The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 60

Monday 18 November 2013


Protecting Data Privacy
Marc Rotenberg
What happens in Vegas DOESN'T stay in Vegas with new street lights that can record your conversations
Randall Head via Dewayne Hendricks
The Surveillance State Puts U.S. Elections at Risk of Manipulation
Conor Friedersdorf via Henry Baker
"Internet gambling: Play at your own risk"
Monica Goya via Gene Wirchenko
My Latest Essay on the "Public/Private Surveillance Partnership"
Bruce Schneier
Snowden persuaded other NSA workers to give up passwords - sources
Hosenball and Strobel via David Farber
Eben Moglen: Snowden and the Future
David S. Isenberg via Dewayne Hendricks
TA13-309A: CryptoLocker Ransomware Infections
"4 reasons BadBIOS isn't real"
Roger A. Grimes via Gene Wirchenko
Info on RISKS (comp.risks)

Protecting Data Privacy (Marc Rotenberg)

"Peter G. Neumann" <>
Wed, 6 Nov 2013 13:58:52 PST
Letter to the Editor of *The New York Times*, published 6 Nov 2013

For many years, consumer privacy organizations urged Internet companies to
adopt better practices to safeguard the personal information they collected.
As data services expanded, we asked the companies to minimize collection
when possible and to delete data when it was no longer necessary to keep.

When cloud services were first offered, we proposed routine encryption for
stored user data. We recommended segregating credit files and cautioned
against the consolidation of user profiles. We urged the companies to
support necessary updates to privacy laws that would lead to the adoption of
new privacy-enhancing techniques.

And when Google and the National Security Agency entered into a secret
arrangement in 2010 about Internet security, we brought an open government
lawsuit to make the agreement public.

Companies were often reluctant to adopt these security measures, arguing
cost, convenience and trade secrets. They said that self-regulation was
adequate and no new laws were necessary. Now we learn that vast amounts of
user data have been unlawfully acquired by the N.S.A. and that companies are
scrambling to implement new security practices to protect against our own
government agencies ("Angry Over U.S. Surveillance, Tech Giants Bolster
Defenses," front page, 1 Nov 2013).

Perhaps it is time to rethink the cloud computing model. The risks are too
high. The safeguards are too weak. And the companies are not prepared to
carry the responsibility of gathering so much user data.

Marc Rotenberg, Washington DC, 4 Nov 2013
[Marc Rotenberg is the president of the Electronic Privacy Information Center.]

What happens in Vegas DOESN'T stay in Vegas with new street lights that can record your conversations (Randall Head)

Dewayne Hendricks <>
November 12, 2013 at 6:47:34 AM EST
[Note:  This item comes from reader Randall Head,  DLH, via Dave Farber]

* Wireless street lights can play music, video, interact with pedestrians
  and have 'Homeland Security' applications like video surveillance monitors.
* Las Vegas residents worry that the lights are an invasion of privacy --
  'Who's protecting our rights?'
* Some cities in the UK and Holland have street lights that reprimand
  pedestrians for minor offenses like littering.

*Daily Mail*, 10 Nov 2013

Las Vegas is currently installing Intellistreet lights to their well-lit
city. But Intellistreets are not just any street-lighting system.

The wireless, LED lighting, computer-operated lights are not only capable of
illuminating streets, they can also play music, interact with pedestrians
and are equipped with video screens, which can display police alerts,
weather alerts and traffic information. The high tech lights can also stream
live video of activity in the surrounding area.

But there's one major concern. These new street lights, being rolled out with
the aid of government funding, are also capable of recording video and

Neil Rohleder with the Public Works Department told NBC News 3 in Las Vegas
that the main reason for installing the new lighting system is not to record
anyone or anything.

'We want to develop more than just the street lighting component,' Rohleder
said. 'We want to develop an experience for the people who come downtown.'

But some residents worry that the lights, which are currently being tested
in and around Las Vegas City Hall, are an invasion of privacy.

