The RISKS Digest
Volume 27 Issue 68

Friday, 3rd January 2014

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Searching the Internet for evidence of time travelers
Robert J. Nemiroff via Dave Farber
Lauren Weinstein
Apple, Cisco, Dell unhappy over alleged NSA back doors in their gear
Gene Wirchenko
Apple Says It Is 'Unaware' of N.S.A. iPhone Hack Program
Nicole Perlroth
Backdoor in popular wireless routers/DSL modems
Lauren Weinstein
TA14-002A: Malware Targeting Point of Sale Systems
US-CERT
4.6 million Snapchat phone numbers and usernames leaked
Lauren Weinstein
Local restaurant chain source of data breach that compromised card info of conventioneers
Deirdre Fernandes
Researchers Hack Webcam While Disabling Warning Lights
Nick Bilton
Edward Snowden, Whistle-Blower
NYT Editorial via Dewayne Hendricks
Recent *Der Spiegel* coverage about the NSA and GCHQ
Jacob Appelbaum
Court Rules No Suspicion Needed for Laptop Searches at Border
ACLU via Richard Forno
Re: Hackers target cash machines with USB sticks
David Alexander
Re: Data brokers won't even tell the government how it ... your data
Matthew Kruk
Internet citizen mobilization and the law
Gary T Marx
Info on RISKS (comp.risks)

Searching the Internet for evidence of time travelers

David Farber <farber@gmail.com>
Thu, 2 Jan 2014 07:59:58 -0500
Physics > Popular Physics (Submitted on 26 Dec 2013)
(From Robert J. Nemiroff via Dave Farber)
http://arxiv.org/abs/1312.7128

Time travel has captured the public imagination for much of the past
century, but little has been done to actually search for time
travelers. Here, three implementations of Internet searches for time
travelers are described, all seeking a prescient mention of information not
previously available. The first search covered prescient content placed on
the Internet, highlighted by a comprehensive search for specific terms in
tweets on Twitter. The second search examined prescient inquiries submitted
to a search engine, highlighted by a comprehensive search for specific
search terms submitted to a popular astronomy web site. The third search
involved a request for a direct Internet communication, either by e-mail or
tweet, pre-dating to the time of the inquiry. Given practical verifiability
concerns, only time travelers from the future were investigated. No time
travelers were discovered. Although these negative results do not disprove
time travel, given the great reach of the Internet, this search is perhaps
the most comprehensive to date.


Searching the Internet for evidence of time travelers

Lauren Weinstein <lauren@vortex.com>
Wed, 1 Jan 2014 21:14:13 -0800
I should note that whenever I've conducted time travel experiments, I've
always scanned for any published research revealing it later (or, well,
earlier) and then gone "back" and introduced sufficient changes (small "c"
as per Asimov) to eliminate any evidence of those articles and/or newscasts,
etc.  That process will ultimately include this message.


Apple, Cisco, Dell unhappy over alleged NSA back doors in their gear

Gene Wirchenko <genew@telus.net>
Fri, 03 Jan 2014 09:29:14 -0800
Germany's Der Spiegel reports that the NSA has compromised a wide range of
  hardware for years to enable its spying
InfoWorld, 31 Dec 2013
http://www.infoworld.com/d/security/apple-cisco-dell-unhappy-over-alleged-nsa-back-doors-in-their-gear-233261


Apple Says It Is 'Unaware' of N.S.A. iPhone Hack Program (Nicole Perlroth)

Monty Solomon <monty@roscom.com>
Wed, 1 Jan 2014 01:34:31 -0500
Nicole Perlroth, *The New York Times*, 31 Dec 2013

Apple said Tuesday that it was unaware of the National Security Agency's
efforts to hack into the iPhone and has never facilitated agency efforts to
install backdoors into its products.

The Cupertino, Calif., company released a strongly worded statement in
response to a recent article in the German magazine Der Spiegel, which
reported that N.S.A. analysts refer internally to iPhone users as "zombies"
who "pay for their own surveillance."

"Apple has never worked with the N.S.A. to create a backdoor in any of our
products, including iPhone," an Apple spokeswoman said in an e-mail.

*Der Spiegel* released a number of slides detailing the agency's hacking
division - known internally as the Tailored Access Operations, or T.A.O.
division. One slide, describing an N.S.A.  software implant called
DROPOUTJEEP, stood out.

The agency described DROPOUTJEEP as a "software implant for Apple iPhone"
that has all kinds of handy spy capabilities. DROPOUTJEEP can pull or push
information onto the iPhone, snag SMS text messages, contact lists,
voicemail and a person's geolocation, both from the phone itself and from
cell towers in close proximity.

