The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 48

Tuesday 24 September 2013

Contents

Girl's Suicide Points to Rise in Apps Used by Cyberbullies
Lizette Alvarez via Monty Solomon
Police: BMW Door Locks Contributed To 14-Year-Old Girl's Death
Erik Rosales via Lauren Weinstein
Another major government IT failure
Peter Bernard Ladkin
United Airlines Agrees to Honor Accidental $0 Tickets
Joshua Freed via Monty Solomon
Million Second Quiz gets overloaded
Paul Robinson
Fake online reviews crackdown in New York sees 19 companies fined
Lauren Weinstein
"Verizon's diabolical plan to turn the Web into pay-per-view"
Bill Snyder via Gene Wirchenko
Freedom and the Social Contract
Vint Cerf via Dave Farber
WiReD: Apple's Fingerprint ID May Mean You Can't 'Take the Fifth'
Marcia Hoffman via Lauren Weinstein
The US government has betrayed the Internet. We need to take it back
Bruce Schneier via Matthew Kruk
FBI Admits It Controlled Tor Servers Behind Mass Malware Attack
Kevin Poulsen via Monty Solomon
Gov't standards agency "strongly" discourages use of NSA-influenced algorithm
Larson and Elliott via Monty Solomon
*The New York Times* provides new details about NSA backdoor
Ars Technica via David Farber
Malware Mining Civil Aviation Data - AVweb flash Article
Gabe Goldberg
E-ZPasses Get Read All Over New York, Not Just At Toll Booths
Kashmir Hill via Henry Baker
"Adobe issues critical security updates for Flash Player, Reader and Shockwave Player"
Lucian Constantin via Gene Wirchenko
"Microsoft pulls botched KB 2871630, while many Office patch problems remain"
Woody Leonhard via Gene Wirchenko
Sharing due to phone failure
Karl Goetz
HuffPost Essay by Charles Perrow on Fukushima
John Bosley via Dave Farber
BOOK: Rebecca Slayton, Arguments that Count
PGN
Info on RISKS (comp.risks)

Girl's Suicide Points to Rise in Apps Used by Cyberbullies (Lizette Alvarez)

Monty Solomon <monty@roscom.com>
Sun, 15 Sep 2013 01:31:47 -0400
Lizette Alvarez, *The New York Times*, 13 Sep 2013

MIAMI - The clues were buried in her bedroom. Before leaving for school on
Monday morning, Rebecca Ann Sedwick had hidden her schoolbooks under a pile
of clothes and left her cellphone behind, a rare lapse for a 12-year-old
girl.

Inside her phone's virtual world, she had changed her user name on Kik
Messenger, a cellphone application, to "That Dead Girl" and delivered a
message to two friends, saying goodbye forever. Then she climbed a platform
at an abandoned cement plant near her home in the Central Florida city of
Lakeland and leaped to the ground, the Polk County sheriff said.

In jumping, Rebecca became one of the youngest members of a growing list of
children and teenagers apparently driven to suicide, at least in part, after
being maligned, threatened and taunted online, mostly through a new
collection of texting and photo-sharing cellphone applications. Her suicide
raises new questions about the proliferation and popularity of these
applications and Web sites among children and the ability of parents to keep
up with their children's online relationships.

For more than a year, Rebecca, pretty and smart, was cyberbullied by a
coterie of 15 middle-school children who urged her to kill herself, her
mother said. The Polk County sheriff's office is investigating the role of
cyberbullying in the suicide and considering filing charges against the
middle-school students who apparently barraged Rebecca with hostile text
messages. Florida passed a law this year making it easier to bring felony
charges in online bullying cases. [...]

http://www.nytimes.com/2013/09/14/us/suicide-of-girl-after-bullying-raises-worries-on-web-sites.html


Police: BMW Door Locks Contributed To 14-Year-Old Girl's Death (Erik Rosales)

Lauren Weinstein <lauren@vortex.com>
Fri, 13 Sep 2013 17:37:40 -0700
  [This is not the first time I've heard of such problems with these
  electronic locking systems.  LW]

http://www.kmph.com/story/23421319/police-bmw-door-locks-contribute-to-14-year-old-girls-death


Another major government IT failure

Peter Bernard Ladkin <ladkin@rvs.uni-bielefeld.de>
Thu, 12 Sep 2013 08:42:31 +0200
12 Sep 2013: "..... the [UK] Department for Work and Pensions (DWP) could
write off up to 161 million pounds spent on an IT system for ambitious
welfare changes......."

Full story at http://gu.com/p/3ty4n


United Airlines Agrees to Honor Accidental $0 Tickets (Joshua Freed)

Monty Solomon <monty@roscom.com>
Sun, 15 Sep 2013 01:35:14 -0400
Joshua Freed, The Associated Press, 14 Sep 2013

United Airlines said on Friday that it will honor the tickets it
accidentally gave away for free.  The decision is good news for people who
snapped up the tickets on Thursday after United listed airfares at $0. Many
customers got tickets for $5 or $10, paying only the cost of the Sept. 11
security fee.

The mistake was an especially good deal for any passengers who bought
tickets for travel within the next week. For instance, a Houston to
Washington Dulles flight for next weekend would have cost $877, according to
United's website on Friday. ...

http://www.dailyfinance.com/2013/09/14/united-airlines-price-error-free-tickets/


Million Second Quiz gets overloaded

Paul Robinson <paul@paul-robinson.us>
Wed, 11 Sep 2013 17:17:32 -0700 (PDT)
Last night on the NBC TV network program "The Million Second Quiz," Host
Ryan Seacrest admitted two things. (1) The App to allow viewers to play
along with the TV show at home is the most-downloaded free app ever provided
on iTunes. (2) So many people were playing the home game app that it crashed
the servers.

Tonight they admitted that there aren't even that many downloading the app,
a mere 1000 downloads a minute.  While that doesn't indicate how many were
connecting to the servers, clearly a game where the money accumulating as a
contestant is playing is $10/second and the grand prize which the 4 top
winners (all of whom will probably have won a minimum six figures each by
the time the game completes) will be going after is US$2,000,000 and it's
possible for a home game contestant to be invited on the show (a "line
jumper" as they call it), that it should have been obvious the home game
would be getting a lot of hits on their servers.

With inadequate provisioning like this, it doesn't even require attackers to
try to DDOS or otherwise disable a system, the users can do it just by too
many of them showing up all at once!


Fake online reviews crackdown in New York sees 19 companies fined

Lauren Weinstein <lauren@vortex.com>
Mon, 23 Sep 2013 14:03:45 -0700
http://j.mp/16CqA2Q  (*The Guardian* via NNSquad)

  "Eric Schneiderman announced agreements with 19 firms Monday that
  commissioned fake reviews and several reputation-enhancement companies
  that helped place reviews on sites like Citysearch, Google, Yahoo and
  Yelp. They were fined a total of $350,000."


"Verizon's diabolical plan to turn the Web into pay-per-view" (Bill Snyder)

Gene Wirchenko <genew@telus.net>
Thu, 12 Sep 2013 10:59:51 -0700
Bill Snyder, InfoWorld, 12 Sep 2013

The carrier wants to charge websites for carrying their packets, but
if they win it'd be the end of the Internet as we know it
http://www.infoworld.com/d/the-industry-standard/verizons-diabolical-plan-turn-the-web-pay-view-226662


Freedom and the Social Contract, by Vint Cerf

David Farber <farber@gmail.com>
Thu, 12 Sep 2013 09:06:42 -0400
  [In the CACM — Vint's Comments on the Role of Government.  DF]

FROM THE PRESIDENT (of the ACM)
Freedom and the Social Contract
By Vinton G. Cerf
Communications of the ACM, Vol. 56 No. 9, Page 7
10.1145/2500468.2500470

The last several weeks (as of this writing) have been filled with
disclosures of intelligence practices in the U.S. and elsewhere. Edward
Snowden's unauthorized release of highly classified information has stirred
a great deal of debate about national security and the means used to
preserve it.

In the midst of all this, I looked to Jean-Jacques Rousseau's well-known
18th-century writings on the Social Contract (Du Contrat Social, Ou
Principes du Droit Politique) for insight. Distilled and interpreted through
my perspective, I took away several notions. One is that in a society, to
achieve a degree of safety and stability, we as individuals give up some
absolute freedom of action to what Rousseau called the sovereign will of the
people. He did not equate this to government, which he argued was distinct
and derived its power from the sovereign people.

I think it may be fair to say that most of us would not want to live in a
society that had no limits to individual behavior. In such a society, there
would be no limit to the potential harm an individual could visit upon
others. In exchange for some measure of stability and safety, we voluntarily
give up absolute freedom in exchange for the rule of law. In Rousseau's
terms, however, the laws must come from the sovereign people, not from the
government. We approximate this in most modern societies creating
representative government using public elections to populate the key parts
of the government.

I think it is also likely to be widely agreed that a society in which there
was no privacy and every action or plan was visible to everyone might not be
a place in which most of us might like to live. I am reminded, however, of
my life in a small village of about 3,000 people in Germany. In the 1960s,
no one had phones at home (well, very few). You went to the post office to
mail letters, pick up mail, and make or receive phone calls. In some sense,
the Postmaster was the most well-informed person about the doings of the
town. He saw who was calling or writing to whom. There was not a lot of
privacy. The modern notion of privacy may in part have derived from the
growth of large urban concentrations in which few people know one another.

In today's world, threats to our safety and threats to national security
come from many directions and not all or even many of them originate from
state actors. If I can use the term "cyber-safety" to suggest safety while
making use of the content and tools of the Internet, World Wide Web, and
computing devices in general, it seems fair to say the expansion of these
services and systems has been accompanied by a growth in their
abuse. Moreover, it has been frequently observed that there is an asymmetry
in the degree of abuse and harm that individuals can perpetrate on citizens,
and on the varied infrastructure of our society. Vast harm and damage may be
inflicted with only modest investment in resources. Whether we speak of
damage and harm using computer-based tools or damage from lethal, homemade
explosives, the asymmetry is apparent. While there remain serious potential
threats to the well-being of citizens from entities we call nation- states,
there are similarly serious potential threats originating with individuals
and small groups.

Presuming we have accepted the theory that safety is partly found through
voluntarily following law, we must also recognize that there are parties
domestic and otherwise who wish us individual and collective harm. The
societal response to this is to provide for law enforcement and intelligence
gathering (domestic and non-domestic) in an attempt to detect and thwart
harmful plans from becoming harmful reality. We do not always succeed.

The tension we feel between preserving privacy and a desire to be protected
from harm feeds the debate about the extent to which we are willing to trade
one for the other. Not everyone, nor every culture, will find the same point
of equilibrium. Moreover, as technology and society evolve, the equilibrium
points may shift. It has been said that "security" is not found in
apprehending a guilty party but in preventing the harm from occurring. While
this notion can surely be overextended, it can also be understood to justify
a certain degree of intelligence gathering in the service of safety and
security.

There is some irony in the fact that our privacy is more difficult than ever
to preserve, given the advent of smartphones, tablets, laptops, the Web and
the Internet, but that the threats against our safety and security use the
same infrastructure to achieve nefarious ends. Our discipline, computer
science, is deeply involved in the many dimensions of this conundrum and we
owe it to our fellow citizens to be thoughtful in response and to contribute
to reasoned consideration of the balance our society needs between potential
policy extremes.

Vinton G. Cerf, ACM PRESIDENT

Permission to make digital or hard copies of part or all of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that copies
bear this notice and full citation on the first page. Copyright for
components of this work owned by others than ACM must be
honored. Abstracting with credit is permitted. To copy otherwise, to
republish, to post on servers, or to redistribute to lists, requires prior
specific permission and/or fee. Request permission to publish from
permissions@acm.org or fax (212) 869-0481.


Wired: Apple's Fingerprint ID May Mean You Can't 'Take the Fifth' (Marcia Hoffman)

Lauren Weinstein <lauren@vortex.com>
Fri, 13 Sep 2013 17:21:13 -0700
http://j.mp/17VN56u (Marcia Hoffman in *WiReD.com* via NNSquad)

  "But if we move toward authentication systems based solely on physical
  tokens or biometrics—things we have or things we are, rather than things
  we remember—the government could demand that we produce them without
  implicating anything we know. Which would make it less likely that a valid
  privilege against self-incrimination would apply."


The US government has betrayed the Internet. We need to take it back

"Matthew Kruk" <mkrukg@gmail.com>
Thu, 19 Sep 2013 20:48:59 -0600
Bruce Schneier, *The Guardian*, Thursday 5 September 2013 20.04 BST
The NSA has undermined a fundamental social contract. We engineers built the
Internet - and now we have to fix it
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying


FBI Admits It Controlled Tor Servers Behind Mass Malware Attack (Kevin Poulsen)

Monty Solomon <monty@roscom.com>
Sun, 15 Sep 2013 01:54:43 -0400
Kevin Poulsen, *WiReD.com*, 13 Sep 2013

It wasn't ever seriously in doubt, but the FBI yesterday acknowledged that
it secretly took control of Freedom Hosting last July, days before the
servers of the largest provider of ultra-anonymous hosting were found to be
serving custom malware designed to identify visitors.

Freedom Hosting's operator, Eric Eoin Marques, had rented the servers from
an unnamed commercial hosting provider in France, and paid for them from a
bank account in Las Vegas. It's not clear how the FBI took over the servers
in late July, but the bureau was temporarily thwarted when Marques somehow
regained access and changed the passwords, briefly locking out the FBI until
it gained back control.

The new details emerged in local press reports from a Thursday bail hearing
in Dublin, Ireland, where Marques, 28, is fighting extradition to America on
charges that Freedom Hosting facilitated child pornography on a massive
scale. He was denied bail today for the second time since his arrest in
July.

Freedom Hosting was a provider of turnkey "Tor hidden service" sites -
special sites, with addresses ending in .onion, that hide their geographic
location behind layers of routing, and can be reached only over the Tor
anonymity network. Tor hidden services are used by sites that need to evade
surveillance or protect users' privacy to an extraordinary degree -
including human rights groups and journalists.  But they also appeal to
serious criminal elements, child-pornography traders among them.

On August 4, all the sites hosted by Freedom Hosting - some with no
connection to child porn - began serving an error message with hidden code
embedded in the page. Security researchers dissected the code and found it
exploited a security hole in Firefox to identify users of the Tor Browser
Bundle, reporting back to a mysterious server in Northern Virginia. The FBI
was the obvious suspect, but declined to comment on the incident. The FBI
also didn't respond to inquiries from WIRED today. ...

http://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/


Gov't standards agency "strongly" discourages use of NSA-influenced algorithm (Larson and Elliott)

Monty Solomon <monty@roscom.com>
Sun, 15 Sep 2013 01:57:35 -0400
NIST: "we are not deliberately... working to undermine or weaken encryption."

Jeff Larson and Justin Elliott, ProPublica.org
Sept 13 2013
Ars Technica

Following revelations about the National Security Agency's (NSA) covert
influence on computer security standards, the National Institute of
Standards and Technology, or NIST, announced earlier this week it is
revisiting some of its encryption standards. But in a little-noticed
footnote, NIST went a step further, saying it is "strongly" recommending
against even using one of the standards.

The institute sets standards for everything from the time to weights to
computer security that are used by the government and widely adopted by
industry.

As ProPublica, The New York Times, and The Guardian reported last week,
documents provided by Edward Snowden suggest that the NSA has heavily
influenced the standard, which has been used around the world. In its
statement Tuesday, the NIST acknowledged that the NSA participates in
creating cryptography standards "because of its recognized expertise" and
because the NIST is required by law to consult with the spy agency. "We are
not deliberately, knowingly, working to undermine or weaken encryption,"
NIST chief Patrick Gallagher said at a public conference Tuesday.

Various versions of Microsoft Windows, including those used in tablets and
smartphones, contain implementations of the standard, though the
NSA-influenced portion isn't enabled by default.  Developers creating
applications for the platform must choose to enable it. ...

... elliptic curve-based deterministic random bit generator

http://arstechnica.com/security/2013/09/government-standards-agency-strongly-suggests-dropping-its-own-encryption-standard/


*The New York Times* provides new details about NSA backdoor

David Farber <dave@farber.net>
Wed, 11 Sep 2013 04:42:17 -0400
http://arstechnica.com/security/2013/09/new-york-times-provides-new-details-about-nsa-backdoor-in-crypto-spec/


Today, *The New York Times* reported that an algorithm for generating random
numbers, which was adopted in 2006 by the National Institute of Standards
and Technology (NIST), contains a backdoor for the NSA. The news followed a
*NYT* report from last week, which indicated that the National Security
Agency (NSA) had circumvented widely used (but then-unnamed) encryption
schemes by placing backdoors in the standards that are used to implement the
encryption.

In 2007, cryptographers Niels Ferguson and Dan Shumow presented research
suggesting that there could be a potential backdoor in the Dual_EC_DRBG
algorithm, which NIST had included in Special Publication 800-90. If the
parameters used to define the algorithm were chosen in a particular way,
they would allow the NSA to predict the supposedly random numbers produced
by the algorithm. It wasn't entirely clear at the time that the NSA had
picked the parameters in this way; as Ars noted last week, the rationale for
choosing the particular Dual_EC_DRBG parameters in SP 800-90 was never
actually stated.

Today, *The NYT* says that internal memos leaked by Edward Snowden confirm
that the NSA generated the Dual_EC_DRBG algorithm. Publicly, however, the
agency's role in development was significantly underbilled: "In publishing
the standard, NIST acknowledged 'contributions' from NSA, but not primary
authorship," wrote the NYT. From there, the NSA pushed the International
Organization for Standardization to adopt the algorithm, calling it "a
challenge in finesse" to convince the organization's leadership.

"Eventually, NSA became the sole editor" of the international standard,
according to one classified memo seen by the NYT.

The details come just as NIST released a promise to reopen the public
vetting process for SP 800-90.  "We want to assure the IT cybersecurity
community that the transparent, public process used to rigorously vet our
standards is still in place," a memo from the Institute read. "NIST would
not deliberately weaken a cryptographic standard. We will continue in our
mission to work with the cryptographic community to create the strongest
possible encryption standards for the US government and industry at large."

Still, NIST asserted that its purpose was to protect the federal government
first: "NIST's mandate is to develop standards and guidelines to protect
federal information and information systems. Because of the high degree of
confidence in NIST standards, many private industry groups also voluntarily
adopt these standards."

The public comment period on SP 800-90 ends November 6, 2013.
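The Ferguson/Shumow observation above (the same "elliptic curve-based deterministic random bit generator" that the preceding NIST item says is now strongly discouraged) worked through as an added example; this is constructed code, not the digest's, NIST's or the cited articles', and it assumes a tiny search-found curve in place of P-256, full x-coordinate outputs instead of the standard's 16-bit truncation, and arbitrary demo values for d and the seed:

```python
# Constructed toy Dual_EC_DRBG (not the digest's or NIST's code): a small prime-order
# curve found by search stands in for P-256, outputs are the full x-coordinate (the
# real standard drops the top 16 bits, costing a predictor at most 2^16 guesses per
# output), and d and the seed are arbitrary demo values.

def ec_add(A, B, c):
    """Add points on y^2 = x^3 + ax + b over GF(p); None is the point at infinity."""
    p, a = c["p"], c["a"]
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # A == -B
    if A == B:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, A, c):
    """Double-and-add scalar multiplication k*A."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A, c)
        A = ec_add(A, A, c)
        k >>= 1
    return R

def is_square(v, p):
    return v != 0 and pow(v, (p - 1) // 2, p) == 1

def lift_x(x, c):
    """Point with this x-coordinate (either sign of y; the choice is irrelevant), or None."""
    rhs = (x ** 3 + c["a"] * x + c["b"]) % c["p"]
    return next(((x, y) for y in range(c["p"]) if y * y % c["p"] == rhs), None)

def find_curve(primes=(61, 67, 71, 73, 79, 83, 89, 97)):
    """Brute-force a curve of prime order n > p with no point at x = 0, so every
    x-coordinate is a usable non-zero DRBG state (P-256 gives this for free)."""
    for p in primes:
        for a in range(1, p):
            for b in range(1, p):
                if (4 * a ** 3 + 27 * b ** 2) % p == 0 or is_square(b, p):
                    continue                          # singular, or a point with x = 0
                n = 1                                 # the point at infinity
                for x in range(p):
                    rhs = (x ** 3 + a * x + b) % p
                    n += 1 if rhs == 0 else 2 if is_square(rhs, p) else 0
                if n > p and all(n % d for d in range(2, int(n ** 0.5) + 1)):
                    return {"p": p, "a": a, "b": b, "n": n}
    raise ValueError("no suitable curve among the candidate primes")

def dual_ec(seed, count, P, Q, c):
    """Dual_EC_DRBG core: each round sets s = x(s*P) and outputs r = x(s*Q)."""
    s, outs = seed, []
    for _ in range(count):
        s = ec_mul(s, P, c)[0]
        outs.append(ec_mul(s, Q, c)[0])
    return outs

def predict(r, e, P, Q, count, c):
    """The backdoor: whoever knows e with P = e*Q lifts one output r = x(s*Q) to
    R = +/-s*Q, computes e*R = +/-s*P, and reads the next state off its x-coordinate."""
    s_next = ec_mul(e, lift_x(r, c), c)[0]
    return [ec_mul(s_next, Q, c)[0]] + dual_ec(s_next, count - 1, P, Q, c)

def demo(d=5, seed=7, count=6):
    """Return (actual outputs after the first one, outputs predicted from the first)."""
    c = find_curve()
    p = c["p"]
    P = next(filter(None, (lift_x(x, c) for x in range(1, p))))
    Q = ec_mul(d, P, c)                               # rigged parameter: Q = d*P
    e = pow(d, -1, c["n"])                            # the designer's secret: P = e*Q
    outs = dual_ec(seed, count, P, Q, c)
    return outs[1:], predict(outs[0], e, P, Q, count - 1, c)
```

A user of the generator cannot distinguish an honestly chosen Q from d*P, which is why the NIST items above turn on how the fixed points were chosen: they must be generated verifiably at random or supplied by the user.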


Malware Mining Civil Aviation Data - AVweb flash Article

Gabe Goldberg <gabe@gabegold.com>
Tue, 17 Sep 2013 10:02:00 -0400
A computer security company, TrendMicro, Thursday reported that it has found
a particular family of malware gathering information "related to the civil
aviation sector."

  [but doesn't mention how such a sector is targeted]

The best defense against the Sykipot malware is to keep your computer
systems updated with the most current security software.

  [Profoundly advises a company selling security software]

Sykipot attacks normally arrive via email attachments that exploit
applications like Adobe Reader and Microsoft Office but has evolved to use a
target's operating system, web browsers and Java scripts.

  [Exploiting such innovative attack vectors...]

http://www.avweb.com/avwebflash/news/Malware-Mining-Civil-Aviation-sykipot-attack220572-1.html


E-ZPasses Get Read All Over New York, Not Just At Toll Booths (Kashmir Hill)

Henry Baker <hbaker1@pipeline.com>
Sat, 14 Sep 2013 05:17:12 -0700
Of course, with license plate readers everywhere, this is now old news...

http://www.forbes.com/sites/kashmirhill/2013/09/12/e-zpasses-get-read-all-over-new-york-not-just-at-toll-booths/

Kashmir Hill, *Forbes*, 12 Sep 2013 (PGN-ed)

After spotting a police car with two huge boxes on its trunk—that turned
out to be license-plate-reading cameras—a man in New Jersey became
obsessed with the loss of privacy for vehicles on American roads. (He's not
the only one.) The man, who goes by the Internet handle Puking Monkey, did
an analysis of the many ways his car could be tracked and stumbled upon
something rather interesting: his E-ZPass, which he obtained for the purpose
of paying tolls, was being used to track his car in unexpected places, far
away from any toll booths.

Puking Monkey is an electronics tinkerer, so he hacked his RFID-enabled
E-ZPass to set off a light and a `moo cow' every time it was being
read. Then he drove around New York. His tag got milked multiple times on
the short drive from Times Square to Madison Square Garden in mid-town
Manhattan, and also on his way out of New York through Lincoln Tunnel, again
in a place with no toll plaza.

At Defcon, where he presented his findings, Puking Monkey said he found the
reading of the E-ZPass outside of where he thought it would be read when he
put it in his car "intrusive and unsettling," quoting from Sen. Chuck
Schumer's remarks about retailers tracking people who come into their stores
using their cell phones.  [...]

  [Also noted by Monty Solomon.  PGN]


"Adobe issues critical security updates for Flash Player, Reader and Shockwave Player" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Fri, 13 Sep 2013 10:59:35 -0700
Does it seem to you that it has been a bad time lately for patches?

Lucian Constantin, InfoWorld, 11 Sep 2013
The new updates address vulnerabilities that could allow attackers to
compromise computers
http://www.infoworld.com/d/security/adobe-issues-critical-security-updates-flash-player-reader-and-shockwave-player-226621


"Microsoft pulls botched KB 2871630, while many Office patch problems remain" (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Fri, 13 Sep 2013 10:54:23 -0700
Woody Leonhard, *InfoWorld*, 12 Sep 2013
Pulling the KB 2871630 patch took Microsoft more than 14 hours after the
first warnings appeared, and admins are furious. What's Microsoft doing
wrong?
http://www.infoworld.com/t/microsoft-windows/microsoft-pulls-botched-kb-2871630-while-many-office-patch-problems-remain-226690

  [Gene previously had noted an earlier article:
  It must be Wretched Wednesday—the day after Black Tuesday. Watch
  out for automatic patches KB 2817630, KB 2810009, KB 2760411, KB 2760588,
  and KB 2760583.   PGN-ed]
http://www.infoworld.com/t/microsoft-windows/microsoft-botches-still-more-patches-in-latest-automatic-update-226594


Sharing due to phone failure

Karl Goetz <karl@kgoetz.id.au>
Fri, 20 Sep 2013 19:23:13 +1000
My partner's phone developed problems in the last few weeks and was finally
taken in for repair this week.

I will brush over the risks associated with over-dependence on mobile
devices (we have no fixed voice line, so we depend on our mobiles heavily) to
consider what I found the most interesting bit of the experience.

The loaner phone she was given still had the last user's messages on it!

I can see three places someone should have checked for data that shouldn't
be shared:

- when the previous user was done with the phone
- when the shop received the phone back
- before the phone was given out again

An interesting vector for data leakage.


HuffPost Essay by Charles Perrow on Fukushima (via Dave Farber)

John Bosley <jandpbosley@verizon.net>
September 23, 2013 9:43:56 AM EDT
Dr. Perrow has a long history of studying how safe systems seem to go wrong.
http://www.huffingtonpost.com/charles-perrow/fukushima-forever_b_3941589.html


BOOK: Rebecca Slayton, Arguments that Count

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 24 Sep 2013 11:37:07 PDT
Rebecca Slayton
Arguments that Count:
Physics, Computing, and Missile Defense, 1949-2012
MIT Press, 2013
xi + 325 (including 76 pages of end notes and a 21-page index)

Here is a remarkably well researched and comprehensive book that is totally
within the mainstream of RISKS.  The MIT Press release includes this text:

  She compares how two different professional communities—physicists
  and computer scientists—constructed arguments about the risks of
  missile defense, and how these changed over time.