Civil rights activist Daphne Lee told NBC News 3 that she is worried about
her freedom as an American citizen.  "This technology, you know is taking
us to a place where, you know, you'll essentially be monitored from the
moment you leave your home till the moment you get home."

On the Intellistreets website, inventor Ron Harwood explains that cameras
for surveillance and recording devices can be installed in the light
fixtures. But Las Vegas public works director, Jorge Servantes told News 3
that recording pedestrians is not in the cards in the immediate future.
"Right now our intention is not to have any cameras or recording devices.
It's just to provide output out there, not to get any feed or video feed
coming back."

That said, the lights are being touted as security devices that can assist
with 'Homeland Security' measures by providing applications like video
surveillance and motion sensors.

Lee wonders who is protecting our rights? ...

The Surveillance State Puts U.S. Elections at Risk of Manipulation (Conor Friedersdorf)

Henry Baker <>
Sat, 09 Nov 2013 12:33:31 -0800
FYI—These scenarios only contemplate _passive_ surveillance; even the
tiniest amount of non-passive activity would greatly magnify these effects:
a computer system which fails on election day, a selected number of email
accounts and/or text messaging systems become inaccessible at inopportune
times, mobile phones whose connections are broken during press interviews,
an inconvenient "backhoe fiber cut" which cancels a TV appearance, plane
flights delayed due to computer glitches, etc.  There's more than enough
natural "static" under which to hide considerable amounts of mischief.

The Surveillance State Puts U.S. Elections at Risk of Manipulation
By Conor Friedersdorf

Did the Obama Administration ever spy on Mitt Romney during the recent
presidential contest?  Alex Tabarrok, who raised the question at the popular
economics blog Marginal Revolution, acknowledges that it is provocative.
Until recently, he would've regarded it as a "loony" question, he writes,
and he doesn't think that President Obama ordered the NSA to spy on Romney
for political gain.

Let's be clear: I don't think so either.  In every way, I regard Obama as
our legitimate head of state, full stop.  But I agree with Tabarrok that
today, "the only loonies are those who think the question unreasonable." *
Most Americans have a strong intuition that spying and electoral
manipulation of that kind could never happen here.  I share that intuition,
but I know it's nonsense: the Nixon Administration did spy on its opponents
for political gain.  Why do I worry that an unreformed surveillance state
could put us in even greater jeopardy of such shenanigans?

Actually, I have a particular scenario in mind, and it seems frighteningly
plausible.  I'll sketch it out at the end of this article.  But first, let's
get back to Tabarrok:

Do I think Obama ordered the NSA to spy on Romney for political gain?  No.
Some people claim that President Obama didn't even know about the full
extent of NSA spying.  Indeed, I imagine that President Obama was almost as
surprised as the rest of us when he first discovered that we live in a mass
surveillance state in which billions of emails, phone calls, Facebook
metadata and other data are being collected.

The answer is yes, however, if we mean did the NSA spy on political
candidates like Mitt Romney.  Did Mitt Romney ever speak with Angela Merkel,
whose phone the NSA bugged, or any one of the dozens of her advisers that
the NSA was also bugging?  Did Romney exchange emails with Mexican President
Felipe Calderon?  Were any of Romney's emails, photos, texts or other
metadata hoovered up by the NSA's break-in to the Google and Yahoo
communications links?

Almost certainly the answer is yes.

Of course, that doesn't mean that Romney's information was improperly
exploited during the election.  "Did the NSA use the information they
gathered on Mitt Romney and other political candidates for political
purposes?  Probably not," Tabarrok writes.  "Will the next president or the
one after that be so virtuous so as to not use this kind of power?  I have
grave doubts. Men are not angels."

I'll tell you why I agree on both counts.

Why do I doubt Romney was treated unfairly?  Because I doubt Obama would
have dared order it, and because the prospect of a Romney victory didn't
threaten either the NSA nor a contractor like Booz Allen Hamilton nor the
national-security state generally.  There was reason to believe he'd have
been friendlier to them than Obama!

