The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 70

Tuesday 21 January 2014


Amazon is a hornet's nest of malware
Brian Fung via IEEE Cipher
CryptoLocker 2.0 turns into worm that spreads via USB drives
John E Dunn via Gene Wirchenko
China launches quantum computing effort
Mark Thorson
How to opt out of getting e-mails from any Google+ user
Brian Jackson via Gene Wirchenko
Bias in Forum Comment Voting
Gene Wirchenko
We were pressured to weaken mobile security
Arild Færaas via Prashanth Mundkur
Middle Ground on NSA
on Matt Blaze via Lauren Weinstein
NSA and GCHQ activities appear illegal: EU parliamentary inquiry
*The Guardian* via David Farber
"Costs of NSA phone records collection program outweigh the benefits"
Jaikumar Vijayan via Gene Wirchenko
Where do we *get* these people?!
Phil Smith
Re: How did we end up with a centralized Internet for the NSA to mine?
O'Reilly Radar via John Gilmore via Dave Farber
Re: Backdoor in popular wireless routers/DSL modems
Henry Baker
Info on RISKS (comp.risks)

Amazon is a hornet's nest of malware (Brian Fung)

"Cipher Editor" <>
Tue, 21 Jan 2014 12:26:31 -0700
Brian Fung, *The Washington Post*, 16 Jan 2014
(via IEEE CIPHER 118, 24 Jan 2014,

IT security firm Solutionary has gathered data indicating that Amazon's
cloud services are the number one hosting site for malware affecting
millions of LinkedIn subscribers.

"CryptoLocker 2.0 turns into worm that spreads via USB drives" (John E Dunn)

Gene Wirchenko <>
Wed, 08 Jan 2014 09:19:17 -0800
John E Dunn | Techworld, InfoWorld, 6 Jan 02104
Copycat version of the CryptoLocker ransom Trojan takes aim at P2P file sharers

China launches quantum computing effort

Mark Thorson <>
Fri, 10 Jan 2014 13:02:55 -0800
In response to Edward Snowden's revelations about NSA's quantum computing
effort, China is launching a crash program.

The RISK is that the pervasive corruption in China will be attracted to this
program like ants on a candy bar.

"Researchers working on projects from the generation of the strongest ever
man-made magnetic field to building a 'quantum chip' from diamonds have been
told by officials to get the job done, regardless of how much it costs."

Oh yeah, baby, you're playing our song!

"How to opt out of getting e-mails from any Google+ user" (Brian Jackson)

Gene Wirchenko <>
Fri, 10 Jan 2014 09:49:07 -0800
Brian Jackson, *IT  Business*, 9 Jabn 2014

selected text:

Google is further integrating its Google+ social network service with its
Gmail service by allowing users to send each other messages even if they
don't know the other user's e-mail address. But instead of maintaining the
default setting that would prevent you from being e-mailed by those that
don't have your address, Google will require you to opt-out of receiving
messages from all Google+ users.

Bias in Forum Comment Voting

Gene Wirchenko <>
Tue, 07 Jan 2014 09:17:52 -0800
I follow articles and have submitted links to many of them to
RISKS.  I usually do not bother creating logins at very many Websites.  My
mouse pointer just happened to be over the down-vote button for one comment
on an article I read.  Up popped "You must signed in to down-vote this
post."  The up-vote button does not have such a requirement (at least, there
is no pop-up).

I have never put much credence in the votes on comments, and now, with this
asymmetry, I have even less reason to do so.

Prashanth Mundkur <>
Fri, 10 Jan 2014 09:42:54 -0800

Arild Færaas, *Aftenposten*, 09 Jan 2014

Four men who were part of a group that wrote mobile history tell for
the first time how strong protection against eavesdropping of cell
phones was weakened.

(They essentially blame the Brits.)