It can also turn the iPhone into a "hot mic" using the phone's own
microphone as a recording device and capture images via the iPhone's
camera. (Reminder to readers: Masking tape is not a bad idea). ...

http://bits.blogs.nytimes.com/2013/12/31/apple-says-it-is-unaware-of-n-s-a-iphone-hack-program/


Backdoor in popular wireless routers/DSL modems

Lauren Weinstein <lauren@vortex.com>
Thu, 2 Jan 2014 17:03:17 -0800
  "A hacker has found a backdoor to wireless combination router/DSL modems
  that could allow an attacker to reset the router's configuration and gain
  access to the administrative control panel. The attack, confirmed to work
  on several Linksys and Netgear DSL modems, exploits an open port
  accessible over the wireless local network.  The backdoor requires that
  the attacker be on the local network, so this isn't something that could
  be used to remotely attack DSL users.  However, it could be used to
  commandeer a wireless access point and allow an attacker to get unfettered
  access to local network resources."
    http://j.mp/1cpQ717  (Ars Technica via NNSquad)


TA14-002A: Malware Targeting Point of Sale Systems

"US-CERT" <US-CERT@ncas.us-cert.gov>
Thu, 02 Jan 2014 17:13:59 -0600
National Cyber Awareness System:
TA14-002A: Malware Targeting Point of Sale Systems, 2 Jan 2014
https://www.us-cert.gov/ncas/alerts/TA14-002A

For quite some time, cyber criminals have been targeting consumer data
entered in POS systems. In some circumstances, criminals attach a physical
device to the POS system to collect card data, which is referred to as
skimming. In other cases, cyber criminals deliver malware which acquires
card data as it passes through a POS system, eventually exfiltrating the
desired data back to the criminal. Once the cybercriminal receives the data,
it is often trafficked to other suspects who use the data to create
fraudulent credit and debit cards.

As POS systems are connected to computers or devices, they are also often
enabled to access the Internet and e-mail services. Therefore malicious
links or attachments in e-mails as well as malicious websites can be
accessed and malware may subsequently be downloaded by an end user of a POS
system. The return on investment is much higher for a criminal to infect one
POS system that will yield card data from multiple consumers.

  [Excerpted for RISKS.  Please dig up the entire CERT message if this might
  affect you.  PGN]


4.6 million Snapchat phone numbers and usernames leaked

Lauren Weinstein <lauren@vortex.com>
Wed, 1 Jan 2014 07:41:31 -0800
http://j.mp/1d9Nt0o (Verge via NNSquad)

  The phone numbers and usernames of more than 4.6 million North American
  Snapchat users have been leaked online. SnapchatDB, an unofficial site run
  by an anonymous individual or group, allows open access to two files - one
  an SQL dump, one CSV text - that show details of the photo-sharing app's
  users alongside their location.  The final two digits of phone numbers
  have been censored "to minimize spam and abuse," but SnapchatDB says
  people should "feel free" to contact it for the uncensored database, as it
  may release it under certain circumstances. Usernames are presented
  unedited, and SnapchatDB notes that "people tend to use the same username
  around the web." Those that download the information, it says, can try to
  "find phone number information associated with Facebook and Twitter
  accounts, or simply to figure out the phone numbers of people you wish to
  get in touch with."

    See also Has your Snapchat info been leaked?
    http://j.mp/1da2rDs  (Snapcheck)

       [See also
http://www.zdnet.com/researchers-publish-snapchat-code-allowing-phone-number-matching-after-exploit-disclosures-ignored-7000024629/
       PGN]


Local restaurant chain source of data breach that compromised card info of conventioneers (Deirdre Fernandes)

Monty Solomon <monty@roscom.com>
Sat, 28 Dec 2013 17:34:36 -0500
Deirdre Fernandes, *The Boston Globe*, 27 Dec 2013

A local restaurant chain confirmed Friday that its computer systems were
breached, putting at risk the credit card information of thousands of
customers, including visitors who attended two major conventions in Boston.