The scenario I worry about most isn't actually another Richard Nixon type in
the Oval Office, though that could certainly happen.  What I worry about
actually more closely resembles Mark Felt, the retired FBI agent exposed 32
years after Watergate as Deep Throat—that is, I worry more about people
high up inside the national-security state using their insider knowledge to
help take down a politician.  Is part of the deference they enjoy due to
politicians worrying about that too?

Imagine a very plausible 2016 presidential contest in which an anti-NSA
candidate is threatening to win the nomination of one party or the other --
say that Ron Wyden is challenging Hillary Clinton, or that Rand Paul might
beat Chris Christie.  Does anyone doubt where Keith Alexander or his
successor as NSA director would stand in that race?  Or in a general
election where an anti-NSA candidate might win?

What would an Alexander type do if he thought the victory of one candidate
would significantly rein in the NSA with catastrophic effects on national
security? Would he really do nothing to prevent their victory?

I don't know.  But surely there is some plausible head of the NSA who'd be
tempted to use his position to sink the political prospects of candidates
antagonistic to the agency's interests.  And we needn't imagine something so
risky and unthinkable as direct blackmail.

Surveillance-state defenders will want to jump in here and insist that there
are already internal safeguards and congressional oversight to prevent the
abuses I am imagining.  But I don't buy it.  It isn't just that I can't help
but think Alexander could find a way to dig up dirt on politicians if he
wanted to without it ever getting out to overseers or the public.

Forget about Alexander.  Let's think about someone much lower in the
surveillance state hierarchy: Edward Snowden.  As we know, Snowden broke
protocol and violated his promise to keep classified information secret
because his conscience demanded it: He believed that he was acting for the
greater good; his critics have called him a narcissist for taking it upon
himself to violate rules and laws he'd agreed to obey.

It isn't hard to imagine an alternative world in which the man in Snowden's
position was bent not on reforming the NSA, but on thwarting its reformers
-- that he was willing to break the law in service of the surveillance
state, fully believing that he was acting in the best interests of the
American people.

A conscience could lead a man that way too.

This Bizarro Edward Snowden wouldn't have to abscond to a foreign country
with thousands of highly sensitive documents.  He wouldn't have to risk his
freedom.  Affecting a U.S. presidential election would be as easy as quietly
querying Rand Paul, or Ron Wyden, or one of their close associates, finding
some piece of damaging information, figuring out how someone outside the
surveillance state could plausibly happen upon that information, and then
passing it off anonymously or with a pseudonym to Politico, or The New York
Times, or Molly Ball. Raise your hand if you think that Snowden could've
pulled that off.

And if you were running for president, or senator, even today, might you
think twice about mentioning even an opinion as establishment friendly as,
"Hey, I'm all for NSA surveillance, but I don't trust a private contractor
like Booz Allen Hamilton to do it"?  Maybe safeguards put in place since the
first Snowden leak would prevent a Bizarro Edward Snowden with strong Booz
loyalties from targeting you.

Maybe.  Why risk it?

In yet another scenario, the NSA wouldn't go so far as to use information
obtained through surveillance to affect an election.  But they'd use it to
their advantage to thwart the reform agenda of the candidate they didn't
like if he or she won.

And maybe the NSA would be as horrified by this sort of thing as I am.  But
maybe one of their contractors is on the payroll of a foreign government,
and that person wants to affect a presidential election by exploiting the
unprecedented amounts of data that the surveillance state has collected and
stored on almost everyone.

American democracy could be subverted in all sorts of hypothetical ways.
Why worry about this one in particular? Here's the general standard I'd
submit as the one that should govern our thinking: If a powerful
institutional actor within government has a strong incentive to do something
bad, the means to do it, and a high likelihood of being able to do it
without getting caught, it will be done eventually.

The NSA has the incentive. At least as recently as the Snowden leaks, an
unknown number of its employees or contractors had the means.  And many
informed observers believe abuse undetected by overseers could be easily

If this particular abuse happened, it would be ruinous to self-government.

Let's fix this before it causes a scandal even bigger than Watergate—or
permits behavior more scandalous than Watergate that is never uncovered,
rectified or punished.

*And yes, it's just as legitimate to ask, did the Bush Administration spy on
 John Kerry?

