Brian Fung, *The Washington Post*, 16 Jan 2014 (via IEEE CIPHER 118, 24 Jan 2014, http://www.ieee-security.org/cipher.html) IT security firm Solutionary has gathered data indicating that Amazon's cloud services are the number one hosting site for malware affecting millions of LinkedIn subscribers. http://www.washingtonpost.com/blogs/the-switch/wp/2014/01/16/amazon-is-a-hornets-nest-of-malware/
John E Dunn | Techworld, InfoWorld, 6 Jan 2014 Copycat version of the CryptoLocker ransom Trojan takes aim at P2P file sharers http://www.infoworld.com/d/security/cryptolocker-20-turns-worm-spreads-usb-drives-233436
In response to Edward Snowden's revelations about NSA's quantum computing effort, China is launching a crash program. http://www.scmp.com/lifestyle/technology/article/1401755/china-race-create-first-quantum-code-breaking-supercomputer The RISK is that the pervasive corruption in China will be attracted to this program like ants on a candy bar. "Researchers working on projects from the generation of the strongest ever man-made magnetic field to building a 'quantum chip' from diamonds have been told by officials to get the job done, regardless of how much it costs." Oh yeah, baby, you're playing our song!
http://www.itbusiness.ca/article/how-to-opt-out-of-getting-emails-from-any-google-user Brian Jackson, *IT Business*, 9 Jan 2014 selected text: Google is further integrating its Google+ social network service with its Gmail service by allowing users to send each other messages even if they don't know the other user's e-mail address. But instead of maintaining the default setting that would prevent you from being e-mailed by those that don't have your address, Google will require you to opt-out of receiving messages from all Google+ users.
I follow infoworld.com articles and have submitted links to many of them to RISKS. I usually do not bother creating logins at very many Websites. My mouse pointer just happened to be over the down-vote button for one comment on an article I read. Up popped "You must signed in to down-vote this post." The up-vote button does not have such a requirement (at least, there is no pop-up). I have never put much credence in the votes on comments, and now, with this asymmetry, I have even less reason to do so.
Arild Færaas, *Aftenposten*, 09 Jan 2014 Four men who were part of a group that wrote mobile history tell for the first time how strong protection against eavesdropping of cell phones was weakened. http://www.aftenposten.no/nyheter/uriks/Sources-We-were-pressured-to-weaken-the-mobile-security-in-the-80s-7413285.html (They essentially blame the Brits.)
http://j.mp/1lPC4HK (*The Guardian* via NNSquad) "But the success of TAO demonstrates a viable alternative. And if the NSA has any legitimate role in intelligence gathering, targeted operations like TAO have the significant advantage that they leave the rest of us - and the systems we rely on - alone." - - - Matt Blaze appears to be endorsing the view I've been expressing for quite some time on this matter. We should be working to make opportunistic, mass surveillance as difficult, time-consuming, and expensive as possible -- since it normally involves the communications of innocent parties. Targeted surveillance—under proper supervision and oversight—still has an important, legitimate role to play in a dangerous world, and is largely intractable from a technical standpoint in any case, given the wide variety of attack vectors available.
*The Guardian*, 9 Jan 2014 http://www.theguardian.com/world/2014/jan/09/nsa-gchq-illegal-european-parliamentary-inquiry NSA and GCHQ operations have shaken trust between countries that considered themselves allies, the report says. Photograph: Alex Milan Tracy/NurPhoto/Corbis Mass surveillance programmes used by the US and Britain to spy on people in Europe have been condemned in the "strongest possible terms" by the first parliamentary inquiry into the disclosures, which has demanded an end to the vast, systematic and indiscriminate collection of personal data by intelligence agencies. The inquiry by the European parliament's civil liberties committee says the activities of America's National Security Agency (NSA) and its British counterpart, GCHQ, appear to be illegal and that their operations have "profoundly shaken" the trust between countries that considered themselves allies. The 51-page draft report, obtained by the Guardian, was discussed by the committee on Thursday. Claude Moraes, the rapporteur asked to assess the impact of revelations made by the whistleblower Edward Snowden, also condemns the "chilling" way journalists working on the stories have been intimidated by state authorities. Though Snowden is still in Russia, MEPs are expected to take evidence from him via video-link in the coming weeks, as the European parliament continues to assess the damage from the disclosures. Committee MEPs voted overwhelmingly on Thursday to have Snowden testify, defying warnings from key US congressmen that giving the "felon" a public platform would wreck the European parliament's reputation and hamper co-operation with Washington. While 36 committee members voted to hear Snowden, only two, both British Conservatives, voted against. "Snowden has endangered lives. Inviting him at all is a highly irresponsible act by an inquiry that has had little interest in finding out facts and ensuring a balanced approach to this delicate issue," said Timothy Kirkhope, a Tory MEP. 
"At least if Snowden wants to give evidence, he will now have to come out of the shadows and risk his location being discovered." The Lib Dem MEP Sarah Ludford denounced the Conservative position. "To ignore [Snowden] is absurd. The issue of whether the intelligence services are out of control merits serious examination in Europe as in the US. The Tories' ostrich-like denial is completely out of step with mainstream opinion in both continents, including Republicans in the US and Merkel's centre-right party in Germany. But their line is consistent with the obdurate refusal of Conservatives at Westminster to clarify and strengthen safeguards on snooping by GCHQ." The draft by Moraes, a Labour MEP, describes some of the programmes revealed by Snowden over the past seven months – including Prism, run by the NSA, and Tempora, which is operated by GCHQ.The former allows the NSA to conduct mass surveillance on EU citizens through the servers of US Internet companies. The latter sucks up vast amounts of information from the cables that carry Internet traffic in and out of the UK. The report says western intelligence agencies have been involved in spying on "an unprecedented scale and in an indiscriminate and non-suspicion-based manner". It is "very doubtful" that the collection of so much information is only guided by the fight against terrorism, the draft says, questioning the "legality, necessity and proportionality of the programmes". [...]
Jaikumar Vijayan | Computerworld, InfoWorld, 3 Jan 2014 The agency's metadata collection efforts haven't been key to thwarting terrorist attacks, researchers say http://podcasts.infoworld.com/d/security/costs-of-nsa-phone-records-collection-program-outweigh-the-benefits-233429 selected text: The NSA (National Security Agency) has often claimed that its data collection programs have helped thwart dozens of terrorist plots in the U.S. But an analysis of one such program, the NSA's controversial bulk telephone records collection initiative, suggests that the cost of running and maintaining the effort may far outweigh any benefits. The NSA has said that its surveillance efforts helped it disrupt 54 terrorism plots in the U.S. over the past several years. The authors note that the overall number by itself is very small considering the tens of billions of dollars that must have been spent on counterterrorism programs established after the terrorist attacks of Sept. 11, 2001. The number becomes even smaller when only the bulk phone metadata collection program is considered. According to Mueller and Stewart, a review of publicly available information shows that about 90 percent of the cases cited as successes by the NSA actually involved data gathered under PRISM, a separate program designed to gather information on non-U.S. terror suspects. That means that the metadata program played a role in about five cases since it was launched. Of those cases, only one appears to have been a truly serious threat—three Afghan-Americans were plotting to set off bombs in the United States, according to Mueller and Stewart. Even in that case, at least some of the information used to help thwart the plot came from other data collection programs. In fact, just one of the identified cases relied on phone metadata in a major way; it involved a San Diego cab driver who was later convicted of sending money to a terrorist group in Somalia. 
According to Mueller, even if the metadata program was to result in the NSA thwarting just one major terrorist attack every four years, it would still not be cost effective when all costs are accounted for.
* From a NY Times bestseller published this year. Our hero is on a plane, talking (with video!) to his uncle via Skype while over the Atlantic (OK, that's probably not gonna work very well already, but): "Hold on a moment." Nicholas tapped the keyboard, and a program he'd written several years earlier, and simple and elegant mobile encryption, kicked in. He gave it a second to overwrite the public wireless system he was using. [His uncle asks] "Now, how secure are you?" "I'm as secure as I can be without hurting the plane's radio integrity." So...he's encrypting, but the other end isn't decrypting? That'll work well ... As my wife commented, "You'd think an author would check with someone..." I finished the sentence: "...who'd seen a computer before". Scarily misleading gibberish, compounding the confusion too many folks already have about computers, encryption, and security.
[Via Dave Farber] Tim O'Reilly said:

> The biggest change—what I might even term the biggest distortion—in the Internet over the past couple decades has been the centralization of content. Ironically, more and more content is being produced by individuals and small Internet users, but it is stored on commercial services...
>
> Why hasn't the decentralized model taken off? I blame SaaS.

I think it goes deeper than Software-as-a-Service, which I see as a fad name for a longstanding situation. Here is why: A whole bunch of companies decided that making their communications service accessible through web browsers made it easiest for users to adopt. But web browsers are only clients. They don't do peer-to-peer. They are not decentralized; they can only reach centralized resources. The limitations of the "browser as interface" model are what drove people to build centralized services. There were many good and bad reasons for companies to decide that the browser was the best interface. It was an easy way to break the Microsoft operating system monopoly; you could write it once and if you were smart, it would work anywhere, and not just on Microsoft computers. You could revise and improve the service every day, and your changes would immediately take effect. Nobody had to download anything, so there was less malware, better acceptance, and no mix of different versions to support. Widespread use of NAT and firewalls in the network makes it hard for programs to communicate with anything other than centralized servers and required using the HTTP protocol. I'm sure there are half a dozen other reasons, but the choice of the browser client as platform was the key, in my opinion. Since the web browser we have only seen two non-http protocols really get mass acceptance: BitTorrent, and Skype. 
BitTorrent did things easily that browsers did poorly, and that people wanted done; and was done as an open protocol (unlike BT's more recent offerings), so many people could help innovate. It was worth downloading and running. Skype leveraged users into flat-rate worldwide calling, just like the Internet, out from under the thumb of the phone company's per-minute rates. And then improved on phones with better audio quality, video, etc. What Ma Bell had been too clumsy to do since the 1964 World's Fair (Picturephones), Skype did. It was proprietary, which made it easier to corrupt later, but it couldn't run in a browser, yet its advantages made it worth downloading. Perhaps Netflix is running yet another mass market non-http protocol nowadays, providing DRM that web browsers did poorly. (I am not up on what protocols they are running.) Users do not want DRM—they just want to watch videos, paid or unpaid. But once users got used to the rental model for DVDs (watch it, be unable to easily keep a copy, send it back in a mailer), streaming DRM-encrusted movies just seemed like an easier version of the same thing. Worth downloading some software to avoid the postal delays.
Why bother with a home router *backdoor*, when *the router front door is wide open*? The following is at least a 700-day exploit (based on the date 14 Feb 2012 found in the router's file system: the Valentine's Day massacre!) which is known to everyone except for the vast majority of the public who is sent these routers by this particular serVice proVider to use in their homes. The router code I'm describing incorporates all of the changes made _after_ Defcon 18: "How to Hack Millions of Routers" http://www.youtube.com/watch?v=Zazk0plSoQg http://media.blackhat.com/bh-us-10/presentations/Heffner/BlackHat-USA-2010-Heffner-How-to-Hack-Millions-of-Routers-slides.pdf In May 2013, I received my latest home router—an ******tec wireless ADSL router from one of the largest U.S. serVice proViders. This router has two methods of configuration by the ordinary home user: an http web GUI and a Telnet interface. There appears to be a service provider "back door" in the form of a "call home" capability, but I haven't been able to determine the precise nature of the data provided through this back door. Note that this wireless router already has two well-known vulnerabilities: it uses http instead of encrypted https, and it uses Telnet instead of encrypted ssh. This means that passwords are sent unencrypted through the air on this wireless device. The web GUI defaults to (at least) _two_ username/password pairs: "admin/password" and "user/user". The admin/password pair is prominently advertised in the documentation; the "user/user" pair is completely undocumented, and discovered only through careful inspection of the executable code in the router ! The Telnet interface has (at least) one username/password pair: "admin/admin", whose password can be changed via the web GUI. Both the web GUI and Telnet interfaces can be configured for both "local" access—i.e., access from 192.168.1.x home IP addresses—and "remote" access—i.e., anywhere on the Internet. 
Luckily, both the web GUI and the Telnet interface are factory configured with "remote" access initially disabled. When the home user logs into the web GUI interface for the first time, he/she is _required_ to change the password for "admin", but nowhere is it mentioned that he/she should also change the password for "user", nor is it mentioned that he/she should also change the password for the Telnet interface. The web GUI interface is powerful, because it can be used to enable remote access to both the web GUI and Telnet interfaces. The web GUI can also be used to configure wireless security and its passwords. Finally, the web GUI interface can be used to completely change the router's firmware through reflashing of its internal memory. Curiously, the web GUI _cannot_ be used to change the password for the username "user"; mine may be the only one of millions of these routers which has a password for "user" other than "user". (I have verified this impossibility by examining all of the .html code for this router's web pages.) The _only_ way to change the password for "user" is to use the Telnet "passwd" command. This method is completely undocumented, and took quite a lot of experimentation to determine. The Telnet interface is powerful because it can be used to change the passwords for the web GUI interface; curiously, it appears to be impossible to change the password for the Telnet interface using Telnet itself (the web GUI is needed for that)! The Telnet interface is also powerful because it gives "root access" to the router. While the initial Telnet shell is limited, simply typing "sh" gives a full Busybox shell. This Busybox shell includes a "wget" command, which can be used to download executable binary files from anywhere on the Internet, and subsequently execute them with the "sh" command. 
(Note that although /etc/passwd mentions the 4 pairs: admin/password, support/support, user/user, nobody/password, it doesn't appear that this file is used for anything, as changes made via the "passwd" command didn't seem to be reflected in this file.) But even the limited Telnet shell provides the "dumpmdm" command, which dumps ~192Kbytes of beautifully formatted ascii cleartext XML; all of the passwords (including wireless passwords and keys) are in this XML file in unencrypted form, complete with their description. Curiously, this dumpmdm XML text mentions the username/password pair: "support/support", however, I was not able to successfully utilize support/support for either the web GUI or the Telnet interface.

There is a further undocumented vulnerability with this router: its USB port. While some routers use a USB port for LAN printers or LAN Samba/NFS file systems, this particular router does not provide those capabilities with its service-provider-supplied firmware. What this router's USB port does provide, however, is the ability to plug in (and automatically mount) a flash drive with either a MSDOS FAT32 file system, or even a Windows NTFS file system! Needless to say, the possibilities for mischief explode with the ability to read and write tens of gigabytes of data on a local flash drive. (It is conceivable that this router may automatically start executing code from its USB flash drive in Windows-style "autorun" fashion; I was not able to rule out this possibility with my testing.)

What can be done to fix these problems?

1. Home routers should only be configurable via encrypted https web GUI's and SSH command line interfaces—particularly given all of the vulnerabilities of wireless protocols.

2. The web GUI's and documentation should prominently and clearly mention _all_ of the configuration access methods, both web GUI and Telnet. In plain language, this GUI and documentation should ask each new user: "Do you want to lock all your doors and windows, including the garage door and the doggie door?" In particular, all such doors and windows should be disclosed, including "user/user" and "support/support", etc.

3. This particular router has a very misleading configuration page for remote Telnet; it asks the user whether he/she wishes to enable "remote" Telnet, and what the password should be. However, it doesn't mention the fact that this (normally unchanged) password is also used for "local" Telnet, and that this password should be changed even when "remote" Telnet is disabled. Most ordinary users will not know what Telnet is or what it can be used to do. Perhaps the following language might help: "Do you want to provide an unlocked service entrance to your house which is accessible to anyone with a hard hat and a tool belt, whether or not he/she shows any credentials?"

This router does appear to "call home" to the serVice proVider via a web page with a username/password mentioned in the aforementioned dumpmdm XML file; this username incorporates the _serial number_ of the particular modem, which presumably can be linked back to user's physical home address. At least this particular transaction is via encrypted https.

4. Why bother enabling a USB port whose _only_ use is malicious? If I could use it for remote USB printing or playing music through USB speakers, that would be great, but this USB port is totally useless except as a potential port for hackers.

BTW, if you Google certain phrases found on the various private pages of this type of router's web GUI, you will find a number of these routers whose remote web GUI has been opened up to the whole Internet. Furthermore, it appears that these routers have been open for a long time, based on their Google page rank. I must assume that these routers are honeypots...
Perhaps the best solution to these problems is to get rid of crappy proprietary router firmware in favor of DD-WRT (www.dd-wrt.com), OpenWRT (openwrt.org), etc. Of course, while these systems have high quality, they are difficult for non-wizards to set up properly. But at least they are _capable_ of being set up properly.
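
An added example, not part of the original post and not the router's own code: a small audit an owner could run over a saved configuration dump to find accounts still at the factory passwords the post lists, and unencrypted management interfaces that are switched on. The dump below is constructed, and its element and attribute names are hypothetical, since the post does not show the real dumpmdm schema.

```python
import xml.etree.ElementTree as ET

# Factory username/password pairs listed in the post.
FACTORY_DEFAULTS = {("admin", "password"), ("admin", "admin"), ("user", "user"),
                    ("support", "support"), ("nobody", "password")}
PLAINTEXT_SERVICES = {"telnet", "http"}  # the post's two unencrypted interfaces

# Constructed sample dump. Element and attribute names are hypothetical;
# the real dumpmdm schema is not shown in the post.
SAMPLE_DUMP = """
<config>
  <account iface="web"><name>admin</name><password>c0rrect-h0rse</password></account>
  <account iface="web"><name>user</name><password>user</password></account>
  <account iface="telnet"><name>admin</name><password>admin</password></account>
  <service name="telnet" local="1" remote="0"/>
  <service name="http" local="1" remote="1"/>
  <service name="https" local="0" remote="0"/>
</config>
"""

def audit(dump_xml):
    """Return (severity, message) findings for a saved configuration dump."""
    root = ET.fromstring(dump_xml)
    findings = []
    services = {s.get("name"): s for s in root.iter("service")}

    for acct in root.iter("account"):
        iface = acct.get("iface")
        pair = (acct.findtext("name"), acct.findtext("password"))
        if pair not in FACTORY_DEFAULTS:
            continue
        svc = services.get("http" if iface == "web" else iface)
        # A default password matters even with remote access off: the same
        # credential guards the local (LAN / wireless) side of the interface.
        remote = svc is not None and svc.get("remote") == "1"
        findings.append(("critical" if remote else "high",
                         f"{iface} account '{pair[0]}' still has its factory password"))

    for name, svc in services.items():
        if name not in PLAINTEXT_SERVICES:
            continue
        if svc.get("remote") == "1":
            findings.append(("critical", f"{name} is reachable from the Internet unencrypted"))
        elif svc.get("local") == "1":
            findings.append(("medium", f"{name} sends credentials unencrypted on the LAN"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_DUMP):
        print(f"{severity:8} {message}")
```

On the constructed dump this reports the unchanged "user" web account and the unchanged Telnet password even though the "admin" web password was changed and remote Telnet is off, which is the gap the post's points 2 and 3 describe.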