Middle Ground on NSA

Lauren Weinstein <>
Wed, 8 Jan 2014 08:21:18 -0800  (*The Guardian* via NNSquad)

  "But the success of TAO demonstrates a viable alternative. And if the NSA
  has any legitimate role in intelligence gathering, targeted operations
  like TAO have the significant advantage that they leave the rest of us -
  and the systems we rely on - alone."

 - - -

Matt Blaze appears to be endorsing the view I've been expressing for quite
some time on this matter. We should be working to make opportunistic, mass
surveillance as difficult, time-consuming, and expensive as possible --
since it normally involves the communications of innocent parties. Targeted
surveillance—under proper supervision and oversight—still has an
important, legitimate role to play in a dangerous world, and is largely
intractable from a technical standpoint in any case, given the wide variety
of attack vectors available.

NSA and GCHQ activities appear illegal: EU parliamentary inquiry

David Farber <>
Fri, 10 Jan 2014 12:24:07 -0500
*The Guardian*, 9 Jan 2014

NSA and GCHQ operations have shaken trust between countries that considered
themselves allies, the report says. Photograph: Alex Milan

Mass surveillance programmes used by the US and Britain to spy on people in
Europe have been condemned in the "strongest possible terms" by the first
parliamentary inquiry into the disclosures, which has demanded an end to the
vast, systematic and indiscriminate collection of personal data by
intelligence agencies.

The inquiry by the European parliament's civil liberties committee says the
activities of America's National Security Agency (NSA) and its British
counterpart, GCHQ, appear to be illegal and that their operations have
"profoundly shaken" the trust between countries that considered themselves

The 51-page draft report, obtained by the Guardian, was discussed by the
committee on Thursday. Claude Moraes, the rapporteur asked to assess the
impact of revelations made by the whistleblower Edward Snowden, also
condemns the "chilling" way journalists working on the stories have been
intimidated by state authorities.

Though Snowden is still in Russia, MEPs are expected to take evidence from
him via video-link in the coming weeks, as the European parliament continues
to assess the damage from the disclosures. Committee MEPs voted
overwhelmingly on Thursday to have Snowden testify, defying warnings from
key US congressmen that giving the "felon" a public platform would wreck the
European parliament's reputation and hamper co-operation with Washington.

While 36 committee members voted to hear Snowden, only two, both British
Conservatives, voted against. "Snowden has endangered lives. Inviting him at
all is a highly irresponsible act by an inquiry that has had little interest
in finding out facts and ensuring a balanced approach to this delicate
issue," said Timothy Kirkhope, a Tory MEP. "At least if Snowden wants to
give evidence, he will now have to come out of the shadows and risk his
location being discovered."

The Lib Dem MEP Sarah Ludford denounced the Conservative position. "To
ignore [Snowden] is absurd. The issue of whether the intelligence services
are out of control merits serious examination in Europe as in the US. The
Tories' ostrich-like denial is completely out of step with mainstream
opinion in both continents, including Republicans in the US and Merkel's
centre-right party in Germany. But their line is consistent with the
obdurate refusal of Conservatives at Westminster to clarify and strengthen
safeguards on snooping by GCHQ."

The draft by Moraes, a Labour MEP, describes some of the programmes revealed
by Snowden over the past seven months – including Prism, run by the
NSA, and Tempora, which is operated by GCHQ.The former allows the NSA to
conduct mass surveillance on EU citizens through the servers of US Internet
companies. The latter sucks up vast amounts of information from the cables
that carry Internet traffic in and out of the UK.

The report says western intelligence agencies have been involved in spying
on "an unprecedented scale and in an indiscriminate and non-suspicion-based
manner". It is "very doubtful" that the collection of so much information is
only guided by the fight against terrorism, the draft says, questioning the
"legality, necessity and proportionality of the programmes".  [...]