**How sure are we that we know why he leaked?

"Internet gambling: Play at your own risk" (Monica Goya)

Gene Wirchenko <>
Wed, 13 Nov 2013 10:32:46 -0800
Monica Goya, IT Business, 12 Nov 2013

My Latest Essay on the "Public/Private Surveillance Partnership"

Bruce Schneier <>
Sat, 09 Nov 2013 07:59:13 -0600
A Fraying of the Public/Private Surveillance Partnership

The public/private surveillance partnership between the NSA and corporate
data collectors is starting to fray. The reason is sunlight. The publicity
resulting from the Snowden documents has made companies think twice before
allowing the NSA access to their users' and customers' data.

Pre-Snowden, there was no downside to cooperating with the NSA. If the NSA
asked you for copies of all your Internet traffic, or to put backdoors into
your security software, you could assume that your cooperation would forever
remain secret. To be fair, not every corporation cooperated willingly. Some
fought in court. But it seems that a lot of them, telcos and backbone
providers especially, were happy to give the NSA unfettered access to
everything. Post-Snowden, this is changing. Now that many companies'
cooperation has become public, they're facing a PR backlash from customers
and users who are upset that their data is flowing to the NSA. And this is
costing those companies business.

How much is unclear. In July, right after the PRISM revelations, the Cloud
Security Alliance reported that US cloud companies could lose $35 billion
over the next three years, mostly due to losses of foreign sales. Surely
that number has increased as outrage over NSA spying continues to build in
Europe and elsewhere. There is no similar report for software sales,
although I have attended private meetings where several large US software
companies complained about the loss of foreign sales. On the hardware side,
IBM is losing business in China. The US telecom companies are also
suffering: AT&T is losing business worldwide.

This is the new reality. The rules of secrecy are different, and companies
have to assume that their responses to NSA data demands will become
public. This means there is now a significant cost to cooperating, and a
corresponding benefit to fighting.

Over the past few months, more companies have woken up to the fact that the
NSA is basically treating them as adversaries, and are responding as
such. In mid-October, it became public that the NSA was collecting e-mail
address books and buddy lists from Internet users logging into different
service providers. Yahoo, which didn't encrypt those user connections by
default, allowed the NSA to collect much more of its data than Google, which
did. That same day, Yahoo announced that it would implement SSL encryption
by default for all of its users. Two weeks later, when it became public that
the NSA was collecting data on Google users by eavesdropping on the
company's trunk connections between its data centers, Google announced that
it would encrypt those connections.

We recently learned that Yahoo fought a government order to turn over
data. Lavabit fought its order as well. Apple is now tweaking the
government. And we think better of those companies because of it.

Now Lavabit, which closed down its e-mail service rather than comply with
the NSA's request for the master keys that would compromise all of its
customers, has teamed with Silent Circle to develop a secure e-mail standard
that is resistant to these kinds of tactics.

The Snowden documents made it clear how much the NSA relies on corporations
to eavesdrop on the Internet. The NSA didn't build a massive Internet
eavesdropping system from scratch. It noticed that the corporate world was
already eavesdropping on every Internet user—surveillance is the business
model of the Internet, after all—and simply got copies for itself.

Now, that secret ecosystem is breaking down.  Supreme Court Justice Louis
Brandeis wrote about transparency, saying "Sunlight is said to be the best
of disinfectants." In this case, it seems to be working.

These developments will only help security. Remember that while Edward
Snowden has given us a window into the NSA's activities, these sorts of
tactics are probably also used by other intelligence services around the
world. And today's secret NSA programs become tomorrow's PhD theses, and the
next day's criminal hacker tools. It's impossible to build an Internet
where the good guys can eavesdrop, and the bad guys cannot. We have a choice
between an Internet that is vulnerable to all attackers, or an Internet that
is safe from all attackers. And a safe and secure Internet is in everyone's
best interests, including the US's.