Briar Group, which owns 10 restaurants and bars in Boston, including two at
the Westin hotel connected to the Boston Convention and Exhibition Center,
said its computer systems were infiltrated sometime between October and
early November. It said customer names, credit card numbers, expiration
dates, and security information were captured from the cards' magnetic
strips. ...

http://www.boston.com/business/news/2013/12/27/local-restaurant-chain-was-source-data-breach-that-compromised-card-info-conventioneers/0dpNHdFp7VVltD9bZIbrVI/story.html

Chain confirms it was source of breach affecting conventions
By Deirdre Fernandes |  GLOBE STAFF     DECEMBER 28, 2013
http://www.bostonglobe.com/business/2013/12/27/local-restaurant-chain-source-data-breach-that-compromised-card-info-conventioneers/wPhKKndyN4hshrU47J2rwO/story.html?s_campaignƒ15

Important information about unauthorized access to credit card data
December 27, 2013
http://www.briar-group.com/whats-new/important-information-about-unauthorized-access-credit-card-data


Researchers Hack Webcam While Disabling Warning Lights (Nick Bilton)

Monty Solomon <monty@roscom.com>
Sun, 29 Dec 2013 01:19:01 -0500
Nick Bilton, *The New York Times*, 19 Dec 2013

If you're sitting at your computer reading this, smile, you could be on
camera. Actually, don't smile.

Last week, researchers at Johns Hopkins University's Department of Computer
Science showed off an exploit that allows a hacker to take over some MacBook
computers and activate their Web cameras without the users' knowledge.

The webcam hacking technique, first reported by The Washington Post, is said
to be similar to a tactic used to spy on Cassidy Wolf, a 19-year-old Miss
Teen USA, who fell victim to a webcam hacker earlier this year.

The Federal Bureau of Investigation arrested the man responsible for the
spying on Ms. Wolf. He pleaded guilty to charges in connection with his
spying on her and a number of other women, using software that could snap a
picture or record video of them without warning.

The Johns Hopkins paper, titled "iSeeYou: Disabling the MacBook Webcam
Indicator LED," explains how the researchers were able to reprogram an
iSight camera's microcontroller to activate the recording functions and LED
activation lights independently to spy on someone without giving that person
any idea that the computer camera is in use. ...

http://bits.blogs.nytimes.com/2013/12/19/researchers-hack-webcam-while-disabling-warning-lights/


Edward Snowden, Whistle-Blower (NYT Editorial)

Dewayne Hendricks <dewayne@warpspeed.com>
January 2, 2014 at 4:07:09 AM EST
Edward Snowden, Whistle-Blower
The Editorial Board, *The New York Times*, 1 Jan 2014
http://www.nytimes.com/2014/01/02/opinion/edward-snowden-whistle-blower.html

Seven months ago, the world began to learn the vast scope of the National
Security Agency's reach into the lives of hundreds of millions of people
in the United States and around the globe, as it collects information about
their phone calls, their e-mail messages, their friends and contacts, how
they spend their days and where they spend their nights. The public learned
in great detail how the agency has exceeded its mandate and abused its
authority, prompting outrage at kitchen tables and at the desks of Congress,
which may finally begin to limit these practices.

The revelations have already prompted two federal judges to accuse the
N.S.A. of violating the Constitution (although a third, unfortunately, found
the dragnet surveillance to be legal). A panel appointed by President Obama
issued a powerful indictment of the agency's invasions of privacy and
called for a major overhaul of its operations.

All of this is entirely because of information provided to journalists by
Edward Snowden, the former N.S.A. contractor who stole a trove of highly
classified documents after he became disillusioned with the agency's
voraciousness. Mr. Snowden is now living in Russia, on the run from American
charges of espionage and theft, and he faces the prospect of spending the
rest of his life looking over his shoulder.

Considering the enormous value of the information he has revealed, and the
abuses he has exposed, Mr. Snowden deserves better than a life of permanent
exile, fear and flight. He may have committed a crime to do so, but he has
done his country a great service. It is time for the United States to offer
Mr. Snowden a plea bargain or some form of clemency that would allow him to
return home, face at least substantially reduced punishment in light of his
role as a whistle-blower, and have the hope of a life advocating for greater
privacy and far stronger oversight of the runaway intelligence community.

Mr. Snowden is currently charged in a criminal complaint with two violations
of the Espionage Act involving unauthorized communication of classified
information, and a charge of theft of government property. Those three
charges carry prison sentences of 10 years each, and when the case is
presented to a grand jury for indictment, the government is virtually
certain to add more charges, probably adding up to a life sentence that
Mr. Snowden is understandably trying to avoid.

The president said in August that Mr. Snowden should come home to face those
charges in court and suggested that if Mr. Snowden had wanted to avoid
criminal charges he could have simply told his superiors about the abuses,
acting, in other words, as a whistle-blower.

“If the concern was that somehow this was the only way to get this
information out to the public, I signed an executive order well before
Mr. Snowden leaked this information that provided whistle-blower protection
to the intelligence community for the first time,'' Mr. Obama said at a news
conference. “So there were other avenues available for somebody whose
conscience was stirred and thought that they needed to question government
actions.''

