-mail
accounts on Lavabit. Rather than "become complicit in crimes against the
American people," he turned the service off. Note that we don't know for
sure that he received a NSL—that's the order authorized by thePatriot
Act that doesn't require a judge's signature and prohibits the recipient
from talking about it—or what it covered, but Levison has said that he
had complied with requests for individual e-mail access in the past, but
this was very different.

So far, we just have an extreme moral act in the face of government
pressure. It's what happened next that is the most chilling. The government
threatened him with arrest, arguing that shutting down this e-mail service
was a violation of the order.

There it is. If you run a business, and the FBI or NSA want to turn it into
a mass surveillance tool, they believe they can do so, solely on their own
initiative. They can force you to modify your system. They can do it all in
secret and then force your business to keep that secret. Once they do that,
you no longer control that part of your business. You can't shut it down.
You can't terminate part of your service. In a very real sense, it is not
your business anymore. It is an arm of the vast U.S. surveillance
apparatus, and if your interest conflicts with theirs then they win. Your
business has been commandeered. ...

Dewayne-Net RSS Feed: <>

In ACLU lawsuit, scientist demolishes NSA's `It's just metadata' (Joe Mullin)

"Dewayne Hendricks" <>
Aug 27, 2013 5:18 PM
Joe Mullin, Arstechnica, 27 Aug 2013
In ACLU lawsuit, scientist demolishes NSA's “It's just metadata'' excuse
The power of metadata: Addiction, sex, and accusations can all be discovered.

When the scandal about the National Security Agency (NSA) leaks first broke,
one of the government's talking points quickly became that its giant
database of domestic phone calls was simply "metadata."

"Nobody is listening to your telephone calls," said President Barack Obama
a few days after the program became public. "That's not what this program's
about... by sifting through this so-called metadata, they may identify
potential leads with respect to folks who might engage in terrorism."

Privacy activists noted that the "metadata" held plenty of private
information. Just six days after the Snowden NSA leaks revealed that the
government was collecting essentially all telephone call "metadata," the
ACLU filed a new lawsuit challenging the practice as unconstitutional.

Yesterday, the ACLU filed a declaration by Princeton Computer Science Prof.
Edward Felten to support its quest for a preliminary injunction in that
lawsuit. Felten, a former technical director of the Federal Trade
Commission, has testified to Congress several times on technology issues,
and he explained why "metadata" really is a big deal.

Storage and data-mining have come a long way in the past 35 years, Felten
notes, and metadata is uniquely easy to analyze—unlike the complicated
data of a call itself, with variations in language, voice, and conversation
style. "This newfound data storage capacity has led to new ways of
exploiting the digital record," writes Felten. "Sophisticated computing
tools permit the analysis of large datasets to identify embedded patterns
and relationships, including personal details, habits, and behaviors."

There are already programs that make it easy for law enforcement and
intelligence agencies to analyze such data, like IBM's Analyst's Notebook.
IBM offers courses on how to use Analyst's Notebook to understand call data

Unlike the actual contents of calls and e-mails, the metadata about those
calls often can't be hidden. And it can be incredibly revealing—sometimes
more so than the actual content.

Knowing who you're calling reveals information that isn't supposed to be
public. Inspectors general at nearly every federal agency, including the
NSA, "have hotlines through which misconduct, waste, and fraud can be
reported." Hotlines exist for people who suffer from addictions to alcohol,
drugs, or gambling; for victims of rape and domestic violence; and for
people considering suicide.

Text messages can measure donations to churches, to Planned Parenthood, or
to a particular political candidate.

Felten points out what should be obvious to those arguing "it's just
metadata"—the most important piece of information in these situations is
the recipient of the call.  [...]

Dewayne-Net RSS Feed: <>

In ACLU lawsuit, scientist demolishes NSA's `It's just metadata'

Emin Gun Sirer <>
August 28, 2013 8:20:27 AM EDT
Here's my take on why the term "metadata" is a red herring, invented to
distract the public.

Metadata is in the eye of the beholder
by Emin Gun Sirer

The intelligence community has been harping on the word "metadata" to try to
underscore that the information they collected is not quite "data", is not
subject to the same limits, and is not quite as bad. I want to put an end to
this charade, by way of an analogy.

Clearly, what constitutes data versus metadata is determined not by any
intrinsic property of the data itself, but by the questions that that data
is meant to answer.

Let's examine what it is that the intelligence community wants to do with
phone call records and online activity logs to see if it fits any kind of
meta designation.