Snowden persuaded other NSA workers to give up passwords - sources (Hosenball and Strobel)

David Farber <>
Fri, 8 Nov 2013 09:36:19 -0500
Exclusive: Snowden persuaded other NSA workers to give up passwords - sources
Mark Hosenball and Warren Strobel, Reuters, 07 Nov 2013

Former U.S. National Security Agency contractor Edward Snowden used login
credentials and passwords provided unwittingly by colleagues at a spy base
in Hawaii to access some of the classified material he leaked to the media,
sources said.

A handful of agency employees who gave their login details to Snowden were
identified, questioned and removed from their assignments, said a source
close to several U.S. government investigations into the damage caused by
the leaks.

Snowden may have persuaded between 20 and 25 fellow workers at the NSA
regional operations center in Hawaii to give him their logins and passwords
by telling them they were needed for him to do his job as a computer systems
administrator, a second source said.

The revelation is the latest to indicate that inadequate security measures
at the NSA played a significant role in the worst breach of classified data
in the super-secret eavesdropping agency's 61-year history.

Reuters reported last month that the NSA failed to install the most
up-to-date, anti-leak software at the Hawaii site before Snowden went to
work there and downloaded highly classified documents belonging to the
agency and its British counterpart, Government Communication Headquarters.

It is not clear what rules the employees broke by giving Snowden their
passwords, which allowed the contractor access to data that he was not
authorized to see.

Snowden worked at the Hawaii site for about a month last spring, during
which he got access to and downloaded tens of thousands of secret NSA


"In the classified world, there is a sharp distinction between insiders and
outsiders. If you've been cleared and especially if you've been polygraphed,
you're an insider and you are presumed to be trustworthy," said Steven
Aftergood, a secrecy expert with the Federation of American Scientists.

"What agencies are having a hard time grappling with is the insider threat,
the idea that the guy in the next cubicle may not be reliable," he added.

Officials with the NSA and the Office of Director of National Intelligence
declined to comment due to a criminal investigation related to Snowden, who
disclosed previously secret U.S. government mass surveillance programs while
in Hong Kong in June and then fled to Russia where he was granted temporary

People familiar with efforts to assess the damage to U.S. intelligence
caused by Snowden's leaks have said assessments are proceeding slowly
because Snowden succeeded in obscuring some electronic traces of how he
accessed NSA records.

The sources did not know if the NSA employees who were removed from their
assignments were given other duties or fired.

While the U.S. government now believes it has a good idea of all the data to
which Snowden could have had access, investigators are not positive which and
how much of that data Snowden actually downloaded, the sources said.

Snowden and some of his interlocutors, such as former Guardian writer Glenn
Greenwald, have said that Snowden provided NSA secrets only to media
representatives such as Greenwald, filmmaker Laura Poitras, and a reporter
with the British newspaper.

They have emphatically denied that he provided any classified material to
countries such as China or Russia.

The revelation that Snowden got access to some of the material he leaked by
using colleagues' passwords surfaced as the U.S. Senate Intelligence
Committee approved a bill intended in part to tighten security over
U.S. intelligence data.

One provision of the bill would earmark a classified sum of money -
estimated as less than $100 million - to help fund efforts by intelligence
agencies to install new software designed to spot and track attempts to
access or download secret materials without proper authorization.

The bill also requires that the Director of National Intelligence set up a
system requiring intelligence contractors to quickly report to spy agencies
on incidents in which data networks have been penetrated by unauthorized

(Editing by Alistair Bell and Paul Simao)

Eben Moglen: Snowden and the Future (David Isenberg)

"Dewayne Hendricks" <>
Nov 12, 2013 11:01 AM
[Note: This item comes from friend David Isenberg. Moglen is in the process
of giving a four-part series of talks on this subject.  Links to the first
two are below.  You can go back to the website in the coming weeks to pickup
the remainder.  The talks are available in a number of formats.  I rate this
series as a must watch/listen!  DLH (via Dave Farber)]

From: David S. Isenberg (g) <>
Subject: Eben Moglen: Snowden and the Future
Date: November 12, 2013 at 7:48:02 AM PST
To: Dewayne Hendricks <>