In fact, that executive order did not apply to contractors, only to
intelligence employees, rendering its protections useless to
Mr. Snowden. More important, Mr. Snowden told The Washington Post earlier
this month that he did report his misgivings to two superiors at the agency,
showing them the volume of data collected by the N.S.A., and that they took
no action. (The N.S.A. says there is no evidence of this.) That's almost
certainly because the agency and its leaders don't consider these
collection programs to be an abuse and would never have acted on
Mr. Snowden's concerns.

In retrospect, Mr. Snowden was clearly justified in believing that the only
way to blow the whistle on this kind of intelligence-gathering was to expose
it to the public and let the resulting furor do the work his superiors would
not. Beyond the mass collection of phone and Internet data, consider just a
few of the violations he revealed or the legal actions he provoked: [...]

Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>


Recent Der Spiegel coverage about the NSA and GCHQ

Jacob Appelbaum <jacob@appelbaum.net>
January 2, 2014 at 4:37:45 PM PST
I wanted to write to highlight some important documents that have recently
been released by Der Spiegel about the NSA and GCHQ. We worked very hard and
for quite some time on these stories - I hope that you'll enjoy them.

Inside TAO: Documents Reveal Top NSA Hacking Unit:

http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969.html

Part 1: Documents Reveal Top NSA Hacking Unit:

http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969.html

Part 2: Targeting Mexico:

http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969-2.html

Part 3: The NSA's Shadow Network:

http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969-3.html

NSA's Secret Toolbox: Unit Offers Spy Gadgets for Every Need:

http://www.spiegel.de/international/world/nsa-secret-toolbox-ant-unit-offers-spy-gadgets-for-every-need-a-941006.html

Shopping for Spy Gear: Catalog Advertises NSA Toolbox:

http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html

Interactive Graphic: The NSA's Spy Catalog:

http://www.spiegel.de/international/world/a-941262.html

  [The following are auf deutsch, URLs omitted.  PGN:]
TAO slides
NSA QUANTUM Tasking Techniques for the R&T Analyst
Yahoo! user targeting and attack example with QUANTUM
QUANTUMTHEORY and related QUANTUM programs
QUANTUM INSERT, race condition details
Details about the Man-On-The-Side with QUANTUM
QFIRE, TURMOIL, TURBINE, TURBULENCE
MARINA
Catalog of equipment covering around ~50 programs
NSA QUANTUMTHEORY capabilities list
GCHQ QUANTUMTHEORY capabilities list
OLYMPUSFIRE

An overview of all of these articles is available in German:
http://www.spiegel.de/netzwelt/netzpolitik/quantumtheory-wie-die-nsa-weltweit-rechner-hackt-a-941149.html

Earlier this week, I also recently gave a talk titled "To Protect and
Infect: part two" at CCC's 30C3. In the talk I explain a number of these
topics - the video is a reasonable complement to the above stories:
https://www.youtube.com/watch?v°w36GAyZIA

There are quite a few news articles and most of them have focused on the
iPhone backdoor known as DROPOUTJEEP - they largely miss the big picture
asserting that the NSA needs physical access.  This is a
misunderstanding. The way that the NSA and GCHQ compromise devices with
QUANTUMNATION does not require physical access - that is merely one way to
compromise an iPhone. Generally the NSA and GCHQ compromise the phone
through the network using QUANTUM/QUANTUMNATION/QUANTUMTHEORY related attack
capabilities.

An example of a vulnerable Apple user is shown:
http://www.spiegel.de/fotostrecke/nsa-dokumente-so-uebernimmt-der-geheimdienst-fremde-rechner-fotostrecke-105329-24.html

"note: QUANTUMNATION and standard QUANTUM tasking results in the same
exploitation technique. The main difference is QUANTUNATION deploys a state
0 implant and is able to be submitted by the TOPI. Any ios device will
always get VALIDATOR deployed."

  [Details on VALIDATOR auf deutsch.  PGN]

They're not talking about Cisco in that slide, I assure you.

Welcome to 2014!

The truth is coming and it can't be stopped,
Jacob


Court Rules No Suspicion Needed for Laptop Searches at Border

<*Richard Forno*>
Tuesday, December 31, 2013
https://www.aclu.org/national-security-technology-and-liberty/court-rules-no-suspicion-needed-laptop-searches-border

Decision Dismisses ACLU Lawsuit Challenging DHS Search Policy as Unconstitutional
31 Dec 2013 [via Dave Farber's IP distribution]

BROOKLYN—A federal court today dismissed a lawsuit arguing that the
government should not be able to search and copy people's laptops, cell
phones, and other devices at border checkpoints without reasonable
suspicion. An appeal is being considered. Government documents show that
thousands of innocent American citizens are searched when they return from
trips abroad.