The contents of phone conversations are clearly important. If our goal is to
stop an immediate attack, a voice that says "attack at dawn" is what we want
to catch. And this is the imaginary scenario that the intelligence community
will play up. But if our goal is to investigate a network, to find out who
is related to whom by what degree, and what their usual communication
activities are, then the call log "metadata" is very much the actual data we
seek. It is not one-step removed; it is the very thing and the only thing we
want. If we're doing anomaly detection or community discovery or determining
some kind of a simplistic color-coded terror alert level, we'd be able to do
our analyses solely with metadata.

The "meta" designation is really an attempt to denigrate the value of the
data at stake, to insinuate that this data is one step removed from that
which we want, and to subtly insist that it should therefore be subject to
less scrutiny.

Yet metadata is often far more valuable than so-called data itself.

Take, for instance, the NSA's current predicament following Snowden's
leaks. What Snowden leaked was information about the information that the
NSA collected. Since NSA calls that information "metadata," this makes
Snowden's leaks meta-metadata. I don't need to belabor how damaging the leak
was for the NSA.

And going further, here's the NSA's response to a FOIA request, explaining
why revealing the presence or absence of some metadata (which would be
metametadata) would cause grave harm to the United States, because it would
reveal information about the capabilities of the NSA. We're veering off to
cubic-meta territory here.

There have been narrow legalistic arguments between legal scholars about the
privacy guarantees over call records. While it's futile to try to keep
lawyers from discussing arcane legalistic definitions, these discussions all
miss the point. Simply put, the public finds it creepy for the government to
track their lives, their interactions and their overall behavior at that
scale and in that fashion. Jane Average can turn a blind eye towards evil,
unwarranted or even illegal activities on occasion, especially if they take
place overseas, but a domestic creeper is a hard sell to families.

So the intelligence community, which never met-a-data that it didn't want to
collect, should drop the whole metadata charade. The discussion should not
be about legalistic definitions. It should be whether or not collecting this
particular information, for the particular purpose of massively
cross-linking and analyzing it, at this massive scale, is at odds with our

Cry wolf: Early warning for an earthquake

ishikawa <>
Wed, 28 Aug 2013 13:37:20 +0900
In Japan, due to the large number of earthquakes and the potential damage to
the social infrastructure and people's lives, many sensors on land, and on
the sea bed have been installed to allow a government agency to detect the
tremor as it happens and, before the the vibration through earth's crust
reaches populated cities, send early warnings by radio and wire.

How is such warning useful?

It can help organizations or people to take preventive actions such as:

 * speeding trains can hit the brake automatically before the tremor causes

 * drivers of cars can slow down after hearing the notice on the radio or
   seeing it on the billboard, if they are lucky, and most importantly,

 * people can take safety positions (or at least not taken by surprise when
   the tremor hits.)

The early warning is given only for large earthquakes and gives 10-20
seconds of time of preparation (of course, it depends how far you are from
the epicenter), has been sent over TV.

Lately the frequency of such warnings have shot up after the big earthquake
in March, 2011. Obviously the geophysically there are more large earthquakes
than before especially in the eastern part of Japan.

On August 8th, the agency in charge of the warning sent out such an early
warning over TV, and these days, they are sent to mobile phones as well.

At the office, during a conversation, I notice the strange beep sound from
my mobile phone (the unit was configured to receive the signal automatically
by default. I didn't know this) and thought I must have set up wrong alarm
or something.  Then a few moments later everybody's mobile began sending out
this sound in the office, and eventually some units gave out audio warning
well. And when I look at the phone's screen, it displays the early warning
of a really big earthquake in western part of Japan.

I looked at the watch and thought it would be 40 seconds before it hit our
office in Tokyo assuming the tremor traveled at 10km/sec approximately.
(Actually the so called primary wave travels 5-7 km/sec. so 100-120 seconds
are more like it.)  I was on the seventh floor of a building. Not the best
place to be when a big tremor comes.

40 seconds passed, but nothing happened.

People's tension eased up gradually.
Eventually, it was determined that the signal was a false alarm indeed.

What happened was:

According to an explanation released two days later, a sensor detected a
vibration (which seems to have been caused by a true but very weak tremor)
in one place, but at the same instance, an ocean-floor sensor placed not far
(approx. 100km) detected a noise and the system as a whole regarded this
noise as part of a large earthquake that just occurred, and thus sent out
the warning to a wide-area after deducing the strength of the earthquake.