The members of your technology list may find this of

Eben Moglen, the Columbia University law professor who
founded the Open Software Law Foundation, has delivered
two lectures, entitled "Snowden and the Future," that
cast today's events in a broad historical and sociological


David I

TA13-309A: CryptoLocker Ransomware Infections

"US-CERT" <>
Wed, 13 Nov 2013 11:09:36 -0600
National Cyber Awareness System:

TA13-309A: CryptoLocker Ransomware Infections
Original release 05 Nov 2013, Last revised 13 Nov 2013

Systems Affected

Microsoft Windows systems running Windows 8, Windows 7, Vista, and XP
operating systems


US-CERT is aware of a malware campaign that surfaced in 2013 and is
associated with an increasing number of ransomware infections. CryptoLocker
is a new variant of ransomware that restricts access to infected computers
and demands the victim provide a payment to the attackers in order to
decrypt and recover their files. As of this time, the primary means of
infection appears to be phishing emails containing malicious attachments.


CryptoLocker appears to have been spreading through fake emails designed to
mimic the look of legitimate businesses and through phony FedEx and UPS
tracking notices.  In addition, there have been reports that some victims
saw the malware appear following after a previous infection from one of
several botnets frequently leveraged in the cyber-criminal underground.


The malware has the ability to find and encrypt files located within shared
network drives, USB drives, external hard drives, network file shares and
even some cloud storage drives.  If one computer on a network becomes
infected, mapped network drives could also become infected. CryptoLocker
then connects to the attackers' command and control (C2) server to deposit
the asymmetric private encryption key out of the victim's reach.

Victim files are encrypted using asymmetric encryption. Asymmetric
encryption uses two different keys for encrypting and decrypting
messages. Asymmetric encryption is a more secure form of encryption as only
one party is aware of the private key, while both sides know the public key.

While victims are told they have three days to pay the attacker through a
third-party payment method (MoneyPak, Bitcoin), some victims have claimed
online that they paid the attackers and did not receive the promised
decryption key.  US-CERT and DHS encourage users and administrators
experiencing a ransomware infection NOT to respond to extortion attempts by
attempting payment and instead to report the incident to the FBI at the
Internet Crime Complaint Center (IC3).



US-CERT recommends users and administrators take the following preventative
measures to protect their computer networks from a CryptoLocker infection:

  * Do not follow unsolicited web links in email messages or submit any
    information to webpages in links.
  * Use caution when opening email attachments. Refer to the Security Tip
    Using Caution with Email Attachments for more information on safely
    handling email attachments.
  * Maintain up-to-date anti-virus software.
  * Perform regular backups of all systems to limit the impact of data
    and/or system loss.
  * Apply changes to your Intrusion Detection/Prevention Systems and
    Firewalls to detect any known malicious activity.
  * Secure open-share drives by only allowing connections from authorized
    users.
  * Keep your operating system and software up-to-date with the latest
    patches.
  * Refer to the Recognizing and Avoiding Email Scams (pdf) document for
    more information on avoiding email scams.
  * Refer to the Security Tip Avoiding Social Engineering and Phishing
    Attacks for more information on social engineering attacks.


US-CERT suggests the following possible mitigation steps that users and
administrators can implement, if you believe your computer has been infected
with CryptoLocker malware:

  * Immediately disconnect the infected system from the wireless or wired
    network. This may prevent the malware from further encrypting any more
    files on the network.
  * Users who are infected should change all passwords AFTER removing the
    malware from their system.
  * Users who are infected with the malware should consult with a reputable
    security expert to assist in removing the malware, or users can retrieve
    encrypted files by the following methods:
      * Restore from backup,
      * Restore from a shadow copy or
      * Perform a system restore.

[Lots of References: See original]

"4 reasons BadBIOS isn't real" (Roger A. Grimes)

Gene Wirchenko <>
Tue, 12 Nov 2013 11:00:34 -0800
Roger A. Grimes, InfoWorld, 12 Nov 2013
Did a noted security researcher find a superbug—or go crazy? In
light of the facts, supposed existence of BadBIOS doesn't add up