"Costs of NSA phone records collection program outweigh the benefits" (Jaikumar Vijayan)

Gene Wirchenko <>
Wed, 08 Jan 2014 09:26:45 -0800
Jaikumar Vijayan | Computerworld, InfoWorld, 3 Jan 2014
The agency's metadata collection efforts haven't been key to
thwarting terrorist attacks, researchers say

selected text:

The NSA (National Security Agency) has often claimed that its data
collection programs have helped thwart dozens of terrorist plots in the
U.S. But an analysis of one such program, the NSA's controversial bulk
telephone records collection initiative, suggests that the cost of running
and maintaining the effort may far outweigh any benefits.

The NSA has said that its surveillance efforts helped it disrupt 54
terrorism plots in the U.S. over the past several years.

The authors note that the overall number by itself is very small considering
the tens of billions of dollars that must have been spent on
counterterrorism programs established after the terrorist attacks of
Sept. 11, 2001. The number becomes even smaller when only the bulk phone
metadata collection program is considered.

According to Mueller and Stewart, a review of publicly available information
shows that about 90 percent of the cases cited as successes by the NSA
actually involved data gathered under PRISM, a separate program designed to
gather information on non-U.S. terror suspects.

That means that the metadata program played a role in about five cases since
it was launched. Of those cases, only one appears to have been a truly
serious threat—three Afghan-Americans were plotting to set off bombs in
the United States, according to Mueller and Stewart. Even in that case, at
least some of the information used to help thwart the plot came from other
data collection programs.

In fact, just one of the identified cases relied on phone metadata in a
major way; it involved a San Diego cab driver who was later convicted of
sending money to a terrorist group in Somalia.

According to Mueller, even if the metadata program was to result in the NSA
thwarting just one major terrorist attack every four years, it would still
not be cost effective when all costs are accounted for.

Where do we *get* these people?!

Phil Smith <>
Thu, 9 Jan 2014 07:10:37 -0800
 * From a NY Times bestseller published this year. Our hero is on a plane,
 talking (with video!) to his uncle via Skype while over the Atlantic (OK,
 that's probably not gonna work very well already, but):

"Hold on a moment." Nicholas tapped the keyboard, and a program he'd written
several years earlier, and simple and elegant mobile encryption, kicked
in. He gave it a second to overwrite the public wireless system he was

[His uncle asks] "Now, how secure are you?"

"I'm as secure as I can be without hurting the plane's radio integrity."
So...he's encrypting, but the other end isn't decrypting? That'll work well

As my wife commented, "You'd think an author would check with someone..."
I finished the sentence: "...who'd seen a computer before".

Scarily misleading gibberish, compounding the confusion too many folks
already have about computers, encryption, and security.

Re: [IP] How did we end up with a centralized Internet for the NSA to mine? - O'Reilly Radar

John Gilmore <>
January 8, 2014 at 3:56:53 PM EST
  [Via Dave Farber]

Tim O'Reilly said:
> The biggest change—what I might even term the biggest distortion
>—in the Internet over the past couple decades has been the
> centralization of content. Ironically, more and more content is
> being produced by individuals and small Internet users, but it is
> stored on commercial services...
> Why hasn't the decentralized model taken off? I blame SaaS.

I think it goes deeper than Software-as-a-Service, which I see as a fad name
for a longstanding situation.  Here is why:

A whole bunch of companies decided that making their communications service
accessible through web browsers made it easiest for users to adopt.

But web browsers are only clients.  They don't do peer-to-peer.  They are
not decentralized; they can only reach centralized resources.

The limitations of the "browser as interface" model are what drove people to
build centralized services.

There were many good and bad reasons for companies to decide that the
browser was the best interface.  It was an easy way to break the Microsoft
operating system monopoly; you could write it once and if you were smart, it
would work anywhere, and not just on Microsoft computers.  You could revise
and improve the service every day, and your changes would immediately take
effect.  Nobody had to download anything, so there was less malware, better
acceptance, and no mix of different versions to support.  Widespread use of
NAT and firewalls in the network makes it hard for programs to communicate
with anything other than centralized servers and required using the HTTP
protocol.  I'm sure there are half a dozen other reasons, but the choice of
the browser client as platform was the key, in my opinion.