"We're disappointed in today's decision, which allows the government to
conduct intrusive searches of Americans' laptops and other electronics at
the border without any suspicion that those devices contain evidence of
wrongdoing," said Catherine Crump, the American Civil Liberties Union
attorney who argued the case in July 2011. "Suspicionless searches of
devices containing vast amounts of personal information cannot meet the
standard set by the Fourth Amendment, which prohibits unreasonable searches
and seizures. Unfortunately, these searches are part of a broader pattern of
aggressive government surveillance that collects information on too many
innocent people, under lax standards, and without adequate oversight."

The ACLU, the New York Civil Liberties Union, and the National Association
of Criminal Defense Lawyers filed the lawsuit in September 2010 against the
Department of Homeland Security. DHS asserts the right to look though the
contents of a traveler's electronic devices, and to keep the devices or copy
the contents in order to continue searching them once the traveler has been
allowed to enter the U.S., regardless of whether the traveler is suspected
of any wrongdoing.

The lawsuit was filed on behalf of Pascal Abidor, a dual French-American
citizen who had his laptop searched and confiscated at the Canadian border;
the National Press Photographers Association, whose members include
television and still photographers, editors, students and representatives of
the photojournalism industry; and the NACDL, which has attorney members in
25 countries.

Abidor was traveling from Montreal to New York on an Amtrak train in May
2010 when he had his laptop searched and confiscated by customs officers.
Abidor, an Islamic Studies Ph.D. student at McGill University, was
questioned, taken off the train in handcuffs, and held in a cell for several
hours before being released without charge. When his laptop was returned 11
days later, there was evidence that many of his personal files had been
searched, including photos and chats with his girlfriend.

In June, in response to an ACLU Freedom of Information Act request, DHS
released its December 2011 Civil Rights/Civil Liberties Impact Assessment of
its electronics search policy, concluding that suspicionless searches do not
violate the First or Fourth Amendments. The report said that a reasonable
suspicion standard is inadvisable because it could lead to litigation and
the forced divulgence of national security information, and would prevent
border officers from acting on inchoate "hunches," a method that it says has
sometimes proved fruitful.

Today's ruling is available at:
aclu.org/sites/default/files/assets/abidor_decision.pdf
CONTACT: 212-549-2666, media@aclu.org


Re: Hackers target cash machines with USB sticks (RISKS-27/.67)

David Alexander <davidalexander440@btinternet.com>
Thu, 2 Jan 2014 15:42:49 +0000 (GMT)
The article states that the researchers said the gang must have had a
"profound knowledge' of the workings of the cash machines in order to
develop and successfully install the software." Nobody should be surprised
that organised crime knows how to attach ATMs the smart way. Gangs have been
known to physically remove ATMs from buildings and take them away to empty
at their convenience. It's not beyond their wit to either sell the empty
machine on to a group of smart criminals for analysis or to simply steal one
of each type to order for that very purpose. Exactly the same thing used to
happen with the units in payphones to work out how to open them and get the
coins out. It's simply the next version of the 'arms race'.


Re: Data brokers won't even tell the government how it ... your data

"Matthew Kruk" <mkrukg@gmail.com>
Fri, 27 Dec 2013 16:59:03 -0700
"What the companies would not specify in full were their sources for consumer
data.  Three companies, Acxiom, Experian, and Epsilon, would not reveal the
sources of their data, citing confidentiality clauses as the reason."

Oh the irony.


Internet citizen mobilization and the law

"Gary T Marx" <gtmarx@mit.edu>
Thu, 2 Jan 2014 16:15:42 -0800
This article deals with the vagaries of citizen mobilization of and support
for the law via the Net.

http://web.mit.edu/gtmarx/www/marx-publicas.html
www.garymarx.net

This article taking off from citizen uses of the Net after the Boston
Marathon case, deals with the irony presented by technologies of visibility
which can protect the integrity of the person and the group ala Hobbesian
deterrence, yet can also be a tool for dastardly deeds.  The challenge is to
create informational borders that sustain the former, but not the latter.
One of the great unresolved civilizational issues is coming to terms with
(but never comfortably resolving) the tensions between and within visibility
as accountability and invasion, and invisibility as both freedom and
license.

Please report problems with the web pages to the maintainer

x
Top