After three weeks, people's reactions which I culled from some blog postings
(not very scientific) are

 - oh boy, somebody screwed up royally :-)
  (To date, nobody filed an official suit for financial damage caused by
   false alarm, etc.)

 - it is a good thing that some train services, etc. indeed stop quickly.
  (Some wonder why some services did NOT stop!)

 - If the false alarm of this scale occurs two more times, maybe people
   don't bother to take notice anymore.

I agree with the second sentiment. It is not usually possible to test this
scheme in such a wide-scale realistic manner. Thanks to the false alarm, we
got a real-world drill!

I am afraid of the third scenario which is likely to happen :-(

It is true organizations in charge of the large scale infrastructure are
taking this earthquake warning seriously: for example, national railway
system was the first to introduce such automatic braking of speeding trains
in the 1980's and it has already proved useful. A Shinkansen bullet-train
train slowed down enough due to such early warning of a big earthquake and
despite the wheels got off track, the train remained upright and intact  and
nobody got hurt (this happened in 2004. The first such derailment incident
for Shinkansen.)
Thanks to this warning, Shinkansen train did not get derailed even during
the big earthquake in 2011. Railway companies do learn.

But ordinary people may not take these warnings seriously enough if false
alarms continue. And people injured in such situations need medical
care/help which compound the already jammed traffic routes in such situations.

There are these things that people can do in the 10-20 seconds after the
warning and the tremor comes.
A simple move like trying to stay away from loose furniture or move away
from loose structures hanging from the ceiling can avoid many injuries.
Or, get out of the elevator car quickly by punching all floor buttons and
exit immediately as soon as the car stops. This will save rescue people to
visit every building to save people being trapped in the car.
Many Japanese elevators stop when big earthquakes hit them.)
Or open the entrance door of the office or home so that it will stay open
even if the door frame get warped due to the strong vibration. This will
save people from being trapped in a room or office, etc.
On and on, there are things people can learn to do.

But if people come to disregard the warning, that is tough.

September 1st is an 90th anniversary of the  Great Kanto Earthquake that
devastated Tokyo/Yokohama area in 1923. To be honest, I thought the alarm
sent out on August 8th was a god-sent opportunity for  a serious drill of
this anniversary as an after-thought. But not many people are as lenient of
false alarms.

We need to learn to cope with such false alarms of highly useful ICT
systems. But how often such false alarms can be tolerated is a matter of
discussion, I suppose. The straight explanation of the false alarm of the
agency in charge seemed to help people's acceptance of the error in this case.

(If only we could have some kind of real-world drill(s) of nuclear power
stations losing power, etc. before the March 11, 2013 earthquake.)

More risks of CableWiFi

"Bob Frankston" <>
28 Aug 2013 10:07:58 -0400
Recently I noted a Risk of Xfinity (AKA CableWiFi) in that your connection
can get captured by an access point that isn't fully functioning or weak.
With Cox announcing the availability of their Wi-Fi service I realize there
seems to be yet another sets of risks in a simple denial of service by
spoofing SSIDs or MAC addresses. Of course it would also be easy to listen
in on any conversation that doesn't use end-to-end encryption because too
many apps and protocols still presume we can trust "providers" of the pipe.

These are not fundamental risks in themselves as much as a risk of using old
paradigms (in this case - the railroad metaphors for speech as a service)
and treating the engineering heuristic of layering as if it were a necessary
design principle. There are many similar examples as when we try to solve
the problem of extending GPS rather than recognizing the goal of providing
location information needn't depend on a signal for a satellite.

More at

REVIEW: Hacking Exposed Mobile: Security Secrets & Solutions

Ben Rothke <>
Tue, 27 Aug 2013 22:19:10 -0400
Little did anyone know that when the first Hacking Exposed books came out
over 15 years ago, that it would launch a set of sequels on topics from
Windows, Linux, web development, to virtualization and cloud computing, and
much more.  It was a series that launched a generation of script kiddies, in
addition to security experts.

In 2013, the newest edition is Hacking Exposed Mobile Security Secrets &
Solutions.  In this edition, authors Neil Bergman, Mike Stanfield, Jason
Rouse & Joel Scambray provide an extremely detailed overview of the security
and privacy issues around mobile devices.  The authors have decades of
experience in the various mobile topics and bring that to every chapter.

Full review at

Please report problems with the web pages to the maintainer