Since the web browser we have only seen two non-http protocols really get
mass acceptance: BitTorrent, and Skype.  BitTorrent did things easily that
browsers did poorly, and that people wanted done; and was done as an open
protocol (unlike BT's more recent offerings), so many people could help
innovate.  It was worth downloading and running.  Skype leveraged users into
flat-rate worldwide calling, just like the Internet, out from under the
thumb of the phone company's per-minute rates.  And then improved on phones
with better audio quality, video, etc.  What Ma Bell had been too clumsy to
do since the 1964 World's Fair (Picturephones), Skype did.  It was
proprietary, which made it easier to corrupt later, but it couldn't run in a
browser, yet its advantages made it worth downloading.

Perhaps Netflix is running yet another mass market non-http protocol
nowadays, providing DRM that web browsers did poorly.  (I am not up on what
protocols they are running.)  Users do not want DRM—they just want to
watch videos, paid or unpaid.  But once users got used to the rental model
for DVDs (watch it, be unable to easily keep a copy, send it back in a
mailer), streaming DRM-encrusted movies just seemed like an easier version
of the same thing.  Worth downloading some software to avoid the postal

Re: Backdoor in popular wireless routers/DSL modems

Henry Baker <>
Tue, 07 Jan 2014 07:08:06 -0800
Why bother with a home router *backdoor*, when *the router front door is
wide open*?

The following is at least a 700-day exploit (based on the date 14 Feb 2012
found in the router's file system: the Valentine's Day massacre!) which is
known to everyone except for the vast majority of the public who is sent
these routers by this particular serVice proVider to use in their homes.
The router code I'm describing incorporates all of the changes made _after_
Defcon 18:

"How to Hack Millions of Routers"

In May 2013, I received my latest home router—an ******tec wireless ADSL
router from one of the largest U.S. serVice proViders.  This router has two
methods of configuration by the ordinary home user: an http web GUI and a
Telnet interface.  There appears to be a service provider "back door" in the
form of a "call home" capability, but I haven't been able to determine the
precise nature of the data provided through this back door.

Note that this wireless router already has two well-known vulnerabilities:
it uses http instead of encrypted https, and it uses Telnet instead of
encrypted ssh.  This means that passwords are sent unencrypted through the
air on this wireless device.

The web GUI defaults to (at least) _two_ username/password pairs:
"admin/password" and "user/user".  The admin/password pair is prominently
advertised in the documentation; the "user/user" pair is completely
undocumented, and discovered only through careful inspection of the
executable code in the router !

The Telnet interface has (at least) one username/password pair:
"admin/admin", whose password can be changed via the web GUI.

Both the web GUI and Telnet interfaces can be configured for both "local"
access—i.e., access from 192.168.1.x home IP addresses—and "remote"
access—i.e., anywhere on the Internet.  Luckily, both the web GUI and the
Telnet interface are factory configured with "remote" access initially

When the home user logs into the web GUI interface for the first time,
he/she is _required_ to change the password for "admin", but nowhere is it
mentioned that he/she should also change the password for "user", nor is it
mentioned that he/she should also change the password for the Telnet

The web GUI interface is powerful, because it can be used to enable remote
access to both the web GUI and Telnet interfaces.  The web GUI can also be
used to configure wireless security and its passwords.  Finally, the web GUI
interface can be used to completely change the router's firmware through
reflashing of its internal memory.

Curiously, the web GUI _cannot_ be used to change the password for the
username "user"; mine may be the only one of millions of these routers which
has a password for "user" other than "user".  (I have verified this
impossibility by examining all of the .html code for this router's web
pages.)  The _only_ way to change the password for "user" is to use the
Telnet "passwd" command.  This method is completely undocumented, and took
quite a lot of experimentation to determine.

The Telnet interface is powerful because it can be used to change the
passwords for the web GUI interface; curiously, it appears to be impossible
to change the password for the Telnet interface using Telnet itself (the web
GUI is needed for that)!

The Telnet interface is also powerful because it gives "root access" to the
router.  While the initial Telnet shell is limited, simply typing "sh" gives
a full Busybox shell.  This Busybox shell includes a "wget" command, which
can be used to download executable binary files from anywhere on the
Internet, and subsequently execute them with the "sh" command.

(Note that although /etc/passwd mentions the 4 pairs: admin/password,
support/support, user/user, nobody/password, it doesn't appear that this
file is used for anything, as changes made via the "passwd" command didn't
seem to be reflected in this file.)

But even the limited Telnet shell provides the "dumpmdm" command, which
dumps ~192Kbytes of beautifully formated ascii cleartext XML; all of the
passwords (including wireless passwords and keys) are in this XML file in
unencrypted form, complete with their description.  Curiously, this dumpmdm
XML text mentions the username/password pair: "support/support", however, I
was not able to successfully utilize support/support for either the web GUI
or the Telnet interface.

There is a further undocumented vulnerability with this router: its USB
port.  While some routers use a USB port for LAN printers or LAN Samba/NFS
file systems, this particular router does not provide those capabilities
with its service-provider-supplied firmware.  What this router's USB port
does provide, however, is the ability to plug in (and automatically mount) a
flash drive with either a MSDOS FAT32 file system, or even a Windows NTFS
file system!  Needless to say, the possibilities for mischief explode with
the ability to read and write tens of gigabytes of data on a local flash
drive.  (It is conceivable that this router may automatically start
executing code from its USB flash drive in Windows-style "autorun" fashion;
I was not able to rule out this possibility with my testing.)

What can be done to fix these problems?

1.  Home routers should only be configurable via encrypted https web GUI's
and SSH command line interfaces—particularly given all of the
vulnerabilities of wireless protocols.

2.  The web GUI's and documentation should prominently and clearly mention
_all_ of the configuration access methods, both web GUI and Telnet.  In
plain language, this GUI and documentation should ask each new user: "Do you
want to lock all your doors and windows, including the garage door and the
doggie door?"

In particular, all such doors and windows should be disclosed, including
"user/user" and "support/support", etc.

3.  This particular router has a very misleading configuration page for
remote Telnet; it asks the user whether he/she wishes to enable "remote"
Telnet, and what the password should be.  However, it doesn't mention the
fact that this (normally unchanged) password is also used for "local"
Telnet, and that this password should be changed even when "remote" Telnet
is disabled.

Most ordinary users will not know what Telnet is or what it can be used to
do.  Perhaps the following language might help: "Do you want to provide an
unlocked service entrance to your house which is accessible to anyone with a
hard hat and a tool belt, whether or not he/she shows any credentials?"

This router does appear to "call home" to the serVice proVider via a web
page with a username/password mentioned in the aforementioned dumpmdm XML
file; this username incorporates the _serial number_ of the particular
modem, which presumably can be linked back to user's physical home address.
At least this particular transaction is via encrypted https.

4.  Why bother enabling a USB port whose _only_ use is malicious?  If I
could use it for remote USB printing or playing music through USB speakers,
that would be great, but this USB port is totally useless except as a
potential port for hackers.

BTW, if you Google certain phrases found on the various private pages of
this type of router's web GUI, you will find a number of these routers whose
remote web GUI has been opened up to the whole Internet.  Furthermore, it
appears that these routers have been open for a long time, based on their
Google page rank.  I must assume that these routers are honeypots...

Perhaps the best solution to these problems is to get rid of crappy
proprietary router firmware in favor of DD-WRT (, OpenWRT
(, etc.  Of course, while these systems have high quality, they
are difficult for non-wizards to set up properly.  But at least they are
_capable_ of being set up properly.

Please report problems with the web pages to the maintainer